Hello,

I want to add my Linux client to my AD.

I use net ads join -U administrator
passwd : xxxx

and I wait and I have no response, but if I press the Enter key 8 times, my machine is added to my AD but I have this error message: error reading from file descriptor 0 : empty password, which comes from the server.

I don't understand why.

My server is Samba 4.11 and my client uses winbind.

I use the debug in my client and I have this result:

root@clientblues2:/etc/samba# net ads join -d 5 -U administrator
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter security = ADS
doing parameter realm = SAMBADOM.CALAIS.FR
doing parameter workgroup = SAMBADOM
doing parameter netbios name = clientblues2
doing parameter winbind separator = /
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 1000-2000
doing parameter idmap config SAMBADOM : backend = ad
doing parameter idmap config SAMBADOM : schema_mode = rfc2307
doing parameter idmap config SAMBADOM : range = 10000-600000
doing parameter idmap config SAMBADOM : unix_nss_info = yes
doing parameter idmap config SAMBADOM : unix_primary_group = yes
doing parameter winbind nss info = template
doing parameter template homedir = /etudiants/%U
doing parameter template shell = /bin/bash
doing parameter kerberos method = secrets and keytab
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter winbind refresh tickets = yes
doing parameter username map = /etc/samba/user.map
doing parameter winbind use default domain = yes
doing parameter log file = /var/log/samba/log.%m
doing parameter log level = 5
doing parameter vfs object = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Registering messaging pointer for type 51 - private_data=(nil)
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter security = ADS
doing parameter realm = SAMBADOM.CALAIS.FR
doing parameter workgroup = SAMBADOM
doing parameter netbios name = clientblues2
doing parameter winbind separator = /
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 1000-2000
doing parameter idmap config SAMBADOM : backend = ad
doing parameter idmap config SAMBADOM : schema_mode = rfc2307
doing parameter idmap config SAMBADOM : range = 10000-600000
doing parameter idmap config SAMBADOM : unix_nss_info = yes
doing parameter idmap config SAMBADOM : unix_primary_group = yes
doing parameter winbind nss info = template
doing parameter template homedir = /etudiants/%U
doing parameter template shell = /bin/bash
doing parameter kerberos method = secrets and keytab
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter winbind refresh tickets = yes
doing parameter username map = /etc/samba/user.map
doing parameter winbind use default domain = yes
doing parameter log file = /var/log/samba/log.%m
doing parameter log level = 5
doing parameter vfs object = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="CLIENTBLUES2"
added interface ens18 ip=192.168.xx.xxx bcast=192.168.xx.255 netmask=255.255.255.0
Enter administrator's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'CLIENTBLUES2'
            domain_name              : *
                domain_name              : 'SAMBADOM.CALAIS.FR'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'administrator'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'SAMBADOM.CALAIS.FR': "Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'SAMBADOM.CALAIS.FR': "Default-First-Site-Name"
no entry for blueyestest.sambadom.calais.fr#20 found.
resolve_hosts: Attempting host lookup for name blueyestest.sambadom.calais.fr<0x20>
namecache_store: storing 1 address for blueyestest.sambadom.calais.fr#20: 192.168.xx.xxx
Connecting to 192.168.xx.xxx at port 445
Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 0
    SO_BROADCAST = 0
    TCP_NODELAY = 1
    TCP_KEEPCNT = 9
    TCP_KEEPIDLE = 7200
    TCP_KEEPINTVL = 75
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 0
    SO_SNDBUF = 87040
    SO_RCVBUF = 131072
    SO_SNDLOWAT = 1
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
    TCP_QUICKACK = 1
    TCP_DEFER_ACCEPT = 0
got OID=1.2.840.48018.1.2.2
cli_session_setup_spnego_send: Connect to blueyestest.sambadom.calais.fr as administrator@SAMBADOM.CALAIS.FR using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered

On the server I have the following trace

ldb_wrap open of idmap.ldb
/usr/sbin/smbd: Allowed connection from 192.168.22.233 (192.168.22.233)
/usr/sbin/smbd: init_oplocks: initializing messages.
/usr/sbin/smbd: Transaction 0 of length 88 (0 toread)
/usr/sbin/smbd: switch message SMBnegprot (pid 12005) conn 0x0
/usr/sbin/smbd: Requested protocol [NT LANMAN 1.0]
/usr/sbin/smbd: Requested protocol [NT LM 0.12]
/usr/sbin/smbd: Requested protocol [SMB 2.002]
/usr/sbin/smbd: Requested protocol [SMB 2.???]
/usr/sbin/smbd: Selected protocol SMB2_FF
/usr/sbin/smbd: load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/auth/samba4.so' loaded
/usr/sbin/smbd: GENSEC backend 'gssapi_spnego' registered
/usr/sbin/smbd: GENSEC backend 'gssapi_krb5' registered
/usr/sbin/smbd: GENSEC backend 'gssapi_krb5_sasl' registered
/usr/sbin/smbd: GENSEC backend 'spnego' registered
/usr/sbin/smbd: GENSEC backend 'schannel' registered
/usr/sbin/smbd: GENSEC backend 'naclrpc_as_system' registered
/usr/sbin/smbd: GENSEC backend 'sasl-EXTERNAL' registered
/usr/sbin/smbd: GENSEC backend 'ntlmssp' registered
/usr/sbin/smbd: GENSEC backend 'ntlmssp_resume_ccache' registered
/usr/sbin/smbd: GENSEC backend 'http_basic' registered
/usr/sbin/smbd: GENSEC backend 'http_ntlm' registered
/usr/sbin/smbd: GENSEC backend 'http_negotiate' registered
/usr/sbin/smbd: GENSEC backend 'krb5' registered
/usr/sbin/smbd: GENSEC backend 'fake_gssapi_krb5' registered
/usr/sbin/smbd: ldb_wrap open of secrets.ldb
/usr/sbin/smbd: AUTH backend 'sam' registered
/usr/sbin/smbd: AUTH backend 'sam_ignoredomain' registered
/usr/sbin/smbd: AUTH backend 'anonymous' registered
/usr/sbin/smbd: AUTH backend 'winbind' registered
/usr/sbin/smbd: AUTH backend 'name_to_ntstatus' registered
/usr/sbin/smbd: AUTH backend 'unix' registered
/usr/sbin/smbd: Selected protocol SMB 2.???
/usr/sbin/smbd: Selected protocol SMB3_11
/usr/sbin/smbd: ldb_wrap open of secrets.ldb

and after

/usr/sbin/smbd: Closing idle connection
/usr/sbin/smbd: got a SHUTDOWN message
/usr/sbin/smbd: Server exit (normal exit)

When I press the Enter key on my client, I see the various backends scroll in the trace

Error reading password from file descriptor 0: empty password
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Error reading password from file descriptor 0: empty password
get_dc_list: preferred server list: "blueyestest.sambadom.calais.fr, *"
get_dc_list: preferred server list: "blueyestest.sambadom.calais.fr, *"
Successfully contacted LDAP server 192.168.22.230
Connected to LDAP server blueyestest.sambadom.calais.fr
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Error reading password from file descriptor 0: empty password
ads_domain_func_level: 4
The machine account already exists in the specified OU.

I probably made a mistake in a configuration file, but I can't find it.

Can I choose the right backend to add the machine immediately without error?

My smb.conf on my client is:

[global]
    security =ADS
    realm = SAMBADOM.CALAIS.FR
    workgroup =SAMBADOM
    netbios name = clientblues2
    winbind separator = /
    winbind enum users = yes
    winbind enum groups = yes
    idmap config * : backend=tdb
    idmap config * : range=1000-2000
    idmap config SAMBADOM : backend = ad
    idmap config SAMBADOM : schema_mode =rfc2307
    idmap config SAMBADOM : range = 10000-600000
    idmap config SAMBADOM : unix_nss_info = yes
    idmap config SAMBADOM : unix_primary_group = yes
    winbind nss info = template
    template homedir =/etudiants/%U
    template shell =/bin/bash
    kerberos method = secrets and keytab
    dedicated keytab file =/etc/krb5.keytab
    winbind refresh tickets =yes
#    username map = /etc/samba/user.map
    winbind use default domain = yes
    log file =/var/log/samba/log.%m
    log level = 5
# for acl support on members servers with shares
    vfs object = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

Thanks for your help

--
Nathalie RAMAT-LECLERCQ
Service Informatique
Universite du Littoral-Côte d'Opale
SCoSI - Service Commun du Système d'Information
Pôle Systèmes et réseaux
Centre de Gestion Universitaire de Calais
50 rue ferdinand Buisson
C.S 80699
62228 CALAIS CEDEX

On 07/11/2019 11:08, nathalie ramat via samba wrote:
> Hello,
>
> I want to add my Linux client to my AD.
>
> I use net ads join -U administrator
> passwd : xxxx
>
> and I wait and I have no response, but if I press the Enter key 8 times,
> my machine is added to my AD but I have this error message: error
> reading from file descriptor 0 : empty password, which comes from the
> server.
>
> I don't understand why.
>
>
> My server is Samba 4.11 and my client uses winbind.

There doesn't seem to be anything wrong with your smb.conf. Were 'smbd', 'nmbd' and 'winbind' running before the join?

Can you download this:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Run it on the Unix domain member and post the output into a reply to this post. Do not attach it; this list strips attachments.

Also, what is the DC? OS and version.

Rowland