[Samba] Samba: ads join to win2003 AD.
s_aiello at comcast.net
Mon Jun 11 14:57:38 GMT 2007
All,
I have a RedHat Enterprise 3 update 5 server. This server has the rpm binaries
provided from a link off the samba.org site. I am attempting to join the AD
tree, and getting the error, "NT_STATUS_WRONG_PASSWORD".
smb.conf:
[global]
workgroup = REMOVEME
realm=REALM
security = ADS
preferred master = no
bind interfaces only = yes
interfaces = eth0
admin users = @REMOVEME+Admin
log level = 1
use spnego = yes
client use spnego = yes
encrypt passwords = yes
deadtime = 15
local master = no
prefered master = no
socket options = TCP_NODELAY
idmap uid = 40000-250000
idmap gid = 40000-250000
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = no
winbind trusted domains only = yes
disable netbios = yes
password server=domainController
wins server = a1.a2.a3.a4 b1.b2.b3.b4
[temp]
path = /tmp
valid users = @REMOVEME+Admin
public = no
writeable = yes
create mode = 770
directory mode = 770
force user = nobody
force group = nobody
I perform the following commands:
kinit USER@REALM
net -d3 ads -UUSER@REALM
And I see the following:
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/06/11 10:22:49, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Mon,
11 Jun 2007 20:22:48 EDT
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_start_connection(1426)
Connecting to host=domainController
[2007/06/11 10:22:49, 3] lib/util_sock.c:open_socket_out(874)
Connecting to 3.170.65.210 at port 445
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(721)
Doing spnego session setup (blob length=117)
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
got OID=1 2 840 48018 1 2 2
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
got OID=1 2 840 113554 1 2 2
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
got OID=1 2 840 113554 1 2 2 3
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
got OID=1 3 6 1 4 1 311 2 2 10
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(754)
got principal=domainController$@REALM
[2007/06/11 10:22:49, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(546)
Doing kerberos session setup
[2007/06/11 10:22:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration
Mon, 11 Jun 2007 20:22:49 EDT
[2007/06/11 10:22:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine domainController pipe \lsarpc fnum 0xc00f bind
request returned ok.
[2007/06/11 10:22:50, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
lsa_io_sec_qos: length c does not match size 8
[2007/06/11 10:22:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine domainController pipe \samr fnum 0xd bind
request returned ok.
Failed to set password for machine account (NT_STATUS_WRONG_PASSWORD)
Failed to join domain!
[2007/06/11 10:22:50, 2] utils/net.c:main(988)
return code = -1
The line, "lsa_io_sec_qos: length c does not match size 8", seems like
something is funky with my machine trust password. Guessing there is an
issue with encrypting/decrypting it, or password policy enforcers on the 2003
AD server are rejecting the password. Just guessing though. Any ideas or
thoughts are most welcome.
~Steve
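
An added example, not part of the original post and not Samba code: a small Python triage of `net -d3 ads` debug output like the log above, showing which SPNEGO mechanisms the server offered, whether Kerberos session setup was attempted, which RPC pipes appear in bind lines, and where the join failed. The function name `triage` and the `SAMPLE` excerpt are constructed for illustration.

```python
import re

# SPNEGO mechanism OIDs in the space-separated form Samba logs them.
MECHS = {
    "1 2 840 48018 1 2 2": "Kerberos 5 (Microsoft legacy OID)",
    "1 2 840 113554 1 2 2": "Kerberos 5",
    "1 2 840 113554 1 2 2 3": "Kerberos 5 user-to-user",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}

# Constructed sample: lines copied from the debug output in the post above.
SAMPLE = r"""[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
got OID=1 2 840 48018 1 2 2
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
got OID=1 3 6 1 4 1 311 2 2 10
[2007/06/11 10:22:49, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(546)
Doing kerberos session setup
[2007/06/11 10:22:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine domainController pipe \lsarpc fnum 0xc00f bind
request returned ok.
[2007/06/11 10:22:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine domainController pipe \samr fnum 0xd bind
request returned ok.
Failed to set password for machine account (NT_STATUS_WRONG_PASSWORD)
Failed to join domain!
"""

def triage(log):
    """Summarise how far a 'net ads' join debug log got before failing."""
    out = {"mechs": [], "kerberos": False, "pipes": [], "failures": [], "status": []}
    for line in log.splitlines():
        line = line.strip()
        oid = re.match(r"got OID=([\d ]+)$", line)
        pipe = re.search(r"pipe \\(\w+) fnum", line)  # pipe named in a bind line
        if oid:
            arcs = oid.group(1).strip()
            out["mechs"].append(MECHS.get(arcs, "unknown OID " + arcs))
        elif pipe:
            out["pipes"].append(pipe.group(1))
        elif line == "Doing kerberos session setup":
            out["kerberos"] = True
        elif line.startswith("Failed"):
            out["failures"].append(line)
            out["status"] += re.findall(r"NT_STATUS_\w+", line)
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```

On the sample, the summary places the only failure lines after the `\lsarpc` and `\samr` bind lines, at the machine-account password step.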