[Samba] Samba: ads join to win2003 AD.

s_aiello at comcast.net
Tue Jun 12 15:57:14 GMT 2007


On Monday 11 June 2007 10:57, s_aiello at comcast.net wrote:
> All,
>
> I have a RedHat Enterprise 3 update 5 server. This server has the rpm
> binaries provided from a link off the samba.org site. I am attempting to
> join the AD tree, and getting the error, "NT_STATUS_WRONG_PASSWORD".
>
> smb.conf:
> [global]
> 	workgroup = REMOVEME
> 	realm=REALM
> 	security = ADS
> 	preferred master = no
> 	bind interfaces only = yes
> 	interfaces = eth0
> 	admin users = @REMOVEME+Admin
> 	log level = 1
> 	use spnego = yes
> 	client use spnego = yes
> 	encrypt passwords = yes
> 	deadtime = 15
> 	local master = no
> 	prefered master = no
> 	socket options = TCP_NODELAY
> 	idmap uid = 40000-250000
> 	idmap gid = 40000-250000
> 	winbind enum users = no
> 	winbind enum groups = no
> 	winbind separator = +
> 	winbind use default domain = no
> 	winbind trusted domains only = yes
> 	disable netbios = yes
> 	password server=domainController
> 	wins server = a1.a2.a3.a4 b1.b2.b3.b4
> [temp]
> 	path = /tmp
> 	valid users = @REMOVEME+Admin
> 	public = no
> 	writeable = yes
> 	create mode = 770
> 	directory mode = 770
> 	force user = nobody
> 	force group = nobody
>
> I perform the following commands:
> kinit USER@REALM
> net -d3 ads -UUSER@REALM
>
> And I see the following:
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
> [2007/06/11 10:22:49, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
> Mon, 11 Jun 2007 20:22:48 EDT
> [2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_start_connection(1426)
>   Connecting to host=domainController
> [2007/06/11 10:22:49, 3] lib/util_sock.c:open_socket_out(874)
>   Connecting to 3.170.65.210 at port 445
> [2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(721)
>   Doing spnego session setup (blob length=117)
> [2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
>   got OID=1 2 840 48018 1 2 2
> [2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
>   got OID=1 2 840 113554 1 2 2
> [2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
>   got OID=1 2 840 113554 1 2 2 3
> [2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
>   got OID=1 3 6 1 4 1 311 2 2 10
> [2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(754)
>   got principal=domainController$@REALM
> [2007/06/11 10:22:49, 2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos session
> setup
> [2007/06/11 10:22:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration
> Mon, 11 Jun 2007 20:22:49 EDT
> [2007/06/11 10:22:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
>   rpc_pipe_bind: Remote machine domainController pipe \lsarpc fnum 0xc00f
> bind request returned ok.
> [2007/06/11 10:22:50, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
>   lsa_io_sec_qos: length c does not match size 8
> [2007/06/11 10:22:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
>   rpc_pipe_bind: Remote machine domainController pipe \samr fnum 0xd bind
> request returned ok.
> Failed to set password for machine account (NT_STATUS_WRONG_PASSWORD)
> Failed to join domain!
> [2007/06/11 10:22:50, 2] utils/net.c:main(988)
>   return code = -1
>
> The line, "lsa_io_sec_qos: length c does not match size 8", seems like
> something is funky with my machine trust password. Guessing there is an
> issue with encrypting/decrypting it, or password policy enforcers on the
> 2003 AD server are rejecting the password. Just guessing though; any ideas
> or thoughts are most welcome.
>
> ~Steve

If no one has any ideas on this, does anyone know of any commercial support 
offered for Samba/AD integration? I am looking for someone with in-depth 
knowledge & experience with Samba & AD integration. I looked at the 
samba.org Commercial support page, and the data it contains appears old 
(confirmed with the samba list maintainer that the US list was updated 3 years 
ago). So my question: can anyone refer me to anyone they know that offers 
commercial-grade support? Location would be the Northeast United States, 
ideally Connecticut or upstate New York.

~Steve

