[Samba] Joining a win2k3 ads fails

herman herman at aeronetworks.ca
Fri Nov 9 19:24:13 GMT 2007


Hmm, you have a whole bunch of stuff in smb.conf that I would not put 
there.  Some of them may be obsolete and won't matter, but whether it 
will break things is hard to tell.  I think you should look at the 
Official Howto and pare the settings down to the bare necessities, then 
try again. 

Also have a look at my guide here:
http://www.aeronetworks.ca/LinuxActiveDirectory.html

I have found that KISS is a very important principle with ADS.  Make an 
OU for your Linux users, define your groups and users in that OU, then 
apply security policies to the OU and don't reference anything outside 
the OU.

Also note that it is possible to do things in ADS that you are not 
supposed to do, which can cause Winbind to get its balls in a twist.  In 
general, don't rename records, don't drag records from one OU to another 
OU, don't make a user in one OU a member of a group in another OU.  You 
are not supposed to do those things and it may cause ADS to complain, 
but while WinXP clients will still work, Winbind will blow up.  The only 
way to fix it is to find the offending records and delete them, but how 
to find them?  It is a situation that is best avoided!

Cheers,

Herman


Lex Brugman wrote:
> Hello,
>
> I'm trying to join a win2k3 ADS domain using a working config on a Debian 'Lenny' (ARM processor) from another machine running Gentoo (x86 processor) (only changed the netbios name).
>
> Samba versions are 3.0.26a on both the machines.
> I'm pretty sure this is not a Kerberos or LDAP problem; does anyone have a clue what else it could be?
>
>
> # net -d 3 ads join -U administrator
> [2007/11/07 23:31:00, 3] param/loadparm.c:lp_load(5039)
>   lp_load: refreshing parameters
> [2007/11/07 23:31:00, 3] param/loadparm.c:init_globals(1438)
>   Initialising global parameters
> [2007/11/07 23:31:00, 3] param/params.c:pm_process(572)
>   params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> [2007/11/07 23:31:00, 3] param/loadparm.c:do_section(3778)
>   Processing section "[global]"
> [2007/11/07 23:31:01, 3] param/params.c:pm_process(572)
>   params.c:pm_process() - Processing configuration file "/etc/samba/dhcp.conf"
> [2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
>   added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> [2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
>   added interface ip=10.0.0.22 bcast=10.0.0.255 nmask=255.255.255.0
> [2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
> [2007/11/07 23:31:02, 3] libads/ldap.c:ads_connect(394)
>   Connected to LDAP server 10.0.0.2
> [2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
> [2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
> administrator's password:
> [2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
> [2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
>   Connected to LDAP server 10.0.0.2
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
>   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
>   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
>   ads_sasl_spnego_bind: got server principal name = server2$@THUIS.LOCAL
> [2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
> [2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 08 Nov 2007 09:31:23 CET
> [2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
> [2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
>   Connected to LDAP server 10.0.0.2
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
>   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
>   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
>   ads_sasl_spnego_bind: got server principal name = server2$@THUIS.LOCAL
> [2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 08 Nov 2007 09:31:23 CET
> [2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_start_connection(1509)
>   Connecting to host=server2.thuis.local
> [2007/11/07 23:31:05, 3] lib/util_sock.c:open_socket_out(874)
>   Connecting to 10.0.0.2 at port 445
> [2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(793)
>   Doing spnego session setup (blob length=108)
> [2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
>   got OID=1 2 840 48018 1 2 2
> [2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
>   got OID=1 2 840 113554 1 2 2
> [2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
>   got OID=1 2 840 113554 1 2 2 3
> [2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
>   got OID=1 3 6 1 4 1 311 2 2 10
> [2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
>   got principal=server2$@THUIS.LOCAL
> [2007/11/07 23:31:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(613)
>   Doing kerberos session setup
> [2007/11/07 23:31:06, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 08 Nov 2007 09:31:23 CET
> [2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
>   rpc_pipe_bind: Remote machine server2.thuis.local pipe \lsarpc fnum 0x8001 bind request returned ok.
> [2007/11/07 23:31:06, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
>   lsa_io_sec_qos: length c does not match size 8
> [2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
>   rpc_pipe_bind: Remote machine server2.thuis.local pipe \samr fnum 0xa bind request returned ok.
> [2007/11/07 23:31:06, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
>   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_NDR received from remote machine server2.thuis.local pipe \samr fnum 0xa!
> [2007/11/07 23:31:06, 1] utils/net_ads.c:net_ads_join(1548)
>   call of net_join_domain failed: NT code 0x000006f7
> Failed to join domain: NT code 0x000006f7
> [2007/11/07 23:31:06, 2] utils/net.c:main(1036)
>   return code = -1
>
>
> smb.conf (relevant part only):
> [global]
> #       log level = 5
>         enable privileges = Yes
>         username map = /etc/samba/smbusers
>         allow trusted domains = No
>         idmap uid = 20000-30000
>         idmap gid = 20000-30000
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind separator = +
>         winbind use default domain = Yes
>         winbind offline logon = Yes
>         winbind refresh tickets = Yes
>         use kerberos keytab = Yes
>         winbind nss info = template
>         template homedir = /home/%U
>         template shell = /bin/bash
>         client use spnego = Yes
>         obey pam restrictions = No
>         password server = thuis.local
>         null passwords = No
>         server signing = Auto
>         client signing = Auto
>         lm announce = No
>         deadtime = 15
>         encrypt passwords = Yes
>         workgroup = THUIS
>         realm = THUIS.LOCAL
>         netbios name = BACKUP
>         server string = Samba on %L
>         interfaces = lo eth0
>         bind interfaces only = Yes
>         hosts deny = 0.0.0.0/0
>         hosts allow = 10.0.0.0/24 127.0.0.1
>         os level = 20
>         wins support = No
>         # get wins server address from dhcp
>         include = /etc/samba/dhcp.conf
>         name resolve order = wins lmhosts hosts bcast
>         preferred master = No
>         load printers = No
>         log file = /var/log/samba/log.%m
>         max log size = 0
>         security = ads
>         socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         dns proxy = No
>         time server = No
>         hide dot files = Yes
>         username level = 1
>         admin users = @%D%w"Domain Admins"
>         guest ok = No
>         public = No
>         valid users = @%D%w"Domain Admins" @%D%w"Domain Power Users" @%D%w"Domain Users" @%D%w"Domain Controllers" @%D%w"Domain Computers"
>
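Reading a `net -d 3 ads join` trace like the one quoted above by eye is tedious, and the interesting part is always the same: which RPC pipes bound, where the first fault landed, and what the final status code is. The script below is an added example for this thread; it is not Samba code and not part of either poster's message. It parses Samba 3.0 debug output (a `[date time, level] file:function(line)` header followed by indented message lines) into records, extracts the DCE/RPC bind/fault chain, flags parse-layer size-mismatch warnings, and decodes the `NT code` that `net` printed. The sample log is constructed from the lines quoted above with the mail-wrapped lines re-joined; the fault-code table is a small subset of Samba's DCE/RPC fault definitions, with the Win32 name for the same number noted in a comment.

```python
"""Triage a failed `net -d 3 ads join` trace (added example, not Samba code)."""
import re

# Samba debug header: "[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]\s*"
    r"(?P<where>\S+\(\d+\))\s*$"
)
BIND_RE = re.compile(
    r"rpc_pipe_bind: Remote machine (\S+) pipe (\S+) fnum (0x[0-9a-f]+) "
    r"bind request returned (\w+)"
)
FAULT_RE = re.compile(r"RPC fault code (\w+) received from remote machine (\S+) pipe (\S+) fnum")
NTCODE_RE = re.compile(r"NT code (0x[0-9a-fA-F]{8})")

# Subset of Samba's DCE/RPC fault codes (rpc_dce.h). 0x6f7 is decimal 1783,
# which Win32 names RPC_X_BAD_STUB_DATA: the server rejected the marshalled
# request, and net reports the fault value unchanged as an "NT code".
DCERPC_FAULTS = {
    0x000006F7: "DCERPC_FAULT_NDR",
    0x1C010002: "DCERPC_FAULT_OP_RNG_ERROR",
    0x1C010003: "DCERPC_FAULT_UNK_IF",
    0x00000005: "DCERPC_FAULT_ACCESS_DENIED",
}

# Constructed sample: the tail of the trace quoted in the thread, re-joined.
SAMPLE_LOG = r"""[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine server2.thuis.local pipe \lsarpc fnum 0x8001 bind request returned ok.
[2007/11/07 23:31:06, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine server2.thuis.local pipe \samr fnum 0xa bind request returned ok.
[2007/11/07 23:31:06, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_NDR received from remote machine server2.thuis.local pipe \samr fnum 0xa!
[2007/11/07 23:31:06, 1] utils/net_ads.c:net_ads_join(1548)
  call of net_join_domain failed: NT code 0x000006f7
Failed to join domain: NT code 0x000006f7
[2007/11/07 23:31:06, 2] utils/net.c:main(1036)
  return code = -1
"""


def parse_debug_log(text):
    """Group debug output into records: a header owns the indented lines that
    follow it; un-indented lines outside any header (the final summary that
    net prints to stdout) become level-less records."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "where": m["where"], "message": ""})
        elif raw.startswith((" ", "\t")) and records and records[-1]["where"]:
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + raw.strip()).strip()
        elif raw.strip():
            records.append({"ts": None, "level": None, "where": None,
                            "message": raw.strip()})
    return records


def rpc_chain(records):
    """Ordered list of (pipe, event) for successful binds and RPC faults."""
    chain = []
    for rec in records:
        m = BIND_RE.search(rec["message"])
        if m:
            chain.append((m.group(2), "bind " + m.group(4)))
            continue
        m = FAULT_RE.search(rec["message"])
        if m:
            chain.append((m.group(3), "fault " + m.group(1)))
    return chain


def marshalling_warnings(records):
    """Parse-layer complaints (wire length != expected struct size) that
    precede an NDR fault; these point at the marshalling, not at Kerberos."""
    return [r["message"] for r in records if "does not match size" in r["message"]]


def final_status(records):
    """Last 'NT code 0x........' in the trace, or None if the join succeeded."""
    for rec in reversed(records):
        m = NTCODE_RE.search(rec["message"])
        if m:
            return m.group(1)
    return None


def decode_nt_code(code):
    """Return (decimal value, fault name or 'unknown') for an 'NT code' string."""
    value = int(code, 16)
    return value, DCERPC_FAULTS.get(value, "unknown")


def summarize(text):
    """One-shot triage: how far the join got, what complained, how it ended."""
    records = parse_debug_log(text)
    code = final_status(records)
    return {
        "rpc_chain": rpc_chain(records),
        "marshalling_warnings": marshalling_warnings(records),
        "nt_code": code,
        "decoded": decode_nt_code(code) if code else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real trace with `net -d 3 ads join -U administrator 2>&1 | python3 triage.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the output for the quoted trace shows `\lsarpc` and `\samr` both binding and the fault arriving on `\samr` right after the `lsa_io_sec_qos` size mismatch, which is the part of the trace worth looking at before touching Kerberos or LDAP settings.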


