[Samba] Can join ADS domain, all accounts/auth work fine, but leaving domain fails
Mark Casey
markc at unifiedgroup.com
Thu Mar 19 19:19:03 GMT 2009
Hello all,
As the subject says, as far as I can tell everything works on my ADS-integrated
Samba server. Domain accounts can be used for ssh and for accessing shares; I
just can't leave the domain. Here is a successful join command followed by an
unsuccessful leave command at debug level 4.
Any ideas?
TIA,
Mark
user at dordal:~$ sudo net ads join -U administrator at MYDOMAIN.COM -d 4
[2009/03/19 14:00:07, 3] param/loadparm.c:lp_load(5063)
lp_load: refreshing parameters
[2009/03/19 14:00:07, 3] param/loadparm.c:init_globals(1448)
Initialising global parameters
[2009/03/19 14:00:07, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
Processing section "[global]"
doing parameter workgroup = MYDOMAIN
doing parameter realm = MYDOMAIN.COM
doing parameter security = ADS
doing parameter password server = dal-dc1.mydomain.com,
den-dc1.mydomain.com
doing parameter client schannel = Yes
doing parameter server schannel = Yes
doing parameter username map = /etc/samba/smbusers
doing parameter obey pam restrictions = Yes
doing parameter enable privileges = Yes
doing parameter restrict anonymous = 2
doing parameter allow trusted domains = No
doing parameter lanman auth = No
doing parameter ntlm auth = No
doing parameter client NTLMv2 auth = Yes
doing parameter log level = 1
doing parameter syslog = 0
doing parameter min protocol = NT1
doing parameter client signing = Yes
doing parameter server signing = Yes
doing parameter load printers = No
doing parameter preferred master = No
doing parameter local master = No
doing parameter domain master = No
doing parameter dns proxy = No
doing parameter ldap ssl = no
doing parameter host msdfs = No
doing parameter idmap domains = MYDOMAIN
doing parameter idmap alloc backend = ldap
doing parameter template shell = /bin/false
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter winbind use default domain = Yes
doing parameter winbind refresh tickets = Yes
doing parameter idmap alloc config:range = 100000 - 500000
doing parameter idmap alloc config:ldap_url =
ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
doing parameter idmap alloc config:ldap_user_dn =
cn=idmapmgr,cn=users,dc=mydomain,dc=com
doing parameter idmap alloc config:ldap_base_dn =
ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
doing parameter idmap config MYDOMAIN:range = 100000 - 500000
doing parameter idmap config MYDOMAIN:ldap_url =
ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
doing parameter idmap config MYDOMAIN:ldap_user_dn =
cn=idmapmgr,cn=users,dc=mydomain,dc=com
doing parameter idmap config MYDOMAIN:ldap_base_dn =
ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
doing parameter idmap config MYDOMAIN:backend = ldap
doing parameter idmap config MYDOMAIN:default = yes
doing parameter hosts allow = 10.0.0.0/255.255.254.0
10.1.0.0/255.255.254.0
doing parameter map acl inherit = No
doing parameter hide special files = Yes
doing parameter map archive = No
doing parameter map readonly = No
doing parameter map system = No
doing parameter map hidden = No
doing parameter ea support = No
doing parameter store dos attributes = No
doing parameter wide links = No
doing parameter follow symlinks = No
doing parameter dos filemode = No
doing parameter add share command = /etc/samba/command.pl
doing parameter delete share command = /etc/samba/command.pl
doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:00:07, 4] param/loadparm.c:lp_load(5094)
pm_process() returned Yes
[2009/03/19 14:00:07, 2] lib/interface.c:add_interface(81)
added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(73)
ads_dc_name: domain=MYDOMAIN
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com,
den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com,
den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com,
den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(139)
ads_dc_name: using server='DAL-DC1.MYDOMAIN.COM' IP=10.0.1.30
administrator at MYDOMAIN.COM's password:
[2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com,
den-dc1.mydomain.com"
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com,
den-dc1.mydomain.com"
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
Connecting to host=DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
Connecting to 10.0.1.30 at port 445
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(795)
Doing spnego session setup (blob length=113)
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(828)
got principal=dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:00:14, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(615)
Doing kerberos session setup
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \lsarpc fnum
0x10 bind request returned ok.
[2009/03/19 14:00:14, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
lsa_io_sec_qos: length c does not match size 8
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \samr fnum
0x1e bind request returned ok.
Using short domain name -- MYDOMAIN
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
Connecting to host=DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
Connecting to 10.0.1.30 at port 445
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON fnum
0x400a bind request returned ok.
[2009/03/19 14:00:14, 4] rpc_client/cli_netlogon.c:rpccli_net_req_chal(46)
cli_net_req_chal: LSA Request Challenge from DORDAL to
\\DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 4] rpc_client/cli_netlogon.c:rpccli_net_auth2(170)
cli_net_auth2: srv:\\DAL-DC1.mydomain.com acct:DORDAL$ sc:2 mc: DORDAL
neg: 600fffff
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON fnum
0x400b bind request returned ok.
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_domain_func_level(2471)
ads_domain_func_level: 2
[2009/03/19 14:00:14, 3]
libads/kerberos.c:kerberos_secrets_store_des_salt(337)
kerberos_secrets_store_des_salt: Storing salt
"host/dordal.mydomain.com at MYDOMAIN.COM"
[2009/03/19 14:00:14, 4] libads/dns.c:ads_dns_lookup_ns(508)
ads_dns_lookup_ns: 2 records returned in the answer section.
Joined 'DORDAL' to realm 'MYDOMAIN.COM'
[2009/03/19 14:00:14, 2] utils/net.c:main(1046)
return code = 0
user at dordal:~$ sudo net ads leave -U administrator at MYDOMAIN.COM -d 4
[2009/03/19 14:02:44, 3] param/loadparm.c:lp_load(5063)
lp_load: refreshing parameters
[2009/03/19 14:02:44, 3] param/loadparm.c:init_globals(1448)
Initialising global parameters
[2009/03/19 14:02:44, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2009/03/19 14:02:44, 3] param/loadparm.c:do_section(3802)
Processing section "[global]"
doing parameter workgroup = MYDOMAIN
doing parameter realm = MYDOMAIN.COM
doing parameter security = ADS
doing parameter password server = dal-dc1.MYDOMAIN.com,
den-dc1.MYDOMAIN.com
doing parameter client schannel = Yes
doing parameter server schannel = Yes
doing parameter username map = /etc/samba/smbusers
doing parameter obey pam restrictions = Yes
doing parameter enable privileges = Yes
doing parameter restrict anonymous = 2
doing parameter allow trusted domains = No
doing parameter lanman auth = No
doing parameter ntlm auth = No
doing parameter client NTLMv2 auth = Yes
doing parameter log level = 1
doing parameter syslog = 0
doing parameter min protocol = NT1
doing parameter client signing = Yes
doing parameter server signing = Yes
doing parameter load printers = No
doing parameter preferred master = No
doing parameter local master = No
doing parameter domain master = No
doing parameter dns proxy = No
doing parameter ldap ssl = no
doing parameter host msdfs = No
doing parameter idmap domains = MYDOMAIN
doing parameter idmap alloc backend = ldap
doing parameter template shell = /bin/false
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter winbind use default domain = Yes
doing parameter winbind refresh tickets = Yes
doing parameter idmap alloc config:range = 100000 - 500000
doing parameter idmap alloc config:ldap_url =
ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
doing parameter idmap alloc config:ldap_user_dn =
cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
doing parameter idmap alloc config:ldap_base_dn =
ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
doing parameter idmap config MYDOMAIN:range = 100000 - 500000
doing parameter idmap config MYDOMAIN:ldap_url =
ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
doing parameter idmap config MYDOMAIN:ldap_user_dn =
cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
doing parameter idmap config MYDOMAIN:ldap_base_dn =
ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
doing parameter idmap config MYDOMAIN:backend = ldap
doing parameter idmap config MYDOMAIN:default = yes
doing parameter hosts allow = 10.0.0.0/255.255.254.0
10.1.0.0/255.255.254.0
doing parameter map acl inherit = No
doing parameter hide special files = Yes
doing parameter map archive = No
doing parameter map readonly = No
doing parameter map system = No
doing parameter map hidden = No
doing parameter ea support = No
doing parameter store dos attributes = No
doing parameter wide links = No
doing parameter follow symlinks = No
doing parameter dos filemode = No
doing parameter add share command = /etc/samba/command.pl
doing parameter delete share command = /etc/samba/command.pl
doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:02:44, 4] param/loadparm.c:lp_load(5094)
pm_process() returned Yes
[2009/03/19 14:02:44, 2] lib/interface.c:add_interface(81)
added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
administrator at MYDOMAIN.COM's password:
[2009/03/19 14:02:47, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com,
den-dc1.MYDOMAIN.com"
[2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:02:47, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:47, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:02:47, 4] libads/sasl.c:ads_sasl_bind(587)
Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:02:47, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-dc1$@MYDOMAIN.COM
(Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com,
den-dc1.MYDOMAIN.com"
[2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:02:48, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:48, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:02:48, 4] libads/sasl.c:ads_sasl_bind(587)
Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-dc1$@MYDOMAIN.COM
(Ticket not yet valid)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-dc1$@MYDOMAIN.COM
(Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 2] utils/net.c:main(1046)
return code = -1