[Samba] Failure to add computer to domain
Michał Półrolniczak
michal.polrolniczak at warp.org.pl
Thu Aug 7 01:31:37 MDT 2014
smb.conf:
# Global parameters
[global]
workgroup = WARP
realm = WARP.LOCAL
netbios name = ARNE
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
log level = 3
[netlogon]
path = /var/lib/samba/sysvol/warp.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
when adding computer using administrator account (which results in bad
password)
[2014/08/07 09:20:49.320465, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ administrator at warp.local from
ipv4:192.168.0.176:49238 for krbtgt/warp.local at warp.local
[2014/08/07 09:20:49.322424, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 128
[2014/08/07 09:20:49.322598, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(ietf) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.322760, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(win2k) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.322919, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- administrator at warp.local
[2014/08/07 09:20:49.323085, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2014/08/07 09:20:49.324080, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/08/07 09:20:49.324262, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/08/07 09:20:49.324976, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ administrator at warp.local from
ipv4:192.168.0.176:49239 for krbtgt/warp.local at warp.local
[2014/08/07 09:20:49.326476, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: ENC-TS, 128
[2014/08/07 09:20:49.326647, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(ietf) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.326807, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(win2k) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.326964, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- administrator at warp.local
[2014/08/07 09:20:49.327165, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- administrator at warp.local
(enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2014/08/07 09:20:49.327339, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2014/08/07 09:20:49.329944, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/08/07 09:20:49.330184, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/08/07 09:20:49.414220, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ administrator at warp.local from
ipv4:192.168.0.176:49242 for krbtgt/warp.local at warp.local
[2014/08/07 09:20:49.415712, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 128
[2014/08/07 09:20:49.415885, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(ietf) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.416080, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(win2k) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.416238, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- administrator at warp.local
[2014/08/07 09:20:49.416432, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2014/08/07 09:20:49.417160, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/08/07 09:20:49.417404, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/08/07 09:20:49.418160, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ administrator at warp.local from
ipv4:192.168.0.176:49243 for krbtgt/warp.local at warp.local
[2014/08/07 09:20:49.419537, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: ENC-TS, 128
[2014/08/07 09:20:49.419704, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(ietf) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.419862, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(win2k) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.420020, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- administrator at warp.local
[2014/08/07 09:20:49.420192, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- administrator at warp.local
(enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2014/08/07 09:20:49.420357, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2014/08/07 09:20:49.422859, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/08/07 09:20:49.423077, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/08/07 09:20:49.625934, 2]
../source4/dns_server/dns_query.c:627(dns_server_process_query_send)
Not authoritative for 'harvester.pianomedia.eu', forwarding
[2014/08/07 09:20:49.683865, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ administrator at warp.local from
ipv4:192.168.0.176:49245 for krbtgt/warp.local at warp.local
[2014/08/07 09:20:49.685612, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 128
[2014/08/07 09:20:49.685782, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(ietf) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.685942, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(win2k) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.686157, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- administrator at warp.local
[2014/08/07 09:20:49.686323, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2014/08/07 09:20:49.686988, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/08/07 09:20:49.687162, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/08/07 09:20:49.687847, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ administrator at warp.local from
ipv4:192.168.0.176:49246 for krbtgt/warp.local at warp.local
[2014/08/07 09:20:49.689229, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: ENC-TS, 128
[2014/08/07 09:20:49.689408, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(ietf) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.689567, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PK-INIT(win2k) pa-data -- administrator at warp.local
[2014/08/07 09:20:49.689724, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- administrator at warp.local
[2014/08/07 09:20:49.689900, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- administrator at warp.local
(enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2014/08/07 09:20:49.690127, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2014/08/07 09:20:49.692293, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/08/07 09:20:49.692501, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Looking at log i notice kerberos Realms are in lowercase, I change
domain name to Upercase and computer Did connect to domain, but wont
allow anyone from domain to log on: bad password (same as adding to
lowercase domain with @domain)
Basicly it doesn't add computer to 'domain' or 'domain.local' using
'administrator' account,
but will add to 'DOMAIN.LOCAL' using 'administrator' or will add to
'domain' using 'administrator at domain'
All other computers were added and are using 'domain' or 'domain.local'
and 'administrator'
W dniu 2014-08-07 o 08:43, steve pisze:
> On Thu, 2014-08-07 at 07:57 +0200, Michał Półrolniczak wrote:
>> This is another computer which we have similar problem.
>> This is freshly installed windows 8.1 pro.
>>
>> When trying to add to domain, entering good login (administrator) and
>> password results in "Logon failure: unknown user name or bad password".
>> Password works on on other machines and kerberos. I can ping domain.
> So you can't add the computer to the domain...
>> I can add this computer to AD by typing login: administrator at domain, and
>> passwords is accepted.
> But now you can?
>
> Do you have a Samba4 domain controller? Can you post smb.conf? The error
> log?
>
More information about the samba
mailing list