Fwd: [Samba] Joining a SAMBA 4 TP4 Active Directory with WinXP

Mag. Leonhard Landrock 1977-Hamlet at gmx.at
Mon Feb 12 21:01:57 GMT 2007


On Monday, 12 February 2007 14:43, paul wrote:
> Mag. Leonhard Landrock wrote:
> > *) Start a virtual machine with WinXP SP2 and trying to join the domain
> > LEOSENDE.FUN.
> >
> > The last point (joining the domain) doesn't work. I try the username
> > Administrator and the password as set with "./setup/provision" but it
> > doesn't work. I simply get unknown username or wrong password.
>
> Hi, my preliminary checklist:
>
> - make sure XP has the samba4 server setup as dns server

Checked and OK: XP has the samba4 server set up as dns server :-)

> - check dns for the various _ldap._tcp entries from XP

I'm not quite sure how I should do that. I tried nslookup but didn't get an IP 
address in response.

> - start samba with smbd -i -d3 or higher and check the debug messages

That makes sense. Thank you!

Ooops! Seems like a problem with the time (UTC vs. local time). Kerberos says 
that the time skew is too great.

Here comes the output:

"Initialising global parameters
lp_load: refreshing parameters from /usr/local/samba/etc/samba/smb.conf
params.c:pm_process() - Processing configuration 
file "/usr/local/samba/etc/samba/smb.conf"
Processing section "[globals]"
Processing section "[test]"
adding hidden service IPC$
adding hidden service ADMIN$
smbd version 4.0.0tp4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
SHARE backend [ldb] registered.
SHARE backend [classic] registered.
AUTH backend 'winbind_samba3' registered
AUTH backend 'winbind' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'fixed_challenge' registered
AUTH backend 'unix' registered
AUTH backend 'anonymous' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
GENSEC backend 'krb5' registered
gensec subsystem fake_gssapi_krb5 is disabled
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
gensec subsystem gssapi_spnego is disabled
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'ntlmssp' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'simple' for type 0 registered
NTVFS backend 'cifs' for type 0 registered
NTVFS backend 'nbench' for type 0 registered
NTVFS backend 'unixuid' for type 0 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifsposix' for type 0 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'xattr' registered
NTVFS backend 'nfs4acl' registered
NTVFS backend 'default' for type 1 registered
NTVFS backend 'default' for type 0 registered
NTVFS backend 'posix' for type 0 registered
PROCESS_MODEL 'standard' registered
PROCESS_MODEL 'single' registered
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
smbd: using 'standard' process model
added interface ip=10.0.0.123 nmask=255.255.255.0
added interface ip=192.168.1.123 nmask=255.255.255.0
Received dgram packet of length 230 from 192.168.1.100:138
Browse LocalMasterAnnouncement (Op 15) on 'FUN<1e>' '\MAILSLOT\BROWSE' from 
192.168.1.100:138
Received dgram packet of length 230 from 10.0.0.125:138
Browse LocalMasterAnnouncement (Op 15) on 'FUN<1e>' '\MAILSLOT\BROWSE' from 
10.0.0.125:138
Received dgram packet of length 230 from 10.0.0.125:138
Browse LocalMasterAnnouncement (Op 15) on 'FUN<1e>' '\MAILSLOT\BROWSE' from 
10.0.0.125:138
Received dgram packet of length 210 from 192.168.1.100:138
Browse DomainAnnouncement (Op 12) 
on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 192.168.1.100:138
Received dgram packet of length 210 from 10.0.0.125:138
Browse DomainAnnouncement (Op 12) 
on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 10.0.0.125:138
Received dgram packet of length 210 from 10.0.0.125:138
Browse DomainAnnouncement (Op 12) 
on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 10.0.0.125:138
Received dgram packet of length 230 from 192.168.1.100:138
Browse LocalMasterAnnouncement (Op 15) on 'FUN<1e>' '\MAILSLOT\BROWSE' from 
192.168.1.100:138
Received dgram packet of length 210 from 192.168.1.100:138
Browse DomainAnnouncement (Op 12) 
on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 192.168.1.100:138
added interface ip=10.0.0.123 nmask=255.255.255.0
added interface ip=192.168.1.123 nmask=255.255.255.0
added interface ip=10.0.0.123 nmask=255.255.255.0
added interface ip=192.168.1.123 nmask=255.255.255.0
Registered DEBIAN<00> with 192.168.1.123 on interface 192.168.1.255
Registered DEBIAN<00> with 10.0.0.123 on interface 10.0.0.255
Registered DEBIAN<03> with 192.168.1.123 on interface 192.168.1.255
Registered DEBIAN<03> with 10.0.0.123 on interface 10.0.0.255
Registered DEBIAN<20> with 192.168.1.123 on interface 192.168.1.255
Registered DEBIAN<20> with 10.0.0.123 on interface 10.0.0.255
Registered LEOSENDE<1b> with 192.168.1.123 on interface 192.168.1.255
Registered LEOSENDE<1b> with 10.0.0.123 on interface 10.0.0.255
Registered LEOSENDE<1c> with 192.168.1.123 on interface 192.168.1.255
Registered LEOSENDE<1c> with 10.0.0.123 on interface 10.0.0.255
Registered LEOSENDE<00> with 192.168.1.123 on interface 192.168.1.255
Registered LEOSENDE<00> with 10.0.0.123 on interface 10.0.0.255
Received cldap packet of length 133 from 10.0.0.101:1129
Received cldap packet of length 133 from 10.0.0.101:1131
Received cldap packet of length 180 from 10.0.0.101:1132
Received cldap packet of length 180 from 10.0.0.101:1133
using SPNEGO
Selected protocol [5][NT LM 0.12]
Kerberos: AS-REQ Administrator at leosende.fun from 10.0.0.101 for 
krbtgt/leosende.fun at leosende.fun
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator at leosende.fun
Kerberos: Looking for ENC-TS pa-data -- Administrator at leosende.fun
Kerberos: Too large time skew, client time 2007-02-12T21:50:57 is out by 3673 
> 300 seconds -- Administrator at leosende.fun
Kerberos: AS-REQ Administrator at leosende.fun from 10.0.0.101 for 
krbtgt/leosende.fun at leosende.fun
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator at leosende.fun
Kerberos: Looking for ENC-TS pa-data -- Administrator at leosende.fun
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at leosende.fun 
using arcfour-hmac-md5
Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128, 
des-cbc-md5, des-cbc-crc, 24, -135
Kerberos: Using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
Kerberos: Requested flags: renewable_ok, canonicalize, renewable, forwardable
Kerberos: AS-REQ authtime: 2007-02-12T22:52:10 starttime: unset endtime: 
2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
Kerberos: Failed to verify AP-REQ: Clock skew too great
Kerberos: Failed parsing TGS-REQ from 10.0.0.101
Kerberos: TGS-REQ Administrator at LEOSENDE.FUN from 10.0.0.101 for 
cifs/debian.leosende.fun at LEOSENDE.FUN [renewable, forwardable]
Kerberos: TGS-REQ authtime: 2007-02-12T22:52:10 starttime: 2007-02-12T22:52:10 
endtime: 2037-09-13T04:48:05 renew till: unset
Kerberos: TGS-REQ Administrator at LEOSENDE.FUN from 10.0.0.101 for 
krbtgt/LEOSENDE.FUN at LEOSENDE.FUN [renewable_ok, canonicalize, renewable, 
forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2007-02-12T22:52:10 starttime: 2007-02-12T22:52:10 
endtime: 2037-09-13T04:48:05 renew till: unset
GSS Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Clock 
skew too great
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
standard_terminate: reason[NT_STATUS_END_OF_FILE]
using SPNEGO
Selected protocol [5][NT LM 0.12]
Got NTLMSSP neg_flags=0xe2088297
Got user=[] domain=[] workstation=[MAG-CD33C6A59BB] len1=1 len2=0
auth_check_password_send:  Checking password for unmapped user 
[]\[]@[MAG-CD33C6A59BB]
auth_check_password_send:  mapped user is: [LEOSENDE]\[]@[MAG-CD33C6A59BB]
10.0.0.101 closed connection to service IPC$
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Received cldap packet of length 133 from 10.0.0.101:1144
Received cldap packet of length 180 from 10.0.0.101:1145
Received cldap packet of length 180 from 10.0.0.101:1146
using SPNEGO
Selected protocol [5][NT LM 0.12]
Kerberos: AS-REQ Administrator at leosende.fun from 10.0.0.101 for 
krbtgt/leosende.fun at leosende.fun
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator at leosende.fun
Kerberos: Looking for ENC-TS pa-data -- Administrator at leosende.fun
Kerberos: Too large time skew, client time 2007-02-12T21:51:00 is out by 3673 
> 300 seconds -- Administrator at leosende.fun
Kerberos: AS-REQ Administrator at leosende.fun from 10.0.0.101 for 
krbtgt/leosende.fun at leosende.fun
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator at leosende.fun
Kerberos: Looking for ENC-TS pa-data -- Administrator at leosende.fun
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at leosende.fun 
using arcfour-hmac-md5
Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128, 
des-cbc-md5, des-cbc-crc, 24, -135
Kerberos: Using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
Kerberos: Requested flags: renewable_ok, canonicalize, renewable, forwardable
Kerberos: AS-REQ authtime: 2007-02-12T22:52:13 starttime: unset endtime: 
2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
Kerberos: Failed to verify AP-REQ: Clock skew too great
Kerberos: Failed parsing TGS-REQ from 10.0.0.101
Kerberos: TGS-REQ Administrator at LEOSENDE.FUN from 10.0.0.101 for 
cifs/debian.leosende.fun at LEOSENDE.FUN [renewable, forwardable]
Kerberos: TGS-REQ authtime: 2007-02-12T22:52:13 starttime: 2007-02-12T22:52:13 
endtime: 2037-09-13T04:48:05 renew till: unset
Kerberos: TGS-REQ Administrator at LEOSENDE.FUN from 10.0.0.101 for 
krbtgt/LEOSENDE.FUN at LEOSENDE.FUN [renewable_ok, canonicalize, renewable, 
forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2007-02-12T22:52:13 starttime: 2007-02-12T22:52:13 
endtime: 2037-09-13T04:48:05 renew till: unset
GSS Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Clock 
skew too great
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
standard_terminate: reason[NT_STATUS_END_OF_FILE]"

> - for w2k I had to add arcfour-hmac-md5 enctype to
> $PREFIX/private/secrets.keytab, to change this edit your krb5.conf and
> reprovision or put "credentials_update_all_keytabs();" in a file and run
> it with smbscript (thanks to abartlet for this), you can check the
> content of the keytab with "ktutil -k private/secrets.keytab list".

OK.

> - vista wants aes256-cts-hmac-sha1-96 but still doesn't work ;(

Well ...

> - post debug output to #samba-technical or here, so ppl could make more
> educated guesses than this one.

See above.

> hope this helps

I've found one error at least. :-)

>  Paul

Leonhard.


> BTW: Is there documentation for the various ejs functions for samba?

Don't know. Sorry.
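
Added example, not part of the original message or of Samba: a small parser that pulls the KDC "Too large time skew" rejections out of debug output like the log quoted above, ties each one to the client address from the preceding AS-REQ, and checks whether the skew is a whole number of hours plus a remainder inside the tolerance (the UTC vs. local time pattern). The function names and the whole-hour heuristic are assumptions made for this illustration.

```python
import re

# Excerpt of the smbd -d3 output quoted in the message above, mail wrapping kept.
SAMPLE_LOG = """\
Kerberos: AS-REQ Administrator at leosende.fun from 10.0.0.101 for 
krbtgt/leosende.fun at leosende.fun
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Too large time skew, client time 2007-02-12T21:50:57 is out by 3673 
> 300 seconds -- Administrator at leosende.fun
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at leosende.fun 
using arcfour-hmac-md5
Kerberos: Failed to verify AP-REQ: Clock skew too great
"""

PRINC = r"\S+(?: at |@)\S+"  # list archives rewrite "@" as " at "
EVENT = re.compile(
    rf"Kerberos: AS-REQ (?P<req_princ>{PRINC}) from (?P<ip>[\d.]+) for"
    rf"|Kerberos: Too large time skew, client time (?P<ts>\S+) is out by "
    rf"(?P<skew>\d+) > (?P<limit>\d+) seconds -- (?P<princ>{PRINC})"
)

def whole_hour_offset(skew, limit):
    """Return (hours, residual) if skew is N whole hours plus a residual
    within the tolerance, else None. Half-hour zones are not considered."""
    hours = round(skew / 3600)
    residual = abs(skew - hours * 3600)
    return (hours, residual) if hours >= 1 and residual <= limit else None

def skew_events(log_text):
    """List every skew rejection with principal, client IP and skew."""
    flat = " ".join(log_text.split())  # undo the line wrapping
    last_ip, events = {}, []
    for m in EVENT.finditer(flat):
        if m.group("ip"):  # AS-REQ: remember where this principal came from
            last_ip[m.group("req_princ").replace(" at ", "@")] = m.group("ip")
            continue
        princ = m.group("princ").replace(" at ", "@")
        skew, limit = int(m.group("skew")), int(m.group("limit"))
        events.append({
            "principal": princ,
            "client_ip": last_ip.get(princ),
            "client_time": m.group("ts"),
            "skew_seconds": skew,
            "limit_seconds": limit,
            "whole_hours": whole_hour_offset(skew, limit),
        })
    return events

if __name__ == "__main__":
    for event in skew_events(SAMPLE_LOG):
        print(event)
```
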

