Samba 4 alpha and OpenLDAP
Scott Lovenberg
scott.lovenberg at gmail.com
Thu Jul 24 14:49:35 GMT 2008
Christophe Thibault wrote:
> Hi,
>
> I tried to join an XP SP2 workstation to my test domain, but get the
> following error messages:
>
> * on the workstation, while getting the domain:
>
> "The following error occurred attempting to join the domain 'XXXXXX':
> Unable to update the password. The value provided as the current
> password is incorrect."
>
>
> * On the samba logs:
>
> There are "netlogon request to XXXX<1c> from 172.16.15.11:138"
> (172.16.15.11 is my XP workstation IP).
>
> There are also these traces:
>
> Kerberos: AS-REQ Administrator at XXXXX from 172.16.15.11 for
> krbtgt/XXXXX at XXXXX
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> Kerberos: Looking for PKINIT pa-data -- Administrator at XXXXX
> Kerberos: Looking for ENC-TS pa-data -- Administrator at XXXXX
> Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at XXXXX
> using arcfour-hmac-md5
> Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
> des-cbc-md5, des-cbc-crc, 24, -135
> Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable_ok, canonicalize, renewable,
> forwardable
> Kerberos: AS-REQ authtime: 2008-07-24T15:10:26 starttime: unset
> endtime: 2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
> Kerberos: AS-REQ Administrator at XXXXX from 172.16.15.11 for
> krbtgt/XXXXX at XXXXX
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> Kerberos: Looking for PKINIT pa-data -- Administrator at XXXXX
> Kerberos: Looking for ENC-TS pa-data -- Administrator at XXXXX
> Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at XXXXX
> using arcfour-hmac-md5
> Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
> des-cbc-md5, des-cbc-crc, 24, -135
> Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable_ok, canonicalize, renewable,
> forwardable
> Kerberos: AS-REQ authtime: 2008-07-24T15:10:27 starttime: unset
> endtime: 2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
> single_terminate: reason[NT_STATUS_END_OF_FILE]
> Kerberos: TGS-REQ Administrator at XXXXX.MYCORP.COM from 172.16.15.11 for
> cifs/CINDY at XXXXX.MYCORP.COM [renewable, forwardable]
> Kerberos: TGS-REQ authtime: 2008-07-24T15:10:27 starttime:
> 2008-07-24T15:10:27 endtime: 2037-09-13T04:48:05 renew till: unset
> Kerberos: TGS-REQ Administrator at XXXXX.MYCORP.COM from 172.16.15.11 for
> krbtgt/XXXXX.MYCORP.COM at XXXXX.MYCORP.COM [renewable_ok, canonicalize,
> renewable, forwarded, forwardable]
> Kerberos: TGS-REQ authtime: 2008-07-24T15:10:27 starttime:
> 2008-07-24T15:10:27 endtime: 2037-09-13T04:48:05 renew till: unset
> Kerberos: TGS-REQ Administrator at XXXXX.MYCORP.COM from 172.16.15.11 for
> krbtgt/XXXXX.MYCORP.COM at XXXXX.MYCORP.COM [renewable_ok, canonicalize,
> renewable, forwarded, forwardable]
> Kerberos: TGS-REQ authtime: 2008-07-24T15:10:27 starttime:
> 2008-07-24T15:10:27 endtime: 2037-09-13T04:48:05 renew till: unset
> single_terminate: reason[NT_STATUS_END_OF_FILE]
> ...
> using SPNEGO
> Selected protocol [5][NT LM 0.12]
> Kerberos: AS-REQ Administrator at XXXXX from 172.16.15.11 for
> krbtgt/XXXXX at XXXXX
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> Kerberos: Looking for PKINIT pa-data -- Administrator at XXXXX
> Kerberos: Looking for ENC-TS pa-data -- Administrator at XXXXX
> Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at XXXXX
> using arcfour-hmac-md5
> Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
> des-cbc-md5, des-cbc-crc, 24, -135
> Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable_ok, canonicalize, renewable,
> forwardable
> Kerberos: AS-REQ authtime: 2008-07-24T15:10:36 starttime: unset
> endtime: 2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
> Kerberos: AS-REQ Administrator at XXXXX from 172.16.15.11 for
> krbtgt/XXXXX at XXXXX
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> Kerberos: Looking for PKINIT pa-data -- Administrator at XXXXX
> Kerberos: Looking for ENC-TS pa-data -- Administrator at XXXXX
> Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at XXXXX
> using arcfour-hmac-md5
> Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
> des-cbc-md5, des-cbc-crc, 24, -135
> Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable_ok, canonicalize, renewable,
> forwardable
> Kerberos: AS-REQ authtime: 2008-07-24T15:10:36 starttime: unset
> endtime: 2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
> single_terminate: reason[NT_STATUS_END_OF_FILE]
> Kerberos: TGS-REQ Administrator at XXXXX.MYCORP.COM from 172.16.15.11 for
> cifs/cindy.xxxxx.mycorp.com at XXXXX.MYCORP.COM [renewable, forwardable]
> Kerberos: TGS-REQ authtime: 2008-07-24T15:10:36 starttime:
> 2008-07-24T15:10:36 endtime: 2037-09-13T04:48:05 renew till: unset
> Kerberos: TGS-REQ Administrator at XXXXX.MYCORP.COM from 172.16.15.11 for
> cifs/cindy.xxxxx.mycorp.com at XXXXX.MYCORP.COM [renewable, forwardable]
> Kerberos: TGS-REQ authtime: 2008-07-24T15:10:36 starttime:
> 2008-07-24T15:10:36 endtime: 2037-09-13T04:48:05 renew till: unset
> single_terminate: reason[NT_STATUS_END_OF_FILE]
> Kerberos: TGS-REQ Administrator at XXXXX.MYCORP.COM from 172.16.15.11 for
> krbtgt/XXXXX.MYCORP.COM at XXXXX.MYCORP.COM [renewable_ok, canonicalize,
> renewable, forwarded, forwardable]
> Kerberos: TGS-REQ authtime: 2008-07-24T15:10:36 starttime:
> 2008-07-24T15:10:36 endtime: 2037-09-13T04:48:05 renew till: unset
> Kerberos: TGS-REQ Administrator at XXXXX.MYCORP.COM from 172.16.15.11 for
> krbtgt/XXXXX.MYCORP.COM at XXXXX.MYCORP.COM [renewable_ok, canonicalize,
> renewable, forwarded, forwardable]
> Kerberos: TGS-REQ authtime: 2008-07-24T15:10:36 starttime:
> 2008-07-24T15:10:36 endtime: 2037-09-13T04:48:05 renew till: unset
> single_terminate: reason[NT_STATUS_END_OF_FILE]
> Found account name from PAC: Administrator []
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> added interface ip=172.16.0.2 nmask=255.255.0.0
> added interface ip=172.16.0.2 nmask=255.255.0.0
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x00008205
> 172.16.15.11 closed connection to service IPC$
> single_terminate: reason[NT_STATUS_END_OF_FILE]
> Received dgram packet of length 201 from 172.16.15.11:138
>
> (I tried to remove other Samba announcements)
>
>
>
>
> Any idea?
>
> thanks,
>
> chris
>
Knee-jerk reaction, but are your clocks synced to within five minutes of
each other? Krb is very picky about that.
>
> Christophe Thibault wrote:
>> oops,
>>
>> I saw what I missed ;)
>>
>> I have to specify to the slapcat command the database number to dump
>> it, since there are multiple databases ;)
>>
>> Thanks for the info, I continue to play!
>>
>> chris
>>
>> Andrew Bartlett wrote:
>>> On Tue, 2008-07-22 at 10:38 +0200, Christophe Thibault wrote:
>>>
>>>> Hi,
>>>>
>>>> The OpenLDAP server starts fine, Samba also starts fine, but after
>>>> running the scripts, the database seems to be quite empty.
>>>>
>>>> It only contains the following objects (dumped with the "openldap
>>>> slapcat" command):
>>>>
>>>>
>>>> ## start -----
>>>> dn: cn=Samba
>>>>
>>>
>>> This is the Samba 'management partition' (for want of a better
>>> description). It contains just enough so that we can do a SASL bind to
>>> OpenLDAP, and create the rest with the actual provision script, against
>>> a 'live' openldap instance.
>>>
>>> The rest will be under dc=example,dc=com (or whatever you selected).
>>> Andrew Bartlett
>>>
>>>
>>
>>
>
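
Added example, not part of the original thread or of Samba: the ENC-TS pre-authentication data is a client timestamp that the KDC checks against its allowed clock skew, so the KDC log itself shows whether that timestamp was accepted. The Python sketch below unwraps the mail-quoted log records and summarises them; the sample lines are constructed in the shape of the quoted log, and the set of record-start tags is an assumption based only on the lines used here.

```python
import re
from collections import Counter

# Constructed sample in the shape of the quoted log above, including the
# "> " quoting and the mail client's line wrapping.
SAMPLE = """\
> Kerberos: AS-REQ Administrator at XXXXX from 172.16.15.11 for
> krbtgt/XXXXX at XXXXX
> Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at XXXXX
> using arcfour-hmac-md5
> Kerberos: AS-REQ authtime: 2008-07-24T15:10:26 starttime: unset
> endtime: 2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
> Kerberos: TGS-REQ Administrator at XXXXX.MYCORP.COM from 172.16.15.11 for
> cifs/CINDY at XXXXX.MYCORP.COM [renewable, forwardable]
> single_terminate: reason[NT_STATUS_END_OF_FILE]
"""

# Assumption: only these tags start a new record; anything else is a wrapped tail.
RECORD_STARTS = ("Kerberos:", "single_terminate:")

PREAUTH_OK = re.compile(
    r"Kerberos: ENC-TS Pre-authentication succeeded -- (\S+) at \S+ using (\S+)")
TGS_REQ = re.compile(r"Kerberos: TGS-REQ \S+ at \S+ from (\S+) for (\S+) at ")
AUTHTIME = re.compile(r"Kerberos: AS-REQ authtime: (\S+)")

def unwrap(text):
    """Strip '>' quoting and rejoin wrapped lines into one record each."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if line.startswith(RECORD_STARTS) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarise(text):
    """Count accepted ENC-TS pre-auths, enctypes used and service tickets requested."""
    out = {"preauth_ok": Counter(), "enctypes": Counter(),
           "tickets": Counter(), "authtimes": []}
    for rec in unwrap(text):
        if m := PREAUTH_OK.match(rec):
            out["preauth_ok"][m.group(1)] += 1   # timestamp accepted by the KDC
            out["enctypes"][m.group(2)] += 1
        elif m := TGS_REQ.match(rec):
            out["tickets"][(m.group(1), m.group(2))] += 1
        elif m := AUTHTIME.match(rec):
            out["authtimes"].append(m.group(1))  # KDC-side time of the AS exchange
    return out
```
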