[Samba] Getting ads_connect: Strong authentication required when doing net ads join

jonas.back at ppm.nu jonas.back at ppm.nu
Thu Feb 24 16:41:03 GMT 2005


In my lab I successfully got everything working running our secured Active
Directory and Fedora Core 3. In our AD we have secured settings like
refusing NTLMv2, requiring LDAP signing, SMB signing and more. In the lab we
have the following RPMs:
krb5-workstation-1.3.4.7
samba-3.0.8.0.pre1.3
openldap-2.2.13-2

But now we're implementing this in production and there we're running Red
Hat ES3 and have the following RPMs (newest so far):
krb5-workstation-1.2.7-38
samba-3.0.9-1.3E.2
openldap-2.0.27-11

Kinit and smbclient work fine, but when I run net ads join it fails with
"ads_connect: Strong authentication required". I've read somewhere that the
security policy setting: "Domain Controller: LDAP server signing
requirements" set to "Require signing" is the reason for this but our
security team will not let me disable this setting. Is there any other way
to get around this?

I've made sure all configuration files (krb5.conf, smb.conf and ldap.conf)
have the same options.

I also found earlier posts, but they don't really give me a solution:
http://lists.samba.org/archive/samba-technical/2003-October/032422.html
and here http://lists.samba.org/archive/samba/2003-October/000806.html

[root@xtmplin1 /]# kinit domainuser
Password for domainuser@PPM.NU: 
[root@xtmplin1 /]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domainuser@PPM.NU

Valid starting     Expires            Service principal
02/24/05 17:00:27  02/25/05 03:00:27  krbtgt/PPM.NU@PPM.NU


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@xtmplin1 /]# net ads join "ServrarSamba" -U domainuser
domainuser's password: 
[2005/02/24 17:00:45, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Strong authentication required
[root@xtmplin1 /]# 



Here's the complete debug for net ads join:

[root@xtmplin1 samba]# net ads join "ServrarSamba" -U domainuser -d 10
[2005/02/24 16:15:22, 5] lib/debug.c:debug_dump_status(366)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
[2005/02/24 16:15:22, 3] param/loadparm.c:lp_load(3911)
  lp_load: refreshing parameters
[2005/02/24 16:15:22, 3] param/loadparm.c:init_globals(1312)
  Initialising global parameters
[2005/02/24 16:15:22, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2005/02/24 16:15:22, 3] param/loadparm.c:do_section(3404)
  Processing section "[global]"
  doing parameter workgroup = EXAMPLE
  doing parameter realm = EXAMPLE.NU
  doing parameter use spnego = yes
  doing parameter client signing = yes
  doing parameter client use spnego = yes
  doing parameter server string = Samba Server
  doing parameter printcap name = /etc/printcap
  doing parameter load printers = yes
  doing parameter cups options = raw
  doing parameter log file = /var/log/samba/%m.log
  doing parameter max log size = 50
  doing parameter security = ads
  doing parameter encrypt passwords = yes
  doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  doing parameter dns proxy = no
[2005/02/24 16:15:22, 4] param/loadparm.c:lp_load(3942)
  pm_process() returned Yes
[2005/02/24 16:15:22, 7] param/loadparm.c:lp_servicenumber(4052)
  lp_servicenumber: couldn't find homes
[2005/02/24 16:15:22, 10] param/loadparm.c:set_server_role(3851)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2LE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2LE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16LE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16LE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2BE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2BE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16BE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16BE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF8
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF8
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-8
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-8
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ASCII
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ASCII
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset 646
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset 646
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ISO-8859-1
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ISO-8859-1
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS2-HEX
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS2-HEX
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/util.c:init_names(278)
  Netbios name list:-
  my_netbios_names[0]="XTMPLIN1"
[2005/02/24 16:15:22, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.25.231 bcast=192.168.25.255 nmask=255.255.255.0
domainuser's password: 
[2005/02/24 16:15:35, 6] libads/ldap.c:ads_find_dc(176)
  ads_find_dc: looking for realm 'EXAMPLE.NU'
[2005/02/24 16:15:35, 8] libsmb/namequery.c:get_sorted_dc_list(1433)
  get_sorted_dc_list: attempting lookup using [ads]
[2005/02/24 16:15:35, 10] libsmb/namequery.c:internal_resolve_name(1028)
  internal_resolve_name: looking up EXAMPLE.NU#1c
[2005/02/24 16:15:35, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /var/cache/samba/gencache.tdb
[2005/02/24 16:15:35, 10] lib/gencache.c:gencache_get(263)
  Returning valid cache entry: key = NBT/EXAMPLE.NU#1C, value = 192.168.40.100:389,192.168.129.100:389,192.168.115.100:389, timeout = Thu Feb 24 16:16:40 2005
  
[2005/02/24 16:15:35, 5] libsmb/namecache.c:namecache_fetch(201)
  name EXAMPLE.NU#1C found.
[2005/02/24 16:15:35, 8] libsmb/namequery.c:get_dc_list(1316)
  Adding 3 DC's from auto lookup
[2005/02/24 16:15:35, 10] libsmb/namequery.c:remove_duplicate_addrs2(320)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 3 ip addresses in an unordered list
[2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1407)
  get_dc_list: 192.168.40.100:389 192.168.129.100:389 192.168.115.100:389 
[2005/02/24 16:15:35, 5] libads/ldap.c:ads_try_connect(85)
  ads_try_connect: trying ldap server '192.168.40.100' port 389
[2005/02/24 16:15:35, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 192.168.40.100
[2005/02/24 16:15:35, 3] libads/ldap.c:ads_server_info(2432)
  got ldap server name server1@EXAMPLE.NU, using bind path: dc=EXAMPLE,dc=NU
[2005/02/24 16:15:35, 4] libads/ldap.c:ads_server_info(2438)
  time offset is 0 seconds
[2005/02/24 16:15:35, 4] libads/sasl.c:ads_sasl_bind(447)
  Found SASL mechanism GSS-SPNEGO
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name =server1$@EXAMPLE.NU
[2005/02/24 16:15:35, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2005/02/24 16:15:36, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
  Ticket in ccache[MEMORY:net_ads] expiration Fri, 25 Feb 2005 02:15:35 GMT
[2005/02/24 16:15:36, 10] libsmb/clikrb5.c:ads_krb5_mk_req(409)
  ads_krb5_mk_req: Ticket (server1$@EXAMPLE.NU) in ccache (MEMORY:net_ads) is valid until: (Fri, 25 Feb 2005 02:15:35 GMT - 1109294135)
[2005/02/24 16:15:36, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(510)
  Got KRB5 session key of length 16
[2005/02/24 16:15:36, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Strong authentication required
[2005/02/24 16:15:36, 2] utils/net.c:main(859)
  return code = -1
[root@xtmplin1 samba]# 
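
A triage helper for the debug output above, added here as an example; it is not part of the original post and is not Samba code. It groups the log into records, names the SPNEGO mechanisms the DC offered, and reports whether a Kerberos session key was obtained before the server answered "Strong authentication required" (the LDAP library's text for result code 8). The function names and the sample log are constructed for illustration.

```python
import re

# SPNEGO mechanism OIDs as Samba 3.0 logs them (space-separated arcs).
SPNEGO_MECHS = {
    "1 2 840 48018 1 2 2": "Kerberos 5 (Microsoft legacy OID)",
    "1 2 840 113554 1 2 2": "Kerberos 5",
    "1 2 840 113554 1 2 2 3": "Kerberos 5 user-to-user",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}
# Record header, e.g. "[2005/02/24 16:15:36, 0] utils/net_ads.c:ads_startup(186)"
HEADER = re.compile(r"^\[([^,]+), +(\d+)\] ([^:]+):(\w+)\((\d+)\)$")

def parse_records(text):
    """Group header lines and their indented continuation lines into records."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"level": int(m.group(2)), "func": m.group(4), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def triage(text):
    """Report how far the LDAP SASL bind got before the server refused it."""
    recs = parse_records(text)
    mechs = [SPNEGO_MECHS.get(r["msg"].split("OID=", 1)[1], "unknown")
             for r in recs if "got OID=" in r["msg"]]
    got_key = any("Got KRB5 session key" in r["msg"] for r in recs)
    refusal = next((r for r in recs
                    if "Strong authentication required" in r["msg"]), None)
    if refusal and got_key:
        verdict = "ticket obtained, bind refused: compare DC LDAP signing policy with client support"
    elif refusal:
        verdict = "bind refused before a Kerberos session key was obtained"
    else:
        verdict = "no strong-authentication refusal in this log"
    return {"mechs": mechs, "kerberos_key": got_key,
            "refused_in": refusal["func"] if refusal else None, "verdict": verdict}

# Constructed sample, shaped like the -d 10 output in the post.
SAMPLE = """\
[2005/02/24 16:15:35, 4] libads/sasl.c:ads_sasl_bind(447)
  Found SASL mechanism GSS-SPNEGO
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/02/24 16:15:36, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(510)
  Got KRB5 session key of length 16
[2005/02/24 16:15:36, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Strong authentication required
"""
```
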


