[Samba] Problems with ADS join after Samba update on FC4

Elio Tondo elio at tondo.it
Wed Sep 6 17:32:19 GMT 2006


Hi,

I used to have a working Samba + Winbind configuration in ADS mode under FC4;
the Samba version was 3.0.14a-2. I joined a W2k domain, and winbind correctly
returned the user information. krb5.conf and smb.conf were modified
according to Howtos and tutorials found on the net.

One day Samba was updated to 3.0.23a-1.fc4.1 and it stopped working.
No modification was made to the configuration files, but it cannot join the
domain any more. Kerberos still works (kinit works as expected and klist shows
the ticket).

After a lot of time spent trying to understand the problem I uninstalled the new
Samba version and reinstalled the old one without modifying anything else,
and it started working again. Then I ran "net ads info" and "net ads join" with
debugging enabled and saved the results. Then I reinstalled the updated version
and, with no surprise, it did not work any more. Then I ran the same commands
with debugging enabled and saved the results. I also tried on a different machine
with FC5 and the same (new) version, and it fails in exactly the same way.

By comparing the output of the two versions I can see some differences; it looks
like the join command fails the connection to the ADS server, while the info
command is unable to get the server time information; can these two things
be related somehow? Consider that in this installation both the domain name
and the realm of the ADS server are a single word, with no dots.

The output of the four tests is somewhat long (1300 lines total); if someone can
help me I will send it by private email. I will try here to cut and paste some
relevant parts (removing the parts with no differences).

Thank you for any help
Elio

-----------------

Join:

-[2006/07/31 17:34:44, 5] libads/ldap.c:ads_try_connect(123)
-  ads_try_connect: trying ldap server 'SRV_SIRIO' port 389
-[2006/07/31 17:34:44, 3] libads/ldap.c:ads_connect(285)
+[2006/07/31 17:43:26, 5] libads/ldap.c:ads_try_connect(127)
+  ads_try_connect: sending CLDAP request to SRV_SIRIO (realm: EDUCATION)
+[2006/07/31 17:43:26, 5] lib/gencache.c:gencache_init(60)
+  Opening cache file at /var/cache/samba/gencache.tdb
+[2006/07/31 17:43:26, 3] libads/ldap.c:ads_connect(287)
   Connected to LDAP server 192.168.0.2
...
-[2006/07/31 17:34:44, 3] libads/ldap.c:ads_server_info(2469)
-  got ldap server name srv_sirio at EDUCATION, using bind path: dc=EDUCATION
-[2006/07/31 17:34:44, 4] libads/ldap.c:ads_server_info(2475)
-  time offset is 0 seconds
-[2006/07/31 17:34:44, 4] libads/sasl.c:ads_sasl_bind(447)
-  Found SASL mechanism GSS-SPNEGO
[many other lines of output]
-Using short domain name -- EDUCATION
-Joined 'ALFA' to realm 'EDUCATION'

while the newer version gives:

+[2006/07/31 17:43:26, 0] utils/net_ads.c:ads_startup(286)
+  ads_connect: Operations error
+[2006/07/31 17:43:26, 2] utils/net.c:main(988)
+  return code = -1


Info:

-[2006/07/31 17:10:21, 6] libads/ldap.c:ads_find_dc(214)
-  ads_find_dc: looking for domain 'EDUCATION'
-[2006/07/31 17:10:21, 8] libsmb/namequery.c:get_sorted_dc_list(1433)
-  get_sorted_dc_list: attempting lookup using [lmhosts wins host bcast]
-[2006/07/31 17:10:21, 10] libsmb/namequery.c:internal_resolve_name(1028)
-  internal_resolve_name: looking up SRV_SIRIO#20
-[2006/07/31 17:10:21, 5] lib/gencache.c:gencache_init(59)
+[2006/07/31 17:43:03, 6] libads/ldap.c:ads_find_dc(224)
+  ads_find_dc: looking for realm 'EDUCATION'
+[2006/07/31 17:43:03, 8] libsmb/namequery.c:get_sorted_dc_list(1524)
+  get_sorted_dc_list: attempting lookup using [ads]
+[2006/07/31 17:43:03, 5] lib/gencache.c:gencache_init(60)
   Opening cache file at /var/cache/samba/gencache.tdb
-[2006/07/31 17:10:21, 10] lib/gencache.c:gencache_get(271)
-  Returning valid cache entry: key = NBT/SRV_SIRIO#20, value = 192.168.0.2:0, timeout = 
Mon Jul 31 17:13:46 2006
-
-[2006/07/31 17:10:21, 5] libsmb/namecache.c:namecache_fetch(201)
+[2006/07/31 17:43:03, 10] lib/gencache.c:gencache_get(287)
+  Returning valid cache entry: key = SAF/DOMAIN/EDUCATION, value = 192.168.0.2, timeout = 
Mon Jul 31 17:57:37 2006
+[2006/07/31 17:43:03, 5] libsmb/namequery.c:saf_fetch(108)
+  saf_fetch: Returning "192.168.0.2" for "EDUCATION" domain
+[2006/07/31 17:43:03, 3] libsmb/namequery.c:get_dc_list(1399)
+  get_dc_list: preferred server list: "192.168.0.2, SRV_SIRIO"
+[2006/07/31 17:43:03, 10] libsmb/namequery.c:internal_resolve_name(1110)
+  internal_resolve_name: looking up SRV_SIRIO#20
+[2006/07/31 17:43:03, 10] lib/gencache.c:gencache_get(287)
+  Returning valid cache entry: key = NBT/SRV_SIRIO#20, value = 192.168.0.2:0, timeout = 
Mon Jul 31 17:53:37 2006
+[2006/07/31 17:43:03, 5] libsmb/namecache.c:namecache_fetch(201)
+  name SRV_SIRIO#20 found.
+[2006/07/31 17:43:03, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
+  remove_duplicate_addrs2: looking for duplicate address/port pairs
+[2006/07/31 17:43:03, 4] libsmb/namequery.c:get_dc_list(1502)
+  get_dc_list: returning 1 ip addresses in an ordered list
+[2006/07/31 17:43:03, 4] libsmb/namequery.c:get_dc_list(1503)
+  get_dc_list: 192.168.0.2:389
+[2006/07/31 17:43:03, 5] libads/ldap.c:ads_try_connect(127)
+  ads_try_connect: sending CLDAP request to 192.168.0.2 (realm: EDUCATION)
+[2006/07/31 17:43:03, 10] libsmb/namequery.c:saf_store(71)
+  saf_store: domain = [EDUCATION], server = [192.168.0.2], expire = [1154361483]
+[2006/07/31 17:43:03, 10] lib/gencache.c:gencache_set(131)
+  Adding cache entry with key = SAF/DOMAIN/EDUCATION; value = 192.168.0.2 and timeout = 
Mon Jul 31 17:58:03 2006
+   (900 seconds ahead)
+[2006/07/31 17:43:03, 3] libads/ldap.c:ads_connect(287)
+  Connected to LDAP server 192.168.0.2
+[2006/07/31 17:43:03, 6] libads/ldap.c:ads_find_dc(224)
+  ads_find_dc: looking for realm 'EDUCATION'
+[2006/07/31 17:43:03, 8] libsmb/namequery.c:get_sorted_dc_list(1524)
+  get_sorted_dc_list: attempting lookup using [ads]
+[2006/07/31 17:43:03, 10] lib/gencache.c:gencache_get(287)
+  Returning valid cache entry: key = SAF/DOMAIN/EDUCATION, value = 192.168.0.2, timeout = 
Mon Jul 31 17:58:03 2006
+[2006/07/31 17:43:03, 5] libsmb/namequery.c:saf_fetch(108)
+  saf_fetch: Returning "192.168.0.2" for "EDUCATION" domain
+[2006/07/31 17:43:03, 3] libsmb/namequery.c:get_dc_list(1399)
+  get_dc_list: preferred server list: "192.168.0.2, SRV_SIRIO"
+[2006/07/31 17:43:03, 10] libsmb/namequery.c:internal_resolve_name(1110)
+  internal_resolve_name: looking up SRV_SIRIO#20
+[2006/07/31 17:43:03, 10] lib/gencache.c:gencache_get(287)
+  Returning valid cache entry: key = NBT/SRV_SIRIO#20, value = 192.168.0.2:0, timeout = 
Mon Jul 31 17:53:37 2006
+[2006/07/31 17:43:03, 5] libsmb/namecache.c:namecache_fetch(201)
+  name SRV_SIRIO#20 found.
+[2006/07/31 17:43:03, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
+  remove_duplicate_addrs2: looking for duplicate address/port pairs
+[2006/07/31 17:43:03, 4] libsmb/namequery.c:get_dc_list(1502)
+  get_dc_list: returning 1 ip addresses in an ordered list
+[2006/07/31 17:43:03, 4] libsmb/namequery.c:get_dc_list(1503)
+  get_dc_list: 192.168.0.2:389
+[2006/07/31 17:43:03, 5] libads/ldap.c:ads_try_connect(127)
+  ads_try_connect: sending CLDAP request to 192.168.0.2 (realm: EDUCATION)
+[2006/07/31 17:43:03, 10] libsmb/namequery.c:saf_store(71)
+  saf_store: domain = [EDUCATION], server = [192.168.0.2], expire = [1154361483]
+[2006/07/31 17:43:03, 10] lib/gencache.c:gencache_set(131)
+  Adding cache entry with key = SAF/DOMAIN/EDUCATION; value = 192.168.0.2 and timeout = 
Mon Jul 31 17:58:03 2006
+   (900 seconds ahead)
+[2006/07/31 17:43:03, 3] libads/ldap.c:ads_connect(287)
+  Connected to LDAP server 192.168.0.2
+[2006/07/31 17:43:03, 6] libads/ldap.c:ads_find_dc(224)
+  ads_find_dc: looking for realm 'EDUCATION'
+[2006/07/31 17:43:03, 8] libsmb/namequery.c:get_sorted_dc_list(1524)
+  get_sorted_dc_list: attempting lookup using [ads]
+[2006/07/31 17:43:03, 10] lib/gencache.c:gencache_get(287)
+  Returning valid cache entry: key = SAF/DOMAIN/EDUCATION, value = 192.168.0.2, timeout = 
Mon Jul 31 17:58:03 2006
+[2006/07/31 17:43:03, 5] libsmb/namequery.c:saf_fetch(108)
+  saf_fetch: Returning "192.168.0.2" for "EDUCATION" domain
+[2006/07/31 17:43:03, 3] libsmb/namequery.c:get_dc_list(1399)
+  get_dc_list: preferred server list: "192.168.0.2, SRV_SIRIO"
+[2006/07/31 17:43:03, 10] libsmb/namequery.c:internal_resolve_name(1110)
+  internal_resolve_name: looking up SRV_SIRIO#20
+[2006/07/31 17:43:03, 10] lib/gencache.c:gencache_get(287)
+  Returning valid cache entry: key = NBT/SRV_SIRIO#20, value = 192.168.0.2:0, timeout = 
Mon Jul 31 17:53:37 2006
+[2006/07/31 17:43:03, 5] libsmb/namecache.c:namecache_fetch(201)
   name SRV_SIRIO#20 found.
-[2006/07/31 17:10:21, 10] libsmb/namequery.c:remove_duplicate_addrs2(320)
+[2006/07/31 17:43:03, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
   remove_duplicate_addrs2: looking for duplicate address/port pairs
-[2006/07/31 17:10:21, 4] libsmb/namequery.c:get_dc_list(1406)
+[2006/07/31 17:43:03, 4] libsmb/namequery.c:get_dc_list(1502)
   get_dc_list: returning 1 ip addresses in an ordered list
-[2006/07/31 17:10:21, 4] libsmb/namequery.c:get_dc_list(1407)
+[2006/07/31 17:43:03, 4] libsmb/namequery.c:get_dc_list(1503)
   get_dc_list: 192.168.0.2:389
-[2006/07/31 17:10:21, 5] libads/ldap.c:ads_try_connect(123)
-  ads_try_connect: trying ldap server '192.168.0.2' port 389
-[2006/07/31 17:10:21, 3] libads/ldap.c:ads_connect(285)
+[2006/07/31 17:43:03, 5] libads/ldap.c:ads_try_connect(127)
+  ads_try_connect: sending CLDAP request to 192.168.0.2 (realm: EDUCATION)
+[2006/07/31 17:43:03, 10] libsmb/namequery.c:saf_store(71)
+  saf_store: domain = [EDUCATION], server = [192.168.0.2], expire = [1154361483]
+[2006/07/31 17:43:03, 10] lib/gencache.c:gencache_set(131)
+  Adding cache entry with key = SAF/DOMAIN/EDUCATION; value = 192.168.0.2 and timeout = 
Mon Jul 31 17:58:03 2006
+   (900 seconds ahead)
+[2006/07/31 17:43:03, 3] libads/ldap.c:ads_connect(287)
   Connected to LDAP server 192.168.0.2
-[2006/07/31 17:10:21, 3] libads/ldap.c:ads_server_info(2469)
-  got ldap server name srv_sirio at EDUCATION, using bind path: dc=EDUCATION
-[2006/07/31 17:10:21, 4] libads/ldap.c:ads_server_info(2475)
-  time offset is 1 seconds
-[2006/07/31 17:10:21, 10] intl/lang_tdb.c:lang_tdb_init(135)
+[2006/07/31 17:43:03, 10] intl/lang_tdb.c:lang_tdb_init(138)
   lang_tdb_init: /usr/lib/samba/en_US.en.msg: No such file or directory
-[2006/07/31 17:10:21, 2] utils/net.c:main(897)
+Failed to get server's current time!
+[2006/07/31 17:43:03, 2] utils/net.c:main(988)
   return code = 0
 LDAP server: 192.168.0.2
-LDAP server name: srv_sirio
+LDAP server name: srv_sirio.EDUCATION
 Realm: EDUCATION
 Bind Path: dc=EDUCATION
 LDAP port: 389
-Server time: Mon, 31 Jul 2006 17:10:22 GMT
+Server time: Thu, 01 Jan 1970 01:00:00 CET
 KDC server: 192.168.0.2
-Server time offset: 1
+Server time offset: 0

Please note the output "Failed to get server's current time!"
with the new version.
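
An added example, not part of the original post: when two Samba builds are compared this way, most `-`/`+` pairs differ only in the timestamp and the source line number of the debug header, which buries the real changes (here, the switch from a plain LDAP connect to a CLDAP request). The sketch below strips those fields before diffing; the function names and the two short logs, assembled from lines quoted above, are constructed for illustration.

```python
import difflib
import re

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}, +\d+\] (\S+?):(\w+)\(\d+\)$"
)

def normalize(log_text):
    """Return one 'file:function | message' string per debug record,
    dropping the timestamp, debug level and source line number."""
    records, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = [f"{m.group(1)}:{m.group(2)}"]
            records.append(current)
        elif current is not None and line.strip():
            current.append(line.strip())  # message body, kept verbatim
    return [" | ".join(r) for r in records]

def compare(old_log, new_log):
    """Diff two debug logs after normalization; return only -/+ records."""
    diff = difflib.unified_diff(
        normalize(old_log), normalize(new_log), lineterm="", n=0
    )
    return [d for d in diff if not d.startswith(("---", "+++", "@@"))]

# Constructed sample input, built from lines quoted in the post.
OLD = """\
[2006/07/31 17:10:21, 10] libsmb/namequery.c:remove_duplicate_addrs2(320)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2006/07/31 17:10:21, 5] libads/ldap.c:ads_try_connect(123)
  ads_try_connect: trying ldap server '192.168.0.2' port 389
[2006/07/31 17:10:21, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server 192.168.0.2
"""
NEW = """\
[2006/07/31 17:43:03, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2006/07/31 17:43:03, 5] libads/ldap.c:ads_try_connect(127)
  ads_try_connect: sending CLDAP request to 192.168.0.2 (realm: EDUCATION)
[2006/07/31 17:43:03, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 192.168.0.2
"""

if __name__ == "__main__":
    print("\n".join(compare(OLD, NEW)))
```

Message bodies are compared verbatim, so records that embed their own times (such as the gencache `timeout =` lines) will still show up as differences.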