[Samba] Kerberos works, but "net ads join" fails

Roman Bigler roeme at roeme.ch
Tue Feb 27 14:15:33 GMT 2007


Hi List,

this is gonna be a really funky/interesting/uncommon error you're  
going to deal with (if you do).

Developer(s): I'd be really happy if you can point me at the right
source files or describe at which stage the "discussion" between my
servers fails. This might be of some use.

But let's get to the facts:

SYMPTOMS
--------
1) Invoked "kinit", no error messages are generated, verbose mode  
says "Authenticated to Kerberos v5".
2) "klist" thereafter returns a valid ticket.
3) Trying to join the AD with "net ads join" et cetera however  
results in a "ads_connect: Operations error" after about 40 seconds.
4) "net" exits with errcode -1 (looks like an unspecified error to me?)

Further investigation revealed that "net" indeed can connect to the  
PDC, but fails with the errors described above.

MORE DETAILED OUTPUT OF TOOLS
-----------------------------
Unfortunately, the debug output of "net" does not help a lot, even  
with level 10. Here's the interesting part:
--snip--
[2007/02/27 14:35:14, 3] libads/ldap.c:ads_connect(287)
   Connected to LDAP server 192.168.0.4
[2007/02/27 14:35:54, 0] utils/net_ads.c:ads_startup(289)
   ads_connect: Operations error
[2007/02/27 14:35:54, 2] utils/net.c:main(988)
   return code = -1
--snap--
Please note the 40-second gap between the first two messages.

CURRENT SETUP
-------------
- Windows 2003 Active Directory (functional level 2003, not 2000  
native).
- Linux 2.6.18.2-34, custom kernel, recent SuSE 10.2 distribution
- Samba 3.0.24-SerNet-SuSE

ADDITIONAL INFORMATION
----------------------
The whole thing was working until recently. After it stopped working,  
I've done several things:
- tweaked configurations several times (use DNS or fixed IPs /
minimal config / etc.)
- removed the Samba server from the domain in order to rejoin it  
(helped in an earlier situation)
- updated Samba (from 3.0.23d to 3.0.24)
- raised the AD functional level
- checked Kerberos messages on Windows
- the usual Google, man-page and mailing-list crawling, even looked
at the sources

ASSUMPTIONS
-----------
I assume that an unspecified service on the Windows side fails and
causes the communication to halt (or similar), which in turn triggers
a timeout.


Thanks in advance to anyone helping me out with this very strange error.

Cheers,
Roman
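
Added example, not part of the original post: a small parser for the Samba debug-log format quoted above that reports stalls between consecutive entries, such as the 40-second gap between the LDAP connect and the "Operations error". The function names and the 10-second default threshold are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Samba 3.x debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)"
)

# The excerpt quoted in the post, embedded so the example runs offline.
SAMPLE_LOG = """\
[2007/02/27 14:35:14, 3] libads/ldap.c:ads_connect(287)
   Connected to LDAP server 192.168.0.4
[2007/02/27 14:35:54, 0] utils/net_ads.c:ads_startup(289)
   ads_connect: Operations error
[2007/02/27 14:35:54, 2] utils/net.c:main(988)
   return code = -1
"""

def parse_entries(text):
    """Return one dict per debug entry, with its indented message lines joined."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({
                "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group(2)),
                "where": f"{m.group(3)}:{m.group(4)}({m.group(5)})",
                "message": "",
            })
        elif entries and line.strip():
            # Continuation lines belong to the most recent header.
            prev = entries[-1]
            prev["message"] = (prev["message"] + " " + line.strip()).strip()
    return entries

def find_stalls(entries, threshold_seconds=10):
    """Return (gap_seconds, before, after) for entries at least threshold apart."""
    stalls = []
    for before, after in zip(entries, entries[1:]):
        gap = (after["time"] - before["time"]).total_seconds()
        if gap >= threshold_seconds:  # threshold is an assumed default
            stalls.append((gap, before, after))
    return stalls

if __name__ == "__main__":
    for gap, before, after in find_stalls(parse_entries(SAMPLE_LOG)):
        print(f"{gap:.0f}s stall after {before['where']} [{before['message']}]")
        print(f"  next entry: {after['where']} [{after['message']}]")
```

On a full level 10 log, the entry printed before each stall names the last source file and function that logged before the client stopped making progress.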