[Samba] Re: [3.0.25] "net ads join" problems

Bernd Schubert bs at q-leap.de
Wed Jul 18 14:35:42 GMT 2007

On Wednesday 18 July 2007 12:14:38 Bernd Schubert wrote:
> [2007/07/18 12:12:07, 2] libads/ldap.c:ldap_open_with_timeout(70)
>   Could not open LDAP connection to ads-2k3.ads2k3.q-leap.de:389: No such

This could be solved by adding ads-2k3.ads2k3.q-leap.de to /etc/hosts; the
problem is probably due to a Windows misconfiguration. I just wonder why it
hasn't been a problem with samba-3.0.22.

Still, our main problem remains.

255 ha-test-1(new):/var/lock# net ads join

Password? We have a kerberos ticket and with samba-3.0.22 it doesn't ask for a 

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/ha-test-1 at ADS2K3.Q-LEAP.DE

Valid starting     Expires            Service principal
07/18/07 16:27:37  07/19/07 02:27:37  krbtgt/ADS2K3.Q-LEAP.DE at ADS2K3.Q-LEAP.DE
        renew until 07/25/07 16:27:37

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


So let's proceed without providing a password, but now with debug messages

[2007/07/18 16:28:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration 
Thu, 19 Jul 2007 02:27:37 CEST
[2007/07/18 16:28:58, 10] libsmb/clikrb5.c:ads_krb5_mk_req(624)
  ads_krb5_mk_req: Ticket (ads-2k3$@ADS2K3.Q-LEAP.DE) in ccache 
(FILE:/tmp/krb5cc_0) is valid until: (Thu, 19 Jul 2007 02:27:37 CEST - 
[2007/07/18 16:28:58, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
  Got KRB5 session key of length 16

[2007/07/18 16:29:38, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
  ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling 
[2007/07/18 16:29:38, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config 
[2007/07/18 16:29:38, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password root at ADS2K3.Q-LEAP.DE failed: Client not found in 
Kerberos database
Failed to disable machine account in AD.  Please do so manually.
Failed to join domain: Type or value exists
[2007/07/18 16:29:39, 2] utils/net.c:main(1032)
  return code = -1

Why is it trying here to get a ticket for "root at ADS2K3.Q-LEAP.DE"? With
samba-3.0.22 it only tried to get tickets like
"host-ha-test-2 at ADS2K3.Q-LEAP.DE".

I'm rather lost here; the sources differ rather much between 3.0.22 and 3.0.25,
and the behaviour also differs. But so far I haven't found any
documentation about ADS configuration changes.

Any help is appreciated.

Thanks in advance,

Bernd Schubert
Q-Leap Networks GmbH
