[Samba] Joining a win2k3 ads fails

Lex Brugman lex.brugman at gmail.com
Fri Nov 9 11:06:52 GMT 2007


Hello,

I'm trying to join a win2k3 ADS domain using a working config on a Debian 'Lenny' (ARM processor)
from another machine running Gentoo (x86 processor) (only changed the netbios name).

The Samba version is 3.0.26a on both machines.
I'm pretty sure this is not a Kerberos or LDAP problem; does anyone have a clue what else it could be?


# net -d 3 ads join -U administrator
[2007/11/07 23:31:00, 3] param/loadparm.c:lp_load(5039)
   lp_load: refreshing parameters
[2007/11/07 23:31:00, 3] param/loadparm.c:init_globals(1438)
   Initialising global parameters
[2007/11/07 23:31:00, 3] param/params.c:pm_process(572)
   params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2007/11/07 23:31:00, 3] param/loadparm.c:do_section(3778)
   Processing section "[global]"
[2007/11/07 23:31:01, 3] param/params.c:pm_process(572)
   params.c:pm_process() - Processing configuration file "/etc/samba/dhcp.conf"
[2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
   added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
   added interface ip=10.0.0.22 bcast=10.0.0.255 nmask=255.255.255.0
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:02, 3] libads/ldap.c:ads_connect(394)
   Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
administrator's password:
[2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
   Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
   ads_sasl_spnego_bind: got server principal name = server2$@THUIS.LOCAL
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
   Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
   ads_sasl_spnego_bind: got server principal name = server2$@THUIS.LOCAL
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_start_connection(1509)
   Connecting to host=server2.thuis.local
[2007/11/07 23:31:05, 3] lib/util_sock.c:open_socket_out(874)
   Connecting to 10.0.0.2 at port 445
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(793)
   Doing spnego session setup (blob length=108)
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
   got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
   got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
   got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
   got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
   got principal=server2$@THUIS.LOCAL
[2007/11/07 23:31:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(613)
   Doing kerberos session setup
[2007/11/07 23:31:06, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
   rpc_pipe_bind: Remote machine server2.thuis.local pipe \lsarpc fnum 0x8001 bind request returned ok.
[2007/11/07 23:31:06, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
   lsa_io_sec_qos: length c does not match size 8
[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
   rpc_pipe_bind: Remote machine server2.thuis.local pipe \samr fnum 0xa bind request returned ok.
[2007/11/07 23:31:06, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_NDR received from remote machine server2.thuis.local pipe \samr fnum 0xa!
[2007/11/07 23:31:06, 1] utils/net_ads.c:net_ads_join(1548)
   call of net_join_domain failed: NT code 0x000006f7
Failed to join domain: NT code 0x000006f7
[2007/11/07 23:31:06, 2] utils/net.c:main(1036)
   return code = -1


smb.conf (relevant part only):
[global]
#       log level = 5
         enable privileges = Yes
         username map = /etc/samba/smbusers
         allow trusted domains = No
         idmap uid = 20000-30000
         idmap gid = 20000-30000
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind separator = +
         winbind use default domain = Yes
         winbind offline logon = Yes
         winbind refresh tickets = Yes
         use kerberos keytab = Yes
         winbind nss info = template
         template homedir = /home/%U
         template shell = /bin/bash
         client use spnego = Yes
         obey pam restrictions = No
         password server = thuis.local
         null passwords = No
         server signing = Auto
         client signing = Auto
         lm announce = No
         deadtime = 15
         encrypt passwords = Yes
         workgroup = THUIS
         realm = THUIS.LOCAL
         netbios name = BACKUP
         server string = Samba on %L
         interfaces = lo eth0
         bind interfaces only = Yes
         hosts deny = 0.0.0.0/0
         hosts allow = 10.0.0.0/24 127.0.0.1
         os level = 20
         wins support = No
         # get wins server address from dhcp
         include = /etc/samba/dhcp.conf
         name resolve order = wins lmhosts hosts bcast
         preferred master = No
         load printers = No
         log file = /var/log/samba/log.%m
         max log size = 0
         security = ads
         socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         dns proxy = No
         time server = No
         hide dot files = Yes
         username level = 1
         admin users = @%D%w"Domain Admins"
         guest ok = No
         public = No
         valid users = @%D%w"Domain Admins" @%D%w"Domain Power Users" @%D%w"Domain Users" @%D%w"Domain Controllers" @%D%w"Domain Computers"
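
A small triage helper for `net -d 3` output like the log in the post above, added here as an example (not part of the original message and not Samba code): it rejoins entries the mailer wrapped, names the SPNEGO mechanism OIDs the server offered, and pulls out the level-1 entries where the join failed. The function names and the `SAMPLE` excerpt are assumptions made for illustration.

```python
import re
# Header of a Samba 3.x debug entry: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] (\S+):(\w+)\((\d+)\)$")
# SPNEGO mechanism OIDs, written the way Samba logs them (space-separated arcs)
MECHS = {
    "1 2 840 48018 1 2 2": "Kerberos 5 (legacy Microsoft OID)",
    "1 2 840 113554 1 2 2": "Kerberos 5",
    "1 2 840 113554 1 2 2 3": "Kerberos 5 user-to-user",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}

def parse_entries(text):
    """Pair each header with its message, rejoining lines the mailer wrapped."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"level": int(m[2]), "func": m[4], "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def offered_mechs(entries):
    """Distinct mechanisms the server offered, in first-seen order."""
    seen = []
    for e in entries:
        m = re.search(r"got OID=([\d ]+)$", e["msg"])
        name = m and MECHS.get(m[1].strip(), "unknown OID " + m[1].strip())
        if name and name not in seen:
            seen.append(name)
    return seen

def failures(entries, max_level=1):
    """Entries at or below max_level (the failing calls in the post are level 1)."""
    return [e for e in entries if e["level"] <= max_level]

# Constructed sample: entries copied from the log in the post, wrap included.
SAMPLE = r"""
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:06, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_NDR received from remote machine
server2.thuis.local pipe \samr fnum 0xa!
[2007/11/07 23:31:06, 1] utils/net_ads.c:net_ads_join(1548)
   call of net_join_domain failed: NT code 0x000006f7
"""
print(offered_mechs(parse_entries(SAMPLE)), failures(parse_entries(SAMPLE)))
```

Unindented program output that follows an entry (for example the password prompt) is also appended to the preceding message, since a mail-wrapped continuation cannot be told apart from it.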


