[Samba] kinit works, net join ads fails

Peter Baumgartner sgt.hulka at gmail.com
Wed Oct 3 17:06:33 GMT 2007


On 9/27/07, eric roseme <eroseme at emonster.rose.hp.com> wrote:
> I know this sounds a little strange, but I was having the same problem
> on 3.0.25c, but adding the password to the command line solved it.  I
> have no idea why:
>
> net ads join -U administrator%password
>

Looks like that got me past the preauthentication error, but I'm still
having an issue joining. Here is the debug log, followed by my smb.conf:

# /usr/sfw/sbin/net ads join -d3 -Umyuser%mypassword
[2007/10/03 09:07:37, 3] param/loadparm.c:(5024)
  lp_load: refreshing parameters
[2007/10/03 09:07:37, 3] param/loadparm.c:(1424)
  Initialising global parameters
[2007/10/03 09:07:37, 3] param/params.c:(572)
  params.c:pm_process() - Processing configuration file "/etc/sfw/smb.conf"
[2007/10/03 09:07:37, 3] param/loadparm.c:(3763)
  Processing section "[global]"
[2007/10/03 09:07:37, 2] lib/interface.c:(81)
  added interface ip=192.168.1.245 bcast=192.168.1.255 nmask=255.255.255.0
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
  get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libads/ldap.c:(394)
  Connected to LDAP server 192.168.1.240
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
  get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
  get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
  get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libads/ldap.c:(394)
  Connected to LDAP server 192.168.1.240
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/10/03 09:07:37, 3] libads/sasl.c:(222)
  ads_sasl_spnego_bind: got server principal name = mydomain-svr$@MYDOMAIN.LOCAL
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Wed, 03 Oct 2007 19:07:37 MDT
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
  get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libads/ldap.c:(394)
  Connected to LDAP server 192.168.1.240
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/10/03 09:07:37, 3] libads/sasl.c:(222)
  ads_sasl_spnego_bind: got server principal name = mydomain-svr$@MYDOMAIN.LOCAL
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Wed, 03 Oct 2007 19:07:37 MDT
[2007/10/03 09:07:37, 3] libsmb/cliconnect.c:(1509)
  Connecting to host=mydomain-svr.mydomain.local
[2007/10/03 09:07:37, 3] lib/util_sock.c:(874)
  Connecting to 192.168.1.240 at port 445
[2007/10/03 09:07:37, 3] libsmb/cliconnect.c:(972)
  cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] libsmb/cliconnect.c:(1606)
  failed session setup with NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] utils/net.c:(294)
  Cannot connect to server using kerberos.  Error was NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] utils/net_ads.c:(1548)
  call of net_join_domain failed: Logon failure
Failed to join domain: Logon failure
[2007/10/03 09:07:37, 2] utils/net.c:(1036)
  return code = -1

### smb.conf
[global]
 realm = MYDOMAIN.LOCAL
 workgroup = MYDOMAIN
 security = ADS
 use kerberos keytab = true
; password server = mydomain-svr.mydomain.local
 encrypt passwords = yes
 client lanman auth = no
 client NTLMv2 auth = yes
 lanman auth = no
 min protocol = LANMAN2
 ntlm auth = no
 server string = Samba ADS
 client use spnego = no
 server signing = auto
# winbind configuration:
 winbind separator = +
 ; winbind enum users = yes
 ; template homedir = /samba/pchome/%D/%U

 idmap domains = MYDOMAIN
 idmap config MYDOMAIN:default = yes
 idmap config MYDOMAIN:backend = tdb
 idmap config MYDOMAIN:range = 10000-20000
# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/samba/log/log.%m
   log level = 10
# Put a capping on the size of the log files (in Kb).
   max log size = 1024

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
;   socket options = TCP_NODELAY
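
Added example, not part of the original post: a small Python parser for `net ads join -d3` output like the log above. It folds mail-wrapped lines back into their message, names the SPNEGO mechanism OIDs the server offered, and pulls out the server principal and the level-1 failure records. The function names and the OID-to-name table are this example's own; the sample lines are copied from the posted log.

```python
import re

MECH_NAMES = {  # SPNEGO mechanism OIDs; Samba prints the arcs space-separated
    "1.2.840.48018.1.2.2": "MS Kerberos 5 (legacy OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.113554.1.2.2.3": "Kerberos 5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
HEADER = re.compile(r"^\[[^,\]]+,\s*(\d+)\]\s+(\S+):\w*\((\d+)\)\s*$")

# Lines copied from the posted log; one message is mail-wrapped onto two lines.
SAMPLE = """\
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/10/03 09:07:37, 3] libads/sasl.c:(222)
  ads_sasl_spnego_bind: got server principal name = mydomain-svr$@MYDOMAIN.LOCAL
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
file found)
[2007/10/03 09:07:37, 3] libsmb/cliconnect.c:(972)
  cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] utils/net.c:(294)
  Cannot connect to server using kerberos.  Error was NT_STATUS_LOGON_FAILURE
"""

def parse_records(text):
    """Return [level, source, message]; unheadered lines fold into the last message."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append([int(m.group(1)), m.group(2), ""])
        elif records and raw.strip():
            records[-1][2] = (records[-1][2] + " " + raw.strip()).strip()
    return records

def summarize(text):
    """Collect offered mechanisms, the server principal and level<=1 error records."""
    out = {"mechs": {}, "principal": None, "errors": []}
    for level, src, msg in parse_records(text):
        if m := re.search(r"got OID=([\d ]+)", msg):
            dotted = ".".join(m.group(1).split())
            out["mechs"][dotted] = MECH_NAMES.get(dotted, "unknown")
        if m := re.search(r"server principal name = (\S+)", msg):
            out["principal"] = m.group(1)
        if level <= 1:
            out["errors"].append((src, msg))
    return out
```

Running `summarize()` over the full log deduplicates the repeated OID lines, since each LDAP bind logs the same mechanism list again.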

