[Samba] kinit works, net join ads fails
Peter Baumgartner
sgt.hulka at gmail.com
Wed Oct 3 17:06:33 GMT 2007
On 9/27/07, eric roseme <eroseme at emonster.rose.hp.com> wrote:
> I know this sounds a little strange, but I was having the same problem
> on 3.0.25c, but adding the password to the command line solved it. I
> have no idea why:
>
> net ads join -U administrator%password
>
Looks like that got me past the preauthentication error, but I'm still
having an issue joining. Here is the debug log, followed by my smb.conf:
# /usr/sfw/sbin/net ads join -d3 -Umyuser%mypassword
[2007/10/03 09:07:37, 3] param/loadparm.c:(5024)
lp_load: refreshing parameters
[2007/10/03 09:07:37, 3] param/loadparm.c:(1424)
Initialising global parameters
[2007/10/03 09:07:37, 3] param/params.c:(572)
params.c:pm_process() - Processing configuration file "/etc/sfw/smb.conf"
[2007/10/03 09:07:37, 3] param/loadparm.c:(3763)
Processing section "[global]"
[2007/10/03 09:07:37, 2] lib/interface.c:(81)
added interface ip=192.168.1.245 bcast=192.168.1.255 nmask=255.255.255.0
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libads/ldap.c:(394)
Connected to LDAP server 192.168.1.240
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libads/ldap.c:(394)
Connected to LDAP server 192.168.1.240
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/10/03 09:07:37, 3] libads/sasl.c:(222)
ads_sasl_spnego_bind: got server principal name = mydomain-svr$@MYDOMAIN.LOCAL
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
file found)
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
expiration Wed, 03 Oct 2007 19:07:37 MDT
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489)
get_dc_list: preferred server list: "192.168.1.240, *"
[2007/10/03 09:07:37, 3] libads/ldap.c:(394)
Connected to LDAP server 192.168.1.240
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/10/03 09:07:37, 3] libads/sasl.c:(222)
ads_sasl_spnego_bind: got server principal name = mydomain-svr$@MYDOMAIN.LOCAL
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
expiration Wed, 03 Oct 2007 19:07:37 MDT
[2007/10/03 09:07:37, 3] libsmb/cliconnect.c:(1509)
Connecting to host=mydomain-svr.mydomain.local
[2007/10/03 09:07:37, 3] lib/util_sock.c:(874)
Connecting to 192.168.1.240 at port 445
[2007/10/03 09:07:37, 3] libsmb/cliconnect.c:(972)
cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] libsmb/cliconnect.c:(1606)
failed session setup with NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] utils/net.c:(294)
Cannot connect to server using kerberos. Error was NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] utils/net_ads.c:(1548)
call of net_join_domain failed: Logon failure
Failed to join domain: Logon failure
[2007/10/03 09:07:37, 2] utils/net.c:(1036)
return code = -1
### smb.conf
[global]
realm = MYDOMAIN.LOCAL
workgroup = MYDOMAIN
security = ADS
use kerberos keytab = true
; password server = mydomain-svr.mydomain.local
encrypt passwords = yes
client lanman auth = no
client NTLMv2 auth = yes
lanman auth = no
min protocol = LANMAN2
ntlm auth = no
server string = Samba ADS
client use spnego = no
server signing = auto
# winbind configuration:
winbind separator = +
; winbind enum users = yes
; template homedir = /samba/pchome/%D/%U
idmap domains = MYDOMAIN
idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:backend = tdb
idmap config MYDOMAIN:range = 10000-20000
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/samba/log/log.%m
log level = 10
# Put a capping on the size of the log files (in Kb).
max log size = 1024
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
; socket options = TCP_NODELAY
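
An added example, not part of the original post and not Samba's own code: a small parser for the `net ads join -d3` output above that names the SPNEGO mechanism OIDs the server advertised and pulls out the level-1 failure lines. The function names are hypothetical; the sample input is an excerpt of the log in the post.

```python
import re

# SPNEGO mechanism OIDs, space-separated as Samba's debug output prints them.
MECHS = {
    "1 2 840 48018 1 2 2": "MS-KRB5 (legacy Microsoft Kerberos OID)",
    "1 2 840 113554 1 2 2": "Kerberos 5",
    "1 2 840 113554 1 2 2 3": "Kerberos 5 user-to-user",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}
# Header: "[date time, level] file.c:func(line)"; func is empty in this copy.
HEADER = re.compile(r"^\[[\d/]+ [\d:]+,\s*(\d+)\]\s+([^:\s]+):\w*\(\d+\)\s*$")
OID = re.compile(r"got OID=(\d+(?: \d+)*)")

def parse_records(text):
    """Pair each header with its message, rejoining wrapped message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"level": int(m.group(1)), "src": m.group(2), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def offered_mechs(records):
    """Mechanisms the server advertised, in first-seen order, without repeats."""
    oids = [m.group(1) for r in records if (m := OID.search(r["msg"]))]
    return [MECHS.get(o, "unknown OID " + o) for o in dict.fromkeys(oids)]

def failures(records, max_level=1):
    """Messages at debug level 0 or 1, the level the failure lines here use."""
    return [(r["src"], r["msg"]) for r in records if r["level"] <= max_level]

# Excerpt of the debug log in the post above (one message is line-wrapped).
SAMPLE = """\
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
file found)
[2007/10/03 09:07:37, 1] libsmb/cliconnect.c:(1606)
failed session setup with NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] utils/net.c:(294)
Cannot connect to server using kerberos. Error was NT_STATUS_LOGON_FAILURE
"""
print(offered_mechs(parse_records(SAMPLE)), failures(parse_records(SAMPLE)))
```
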