[Samba] net join, client tls bug?

Hornbaker, RW Rw.Hornbaker at si-intl.com
Tue Sep 18 16:07:21 GMT 2007


QUESTION: Does samba have client side TLS capabilities?

BACKGROUND
Samba ADS compliant distributions tried:
RHEL samba 3.0.10
Blastware samba 3.0.22 (for Solaris 8 and above)
Solaris 9 compilations 3.0.24, 25b, 25c, 26a
My ADS is running in native 2003 mode. The only access I have
  to it is to set up Machine accounts.

SMB.CONF
For all versions I used the same smb.conf (see end of document)

NET JOIN USED
./net ads join -S werebear.myrl.ds.home.org -Urw.hornbaker.ad -d10

ALL VERSIONS PRIOR TO 3.0.25
after acquiring a kerberos ticket via libsmb/clikrb5.c (see net dump below)
net join RETURNS
  ads_connect: Strong(er) authentication required

CHANGED ADS ADMIN PASSWD
As suggested by a number of entries in the samba mailing lists, I changed
the password for my administrative account rw.hornbaker.ad on the ADS

   The net ads join (above) returned the same "Strong(er) authentication
   required" error message.

A search of all source code going into samba (kerberos, cyrus-sasl, openssl,
openldap, and samba) cannot find this error message.

Searching MS knowledgebase returns only Article ID: 823659, August 14, 2007
For setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\
   Parameters\LDAPServerIntegrity

values can be:
None
Require signing --  Data signing required unless TLS/SSL is used.
Not defined

    Compatibility Problems:
      Simple binds fail with
      "Ldap_simple_bind_s() failed: Strong Authentication Required"

From this I conclude my ADS is set to "Require signing".

Turning on TLS feature in smb.conf via
  ldap ssl = start tls

Causes the net ads join to crash with:
Failed to issue the StartTLS instruction: Connect error

Samba documentation indicates this setting is to set up samba as a server that will be serving
certificates, and not having created a cert or configured ldap, there is no way this setting could work.

But all I want is for my samba machine to be an AD member NOT act as a
server.

So back to my question:
1. Is it the TLS capabilities or the lack thereof that is causing
   the "Strong(er) authentication required"  errors?

2. Does samba have client side TLS capabilities that work?

3. And if so how do we get them to work?

Samba 3.0.25 and above it appears we can't even get a kerberos ticket

3.0.25b, 25c, and 26a yields (full net join dump further on):
...
[2007/09/12 15:30:52, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/09/12 15:30:52, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
  ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
[2007/09/12 15:30:52, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/samba/lock/smb_krb5/krb5.conf.MYRL]
[2007/09/12 15:30:52, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password rw.hornbaker.ad at MYRL.DS.HOME.ORG failed: Preauthentication failed
[2007/09/12 15:30:52, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Preauthentication failed

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Samba 3.0.24, compiled on Solaris 9 net ads join FULL error dump
(
  RHEL Samba 3.0.10, Blastware 3.0.22 net join dumps are the same except for the
  time stamps and in 3.0.24(26a) Sol9 compilations of cyrus-sasl was compiled with
  ./configure  --enable-gssapi --enable-login

  Also compiled the same source code without --enable-gssapi.  net join still died with
  the "Strong(er) authentication required"  error
)

[2007/09/13 07:16:42, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
[2007/09/13 07:16:42, 3] param/loadparm.c:lp_load(4945)
  lp_load: refreshing parameters
[2007/09/13 07:16:42, 3] param/loadparm.c:init_globals(1410)
  Initialising global parameters
[2007/09/13 07:16:43, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2007/09/13 07:16:43, 3] param/loadparm.c:do_section(3687)
  Processing section "[global]"
  doing parameter workgroup = MYRL
  doing parameter realm = MYRL.DS.HOME.ORG
  doing parameter server string = Samba %v
  doing parameter security = ADS
  doing parameter client schannel = No
  doing parameter password server = 192.168.255.2
  doing parameter username map = /etc/samba/private/username.map
  doing parameter restrict anonymous = 2
  doing parameter client lanman auth = No
  doing parameter client plaintext auth = No
  doing parameter log level = 3
  doing parameter syslog = 0
  doing parameter log file = /var/samba/log.%m
  doing parameter lpq cache time = 0
  doing parameter load printers = No
  doing parameter printcap name = /dev/null
  doing parameter disable spoolss = Yes
  doing parameter preferred master = No
  doing parameter local master = No
  doing parameter domain master = No
  doing parameter dns proxy = No
  doing parameter ldap ssl = no
  doing parameter utmp = Yes
  doing parameter idmap uid = 10000-20000
  doing parameter idmap gid = 10000-20000
  doing parameter template shell = /bin/ksh
  doing parameter winbind separator = @
  doing parameter winbind use default domain = Yes
  doing parameter invalid users = root, ftp
  doing parameter directory mask = 0750
[2007/09/13 07:16:43, 4] param/loadparm.c:lp_load(4976)
  pm_process() returned Yes
[2007/09/13 07:16:43, 7] param/loadparm.c:lp_servicenumber(5112)
  lp_servicenumber: couldn't find homes
[2007/09/13 07:16:43, 10] param/loadparm.c:set_server_role(4221)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2LE
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS-2LE
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-16LE
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-16LE
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2BE
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS-2BE
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-16BE
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-16BE
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF8
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF8
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-8
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-8
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset ASCII
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset ASCII
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset 646
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset 646
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset ISO-8859-1
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset ISO-8859-1
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS2-HEX
[2007/09/13 07:16:43, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS2-HEX
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/charcnv.c:charset_name(81)
  Substituting charset '646' for LOCALE
[2007/09/13 07:16:43, 5] lib/util.c:init_names(286)
  Netbios name list:-
  my_netbios_names[0]="VAMPIRE"
[2007/09/13 07:16:43, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.1.9 bcast=192.168.1.255 nmask=255.255.255.192
[2007/09/13 07:16:56, 5] libads/ldap.c:ads_try_connect(127)
  ads_try_connect: sending CLDAP request to werebear.myrl.ds.home.org (realm: MYRL.DS.HOME.ORG)
[2007/09/13 07:16:56, 5] lib/gencache.c:gencache_init(61)
  Opening cache file at /var/samba/lock/gencache.tdb
[2007/09/13 07:16:56, 10] libsmb/namequery.c:saf_store(71)
  saf_store: domain = [MYRL], server = [werebear.myrl.ds.home.org], expire = [1189690316]
[2007/09/13 07:16:56, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = SAF/DOMAIN/MYRL; value = werebear.myrl.ds.home.org and timeout = Thu Sep 13 07:31:56 2007
   (900 seconds ahead)
[2007/09/13 07:16:56, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 192.168.255.2
[2007/09/13 07:16:56, 4] libads/ldap.c:ads_current_time(2296)
  time offset is 0 seconds
[2007/09/13 07:16:57, 4] libads/sasl.c:ads_sasl_bind(468)
  Found SASL mechanism GSS-SPNEGO
[2007/09/13 07:16:57, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/09/13 07:16:57, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/09/13 07:16:57, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/09/13 07:16:57, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/09/13 07:16:57, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =werebear$@MYRL.DS.HOME.ORG
[2007/09/13 07:16:57, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/09/13 07:16:57, 10] libads/kerberos.c:kerberos_kinit_password_ext(89)
  kerberos_kinit_password: using MEMORY:net_ads as ccache
[2007/09/13 07:16:59, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 13 Sep 2007 17:16:57 MDT
[2007/09/13 07:16:59, 10] libsmb/clikrb5.c:ads_krb5_mk_req(581)
  ads_krb5_mk_req: Ticket (werebear$@MYRL.DS.HOME.ORG) in ccache (MEMORY:net_ads) is valid until: (Thu, 13 Sep 2007 17:16:57 MDT - 1189725417)
[2007/09/13 07:16:59, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(685)
  Got KRB5 session key of length 16
[2007/09/13 07:16:59, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Strong(er) authentication required
[2007/09/13 07:16:59, 2] utils/net.c:main(988)
  return code = -1


FULL Samba 3.0.26a net ads join error dump:
[2007/09/12 15:30:37, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
[2007/09/12 15:30:37, 3] param/loadparm.c:lp_load(5031)
  lp_load: refreshing parameters
[2007/09/12 15:30:37, 3] param/loadparm.c:init_globals(1430)
  Initialising global parameters
[2007/09/12 15:30:37, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2007/09/12 15:30:37, 3] param/loadparm.c:do_section(3770)
  Processing section "[global]"
  doing parameter workgroup = MYRL
  doing parameter realm = MYRL.DS.HOME.ORG
  doing parameter server string = Samba %v
  doing parameter security = ADS
  doing parameter client schannel = No
  doing parameter password server = 192.168.255.2
  doing parameter username map = /etc/samba/private/username.map
  doing parameter restrict anonymous = 2
  doing parameter client lanman auth = No
  doing parameter client plaintext auth = No
  doing parameter log level = 3
  doing parameter syslog = 0
  doing parameter log file = /var/samba/log.%m
  doing parameter lpq cache time = 0
  doing parameter load printers = No
  doing parameter printcap name = /dev/null
  doing parameter disable spoolss = Yes
  doing parameter preferred master = No
  doing parameter local master = No
  doing parameter domain master = No
  doing parameter dns proxy = No
  doing parameter ldap ssl = no
  doing parameter utmp = Yes
  doing parameter idmap uid = 10000-20000
  doing parameter idmap gid = 10000-20000
  doing parameter template shell = /bin/ksh
  doing parameter winbind separator = @
  doing parameter winbind use default domain = Yes
  doing parameter invalid users = root, ftp
  doing parameter directory mask = 0750
[2007/09/12 15:30:37, 4] param/loadparm.c:lp_load(5062)
  pm_process() returned Yes
[2007/09/12 15:30:37, 7] param/loadparm.c:lp_servicenumber(5200)
  lp_servicenumber: couldn't find homes
[2007/09/12 15:30:37, 10] param/loadparm.c:set_server_role(4306)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2LE
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS-2LE
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-16LE
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-16LE
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2BE
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS-2BE
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-16BE
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-16BE
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF8
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF8
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-8
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-8
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset ASCII
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset ASCII
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset 646
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset 646
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset ISO-8859-1
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset ISO-8859-1
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS2-HEX
[2007/09/12 15:30:37, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS2-HEX
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:37, 5] lib/charcnv.c:charset_name(82)
  Substituting charset '646' for LOCALE
[2007/09/12 15:30:38, 2] lib/util_file.c:map_file(240)
  map_file: Failed to load /usr/local/samba/lib/valid.dat - No such file or directory
[2007/09/12 15:30:38, 2] lib/util_unistr.c:init_valid_table(251)
  creating default valid table
[2007/09/12 15:30:38, 5] lib/util.c:init_names(287)
  Netbios name list:-
  my_netbios_names[0]="VAMPIRE"
[2007/09/12 15:30:38, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.1.9 bcast=192.168.1.255 nmask=255.255.255.192
[2007/09/12 15:30:38, 5] lib/gencache.c:gencache_init(61)
  Opening cache file at /var/samba/lock/gencache.tdb
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG, value = WREBEAR, timeout = Mon Jan 18 20:14:07 2038
[2007/09/12 15:30:38, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for MYRL.DS.HOME.ORG: "WREBEAR"
[2007/09/12 15:30:38, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MYRL
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG, value = WREBEAR, timeout = Mon Jan 18 20:14:07 2038
[2007/09/12 15:30:38, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for MYRL.DS.HOME.ORG: "WREBEAR"
[2007/09/12 15:30:38, 6] libads/ldap.c:ads_find_dc(294)
  ads_find_dc: looking for realm 'MYRL.DS.HOME.ORG'
[2007/09/12 15:30:38, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
  get_sorted_dc_list: attempting lookup for name MYRL.DS.HOME.ORG (sitename WREBEAR) using [ads]
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = SAF/DOMAIN/MYRL.DS.HOME.ORG, value = 192.168.255.2, timeout = Wed Sep 12 15:31:09 2007
[2007/09/12 15:30:38, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "192.168.255.2" for "MYRL.DS.HOME.ORG" domain
[2007/09/12 15:30:38, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "192.168.255.2, 192.168.255.2"
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG, value = WREBEAR, timeout = Mon Jan 18 20:14:07 2038
[2007/09/12 15:30:38, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for MYRL.DS.HOME.ORG: "WREBEAR"
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG, value = WREBEAR, timeout = Mon Jan 18 20:14:07 2038
[2007/09/12 15:30:38, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for MYRL.DS.HOME.ORG: "WREBEAR"
[2007/09/12 15:30:38, 10] libsmb/namequery.c:remove_duplicate_addrs2(435)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2007/09/12 15:30:38, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 1 ip addresses in an ordered list
[2007/09/12 15:30:38, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 192.168.255.2:389
[2007/09/12 15:30:38, 5] libads/ldap.c:ads_try_connect(180)
  ads_try_connect: sending CLDAP request to 192.168.255.2 (realm: MYRL.DS.HOME.ORG)
[2007/09/12 15:30:38, 10] libads/dns.c:sitename_store(638)
  sitename_store: realm = [MYRL.DS.HOME.ORG], sitename = [WREBEAR], expire = [2147483647]
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG; value = WREBEAR and timeout = Mon Jan 18 20:14:07 2038
   (957851009 seconds ahead)
[2007/09/12 15:30:38, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 192.168.255.2
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG, value = WREBEAR, timeout = Mon Jan 18 20:14:07 2038
[2007/09/12 15:30:38, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for MYRL.DS.HOME.ORG: "WREBEAR"
[2007/09/12 15:30:38, 10] libads/ldap.c:ads_closest_dc(149)
  ads_closest_dc: ADS_CLOSEST flag set
[2007/09/12 15:30:38, 10] libads/kerberos.c:create_local_private_krb5_conf_for_domain(614)
  create_local_private_krb5_conf_for_domain: fname = /var/samba/lock/smb_krb5/krb5.conf.MYRL, realm = MYRL.DS.HOME.ORG, domain = MYRL
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = SAF/DOMAIN/MYRL.DS.HOME.ORG, value = 192.168.255.2, timeout = Wed Sep 12 15:31:09 2007
[2007/09/12 15:30:38, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "192.168.255.2" for "MYRL.DS.HOME.ORG" domain
[2007/09/12 15:30:38, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "192.168.255.2, 192.168.255.2"
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG, value = WREBEAR, timeout = Mon Jan 18 20:14:07 2038
[2007/09/12 15:30:38, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for MYRL.DS.HOME.ORG: "WREBEAR"
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG, value = WREBEAR, timeout = Mon Jan 18 20:14:07 2038
[2007/09/12 15:30:38, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for MYRL.DS.HOME.ORG: "WREBEAR"
[2007/09/12 15:30:38, 10] libsmb/namequery.c:remove_duplicate_addrs2(435)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2007/09/12 15:30:38, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 1 ip addresses in an ordered list
[2007/09/12 15:30:38, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 192.168.255.2:389
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = SAF/DOMAIN/MYRL.DS.HOME.ORG, value = 192.168.255.2, timeout = Wed Sep 12 15:31:09 2007
[2007/09/12 15:30:38, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "192.168.255.2" for "MYRL.DS.HOME.ORG" domain
[2007/09/12 15:30:38, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "192.168.255.2, 192.168.255.2"
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG, value = WREBEAR, timeout = Mon Jan 18 20:14:07 2038
[2007/09/12 15:30:38, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for MYRL.DS.HOME.ORG: "WREBEAR"
[2007/09/12 15:30:38, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG, value = WREBEAR, timeout = Mon Jan 18 20:14:07 2038
[2007/09/12 15:30:38, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for MYRL.DS.HOME.ORG: "WREBEAR"
[2007/09/12 15:30:38, 10] libsmb/namequery.c:remove_duplicate_addrs2(435)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2007/09/12 15:30:38, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 1 ip addresses in an ordered list
[2007/09/12 15:30:38, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 192.168.255.2:389
[2007/09/12 15:30:38, 10] libads/kerberos.c:get_kdc_ip_string(565)
  get_kdc_ip_string: Returning  kdc = 192.168.255.2

[2007/09/12 15:30:38, 5] libads/kerberos.c:create_local_private_krb5_conf_for_domain(683)
  create_local_private_krb5_conf_for_domain: wrote file /var/samba/lock/smb_krb5/krb5.conf.MYRL with realm MYRL.DS.HOME.ORG KDC = 192.168.255.2
[2007/09/12 15:30:38, 4] libsmb/namequery_dc.c:ads_dc_name(139)
  ads_dc_name: using server='werebear.MYRL.DS.HOME.ORG' IP=192.168.255.2
rw.hornbaker.ad's password:
[2007/09/12 15:30:51, 5] libads/ldap.c:ads_try_connect(180)
  ads_try_connect: sending CLDAP request to werebear.myrl.ds.home.org (realm: MYRL.DS.HOME.ORG)
[2007/09/12 15:30:51, 10] libads/dns.c:sitename_store(638)
  sitename_store: realm = [MYRL.DS.HOME.ORG], sitename = [WREBEAR], expire = [2147483647]
[2007/09/12 15:30:51, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = AD_SITENAME/DOMAIN/MYRL.DS.HOME.ORG; value = WREBEAR and timeout = Mon Jan 18 20:14:07 2038
   (957850996 seconds ahead)
[2007/09/12 15:30:51, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 192.168.255.2
[2007/09/12 15:30:51, 10] libads/ldap.c:ads_closest_dc(149)
  ads_closest_dc: ADS_CLOSEST flag set
[2007/09/12 15:30:51, 10] libsmb/namequery.c:saf_store(74)
  saf_store: domain = [MYRL], server = [192.168.255.2], expire = [1189633551]
[2007/09/12 15:30:51, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = SAF/DOMAIN/MYRL; value = 192.168.255.2 and timeout = Wed Sep 12 15:45:51 2007
   (900 seconds ahead)
[2007/09/12 15:30:51, 10] libsmb/namequery.c:saf_store(74)
  saf_store: domain = [MYRL.DS.HOME.ORG], server = [192.168.255.2], expire = [1189633551]
[2007/09/12 15:30:51, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = SAF/DOMAIN/MYRL.DS.HOME.ORG; value = 192.168.255.2 and timeout = Wed Sep 12 15:45:51 2007
   (900 seconds ahead)
[2007/09/12 15:30:51, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2007/09/12 15:30:51, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2007/09/12 15:30:51, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/09/12 15:30:51, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/09/12 15:30:51, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/09/12 15:30:51, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/09/12 15:30:51, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = werebear$@MYRL.DS.HOME.ORG
[2007/09/12 15:30:52, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/09/12 15:30:52, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
  ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
[2007/09/12 15:30:52, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/samba/lock/smb_krb5/krb5.conf.MYRL]
[2007/09/12 15:30:52, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password rw.hornbaker.ad at MYRL.DS.HOME.ORG failed: Preauthentication failed
[2007/09/12 15:30:52, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Preauthentication failed
[2007/09/12 15:30:52, 10] intl/lang_tdb.c:lang_tdb_init(138)
  lang_tdb_init: /usr/local/samba/lib/C.msg: No such file or directory
[2007/09/12 15:30:52, 2] utils/net.c:main(1036)
  return code = -1
Failed to join domain: Logon failure

smb.conf
[global]
        workgroup = MYRL
        realm = MYRL.DS.HOME.ORG
        server string = Samba %v
        security = ADS
        client schannel = No
        password server = 192.168.255.2
        username map = /etc/samba/private/username.map
        restrict anonymous = 2
        client lanman auth = No
        client plaintext auth = No
        log level = 3
        syslog = 0
        log file = /var/samba/log.%m
        lpq cache time = 0
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        utmp = Yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/ksh
        winbind separator = @
        winbind use default domain = Yes
        invalid users = root, ftp
        directory mask = 0750

[homes]
        comment = %h Home Dirs
        valid users = %S
        read only = No
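
An added triage example (not part of the original post, and not Samba code): it groups `net ads join -d10` output into records, names the SPNEGO mechanisms the server offered, and reports which stage failed first, separating the LDAP bind rejection from the Kerberos pre-authentication failure. The sample lines are excerpted from the dumps in the post (one pair deliberately fused); the stage labels and the `parse_records` and `triage` names are assumptions of this example.

```python
import re

# SPNEGO mechanism OIDs in dotted form (the log prints them space-separated).
MECHS = {
    "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.113554.1.2.2.3": "Kerberos 5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# (substring of the message, stage label used by this example, meaning)
FAILURES = [
    ("Strong(er) authentication required", "ldap-bind",
     "LDAP result code 8 (strongerAuthRequired): the directory server "
     "refused the bind as presented, e.g. because it requires signing"),
    ("Preauthentication failed", "kerberos-as",
     "KDC_ERR_PREAUTH_FAILED: the KDC rejected the pre-authentication "
     "data, so no ticket was issued"),
    ("Failed to issue the StartTLS instruction", "starttls",
     "the StartTLS extended operation could not be issued"),
]

HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+([\w./-]+):(\w+)\((\d+)\)$")
# A header glued to the end of the previous message by a missing newline.
FUSED = re.compile(r"(?<=\S)(?=\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,)")


def parse_records(text):
    """Group a Samba debug log into records: a header plus its message lines."""
    records = []
    for raw in FUSED.sub("\n", text).splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)),
                            "where": f"{m.group(3)}:{m.group(4)}", "msg": []})
        elif records:
            records[-1]["msg"].append(line)
    return records


def triage(text):
    """Return offered mechanisms, whether a session key was obtained,
    and the first failure seen (or None)."""
    offered, kerberos_ok, failure = [], False, None
    for rec in parse_records(text):
        for msg in rec["msg"]:
            m = re.search(r"got OID=([\d ]+)", msg)
            if m:
                oid = ".".join(m.group(1).split())
                offered.append(MECHS.get(oid, oid))
            if "Got KRB5 session key" in msg:
                kerberos_ok = True
            if failure is None:
                for needle, stage, meaning in FAILURES:
                    if needle in msg:
                        failure = {"stage": stage, "where": rec["where"],
                                   "meaning": meaning}
                        break
    return {"mechs": offered, "kerberos_ok": kerberos_ok, "failure": failure}


# Excerpt of the 3.0.24 dump from the post.
LOG_3_0_24 = """\
[2007/09/13 07:16:57, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/09/13 07:16:57, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/09/13 07:16:59, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(685)
  Got KRB5 session key of length 16
[2007/09/13 07:16:59, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Strong(er) authentication required
"""

# Excerpt of the 3.0.26a dump; the second header is fused onto the
# preceding message on purpose to exercise the splitter.
LOG_3_0_26A = """\
[2007/09/12 15:30:52, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
  ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit[2007/09/12 15:30:52, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/samba/lock/smb_krb5/krb5.conf.MYRL]
[2007/09/12 15:30:52, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password rw.hornbaker.ad at MYRL.DS.HOME.ORG failed: Preauthentication failed
[2007/09/12 15:30:52, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Preauthentication failed
"""

if __name__ == "__main__":
    for name, log in (("3.0.24", LOG_3_0_24), ("3.0.26a", LOG_3_0_26A)):
        print(name, triage(log))
```

In the 3.0.24 excerpt the session key is obtained before the failure, so the rejection happens at the LDAP bind and not in Kerberos; in the 3.0.26a excerpt the run stops earlier, at the KDC.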



