[Samba] Join domain problems in Windows 2003 environment

James Harr james.harr at gmail.com
Sat Feb 23 20:11:22 GMT 2008


I had a server in the domain; after a while, winbind broke down. When I
try joining the domain again, I get this error:
  Failed to join domain: Strong(er) authentication required

I did move this server to a different OU in the directory, but that
shouldn't affect trying to rejoin. Our domain is at the Windows 2003
functionality level. The domain controller it is attaching to has been
tightened down for security a bit. I went through the Security
Configuration Wizard on it, which might have disabled some
functionality that Samba needs.

Any ideas or pointers?

# net -V
Version 3.0.26a
# net -d 4 ads join -U jharr
[2008/02/23 13:54:41, 3] param/loadparm.c:lp_load(5039)
  lp_load: refreshing parameters
[2008/02/23 13:54:41, 3] param/loadparm.c:init_globals(1438)
  Initialising global parameters
[2008/02/23 13:54:41, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2008/02/23 13:54:41, 3] param/loadparm.c:do_section(3778)
  Processing section "[global]"
  doing parameter workgroup = MY-DOM
  doing parameter realm = DOM.FOO.COM
  doing parameter server string = %h server (Samba, Ubuntu)
  doing parameter dns proxy = no
  doing parameter log file = /var/log/samba/log.%m
  doing parameter max log size = 1000
  doing parameter syslog = 0
  doing parameter panic action = /usr/share/samba/panic-action %d
  doing parameter security = ads
  doing parameter encrypt passwords = true
  doing parameter passdb backend = tdbsam
  doing parameter obey pam restrictions = yes
  doing parameter invalid users = root
  doing parameter passwd program = /usr/bin/passwd %u
  doing parameter passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
  doing parameter socket options = TCP_NODELAY
  doing parameter domain master = no
  doing parameter local master = no
  doing parameter idmap uid = 10000-200000
  doing parameter idmap gid = 10000-200000
  doing parameter idmap domains = MY-DOM
  doing parameter idmap config MY-DOM:backend = rid
  doing parameter idmap config MY-DOM:default = yes
  doing parameter idmap config MY-DOM:range = 11000-200000
  doing parameter idmap cache time = 900
  doing parameter idmap negative cache time = 120
  doing parameter template shell = /bin/bash
  doing parameter template homedir = /home/%U
  doing parameter allow trusted domains = no
  doing parameter winbind enum users = yes
  doing parameter winbind enum groups = yes
  doing parameter winbind separator = @
  doing parameter winbind nested groups = yes
  doing parameter winbind offline logon = yes
  doing parameter winbind refresh tickets = true
  doing parameter winbind use default domain = true
[2008/02/23 13:54:41, 4] param/loadparm.c:lp_load(5070)
  pm_process() returned Yes
[2008/02/23 13:54:41, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.21 bcast=10.255.255.255 nmask=255.0.0.0
[2008/02/23 13:54:41, 2] lib/interface.c:add_interface(81)
  added interface ip=100.100.100.199 bcast=100.100.100.255 nmask=255.255.255.0
[2008/02/23 13:54:41, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.0.21 bcast=192.168.0.255 nmask=255.255.255.0
[2008/02/23 13:54:41, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MY-DOM
[2008/02/23 13:54:41, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "100.100.100.182, *"
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 100.100.100.182:389 100.100.100.181:389
[2008/02/23 13:54:41, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 100.100.100.182
[2008/02/23 13:54:41, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "100.100.100.182, *"
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 100.100.100.182:389 100.100.100.181:389
[2008/02/23 13:54:41, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "100.100.100.182, *"
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 100.100.100.182:389 100.100.100.181:389
[2008/02/23 13:54:41, 4] libsmb/namequery_dc.c:ads_dc_name(139)
  ads_dc_name: using server='DC2.DOM.FOO.COM' IP=100.100.100.182
jharr's password:
[2008/02/23 13:54:43, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "100.100.100.182, *"
[2008/02/23 13:54:43, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2008/02/23 13:54:43, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 100.100.100.182:389 100.100.100.181:389
[2008/02/23 13:54:43, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 100.100.100.182
[2008/02/23 13:54:43, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2008/02/23 13:54:43, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = dc2$@DOM.FOO.COM
[2008/02/23 13:54:43, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2008/02/23 13:54:43, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Sat, 23 Feb 2008 23:54:43 CST
[2008/02/23 13:54:43, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Strong(er) authentication required
Failed to join domain: Strong(er) authentication required
[2008/02/23 13:54:43, 2] utils/net.c:main(1036)
  return code = -1
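
An added example, not part of the original post: a small triage script for `net -d 4` output like the log above, which lists the SPNEGO mechanisms the DC offered and the first level-1 error. The sample lines are constructed in the same format as the post's log, and the function names `parse` and `triage` are illustrative.

```python
import re

# Constructed sample in the format of the `net -d 4 ads join` output above.
SAMPLE = """\
[2008/02/23 13:54:43, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/02/23 13:54:43, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Strong(er) authentication required
"""

# Well-known SPNEGO mechanism OIDs (Samba prints them space-separated).
MECHS = {
    "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft legacy OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.113554.1.2.2.3": "Kerberos 5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
HEADER = re.compile(r"^\[[^,\]]+, +(\d+)\] \S+:(\w+)\(\d+\)$")

def parse(log):
    """Yield (level, function, message); non-header lines join the prior record."""
    record = None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            if record:
                yield record[0], record[1], " ".join(record[2])
            record = (int(m.group(1)), m.group(2), [])
        elif record and line.strip():
            record[2].append(line.strip())
    if record:
        yield record[0], record[1], " ".join(record[2])

def triage(log):
    """Return the offered SPNEGO mechanisms and the first level<=1 error."""
    offered, error = [], None
    for level, func, msg in parse(log):
        oid = re.search(r"got OID=([\d ]+)$", msg)
        if oid:
            dotted = ".".join(oid.group(1).split())
            offered.append(MECHS.get(dotted, dotted))
        elif level <= 1 and error is None:
            error = (func, msg)
    return {"offered": offered, "error": error}
```

Run over the full log in the post, this reports that the DC offered Kerberos and NTLMSSP through GSS-SPNEGO and that the failure surfaces in `net_ads_join` at `ads_startup`.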

