[Samba] net ads join : ads_connect: No logon servers

D G Teed donald.teed at gmail.com
Wed Jan 30 15:32:37 GMT 2008


I've been able to use security = ads in smb.conf, and connect OK,
but it must be falling back to domain.  When I run net ads join
I get the error (debug trace below):

ads_connect: No logon servers

Here is my krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = BEER
[realms]
 BEER = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = BEER
 .beer.ca = BEER

Here is my rpc join status:
# net rpc testjoin
Join to 'BEER' is OK

Here is my attempt to graduate this to ADS levels, with debug:

# net ads join -Ubeeruser%beeruserpw -d3
[2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
  lp_load: refreshing parameters
[2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
  Initialising global parameters
[2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
  Processing section "[global]"
[2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
  added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
[2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
  added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "ADC2, 111.111.200.67"
[2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 111.111.200.66 failed.
[2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 111.111.200.67 failed.
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "ADC2, 111.111.200.67"
[2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
  Could not look up dc's for domain BEER
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "ADC2, 111.111.200.67"
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "ADC2, 111.111.200.67"
[2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
[2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: No logon servers
Failed to join domain: No logon servers
[2008/01/30 11:06:08, 2] utils/net.c:main(1032)
  return code = -1

Can this user achieve such a goal?

Here is beeruser's rights via rpc:
net rpc rights list -Ubeeruser
Password:
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares

I've had various toggles done to my smb.conf, but here is what the
global section of smb.conf looks like at the moment, following the
hints of someone else who solved this on the list...

[global]
        netbios name = www2
        workgroup = BEER
        unix charset = LOCALE
        realm = BEER
        server string = Web Server
        security = ADS
        password server = 111.111.200.67
        idmap backend = rid:BEER=5000-100000000
        idmap uid = 10000-10000000
        idmap gid = 10000-10000000
        template shell = /bin/bash
        winbind use default domain = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        allow trusted domains = No
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 50
        dns proxy = No
        winbind use default domain = Yes
        hosts allow = 111.111.
        encrypt passwords = yes

I had great results with the last question I put on the list.  I hope
someone can help us graduate to ads with kerberos level authentication.

It feels like there is something missing on the AD end, but I know
nothing about this other than that it is Windows Server 2003 and it
has been in production for a while with good performance.

--Donald

