[Samba] net ads join : ads_connect: No logon servers
D G Teed
donald.teed at gmail.com
Wed Jan 30 15:32:37 GMT 2008
I've been able to use security = ads in smb.conf, and connect OK,
but it must be falling back to domain. When I run net ads join
I get the error (debug trace below):
ads_connect: No logon servers
Here is my krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = BEER
[realms]
BEER = {
kdc = ADC1.AD.BEERU.CA
}
[domain_realm]
beer.ca = BEER
.beer.ca = BEER
Here is my rpc join status:
# net rpc testjoin
Join to 'BEER' is OK
Here is my attempt to graduate this to ADS levels, with debug:
# net ads join -Ubeeruser%beeruserpw -d3
[2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
lp_load: refreshing parameters
[2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
Initialising global parameters
[2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
Processing section "[global]"
[2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
[2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "ADC2, 111.111.200.67"
[2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
Failed to parse cldap reply
[2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
ads_try_connect: CLDAP request 111.111.200.66 failed.
[2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
Failed to parse cldap reply
[2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
ads_try_connect: CLDAP request 111.111.200.67 failed.
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "ADC2, 111.111.200.67"
[2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
Could not look up dc's for domain BEER
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "ADC2, 111.111.200.67"
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "ADC2, 111.111.200.67"
[2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
ads_connect: No logon servers
[2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
error on ads_startup: No logon servers
Failed to join domain: No logon servers
[2008/01/30 11:06:08, 2] utils/net.c:main(1032)
return code = -1
Can this user achieve such a goal?
Here is beeruser's rights via rpc:
net rpc rights list -Ubeeruser
Password:
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares
I've had various toggles done to my smb.conf, but here is what the
global section
of smb.conf looks like at the moment, following the hints of someone else who
solved this on the list...
[global]
netbios name = www2
workgroup = BEER
unix charset = LOCALE
realm = BEER
server string = Web Server
security = ADS
password server = 111.111.200.67
idmap backend = rid:BEER=5000-100000000
idmap uid = 10000-10000000
idmap gid = 10000-10000000
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
allow trusted domains = No
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = No
winbind use default domain = Yes
hosts allow = 111.111.
encrypt passwords = yes
I had great results with the last question I put on the list. I hope
someone can help us graduate to ads with kerberos level authentication.
It feels like there is something missing on the AD end, but I know
nothing about this
other than that it is Windows Server 2003 and it has been in production for
awhile with good performance.
--Donald
More information about the samba
mailing list