[Samba] net ads join : ads_connect: No logon servers

Douglas VanLeuven roamdad at sonic.net
Wed Jan 30 19:11:50 GMT 2008


D G Teed wrote:
> I've been able to use security = ads in smb.conf, and connect OK,
> but it must be falling back to domain.  When I run net ads join
> I get the error (debug trace below):
> 
> ads_connect: No logon servers
> 
> Here is my krb5.conf:
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
>  default_realm = BEER
> [realms]
>  BEER = {
>   kdc = ADC1.AD.BEERU.CA
>  }
> [domain_realm]
>  beer.ca = BEER
>  .beer.ca = BEER

This should be a mapping from DNS domain to Kerberos REALM.
Going by the kdc name, what you probably want is:
beer.ca = AD.BEERU.CA
.beer.ca = AD.BEERU.CA
www2.beer.ca = AD.BEERU.CA


> 
> Here is my rpc join status:
> # net rpc testjoin
> Join to 'BEER' is OK
> 
> Here is my attempt to graduate this to ADS levels, with debug:
> 
> # net ads join -Ubeeruser%beeruserpw -d3
> [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
>   lp_load: refreshing parameters
> [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
>   Initialising global parameters
> [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
>   params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
>   Processing section "[global]"
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
>   added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
>   added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
>   Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
>   ads_try_connect: CLDAP request 111.111.200.66 failed.
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
>   Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
>   ads_try_connect: CLDAP request 111.111.200.67 failed.
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
>   Could not look up dc's for domain BEER
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
>   ads_connect: No logon servers
> [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
>   error on ads_startup: No logon servers
> Failed to join domain: No logon servers
> [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
>   return code = -1
> 
> Can this user achieve such a goal?
> 
> Here is beeruser's rights via rpc:
> net rpc rights list -Ubeeruser
> Password:
>      SeMachineAccountPrivilege  Add machines to domain
>       SeTakeOwnershipPrivilege  Take ownership of files or other objects
>              SeBackupPrivilege  Back up files and directories
>             SeRestorePrivilege  Restore files and directories
>      SeRemoteShutdownPrivilege  Force shutdown from a remote system
>       SePrintOperatorPrivilege  Manage printers
>            SeAddUsersPrivilege  Add users and groups to the domain
>        SeDiskOperatorPrivilege  Manage disk shares
> 
> I've had various toggles done to my smb.conf, but here is what the
> global section of smb.conf looks like at the moment, following the
> hints of someone else who solved this on the list...
> 
> [global]
>         netbios name = www2
>         workgroup = BEER
>         unix charset = LOCALE
>         realm = BEER

Same here.
   realm = AD.BEERU.CA

>         server string = Web Server
>         security = ADS
>         password server = 111.111.200.67
>         idmap backend = rid:BEER=5000-100000000
>         idmap uid = 10000-10000000
>         idmap gid = 10000-10000000
>         template shell = /bin/bash
>         winbind use default domain = Yes
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         allow trusted domains = No
>         log level = 3
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         dns proxy = No
>         winbind use default domain = Yes
>         hosts allow = 111.111.
>         encrypt passwords = yes
> 
> I had great results with the last question I put on the list.  I hope
> someone can help us graduate to ads with kerberos level authentication.
> 
> It feels like there is something missing on the AD end, but I know
> nothing about this other than that it is Windows Server 2003 and it
> has been in production for awhile with good performance.
> 

There may be something else, but the REALM is what jumped out at me.

Regards, Doug
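The two mismatches pointed out above (the [domain_realm] targets in krb5.conf and the `realm` line in smb.conf both naming the NetBIOS workgroup instead of the AD domain's DNS name) are easy to catch before running `net ads join`. The script below is an added example, not code from the samba list thread or from the Samba project: it parses krb5.conf and smb.conf text with a minimal INI-style parser and reports realm inconsistencies, including the inference made in the reply that a KDC of ADC1.AD.BEERU.CA implies the realm is AD.BEERU.CA. The "before" and "after" configs are constructed from the values quoted in the thread; the dot-in-realm and KDC-suffix checks are heuristics that assume a normal multi-label AD domain.

```python
"""Realm consistency check for Samba `security = ADS` hosts.

Added example, not from the samba list thread.  It parses krb5.conf and
smb.conf text and flags the realm mismatches that lead to errors such as
"ads_connect: No logon servers".  The sample configs are constructed from
the values quoted in the thread (BEER, AD.BEERU.CA, ADC1.AD.BEERU.CA).
"""

import re


def parse_conf(text):
    """Minimal parser for krb5.conf / smb.conf syntax.

    Returns {section: {key: value}}.  krb5.conf sub-blocks such as
    `AD.BEERU.CA = { kdc = ... }` become nested dicts under their name."""
    conf = {}
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].strip().lower(), None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^=]+?)\s*=\s*(.*)$", line)
        if not m or section is None:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "{":
            block = key
            conf[section].setdefault(block, {})
            continue
        target = conf[section][block] if block else conf[section]
        target[key] = value
    return conf


def check_realm_config(krb5_text, smb_text):
    """Return a list of problem strings; an empty list means the realms line up."""
    krb5, smb = parse_conf(krb5_text), parse_conf(smb_text)
    glob = smb.get("global", {})
    problems = []

    realm = glob.get("realm", "")
    if not realm:
        problems.append("smb.conf: 'realm' is missing; security = ADS requires it")
    elif realm != realm.upper():
        problems.append(f"smb.conf: realm '{realm}' must be upper case")
    elif "." not in realm:
        # Heuristic: an AD realm is the domain's DNS name, so it has a dot.
        problems.append(
            f"smb.conf: realm '{realm}' looks like a NetBIOS short name; an AD "
            "realm is the domain's DNS name in upper case (e.g. AD.BEERU.CA)")

    workgroup = glob.get("workgroup", "")
    if "." in workgroup:
        problems.append(f"smb.conf: workgroup '{workgroup}' should be the NetBIOS short name")

    default_realm = krb5.get("libdefaults", {}).get("default_realm", "")
    if default_realm != realm:
        problems.append(
            f"krb5.conf default_realm '{default_realm}' != smb.conf realm '{realm}'")

    # Every [domain_realm] mapping should point at the realm being joined.
    for dns_name, mapped in krb5.get("domain_realm", {}).items():
        if isinstance(mapped, str) and mapped != realm:
            problems.append(
                f"krb5.conf domain_realm: '{dns_name}' maps to '{mapped}', expected '{realm}'")

    # The KDC hostname should sit inside the DNS domain implied by its realm
    # (skipped when the kdc is given as an IP address).
    for name, settings in krb5.get("realms", {}).items():
        if not isinstance(settings, dict):
            continue
        kdc = settings.get("kdc", "").split(":", 1)[0].lower()
        if not kdc or re.fullmatch(r"[\d.]+", kdc):
            continue
        if not kdc.endswith("." + name.lower()):
            guess = kdc.split(".", 1)[1].upper() if "." in kdc else "?"
            problems.append(
                f"krb5.conf realms: kdc '{kdc}' is not inside the DNS domain of realm "
                f"'{name}'; the AD realm is probably '{guess}'")
    return problems


# Constructed from the configs quoted in the thread: realm BEER everywhere,
# although the KDC lives in AD.BEERU.CA.
KRB5_BEFORE = """\
[libdefaults]
 default_realm = BEER
[realms]
 BEER = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = BEER
 .beer.ca = BEER
"""

SMB_BEFORE = """\
[global]
        netbios name = www2
        workgroup = BEER
        realm = BEER
        security = ADS
        password server = 111.111.200.67
"""

# The same files with the realm corrected as suggested in the reply.
KRB5_AFTER = """\
[libdefaults]
 default_realm = AD.BEERU.CA
[realms]
 AD.BEERU.CA = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = AD.BEERU.CA
 .beer.ca = AD.BEERU.CA
 www2.beer.ca = AD.BEERU.CA
"""

SMB_AFTER = """\
[global]
        netbios name = www2
        workgroup = BEER
        realm = AD.BEERU.CA
        security = ADS
        password server = 111.111.200.67
"""

if __name__ == "__main__":
    for label, k, s in (("before", KRB5_BEFORE, SMB_BEFORE),
                        ("after", KRB5_AFTER, SMB_AFTER)):
        found = check_realm_config(k, s)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Once the two files agree, confirm the realm end to end before retrying the join: `kinit beeruser@AD.BEERU.CA` followed by `klist` shows whether the KDC issues a TGT for that realm at all, and `net ads testjoin` after `net ads join -U beeruser` reports whether the machine account was actually created.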

