[Samba] Failed to join domain

Thomas Sondag thomas.sondag at gmail.com
Fri Nov 21 13:15:12 GMT 2008


hi all,
I've got an issue during a machine join; my Kerberos setup seems to be
good (tested with kinit). My current version of Samba is: samba
2:3.2.3-1ubuntu3

Example:
net ads join -U adm-tsondag
Enter adm-tsondag's password:
Failed to join domain: failed to set machine spn: Out of memory

We've got a very complex AD setup with something like 16 AD servers on
distant sites; if you have a look at the detailed log at the end of this
mail, you can spot that the join is performed on the server DC05
rather than on the server DC01.

I would like to know how and why this server has been chosen, and if
I could restrict the join to the DC01 server?

Any help would be appreciated.


#########################################
smb.conf

[global]
        workgroup                  = MY
        realm                      = MY.REALM
        encrypt passwords = yes

        password server            = DC01.my.domain
        security                   = ads
        allow trusted domains      = no
        socket options             = TCP_NODELAY IPTOS_LOWDELAY
SO_RCVBUF=8576 SO_SNDBUF=8576
        template shell             = /bin/bash
        template homedir           = /home/%D/%U
        restrict anonymous         = 2
        use kerberos keytab        = yes

        winbind use default domain = yes
        winbind enum users         = no
        winbind enum groups        = no
        winbind nested groups      = yes
        winbind cache time         = 172800
        winbind refresh tickets    = yes
#       winbind offline logon      = yes

        log level =     16


        idmap domains = MY

        idmap config EP:backend    = rid
        idmap config EP:base_rid   = 0
        idmap config EP:range      = 5000-10000000
        idmap config EP:readonly   = yes
        idmap uid                  = 5000-10000000
        idmap gid                  = 5000-10000000
        idmap negative cache time  = 5
        idmap cache time           = 172800

        printing = cups
        printcap name = cups
        load printers = yes

###############################################
krb5.conf

[logging]
        default = FILE:/var/log/krb5libs.log

[libdefaults]
        default_realm        =  MY.REALM
        default_tkt_enctypes = des-cbc-md5
        default_tgs_enctypes = des-cbc-md5
        renew_lifetime       = 7d
        forwardable          = true


[appdefaults]
        pam = {
                minimum_uid = 1000
                ignore_root = true
        }

[realms]
        MY.REALM = {
                kdc = DC01.my.domain:88
        }

       REALM = {
                kdc = DC01.my.domain:88
        }

[domain_realm]
        .my.domain = MY.REALM
        my.domain  =  MY.REALM

###############################################
debug:
[2008/11/21 14:03:26,  5] libads/ldap.c:ads_try_connect(188)
  ads_try_connect: sending CLDAP request to dc05.my.domain (realm: my.domain)
      r                        : union nbt_cldap_netlogon(case 6)
      logon5: struct nbt_cldap_netlogon_5
          type                     : NETLOGON_RESPONSE_FROM_PDC2 (23)
          sbz                      : 0x0000 (0)
          server_type              : 0x000001fd (509)
                 1: NBT_SERVER_PDC
                 1: NBT_SERVER_GC
                 1: NBT_SERVER_LDAP
                 1: NBT_SERVER_DS
                 1: NBT_SERVER_KDC
                 1: NBT_SERVER_TIMESERV
                 1: NBT_SERVER_CLOSEST
                 1: NBT_SERVER_WRITABLE
                 0: NBT_SERVER_GOOD_TIMESERV
                 0: NBT_SERVER_NDNC
                 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
                 0: NBT_SERVER_FULL_SECRET_DOMAIN_6
          domain_uuid              : 38e84847-17c8-4c72-a3ff-9c11911f7637
          forest                   : 'parl.union.eu'
          dns_domain               : 'my.domain'
          pdc_dns_name             : 'epluxsdc05.my.domain'
          domain                   : 'MY'
          pdc_name                 : 'DC05'
          user_name                : ''
          server_site              : 'Luxembourg'
          client_site              : 'Luxembourg'
          nt_version               : 0x00000005 (5)
                 1: NETLOGON_VERSION_1
                 0: NETLOGON_VERSION_5
                 1: NETLOGON_VERSION_5EX
                 0: NETLOGON_VERSION_5EX_WITH_IP
                 0: NETLOGON_VERSION_WITH_CLOSEST_SITE
                 0: NETLOGON_VERSION_AVOID_NT4_EMUL
                 0: NETLOGON_VERSION_PDC
                 0: NETLOGON_VERSION_IP
                 0: NETLOGON_VERSION_LOCAL
                 0: NETLOGON_VERSION_GC
          lmnt_token               : 0xffff (65535)
          lm20_token               : 0xffff (65535)
[2008/11/21 14:03:26, 10] libads/dns.c:sitename_store(778)
  sitename_store: realm = [MY], sitename = [Luxembourg], expire = [2147483647]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = AD_SITENAME/DOMAIN/MY; value =
Luxembourg and timeout = Tue Jan 19 04:14:07 2038
   (920211041 seconds ahead)
[2008/11/21 14:03:26, 10] libads/dns.c:sitename_store(778)
  sitename_store: realm = [my.domain], sitename = [Luxembourg], expire
= [2147483647]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = AD_SITENAME/DOMAIN/MY.REALM; value =
Luxembourg and timeout = Tue Jan 19 04:14:07 2038
   (920211041 seconds ahead)
[2008/11/21 14:03:26,  3] libads/ldap.c:ads_connect(430)
  Successfully contacted LDAP server 136.173.22.162
[2008/11/21 14:03:26, 10] libads/ldap.c:ldap_open_with_timeout(62)
  Opening connection to LDAP server 'epluxsdc05.my.domain:389',
timeout 15 seconds
[2008/11/21 14:03:26, 10] libads/ldap.c:ldap_open_with_timeout(76)
  Connected to LDAP server 'epluxsdc05.my.domain:389'
[2008/11/21 14:03:26,  3] libads/ldap.c:ads_connect(480)
  Connected to LDAP server epluxsdc05.my.domain
[2008/11/21 14:03:26, 10] libads/ldap.c:ads_closest_dc(155)
  ads_closest_dc: NBT_SERVER_CLOSEST flag set
[2008/11/21 14:03:26, 10] libsmb/namequery.c:saf_store(75)
  saf_store: domain = [MY], server = [136.173.22.162], expire = [1227273506]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = SAF/DOMAIN/MY; value = 136.173.22.162
and timeout = Fri Nov 21 14:18:26 2008
   (900 seconds ahead)
[2008/11/21 14:03:26, 10] libsmb/namequery.c:saf_store(75)
  saf_store: domain = [my.domain], server = [136.173.22.162], expire =
[1227273506]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = SAF/DOMAIN/MY.REALM; value =
136.173.22.162 and timeout = Fri Nov 21 14:18:26 2008
   (900 seconds ahead)
[2008/11/21 14:03:26,  4] libads/ldap.c:ads_current_time(2607)
  time offset is -9 seconds
[2008/11/21 14:03:26,  4] libads/sasl.c:ads_sasl_bind(1112)
  Found SASL mechanism GSS-SPNEGO
[2008/11/21 14:03:26,  3] libads/sasl.c:ads_sasl_spnego_bind(780)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/11/21 14:03:26,  3] libads/sasl.c:ads_sasl_spnego_bind(780)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/11/21 14:03:26,  3] libads/sasl.c:ads_sasl_spnego_bind(780)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/11/21 14:03:26,  3] libads/sasl.c:ads_sasl_spnego_bind(780)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/11/21 14:03:26,  3] libads/sasl.c:ads_sasl_spnego_bind(789)
  ads_sasl_spnego_bind: got server principal name = epluxsdc05$@MY.REALM
[2008/11/21 14:03:26,  3] libsmb/clikrb5.c:ads_krb5_mk_req(671)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2008/11/21 14:03:26, 10] libads/sasl.c:ads_sasl_spnego_bind(810)
  ads_sasl_spnego_krb5_bind failed with: No credentials cache found,
calling kinit
[2008/11/21 14:03:26, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
  kerberos_kinit_password: as adm-tsondag at MY.REALM using
[MEMORY:net_ads] as ccache and config [(null)]
[2008/11/21 14:03:26,  3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
expiration Sat, 22 Nov 2008 00:03:17 CET
[2008/11/21 14:03:26, 10] libsmb/clikrb5.c:ads_krb5_mk_req(702)
  ads_krb5_mk_req: Ticket (epluxsdc05$@MY.REALM) in ccache
(MEMORY:net_ads) is valid until: (Sat, 22 Nov 2008 00:03:17 CET -
1227308597)
[2008/11/21 14:03:26,  3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2008/11/21 14:03:26, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(868)
  Got KRB5 session key of length 16
[2008/11/21 14:03:26,  6] libsmb/clientgen.c:write_socket(236)
  write_socket(6,39)
[2008/11/21 14:03:26,  6] libsmb/clientgen.c:write_socket(239)
  write_socket(6,39) wrote 39
[2008/11/21 14:03:26, 10] lib/util_sock.c:read_smb_length_return_keepalive(1118)
  got smb length of 35
[2008/11/21 14:03:26,  5] lib/util.c:show_msg(642)
[2008/11/21 14:03:26,  5] lib/util.c:show_msg(652)
  size=35
  smb_com=0x71
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=2050
  smb_pid=6058
  smb_uid=2050
  smb_mid=23
  smt_wct=0
  smb_bcc=0
[2008/11/21 14:03:26,  1] libnet/libnet_join.c:libnet_Join(1801)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : 'MY'
              dns_domain_name          : 'my.domain'
              dn                       : NULL
              domain_sid               : *
                  domain_sid               :
S-1-5-21-1981966997-181496175-623647154
              modified_config          : 0x00 (0)
              error_string             : 'failed to set machine spn:
Out of memory'
              domain_is_ad             : 0x01 (1)
              result                   : WERR_GENERAL_FAILURE
[2008/11/21 14:03:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
  lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
Failed to join domain: failed to set machine spn: Out of memory
[2008/11/21 14:03:26,  2] utils/net.c:main(1172)
  return code = -1

