[Samba] Failed to join domain
Thomas Sondag
thomas.sondag at gmail.com
Fri Nov 21 13:15:12 GMT 2008
Hi all,
I've got an issue during a machine join. My Kerberos setup seems to be
good (tested with kinit); my current version of Samba is: samba
2:3.2.3-1ubuntu3
Example:
net ads join -U adm-tsondag
Enter adm-tsondag's password:
Failed to join domain: failed to set machine spn: Out of memory
We've got a very complex AD setup with something like 16 AD servers on
distant sites. If you have a look at the detailed log at the end of this
mail, you can spot that the join is performed on the server DC05
rather than on the server DC01.
I would like to know how and why this server has been chosen, and if
I could restrict the join to the DC01 server?
Any help would be appreciated.
#########################################
smb.conf
[global]
workgroup = MY
realm = MY.REALM
encrypt passwords = yes
password server = DC01.my.domain
security = ads
allow trusted domains = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8576 SO_SNDBUF=8576
template shell = /bin/bash
template homedir = /home/%D/%U
restrict anonymous = 2
use kerberos keytab = yes
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind cache time = 172800
winbind refresh tickets = yes
# winbind offline logon = yes
log level = 16
idmap domains = MY
idmap config EP:backend = rid
idmap config EP:base_rid = 0
idmap config EP:range = 5000-10000000
idmap config EP:readonly = yes
idmap uid = 5000-10000000
idmap gid = 5000-10000000
idmap negative cache time = 5
idmap cache time = 172800
printing = cups
printcap name = cups
load printers = yes
###############################################
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
default_realm = MY.REALM
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
renew_lifetime = 7d
forwardable = true
[appdefaults]
pam = {
minimum_uid = 1000
ignore_root = true
}
[realms]
MY.REALM = {
kdc = DC01.my.domain:88
}
REALM = {
kdc = DC01.my.domain:88
}
[domain_realm]
.my.domain = MY.REALM
my.domain = MY.REALM
###############################################
debug :
[2008/11/21 14:03:26, 5] libads/ldap.c:ads_try_connect(188)
ads_try_connect: sending CLDAP request to dc05.my.domain (realm: my.domain)
r : union nbt_cldap_netlogon(case 6)
logon5: struct nbt_cldap_netlogon_5
type : NETLOGON_RESPONSE_FROM_PDC2 (23)
sbz : 0x0000 (0)
server_type : 0x000001fd (509)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
domain_uuid : 38e84847-17c8-4c72-a3ff-9c11911f7637
forest : 'parl.union.eu'
dns_domain : 'my.domain'
pdc_dns_name : 'epluxsdc05.my.domain'
domain : 'MY'
pdc_name : 'DC05'
user_name : ''
server_site : 'Luxembourg'
client_site : 'Luxembourg'
nt_version : 0x00000005 (5)
1: NETLOGON_VERSION_1
0: NETLOGON_VERSION_5
1: NETLOGON_VERSION_5EX
0: NETLOGON_VERSION_5EX_WITH_IP
0: NETLOGON_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_VERSION_AVOID_NT4_EMUL
0: NETLOGON_VERSION_PDC
0: NETLOGON_VERSION_IP
0: NETLOGON_VERSION_LOCAL
0: NETLOGON_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
[2008/11/21 14:03:26, 10] libads/dns.c:sitename_store(778)
sitename_store: realm = [MY], sitename = [Luxembourg], expire = [2147483647]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
Adding cache entry with key = AD_SITENAME/DOMAIN/MY; value = Luxembourg and timeout = Tue Jan 19 04:14:07 2038
(920211041 seconds ahead)
[2008/11/21 14:03:26, 10] libads/dns.c:sitename_store(778)
sitename_store: realm = [my.domain], sitename = [Luxembourg], expire = [2147483647]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
Adding cache entry with key = AD_SITENAME/DOMAIN/MY.REALM; value = Luxembourg and timeout = Tue Jan 19 04:14:07 2038
(920211041 seconds ahead)
[2008/11/21 14:03:26, 3] libads/ldap.c:ads_connect(430)
Successfully contacted LDAP server 136.173.22.162
[2008/11/21 14:03:26, 10] libads/ldap.c:ldap_open_with_timeout(62)
Opening connection to LDAP server 'epluxsdc05.my.domain:389', timeout 15 seconds
[2008/11/21 14:03:26, 10] libads/ldap.c:ldap_open_with_timeout(76)
Connected to LDAP server 'epluxsdc05.my.domain:389'
[2008/11/21 14:03:26, 3] libads/ldap.c:ads_connect(480)
Connected to LDAP server epluxsdc05.my.domain
[2008/11/21 14:03:26, 10] libads/ldap.c:ads_closest_dc(155)
ads_closest_dc: NBT_SERVER_CLOSEST flag set
[2008/11/21 14:03:26, 10] libsmb/namequery.c:saf_store(75)
saf_store: domain = [MY], server = [136.173.22.162], expire = [1227273506]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
Adding cache entry with key = SAF/DOMAIN/MY; value = 136.173.22.162 and timeout = Fri Nov 21 14:18:26 2008
(900 seconds ahead)
[2008/11/21 14:03:26, 10] libsmb/namequery.c:saf_store(75)
saf_store: domain = [my.domain], server = [136.173.22.162], expire = [1227273506]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
Adding cache entry with key = SAF/DOMAIN/MY.REALM; value = 136.173.22.162 and timeout = Fri Nov 21 14:18:26 2008
(900 seconds ahead)
[2008/11/21 14:03:26, 4] libads/ldap.c:ads_current_time(2607)
time offset is -9 seconds
[2008/11/21 14:03:26, 4] libads/sasl.c:ads_sasl_bind(1112)
Found SASL mechanism GSS-SPNEGO
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(789)
ads_sasl_spnego_bind: got server principal name = epluxsdc05$@MY.REALM
[2008/11/21 14:03:26, 3] libsmb/clikrb5.c:ads_krb5_mk_req(671)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2008/11/21 14:03:26, 10] libads/sasl.c:ads_sasl_spnego_bind(810)
ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
[2008/11/21 14:03:26, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
kerberos_kinit_password: as adm-tsondag@MY.REALM using [MEMORY:net_ads] as ccache and config [(null)]
[2008/11/21 14:03:26, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Sat, 22 Nov 2008 00:03:17 CET
[2008/11/21 14:03:26, 10] libsmb/clikrb5.c:ads_krb5_mk_req(702)
ads_krb5_mk_req: Ticket (epluxsdc05$@MY.REALM) in ccache (MEMORY:net_ads) is valid until: (Sat, 22 Nov 2008 00:03:17 CET - 1227308597)
[2008/11/21 14:03:26, 3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2008/11/21 14:03:26, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(868)
Got KRB5 session key of length 16
[2008/11/21 14:03:26, 6] libsmb/clientgen.c:write_socket(236)
write_socket(6,39)
[2008/11/21 14:03:26, 6] libsmb/clientgen.c:write_socket(239)
write_socket(6,39) wrote 39
[2008/11/21 14:03:26, 10] lib/util_sock.c:read_smb_length_return_keepalive(1118)
got smb length of 35
[2008/11/21 14:03:26, 5] lib/util.c:show_msg(642)
[2008/11/21 14:03:26, 5] lib/util.c:show_msg(652)
size=35
smb_com=0x71
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=2050
smb_pid=6058
smb_uid=2050
smb_mid=23
smt_wct=0
smb_bcc=0
[2008/11/21 14:03:26, 1] libnet/libnet_join.c:libnet_Join(1801)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'MY'
dns_domain_name : 'my.domain'
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-1981966997-181496175-623647154
modified_config : 0x00 (0)
error_string : 'failed to set machine spn: Out of memory'
domain_is_ad : 0x01 (1)
result : WERR_GENERAL_FAILURE
[2008/11/21 14:03:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
Failed to join domain: failed to set machine spn: Out of memory
[2008/11/21 14:03:26, 2] utils/net.c:main(1172)
return code = -1
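
An added example, not part of the original post and not Samba code: a small Python helper that reads `net ads join` debug output in the format shown above, reports which DC was located and bound to, decodes the `server_type` bits, and flags a bind to a DC other than the configured `password server`. The name `dc_trail` and the sample lines are constructed for illustration; the flag names are the `NBT_SERVER_*` names printed in the log.

```python
import re

# Constructed sample lines, in the format of the debug output quoted above.
SAMPLE_LOG = """\
[2008/11/21 14:03:26, 5] libads/ldap.c:ads_try_connect(188)
ads_try_connect: sending CLDAP request to dc05.my.domain (realm: my.domain)
server_type : 0x000001fd (509)
pdc_name : 'DC05'
Connected to LDAP server 'epluxsdc05.my.domain:389'
[2008/11/21 14:03:26, 3] libads/ldap.c:ads_connect(480)
Connected to LDAP server epluxsdc05.my.domain
[2008/11/21 14:03:26, 10] libsmb/namequery.c:saf_store(75)
saf_store: domain = [MY], server = [136.173.22.162], expire = [1227273506]
Failed to join domain: failed to set machine spn: Out of memory
"""

# Netlogon server_type bits, named as in the log's NBT_SERVER_* lines.
SERVER_FLAGS = {0x001: "PDC", 0x004: "GC", 0x008: "LDAP", 0x010: "DS",
                0x020: "KDC", 0x040: "TIMESERV", 0x080: "CLOSEST",
                0x100: "WRITABLE", 0x200: "GOOD_TIMESERV", 0x400: "NDNC"}

PATTERNS = {
    "cldap_target": r"sending CLDAP request to (\S+)",
    "pdc_name": r"pdc_name\s*:\s*'([^']*)'",
    # Skip the quoted 'host:port' line; take the final "Connected to" host.
    "ldap_server": r"Connected to LDAP server (?!')(\S+)",
    "error": r"^Failed to join domain: (.+)$",
}

def dc_trail(log, expected_dc):
    """Hypothetical helper: summarise which DC a 'net ads join' run used."""
    trail = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, log, re.MULTILINE)
        trail[key] = m.group(1) if m else None
    m = re.search(r"server_type\s*:\s*0x([0-9a-fA-F]+)", log)
    bits = int(m.group(1), 16) if m else 0
    trail["flags"] = [n for b, n in sorted(SERVER_FLAGS.items()) if bits & b]
    trail["saf_servers"] = sorted(set(
        re.findall(r"saf_store: .*server = \[([^\]]+)\]", log)))
    # Flag a join that bound to a DC other than the one the admin expected.
    used = (trail["ldap_server"] or "").lower()
    trail["unexpected_dc"] = bool(used) and used != expected_dc.lower()
    return trail

if __name__ == "__main__":
    for key, value in dc_trail(SAMPLE_LOG, "DC01.my.domain").items():
        print(f"{key:14} {value}")
```

The `saf_servers` value is the address Samba cached as the server to prefer for the domain (the `SAF/DOMAIN/...` entries in the log), so it shows which DC later lookups will favour until that cache entry expires.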