[Samba] Joining Domain

Andre Kruger Andre.Kruger at TRW.COM
Wed Sep 3 02:07:05 MDT 2014


I did some more digging and found that you can run the "net ads join" command in debug mode. After doing this, this is the output:


./net ads join -U krugersa -S DC1 -d5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = DOMAIN
doing parameter realm = AD.DOMAIN.COM
doing parameter server string = Samba Server
doing parameter security = ADS
doing parameter log file = /var/samba/log/log.%m
doing parameter max log size = 50000
doing parameter client signing = required
doing parameter client ldap sasl wrapping = sign
doing parameter load printers = No
doing parameter local master = No
doing parameter domain master = No
doing parameter dns proxy = No
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter winbind use default domain = Yes
doing parameter winbind nss info = rfc2307
doing parameter idmap config DOMAIN:range = 70001-400000
doing parameter idmap config DOMAIN:schema_mode = rfc2307
doing parameter idmap config DOMAIN:backend = ad
doing parameter idmap config *:range = 70001-800000
doing parameter idmap config * : backend = tdb
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="SAMBATEST"
added interface e1000g0 ip=1.1.1.1 bcast=1.1.1.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=0
Registering messaging pointer for type 9 - private_data=0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0
Registering messaging pointer for type 12 - private_data=0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0
Registering messaging pointer for type 5 - private_data=0
Enter krugersa's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : 'DC1'
            machine_name             : 'SAMBATEST'
            domain_name              : *
                domain_name              : 'AD.DOMAIN.COM'
            account_ou               : NULL
            admin_account            : 'krugersa'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
Opening cache file at /usr/local/samba/var/cache/gencache.tdb
Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
no entry for DC1#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name DC1<0x20>
namecache_store: storing 1 address for DC1#20: 1.1.1.144
Connecting to 1.1.1.144 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 0
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 0
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_SNDBUF = 49152
        SO_RCVBUF = 128872
        Could not test socket option SO_SNDLOWAT.
        Could not test socket option SO_RCVLOWAT.
        Could not test socket option SO_SNDTIMEO.
        Could not test socket option SO_RCVTIMEO.
        TCP_KEEPALIVE_THRESHOLD = 7200000
        TCP_KEEPALIVE_ABORT_THRESHOLD = 480000
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Bind RPC Pipe: host DC1 auth_type 0, auth_level 1
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 180
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 32
saf_fetch[join]: Returning "DC1" for "ad.domain.com" domain
get_dc_list: preferred server list: "DC1, *"
no entry for ad.domain.com#1C found.
resolve_ads: Attempting to resolve KDCs for ad.domain.com using DNS
ads_dns_lookup_srv: 157 records returned in the answer section.
interpret_string_addr_internal: getaddrinfo failed for name scolmx-dc1.ad.domain.com (flags 0) [node name or service name not known]  <---------   I have no idea where this is coming from??
sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
name DC1#20 found.
get_dc_list: returning 157 ip addresses in an ordered list
get_dc_list: A whole bunch of IPs is listed here, removed for security reasons
create_local_private_krb5_conf_for_domain: wrote file /usr/local/samba/var/lock/smb_krb5/krb5.conf.DOMAIN with realm AD.DOMAIN.COM KDC list =       kdc = 1.1.1.144
        kdc = 1.1.2.1
        kdc = 1.1.3.251

Bind RPC Pipe: host DC1 auth_type 0, auth_level 1
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 40
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 44
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 12
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 12
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1
rpc_read_send: data_to_read: 32
check lock order 1 for /usr/local/samba/private/secrets.tdb
release lock order 1 for /usr/local/samba/private/secrets.tdb
check lock order 1 for /usr/local/samba/private/secrets.tdb
release lock order 1 for /usr/local/samba/private/secrets.tdb
check lock order 1 for /usr/local/samba/private/secrets.tdb
release lock order 1 for /usr/local/samba/private/secrets.tdb
check lock order 1 for /usr/local/samba/private/secrets.tdb
release lock order 1 for /usr/local/samba/private/secrets.tdb
check lock order 1 for /usr/local/samba/private/secrets.tdb
release lock order 1 for /usr/local/samba/private/secrets.tdb
sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
name DC1#20 found.
ads_try_connect: sending CLDAP request to 1.1.1.144 (realm: ad.domain.com)
Successfully contacted LDAP server 1.1.1.144
Connected to LDAP server DC1.ad.domain.com   <----------  The connection is definitely made.
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED   <----------------   I am still in the dark as to what is causing this particular error????????
kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'DOMAIN'
            dns_domain_name          : 'ad.domain.com'
            forest_name              : 'ad.domain.com'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-1234552445-1234508259-1243564994
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: NT_STATUS_NOT_SUPPORTED'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
return code = -1


I can clearly see a connection being made to the LDAP (AD) server but then...first the "ads_setup_sasl_wrapping()" error and then afterwards, probably as a result, "kinit succeeded but ads_sasl_spnego_krb5_bind failed". Logic tells me if the connection to the LDAP server failed it would have been very likely to see the two previous error messages, but after the connection is successful?

Can anyone shed some light on this? Is this Kerberos related or should I be digging somewhere else?
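
An added example, not part of the original post and not Samba code: a small Python triage script for "net ads join -d5" output like the log above. It decodes the NTLMSSP neg_flags values (bit assignments from MS-NLMP) and collects the signing-related smb.conf parameters, the SASL mechanism and the NT_STATUS failures into one summary. The function names are this example's own, and the sample excerpt is made up of lines copied from the log above.

```python
import re

# NTLMSSP negotiate-flag bits as assigned in MS-NLMP. Samba logs
# EXTENDED_SESSIONSECURITY (0x00080000) under the name NTLM2.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
SIGN, SEAL = 0x00000010, 0x00000020

PARAM_RE = re.compile(r"^doing parameter (.+?) = (.*)$")
STAGE_RE = re.compile(r"^(.*flags):$")
NEG_RE = re.compile(r"neg_flags=0x([0-9a-fA-F]+)")
MECH_RE = re.compile(r"^Found SASL mechanism (\S+)")
FAIL_RE = re.compile(r"^(.*?) failed: (NT_STATUS_\w+)")


def decode_flags(value):
    """Return the names of all set bits, lowest bit first."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(NTLMSSP_FLAGS.get(mask, "unnamed bit 0x%08x" % mask))
    return names


def parse_join_debug(text):
    """Collect parameters, flag stages, SASL mechanisms and failures."""
    report = {"params": {}, "stages": [], "sasl_mechs": [], "failures": []}
    stage = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PARAM_RE.match(line)
        if m:
            report["params"][m.group(1).strip()] = m.group(2).strip()
            continue
        m = STAGE_RE.match(line)
        if m:  # e.g. "Got challenge flags:" labels the next neg_flags line
            stage = m.group(1)
            continue
        m = NEG_RE.search(line)
        if m and stage is not None:
            report["stages"].append((stage, int(m.group(1), 16)))
            stage = None
            continue
        m = MECH_RE.match(line)
        if m:
            report["sasl_mechs"].append(m.group(1))
            continue
        m = FAIL_RE.match(line)
        if m:
            report["failures"].append((m.group(1), m.group(2)))
    return report


def summarize(report):
    """Compare the server's challenge flags with the final negotiated set."""
    stages = report["stages"]
    offered = stages[0][1] if stages else 0
    final = stages[-1][1] if stages else 0
    return {
        "client signing": report["params"].get("client signing"),
        "client ldap sasl wrapping":
            report["params"].get("client ldap sasl wrapping"),
        "dropped_after_challenge": decode_flags(offered & ~final),
        "ntlmssp_signing": bool(final & SIGN),
        "ntlmssp_sealing": bool(final & SEAL),
        "sasl_mechs": report["sasl_mechs"],
        "failures": report["failures"],
    }


# Excerpt assembled from lines of the debug output above.
SAMPLE_LOG = """\
doing parameter security = ADS
doing parameter client signing = required
doing parameter client ldap sasl wrapping = sign
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Found SASL mechanism GSS-SPNEGO
ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
"""


def run_sample():
    return summarize(parse_join_debug(SAMPLE_LOG))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print("%-28s %s" % (key, value))
```

On the excerpt, the summary shows NTLMSSP signing negotiated without sealing on the SMB session, and both failures carrying the same NT_STATUS_NOT_SUPPORTED after GSS-SPNEGO was found.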



-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: 30 August 2014 12:17
To: sambalist
Subject: Re: [Samba] Joining Domain

On 29/08/14 12:37, Andre Kruger wrote:
> You could install samba from the package repository but it is old 3.5.x.
>
> I compiled samba from source. I downloaded the latest tarball from the samba.org site.
>
> I also struggled a bit with gcc but eventually figured out installing the "developer/gcc-3" package satisfied the samba configure script.
>
> I also installed "system/library/math/header-math" as well as one or two other packages which I can't remember off the top of my head what they were.
>
> Thanks for the support Rowland. I was just thinking that if Kerberos was at fault I would expect an error from klist, but it could be certain pieces that are broken I suppose.
>
> "ads_setup_sasl_wrapping()" and "ads_sasl_spnego_krb5_bind" seem to be at the root of my problem.
>
>
> Regards
> André
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org 
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: 29 August 2014 11:33
> To: sambalist
> Subject: Re: [Samba] Joining Domain
>
> On 29/08/14 09:53, Andre Kruger wrote:
>> I am still stumped on this one. My enctypes are as follows in this particular order as well. Are they correct?:
>>
>> default_tgs_enctypes = aes256-cts-hmac-sha1-96 
>> aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 
>> default_tkt_enctypes =
>> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
>> DES-CBC-MD5 preferred_enctypes = aes256-cts-hmac-sha1-96
>> aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>
>> I am not sure but if my Kerberos was the problem wouldn't kinit fail?
>>
>> Further to the problem the following commands all return valid results:
>>
>> ./wbinfo -p
>> Ping to winbindd succeeded
>>
>> ./wbinfo -P
>> checking the NETLOGON dc connection to "DC1.ad.domain.com" succeeded
>>
>> ./wbinfo --dc-info=ad.domain.com
>> DC1.ad.domain.com (1.1.1.1)  <---- just changed for security purposes but the correct IP is returned.
>>
>> ./wbinfo -t
>> checking the trust secret for domain DOMAIN via RPC calls succeeded
>>
>> ./wbinfo --domain-info=ad.domain.com
>> Name              : DOMAIN
>> Alt_Name          : ad.domain.com
>> SID               : S-1-5-21-2387652445-1625808259-2938664994
>> Active Directory  : Yes
>> Native            : Yes
>> Primary           : Yes
>>
>> By looking at the above I'd say that everything is working as it should? Is there something I may have missed?
> Well everything seems OK (aka it matches what I get on a Linux AD 
> client)
>
>> However, I am still unable to list users and groups or assign an AD user or group to my file system. I am sure this stems from the fact that I am unable to use "net ads join" to join my domain but instead I have to use "net rpc join". Even now after joining with "net rpc join" I seem to have problem with the RPC calls, but the ADS calls succeed.
>>
>> ./net rpc info -U krugera
>> Unable to find a suitable server for domain DOMAIN
>>
>> ./net ads info -U krugera
>> Enter krugera's password:
>> LDAP server: 1.1.1.1
>> LDAP server name: DC1.ad.domain.com
>> Realm: AD.DOMAIN.COM
>> Bind Path: dc=AD,dc=DOMAIN,dc=COM
>> LDAP port: 389
>> Server time: Fri, 29 Aug 2014 10:38:24 SAST KDC server: 1.1.1.1 
>> Server time offset: 0
>>
>>
>> I do get the same error messages in my logs now as I do when I try to join my domain with the "net ads join" command. I don't understand the error messages and google doesn't help and I see a long history on the list about this problem. Is there anybody who can shed light on these particular failures:
>>
>>
>> When I execute wbinfo -u I get the following showing up in my logs:
>>
>> ==> /var/adm/messages <==
>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error] [2014/08/29 10:04:56.014638,  0] ../source3/libads/sasl.c:673(ads_sasl_spnego_gsskrb5_bind)
>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error]   ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error] [2014/08/29 10:04:56.187569,  0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error]   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Can't contact LDAP server
>>
>> ==> /var/samba/log/log.wb-DOMAIN <==
>> [2014/08/29 10:04:56.014638,  0] ../source3/libads/sasl.c:673(ads_sasl_spnego_gsskrb5_bind)
>>     ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>> [2014/08/29 10:04:56.187569,  0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
>>     kinit succeeded but ads_sasl_spnego_krb5_bind failed: Can't 
>> contact LDAP server
>>
>>
>> ads_sasl_spnego_gsskrb5_bind  <----  This error seems to be the source of all my problems.
>>
> Which is why I was suspecting kerberos.
> Just how did you build samba4 ?, what packages did you install and where from ?
> I installed openindiana in a VM, but that was just about as far as I got, probably need to do a bit more investigation, I couldn't get samba configure to find gcc, it is so much easier on Linux.
>
> Rowland
>
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: 27 August 2014 17:18
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Joining Domain
>>
>> On 27/08/14 15:52, Andre Kruger wrote:
>>> UPDATE:
>>>
>>> I got the samba server to join my domain using
>>>
>>> net rpc join -U krugersa
>>>
>>> instead of
>>>
>>> net ads join -U krugersa
>>>
>>> The new problem I have now is similar to my previous problem. First things first. I started winbindd interactively, "winbindd -I". I can then list all of our domains using "wbinfo --all-domains". The command returns results as expected.
>>>
>>> Next I can check the secret between my samba server and AD using "wbinfo -t". I get expected results:
>>> "checking the trust secret for domain DOMAIN via RPC calls succeeded".
>>>
>>>
>>> However, when I try and list either AD users or groups using "wbinfo -u" or "wbinfo -g", immediately after issuing the command I get the following on the winbindd interactive window:
>>>
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit 
>>> succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED  <-----  This is the same error message as before when I was trying to join my domain using "net ads join..."
>>>
>>>
>>>
>>>
>>> kerberos_kinit_password SAMBATEST$@AD.DOMAIN.COM failed: Clock skew too great  <-----  I have no idea where this is coming from. The clocks on my samba server and my DC are exactly the same. And SAMBATEST??
>>> ===============================================================
>>> INTERNAL ERROR: Signal 11 in pid 1167 (4.1.11) Please read the 
>>> Trouble-Shooting section of the Samba HOWTO 
>>> ===============================================================
>>> PANIC (pid 1167): internal error
>>> BACKTRACE: 37 stack frames:
>>>     #0 /usr/local/samba/lib/libsmbconf.so.0'log_stack_trace+0x27 [0xfea32d1c]
>>>     #1 /usr/local/samba/lib/libsmbconf.so.0'smb_panic_s3+0x63 [0xfea32bc0]
>>>     #2 /usr/local/samba/lib/libsamba-util.so.0.0.1'smb_panic+0x2a [0xfedba2fa]
>>>     #3 /usr/local/samba/lib/libsamba-util.so.0.0.1'sig_fault+0x0 [0xfedba05a]
>>>     #4 /usr/local/samba/lib/libsamba-util.so.0.0.1'sig_fault+0x11 [0xfedba06b]
>>>     #5 /lib/libc.so.1'__sighndlr+0x15 [0xfeeefc25]
>>>     #6 /lib/libc.so.1'call_user_handler+0x2a2 [0xfeee298e]
>>>     #7 /lib/libnsl.so.1'inet_pton4+0x1c [0xfeb03c3c]
>>>     #8 /lib/libnsl.so.1'inet_pton+0x29 [0xfeb03bed]
>>>     #9 /usr/local/samba/lib/libsamba-util.so.0.0.1'is_ipaddress_v4+0x2b [0xfedb5cf1]
>>>     #10 /usr/local/samba/lib/libsamba-util.so.0.0.1'is_ipaddress+0x22 [0xfedb5e27]
>>>     #11 /usr/local/samba/lib/private/libgse.so'internal_resolve_name+0x9d [0xfeabb4ed]
>>>     #12 /usr/local/samba/lib/private/libgse.so'get_dc_list+0x333 [0xfeabc8c2]
>>>     #13 /usr/local/samba/lib/private/libgse.so'get_sorted_dc_list+0xba [0xfeabcffe]
>>>     #14 /usr/local/samba/sbin/winbindd'get_dcs+0x1b2 [0x809a4c3]
>>>     #15 /usr/local/samba/sbin/winbindd'find_new_dc+0x59 [0x809a809]
>>>     #16 /usr/local/samba/sbin/winbindd'cm_open_connection+0x3d5 [0x809b19a]
>>>     #17 /usr/local/samba/sbin/winbindd'init_dc_connection_network+0x90 [0x809b799]
>>>     #18 /usr/local/samba/sbin/winbindd'init_dc_connection+0x51 [0x809b819]
>>>     #19 /usr/local/samba/sbin/winbindd'get_cache+0x99 [0x8084209]
>>>     #20 /usr/local/samba/sbin/winbindd'enum_dom_groups+0x20 [0x8087e0c]
>>>     #21 /usr/local/samba/sbin/winbindd'_wbint_QueryGroupList+0x67 [0x80ae7c8]
>>>     #22 /usr/local/samba/sbin/winbindd'api_wbint_QueryGroupList+0x196 [0x80ce945]
>>>     #23 /usr/local/samba/sbin/winbindd'winbindd_dual_ndrcmd+0x15e [0x80ada27]
>>>     #24 /usr/local/samba/sbin/winbindd'child_process_request+0xd0 [0x80aa143]
>>>     #25 /usr/local/samba/sbin/winbindd'child_handler+0xea [0x80ac590]
>>>     #26 /usr/local/samba/lib/private/libtevent.so.0.9.18'poll_event_loop_poll+0x55b [0xfed7789a]
>>>     #27 /usr/local/samba/lib/private/libtevent.so.0.9.18'poll_event_loop_once+0x98 [0xfed77ac0]
>>>     #28 /usr/local/samba/lib/private/libtevent.so.0.9.18'_tevent_loop_once+0xc9 [0xfed74178]
>>>     #29 /usr/local/samba/sbin/winbindd'fork_domain_child+0x8c3 [0x80acfe0]
>>>     #30 /usr/local/samba/sbin/winbindd'wb_child_request_trigger+0x55 [0x80a92a0]
>>>     #31 /usr/local/samba/lib/private/libtevent.so.0.9.18'tevent_queue_immediate_trigger+0x6b [0xfed75007]
>>>     #32 /usr/local/samba/lib/private/libtevent.so.0.9.18'tevent_common_loop_immediate+0x18b [0xfed74cea]
>>>     #33 /usr/local/samba/lib/private/libtevent.so.0.9.18'poll_event_loop_once+0x4b [0xfed77a73]
>>>     #34 /usr/local/samba/lib/private/libtevent.so.0.9.18'_tevent_loop_once+0xc9 [0xfed74178]
>>>     #35 /usr/local/samba/sbin/winbindd'main+0xac5 [0x8080dc1]
>>>     #36 /usr/local/samba/sbin/winbindd'_start+0x83 [0x8074053] 
>>> dumping core in /var/samba/log/cores/winbindd
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit 
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit 
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit 
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit 
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>> tdb_chainlock_with_timeout_internal: alarm (40) timed out for key 
>>> DC1.ad.domain.com in tdb /usr/local/samba/var/lock/mutex.tdb
>>> tdb_chainlock_with_timeout_internal: alarm (40) timed out for key 
>>> DC1.ad.domain.com in tdb /usr/local/samba/var/lock/mutex.tdb
>>> cm_prepare_connection: mutex grab failed for DC1.ad.domain.com
>>> cm_prepare_connection: mutex grab failed for DC1.ad.domain.com
>>> tdb_chainlock_with_timeout_internal: alarm (40) timed out for key 
>>> DC1.ad.domain.com in tdb /usr/local/samba/var/lock/mutex.tdb
>>> cm_prepare_connection: mutex grab failed for DC1.ad.domain.com
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit 
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>>
>>> When I stop winbindd interactive I get the following output:
>>>
>>> Kinit failed: Clock skew too great
>>> ^CGot sig[2] terminate (is_parent=1) Got sig[2] terminate 
>>> (is_parent=0) Got sig[2] terminate (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0) Got sig[2] terminate (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Killed
>>>
>>>
>>> My smb.conf
>>>
>>> [global]
>>>            workgroup = DOMAIN
>>>            realm = AD.DOMAIN.COM
>>>            server string = Samba
>>>            security = ADS
>>>            log file = /var/samba/log/log.%m
>>>            max log size = 50000
>>>            client ldap sasl wrapping = sign
>>>            load printers = No
>>>            local master = No
>>>            domain master = No
>>>            dns proxy = No
>>>            winbind enum users = Yes
>>>            winbind enum groups = Yes
>>>            winbind use default domain = Yes
>>>            winbind nss info = rfc2307
>>>            idmap config *:range = 70001-800000
>>>            idmap config SAMDOM:backend = ad
>>>            idmap config SAMDOM:schema_mode = rfc2307
>>>            idmap config SAMDOM:range = 500-40000
>>>            idmap config * : backend = tdb
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Andre Kruger
>>> Sent: 27 August 2014 13:18
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Joining Domain
>>>
>>> I made the change that you suggest but I still get the exact same error message. Just to clarify:
>>>
>>> 1. I added " idmap config DOMAIN : schema_mode = rfc2307"
>>> 1. Yes, the krugersa account has the rights required. I join other machines to my domain using this account. Administrator isn't used.
>>> 2. idmap config DOMAIN : backend = ad/rid  <-  I assume this does not impact joining the domain? It is used after the domain has been joined successfully.
>>>
>>> This is my global section as it is now:
>>>
>>> [global]
>>>            workgroup = DOMAIN
>>>            realm = AD.DOMAIN.COM
>>>            server string = Samba
>>>            security = ADS
>>>            log file = /var/samba/log/log.%m
>>>            max log size = 50000
>>>            client ldap sasl wrapping = sign
>>>            load printers = No
>>>            local master = No
>>>            domain master = No
>>>            dns proxy = No
>>>            winbind separator = +
>>>            winbind enum users = Yes
>>>            winbind enum groups = Yes
>>>            winbind use default domain = Yes
>>>            idmap config DOMAIN : range = 20000-800000
>>>            idmap config DOMAIN : backend = ad
>>>            idmap config DOMAIN : schema_mode = rfc2307
>>>            idmap config * : backend = tdb      <-   I don't get this line, it is not in my smb.conf file but when I parse the file with testparm it is in the output. Why?
>>>
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>> Sent: 27 August 2014 11:31
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Joining Domain
>>>
>>> On 27/08/14 10:21, Andre Kruger wrote:
>>>> I have successfully compiled and installed Samba 4.1.11 from source on OpenIndiana 151a8.
>>>>
>>>> I tested the server by creating a folder and adding a local samba user (smbpasswd -a) and mapping a drive from my Windows machine which succeeded. I was able to access the test file in the folder as well as edit and save it.
>>>>
>>>> Now I am trying to join my samba server to my domain but it is failing and the error messages are not helping much and google's responses aren't really helping.
>>>>
>>>> Can anybody on the list help? When I try and join the domain I get the following error message:
>>>>
>>>> ./net ads join -U krugersa
>>>> Enter krugersa's password:
>>> Does 'krugersa' have the required permissions to join to the domain ?
>>> have you tried with 'Administrator' ?
>>>
>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit 
>>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>>> NT_STATUS_NOT_SUPPORTED Failed to join domain: failed to connect to
>>>> AD: NT_STATUS_NOT_SUPPORTED
>>>>
>>>>
>>>> What causes samba to output this particular error message? "NT_STATUS_NOT_SUPPORTED" is very general...
>>>>
>>>> A copy of my smb.conf file:
>>>>
>>>> [global]
>>>>             workgroup = DOMAIN
>>>>             realm = AD.DOMAIN.COM
>>>>             server string = Samba
>>>>             security = ADS
>>>>             log file = /var/samba/log/log.%m
>>>>             max log size = 50000
>>>>             client ldap sasl wrapping = sign
>>>>             load printers = No
>>>>             local master = No
>>>>             domain master = No
>>>>             dns proxy = No
>>>>             winbind separator = +
>>>>             winbind enum users = Yes
>>>>             winbind enum groups = Yes
>>>>             winbind use default domain = Yes
>>>>             idmap config * : range = 20000-800000
>>>>             idmap config * : backend = tdb
>>> You appear to have a portion missing:
>>>
>>>             idmap config DOMAIN : backend  = ad
>>>             idmap config DOMAIN : range = 10000-999999
>>>             idmap config DOMAIN : schema_mode = rfc2307
>>>
>>> Adjust the range to suit your setup, if your AD users do not have uidNumber's change 'ad' to 'rid'
>>>
>>> Rowland
>>>
>>>> [homes]
>>>>             comment = Home Directories
>>>>             read only = No
>>>>             browseable = No
>>>>
>>>> [printers]
>>>>             comment = All Printers
>>>>             path = /var/spool/samba
>>>>             printable = Yes
>>>>             print ok = Yes
>>>>             browseable = No
>>>>
>>>> [testperm]
>>>>             path = /testperm
>>>>             valid users = @DOMAIN+Admins
>>>>             read only = No
>>>>             create mask = 0770
>>>>             directory mask = 0770
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> I 'think' that your problem has something to do with kerberos, can 
>> you check that you have the required enctypes in krb5.conf
>>
>> Rowland
>>
OK, I finally got samba4 to build on openindiana and set it up as a client (based on how I would do it for Debian) and joined it to the domain, so far so good. Running the 'wbinfo -u' & 'wbinfo -g' commands worked as expected, but getent wouldn't.

I then remembered that when I used to compile samba4 myself, that I had to create the links to 'libnss_winbind.so' to get winbind to work.
So I went looking for the file, this was problem one, I couldn't find it, but I did find 'nss_winbind.so.1' so copied it to /usr/lib and set up symlinks to ~.so & ~.so.2, no good, tried the same in /usr/lib/amd64 but just the same, no domain users from 'getent'. I am convinced that this is the problem, but do not know why I got nss_winbind.so.1 instead of nss_winbind.so and if this is the correct file, then just where do I need to put it.

Rowland
