[Samba] Joining Domain

Andre Kruger Andre.Kruger at TRW.COM
Wed Sep 3 07:36:49 MDT 2014


Hi Rowland

Could you re-join your domain with the -d5 option added to your "net ads join" and post back the results? I want to compare what is happening on my system with someone else because I recompiled Samba adding the "./configure --with-shared-modules=idmap_ad" option and I edited my smb.conf to be the same as yours but I can still not join my domain. I still get the same two errors as before:

ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Can't contact LDAP server


André
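
An added example, not part of the original message or of Samba: one way to compare two `net ads join -d5` runs is to reduce each to the stages it reached, its error lines and the parameters it actually loaded, then diff those parameters against a reference smb.conf. The function names are hypothetical, the stage markers are log lines quoted further down this thread, and the sample log and reference config are constructed from those lines.

```python
import re

# Stage markers, taken from the `net ads join -d5` output quoted in this thread.
STAGES = [
    ("config_loaded", r"pm_process\(\) returned Yes"),
    ("smb_connect", r"Connecting to \S+ at port 445"),
    ("rpc_bind", r"check_bind_response: accepted!"),
    ("krb5_conf_written", r"create_local_private_krb5_conf_for_domain: wrote file"),
    ("cldap_ping", r"Successfully contacted LDAP server"),
    ("ldap_connect", r"Connected to LDAP server"),
    ("sasl_mech_found", r"Found SASL mechanism GSS-SPNEGO"),
    ("joined", r"Joined '[^']+' to realm '[^']+'"),
]
ERRORS = [
    r"ads_setup_sasl_wrapping\(\) failed: NT_STATUS_\w+",
    r"kinit succeeded but ads_sasl_spnego_krb5_bind failed: "
    r"(?:NT_STATUS_\w+|Can't contact LDAP server)",
    r"Failed to join domain: .+?NT_STATUS_\w+",
]

def unwrap(text):
    """Drop mail quote markers and re-join lines the mailer wrapped mid-message."""
    lines = (re.sub(r"^(?:>\s?)+", "", ln) for ln in text.splitlines())
    return re.sub(r"\s+", " ", " ".join(lines)).strip()

def normalize_key(key):
    """smb.conf parameter names ignore case and internal whitespace."""
    return re.sub(r"\s+", "", key).lower()

def parse_join_log(text):
    s = unwrap(text)
    hits = sorted((m.start(), name) for name, pat in STAGES
                  for m in [re.search(pat, s)] if m)
    errs = sorted((m.start(), m.group(0)) for pat in ERRORS
                  for m in re.finditer(pat, s))
    # "doing parameter k = v" entries may be run together on one line.
    params = {normalize_key(m.group(1)): m.group(2).strip() for m in re.finditer(
        r"doing parameter (.+?) = (.+?)(?= doing parameter | pm_process\(\)|$)", s)}
    failed_after = None
    if errs:
        before = [name for pos, name in hits if pos < errs[0][0]]
        failed_after = before[-1] if before else None
    return {"stages": [n for _, n in hits], "errors": [e for _, e in errs],
            "params": params, "failed_after": failed_after}

def parse_smb_conf(text):
    """Read key = value pairs from an smb.conf fragment (comments/sections skipped)."""
    params = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln[0] in "#;[":
            continue
        key, sep, val = ln.partition("=")
        if sep:
            params[normalize_key(key)] = val.strip()
    return params

def param_diff(loaded, reference):
    """Return {key: (loaded, reference)} for settings that differ or exist on one side."""
    out = {}
    for k in sorted(set(loaded) | set(reference)):
        a, b = loaded.get(k), reference.get(k)
        if a is None or b is None or a.lower() != b.lower():
            out[k] = (a, b)
    return out

# Constructed sample: a condensed, mail-wrapped failing run built from lines in this thread.
SAMPLE_LOG = """\
>> doing parameter workgroup = DOMAIN
>> doing parameter realm = AD.DOMAIN.COM
>> doing parameter server string = Samba Server doing parameter security
>> = ADS doing parameter client signing = required doing
>> parameter client ldap sasl wrapping = sign doing parameter idmap
>> config * : backend
>> = tdb
>> pm_process() returned Yes
>> Connecting to 1.1.1.144 at port 445
>> check_bind_response: accepted!
>> ads_try_connect: sending CLDAP request to 1.1.1.144 (realm:
>> ad.domain.com) Successfully contacted LDAP server 1.1.1.144 Connected
>> to LDAP server DC1.ad.domain.com KDC time offset is 0 seconds Found
>> SASL mechanism GSS-SPNEGO
>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit
>> succeeded but ads_sasl_spnego_krb5_bind failed:
>> NT_STATUS_NOT_SUPPORTED
>> Failed to join domain: failed to connect to AD:
>> NT_STATUS_NOT_SUPPORTED return code = -1
"""

# Constructed sample: a few lines of the reference smb.conf quoted in this thread.
REFERENCE_CONF = """\
[global]
         workgroup = EXAMPLE
         security = ADS
         realm = EXAMPLE.COM
         idmap config * : backend = tdb
"""

if __name__ == "__main__":
    run = parse_join_log(SAMPLE_LOG)
    print("stages reached:", " -> ".join(run["stages"]))
    print("failed after  :", run["failed_after"])
    for err in run["errors"]:
        print("error         :", err)
    for key, (mine, ref) in param_diff(run["params"], parse_smb_conf(REFERENCE_CONF)).items():
        print(f"differs       : {key}: loaded={mine!r} reference={ref!r}")
```

Workgroup and realm will always differ between two sites; the remaining differences are the ones worth comparing by hand.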


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: 03 September 2014 11:08
To: samba at lists.samba.org
Subject: Re: [Samba] Joining Domain

On 03/09/14 09:40, Andre Kruger wrote:
> On 03/09/14 09:20, Andre Kruger wrote:
>> Sorry for another long debug reply, but previously I did not have the samba or winbind services started when trying to join the domain. The guidance from the internet is conflicting. Some say the services have to be disabled when joining and then started afterwards; others say to restart the services after joining. This time I had the services started before attempting the join. I can see now that Kerberos is creating a ticket during the join:
>> I always stop all samba services before attempting to join the domain, also I cannot see anywhere that the kerberos ticket is created, what I do see is that a krb5.conf file is created.
> Should a ticket be created during the join? If I do kinit and klist before the join I can definitely see it working:

No, but the kerberos keytab 'krb5.keytab' should. Running 'kinit' just 
shows that you can connect to the kdc.

>
> kinit krugersa at AD.DOMAIN.COM
> Password for krugersa at AD.DOMAIN.COM:
> root at sambatest:/usr/local/samba/bin# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: krugersa at AD.DOMAIN.COM
>
> Valid starting               Expires               Service principal
> 03/09/2014 10:36  03/09/2014 20:36  krbtgt/AD.DOMAIN.COM at AD.DOMAIN.COM
>          renew until 10/09/2014 10:36
OK, this is what I did:
installed and updated openindiana
checked what I would have installed to compile samba4 if I was doing the 
compile on debian and installed anything that was required, mostly gcc, 
make etc

downloaded latest samba tarball and unpacked it
cd into unpacked directory
ran
./configure --with-shared-modules=idmap_ad
make
sudo make install

This installed samba4 into its default dir /usr/local/samba

Created /usr/local/samba/etc/smb.conf

[global]
         workgroup = EXAMPLE
         security = ADS
         realm = EXAMPLE.COM
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         server string = Samba 4 Client %h
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind expand groups = 4
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind offline logon = yes
         winbind normalize names = Yes
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         idmap config EXAMPLE : backend  = ad
         idmap config EXAMPLE : range = 10000-999999
         idmap config EXAMPLE:schema_mode = rfc2307
         printcap name = cups
         cups options = raw
         usershare allow guests = yes
         domain master = no
         local master = no
         preferred master = no
         os level = 20
         map to guest = bad user
         log level = 6

altered /etc/krb5/krb5.conf

[libdefaults]
      default_realm = EXAMPLE.COM
      dns_lookup_realm = false
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      forwardable = yes

Checked if any samba daemons were running (there weren't)

altered the PATH variable

PATH="/usr/local/samba/bin:/usr/local/samba/sbin:$PATH"

joined the domain

sudo net ads join -U Administrator at EXAMPLE.COM
Enter Administrator at EXAMPLE.COM's password:
Using short domain name -- EXAMPLE
Joined 'INDIANA' to realm 'example.com'

started the samba daemons

sudo smbd
sudo nmbd
sudo winbindd

wbinfo -u shows all domain users
wbinfo -g shows all domain groups

This is where I hit the problem, 'getent passwd' does not show any 
domain users and I cannot get it to!

Rowland
>
> André
>
>> Rowland
>>
>> ./net ads join -U krugersa -d5
>> INFO: Current debug levels:
>>     all: 5
>>     tdb: 5
>>     printdrivers: 5
>>     lanman: 5
>>     smb: 5
>>     rpc_parse: 5
>>     rpc_srv: 5
>>     rpc_cli: 5
>>     passdb: 5
>>     sam: 5
>>     auth: 5
>>     winbind: 5
>>     vfs: 5
>>     idmap: 5
>>     quota: 5
>>     acls: 5
>>     locking: 5
>>     msdfs: 5
>>     dmapi: 5
>>     registry: 5
>>     scavenger: 5
>>     dns: 5
>>     ldb: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
>> INFO: Current debug levels:
>>     all: 5
>>     tdb: 5
>>     printdrivers: 5
>>     lanman: 5
>>     smb: 5
>>     rpc_parse: 5
>>     rpc_srv: 5
>>     rpc_cli: 5
>>     passdb: 5
>>     sam: 5
>>     auth: 5
>>     winbind: 5
>>     vfs: 5
>>     idmap: 5
>>     quota: 5
>>     acls: 5
>>     locking: 5
>>     msdfs: 5
>>     dmapi: 5
>>     registry: 5
>>     scavenger: 5
>>     dns: 5
>>     ldb: 5
>> params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = DOMAIN
>> doing parameter realm = AD.DOMAIN.COM
>> doing parameter server string = Samba Server
>> doing parameter security = ADS
>> doing parameter log file = /var/samba/log/log.%m
>> doing parameter max log size = 50000
>> doing parameter client signing = required
>> doing parameter client ldap sasl wrapping = sign
>> doing parameter load printers = No
>> doing parameter local master = No
>> doing parameter domain master = No
>> doing parameter dns proxy = No
>> doing parameter winbind enum users = Yes
>> doing parameter winbind enum groups = Yes
>> doing parameter winbind use default domain = Yes
>> doing parameter winbind nss info = rfc2307
>> doing parameter idmap config DOMAIN:range = 70001-400000
>> doing parameter idmap config DOMAIN:schema_mode = rfc2307
>> doing parameter idmap config DOMAIN:backend = ad
>> doing parameter idmap config *:range = 70001-800000
>> doing parameter idmap config * : backend = tdb
>> pm_process() returned Yes
>> Netbios name list:-
>> my_netbios_names[0]="SAMBATEST"
>> added interface e1000g0 ip=1.1.1.19 bcast=1.1.1.255 netmask=255.255.255.0
>> Registering messaging pointer for type 2 - private_data=0
>> Registering messaging pointer for type 9 - private_data=0
>> Registered MSG_REQ_POOL_USAGE
>> Registering messaging pointer for type 11 - private_data=0
>> Registering messaging pointer for type 12 - private_data=0
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> Registering messaging pointer for type 1 - private_data=0
>> Registering messaging pointer for type 5 - private_data=0
>> Enter krugersa's password:
>> libnet_Join:
>>       libnet_JoinCtx: struct libnet_JoinCtx
>>           in: struct libnet_JoinCtx
>>               dc_name                  : NULL
>>               machine_name             : 'SAMBATEST'
>>               domain_name              : *
>>                   domain_name              : 'AD.DOMAIN.COM'
>>               account_ou               : NULL
>>               admin_account            : 'krugersa'
>>               machine_password         : NULL
>>               join_flags               : 0x00000023 (35)
>>                      0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>                      0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>                      0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>                      0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>                      0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>                      0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>                      1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>                      0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>                      0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>                      1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>                      1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>               os_version               : NULL
>>               os_name                  : NULL
>>               create_upn               : 0x00 (0)
>>               upn                      : NULL
>>               modify_config            : 0x00 (0)
>>               ads                      : NULL
>>               debug                    : 0x01 (1)
>>               use_kerberos             : 0x00 (0)
>>               secure_channel_type      : SEC_CHAN_WKSTA (2)
>> Opening cache file at /usr/local/samba/var/cache/gencache.tdb
>> Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
>> sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
>> ads_dns_lookup_srv: 2 records returned in the answer section.
>> ads_dns_lookup_srv: 2 records returned in the answer section.
>> sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
>> name DC1.ad.domain.com#20 found.
>> Connecting to 1.1.1.144 at port 445
>> Socket options:
>>           SO_KEEPALIVE = 0
>>           SO_REUSEADDR = 0
>>           SO_BROADCAST = 0
>>           TCP_NODELAY = 1
>>           TCP_KEEPCNT = 0
>>           TCP_KEEPIDLE = 7200
>>           TCP_KEEPINTVL = 0
>>           IPTOS_LOWDELAY = 0
>>           IPTOS_THROUGHPUT = 0
>>           SO_SNDBUF = 49152
>>           SO_RCVBUF = 128872
>>           Could not test socket option SO_SNDLOWAT.
>>           Could not test socket option SO_RCVLOWAT.
>>           Could not test socket option SO_SNDTIMEO.
>>           Could not test socket option SO_RCVTIMEO.
>>           TCP_KEEPALIVE_THRESHOLD = 7200000
>>           TCP_KEEPALIVE_ABORT_THRESHOLD = 480000
>> Doing spnego session setup (blob length=120)
>> got OID=1.3.6.1.4.1.311.2.2.30
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.2.840.113554.1.2.2.3
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x62898215
>>     NTLMSSP_NEGOTIATE_UNICODE
>>     NTLMSSP_REQUEST_TARGET
>>     NTLMSSP_NEGOTIATE_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM
>>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM2
>>     NTLMSSP_NEGOTIATE_TARGET_INFO
>>     NTLMSSP_NEGOTIATE_VERSION
>>     NTLMSSP_NEGOTIATE_128
>>     NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>>     NTLMSSP_NEGOTIATE_UNICODE
>>     NTLMSSP_REQUEST_TARGET
>>     NTLMSSP_NEGOTIATE_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM
>>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM2
>>     NTLMSSP_NEGOTIATE_128
>>     NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>>     NTLMSSP_NEGOTIATE_UNICODE
>>     NTLMSSP_REQUEST_TARGET
>>     NTLMSSP_NEGOTIATE_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM
>>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM2
>>     NTLMSSP_NEGOTIATE_128
>>     NTLMSSP_NEGOTIATE_KEY_EXCH
>> Bind RPC Pipe: host DC1.ad.domain.com auth_type 0, auth_level 1
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 180
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 32
>> saf_fetch[join]: Returning "-DC1.ad.domain.com" for "ad.domain.com" domain
>> get_dc_list: preferred server list: "DC1.ad.domain.com, *"
>> name ad.domain.com#1C found.
>> sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
>> name DC1.ad.domain.com#20 found.
>> get_dc_list: returning 2 ip addresses in an ordered list
>> get_dc_list: 1.1.1.144:389 2.2.2.5:389
>> create_local_private_krb5_conf_for_domain: wrote file /usr/local/samba/var/lock/smb_krb5/krb5.conf.DOMAIN with realm AD.DOMAIN.COM KDC list =       kdc = 1.1.1.144   <---------  Looks like Kerberos is working here.
>>           kdc = 2.2.2.5
>>
>> Bind RPC Pipe: host DC1.ad.domain.com auth_type 0, auth_level 1
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 40
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 44
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1.ad.domain.com
>> rpc_read_send: data_to_read: 32
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
>> name DC1.ad.domain.com#20 found.
>> ads_try_connect: sending CLDAP request to 1.1.1.144 (realm: ad.domain.com)
>> Successfully contacted LDAP server 1.1.1.144
>> Connected to LDAP server DC1.ad.domain.com
>> KDC time offset is 0 seconds
>> Found SASL mechanism GSS-SPNEGO
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
>> libnet_Join:
>>       libnet_JoinCtx: struct libnet_JoinCtx
>>           out: struct libnet_JoinCtx
>>               account_name             : NULL
>>               netbios_domain_name      : 'DOMAIN'
>>               dns_domain_name          : 'ad.domain.com'
>>               forest_name              : 'ad.domain.com'
>>               dn                       : NULL
>>               domain_sid               : *
>>                   domain_sid               : S-1-5-21-1234552445-1234508259-1234564994
>>               modified_config          : 0x00 (0)
>>               error_string             : 'failed to connect to AD: NT_STATUS_NOT_SUPPORTED'
>>               domain_is_ad             : 0x01 (1)
>>               result                   : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
>> return code = -1
>>
>>
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Andre Kruger
>> Sent: 03 September 2014 10:07
>> To: sambalist
>> Subject: Re: [Samba] Joining Domain
>>
>> I did some more digging and found that you can run the "net ads join" command in debug mode. After doing this, this is the output:
>>
>>
>> ./net ads join -U krugersa -S DC1 -d5
>> INFO: Current debug levels:
>>     all: 5
>>     tdb: 5
>>     printdrivers: 5
>>     lanman: 5
>>     smb: 5
>>     rpc_parse: 5
>>     rpc_srv: 5
>>     rpc_cli: 5
>>     passdb: 5
>>     sam: 5
>>     auth: 5
>>     winbind: 5
>>     vfs: 5
>>     idmap: 5
>>     quota: 5
>>     acls: 5
>>     locking: 5
>>     msdfs: 5
>>     dmapi: 5
>>     registry: 5
>>     scavenger: 5
>>     dns: 5
>>     ldb: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
>> INFO: Current debug levels:
>>     all: 5
>>     tdb: 5
>>     printdrivers: 5
>>     lanman: 5
>>     smb: 5
>>     rpc_parse: 5
>>     rpc_srv: 5
>>     rpc_cli: 5
>>     passdb: 5
>>     sam: 5
>>     auth: 5
>>     winbind: 5
>>     vfs: 5
>>     idmap: 5
>>     quota: 5
>>     acls: 5
>>     locking: 5
>>     msdfs: 5
>>     dmapi: 5
>>     registry: 5
>>     scavenger: 5
>>     dns: 5
>>     ldb: 5
>> params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = DOMAIN
>> doing parameter realm = AD.DOMAIN.COM
>> doing parameter server string = Samba Server
>> doing parameter security = ADS
>> doing parameter log file = /var/samba/log/log.%m
>> doing parameter max log size = 50000
>> doing parameter client signing = required
>> doing parameter client ldap sasl wrapping = sign
>> doing parameter load printers = No
>> doing parameter local master = No
>> doing parameter domain master = No
>> doing parameter dns proxy = No
>> doing parameter winbind enum users = Yes
>> doing parameter winbind enum groups = Yes
>> doing parameter winbind use default domain = Yes
>> doing parameter winbind nss info = rfc2307
>> doing parameter idmap config DOMAIN:range = 70001-400000
>> doing parameter idmap config DOMAIN:schema_mode = rfc2307
>> doing parameter idmap config DOMAIN:backend = ad
>> doing parameter idmap config *:range = 70001-800000
>> doing parameter idmap config * : backend = tdb
>> pm_process() returned Yes
>> Netbios name list:-
>> my_netbios_names[0]="SAMBATEST"
>> added interface e1000g0 ip=1.1.1.1 bcast=1.1.1.255 netmask=255.255.255.0
>> Registering messaging pointer for type 2 - private_data=0
>> Registering messaging pointer for type 9 - private_data=0
>> Registered MSG_REQ_POOL_USAGE
>> Registering messaging pointer for type 11 - private_data=0
>> Registering messaging pointer for type 12 - private_data=0
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> Registering messaging pointer for type 1 - private_data=0
>> Registering messaging pointer for type 5 - private_data=0
>> Enter krugersa's password:
>> libnet_Join:
>>       libnet_JoinCtx: struct libnet_JoinCtx
>>           in: struct libnet_JoinCtx
>>               dc_name                  : 'DC1'
>>               machine_name             : 'SAMBATEST'
>>               domain_name              : *
>>                   domain_name              : 'AD.DOMAIN.COM'
>>               account_ou               : NULL
>>               admin_account            : 'krugersa'
>>               machine_password         : NULL
>>               join_flags               : 0x00000023 (35)
>>                      0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>                      0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>                      0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>                      0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>                      0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>                      0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>                      1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>                      0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>                      0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>                      1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>                      1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>               os_version               : NULL
>>               os_name                  : NULL
>>               create_upn               : 0x00 (0)
>>               upn                      : NULL
>>               modify_config            : 0x00 (0)
>>               ads                      : NULL
>>               debug                    : 0x01 (1)
>>               use_kerberos             : 0x00 (0)
>>               secure_channel_type      : SEC_CHAN_WKSTA (2)
>> Opening cache file at /usr/local/samba/var/cache/gencache.tdb
>> Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
>> sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
>> no entry for DC1#20 found.
>> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
>> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
>> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. Error was No such file or directory
>> resolve_wins: WINS server resolution selected and no WINS servers listed.
>> resolve_hosts: Attempting host lookup for name DC1<0x20>
>> namecache_store: storing 1 address for DC1#20: 1.1.1.144
>> Connecting to 1.1.1.144 at port 445
>> Socket options:
>>           SO_KEEPALIVE = 0
>>           SO_REUSEADDR = 0
>>           SO_BROADCAST = 0
>>           TCP_NODELAY = 1
>>           TCP_KEEPCNT = 0
>>           TCP_KEEPIDLE = 7200
>>           TCP_KEEPINTVL = 0
>>           IPTOS_LOWDELAY = 0
>>           IPTOS_THROUGHPUT = 0
>>           SO_SNDBUF = 49152
>>           SO_RCVBUF = 128872
>>           Could not test socket option SO_SNDLOWAT.
>>           Could not test socket option SO_RCVLOWAT.
>>           Could not test socket option SO_SNDTIMEO.
>>           Could not test socket option SO_RCVTIMEO.
>>           TCP_KEEPALIVE_THRESHOLD = 7200000
>>           TCP_KEEPALIVE_ABORT_THRESHOLD = 480000
>> Doing spnego session setup (blob length=120)
>> got OID=1.3.6.1.4.1.311.2.2.30
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.2.840.113554.1.2.2.3
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x62898215
>>     NTLMSSP_NEGOTIATE_UNICODE
>>     NTLMSSP_REQUEST_TARGET
>>     NTLMSSP_NEGOTIATE_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM
>>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM2
>>     NTLMSSP_NEGOTIATE_TARGET_INFO
>>     NTLMSSP_NEGOTIATE_VERSION
>>     NTLMSSP_NEGOTIATE_128
>>     NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>>     NTLMSSP_NEGOTIATE_UNICODE
>>     NTLMSSP_REQUEST_TARGET
>>     NTLMSSP_NEGOTIATE_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM
>>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM2
>>     NTLMSSP_NEGOTIATE_128
>>     NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>>     NTLMSSP_NEGOTIATE_UNICODE
>>     NTLMSSP_REQUEST_TARGET
>>     NTLMSSP_NEGOTIATE_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM
>>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>     NTLMSSP_NEGOTIATE_NTLM2
>>     NTLMSSP_NEGOTIATE_128
>>     NTLMSSP_NEGOTIATE_KEY_EXCH
>> Bind RPC Pipe: host DC1 auth_type 0, auth_level 1
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 180
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 32
>> saf_fetch[join]: Returning "DC1" for "ad.domain.com" domain
>> get_dc_list: preferred server list: "DC1, *"
>> no entry for ad.domain.com#1C found.
>> resolve_ads: Attempting to resolve KDCs for ad.domain.com using DNS
>> ads_dns_lookup_srv: 157 records returned in the answer section.
>> interpret_string_addr_internal: getaddrinfo failed for name scolmx-dc1.ad.domain.com (flags 0) [node name or service name not known]  <---------   I have no idea where this is coming from??
>> sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
>> name DC1#20 found.
>> get_dc_list: returning 157 ip addresses in an ordered list
>> get_dc_list: A whole bunch of IPs is listed here, removed for security reasons
>> create_local_private_krb5_conf_for_domain: wrote file /usr/local/samba/var/lock/smb_krb5/krb5.conf.DOMAIN with realm AD.DOMAIN.COM KDC list =       kdc = 1.1.1.144
>>           kdc = 1.1.2.1
>>           kdc = 1.1.3.251
>>
>> Bind RPC Pipe: host DC1 auth_type 0, auth_level 1
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 40
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 44
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host DC1
>> rpc_read_send: data_to_read: 32
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> check lock order 1 for /usr/local/samba/private/secrets.tdb
>> release lock order 1 for /usr/local/samba/private/secrets.tdb
>> sitename_fetch: Returning sitename for AD.DOMAIN.COM: "AtlZA"
>> name DC1#20 found.
>> ads_try_connect: sending CLDAP request to 1.1.1.144 (realm: ad.domain.com)
>> Successfully contacted LDAP server 1.1.1.144
>> Connected to LDAP server DC1.ad.domain.com   <----------  The connection is definitely made.
>> KDC time offset is 0 seconds
>> Found SASL mechanism GSS-SPNEGO
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED   <----------------   I am still in the dark as to what is causing this particular error????????
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
>> libnet_Join:
>>       libnet_JoinCtx: struct libnet_JoinCtx
>>           out: struct libnet_JoinCtx
>>               account_name             : NULL
>>               netbios_domain_name      : 'DOMAIN'
>>               dns_domain_name          : 'ad.domain.com'
>>               forest_name              : 'ad.domain.com'
>>               dn                       : NULL
>>               domain_sid               : *
>>                   domain_sid               : S-1-5-21-1234552445-1234508259-1243564994
>>               modified_config          : 0x00 (0)
>>               error_string             : 'failed to connect to AD: NT_STATUS_NOT_SUPPORTED'
>>               domain_is_ad             : 0x01 (1)
>>               result                   : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
>> return code = -1
>>
>>
>> I can clearly see a connection being made to the LDAP (AD) server but then... first the "ads_setup_sasl_wrapping()" error and then afterwards, probably as a result, "kinit succeeded but ads_sasl_spnego_krb5_bind failed". Logic tells me if the connection to the LDAP server failed it would have been very likely to see the two previous error messages, but after the connection is successful?
>>
>> Can anyone shed some light on this? Is this Kerberos related or should I be digging somewhere else?
>>
>>
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: 30 August 2014 12:17
>> To: sambalist
>> Subject: Re: [Samba] Joining Domain
>>
>> On 29/08/14 12:37, Andre Kruger wrote:
>>> You could install samba from the package repository but it is old 3.5.x.
>>>
>>> I compiled samba from source. I downloaded the latest tarball from the samba.org site.
>>>
>>> I also struggled a bit with gcc but eventually figured out installing the "developer/gcc-3" package satisfied the samba configure script.
>>>
>>> I also installed "system/library/math/header-math" as well as one or two other packages which I can't remember off the top of my head what they were.
>>>
>>> Thanks for the support Rowland. I was just thinking that if Kerberos was at fault I would expect an error from klist, but it could be certain pieces that are broken I suppose.
>>>
>>> "ads_setup_sasl_wrapping()" and "ads_sasl_spnego_krb5_bind" seem to be at the root of my problem.
>>>
>>>
>>> Regards
>>> André
>>>
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>> Sent: 29 August 2014 11:33
>>> To: sambalist
>>> Subject: Re: [Samba] Joining Domain
>>>
>>> On 29/08/14 09:53, Andre Kruger wrote:
>>>> I am still stumped on this one. My enctypes are as follows in this particular order as well. Are they correct?:
>>>>
>>>> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>>> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>>> preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>>>
>>>> I am not sure but if my Kerberos was the problem wouldn't kinit fail?
>>>>
>>>> Further to the problem the following commands all return valid results:
>>>>
>>>> ./wbinfo -p
>>>> Ping to winbindd succeeded
>>>>
>>>> ./wbinfo -P
>>>> checking the NETLOGON dc connection to "DC1.ad.domain.com" succeeded
>>>>
>>>> ./wbinfo --dc-info=ad.domain.com
>>>> DC1.ad.domain.com (1.1.1.1)  <---- just changed for security purposes but the correct IP is returned.
>>>>
>>>> ./wbinfo -t
>>>> checking the trust secret for domain DOMAIN via RPC calls succeeded
>>>>
>>>> ./wbinfo --domain-info=ad.domain.com
>>>> Name              : DOMAIN
>>>> Alt_Name          : ad.domain.com
>>>> SID               : S-1-5-21-2387652445-1625808259-2938664994
>>>> Active Directory  : Yes
>>>> Native            : Yes
>>>> Primary           : Yes
>>>>
>>>> By looking at the above I'd say that everything is working as it should? Is there something I may have missed?
>>> Well everything seems OK (aka it matches what I get on a Linux AD client)
>>>
>>>> However, I am still unable to list users and groups or assign an AD user or group to my file system. I am sure this stems from the fact that I am unable to use "net ads join" to join my domain but instead I have to use "net rpc join". Even now after joining with "net rpc join" I seem to have problem with the RPC calls, but the ADS calls succeed.
>>>>
>>>> ./net rpc info -U krugera
>>>> Unable to find a suitable server for domain DOMAIN
>>>>
>>>> ./net ads info -U krugera
>>>> Enter krugera's password:
>>>> LDAP server: 1.1.1.1
>>>> LDAP server name: DC1.ad.domain.com
>>>> Realm: AD.DOMAIN.COM
>>>> Bind Path: dc=AD,dc=DOMAIN,dc=COM
>>>> LDAP port: 389
>>>> Server time: Fri, 29 Aug 2014 10:38:24 SAST
>>>> KDC server: 1.1.1.1
>>>> Server time offset: 0
>>>>
>>>>
>>>> I do get the same error messages in my logs now as I do when I try to join my domain with the "net ads join" command. I don't understand the error messages and google doesn't help and I see a long history on the list about this problem. Is there anybody who can shed light on these particular failures:
>>>>
>>>>
>>>> When I execute wbinfo -u I get the following showing up in my logs:
>>>>
>>>> ==> /var/adm/messages <==
>>>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error] [2014/08/29 10:04:56.014638,  0] ../source3/libads/sasl.c:673(ads_sasl_spnego_gsskrb5_bind)
>>>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error]   ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error] [2014/08/29 10:04:56.187569,  0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
>>>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error]   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Can't contact LDAP server
>>>>
>>>> ==> /var/samba/log/log.wb-DOMAIN <==
>>>> [2014/08/29 10:04:56.014638,  0] ../source3/libads/sasl.c:673(ads_sasl_spnego_gsskrb5_bind)
>>>>       ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>> [2014/08/29 10:04:56.187569,  0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
>>>>       kinit succeeded but ads_sasl_spnego_krb5_bind failed: Can't contact LDAP server
>>>>
>>>>
>>>> ads_sasl_spnego_gsskrb5_bind  <----  This error seems to be the source of all my problems.
>>>>
>>> Which is why I was suspecting kerberos.
>>> Just how did you build samba4? What packages did you install and where from?
>>> I installed openindiana in a VM, but that was just about as far as I got. I probably need to do a bit more investigation; I couldn't get samba configure to find gcc. It is so much easier on Linux.
>>>
>>> Rowland
>>>
>>>> -----Original Message-----
>>>> From: samba-bounces at lists.samba.org
>>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>> Sent: 27 August 2014 17:18
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Joining Domain
>>>>
>>>> On 27/08/14 15:52, Andre Kruger wrote:
>>>>> UPDATE:
>>>>>
>>>>> I got the samba server to join my domain using
>>>>>
>>>>> net rpc join -U krugersa
>>>>>
>>>>> instead of
>>>>>
>>>>> net ads join -U krugersa
>>>>>
>>>>> The new problem I have now is similar to my previous problem. First things first. I started winbindd interactively, "winbindd -I". I can then list all of our domains using "wbinfo --all-domains". The command returns results as expected.
>>>>>
>>>>> Next I can check the secret between my samba server and AD using "wbinfo -t". I get expected results:
>>>>> "checking the trust secret for domain DOMAIN via RPC calls succeeded".
>>>>>
>>>>>
>>>>> However, when I try and list either AD users or groups using "wbinfo -u" or "wbinfo -g", immediately after issuing the command I get the following on the winbindd interactive window:
>>>>>
>>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED  <-----  This is the same error message as before when I was trying to join my domain using "net ads join..."
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> kerberos_kinit_password SAMBATEST$@AD.DOMAIN.COM failed: Clock skew too great  <-----  I have no idea where this is coming from. The clocks on my samba server and my DC are exactly the same. And SAMBATEST??
>>>>> ===============================================================
>>>>> INTERNAL ERROR: Signal 11 in pid 1167 (4.1.11) Please read the
>>>>> Trouble-Shooting section of the Samba HOWTO
>>>>> ===============================================================
>>>>> PANIC (pid 1167): internal error
>>>>> BACKTRACE: 37 stack frames:
>>>>>       #0 /usr/local/samba/lib/libsmbconf.so.0'log_stack_trace+0x27 [0xfea32d1c]
>>>>>       #1 /usr/local/samba/lib/libsmbconf.so.0'smb_panic_s3+0x63 [0xfea32bc0]
>>>>>       #2 /usr/local/samba/lib/libsamba-util.so.0.0.1'smb_panic+0x2a [0xfedba2fa]
>>>>>       #3 /usr/local/samba/lib/libsamba-util.so.0.0.1'sig_fault+0x0 [0xfedba05a]
>>>>>       #4 /usr/local/samba/lib/libsamba-util.so.0.0.1'sig_fault+0x11 [0xfedba06b]
>>>>>       #5 /lib/libc.so.1'__sighndlr+0x15 [0xfeeefc25]
>>>>>       #6 /lib/libc.so.1'call_user_handler+0x2a2 [0xfeee298e]
>>>>>       #7 /lib/libnsl.so.1'inet_pton4+0x1c [0xfeb03c3c]
>>>>>       #8 /lib/libnsl.so.1'inet_pton+0x29 [0xfeb03bed]
>>>>>       #9 /usr/local/samba/lib/libsamba-util.so.0.0.1'is_ipaddress_v4+0x2b [0xfedb5cf1]
>>>>>       #10 /usr/local/samba/lib/libsamba-util.so.0.0.1'is_ipaddress+0x22 [0xfedb5e27]
>>>>>       #11 /usr/local/samba/lib/private/libgse.so'internal_resolve_name+0x9d [0xfeabb4ed]
>>>>>       #12 /usr/local/samba/lib/private/libgse.so'get_dc_list+0x333 [0xfeabc8c2]
>>>>>       #13 /usr/local/samba/lib/private/libgse.so'get_sorted_dc_list+0xba [0xfeabcffe]
>>>>>       #14 /usr/local/samba/sbin/winbindd'get_dcs+0x1b2 [0x809a4c3]
>>>>>       #15 /usr/local/samba/sbin/winbindd'find_new_dc+0x59 [0x809a809]
>>>>>       #16 /usr/local/samba/sbin/winbindd'cm_open_connection+0x3d5 [0x809b19a]
>>>>>       #17 /usr/local/samba/sbin/winbindd'init_dc_connection_network+0x90 [0x809b799]
>>>>>       #18 /usr/local/samba/sbin/winbindd'init_dc_connection+0x51 [0x809b819]
>>>>>       #19 /usr/local/samba/sbin/winbindd'get_cache+0x99 [0x8084209]
>>>>>       #20 /usr/local/samba/sbin/winbindd'enum_dom_groups+0x20 [0x8087e0c]
>>>>>       #21 /usr/local/samba/sbin/winbindd'_wbint_QueryGroupList+0x67 [0x80ae7c8]
>>>>>       #22 /usr/local/samba/sbin/winbindd'api_wbint_QueryGroupList+0x196 [0x80ce945]
>>>>>       #23 /usr/local/samba/sbin/winbindd'winbindd_dual_ndrcmd+0x15e [0x80ada27]
>>>>>       #24 /usr/local/samba/sbin/winbindd'child_process_request+0xd0 [0x80aa143]
>>>>>       #25 /usr/local/samba/sbin/winbindd'child_handler+0xea [0x80ac590]
>>>>>       #26 /usr/local/samba/lib/private/libtevent.so.0.9.18'poll_event_loop_poll+0x55b [0xfed7789a]
>>>>>       #27 /usr/local/samba/lib/private/libtevent.so.0.9.18'poll_event_loop_once+0x98 [0xfed77ac0]
>>>>>       #28 /usr/local/samba/lib/private/libtevent.so.0.9.18'_tevent_loop_once+0xc9 [0xfed74178]
>>>>>       #29 /usr/local/samba/sbin/winbindd'fork_domain_child+0x8c3 [0x80acfe0]
>>>>>       #30 /usr/local/samba/sbin/winbindd'wb_child_request_trigger+0x55 [0x80a92a0]
>>>>>       #31 /usr/local/samba/lib/private/libtevent.so.0.9.18'tevent_queue_immediate_trigger+0x6b [0xfed75007]
>>>>>       #32 /usr/local/samba/lib/private/libtevent.so.0.9.18'tevent_common_loop_immediate+0x18b [0xfed74cea]
>>>>>       #33 /usr/local/samba/lib/private/libtevent.so.0.9.18'poll_event_loop_once+0x4b [0xfed77a73]
>>>>>       #34 /usr/local/samba/lib/private/libtevent.so.0.9.18'_tevent_loop_once+0xc9 [0xfed74178]
>>>>>       #35 /usr/local/samba/sbin/winbindd'main+0xac5 [0x8080dc1]
>>>>>       #36 /usr/local/samba/sbin/winbindd'_start+0x83 [0x8074053]
>>>>> dumping core in /var/samba/log/cores/winbindd
>>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
>>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
>>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
>>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
>>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>>> tdb_chainlock_with_timeout_internal: alarm (40) timed out for key DC1.ad.domain.com in tdb /usr/local/samba/var/lock/mutex.tdb
>>>>> tdb_chainlock_with_timeout_internal: alarm (40) timed out for key DC1.ad.domain.com in tdb /usr/local/samba/var/lock/mutex.tdb
>>>>> cm_prepare_connection: mutex grab failed for DC1.ad.domain.com
>>>>> cm_prepare_connection: mutex grab failed for DC1.ad.domain.com
>>>>> tdb_chainlock_with_timeout_internal: alarm (40) timed out for key DC1.ad.domain.com in tdb /usr/local/samba/var/lock/mutex.tdb
>>>>> cm_prepare_connection: mutex grab failed for DC1.ad.domain.com
>>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
>>>>>
>>>>> When I stop winbindd interactive I get the following output:
>>>>>
>>>>> Kinit failed: Clock skew too great
>>>>> ^CGot sig[2] terminate (is_parent=1)
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Got sig[2] terminate (is_parent=0)
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol idmap_close: referenced symbol not found
>>>>> Killed
>>>>>
>>>>>
>>>>> My smb.conf
>>>>>
>>>>> [global]
>>>>>              workgroup = DOMAIN
>>>>>              realm = AD.DOMAIN.COM
>>>>>              server string = Samba
>>>>>              security = ADS
>>>>>              log file = /var/samba/log/log.%m
>>>>>              max log size = 50000
>>>>>              client ldap sasl wrapping = sign
>>>>>              load printers = No
>>>>>              local master = No
>>>>>              domain master = No
>>>>>              dns proxy = No
>>>>>              winbind enum users = Yes
>>>>>              winbind enum groups = Yes
>>>>>              winbind use default domain = Yes
>>>>>              winbind nss info = rfc2307
>>>>>              idmap config *:range = 70001-800000
>>>>>              idmap config SAMDOM:backend = ad
>>>>>              idmap config SAMDOM:schema_mode = rfc2307
>>>>>              idmap config SAMDOM:range = 500-40000
>>>>>              idmap config * : backend = tdb
>>>>>
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: samba-bounces at lists.samba.org
>>>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Andre Kruger
>>>>> Sent: 27 August 2014 13:18
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Joining Domain
>>>>>
>>>>> I made the change that you suggest but I still get the exact same error message. Just to clarify:
>>>>>
>>>>> 1. I added " idmap config DOMAIN : schema_mode = rfc2307"
>>>>> 1. Yes, the krugersa account has the rights required. I join other machines to my domain using this account. Administrator isn't used.
>>>>> 2. idmap config DOMAIN : backend = ad/rid  <-  I assume this does not impact joining the domain? It is used after the domain has been joined successfully.
>>>>>
>>>>> This is my global section as it is now:
>>>>>
>>>>> [global]
>>>>>              workgroup = DOMAIN
>>>>>              realm = AD.DOMAIN.COM
>>>>>              server string = Samba
>>>>>              security = ADS
>>>>>              log file = /var/samba/log/log.%m
>>>>>              max log size = 50000
>>>>>              client ldap sasl wrapping = sign
>>>>>              load printers = No
>>>>>              local master = No
>>>>>              domain master = No
>>>>>              dns proxy = No
>>>>>              winbind separator = +
>>>>>              winbind enum users = Yes
>>>>>              winbind enum groups = Yes
>>>>>              winbind use default domain = Yes
>>>>>              idmap config DOMAIN : range = 20000-800000
>>>>>              idmap config DOMAIN : backend = ad
>>>>>              idmap config DOMAIN : schema_mode = rfc2307
>>>>>              idmap config * : backend = tdb      <-   I don't get this line, it is not in my smb.conf file but when I parse the file with testparm it is in the output. Why?
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: samba-bounces at lists.samba.org
>>>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>>> Sent: 27 August 2014 11:31
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Joining Domain
>>>>>
>>>>> On 27/08/14 10:21, Andre Kruger wrote:
>>>>>> I have successfully compiled and installed Samba 4.1.11 from source on OpenIndiana 151a8.
>>>>>>
>>>>>> I tested the server by creating a folder and adding a local samba user (smbpasswd -a) and mapping a drive from my Windows machine which succeeded. I was able to access the test file in the folder as well as edit and save it.
>>>>>>
>>>>>> Now I am trying to join my samba server to my domain but it is failing and the error messages are not helping much and google's responses aren't really helping.
>>>>>>
>>>>>> Can anybody on the list help? When I try and join the domain I get the following error message:
>>>>>>
>>>>>> ./net ads join -U krugersa
>>>>>> Enter krugersa's password:
>>>>> Does 'krugersa' have the required permissions to join to the domain?
>>>>> Have you tried with 'Administrator'?
>>>>>
>>>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>>>>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
>>>>>> Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
>>>>>>
>>>>>>
>>>>>> What causes samba to output this particular error message? "NT_STATUS_NOT_SUPPORTED" is very general...
>>>>>>
>>>>>> A copy of my smb.conf file:
>>>>>>
>>>>>> [global]
>>>>>>               workgroup = DOMAIN
>>>>>>               realm = AD.DOMAIN.COM
>>>>>>               server string = Samba
>>>>>>               security = ADS
>>>>>>               log file = /var/samba/log/log.%m
>>>>>>               max log size = 50000
>>>>>>               client ldap sasl wrapping = sign
>>>>>>               load printers = No
>>>>>>               local master = No
>>>>>>               domain master = No
>>>>>>               dns proxy = No
>>>>>>               winbind separator = +
>>>>>>               winbind enum users = Yes
>>>>>>               winbind enum groups = Yes
>>>>>>               winbind use default domain = Yes
>>>>>>               idmap config * : range = 20000-800000
>>>>>>               idmap config * : backend = tdb
>>>>> You appear to have a portion missing:
>>>>>
>>>>>               idmap config DOMAIN : backend  = ad
>>>>>               idmap config DOMAIN : range = 10000-999999
>>>>>               idmap config DOMAIN : schema_mode = rfc2307
>>>>>
>>>>> Adjust the range to suit your setup; if your AD users do not have uidNumbers, change 'ad' to 'rid'.
>>>>>
>>>>> Rowland
>>>>>
>>>>>> [homes]
>>>>>>               comment = Home Directories
>>>>>>               read only = No
>>>>>>               browseable = No
>>>>>>
>>>>>> [printers]
>>>>>>               comment = All Printers
>>>>>>               path = /var/spool/samba
>>>>>>               printable = Yes
>>>>>>               print ok = Yes
>>>>>>               browseable = No
>>>>>>
>>>>>> [testperm]
>>>>>>               path = /testperm
>>>>>>               valid users = @DOMAIN+Admins
>>>>>>               read only = No
>>>>>>               create mask = 0770
>>>>>>               directory mask = 0770
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>> I 'think' that your problem has something to do with kerberos. Can
>>>> you check that you have the required enctypes in krb5.conf?
>>>>
>>>> Rowland
>>>>
>> OK, I finally got samba4 to build on openindiana and set it up as a client (based on how I would do it for Debian) and joined it to the domain, so far so good. Running the 'wbinfo -u' & 'wbinfo -g' commands worked as expected, but getent wouldn't.
>>
>> I then remembered that when I used to compile samba4 myself, I had to create the links to 'libnss_winbind.so' to get winbind to work.
>> So I went looking for the file. This was problem one: I couldn't find it, but I did find 'nss_winbind.so.1', so I copied it to /usr/lib and set up symlinks to ~.so & ~.so.2. No good. I tried the same in /usr/lib/amd64 but just the same, no domain users from 'getent'. I am convinced that this is the problem, but do not know why I got nss_winbind.so.1 instead of nss_winbind.so and, if this is the correct file, just where I need to put it.
>>
>> Rowland
>>
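
The idmap advice quoted in this thread (a complete `idmap config` stanza for the domain, with backend, range and, for the ad backend, schema_mode) can be checked mechanically before restarting winbindd. The following is an added example, not code from the thread or from Samba: `parse_global` and `check_idmap` are hypothetical helper names, and the sample input is constructed from the smb.conf lines posted above. The rule that idmap ranges must not overlap is taken from the smb.conf documentation, not from the thread.

```python
import re

# Constructed sample: the idmap lines of the [global] section posted in the
# 27 August update of this thread (other parameters omitted).
SAMPLE_GLOBAL = """\
[global]
    workgroup = DOMAIN
    realm = AD.DOMAIN.COM
    security = ADS
    idmap config *:range = 70001-800000
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 500-40000
    idmap config * : backend = tdb
"""

# Matches "idmap config <domain> : <option>" with or without spaces round ':'.
IDMAP_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\S+)$", re.IGNORECASE)


def parse_global(text):
    """Split [global] into plain parameters and per-domain idmap options."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = IDMAP_KEY.match(" ".join(key.split()))
        if match:
            idmap.setdefault(match.group(1).upper(), {})[match.group(2).lower()] = value
        else:
            params[" ".join(key.lower().split())] = value
    return params, idmap


def check_idmap(text):
    """Return findings about the idmap stanzas, as a list of strings."""
    params, idmap = parse_global(text)
    workgroup = params.get("workgroup", "").upper()
    findings = []
    if workgroup not in idmap:
        findings.append(f"no 'idmap config {workgroup}' stanza for the workgroup")
    for domain, opts in sorted(idmap.items()):
        if domain not in ("*", workgroup):
            findings.append(f"'idmap config {domain}' does not match workgroup {workgroup}")
        for required in ("backend", "range"):
            if required not in opts:
                findings.append(f"'idmap config {domain}' has no {required}")
        if opts.get("backend", "").lower() == "ad" and "schema_mode" not in opts:
            findings.append(f"'idmap config {domain}' uses backend ad without schema_mode")
    # Sort ranges by lower bound; any overlap then shows up between neighbours.
    ranges = sorted(
        (tuple(int(n) for n in opts["range"].split("-")), domain)
        for domain, opts in idmap.items() if "range" in opts
    )
    for ((_, high), first), ((low, _), second) in zip(ranges, ranges[1:]):
        if low <= high:
            findings.append(f"idmap ranges of {first} and {second} overlap")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_GLOBAL):
        print(finding)
```
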