[Samba] I can't join the new AD server with Samba4

Daniel Carrasco Marín danielmadrid19 at gmail.com
Sat Apr 25 06:27:55 MDT 2015


Hi, I'm sorry for my English.

I've migrated an old 3.6 Samba domain to Samba 4.1 and the Windows part is
working fine (I can join and manage the server from a Windows machine), but
when I try to join the domain from another Linux server it fails.

I've followed this guide to migrate:
https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29

and this for join:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

My config file looks like the guide and the join command shows:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
# net ads join -UAdministrator -d 5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
params.c:Parameter() - Ignoring badly formed line in configuration file:
rfc2307[global]
doing parameter security = domain
doing parameter workgroup = TTU
doing parameter realm = ttu.red
doing parameter wins server = 192.168.2.251
doing parameter server role = standalone server
doing parameter passdb backend = tdbsam
doing parameter domain master = no
doing parameter server string = Print Server
doing parameter encrypt passwords = yes
doing parameter winbind nss info = rfc2307
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter winbind use default domain = Yes
doing parameter winbind refresh tickets = Yes
doing parameter winbind normalize names = yes
doing parameter idmap config TTU : backend = ad
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 1000-20000000
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="GLOTON"
added interface eth1 ip=172.30.0.230 bcast=172.30.0.255
netmask=255.255.255.0
added interface eth0 ip=192.168.2.230 bcast=192.168.2.255
netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Enter Administrator's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'GLOTON'
            domain_name              : *
                domain_name              : 'TTU.RED'
            account_ou               : NULL
            admin_account            : 'Administrator'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
no entry for pdc.ttu.red#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name pdc.ttu.red<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name pdc.ttu.red<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
existe el fichero o el directorio
wins_srv_is_dead: 192.168.2.251 is alive
resolve_wins: using WINS server 192.168.2.251 and tag '*'
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fcb85f853b0] mpx_fde[(nil)]
fd[13] - disabling
wins_srv_is_dead: 192.168.2.251 is alive
Marking wins server 192.168.2.251 dead for 600 seconds from source
192.168.2.251
resolve_hosts: Attempting host lookup for name pdc.ttu.red<0x20>
namecache_store: storing 1 address for pdc.ttu.red#20: 192.168.2.251
Connecting to 192.168.2.251 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_SNDBUF = 24040
        SO_RCVBUF = 87380
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 168
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
get_dc_list: preferred server list: "pdc.ttu.red, *"
no entry for ttu.red#1C found.
resolve_ads: Attempting to resolve KDCs for ttu.red using DNS
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
name pdc.ttu.red#20 found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.2.251:0 192.168.2.251:88
create_local_private_krb5_conf_for_domain: wrote file
/var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list =
kdc = 192.168.2.251

Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 40
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 44
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 12
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 12
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
name pdc.ttu.red#20 found.
ads_try_connect: sending CLDAP request to 192.168.2.251 (realm: ttu.red)
Successfully contacted LDAP server 192.168.2.251
Connected to LDAP server pdc.ttu.red
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178 at please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
directorio)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom,
26 abr 2015 00:04:50 CEST
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'TTU'
            dns_domain_name          : 'ttu.red'
            forest_name              : 'ttu.red'
            dn                       : NULL
            domain_sid               : *
                domain_sid               :
S-1-5-21-127850397-371183867-665961664
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Invalid
credentials'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Invalid credentials
return code = -1
-----------------------------------------------------------------------
-----------------------------------------------------------------------

I've tried commands like:
smbclient -L 192.168.2.251 -U%
kinit administrator@ <administrator at CASA.RED>TTU.RED
klist -c

All are working.
I've tried to create a test domain instead of upgrading, with the same config,
and the ads join is working... Can it be the upgrade process?

Thanks!!
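The debug output above reports a badly formed line in smb.conf ("rfc2307[global]") and then parses `security = domain`, `server role = standalone server` and an `idmap config TTU : backend = ad` entry that has no range. The following is an added example, not code from the original post or from the Samba project: a small smb.conf linter that reproduces those parameters in a constructed sample and flags the settings that differ from what the linked "Setup a Samba AD Member Server" guide expects (`security = ADS`, a member server role, and a range for every idmap domain). It only checks the configuration file; it does not diagnose the Kerberos "Invalid credentials" failure itself. The function names and the parameter normalisation are this example's own assumptions.

```python
import re

# Constructed sample: the parameters the post's "doing parameter" lines
# printed, including the malformed first line Samba reported ignoring.
SAMPLE_SMB_CONF = """\
rfc2307[global]
   security = domain
   workgroup = TTU
   realm = ttu.red
   wins server = 192.168.2.251
   server role = standalone server
   passdb backend = tdbsam
   domain master = no
   server string = Print Server
   encrypt passwords = yes
   winbind nss info = rfc2307
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind refresh tickets = Yes
   winbind normalize names = yes
   idmap config TTU : backend = ad
   idmap config * : backend = tdb
   idmap config * : range = 1000-20000000
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_smb_conf(text):
    """Parse smb.conf text into (params, problems).

    params maps (section, normalised key) -> value.  Lines that are neither a
    section header nor 'key = value' are reported as problems, which mirrors
    Samba's own 'Ignoring badly formed line' message.  Parameters that appear
    before any header are assigned to [global], as Samba does.
    """
    params = {}
    problems = []
    section = "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: badly formed line: {line!r}")
            continue
        key, _, value = line.partition("=")
        # Samba ignores whitespace inside parameter names; normalise the same
        # way and lower-case so lookups are case-insensitive (assumption).
        key = re.sub(r"\s+", "", key).lower()
        params[(section, key)] = value.strip()
    return params, problems


def check_ad_member(params):
    """Settings an AD domain member needs, per the Samba member server guide."""
    findings = []
    value = lambda key: params.get(("global", key), "").lower()
    if value("security") != "ads":
        findings.append(
            f"security = {value('security') or '<unset>'} "
            "(joining an AD domain with 'net ads join' needs security = ADS)")
    if value("serverrole") in ("standalone", "standalone server"):
        findings.append(
            f"server role = {value('serverrole')} "
            "(a domain member should use server role = member server)")
    return findings


def check_idmap_ranges(params):
    """Every 'idmap config DOM : backend' needs a matching 'range' entry."""
    findings = []
    for (section, key), backend in params.items():
        m = re.match(r"idmapconfig(.+):backend$", key)
        if section != "global" or not m:
            continue
        dom = m.group(1)
        if ("global", f"idmapconfig{dom}:range") not in params:
            findings.append(
                f"idmap config {dom} : backend = {backend} has no range entry")
    return findings


def lint_smb_conf(text):
    """Return all findings for the given smb.conf text (empty list if clean)."""
    params, problems = parse_smb_conf(text)
    return problems + check_ad_member(params) + check_idmap_ranges(params)


if __name__ == "__main__":
    for finding in lint_smb_conf(SAMPLE_SMB_CONF):
        print(finding)
```

Running the script on the constructed sample prints four findings: the malformed `rfc2307[global]` line, `security = domain`, `server role = standalone server`, and the missing `idmap config TTU : range`. Fixing those four lines in the sample yields an empty findings list; whether that also resolves the join failure on the real server is not something the configuration check alone can tell.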
