[Samba] I can't join the new AD server with Samba4
Rowland Penny
rowlandpenny at googlemail.com
Sat Apr 25 06:52:40 MDT 2015
On 25/04/15 13:27, Daniel Carrasco Marín wrote:
> Hi, I'm sorry for my English.
>
> I've migrated an old 3.6 samba domain to Samba 4.1 and the windows part is
> working fine (I can join and manage the server from a Windows Machine), but
> when I try to join the domain from another linux server it fails.
>
> I've followed this guide to migrate:
> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
>
> and this for join:
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> My config file looks like the guide.
From what you have posted, your smb.conf doesn't seem to look anything
like the one on the member server page:
[global]
security = domain
workgroup = TTU
realm = ttu.red
wins server = 192.168.2.251
server role = standalone server
passdb backend = tdbsam
domain master = no
server string = Print Server
encrypt passwords = yes
winbind nss info = rfc2307
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind normalize names = yes
idmap config TTU : backend = ad
idmap config * : backend = tdb
idmap config * : range = 1000-20000000
There is also this:
params.c:Parameter() - Ignoring badly formed line in configuration file:
rfc2307
Rowland
> and the join command shows:
> -----------------------------------------------------------------------
> -----------------------------------------------------------------------
> # net ads join -UAdministrator -d 5
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> scavenger: 5
> dns: 5
> ldb: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> scavenger: 5
> dns: 5
> ldb: 5
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> params.c:Parameter() - Ignoring badly formed line in configuration file:
> rfc2307[global]
> doing parameter security = domain
> doing parameter workgroup = TTU
> doing parameter realm = ttu.red
> doing parameter wins server = 192.168.2.251
> doing parameter server role = standalone server
> doing parameter passdb backend = tdbsam
> doing parameter domain master = no
> doing parameter server string = Print Server
> doing parameter encrypt passwords = yes
> doing parameter winbind nss info = rfc2307
> doing parameter winbind enum users = Yes
> doing parameter winbind enum groups = Yes
> doing parameter winbind use default domain = Yes
> doing parameter winbind refresh tickets = Yes
> doing parameter winbind normalize names = yes
> doing parameter idmap config TTU : backend = ad
> doing parameter idmap config * : backend = tdb
> doing parameter idmap config * : range = 1000-20000000
> pm_process() returned Yes
> Netbios name list:-
> my_netbios_names[0]="GLOTON"
> added interface eth1 ip=172.30.0.230 bcast=172.30.0.255
> netmask=255.255.255.0
> added interface eth0 ip=192.168.2.230 bcast=192.168.2.255
> netmask=255.255.255.0
> Registering messaging pointer for type 2 - private_data=(nil)
> Registering messaging pointer for type 9 - private_data=(nil)
> Registered MSG_REQ_POOL_USAGE
> Registering messaging pointer for type 11 - private_data=(nil)
> Registering messaging pointer for type 12 - private_data=(nil)
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Registering messaging pointer for type 1 - private_data=(nil)
> Registering messaging pointer for type 5 - private_data=(nil)
> Enter Administrator's password:
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> in: struct libnet_JoinCtx
> dc_name : NULL
> machine_name : 'GLOTON'
> domain_name : *
> domain_name : 'TTU.RED'
> account_ou : NULL
> admin_account : 'Administrator'
> machine_password : NULL
> join_flags : 0x00000023 (35)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> os_version : NULL
> os_name : NULL
> create_upn : 0x00 (0)
> upn : NULL
> modify_config : 0x00 (0)
> ads : NULL
> debug : 0x01 (1)
> use_kerberos : 0x00 (0)
> secure_channel_type : SEC_CHAN_WKSTA (2)
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/run/samba/gencache_notrans.tdb
> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
> ads_dns_lookup_srv: 1 records returned in the answer section.
> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
> no entry for pdc.ttu.red#20 found.
> resolve_lmhosts: Attempting lmhosts lookup for name pdc.ttu.red<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name pdc.ttu.red<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
> existe el fichero o el directorio
> wins_srv_is_dead: 192.168.2.251 is alive
> resolve_wins: using WINS server 192.168.2.251 and tag '*'
> samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fcb85f853b0] mpx_fde[(nil)]
> fd[13] - disabling
> wins_srv_is_dead: 192.168.2.251 is alive
> Marking wins server 192.168.2.251 dead for 600 seconds from source
> 192.168.2.251
> resolve_hosts: Attempting host lookup for name pdc.ttu.red<0x20>
> namecache_store: storing 1 address for pdc.ttu.red#20: 192.168.2.251
> Connecting to 192.168.2.251 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_SNDBUF = 24040
> SO_RCVBUF = 87380
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_TARGET_INFO
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 168
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
> get_dc_list: preferred server list: "pdc.ttu.red, *"
> no entry for ttu.red#1C found.
> resolve_ads: Attempting to resolve KDCs for ttu.red using DNS
> ads_dns_lookup_srv: 1 records returned in the answer section.
> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
> name pdc.ttu.red#20 found.
> get_dc_list: returning 2 ip addresses in an ordered list
> get_dc_list: 192.168.2.251:0 192.168.2.251:88
> create_local_private_krb5_conf_for_domain: wrote file
> /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list =
> kdc = 192.168.2.251
>
> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 40
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 44
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 12
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 12
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
> name pdc.ttu.red#20 found.
> ads_try_connect: sending CLDAP request to 192.168.2.251 (realm: ttu.red)
> Successfully contacted LDAP server 192.168.2.251
> Connected to LDAP server pdc.ttu.red
> KDC time offset is 0 seconds
> Found SASL mechanism GSS-SPNEGO
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name =
> not_defined_in_RFC4178 at please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
> directorio)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom,
> 26 abr 2015 00:04:50 CEST
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'TTU'
> dns_domain_name : 'ttu.red'
> forest_name : 'ttu.red'
> dn : NULL
> domain_sid : *
> domain_sid :
> S-1-5-21-127850397-371183867-665961664
> modified_config : 0x00 (0)
> error_string : 'failed to connect to AD: Invalid
> credentials'
> domain_is_ad : 0x01 (1)
> result : WERR_GENERAL_FAILURE
> Failed to join domain: failed to connect to AD: Invalid credentials
> return code = -1
> -----------------------------------------------------------------------
> -----------------------------------------------------------------------
>
> I've tried commands like:
> smbclient -L 192.168.2.251 -U%
> kinit administrator@TTU.RED
> klist -c
>
> All are working.
> I've tried to create a test domain instead of upgrading, with the same config, and
> join ads is working... Can it be the upgrade process?
>
> Thanks!!
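As an added example (not from this thread or the Samba project), a small POSIX shell linter that reproduces the "badly formed line" check Samba's params.c applies, run over a constructed smb.conf that carries the stray rfc2307 line from the post, and that also flags settings which differ from what the Setup_a_Samba_AD_Member_Server page uses. The expected values it checks against (security = ads, server role = member server) are taken from that wiki page and are an assumption here, not something the reply states.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed sample smb.conf that
# reproduces the stray "rfc2307" line before [global] seen in the debug log.
SAMPLE_SMB_CONF=$(cat <<'EOF'
rfc2307
[global]
security = domain
workgroup = TTU
realm = ttu.red
server role = standalone server
winbind nss info = rfc2307
idmap config TTU : backend = ad
EOF
)

# Print lines that are neither blank, comment, [section] nor "key = value";
# these are the lines Samba logs as "Ignoring badly formed line".
badly_formed_lines() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*$/ { next }                    # blank
        /^[[:space:]]*[#;]/ { next }                 # comment
        /^[[:space:]]*\[.*\][[:space:]]*$/ { next }  # [section]
        /=/ { next }                                 # key = value
        { print NR ": " $0 }
    '
}

# Print the trimmed value of a parameter (key match is case-insensitive).
smb_param() {
    printf '%s\n' "$1" | awk -v key="$2" -F= '
        BEGIN { key = tolower(key) }
        /=/ {
            k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }
    '
}

# Return 0 when the config matches an AD member server setup (assumed values
# from the wiki page: security = ads, server role = member server), else 1.
check_member_server() {
    rc=0
    bad=$(badly_formed_lines "$1")
    [ -n "$bad" ] && { echo "badly formed line(s): $bad"; rc=1; }
    sec=$(smb_param "$1" "security" | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || { echo "security = '$sec', AD member join needs 'ads'"; rc=1; }
    role=$(smb_param "$1" "server role" | tr 'A-Z' 'a-z')
    [ "$role" = "member server" ] || { echo "server role = '$role', expected 'member server'"; rc=1; }
    return $rc
}
```

Run `check_member_server "$(cat /etc/samba/smb.conf)"` against a real file to get the same three findings before retrying the join.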