[Samba] I can't join the new AD server with Samba4

Rowland Penny rowlandpenny at googlemail.com
Sat Apr 25 07:17:57 MDT 2015


On 25/04/15 14:02, Daniel Carrasco Marín wrote:
> Sorry, I forgot to revert another test I did, but the result is the same:
>
> ---------------------------------------------------------------------------------------------------------------------------------------
> ---------------------------------------------------------------------------------------------------------------------------------------
> sudo net ads join -U "Administrator" -d 5
> INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
>   scavenger: 5
>   dns: 5
>   ldb: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
>   scavenger: 5
>   dns: 5
>   ldb: 5
> params.c:pm_process() - Processing configuration file 
> "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = TTU
> doing parameter security = ADS
> doing parameter realm = TTU.RED
> doing parameter dedicated keytab file = /etc/krb5.keytab
> doing parameter kerberos method = secrets and keytab
> doing parameter idmap config *:backend = tdb
> doing parameter idmap config *:range = 2000-9999
> doing parameter idmap config TTU:backend = ad
> doing parameter idmap config TTU:schema_mode = rfc2307
> doing parameter idmap config TTU:range = 10000-99999
> doing parameter winbind nss info = rfc2307
> doing parameter winbind trusted domains only = no
> doing parameter winbind use default domain = yes
> doing parameter winbind enum users = yes
> doing parameter winbind enum groups = yes
> doing parameter winbind refresh tickets = Yes
> doing parameter winbind expand groups = 4
> doing parameter winbind normalize names = Yes
> doing parameter domain master = no
> doing parameter local master = no
> doing parameter vfs objects = acl_xattr
> doing parameter map acl inherit = Yes
> doing parameter store dos attributes = Yes
> pm_process() returned Yes
> Netbios name list:-
> my_netbios_names[0]="GLOTON"
> added interface eth1 ip=172.30.0.230 bcast=172.30.0.255 
> netmask=255.255.255.0
> added interface eth0 ip=192.168.2.230 bcast=192.168.2.255 
> netmask=255.255.255.0
> Registering messaging pointer for type 2 - private_data=(nil)
> Registering messaging pointer for type 9 - private_data=(nil)
> Registered MSG_REQ_POOL_USAGE
> Registering messaging pointer for type 11 - private_data=(nil)
> Registering messaging pointer for type 12 - private_data=(nil)
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Registering messaging pointer for type 1 - private_data=(nil)
> Registering messaging pointer for type 5 - private_data=(nil)
> Enter Administrator's password:
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         in: struct libnet_JoinCtx
>             dc_name                  : NULL
>             machine_name             : 'GLOTON'
>             domain_name              : *
>                 domain_name              : 'TTU.RED'
>             account_ou               : NULL
>             admin_account            : 'Administrator'
>             machine_password         : NULL
>             join_flags               : 0x00000023 (35)
>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>             os_version               : NULL
>             os_name                  : NULL
>             create_upn               : 0x00 (0)
>             upn                      : NULL
>             modify_config            : 0x00 (0)
>             ads                      : NULL
>             debug                    : 0x01 (1)
>             use_kerberos             : 0x00 (0)
>             secure_channel_type      : SEC_CHAN_WKSTA (2)
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/run/samba/gencache_notrans.tdb
> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
> ads_dns_lookup_srv: 1 records returned in the answer section.
> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
> name pdc.ttu.red#20 found.
> Connecting to 192.168.2.251 at port 445
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_SNDBUF = 24040
>         SO_RCVBUF = 87380
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_NTLM2
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_NTLM2
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_NTLM2
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 168
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
> get_dc_list: preferred server list: "pdc.ttu.red, *"
> name ttu.red#1C found.
> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
> name pdc.ttu.red#20 found.
> get_dc_list: returning 1 ip addresses in an ordered list
> get_dc_list: 192.168.2.251:389
> create_local_private_krb5_conf_for_domain: wrote file 
> /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list 
> =       kdc = 192.168.2.251
>
> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 40
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 44
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 12
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 12
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host pdc.ttu.red
> rpc_read_send: data_to_read: 32
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
> name pdc.ttu.red#20 found.
> ads_try_connect: sending CLDAP request to 192.168.2.251 (realm: ttu.red)
> Successfully contacted LDAP server 192.168.2.251
> Connected to LDAP server pdc.ttu.red
> KDC time offset is 0 seconds
> Found SASL mechanism GSS-SPNEGO
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name = 
> not_defined_in_RFC4178 at please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o 
> el directorio)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration 
> dom, 26 abr 2015 00:59:09 CEST
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'TTU'
>             dns_domain_name          : 'ttu.red'
>             forest_name              : 'ttu.red'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid               : 
> S-1-5-21-127850397-371183867-665961664
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to connect to AD: 
> Invalid credentials'
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_GENERAL_FAILURE
> Failed to join domain: failed to connect to AD: Invalid credentials
> return code = -1
> ---------------------------------------------------------------------------------------------------------------------------------------
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Greetings!!
>
> 2015-04-25 14:52 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>     On 25/04/15 13:27, Daniel Carrasco Marín wrote:
>
>         Hi, I'm sorry for my English.
>
>         I've migrated an old 3.6 samba domain to Samba 4.1 and the
>         windows part is
>         working fine (I can join and manage the server from a Windows
>         Machine), but
>         when I try to join the domain from another linux server it fails.
>
>         I've followed this guide to migrate:
>         https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
>
>         and this for join:
>         https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
>         My config file looks like the guide
>
>
>     From what you have posted, your smb.conf doesn't seem to look
>     anything like the one on the member server page:
>
>     [global]
>     security = domain
>     workgroup = TTU
>     realm = ttu.red
>     wins server = 192.168.2.251
>     server role = standalone server
>     passdb backend = tdbsam
>     domain master = no
>     server string = Print Server
>     encrypt passwords = yes
>     winbind nss info = rfc2307
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind refresh tickets = Yes
>     winbind normalize names = yes
>     idmap config TTU : backend = ad
>     idmap config * : backend = tdb
>     idmap config * : range = 1000-20000000
>
>     There is also this:
>
>     params.c:Parameter() - Ignoring badly formed line in configuration
>     file: rfc2307
>
>     Rowland
>
>
>           and the join command shows:
>         -----------------------------------------------------------------------
>         -----------------------------------------------------------------------
>         # net ads join -UAdministrator -d 5
>         INFO: Current debug levels:
>            all: 5
>            tdb: 5
>            printdrivers: 5
>            lanman: 5
>            smb: 5
>            rpc_parse: 5
>            rpc_srv: 5
>            rpc_cli: 5
>            passdb: 5
>            sam: 5
>            auth: 5
>            winbind: 5
>            vfs: 5
>            idmap: 5
>            quota: 5
>            acls: 5
>            locking: 5
>            msdfs: 5
>            dmapi: 5
>            registry: 5
>            scavenger: 5
>            dns: 5
>            ldb: 5
>         lp_load_ex: refreshing parameters
>         Initialising global parameters
>         rlimit_max: increasing rlimit_max (1024) to minimum Windows
>         limit (16384)
>         INFO: Current debug levels:
>            all: 5
>            tdb: 5
>            printdrivers: 5
>            lanman: 5
>            smb: 5
>            rpc_parse: 5
>            rpc_srv: 5
>            rpc_cli: 5
>            passdb: 5
>            sam: 5
>            auth: 5
>            winbind: 5
>            vfs: 5
>            idmap: 5
>            quota: 5
>            acls: 5
>            locking: 5
>            msdfs: 5
>            dmapi: 5
>            registry: 5
>            scavenger: 5
>            dns: 5
>            ldb: 5
>         params.c:pm_process() - Processing configuration file
>         "/etc/samba/smb.conf"
>         params.c:Parameter() - Ignoring badly formed line in
>         configuration file:
>         rfc2307[global]
>         doing parameter security = domain
>         doing parameter workgroup = TTU
>         doing parameter realm = ttu.red
>         doing parameter wins server = 192.168.2.251
>         doing parameter server role = standalone server
>         doing parameter passdb backend = tdbsam
>         doing parameter domain master = no
>         doing parameter server string = Print Server
>         doing parameter encrypt passwords = yes
>         doing parameter winbind nss info = rfc2307
>         doing parameter winbind enum users = Yes
>         doing parameter winbind enum groups = Yes
>         doing parameter winbind use default domain = Yes
>         doing parameter winbind refresh tickets = Yes
>         doing parameter winbind normalize names = yes
>         doing parameter idmap config TTU : backend = ad
>         doing parameter idmap config * : backend = tdb
>         doing parameter idmap config * : range = 1000-20000000
>         pm_process() returned Yes
>         Netbios name list:-
>         my_netbios_names[0]="GLOTON"
>         added interface eth1 ip=172.30.0.230 bcast=172.30.0.255
>         netmask=255.255.255.0
>         added interface eth0 ip=192.168.2.230 bcast=192.168.2.255
>         netmask=255.255.255.0
>         Registering messaging pointer for type 2 - private_data=(nil)
>         Registering messaging pointer for type 9 - private_data=(nil)
>         Registered MSG_REQ_POOL_USAGE
>         Registering messaging pointer for type 11 - private_data=(nil)
>         Registering messaging pointer for type 12 - private_data=(nil)
>         Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>         Registering messaging pointer for type 1 - private_data=(nil)
>         Registering messaging pointer for type 5 - private_data=(nil)
>         Enter Administrator's password:
>         libnet_Join:
>              libnet_JoinCtx: struct libnet_JoinCtx
>                  in: struct libnet_JoinCtx
>                      dc_name                  : NULL
>                      machine_name             : 'GLOTON'
>                      domain_name              : *
>                          domain_name              : 'TTU.RED'
>                      account_ou               : NULL
>                      admin_account            : 'Administrator'
>                      machine_password         : NULL
>                      join_flags               : 0x00000023 (35)
>                             0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>                             0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>                             0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>                             0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>                             0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>                             0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>                             1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>                             0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>                             0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>                             1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>                             1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>                      os_version               : NULL
>                      os_name                  : NULL
>                      create_upn               : 0x00 (0)
>                      upn                      : NULL
>                      modify_config            : 0x00 (0)
>                      ads                      : NULL
>                      debug                    : 0x01 (1)
>                      use_kerberos             : 0x00 (0)
>                      secure_channel_type      : SEC_CHAN_WKSTA (2)
>         Opening cache file at /var/cache/samba/gencache.tdb
>         Opening cache file at /var/run/samba/gencache_notrans.tdb
>         sitename_fetch: Returning sitename for TTU.RED:
>         "Default-First-Site-Name"
>         ads_dns_lookup_srv: 1 records returned in the answer section.
>         sitename_fetch: Returning sitename for TTU.RED:
>         "Default-First-Site-Name"
>         no entry for pdc.ttu.red#20 found.
>         resolve_lmhosts: Attempting lmhosts lookup for name
>         pdc.ttu.red<0x20>
>         resolve_lmhosts: Attempting lmhosts lookup for name
>         pdc.ttu.red<0x20>
>         startlmhosts: Can't open lmhosts file /etc/samba/lmhosts.
>         Error was No
>         existe el fichero o el directorio
>         wins_srv_is_dead: 192.168.2.251 is alive
>         resolve_wins: using WINS server 192.168.2.251 and tag '*'
>         samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fcb85f853b0]
>         mpx_fde[(nil)]
>         fd[13] - disabling
>         wins_srv_is_dead: 192.168.2.251 is alive
>         Marking wins server 192.168.2.251 dead for 600 seconds from source
>         192.168.2.251
>         resolve_hosts: Attempting host lookup for name pdc.ttu.red<0x20>
>         namecache_store: storing 1 address for pdc.ttu.red#20:
>         192.168.2.251
>         Connecting to 192.168.2.251 at port 445
>         Socket options:
>                  SO_KEEPALIVE = 0
>                  SO_REUSEADDR = 0
>                  SO_BROADCAST = 0
>                  TCP_NODELAY = 1
>                  TCP_KEEPCNT = 9
>                  TCP_KEEPIDLE = 7200
>                  TCP_KEEPINTVL = 75
>                  IPTOS_LOWDELAY = 0
>                  IPTOS_THROUGHPUT = 0
>                  SO_SNDBUF = 24040
>                  SO_RCVBUF = 87380
>                  SO_SNDLOWAT = 1
>                  SO_RCVLOWAT = 1
>                  SO_SNDTIMEO = 0
>                  SO_RCVTIMEO = 0
>                  TCP_QUICKACK = 1
>                  TCP_DEFER_ACCEPT = 0
>         Doing spnego session setup (blob length=96)
>         got OID=1.2.840.48018.1.2.2
>         got OID=1.2.840.113554.1.2.2
>         got OID=1.3.6.1.4.1.311.2.2.10
>         got principal=not_defined_in_RFC4178 at please_ignore
>         Got challenge flags:
>         Got NTLMSSP neg_flags=0x60898215
>            NTLMSSP_NEGOTIATE_UNICODE
>            NTLMSSP_REQUEST_TARGET
>            NTLMSSP_NEGOTIATE_SIGN
>            NTLMSSP_NEGOTIATE_NTLM
>            NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>            NTLMSSP_NEGOTIATE_NTLM2
>            NTLMSSP_NEGOTIATE_TARGET_INFO
>            NTLMSSP_NEGOTIATE_128
>            NTLMSSP_NEGOTIATE_KEY_EXCH
>         NTLMSSP: Set final flags:
>         Got NTLMSSP neg_flags=0x60088215
>            NTLMSSP_NEGOTIATE_UNICODE
>            NTLMSSP_REQUEST_TARGET
>            NTLMSSP_NEGOTIATE_SIGN
>            NTLMSSP_NEGOTIATE_NTLM
>            NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>            NTLMSSP_NEGOTIATE_NTLM2
>            NTLMSSP_NEGOTIATE_128
>            NTLMSSP_NEGOTIATE_KEY_EXCH
>         NTLMSSP Sign/Seal - Initialising with flags:
>         Got NTLMSSP neg_flags=0x60088215
>            NTLMSSP_NEGOTIATE_UNICODE
>            NTLMSSP_REQUEST_TARGET
>            NTLMSSP_NEGOTIATE_SIGN
>            NTLMSSP_NEGOTIATE_NTLM
>            NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>            NTLMSSP_NEGOTIATE_NTLM2
>            NTLMSSP_NEGOTIATE_128
>            NTLMSSP_NEGOTIATE_KEY_EXCH
>         Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 52
>         check_bind_response: accepted!
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 32
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 168
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 32
>         saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
>         get_dc_list: preferred server list: "pdc.ttu.red, *"
>         no entry for ttu.red#1C found.
>         resolve_ads: Attempting to resolve KDCs for ttu.red using DNS
>         ads_dns_lookup_srv: 1 records returned in the answer section.
>         sitename_fetch: Returning sitename for TTU.RED:
>         "Default-First-Site-Name"
>         name pdc.ttu.red#20 found.
>         get_dc_list: returning 2 ip addresses in an ordered list
>         get_dc_list: 192.168.2.251:0
>         192.168.2.251:88
>         create_local_private_krb5_conf_for_domain: wrote file
>         /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC
>         list =
>         kdc = 192.168.2.251
>
>         Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 52
>         check_bind_response: accepted!
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 32
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 32
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 40
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 44
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 32
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 12
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 12
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 32
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 32
>         rpc_api_pipe: host pdc.ttu.red
>         rpc_read_send: data_to_read: 32
>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>         sitename_fetch: Returning sitename for TTU.RED:
>         "Default-First-Site-Name"
>         name pdc.ttu.red#20 found.
>         ads_try_connect: sending CLDAP request to 192.168.2.251
>         (realm: ttu.red)
>         Successfully contacted LDAP server 192.168.2.251
>         Connected to LDAP server pdc.ttu.red
>         KDC time offset is 0 seconds
>         Found SASL mechanism GSS-SPNEGO
>         ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>         ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>         ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>         ads_sasl_spnego_bind: got server principal name =
>         not_defined_in_RFC4178 at please_ignore
>         ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el
>         fichero o el
>         directorio)
>         ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
>         expiration dom,
>         26 abr 2015 00:04:50 CEST
>         kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
>         credentials
>         libnet_Join:
>              libnet_JoinCtx: struct libnet_JoinCtx
>                  out: struct libnet_JoinCtx
>                      account_name             : NULL
>                      netbios_domain_name      : 'TTU'
>                      dns_domain_name          : 'ttu.red'
>                      forest_name              : 'ttu.red'
>                      dn                       : NULL
>                      domain_sid               : *
>                          domain_sid               :
>         S-1-5-21-127850397-371183867-665961664
>                      modified_config          : 0x00 (0)
>                      error_string             : 'failed to connect to
>         AD: Invalid
>         credentials'
>                      domain_is_ad             : 0x01 (1)
>                      result                   : WERR_GENERAL_FAILURE
>         Failed to join domain: failed to connect to AD: Invalid
>         credentials
>         return code = -1
>         -----------------------------------------------------------------------
>         -----------------------------------------------------------------------
>
>         I've tried commands like:
>         smbclient -L 192.168.2.251 -U%
>         kinit administrator@ <administrator at CASA.RED>TTU.RED
>         klist -c
>
>         All are working.
>         I've tried to create a test domain instead of upgrading, with the same
>         config, and
>         join ads is working... Can it be the upgrade progress?
>
>         Thanks!!
>
>

OK, there is this:
ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el 
directorio)

The last part seems to translate to: There is no such file or directory,
so what have you got in /etc/krb5.conf?
Does /etc/krb5.keytab exist? If it does, remove it.
Does /etc/resolv.conf point to the DC?
Are you sure that you are using the correct password for Administrator?

Rowland
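
The file checks asked for in the reply above, scripted as an added example (not part of the original post and not Samba's own tooling). The function names are hypothetical, the sample files are constructed, and only the DC address 192.168.2.251 and realm TTU.RED come from the quoted log.

```sh
#!/bin/sh
# Pre-join checks for a Samba AD member server. Every path is passed in as an
# argument, so the functions can be pointed at copies of the real files.

# Print the first "nameserver" address from a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Usage: prejoin_report RESOLV_CONF KRB5_CONF KEYTAB DC_IP REALM
# Prints one line per finding and returns the number of findings.
prejoin_report() {
    pj_resolv=$1 pj_krb5=$2 pj_keytab=$3 pj_dc=$4 pj_realm=$5
    pj_problems=0

    # "Does /etc/resolv.conf point to the DC?"
    pj_ns=$(first_nameserver "$pj_resolv")
    if [ "$pj_ns" != "$pj_dc" ]; then
        echo "resolv.conf: first nameserver is '${pj_ns:-none}', expected DC $pj_dc"
        pj_problems=$((pj_problems + 1))
    fi

    # "What have you got in /etc/krb5.conf?" Realm names are case-sensitive.
    pj_dr=$(krb5_default_realm "$pj_krb5")
    if [ "$pj_dr" != "$pj_realm" ]; then
        echo "krb5.conf: default_realm is '${pj_dr:-unset}', expected $pj_realm"
        pj_problems=$((pj_problems + 1))
    fi

    # "Does /etc/krb5.keytab exist? If it does, remove it."
    if [ -e "$pj_keytab" ]; then
        echo "keytab: $pj_keytab exists; the reply advises removing it before retrying the join"
        pj_problems=$((pj_problems + 1))
    fi

    [ "$pj_problems" -eq 0 ] && echo "pre-join checks passed"
    return "$pj_problems"
}

# Constructed sample files (not taken from the poster's machine): the DC is
# only the second resolver and a leftover keytab is present.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'search ttu.red\nnameserver 192.168.2.1\nnameserver 192.168.2.251\n' \
    > "$demo/resolv.conf"
printf '[libdefaults]\n    default_realm = TTU.RED\n    dns_lookup_kdc = true\n' \
    > "$demo/krb5.conf"
: > "$demo/krb5.keytab"

prejoin_report "$demo/resolv.conf" "$demo/krb5.conf" "$demo/krb5.keytab" \
    192.168.2.251 TTU.RED
echo "findings: $?"
```

On a real member server the arguments would be /etc/resolv.conf, /etc/krb5.conf and /etc/krb5.keytab; the Administrator password still has to be verified by hand.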