[Samba] I can't join the new AD server with Samba4
Daniel Carrasco Marín
danielmadrid19 at gmail.com
Sat Apr 25 08:44:49 MDT 2015
2015-04-25 15:17 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 25/04/15 14:02, Daniel Carrasco Marín wrote:
>
>> Sorry, I forgot to revert another test I did, but the result is the same:
>>
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------
>> sudo net ads join -U "Administrator" -d 5
>> INFO: Current debug levels:
>> all: 5
>> tdb: 5
>> printdrivers: 5
>> lanman: 5
>> smb: 5
>> rpc_parse: 5
>> rpc_srv: 5
>> rpc_cli: 5
>> passdb: 5
>> sam: 5
>> auth: 5
>> winbind: 5
>> vfs: 5
>> idmap: 5
>> quota: 5
>> acls: 5
>> locking: 5
>> msdfs: 5
>> dmapi: 5
>> registry: 5
>> scavenger: 5
>> dns: 5
>> ldb: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> INFO: Current debug levels:
>> all: 5
>> tdb: 5
>> printdrivers: 5
>> lanman: 5
>> smb: 5
>> rpc_parse: 5
>> rpc_srv: 5
>> rpc_cli: 5
>> passdb: 5
>> sam: 5
>> auth: 5
>> winbind: 5
>> vfs: 5
>> idmap: 5
>> quota: 5
>> acls: 5
>> locking: 5
>> msdfs: 5
>> dmapi: 5
>> registry: 5
>> scavenger: 5
>> dns: 5
>> ldb: 5
>> params.c:pm_process() - Processing configuration file
>> "/etc/samba/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = TTU
>> doing parameter security = ADS
>> doing parameter realm = TTU.RED
>> doing parameter dedicated keytab file = /etc/krb5.keytab
>> doing parameter kerberos method = secrets and keytab
>> doing parameter idmap config *:backend = tdb
>> doing parameter idmap config *:range = 2000-9999
>> doing parameter idmap config TTU:backend = ad
>> doing parameter idmap config TTU:schema_mode = rfc2307
>> doing parameter idmap config TTU:range = 10000-99999
>> doing parameter winbind nss info = rfc2307
>> doing parameter winbind trusted domains only = no
>> doing parameter winbind use default domain = yes
>> doing parameter winbind enum users = yes
>> doing parameter winbind enum groups = yes
>> doing parameter winbind refresh tickets = Yes
>> doing parameter winbind expand groups = 4
>> doing parameter winbind normalize names = Yes
>> doing parameter domain master = no
>> doing parameter local master = no
>> doing parameter vfs objects = acl_xattr
>> doing parameter map acl inherit = Yes
>> doing parameter store dos attributes = Yes
>> pm_process() returned Yes
>> Netbios name list:-
>> my_netbios_names[0]="GLOTON"
>> added interface eth1 ip=172.30.0.230 bcast=172.30.0.255
>> netmask=255.255.255.0
>> added interface eth0 ip=192.168.2.230 bcast=192.168.2.255
>> netmask=255.255.255.0
>> Registering messaging pointer for type 2 - private_data=(nil)
>> Registering messaging pointer for type 9 - private_data=(nil)
>> Registered MSG_REQ_POOL_USAGE
>> Registering messaging pointer for type 11 - private_data=(nil)
>> Registering messaging pointer for type 12 - private_data=(nil)
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> Registering messaging pointer for type 1 - private_data=(nil)
>> Registering messaging pointer for type 5 - private_data=(nil)
>> Enter Administrator's password:
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> in: struct libnet_JoinCtx
>> dc_name : NULL
>> machine_name : 'GLOTON'
>> domain_name : *
>> domain_name : 'TTU.RED'
>> account_ou : NULL
>> admin_account : 'Administrator'
>> machine_password : NULL
>> join_flags : 0x00000023 (35)
>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>> os_version : NULL
>> os_name : NULL
>> create_upn : 0x00 (0)
>> upn : NULL
>> modify_config : 0x00 (0)
>> ads : NULL
>> debug : 0x01 (1)
>> use_kerberos : 0x00 (0)
>> secure_channel_type : SEC_CHAN_WKSTA (2)
>> Opening cache file at /var/cache/samba/gencache.tdb
>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> ads_dns_lookup_srv: 1 records returned in the answer section.
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> Connecting to 192.168.2.251 at port 445
>> Socket options:
>> SO_KEEPALIVE = 0
>> SO_REUSEADDR = 0
>> SO_BROADCAST = 0
>> TCP_NODELAY = 1
>> TCP_KEEPCNT = 9
>> TCP_KEEPIDLE = 7200
>> TCP_KEEPINTVL = 75
>> IPTOS_LOWDELAY = 0
>> IPTOS_THROUGHPUT = 0
>> SO_SNDBUF = 24040
>> SO_RCVBUF = 87380
>> SO_SNDLOWAT = 1
>> SO_RCVLOWAT = 1
>> SO_SNDTIMEO = 0
>> SO_RCVTIMEO = 0
>> TCP_QUICKACK = 1
>> TCP_DEFER_ACCEPT = 0
>> Doing spnego session setup (blob length=96)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>> NTLMSSP_NEGOTIATE_UNICODE
>> NTLMSSP_REQUEST_TARGET
>> NTLMSSP_NEGOTIATE_SIGN
>> NTLMSSP_NEGOTIATE_NTLM
>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> NTLMSSP_NEGOTIATE_NTLM2
>> NTLMSSP_NEGOTIATE_TARGET_INFO
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>> NTLMSSP_NEGOTIATE_UNICODE
>> NTLMSSP_REQUEST_TARGET
>> NTLMSSP_NEGOTIATE_SIGN
>> NTLMSSP_NEGOTIATE_NTLM
>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> NTLMSSP_NEGOTIATE_NTLM2
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>> NTLMSSP_NEGOTIATE_UNICODE
>> NTLMSSP_REQUEST_TARGET
>> NTLMSSP_NEGOTIATE_SIGN
>> NTLMSSP_NEGOTIATE_NTLM
>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> NTLMSSP_NEGOTIATE_NTLM2
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 168
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
>> get_dc_list: preferred server list: "pdc.ttu.red, *"
>> name ttu.red#1C found.
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> get_dc_list: returning 1 ip addresses in an ordered list
>> get_dc_list: 192.168.2.251:389
>>
>> create_local_private_krb5_conf_for_domain: wrote file
>> /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list =
>> kdc = 192.168.2.251
>>
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 40
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 44
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> ads_try_connect: sending CLDAP request to 192.168.2.251 (realm: ttu.red)
>> Successfully contacted LDAP server 192.168.2.251
>> Connected to LDAP server pdc.ttu.red
>> KDC time offset is 0 seconds
>> Found SASL mechanism GSS-SPNEGO
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name =
>> not_defined_in_RFC4178 at please_ignore
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
>> directorio)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
>> dom, 26 abr 2015 00:59:09 CEST
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> out: struct libnet_JoinCtx
>> account_name : NULL
>> netbios_domain_name : 'TTU'
>> dns_domain_name : 'ttu.red'
>> forest_name : 'ttu.red'
>> dn : NULL
>> domain_sid : *
>> domain_sid : S-1-5-21-127850397-371183867-
>> 665961664
>> modified_config : 0x00 (0)
>> error_string : 'failed to connect to AD: Invalid
>> credentials'
>> domain_is_ad : 0x01 (1)
>> result : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid credentials
>> return code = -1
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------
>>
>> Greetings!!
>>
>> 2015-04-25 14:52 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>
>> On 25/04/15 13:27, Daniel Carrasco Marín wrote:
>>
>> Hi, I'm sorry for my English.
>>
>> I've migrated an old 3.6 Samba domain to Samba 4.1 and the
>> Windows part is
>> working fine (I can join and manage the server from a Windows
>> machine), but
>> when I try to join the domain from another Linux server it fails.
>>
>> I've followed this guide to migrate:
>>
>> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
>>
>> and this for join:
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> My config file looks like the one in the guide.
>>
>>
>> From what you have posted, your smb.conf doesn't seem to look
>> anything like the one on the member server page:
>>
>> [global]
>> security = domain
>> workgroup = TTU
>> realm = ttu.red
>> wins server = 192.168.2.251
>> server role = standalone server
>> passdb backend = tdbsam
>> domain master = no
>> server string = Print Server
>> encrypt passwords = yes
>> winbind nss info = rfc2307
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind refresh tickets = Yes
>> winbind normalize names = yes
>> idmap config TTU : backend = ad
>> idmap config * : backend = tdb
>> idmap config * : range = 1000-20000000
>>
>> There is also this:
>>
>> params.c:Parameter() - Ignoring badly formed line in configuration
>> file: rfc2307
>>
>> Rowland
>>
>>
>> and the join command shows:
>>
>> -----------------------------------------------------------------------
>> # net ads join -UAdministrator -d 5
>> INFO: Current debug levels:
>> all: 5
>> tdb: 5
>> printdrivers: 5
>> lanman: 5
>> smb: 5
>> rpc_parse: 5
>> rpc_srv: 5
>> rpc_cli: 5
>> passdb: 5
>> sam: 5
>> auth: 5
>> winbind: 5
>> vfs: 5
>> idmap: 5
>> quota: 5
>> acls: 5
>> locking: 5
>> msdfs: 5
>> dmapi: 5
>> registry: 5
>> scavenger: 5
>> dns: 5
>> ldb: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows
>> limit (16384)
>> INFO: Current debug levels:
>> all: 5
>> tdb: 5
>> printdrivers: 5
>> lanman: 5
>> smb: 5
>> rpc_parse: 5
>> rpc_srv: 5
>> rpc_cli: 5
>> passdb: 5
>> sam: 5
>> auth: 5
>> winbind: 5
>> vfs: 5
>> idmap: 5
>> quota: 5
>> acls: 5
>> locking: 5
>> msdfs: 5
>> dmapi: 5
>> registry: 5
>> scavenger: 5
>> dns: 5
>> ldb: 5
>> params.c:pm_process() - Processing configuration file
>> "/etc/samba/smb.conf"
>> params.c:Parameter() - Ignoring badly formed line in
>> configuration file:
>> rfc2307[global]
>> doing parameter security = domain
>> doing parameter workgroup = TTU
>> doing parameter realm = ttu.red
>> doing parameter wins server = 192.168.2.251
>> doing parameter server role = standalone server
>> doing parameter passdb backend = tdbsam
>> doing parameter domain master = no
>> doing parameter server string = Print Server
>> doing parameter encrypt passwords = yes
>> doing parameter winbind nss info = rfc2307
>> doing parameter winbind enum users = Yes
>> doing parameter winbind enum groups = Yes
>> doing parameter winbind use default domain = Yes
>> doing parameter winbind refresh tickets = Yes
>> doing parameter winbind normalize names = yes
>> doing parameter idmap config TTU : backend = ad
>> doing parameter idmap config * : backend = tdb
>> doing parameter idmap config * : range = 1000-20000000
>> pm_process() returned Yes
>> Netbios name list:-
>> my_netbios_names[0]="GLOTON"
>> added interface eth1 ip=172.30.0.230 bcast=172.30.0.255
>> netmask=255.255.255.0
>> added interface eth0 ip=192.168.2.230 bcast=192.168.2.255
>> netmask=255.255.255.0
>> Registering messaging pointer for type 2 - private_data=(nil)
>> Registering messaging pointer for type 9 - private_data=(nil)
>> Registered MSG_REQ_POOL_USAGE
>> Registering messaging pointer for type 11 - private_data=(nil)
>> Registering messaging pointer for type 12 - private_data=(nil)
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> Registering messaging pointer for type 1 - private_data=(nil)
>> Registering messaging pointer for type 5 - private_data=(nil)
>> Enter Administrator's password:
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> in: struct libnet_JoinCtx
>> dc_name : NULL
>> machine_name : 'GLOTON'
>> domain_name : *
>> domain_name : 'TTU.RED'
>> account_ou : NULL
>> admin_account : 'Administrator'
>> machine_password : NULL
>> join_flags : 0x00000023 (35)
>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>> os_version : NULL
>> os_name : NULL
>> create_upn : 0x00 (0)
>> upn : NULL
>> modify_config : 0x00 (0)
>> ads : NULL
>> debug : 0x01 (1)
>> use_kerberos : 0x00 (0)
>> secure_channel_type : SEC_CHAN_WKSTA (2)
>> Opening cache file at /var/cache/samba/gencache.tdb
>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>> sitename_fetch: Returning sitename for TTU.RED:
>> "Default-First-Site-Name"
>> ads_dns_lookup_srv: 1 records returned in the answer section.
>> sitename_fetch: Returning sitename for TTU.RED:
>> "Default-First-Site-Name"
>> no entry for pdc.ttu.red#20 found.
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> pdc.ttu.red<0x20>
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> pdc.ttu.red<0x20>
>> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts.
>> Error was No
>> existe el fichero o el directorio
>> wins_srv_is_dead: 192.168.2.251 is alive
>> resolve_wins: using WINS server 192.168.2.251 and tag '*'
>> samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fcb85f853b0]
>> mpx_fde[(nil)]
>> fd[13] - disabling
>> wins_srv_is_dead: 192.168.2.251 is alive
>> Marking wins server 192.168.2.251 dead for 600 seconds from source
>> 192.168.2.251
>> resolve_hosts: Attempting host lookup for name pdc.ttu.red<0x20>
>> namecache_store: storing 1 address for pdc.ttu.red#20:
>> 192.168.2.251
>> Connecting to 192.168.2.251 at port 445
>> Socket options:
>> SO_KEEPALIVE = 0
>> SO_REUSEADDR = 0
>> SO_BROADCAST = 0
>> TCP_NODELAY = 1
>> TCP_KEEPCNT = 9
>> TCP_KEEPIDLE = 7200
>> TCP_KEEPINTVL = 75
>> IPTOS_LOWDELAY = 0
>> IPTOS_THROUGHPUT = 0
>> SO_SNDBUF = 24040
>> SO_RCVBUF = 87380
>> SO_SNDLOWAT = 1
>> SO_RCVLOWAT = 1
>> SO_SNDTIMEO = 0
>> SO_RCVTIMEO = 0
>> TCP_QUICKACK = 1
>> TCP_DEFER_ACCEPT = 0
>> Doing spnego session setup (blob length=96)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>> NTLMSSP_NEGOTIATE_UNICODE
>> NTLMSSP_REQUEST_TARGET
>> NTLMSSP_NEGOTIATE_SIGN
>> NTLMSSP_NEGOTIATE_NTLM
>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> NTLMSSP_NEGOTIATE_NTLM2
>> NTLMSSP_NEGOTIATE_TARGET_INFO
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>> NTLMSSP_NEGOTIATE_UNICODE
>> NTLMSSP_REQUEST_TARGET
>> NTLMSSP_NEGOTIATE_SIGN
>> NTLMSSP_NEGOTIATE_NTLM
>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> NTLMSSP_NEGOTIATE_NTLM2
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>> NTLMSSP_NEGOTIATE_UNICODE
>> NTLMSSP_REQUEST_TARGET
>> NTLMSSP_NEGOTIATE_SIGN
>> NTLMSSP_NEGOTIATE_NTLM
>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> NTLMSSP_NEGOTIATE_NTLM2
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 168
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
>> get_dc_list: preferred server list: "pdc.ttu.red, *"
>> no entry for ttu.red#1C found.
>> resolve_ads: Attempting to resolve KDCs for ttu.red using DNS
>> ads_dns_lookup_srv: 1 records returned in the answer section.
>> sitename_fetch: Returning sitename for TTU.RED:
>> "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> get_dc_list: returning 2 ip addresses in an ordered list
>> get_dc_list: 192.168.2.251:0
>> 192.168.2.251:88
>>
>> create_local_private_krb5_conf_for_domain: wrote file
>> /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC
>> list =
>> kdc = 192.168.2.251
>>
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 40
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 44
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> sitename_fetch: Returning sitename for TTU.RED:
>> "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> ads_try_connect: sending CLDAP request to 192.168.2.251
>> (realm: ttu.red)
>> Successfully contacted LDAP server 192.168.2.251
>> Connected to LDAP server pdc.ttu.red
>> KDC time offset is 0 seconds
>> Found SASL mechanism GSS-SPNEGO
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name =
>> not_defined_in_RFC4178 at please_ignore
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el
>> fichero o el
>> directorio)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
>> expiration dom,
>> 26 abr 2015 00:04:50 CEST
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
>> credentials
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> out: struct libnet_JoinCtx
>> account_name : NULL
>> netbios_domain_name : 'TTU'
>> dns_domain_name : 'ttu.red'
>> forest_name : 'ttu.red'
>> dn : NULL
>> domain_sid : *
>> domain_sid :
>> S-1-5-21-127850397-371183867-665961664
>> modified_config : 0x00 (0)
>> error_string : 'failed to connect to
>> AD: Invalid
>> credentials'
>> domain_is_ad : 0x01 (1)
>> result : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid
>> credentials
>> return code = -1
>>
>> -----------------------------------------------------------------------
>>
>> I've tried commands like:
>> smbclient -L 192.168.2.251 -U%
>> kinit administrator at TTU.RED
>> klist -c
>>
>> All are working.
>> I've tried creating a test domain instead of upgrading, with the same
>> config, and
>> the ads join works... could it be the upgrade process?
>>
>> Thanks!!
>>
>>
>> -- To unsubscribe from this list go to the following URL and read
>> the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> OK, there is this:
> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
> directorio)
>
> The last part seems to translate to: There is no such file or directory,
> so what have you got in /etc/krb5.conf ?
>
Thanks!!
On the AD server I've linked the Kerberos file to the one in the Samba folder:
lrwxrwxrwx 1 root root 32 abr 25 16:23 krb5.conf ->
/var/lib/samba/private/krb5.conf
On the client I have the default:
[libdefaults]
default_realm = TTU.RED
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
........
[realms]
TTU.RED = {
kdc = pdc
admin_server = pdc
}
........
> Does /etc/krb5.keytab exist, if it does, remove it.
>
Deleted, but nothing changed.
> Does /etc/resolv.conf point to the DC ?
>
Yes:
cat /etc/resolv.conf
domain TTU
nameserver 192.168.2.251
> Are you sure that you are using the correct password for Administrator ?
>
Yes, I've even tried changing the password to another one, and other commands
work fine, for example "kinit administrator at TTU.RED" and "klist -c":
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at TTU.RED
Valid starting Expires Service principal
25/04/15 16:36:10 26/04/15 02:36:10 krbtgt/TTU.RED at TTU.RED
renew until 26/04/15 16:36:06
I've linked the file shown in the log to krb5.conf:
ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
I got the same error:
.......
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178 at please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
directorio)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom,
26 abr 2015 02:37:30 CEST
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'TTU'
dns_domain_name : 'ttu.red'
forest_name : 'ttu.red'
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-127850397-371183867-665961664
modified_config : 0x00 (0)
error_string : 'failed to connect to AD: Invalid
credentials'
domain_is_ad : 0x01 (1)
result : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Invalid credentials
return code = -1
I can run commands like "net ads rpc -U Administrator" and they work fine; I
can even get some AD info:
# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: TTU
Domain SID: S-1-5-21-127850397-371183867-665961664
Sequence number: 1
Num users: 144
Num domain groups: 42
Num local groups: 26
It's strange because, as I said, if I create a new domain without upgrading,
I can join that domain even without krb5-client installed.
Greetings!!
>
> Rowland
>
>
>
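Added by the editor, not part of the thread or of Samba's own code: a small Python helper that applies the two checks this exchange keeps coming back to. It parses an smb.conf for lines params.c would reject as badly formed, and reads a `net ads join -d 5` trace to report how far the join got and which of the failure lines quoted above appear (the kinit-succeeded-but-bind-failed line, the ccache principal error, WINS falling back to DNS, the KDC time offset). The sample smb.conf and trace are constructed from lines quoted in the thread (the Spanish locale message translated to English); the 300-second skew limit is the usual Kerberos default, assumed here, and the stage names are the editor's labels, not Samba's.

```python
import re

# Constructed sample smb.conf reproducing the stray line Samba reported in the
# thread ("Ignoring badly formed line in configuration file: rfc2307").
SAMPLE_SMB_CONF = """\
rfc2307
[global]
    security = domain
    workgroup = TTU
    realm = ttu.red
    idmap config * : range = 1000-20000000
"""

# Constructed excerpt of `net ads join -d 5` output, assembled from lines quoted
# in the thread (noise dropped, the Spanish locale message translated).
SAMPLE_JOIN_LOG = """\
params.c:Parameter() - Ignoring badly formed line in configuration file: rfc2307
pm_process() returned Yes
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts.
Marking wins server 192.168.2.251 dead for 600 seconds from source 192.168.2.251
Connecting to 192.168.2.251 at port 445
NTLMSSP: Set final flags:
check_bind_response: accepted!
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list =
Successfully contacted LDAP server 192.168.2.251
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials
"""

# Join milestones in the order a -d 5 trace emits them (editor's labels);
# the first missing marker bounds where the join died.
STAGES = [
    ("smb.conf parsed", "pm_process() returned Yes"),
    ("DC reached on tcp/445", " at port 445"),
    ("RPC bind accepted", "check_bind_response: accepted!"),
    ("private krb5.conf written for the realm", "create_local_private_krb5_conf_for_domain: wrote file"),
    ("CLDAP ping answered", "Successfully contacted LDAP server"),
    ("GSS-SPNEGO chosen for LDAP bind", "Found SASL mechanism GSS-SPNEGO"),
]

# (regex, explanation) for lines worth calling out; regex groups fill {0}.
FAILURE_SIGNATURES = [
    (r"Ignoring badly formed line in configuration file:\s*(\S+)",
     "smb.conf has a line that is not 'key = value' ({0}); Samba skips it"),
    (r"Marking wins server (\S+) dead",
     "WINS lookup against {0} failed; the trace then resolved the DC via DNS"),
    (r"krb5_cc_get_principal failed \((.*)\)",
     "no default principal readable from the ccache used for the LDAP bind ({0})"),
    (r"kinit succeeded but ads_sasl_spnego_krb5_bind failed: (.*)",
     "the KDC accepted the password and issued a TGT, so the failure is in the "
     "GSS-SPNEGO bind to LDAP, not in the password: {0}"),
    (r"Failed to join domain: (.*)", "join aborted: {0}"),
]

def find_badly_formed_lines(conf_text):
    """(lineno, text) for lines that are neither blank, comment, [section]
    nor 'key = value'; this is what params.c reports as badly formed."""
    bad = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or (line[0] == "[" and line[-1] == "]"):
            continue
        if "=" not in line:
            bad.append((n, line))
    return bad

def last_stage_reached(log_text):
    """Name of the furthest STAGES entry whose marker is present, or None."""
    reached = None
    for name, marker in STAGES:
        if marker not in log_text:
            break
        reached = name
    return reached

def kdc_time_offset(log_text):
    """Clock offset to the KDC as logged, or None if the line is absent."""
    m = re.search(r"KDC time offset is (-?\d+) seconds", log_text)
    return int(m.group(1)) if m else None

def triage(log_text):
    """[(matched text, explanation)] per signature found, plus a clock skew
    warning when the logged offset exceeds the assumed 300 s Kerberos default."""
    findings = []
    for pattern, template in FAILURE_SIGNATURES:
        m = re.search(pattern, log_text)
        if m:
            findings.append((m.group(0), template.format(*m.groups())))
    offset = kdc_time_offset(log_text)
    if offset is not None and abs(offset) > 300:
        findings.append((f"KDC time offset is {offset} seconds",
                         "clock skew beyond Kerberos tolerance; fix NTP first"))
    return findings

if __name__ == "__main__":
    for n, line in find_badly_formed_lines(SAMPLE_SMB_CONF):
        print(f"smb.conf line {n}: badly formed: {line!r}")
    print("furthest stage reached:", last_stage_reached(SAMPLE_JOIN_LOG))
    for line, why in triage(SAMPLE_JOIN_LOG):
        print(f"- {line}\n    {why}")
```

Run it against a real trace with `python3 triage.py < /dev/null` after swapping SAMPLE_JOIN_LOG for `sys.stdin.read()`; the point of the stage list is that the trace in the thread gets all the way to the SASL bind, so DNS, the SMB session and the RPC channel to the DC are not what to look at.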