[Samba] I can't join the new AD server with Samba4

Daniel Carrasco Marín danielmadrid19 at gmail.com
Sat Apr 25 08:44:49 MDT 2015


2015-04-25 15:17 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 25/04/15 14:02, Daniel Carrasco Marín wrote:
>
>> Sorry, I forgot to revert another test I did, but the result is the same:
>>
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------
>> sudo net ads join -U "Administrator" -d 5
>> INFO: Current debug levels:
>>   all: 5
>>   tdb: 5
>>   printdrivers: 5
>>   lanman: 5
>>   smb: 5
>>   rpc_parse: 5
>>   rpc_srv: 5
>>   rpc_cli: 5
>>   passdb: 5
>>   sam: 5
>>   auth: 5
>>   winbind: 5
>>   vfs: 5
>>   idmap: 5
>>   quota: 5
>>   acls: 5
>>   locking: 5
>>   msdfs: 5
>>   dmapi: 5
>>   registry: 5
>>   scavenger: 5
>>   dns: 5
>>   ldb: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> INFO: Current debug levels:
>>   all: 5
>>   tdb: 5
>>   printdrivers: 5
>>   lanman: 5
>>   smb: 5
>>   rpc_parse: 5
>>   rpc_srv: 5
>>   rpc_cli: 5
>>   passdb: 5
>>   sam: 5
>>   auth: 5
>>   winbind: 5
>>   vfs: 5
>>   idmap: 5
>>   quota: 5
>>   acls: 5
>>   locking: 5
>>   msdfs: 5
>>   dmapi: 5
>>   registry: 5
>>   scavenger: 5
>>   dns: 5
>>   ldb: 5
>> params.c:pm_process() - Processing configuration file
>> "/etc/samba/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = TTU
>> doing parameter security = ADS
>> doing parameter realm = TTU.RED
>> doing parameter dedicated keytab file = /etc/krb5.keytab
>> doing parameter kerberos method = secrets and keytab
>> doing parameter idmap config *:backend = tdb
>> doing parameter idmap config *:range = 2000-9999
>> doing parameter idmap config TTU:backend = ad
>> doing parameter idmap config TTU:schema_mode = rfc2307
>> doing parameter idmap config TTU:range = 10000-99999
>> doing parameter winbind nss info = rfc2307
>> doing parameter winbind trusted domains only = no
>> doing parameter winbind use default domain = yes
>> doing parameter winbind enum users = yes
>> doing parameter winbind enum groups = yes
>> doing parameter winbind refresh tickets = Yes
>> doing parameter winbind expand groups = 4
>> doing parameter winbind normalize names = Yes
>> doing parameter domain master = no
>> doing parameter local master = no
>> doing parameter vfs objects = acl_xattr
>> doing parameter map acl inherit = Yes
>> doing parameter store dos attributes = Yes
>> pm_process() returned Yes
>> Netbios name list:-
>> my_netbios_names[0]="GLOTON"
>> added interface eth1 ip=172.30.0.230 bcast=172.30.0.255
>> netmask=255.255.255.0
>> added interface eth0 ip=192.168.2.230 bcast=192.168.2.255
>> netmask=255.255.255.0
>> Registering messaging pointer for type 2 - private_data=(nil)
>> Registering messaging pointer for type 9 - private_data=(nil)
>> Registered MSG_REQ_POOL_USAGE
>> Registering messaging pointer for type 11 - private_data=(nil)
>> Registering messaging pointer for type 12 - private_data=(nil)
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> Registering messaging pointer for type 1 - private_data=(nil)
>> Registering messaging pointer for type 5 - private_data=(nil)
>> Enter Administrator's password:
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         in: struct libnet_JoinCtx
>>             dc_name                  : NULL
>>             machine_name             : 'GLOTON'
>>             domain_name              : *
>>                 domain_name              : 'TTU.RED'
>>             account_ou               : NULL
>>             admin_account            : 'Administrator'
>>             machine_password         : NULL
>>             join_flags               : 0x00000023 (35)
>>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>             os_version               : NULL
>>             os_name                  : NULL
>>             create_upn               : 0x00 (0)
>>             upn                      : NULL
>>             modify_config            : 0x00 (0)
>>             ads                      : NULL
>>             debug                    : 0x01 (1)
>>             use_kerberos             : 0x00 (0)
>>             secure_channel_type      : SEC_CHAN_WKSTA (2)
>> Opening cache file at /var/cache/samba/gencache.tdb
>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> ads_dns_lookup_srv: 1 records returned in the answer section.
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> Connecting to 192.168.2.251 at port 445
>> Socket options:
>>         SO_KEEPALIVE = 0
>>         SO_REUSEADDR = 0
>>         SO_BROADCAST = 0
>>         TCP_NODELAY = 1
>>         TCP_KEEPCNT = 9
>>         TCP_KEEPIDLE = 7200
>>         TCP_KEEPINTVL = 75
>>         IPTOS_LOWDELAY = 0
>>         IPTOS_THROUGHPUT = 0
>>         SO_SNDBUF = 24040
>>         SO_RCVBUF = 87380
>>         SO_SNDLOWAT = 1
>>         SO_RCVLOWAT = 1
>>         SO_SNDTIMEO = 0
>>         SO_RCVTIMEO = 0
>>         TCP_QUICKACK = 1
>>         TCP_DEFER_ACCEPT = 0
>> Doing spnego session setup (blob length=96)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 168
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
>> get_dc_list: preferred server list: "pdc.ttu.red, *"
>> name ttu.red#1C found.
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> get_dc_list: returning 1 ip addresses in an ordered list
>> get_dc_list: 192.168.2.251:389
>>
>> create_local_private_krb5_conf_for_domain: wrote file
>> /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list =
>>  kdc = 192.168.2.251
>>
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 40
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 44
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> ads_try_connect: sending CLDAP request to 192.168.2.251 (realm: ttu.red)
>> Successfully contacted LDAP server 192.168.2.251
>> Connected to LDAP server pdc.ttu.red
>> KDC time offset is 0 seconds
>> Found SASL mechanism GSS-SPNEGO
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name =
>> not_defined_in_RFC4178 at please_ignore
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
>> directorio)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
>> dom, 26 abr 2015 00:59:09 CEST
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         out: struct libnet_JoinCtx
>>             account_name             : NULL
>>             netbios_domain_name      : 'TTU'
>>             dns_domain_name          : 'ttu.red'
>>             forest_name              : 'ttu.red'
>>             dn                       : NULL
>>             domain_sid               : *
>>                 domain_sid               : S-1-5-21-127850397-371183867-
>> 665961664
>>             modified_config          : 0x00 (0)
>>             error_string             : 'failed to connect to AD: Invalid
>> credentials'
>>             domain_is_ad             : 0x01 (1)
>>             result                   : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid credentials
>> return code = -1
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------
>>
>> Greetings!!
>>
>> 2015-04-25 14:52 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>
>>     On 25/04/15 13:27, Daniel Carrasco Marín wrote:
>>
>>         Hi, I'm sorry for my English.
>>
>>         I've migrated an old 3.6 Samba domain to Samba 4.1 and the
>>         Windows part is
>>         working fine (I can join and manage the server from a Windows
>>         machine), but
>>         when I try to join the domain from another Linux server it fails.
>>
>>         I've followed this guide to migrate:
>>
>> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
>>
>>         and this for join:
>>         https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>>         My config file looks like the guide.
>>
>>
>>     From what you have posted, your smb.conf doesn't seem to look
>>     anything like the one on the member server page:
>>
>>     [global]
>>     security = domain
>>     workgroup = TTU
>>     realm = ttu.red
>>     wins server = 192.168.2.251
>>     server role = standalone server
>>     passdb backend = tdbsam
>>     domain master = no
>>     server string = Print Server
>>     encrypt passwords = yes
>>     winbind nss info = rfc2307
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     winbind use default domain = Yes
>>     winbind refresh tickets = Yes
>>     winbind normalize names = yes
>>     idmap config TTU : backend = ad
>>     idmap config * : backend = tdb
>>     idmap config * : range = 1000-20000000
>>
>>     There is also this:
>>
>>     params.c:Parameter() - Ignoring badly formed line in configuration
>>     file: rfc2307
>>
>>     Rowland
>>
>>
>>           and the join command shows:
>>
>> -----------------------------------------------------------------------
>>
>> -----------------------------------------------------------------------
>>         # net ads join -UAdministrator -d 5
>>         INFO: Current debug levels:
>>            all: 5
>>            tdb: 5
>>            printdrivers: 5
>>            lanman: 5
>>            smb: 5
>>            rpc_parse: 5
>>            rpc_srv: 5
>>            rpc_cli: 5
>>            passdb: 5
>>            sam: 5
>>            auth: 5
>>            winbind: 5
>>            vfs: 5
>>            idmap: 5
>>            quota: 5
>>            acls: 5
>>            locking: 5
>>            msdfs: 5
>>            dmapi: 5
>>            registry: 5
>>            scavenger: 5
>>            dns: 5
>>            ldb: 5
>>         lp_load_ex: refreshing parameters
>>         Initialising global parameters
>>         rlimit_max: increasing rlimit_max (1024) to minimum Windows
>>         limit (16384)
>>         INFO: Current debug levels:
>>            all: 5
>>            tdb: 5
>>            printdrivers: 5
>>            lanman: 5
>>            smb: 5
>>            rpc_parse: 5
>>            rpc_srv: 5
>>            rpc_cli: 5
>>            passdb: 5
>>            sam: 5
>>            auth: 5
>>            winbind: 5
>>            vfs: 5
>>            idmap: 5
>>            quota: 5
>>            acls: 5
>>            locking: 5
>>            msdfs: 5
>>            dmapi: 5
>>            registry: 5
>>            scavenger: 5
>>            dns: 5
>>            ldb: 5
>>         params.c:pm_process() - Processing configuration file
>>         "/etc/samba/smb.conf"
>>         params.c:Parameter() - Ignoring badly formed line in
>>         configuration file:
>>         rfc2307[global]
>>         doing parameter security = domain
>>         doing parameter workgroup = TTU
>>         doing parameter realm = ttu.red
>>         doing parameter wins server = 192.168.2.251
>>         doing parameter server role = standalone server
>>         doing parameter passdb backend = tdbsam
>>         doing parameter domain master = no
>>         doing parameter server string = Print Server
>>         doing parameter encrypt passwords = yes
>>         doing parameter winbind nss info = rfc2307
>>         doing parameter winbind enum users = Yes
>>         doing parameter winbind enum groups = Yes
>>         doing parameter winbind use default domain = Yes
>>         doing parameter winbind refresh tickets = Yes
>>         doing parameter winbind normalize names = yes
>>         doing parameter idmap config TTU : backend = ad
>>         doing parameter idmap config * : backend = tdb
>>         doing parameter idmap config * : range = 1000-20000000
>>         pm_process() returned Yes
>>         Netbios name list:-
>>         my_netbios_names[0]="GLOTON"
>>         added interface eth1 ip=172.30.0.230 bcast=172.30.0.255
>>         netmask=255.255.255.0
>>         added interface eth0 ip=192.168.2.230 bcast=192.168.2.255
>>         netmask=255.255.255.0
>>         Registering messaging pointer for type 2 - private_data=(nil)
>>         Registering messaging pointer for type 9 - private_data=(nil)
>>         Registered MSG_REQ_POOL_USAGE
>>         Registering messaging pointer for type 11 - private_data=(nil)
>>         Registering messaging pointer for type 12 - private_data=(nil)
>>         Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>         Registering messaging pointer for type 1 - private_data=(nil)
>>         Registering messaging pointer for type 5 - private_data=(nil)
>>         Enter Administrator's password:
>>         libnet_Join:
>>              libnet_JoinCtx: struct libnet_JoinCtx
>>                  in: struct libnet_JoinCtx
>>                      dc_name                  : NULL
>>                      machine_name             : 'GLOTON'
>>                      domain_name              : *
>>                          domain_name              : 'TTU.RED'
>>                      account_ou               : NULL
>>                      admin_account            : 'Administrator'
>>                      machine_password         : NULL
>>                      join_flags               : 0x00000023 (35)
>>                             0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>                             0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>                             0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>                             0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>                             0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>                             0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>                             1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>                             0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>                             0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>                             1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>                             1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>                      os_version               : NULL
>>                      os_name                  : NULL
>>                      create_upn               : 0x00 (0)
>>                      upn                      : NULL
>>                      modify_config            : 0x00 (0)
>>                      ads                      : NULL
>>                      debug                    : 0x01 (1)
>>                      use_kerberos             : 0x00 (0)
>>                      secure_channel_type      : SEC_CHAN_WKSTA (2)
>>         Opening cache file at /var/cache/samba/gencache.tdb
>>         Opening cache file at /var/run/samba/gencache_notrans.tdb
>>         sitename_fetch: Returning sitename for TTU.RED:
>>         "Default-First-Site-Name"
>>         ads_dns_lookup_srv: 1 records returned in the answer section.
>>         sitename_fetch: Returning sitename for TTU.RED:
>>         "Default-First-Site-Name"
>>         no entry for pdc.ttu.red#20 found.
>>         resolve_lmhosts: Attempting lmhosts lookup for name
>>         pdc.ttu.red<0x20>
>>         resolve_lmhosts: Attempting lmhosts lookup for name
>>         pdc.ttu.red<0x20>
>>         startlmhosts: Can't open lmhosts file /etc/samba/lmhosts.
>>         Error was No
>>         existe el fichero o el directorio
>>         wins_srv_is_dead: 192.168.2.251 is alive
>>         resolve_wins: using WINS server 192.168.2.251 and tag '*'
>>         samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fcb85f853b0]
>>         mpx_fde[(nil)]
>>         fd[13] - disabling
>>         wins_srv_is_dead: 192.168.2.251 is alive
>>         Marking wins server 192.168.2.251 dead for 600 seconds from source
>>         192.168.2.251
>>         resolve_hosts: Attempting host lookup for name pdc.ttu.red<0x20>
>>         namecache_store: storing 1 address for pdc.ttu.red#20:
>>         192.168.2.251
>>         Connecting to 192.168.2.251 at port 445
>>         Socket options:
>>                  SO_KEEPALIVE = 0
>>                  SO_REUSEADDR = 0
>>                  SO_BROADCAST = 0
>>                  TCP_NODELAY = 1
>>                  TCP_KEEPCNT = 9
>>                  TCP_KEEPIDLE = 7200
>>                  TCP_KEEPINTVL = 75
>>                  IPTOS_LOWDELAY = 0
>>                  IPTOS_THROUGHPUT = 0
>>                  SO_SNDBUF = 24040
>>                  SO_RCVBUF = 87380
>>                  SO_SNDLOWAT = 1
>>                  SO_RCVLOWAT = 1
>>                  SO_SNDTIMEO = 0
>>                  SO_RCVTIMEO = 0
>>                  TCP_QUICKACK = 1
>>                  TCP_DEFER_ACCEPT = 0
>>         Doing spnego session setup (blob length=96)
>>         got OID=1.2.840.48018.1.2.2
>>         got OID=1.2.840.113554.1.2.2
>>         got OID=1.3.6.1.4.1.311.2.2.10
>>         got principal=not_defined_in_RFC4178 at please_ignore
>>         Got challenge flags:
>>         Got NTLMSSP neg_flags=0x60898215
>>            NTLMSSP_NEGOTIATE_UNICODE
>>            NTLMSSP_REQUEST_TARGET
>>            NTLMSSP_NEGOTIATE_SIGN
>>            NTLMSSP_NEGOTIATE_NTLM
>>            NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>            NTLMSSP_NEGOTIATE_NTLM2
>>            NTLMSSP_NEGOTIATE_TARGET_INFO
>>            NTLMSSP_NEGOTIATE_128
>>            NTLMSSP_NEGOTIATE_KEY_EXCH
>>         NTLMSSP: Set final flags:
>>         Got NTLMSSP neg_flags=0x60088215
>>            NTLMSSP_NEGOTIATE_UNICODE
>>            NTLMSSP_REQUEST_TARGET
>>            NTLMSSP_NEGOTIATE_SIGN
>>            NTLMSSP_NEGOTIATE_NTLM
>>            NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>            NTLMSSP_NEGOTIATE_NTLM2
>>            NTLMSSP_NEGOTIATE_128
>>            NTLMSSP_NEGOTIATE_KEY_EXCH
>>         NTLMSSP Sign/Seal - Initialising with flags:
>>         Got NTLMSSP neg_flags=0x60088215
>>            NTLMSSP_NEGOTIATE_UNICODE
>>            NTLMSSP_REQUEST_TARGET
>>            NTLMSSP_NEGOTIATE_SIGN
>>            NTLMSSP_NEGOTIATE_NTLM
>>            NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>            NTLMSSP_NEGOTIATE_NTLM2
>>            NTLMSSP_NEGOTIATE_128
>>            NTLMSSP_NEGOTIATE_KEY_EXCH
>>         Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 52
>>         check_bind_response: accepted!
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 32
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 168
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 32
>>         saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
>>         get_dc_list: preferred server list: "pdc.ttu.red, *"
>>         no entry for ttu.red#1C found.
>>         resolve_ads: Attempting to resolve KDCs for ttu.red using DNS
>>         ads_dns_lookup_srv: 1 records returned in the answer section.
>>         sitename_fetch: Returning sitename for TTU.RED:
>>         "Default-First-Site-Name"
>>         name pdc.ttu.red#20 found.
>>         get_dc_list: returning 2 ip addresses in an ordered list
>>         get_dc_list: 192.168.2.251:0
>>         192.168.2.251:88
>>
>>         create_local_private_krb5_conf_for_domain: wrote file
>>         /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC
>>         list =
>>         kdc = 192.168.2.251
>>
>>         Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 52
>>         check_bind_response: accepted!
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 32
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 32
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 40
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 44
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 32
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 12
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 12
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 32
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 32
>>         rpc_api_pipe: host pdc.ttu.red
>>         rpc_read_send: data_to_read: 32
>>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>>         check lock order 1 for /var/lib/samba/private/secrets.tdb
>>         release lock order 1 for /var/lib/samba/private/secrets.tdb
>>         sitename_fetch: Returning sitename for TTU.RED:
>>         "Default-First-Site-Name"
>>         name pdc.ttu.red#20 found.
>>         ads_try_connect: sending CLDAP request to 192.168.2.251
>>         (realm: ttu.red)
>>         Successfully contacted LDAP server 192.168.2.251
>>         Connected to LDAP server pdc.ttu.red
>>         KDC time offset is 0 seconds
>>         Found SASL mechanism GSS-SPNEGO
>>         ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>         ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>         ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>         ads_sasl_spnego_bind: got server principal name =
>>         not_defined_in_RFC4178 at please_ignore
>>         ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el
>>         fichero o el
>>         directorio)
>>         ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
>>         expiration dom,
>>         26 abr 2015 00:04:50 CEST
>>         kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
>>         credentials
>>         libnet_Join:
>>              libnet_JoinCtx: struct libnet_JoinCtx
>>                  out: struct libnet_JoinCtx
>>                      account_name             : NULL
>>                      netbios_domain_name      : 'TTU'
>>                      dns_domain_name          : 'ttu.red'
>>                      forest_name              : 'ttu.red'
>>                      dn                       : NULL
>>                      domain_sid               : *
>>                          domain_sid               :
>>         S-1-5-21-127850397-371183867-665961664
>>                      modified_config          : 0x00 (0)
>>                      error_string             : 'failed to connect to
>>         AD: Invalid
>>         credentials'
>>                      domain_is_ad             : 0x01 (1)
>>                      result                   : WERR_GENERAL_FAILURE
>>         Failed to join domain: failed to connect to AD: Invalid
>>         credentials
>>         return code = -1
>>
>> -----------------------------------------------------------------------
>>
>> -----------------------------------------------------------------------
>>
>>         I've tried commands like:
>>         smbclient -L 192.168.2.251 -U%
>>         kinit administrator@TTU.RED
>>         klist -c
>>
>>         All are working.
>>         I've tried to create a test domain instead of upgrading, with the
>>         same config, and
>>         the ADS join works... Could it be the upgrade process?
>>
>>         Thanks!!
>>
>>
>>     --
>>     To unsubscribe from this list go to the following URL and read the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> OK, there is this:
> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
> directorio)
>
> The last part seems to translate to: There is no such file or directory,
> so what have you got in /etc/krb5.conf ?
>

Thanks!!

On the AD server I've linked the Kerberos file in the samba folder:
lrwxrwxrwx 1 root root 32 abr 25 16:23 krb5.conf ->
/var/lib/samba/private/krb5.conf

On the client I have the default:
[libdefaults]
        default_realm = TTU.RED

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
........

[realms]
        TTU.RED = {
                kdc = pdc
                admin_server = pdc
        }
........



> Does /etc/krb5.keytab exist, if it does, remove it.
>

Deleted, but nothing changed.


> Does /etc/resolv.conf point to the DC ?
>

Yes:
cat /etc/resolv.conf
domain TTU
nameserver 192.168.2.251


> Are you sure that you are using the correct password for Administrator ?
>

Yes, I've even tried changing the password to another one, and other commands
work fine, for example "kinit administrator@TTU.RED" and "klist -c":
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TTU.RED

Valid starting     Expires            Service principal
25/04/15 16:36:10  26/04/15 02:36:10  krbtgt/TTU.RED@TTU.RED
        renew until 26/04/15 16:36:06


I've linked the file shown in the log to krb5.conf:
ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf

I got the same error:
.......
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178 at please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
directorio)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom,
26 abr 2015 02:37:30 CEST
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'TTU'
            dns_domain_name          : 'ttu.red'
            forest_name              : 'ttu.red'
            dn                       : NULL
            domain_sid               : *
                domain_sid               :
S-1-5-21-127850397-371183867-665961664
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Invalid
credentials'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Invalid credentials
return code = -1

I can run commands like net ads rpc -U "Administrator" and they work fine; I
can even get some AD info:
# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: TTU
Domain SID: S-1-5-21-127850397-371183867-665961664
Sequence number: 1
Num users: 144
Num domain groups: 42
Num local groups: 26


It's strange because, as I said, if I create a new domain without upgrading
then I can join that domain even without krb5-client installed.

Greetings!!


>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
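Editor's added example (not code from the thread or from Samba): the thread ends with "kinit succeeded but ads_sasl_spnego_krb5_bind failed", a Kerberos-looking failure with a valid TGT, a krb5.conf whose KDC is the short name "pdc", and a resolv.conf whose search domain is "TTU" rather than "ttu.red". The script below parses the member's krb5.conf, resolv.conf and the tail of the `net ads join -d 5` output (all copied from the posts above as constructed sample strings, with Daniel's "......." elisions dropped) and reports the mismatches a practitioner would verify before retrying the join: an unqualified KDC name, a resolver search list that does not cover the realm's DNS domain, and a default_realm that differs from the join realm. The finding codes and function names are this example's own invention; it does not claim to identify the root cause of the failure in the thread, only to surface what to check first.

```python
"""Offline pre-join checks for a Samba AD member server (added example,
not Samba code). Parses krb5.conf, resolv.conf and the tail of a
`net ads join -d 5` log; finding codes are this example's own."""
import re

# Constructed from the krb5.conf posted in the thread (elided lines omitted).
KRB5_CONF = """\
[libdefaults]
        default_realm = TTU.RED
        kdc_timesync = 1
        forwardable = true

[realms]
        TTU.RED = {
                kdc = pdc
                admin_server = pdc
        }
"""

# Constructed from the resolv.conf posted in the thread.
RESOLV_CONF = "domain TTU\nnameserver 192.168.2.251\n"

# Constructed from the last lines of the posted `net ads join -d 5` output.
JOIN_LOG = """\
ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom, 26 abr 2015 02:37:30 CEST
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials
return code = -1
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here into {section: {key: [values]}};
    inside [realms] each realm name maps to its own {key: [values]} dict."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments/whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            continue                               # stray line before a section
        if line.endswith("{"):                     # "REALM = {" opens a block
            realm = line.split("=", 1)[0].strip()
            sections[section][realm] = {}
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        target = sections[section][realm] if realm else sections[section]
        target.setdefault(key.strip(), []).append(value.strip())
    return sections


def parse_resolv_conf(text):
    """Return nameservers and the effective search list ('domain' or 'search')."""
    conf = {"nameserver": [], "search": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            conf["nameserver"].append(parts[1])
        elif parts[0] in ("domain", "search"):
            conf["search"] = parts[1:]             # later directive replaces earlier
    return conf


def check_config(krb5, resolv, realm):
    """Return (code, detail) findings for joining REALM with this client config."""
    findings, dns_domain = [], realm.lower()
    default_realm = krb5.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm != realm:
        findings.append(("DEFAULT_REALM_MISMATCH",
                         f"default_realm {default_realm!r} != join realm {realm!r}"))
    realm_cfg = krb5.get("realms", {}).get(realm)
    if realm_cfg is None:
        findings.append(("REALM_MISSING", f"no [realms] entry for {realm}"))
    else:
        for host in realm_cfg.get("kdc", []):
            bare = host.split(":", 1)[0]           # strip an optional :port
            if "." not in bare:                    # short name => resolver search list
                findings.append(("KDC_UNQUALIFIED",
                                 f"kdc {bare!r} depends on search list {resolv['search']}"))
    search = [s.lower().rstrip(".") for s in resolv["search"]]
    if dns_domain not in search:                   # "domain TTU" expands pdc -> pdc.TTU
        findings.append(("SEARCH_MISMATCH",
                         f"search list {resolv['search']} lacks {dns_domain!r}"))
    return findings


def classify_join_log(text):
    """Flag the lines in the posted log that say where the join broke."""
    final = next((ln.split(":", 1)[1].strip() for ln in text.splitlines()
                  if ln.startswith("Failed to join domain:")), None)
    return {
        "ccache_principal_missing": "krb5_cc_get_principal failed" in text,
        "kinit_ok_bind_failed":
            "kinit succeeded but ads_sasl_spnego_krb5_bind failed" in text,
        "final_error": final,
    }


if __name__ == "__main__":
    for code, detail in check_config(parse_krb5_conf(KRB5_CONF),
                                     parse_resolv_conf(RESOLV_CONF), "TTU.RED"):
        print(f"{code}: {detail}")
    print(classify_join_log(JOIN_LOG))
```

Run against the thread's files it reports KDC_UNQUALIFIED and SEARCH_MISMATCH; with `kdc = pdc.ttu.red` and `search ttu.red` it reports nothing. Either way, confirm the live side separately on the member with `dig SRV _kerberos._tcp.ttu.red` and `dig SRV _ldap._tcp.dc._msdcs.ttu.red` against 192.168.2.251, since a clean config still fails if the DC's DNS records are wrong.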

