[Samba] net ads join fails
Rowland Penny
rowlandpenny at googlemail.com
Tue Mar 10 14:23:14 MDT 2015
On 10/03/15 20:14, Roman Dilken wrote:
> On 10.03.2015 20:20, Rowland Penny wrote:
>
>> OK, the first will not work (well not yet), the second should, I
>> take it you ran 'kinit Administrator@AD.DILKEN.EU' as root before
>> the join?
>>
>> You could try 'net ads join -U Administrator' and enter the
>> password when prompted, I personally have never seen the point in
>> using kerberos during the join, either way you have to enter the
>> Administrator password :-)
>>
>> Rowland
>>
> OK, new try... I did kinit Administrator@AD.DILKEN.EU, but I always
> have to enter the password with or without kerberos.
>
> Now I try it without -k:
>
> net ads join -UAdministrator -d 10
>
> Result:
>
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> params.c:pm_process() - Processing configuration file
> "/usr/local/etc/smb4.conf"
> Processing section "[global]"
> doing parameter netbios name = fileserver
> doing parameter workgroup = AD
> doing parameter security = ADS
> doing parameter realm = AD.DILKEN.EU
> doing parameter dedicated keytab file = /usr/local/etc/krb5.keytab
> doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
> doing parameter server role = member server
> doing parameter winbind refresh tickets = yes
> doing parameter use sendfile = true
> doing parameter idmap config *:backend = tdb
> doing parameter idmap config *:range = 2000-9999
> doing parameter idmap config AD:backend = ad
> doing parameter idmap config AD:schema_mode = rfc2307
> doing parameter idmap config AD:range = 10000-99999
> doing parameter winbind nss info = rfc2307
> doing parameter winbind trusted domains only = no
> doing parameter winbind use default domain = yes
> doing parameter winbind enum users = yes
> doing parameter winbind enum groups = yes
> doing parameter log level = 10
> doing parameter read only = no
> doing parameter inherit permissions = No
> doing parameter inherit acls = No
> doing parameter inherit owner = No
> doing parameter force unknown acl user = No
> doing parameter store dos attributes = Yes
> doing parameter map read only = No
> doing parameter vfs objects = zfsacl
> doing parameter nfs4:mode = special
> doing parameter nfs4:acedup = merge
> doing parameter nfs4:chown = yes
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> Netbios name list:-
> my_netbios_names[0]="FILESERVER"
> added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
> netmask=255.255.255.0
> Registering messaging pointer for type 2 - private_data=0x0
> Registering messaging pointer for type 9 - private_data=0x0
> Registered MSG_REQ_POOL_USAGE
> Registering messaging pointer for type 11 - private_data=0x0
> Registering messaging pointer for type 12 - private_data=0x0
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Registering messaging pointer for type 1 - private_data=0x0
> Registering messaging pointer for type 5 - private_data=0x0
> Enter Administrator's password:
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> in: struct libnet_JoinCtx
> dc_name : NULL
> machine_name : 'FILESERVER'
> domain_name : *
> domain_name : 'AD.DILKEN.EU'
> account_ou : NULL
> admin_account : 'Administrator'
> machine_password : NULL
> join_flags : 0x00000023 (35)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> os_version : NULL
> os_name : NULL
> create_upn : 0x00 (0)
> upn : NULL
> modify_config : 0x00 (0)
> ads : NULL
> debug : 0x01 (1)
> use_kerberos : 0x00 (0)
> secure_channel_type : SEC_CHAN_WKSTA (2)
> Opening cache file at /var/db/samba4/gencache.tdb
> Opening cache file at /var/db/samba4/gencache_notrans.tdb
> sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
> dsgetdcname_internal: domain_name: AD.DILKEN.EU, domain_guid: (null),
> site_name: Neuoetting, flags: 0x40001011
> debug_dsdcinfo_flags: 0x40001011
> DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED
> DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
> dsgetdcname_rediscover
> ads_dns_lookup_srv: 1 records returned in the answer section.
> ads_dns_parse_rr_srv: Parsed dc2.ad.dilken.eu [0, 100, 389]
> LDAP ping to dc2.ad.dilken.eu
> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
> command : LOGON_SAM_LOGON_RESPONSE_EX (23)
> sbz : 0x0000 (0)
> server_type : 0x000003fc (1020)
> 0: NBT_SERVER_PDC
> 1: NBT_SERVER_GC
> 1: NBT_SERVER_LDAP
> 1: NBT_SERVER_DS
> 1: NBT_SERVER_KDC
> 1: NBT_SERVER_TIMESERV
> 1: NBT_SERVER_CLOSEST
> 1: NBT_SERVER_WRITABLE
> 1: NBT_SERVER_GOOD_TIMESERV
> 0: NBT_SERVER_NDNC
> 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
> 0: NBT_SERVER_FULL_SECRET_DOMAIN_6
> 0: NBT_SERVER_ADS_WEB_SERVICE
> 0: NBT_SERVER_HAS_DNS_NAME
> 0: NBT_SERVER_IS_DEFAULT_NC
> 0: NBT_SERVER_FOREST_ROOT
> domain_uuid : 56b6b4e7-d3f5-448d-ae4b-5b68a3662b2f
> forest : 'ad.dilken.eu'
> dns_domain : 'ad.dilken.eu'
> pdc_dns_name : 'dc2.ad.dilken.eu'
> domain_name : 'AD'
> pdc_name : 'DC2'
> user_name : ''
> server_site : 'Neuoetting'
> client_site : 'Neuoetting'
> sockaddr_size : 0x00 (0)
> sockaddr: struct nbt_sockaddr
> sockaddr_family : 0x00000000 (0)
> pdc_ip : (null)
> remaining : DATA_BLOB length=0
> next_closest_site : NULL
> nt_version : 0x00000005 (5)
> 1: NETLOGON_NT_VERSION_1
> 0: NETLOGON_NT_VERSION_5
> 1: NETLOGON_NT_VERSION_5EX
> 0: NETLOGON_NT_VERSION_5EX_WITH_IP
> 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
> 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
> 0: NETLOGON_NT_VERSION_PDC
> 0: NETLOGON_NT_VERSION_IP
> 0: NETLOGON_NT_VERSION_LOCAL
> 0: NETLOGON_NT_VERSION_GC
> lmnt_token : 0xffff (65535)
> lm20_token : 0xffff (65535)
> Did not store value for DSGETDCNAME/DOMAIN/AD, we already got it
> sitename_store: realm = [AD], sitename = [Neuoetting], expire =
> [2147483647]
> Did not store value for AD_SITENAME/DOMAIN/AD, we already got it
> Adding cache entry with key=[DSGETDCNAME/DOMAIN/AD.DILKEN.EU] and
> timeout=[Di Mär 10 21:25:28 2015 CET] (900 seconds ahead)
> sitename_store: realm = [ad.dilken.eu], sitename = [Neuoetting],
> expire = [2147483647]
> Did not store value for AD_SITENAME/DOMAIN/AD.DILKEN.EU, we already got it
> sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
> internal_resolve_name: looking up dc2.ad.dilken.eu#20 (sitename
> Neuoetting)
> Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Do
> Jan 1 01:00:00 1970 CET] (-1426018228 seconds in the past)
> no entry for dc2.ad.dilken.eu#20 found.
> resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
> startlmhosts: Can't open lmhosts file /usr/local/etc/lmhosts. Error
> was No such file or directory
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name dc2.ad.dilken.eu<0x20>
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> namecache_store: storing 1 address for dc2.ad.dilken.eu#20: 192.168.2.2
> Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Di
> Mär 10 21:21:28 2015 CET] (660 seconds ahead)
> internal_resolve_name: returning 1 addresses: 192.168.2.2:0
> Connecting to 192.168.2.2 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 4
> TCP_KEEPCNT = 0
> TCP_KEEPIDLE = 0
> TCP_KEEPINTVL = 0
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 66608
> SO_RCVBUF = 66608
> SO_SNDLOWAT = 2048
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178@please_ignore
> negotiate: struct NEGOTIATE_MESSAGE
> Signature : 'NTLMSSP'
> MessageType : NtLmNegotiate (1)
> NegotiateFlags : 0x60088215 (1611170325)
> 1: NTLMSSP_NEGOTIATE_UNICODE
> 0: NTLMSSP_NEGOTIATE_OEM
> 1: NTLMSSP_REQUEST_TARGET
> 1: NTLMSSP_NEGOTIATE_SIGN
> 0: NTLMSSP_NEGOTIATE_SEAL
> 0: NTLMSSP_NEGOTIATE_DATAGRAM
> 0: NTLMSSP_NEGOTIATE_LM_KEY
> 0: NTLMSSP_NEGOTIATE_NETWARE
> 1: NTLMSSP_NEGOTIATE_NTLM
> 0: NTLMSSP_NEGOTIATE_NT_ONLY
> 0: NTLMSSP_ANONYMOUS
> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> 0: NTLMSSP_TARGET_TYPE_DOMAIN
> 0: NTLMSSP_TARGET_TYPE_SERVER
> 0: NTLMSSP_TARGET_TYPE_SHARE
> 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> 0: NTLMSSP_NEGOTIATE_IDENTIFY
> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> 0: NTLMSSP_NEGOTIATE_TARGET_INFO
> 0: NTLMSSP_NEGOTIATE_VERSION
> 1: NTLMSSP_NEGOTIATE_128
> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> 0: NTLMSSP_NEGOTIATE_56
> DomainNameLen : 0x0002 (2)
> DomainNameMaxLen : 0x0002 (2)
> DomainName : *
> DomainName : 'AD'
> WorkstationLen : 0x000a (10)
> WorkstationMaxLen : 0x000a (10)
> Workstation : *
> Workstation : 'FILESERVER'
> challenge: struct CHALLENGE_MESSAGE
> Signature : 'NTLMSSP'
> MessageType : NtLmChallenge (0x2)
> TargetNameLen : 0x0004 (4)
> TargetNameMaxLen : 0x0004 (4)
> TargetName : *
> TargetName : 'AD'
> NegotiateFlags : 0x60898215 (1619624469)
> 1: NTLMSSP_NEGOTIATE_UNICODE
> 0: NTLMSSP_NEGOTIATE_OEM
> 1: NTLMSSP_REQUEST_TARGET
> 1: NTLMSSP_NEGOTIATE_SIGN
> 0: NTLMSSP_NEGOTIATE_SEAL
> 0: NTLMSSP_NEGOTIATE_DATAGRAM
> 0: NTLMSSP_NEGOTIATE_LM_KEY
> 0: NTLMSSP_NEGOTIATE_NETWARE
> 1: NTLMSSP_NEGOTIATE_NTLM
> 0: NTLMSSP_NEGOTIATE_NT_ONLY
> 0: NTLMSSP_ANONYMOUS
> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> 1: NTLMSSP_TARGET_TYPE_DOMAIN
> 0: NTLMSSP_TARGET_TYPE_SERVER
> 0: NTLMSSP_TARGET_TYPE_SHARE
> 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> 0: NTLMSSP_NEGOTIATE_IDENTIFY
> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> 1: NTLMSSP_NEGOTIATE_TARGET_INFO
> 0: NTLMSSP_NEGOTIATE_VERSION
> 1: NTLMSSP_NEGOTIATE_128
> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> 0: NTLMSSP_NEGOTIATE_56
> ServerChallenge : 5de2f6f04d891106
> Reserved : 0000000000000000
> TargetInfoLen : 0x0056 (86)
> TargetNameInfoMaxLen : 0x0056 (86)
> TargetInfo : *
> TargetInfo: struct AV_PAIR_LIST
> count : 0x00000005 (5)
> pair: ARRAY(5)
> pair: struct AV_PAIR
> AvId : MsvAvNbDomainName (0x2)
> AvLen : 0x0004 (4)
> Value : union
> ntlmssp_AvValue(case 0x2)
> AvNbDomainName : 'AD'
> pair: struct AV_PAIR
> AvId : MsvAvNbComputerName
> (0x1)
> AvLen : 0x0006 (6)
> Value : union
> ntlmssp_AvValue(case 0x1)
> AvNbComputerName : 'DC2'
> pair: struct AV_PAIR
> AvId : MsvAvDnsDomainName
> (0x4)
> AvLen : 0x0018 (24)
> Value : union
> ntlmssp_AvValue(case 0x4)
> AvDnsDomainName : 'ad.dilken.eu'
> pair: struct AV_PAIR
> AvId :
> MsvAvDnsComputerName (0x3)
> AvLen : 0x0020 (32)
> Value : union
> ntlmssp_AvValue(case 0x3)
> AvDnsComputerName : 'dc2.ad.dilken.eu'
> pair: struct AV_PAIR
> AvId : MsvAvEOL (0x0)
> AvLen : 0x0000 (0)
> Value : union
> ntlmssp_AvValue(case 0x0)
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_TARGET_INFO
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> Bus error (Speicherabzug geschrieben)
>
> The final result is the same as above.
>
> Greetings,
>
> Roman
It looks like it cannot find a DC.
You never did say what you are trying to join to, Samba 4 AD server,
Windows AD server or what?
What does /etc/resolv.conf point to??
Is it your AD DC server ?
Rowland
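
A triage helper for a level-10 `net ads join` log like the one quoted above, as an added example that is not part of the original message or of Samba: it reports which DC discovery and connection milestones appear in the log and whether the run ended in a crash. The stage names and the `triage` function are assumptions made for this illustration; the sample lines are copied from the quoted output.

```python
import re

# Excerpt of the 'net ads join -d 10' output quoted above (mail quote
# markers stripped); embedded as sample input so the example runs offline.
SAMPLE_LOG = """\
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed dc2.ad.dilken.eu [0, 100, 389]
LDAP ping to dc2.ad.dilken.eu
namecache_store: storing 1 address for dc2.ad.dilken.eu#20: 192.168.2.2
Connecting to 192.168.2.2 at port 445
Doing spnego session setup (blob length=96)
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
Bus error (Speicherabzug geschrieben)
"""

# Ordered join milestones (names chosen for this example) and the log line marking each.
STAGES = [
    ("srv_lookup", re.compile(r"ads_dns_parse_rr_srv: Parsed (\S+) \[\d+, \d+, (\d+)\]")),
    ("ldap_ping", re.compile(r"LDAP ping to (\S+)")),
    ("dc_address", re.compile(r"namecache_store: storing \d+ address\S* for \S+: (\S+)")),
    ("smb_connect", re.compile(r"Connecting to (\S+) at port (\d+)")),
    ("session_setup", re.compile(r"Doing spnego session setup")),
    ("ntlmssp_flags", re.compile(r"Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)")),
]
CRASH = re.compile(r"^(Bus error|Segmentation fault|Abort)", re.I)

def triage(log_text):
    """Return the milestones reached, the last one seen, and any crash line."""
    reached, crash = {}, None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate mail quoting
        for name, pattern in STAGES:
            m = pattern.search(line)
            if m:
                reached[name] = m.groups()       # later matches overwrite earlier
        if CRASH.match(line):
            crash = line
    last = next((n for n, _ in reversed(STAGES) if n in reached), None)
    return {"reached": reached, "last_stage": last, "crash": crash}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, _ in STAGES:
        print(f"{name:14} {result['reached'].get(name, 'not reached')}")
    print("crash:", result["crash"])
```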