[Samba] net ads join fails

Roman Dilken rdilken at gmx.de
Tue Mar 10 14:29:23 MDT 2015


Oh, I have a pair of samba-4.1.17 DCs, raspberry-pi and dc2, which make up the domain ad.dilken.eu on site Neuoetting.

resolv.conf points to the two DCs:

search ad.dilken.eu
nameserver 192.168.2.33
nameserver 192.168.2.2

In the output I find some relations to dc2 resp. 192.168.2.2, but perhaps it doesn't work as expected.

Greetings

On 10.03.2015 at 21:23, Rowland Penny wrote:

> On 10/03/15 20:14, Roman Dilken wrote:
>> On 10.03.2015 20:20, Rowland Penny wrote:
>> 
>>> OK, the first will not work (well not yet), the second should, I
>>> take it you ran 'kinit Administrator@AD.DILKEN.EU' as root before
>>> the join ?
>>> 
>>> You could try 'net ads join -U Administrator' and enter the
>>> password when prompted, I personally have never seen the point in
>>> using kerberos during the join, either way you have to enter the
>>> Administrator password :-)
>>> 
>>> Rowland
>>> 
>> OK, new try... I did kinit Administrator@AD.DILKEN.EU, but I always
>> have to enter the password with or without kerberos.
>> 
>> Now I try it without -k:
>> 
>>  net ads join -UAdministrator -d 10
>> 
>> Result:
>> 
>> INFO: Current debug levels:
>>   all: 10
>>   tdb: 10
>>   printdrivers: 10
>>   lanman: 10
>>   smb: 10
>>   rpc_parse: 10
>>   rpc_srv: 10
>>   rpc_cli: 10
>>   passdb: 10
>>   sam: 10
>>   auth: 10
>>   winbind: 10
>>   vfs: 10
>>   idmap: 10
>>   quota: 10
>>   acls: 10
>>   locking: 10
>>   msdfs: 10
>>   dmapi: 10
>>   registry: 10
>>   scavenger: 10
>>   dns: 10
>>   ldb: 10
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> INFO: Current debug levels:
>>   all: 10
>>   tdb: 10
>>   printdrivers: 10
>>   lanman: 10
>>   smb: 10
>>   rpc_parse: 10
>>   rpc_srv: 10
>>   rpc_cli: 10
>>   passdb: 10
>>   sam: 10
>>   auth: 10
>>   winbind: 10
>>   vfs: 10
>>   idmap: 10
>>   quota: 10
>>   acls: 10
>>   locking: 10
>>   msdfs: 10
>>   dmapi: 10
>>   registry: 10
>>   scavenger: 10
>>   dns: 10
>>   ldb: 10
>> params.c:pm_process() - Processing configuration file
>> "/usr/local/etc/smb4.conf"
>> Processing section "[global]"
>> doing parameter netbios name = fileserver
>> doing parameter workgroup = AD
>> doing parameter security = ADS
>> doing parameter realm = AD.DILKEN.EU
>> doing parameter dedicated keytab file = /usr/local/etc/krb5.keytab
>> doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
>> doing parameter server role = member server
>> doing parameter winbind refresh tickets = yes
>> doing parameter use sendfile = true
>> doing parameter idmap config *:backend = tdb
>> doing parameter idmap config *:range = 2000-9999
>> doing parameter idmap config AD:backend = ad
>> doing parameter idmap config AD:schema_mode = rfc2307
>> doing parameter idmap config AD:range = 10000-99999
>> doing parameter winbind nss info = rfc2307
>> doing parameter winbind trusted domains only = no
>> doing parameter winbind use default domain = yes
>> doing parameter winbind enum users = yes
>> doing parameter winbind enum groups = yes
>> doing parameter log level = 10
>> doing parameter read only = no
>> doing parameter inherit permissions = No
>> doing parameter inherit acls = No
>> doing parameter inherit owner = No
>> doing parameter force unknown acl user = No
>> doing parameter store dos attributes = Yes
>> doing parameter map read only = No
>> doing parameter vfs objects = zfsacl
>> doing parameter nfs4:mode = special
>> doing parameter nfs4:acedup = merge
>> doing parameter nfs4:chown = yes
>> pm_process() returned Yes
>> lp_servicenumber: couldn't find homes
>> Netbios name list:-
>> my_netbios_names[0]="FILESERVER"
>> added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
>> netmask=255.255.255.0
>> Registering messaging pointer for type 2 - private_data=0x0
>> Registering messaging pointer for type 9 - private_data=0x0
>> Registered MSG_REQ_POOL_USAGE
>> Registering messaging pointer for type 11 - private_data=0x0
>> Registering messaging pointer for type 12 - private_data=0x0
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> Registering messaging pointer for type 1 - private_data=0x0
>> Registering messaging pointer for type 5 - private_data=0x0
>> Enter Administrator's password:
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         in: struct libnet_JoinCtx
>>             dc_name                  : NULL
>>             machine_name             : 'FILESERVER'
>>             domain_name              : *
>>                 domain_name              : 'AD.DILKEN.EU'
>>             account_ou               : NULL
>>             admin_account            : 'Administrator'
>>             machine_password         : NULL
>>             join_flags               : 0x00000023 (35)
>>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>             os_version               : NULL
>>             os_name                  : NULL
>>             create_upn               : 0x00 (0)
>>             upn                      : NULL
>>             modify_config            : 0x00 (0)
>>             ads                      : NULL
>>             debug                    : 0x01 (1)
>>             use_kerberos             : 0x00 (0)
>>             secure_channel_type      : SEC_CHAN_WKSTA (2)
>> Opening cache file at /var/db/samba4/gencache.tdb
>> Opening cache file at /var/db/samba4/gencache_notrans.tdb
>> sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
>> dsgetdcname_internal: domain_name: AD.DILKEN.EU, domain_guid: (null),
>> site_name: Neuoetting, flags: 0x40001011
>> debug_dsdcinfo_flags: 0x40001011
>>         DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED
>> DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
>> dsgetdcname_rediscover
>> ads_dns_lookup_srv: 1 records returned in the answer section.
>> ads_dns_parse_rr_srv: Parsed dc2.ad.dilken.eu [0, 100, 389]
>> LDAP ping to dc2.ad.dilken.eu
>>      &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
>>         command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
>>         sbz                      : 0x0000 (0)
>>         server_type              : 0x000003fc (1020)
>>                0: NBT_SERVER_PDC
>>                1: NBT_SERVER_GC
>>                1: NBT_SERVER_LDAP
>>                1: NBT_SERVER_DS
>>                1: NBT_SERVER_KDC
>>                1: NBT_SERVER_TIMESERV
>>                1: NBT_SERVER_CLOSEST
>>                1: NBT_SERVER_WRITABLE
>>                1: NBT_SERVER_GOOD_TIMESERV
>>                0: NBT_SERVER_NDNC
>>                0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
>>                0: NBT_SERVER_FULL_SECRET_DOMAIN_6
>>                0: NBT_SERVER_ADS_WEB_SERVICE
>>                0: NBT_SERVER_HAS_DNS_NAME
>>                0: NBT_SERVER_IS_DEFAULT_NC
>>                0: NBT_SERVER_FOREST_ROOT
>>         domain_uuid              : 56b6b4e7-d3f5-448d-ae4b-5b68a3662b2f
>>         forest                   : 'ad.dilken.eu'
>>         dns_domain               : 'ad.dilken.eu'
>>         pdc_dns_name             : 'dc2.ad.dilken.eu'
>>         domain_name              : 'AD'
>>         pdc_name                 : 'DC2'
>>         user_name                : ''
>>         server_site              : 'Neuoetting'
>>         client_site              : 'Neuoetting'
>>         sockaddr_size            : 0x00 (0)
>>         sockaddr: struct nbt_sockaddr
>>             sockaddr_family          : 0x00000000 (0)
>>             pdc_ip                   : (null)
>>             remaining                : DATA_BLOB length=0
>>         next_closest_site        : NULL
>>         nt_version               : 0x00000005 (5)
>>                1: NETLOGON_NT_VERSION_1
>>                0: NETLOGON_NT_VERSION_5
>>                1: NETLOGON_NT_VERSION_5EX
>>                0: NETLOGON_NT_VERSION_5EX_WITH_IP
>>                0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
>>                0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
>>                0: NETLOGON_NT_VERSION_PDC
>>                0: NETLOGON_NT_VERSION_IP
>>                0: NETLOGON_NT_VERSION_LOCAL
>>                0: NETLOGON_NT_VERSION_GC
>>         lmnt_token               : 0xffff (65535)
>>         lm20_token               : 0xffff (65535)
>> Did not store value for DSGETDCNAME/DOMAIN/AD, we already got it
>> sitename_store: realm = [AD], sitename = [Neuoetting], expire =
>> [2147483647]
>> Did not store value for AD_SITENAME/DOMAIN/AD, we already got it
>> Adding cache entry with key=[DSGETDCNAME/DOMAIN/AD.DILKEN.EU] and
>> timeout=[Di Mär 10 21:25:28 2015 CET] (900 seconds ahead)
>> sitename_store: realm = [ad.dilken.eu], sitename = [Neuoetting],
>> expire = [2147483647]
>> Did not store value for AD_SITENAME/DOMAIN/AD.DILKEN.EU, we already got it
>> sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
>> internal_resolve_name: looking up dc2.ad.dilken.eu#20 (sitename
>> Neuoetting)
>> Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Do
>> Jan  1 01:00:00 1970 CET] (-1426018228 seconds in the past)
>> no entry for dc2.ad.dilken.eu#20 found.
>> resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
>> resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
>> startlmhosts: Can't open lmhosts file /usr/local/etc/lmhosts. Error
>> was No such file or directory
>> resolve_wins: WINS server resolution selected and no WINS servers listed.
>> resolve_hosts: Attempting host lookup for name dc2.ad.dilken.eu<0x20>
>> remove_duplicate_addrs2: looking for duplicate address/port pairs
>> namecache_store: storing 1 address for dc2.ad.dilken.eu#20: 192.168.2.2
>> Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Di
>> Mär 10 21:21:28 2015 CET] (660 seconds ahead)
>> internal_resolve_name: returning 1 addresses: 192.168.2.2:0
>> Connecting to 192.168.2.2 at port 445
>> Socket options:
>>         SO_KEEPALIVE = 0
>>         SO_REUSEADDR = 0
>>         SO_BROADCAST = 0
>>         TCP_NODELAY = 4
>>         TCP_KEEPCNT = 0
>>         TCP_KEEPIDLE = 0
>>         TCP_KEEPINTVL = 0
>>         IPTOS_LOWDELAY = 0
>>         IPTOS_THROUGHPUT = 0
>>         SO_REUSEPORT = 0
>>         SO_SNDBUF = 66608
>>         SO_RCVBUF = 66608
>>         SO_SNDLOWAT = 2048
>>         SO_RCVLOWAT = 1
>>         SO_SNDTIMEO = 0
>>         SO_RCVTIMEO = 0
>> Doing spnego session setup (blob length=96)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178@please_ignore
>>      negotiate: struct NEGOTIATE_MESSAGE
>>         Signature                : 'NTLMSSP'
>>         MessageType              : NtLmNegotiate (1)
>>         NegotiateFlags           : 0x60088215 (1611170325)
>>                1: NTLMSSP_NEGOTIATE_UNICODE
>>                0: NTLMSSP_NEGOTIATE_OEM
>>                1: NTLMSSP_REQUEST_TARGET
>>                1: NTLMSSP_NEGOTIATE_SIGN
>>                0: NTLMSSP_NEGOTIATE_SEAL
>>                0: NTLMSSP_NEGOTIATE_DATAGRAM
>>                0: NTLMSSP_NEGOTIATE_LM_KEY
>>                0: NTLMSSP_NEGOTIATE_NETWARE
>>                1: NTLMSSP_NEGOTIATE_NTLM
>>                0: NTLMSSP_NEGOTIATE_NT_ONLY
>>                0: NTLMSSP_ANONYMOUS
>>                0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>>                0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>>                0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>>                1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>                0: NTLMSSP_TARGET_TYPE_DOMAIN
>>                0: NTLMSSP_TARGET_TYPE_SERVER
>>                0: NTLMSSP_TARGET_TYPE_SHARE
>>                1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>                0: NTLMSSP_NEGOTIATE_IDENTIFY
>>                0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>>                0: NTLMSSP_NEGOTIATE_TARGET_INFO
>>                0: NTLMSSP_NEGOTIATE_VERSION
>>                1: NTLMSSP_NEGOTIATE_128
>>                1: NTLMSSP_NEGOTIATE_KEY_EXCH
>>                0: NTLMSSP_NEGOTIATE_56
>>         DomainNameLen            : 0x0002 (2)
>>         DomainNameMaxLen         : 0x0002 (2)
>>         DomainName               : *
>>             DomainName               : 'AD'
>>         WorkstationLen           : 0x000a (10)
>>         WorkstationMaxLen        : 0x000a (10)
>>         Workstation              : *
>>             Workstation              : 'FILESERVER'
>>      challenge: struct CHALLENGE_MESSAGE
>>         Signature                : 'NTLMSSP'
>>         MessageType              : NtLmChallenge (0x2)
>>         TargetNameLen            : 0x0004 (4)
>>         TargetNameMaxLen         : 0x0004 (4)
>>         TargetName               : *
>>             TargetName               : 'AD'
>>         NegotiateFlags           : 0x60898215 (1619624469)
>>                1: NTLMSSP_NEGOTIATE_UNICODE
>>                0: NTLMSSP_NEGOTIATE_OEM
>>                1: NTLMSSP_REQUEST_TARGET
>>                1: NTLMSSP_NEGOTIATE_SIGN
>>                0: NTLMSSP_NEGOTIATE_SEAL
>>                0: NTLMSSP_NEGOTIATE_DATAGRAM
>>                0: NTLMSSP_NEGOTIATE_LM_KEY
>>                0: NTLMSSP_NEGOTIATE_NETWARE
>>                1: NTLMSSP_NEGOTIATE_NTLM
>>                0: NTLMSSP_NEGOTIATE_NT_ONLY
>>                0: NTLMSSP_ANONYMOUS
>>                0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>>                0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>>                0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>>                1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>                1: NTLMSSP_TARGET_TYPE_DOMAIN
>>                0: NTLMSSP_TARGET_TYPE_SERVER
>>                0: NTLMSSP_TARGET_TYPE_SHARE
>>                1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>                0: NTLMSSP_NEGOTIATE_IDENTIFY
>>                0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>>                1: NTLMSSP_NEGOTIATE_TARGET_INFO
>>                0: NTLMSSP_NEGOTIATE_VERSION
>>                1: NTLMSSP_NEGOTIATE_128
>>                1: NTLMSSP_NEGOTIATE_KEY_EXCH
>>                0: NTLMSSP_NEGOTIATE_56
>>         ServerChallenge          : 5de2f6f04d891106
>>         Reserved                 : 0000000000000000
>>         TargetInfoLen            : 0x0056 (86)
>>         TargetNameInfoMaxLen     : 0x0056 (86)
>>         TargetInfo               : *
>>             TargetInfo: struct AV_PAIR_LIST
>>                 count                    : 0x00000005 (5)
>>                 pair: ARRAY(5)
>>                     pair: struct AV_PAIR
>>                         AvId                     : MsvAvNbDomainName (0x2)
>>                         AvLen                    : 0x0004 (4)
>>                         Value                    : union
>> ntlmssp_AvValue(case 0x2)
>>                         AvNbDomainName           : 'AD'
>>                     pair: struct AV_PAIR
>>                         AvId                     : MsvAvNbComputerName
>> (0x1)
>>                         AvLen                    : 0x0006 (6)
>>                         Value                    : union
>> ntlmssp_AvValue(case 0x1)
>>                         AvNbComputerName         : 'DC2'
>>                     pair: struct AV_PAIR
>>                         AvId                     : MsvAvDnsDomainName
>> (0x4)
>>                         AvLen                    : 0x0018 (24)
>>                         Value                    : union
>> ntlmssp_AvValue(case 0x4)
>>                         AvDnsDomainName          : 'ad.dilken.eu'
>>                     pair: struct AV_PAIR
>>                         AvId                     :
>> MsvAvDnsComputerName (0x3)
>>                         AvLen                    : 0x0020 (32)
>>                         Value                    : union
>> ntlmssp_AvValue(case 0x3)
>>                         AvDnsComputerName        : 'dc2.ad.dilken.eu'
>>                     pair: struct AV_PAIR
>>                         AvId                     : MsvAvEOL (0x0)
>>                         AvLen                    : 0x0000 (0)
>>                         Value                    : union
>> ntlmssp_AvValue(case 0x0)
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> Bus error (Speicherabzug geschrieben)
>> 
>> The final result is the same as above.
>> 
>> Greetings,
>> 
>> Roman
> 
> It looks like it cannot find a DC.
> 
> You never did say what you are trying to join to, Samba 4 AD server, windows AD server or what ?
> 
> What does /etc/resolv.conf point to ??
> 
> Is it your AD DC server ?
> 
> Rowland
> 


