[Samba] net ads join fails
Rowland Penny
rowlandpenny at googlemail.com
Tue Mar 10 14:43:17 MDT 2015
On 10/03/15 20:29, Roman Dilken wrote:
> Oh, I have a pair of samba-4.1.17 DCs, raspberry-pi and dc2, which make up the domain ad.dilken.eu on site Neuoetting.
>
> resolv.conf points to the two dc's:
>
> search ad.dilken.eu
> nameserver 192.168.2.33
> nameserver 192.168.2.2
>
> In the output I find some relations to dc2 resp. 192.168.2.2, but perhaps it doesn't work as expected..
>
> Greetings
>
> On 10.03.2015 at 21:23, Rowland Penny wrote:
>
>> On 10/03/15 20:14, Roman Dilken wrote:
>>> On 10.03.2015 20:20, Rowland Penny wrote:
>>>
>>>> OK, the first will not work (well not yet), the second should, I
>>>> take it you ran 'kinit Administrator@AD.DILKEN.EU' as root before
>>>> the join?
>>>>
>>>> You could try 'net ads join -U Administrator' and enter the
>>>> password when prompted, I personally have never seen the point in
>>>> using kerberos during the join, either way you have to enter the
>>>> Administrator password :-)
>>>>
>>>> Rowland
>>>>
>>> OK, new try... I did kinit Administrator@AD.DILKEN.EU, but I always
>>> have to enter the password with or without kerberos.
>>>
>>> Now I try it without -k:
>>>
>>> net ads join -UAdministrator -d 10
>>>
>>> Result:
>>>
>>> INFO: Current debug levels:
>>> all: 10
>>> tdb: 10
>>> printdrivers: 10
>>> lanman: 10
>>> smb: 10
>>> rpc_parse: 10
>>> rpc_srv: 10
>>> rpc_cli: 10
>>> passdb: 10
>>> sam: 10
>>> auth: 10
>>> winbind: 10
>>> vfs: 10
>>> idmap: 10
>>> quota: 10
>>> acls: 10
>>> locking: 10
>>> msdfs: 10
>>> dmapi: 10
>>> registry: 10
>>> scavenger: 10
>>> dns: 10
>>> ldb: 10
>>> lp_load_ex: refreshing parameters
>>> Initialising global parameters
>>> INFO: Current debug levels:
>>> all: 10
>>> tdb: 10
>>> printdrivers: 10
>>> lanman: 10
>>> smb: 10
>>> rpc_parse: 10
>>> rpc_srv: 10
>>> rpc_cli: 10
>>> passdb: 10
>>> sam: 10
>>> auth: 10
>>> winbind: 10
>>> vfs: 10
>>> idmap: 10
>>> quota: 10
>>> acls: 10
>>> locking: 10
>>> msdfs: 10
>>> dmapi: 10
>>> registry: 10
>>> scavenger: 10
>>> dns: 10
>>> ldb: 10
>>> params.c:pm_process() - Processing configuration file
>>> "/usr/local/etc/smb4.conf"
>>> Processing section "[global]"
>>> doing parameter netbios name = fileserver
>>> doing parameter workgroup = AD
>>> doing parameter security = ADS
>>> doing parameter realm = AD.DILKEN.EU
>>> doing parameter dedicated keytab file = /usr/local/etc/krb5.keytab
>>> doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
>>> doing parameter server role = member server
>>> doing parameter winbind refresh tickets = yes
>>> doing parameter use sendfile = true
>>> doing parameter idmap config *:backend = tdb
>>> doing parameter idmap config *:range = 2000-9999
>>> doing parameter idmap config AD:backend = ad
>>> doing parameter idmap config AD:schema_mode = rfc2307
>>> doing parameter idmap config AD:range = 10000-99999
>>> doing parameter winbind nss info = rfc2307
>>> doing parameter winbind trusted domains only = no
>>> doing parameter winbind use default domain = yes
>>> doing parameter winbind enum users = yes
>>> doing parameter winbind enum groups = yes
>>> doing parameter log level = 10
>>> doing parameter read only = no
>>> doing parameter inherit permissions = No
>>> doing parameter inherit acls = No
>>> doing parameter inherit owner = No
>>> doing parameter force unknown acl user = No
>>> doing parameter store dos attributes = Yes
>>> doing parameter map read only = No
>>> doing parameter vfs objects = zfsacl
>>> doing parameter nfs4:mode = special
>>> doing parameter nfs4:acedup = merge
>>> doing parameter nfs4:chown = yes
>>> pm_process() returned Yes
>>> lp_servicenumber: couldn't find homes
>>> Netbios name list:-
>>> my_netbios_names[0]="FILESERVER"
>>> added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
>>> netmask=255.255.255.0
>>> Registering messaging pointer for type 2 - private_data=0x0
>>> Registering messaging pointer for type 9 - private_data=0x0
>>> Registered MSG_REQ_POOL_USAGE
>>> Registering messaging pointer for type 11 - private_data=0x0
>>> Registering messaging pointer for type 12 - private_data=0x0
>>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>> Registering messaging pointer for type 1 - private_data=0x0
>>> Registering messaging pointer for type 5 - private_data=0x0
>>> Enter Administrator's password:
>>> libnet_Join:
>>> libnet_JoinCtx: struct libnet_JoinCtx
>>> in: struct libnet_JoinCtx
>>> dc_name : NULL
>>> machine_name : 'FILESERVER'
>>> domain_name : *
>>> domain_name : 'AD.DILKEN.EU'
>>> account_ou : NULL
>>> admin_account : 'Administrator'
>>> machine_password : NULL
>>> join_flags : 0x00000023 (35)
>>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>> os_version : NULL
>>> os_name : NULL
>>> create_upn : 0x00 (0)
>>> upn : NULL
>>> modify_config : 0x00 (0)
>>> ads : NULL
>>> debug : 0x01 (1)
>>> use_kerberos : 0x00 (0)
>>> secure_channel_type : SEC_CHAN_WKSTA (2)
>>> Opening cache file at /var/db/samba4/gencache.tdb
>>> Opening cache file at /var/db/samba4/gencache_notrans.tdb
>>> sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
>>> dsgetdcname_internal: domain_name: AD.DILKEN.EU, domain_guid: (null),
>>> site_name: Neuoetting, flags: 0x40001011
>>> debug_dsdcinfo_flags: 0x40001011
>>> DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED
>>> DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
>>> dsgetdcname_rediscover
>>> ads_dns_lookup_srv: 1 records returned in the answer section.
>>> ads_dns_parse_rr_srv: Parsed dc2.ad.dilken.eu [0, 100, 389]
>>> LDAP ping to dc2.ad.dilken.eu
>>> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
>>> command : LOGON_SAM_LOGON_RESPONSE_EX (23)
>>> sbz : 0x0000 (0)
>>> server_type : 0x000003fc (1020)
>>> 0: NBT_SERVER_PDC
>>> 1: NBT_SERVER_GC
>>> 1: NBT_SERVER_LDAP
>>> 1: NBT_SERVER_DS
>>> 1: NBT_SERVER_KDC
>>> 1: NBT_SERVER_TIMESERV
>>> 1: NBT_SERVER_CLOSEST
>>> 1: NBT_SERVER_WRITABLE
>>> 1: NBT_SERVER_GOOD_TIMESERV
>>> 0: NBT_SERVER_NDNC
>>> 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
>>> 0: NBT_SERVER_FULL_SECRET_DOMAIN_6
>>> 0: NBT_SERVER_ADS_WEB_SERVICE
>>> 0: NBT_SERVER_HAS_DNS_NAME
>>> 0: NBT_SERVER_IS_DEFAULT_NC
>>> 0: NBT_SERVER_FOREST_ROOT
>>> domain_uuid : 56b6b4e7-d3f5-448d-ae4b-5b68a3662b2f
>>> forest : 'ad.dilken.eu'
>>> dns_domain : 'ad.dilken.eu'
>>> pdc_dns_name : 'dc2.ad.dilken.eu'
>>> domain_name : 'AD'
>>> pdc_name : 'DC2'
>>> user_name : ''
>>> server_site : 'Neuoetting'
>>> client_site : 'Neuoetting'
>>> sockaddr_size : 0x00 (0)
>>> sockaddr: struct nbt_sockaddr
>>> sockaddr_family : 0x00000000 (0)
>>> pdc_ip : (null)
>>> remaining : DATA_BLOB length=0
>>> next_closest_site : NULL
>>> nt_version : 0x00000005 (5)
>>> 1: NETLOGON_NT_VERSION_1
>>> 0: NETLOGON_NT_VERSION_5
>>> 1: NETLOGON_NT_VERSION_5EX
>>> 0: NETLOGON_NT_VERSION_5EX_WITH_IP
>>> 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
>>> 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
>>> 0: NETLOGON_NT_VERSION_PDC
>>> 0: NETLOGON_NT_VERSION_IP
>>> 0: NETLOGON_NT_VERSION_LOCAL
>>> 0: NETLOGON_NT_VERSION_GC
>>> lmnt_token : 0xffff (65535)
>>> lm20_token : 0xffff (65535)
>>> Did not store value for DSGETDCNAME/DOMAIN/AD, we already got it
>>> sitename_store: realm = [AD], sitename = [Neuoetting], expire =
>>> [2147483647]
>>> Did not store value for AD_SITENAME/DOMAIN/AD, we already got it
>>> Adding cache entry with key=[DSGETDCNAME/DOMAIN/AD.DILKEN.EU] and
>>> timeout=[Di Mär 10 21:25:28 2015 CET] (900 seconds ahead)
>>> sitename_store: realm = [ad.dilken.eu], sitename = [Neuoetting],
>>> expire = [2147483647]
>>> Did not store value for AD_SITENAME/DOMAIN/AD.DILKEN.EU, we already got it
>>> sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
>>> internal_resolve_name: looking up dc2.ad.dilken.eu#20 (sitename
>>> Neuoetting)
>>> Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Do
>>> Jan 1 01:00:00 1970 CET] (-1426018228 seconds in the past)
>>> no entry for dc2.ad.dilken.eu#20 found.
>>> resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
>>> resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
>>> startlmhosts: Can't open lmhosts file /usr/local/etc/lmhosts. Error
>>> was No such file or directory
>>> resolve_wins: WINS server resolution selected and no WINS servers listed.
>>> resolve_hosts: Attempting host lookup for name dc2.ad.dilken.eu<0x20>
>>> remove_duplicate_addrs2: looking for duplicate address/port pairs
>>> namecache_store: storing 1 address for dc2.ad.dilken.eu#20: 192.168.2.2
>>> Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Di
>>> Mär 10 21:21:28 2015 CET] (660 seconds ahead)
>>> internal_resolve_name: returning 1 addresses: 192.168.2.2:0
>>> Connecting to 192.168.2.2 at port 445
>>> Socket options:
>>> SO_KEEPALIVE = 0
>>> SO_REUSEADDR = 0
>>> SO_BROADCAST = 0
>>> TCP_NODELAY = 4
>>> TCP_KEEPCNT = 0
>>> TCP_KEEPIDLE = 0
>>> TCP_KEEPINTVL = 0
>>> IPTOS_LOWDELAY = 0
>>> IPTOS_THROUGHPUT = 0
>>> SO_REUSEPORT = 0
>>> SO_SNDBUF = 66608
>>> SO_RCVBUF = 66608
>>> SO_SNDLOWAT = 2048
>>> SO_RCVLOWAT = 1
>>> SO_SNDTIMEO = 0
>>> SO_RCVTIMEO = 0
>>> Doing spnego session setup (blob length=96)
>>> got OID=1.2.840.48018.1.2.2
>>> got OID=1.2.840.113554.1.2.2
>>> got OID=1.3.6.1.4.1.311.2.2.10
>>> got principal=not_defined_in_RFC4178 at please_ignore
>>> negotiate: struct NEGOTIATE_MESSAGE
>>> Signature : 'NTLMSSP'
>>> MessageType : NtLmNegotiate (1)
>>> NegotiateFlags : 0x60088215 (1611170325)
>>> 1: NTLMSSP_NEGOTIATE_UNICODE
>>> 0: NTLMSSP_NEGOTIATE_OEM
>>> 1: NTLMSSP_REQUEST_TARGET
>>> 1: NTLMSSP_NEGOTIATE_SIGN
>>> 0: NTLMSSP_NEGOTIATE_SEAL
>>> 0: NTLMSSP_NEGOTIATE_DATAGRAM
>>> 0: NTLMSSP_NEGOTIATE_LM_KEY
>>> 0: NTLMSSP_NEGOTIATE_NETWARE
>>> 1: NTLMSSP_NEGOTIATE_NTLM
>>> 0: NTLMSSP_NEGOTIATE_NT_ONLY
>>> 0: NTLMSSP_ANONYMOUS
>>> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>>> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>>> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>>> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>> 0: NTLMSSP_TARGET_TYPE_DOMAIN
>>> 0: NTLMSSP_TARGET_TYPE_SERVER
>>> 0: NTLMSSP_TARGET_TYPE_SHARE
>>> 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>> 0: NTLMSSP_NEGOTIATE_IDENTIFY
>>> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>>> 0: NTLMSSP_NEGOTIATE_TARGET_INFO
>>> 0: NTLMSSP_NEGOTIATE_VERSION
>>> 1: NTLMSSP_NEGOTIATE_128
>>> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
>>> 0: NTLMSSP_NEGOTIATE_56
>>> DomainNameLen : 0x0002 (2)
>>> DomainNameMaxLen : 0x0002 (2)
>>> DomainName : *
>>> DomainName : 'AD'
>>> WorkstationLen : 0x000a (10)
>>> WorkstationMaxLen : 0x000a (10)
>>> Workstation : *
>>> Workstation : 'FILESERVER'
>>> challenge: struct CHALLENGE_MESSAGE
>>> Signature : 'NTLMSSP'
>>> MessageType : NtLmChallenge (0x2)
>>> TargetNameLen : 0x0004 (4)
>>> TargetNameMaxLen : 0x0004 (4)
>>> TargetName : *
>>> TargetName : 'AD'
>>> NegotiateFlags : 0x60898215 (1619624469)
>>> 1: NTLMSSP_NEGOTIATE_UNICODE
>>> 0: NTLMSSP_NEGOTIATE_OEM
>>> 1: NTLMSSP_REQUEST_TARGET
>>> 1: NTLMSSP_NEGOTIATE_SIGN
>>> 0: NTLMSSP_NEGOTIATE_SEAL
>>> 0: NTLMSSP_NEGOTIATE_DATAGRAM
>>> 0: NTLMSSP_NEGOTIATE_LM_KEY
>>> 0: NTLMSSP_NEGOTIATE_NETWARE
>>> 1: NTLMSSP_NEGOTIATE_NTLM
>>> 0: NTLMSSP_NEGOTIATE_NT_ONLY
>>> 0: NTLMSSP_ANONYMOUS
>>> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>>> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>>> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>>> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>> 1: NTLMSSP_TARGET_TYPE_DOMAIN
>>> 0: NTLMSSP_TARGET_TYPE_SERVER
>>> 0: NTLMSSP_TARGET_TYPE_SHARE
>>> 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>> 0: NTLMSSP_NEGOTIATE_IDENTIFY
>>> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>>> 1: NTLMSSP_NEGOTIATE_TARGET_INFO
>>> 0: NTLMSSP_NEGOTIATE_VERSION
>>> 1: NTLMSSP_NEGOTIATE_128
>>> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
>>> 0: NTLMSSP_NEGOTIATE_56
>>> ServerChallenge : 5de2f6f04d891106
>>> Reserved : 0000000000000000
>>> TargetInfoLen : 0x0056 (86)
>>> TargetNameInfoMaxLen : 0x0056 (86)
>>> TargetInfo : *
>>> TargetInfo: struct AV_PAIR_LIST
>>> count : 0x00000005 (5)
>>> pair: ARRAY(5)
>>> pair: struct AV_PAIR
>>> AvId : MsvAvNbDomainName (0x2)
>>> AvLen : 0x0004 (4)
>>> Value : union
>>> ntlmssp_AvValue(case 0x2)
>>> AvNbDomainName : 'AD'
>>> pair: struct AV_PAIR
>>> AvId : MsvAvNbComputerName
>>> (0x1)
>>> AvLen : 0x0006 (6)
>>> Value : union
>>> ntlmssp_AvValue(case 0x1)
>>> AvNbComputerName : 'DC2'
>>> pair: struct AV_PAIR
>>> AvId : MsvAvDnsDomainName
>>> (0x4)
>>> AvLen : 0x0018 (24)
>>> Value : union
>>> ntlmssp_AvValue(case 0x4)
>>> AvDnsDomainName : 'ad.dilken.eu'
>>> pair: struct AV_PAIR
>>> AvId :
>>> MsvAvDnsComputerName (0x3)
>>> AvLen : 0x0020 (32)
>>> Value : union
>>> ntlmssp_AvValue(case 0x3)
>>> AvDnsComputerName : 'dc2.ad.dilken.eu'
>>> pair: struct AV_PAIR
>>> AvId : MsvAvEOL (0x0)
>>> AvLen : 0x0000 (0)
>>> Value : union
>>> ntlmssp_AvValue(case 0x0)
>>> Got challenge flags:
>>> Got NTLMSSP neg_flags=0x60898215
>>> NTLMSSP_NEGOTIATE_UNICODE
>>> NTLMSSP_REQUEST_TARGET
>>> NTLMSSP_NEGOTIATE_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM
>>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM2
>>> NTLMSSP_NEGOTIATE_TARGET_INFO
>>> NTLMSSP_NEGOTIATE_128
>>> NTLMSSP_NEGOTIATE_KEY_EXCH
>>> NTLMSSP: Set final flags:
>>> Got NTLMSSP neg_flags=0x60088215
>>> NTLMSSP_NEGOTIATE_UNICODE
>>> NTLMSSP_REQUEST_TARGET
>>> NTLMSSP_NEGOTIATE_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM
>>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>> NTLMSSP_NEGOTIATE_NTLM2
>>> NTLMSSP_NEGOTIATE_128
>>> NTLMSSP_NEGOTIATE_KEY_EXCH
>>> Bus error (Speicherabzug geschrieben)
>>>
>>> The final result is the same as above.
>>>
>>> Greetings,
>>>
>>> Roman
>> It looks like it cannot find a DC.
>>
>> You never did say what you are trying to join to, Samba 4 AD server, windows AD server or what ?
>>
>> What does /etc/resolv.conf point to ??
>>
>> Is it your AD DC server ?
>>
>> Rowland
I wonder if it is a time problem, does 'date' return the same time
(allowing for being run on different machines), they need to be very
close together.
Rowland
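
One way to measure the clock difference instead of comparing 'date' output by eye (an added example, not part of the original message and not Samba code): ask the DC for its time over SNTP and compute the offset. It assumes the DC answers NTP on UDP port 123 (the log shows dc2.ad.dilken.eu advertising NBT_SERVER_TIMESERV) and uses the common Kerberos default limit of 300 seconds as the tolerance; the function names and the sample reply are constructed for illustration.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
MAX_SKEW = 300.0              # assumption: common Kerberos default clock-skew limit

def ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def offset_from_reply(packet, t1, t4):
    """Server-minus-client offset in seconds from a 48-byte SNTP reply.
    t1 = client send time, t4 = client receive time (Unix seconds)."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4 or packet[1] == 0:   # mode must be 'server', stratum set
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", packet[32:48])
    t2, t3 = ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2

def within_tolerance(offset, max_skew=MAX_SKEW):
    return abs(offset) <= max_skew

def query_offset(host, timeout=3.0):
    """Send one SNTP client request (LI=0, VN=4, mode=3) and return the offset."""
    request = b"\x23" + 47 * b"\0"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (host, 123))
        packet, _ = s.recvfrom(512)
        t4 = time.time()
    return offset_from_reply(packet, t1, t4)

# Constructed sample reply: stratum-2 server whose clock reads 1426018400 (Unix).
SAMPLE_REPLY = (struct.pack("!BBbb", 0x24, 2, 6, -20) + bytes(28)
                + struct.pack("!IIII", 3635007200, 0, 3635007200, 0))

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # e.g. python3 skew.py dc2.ad.dilken.eu
        off = query_offset(sys.argv[1])
    else:                                 # offline demo with the constructed reply
        off = offset_from_reply(SAMPLE_REPLY, 1426018000.0, 1426018000.0)
    print(f"offset {off:+.3f}s, within tolerance: {within_tolerance(off)}")
```

Run it on the member server with the DC's name as the argument; a positive offset means the DC's clock is ahead of the local one.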