[Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"
Akash Jain
akash.jain110683 at gmail.com
Fri Dec 1 11:25:58 UTC 2017
Hello All
I am seeing the following error intermittently when I try to join the Samba
machine to an AD controlled by a Windows machine.
Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM'
over rpc: The transport connection is now disconnected.
If we repeat the same command with the same configuration and credentials, it
succeeds.
Detailed logs at log level 5 are at the end of the message.
Command:
net ads join -d5 -e -I <AD Controller IP> -U administrator%<password>
Configuration details are as follows:
-------------------- smb.conf -----------------------
[global]
max log size = 0
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
passdb backend = tdbsam
------------------- krb5.conf ------------------------
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.COM = {
kdc = PDC.DOMAIN.COM
admin_server = PDC.DOMAIN.COM
}
[domain_realm]
domain = DOMAIN.COM
.domain = DOMAIN.COM
----------------------------------------------------------------------------------------------
Log level 5 logs for net ads command are:
Enter Administrator's password:libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'Hostname'
domain_name : *
domain_name : 'DOMAIN.COM'
domain_name_type : JoinDomNameTypeDNS (1)
account_ou : NULL
admin_account : 'Administrator'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
"Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
"Default-First-Site-Name"
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: <AD Controller IP>
Connecting to <AD Controller IP> at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
Connecting to <AD Controller IP> at port 139
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 367360
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Server claims it's principal name is not_defined_in_RFC4178 at PLEASE_IGNORE
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: The transport connection is now disconnected.
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain
'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
domain_is_ad : 0x00 (0)
set_encryption_types : 0x00000000 (0)
result : WERR_NETNAME_DELETED
return code = -1
Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM'
over rpc: The transport connection is now disconnected.
------------------------------------------------------------------------------------------------------------------------------
If we compare the success and failure logs, the only difference we see is in
the following lines.
The lines below are missing in the failure case:
----------------------------------------------
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan 1
05:30:00 1970 IST] (-1511892480 seconds in the past)
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28
23:49:00 2017 IST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
-------------------------------------------------
Also, the OIDs are different.
Please help me understand in what scenarios the domain controller will
revoke the transport connection, with SPNEGO failing, for the same flags and
the same inputs.
Thanks
Akash
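
The NTLMSSP flag values in the log above, decoded stage by stage (an added example, not part of the original post and not Samba's code; the bit values are taken from the NTLM specification, MS-NLMP, and the function names are hypothetical). Feeding it the log of a successful join as well shows whether both runs really negotiated the same flags.

```python
import re

# Bit values are from the NTLM spec (MS-NLMP); "NTLMSSP_" + name gives the
# spelling Samba prints in the log. Bits not listed are reported as hex.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Stage headings and values copied from the failing log in the post.
FAILED_JOIN_LOG = """\
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: The transport connection is now disconnected.
"""

def decode(value):
    """Names of the bits set in value, lowest bit first."""
    bits = (1 << i for i in range(32) if value >> i & 1)
    return ["NTLMSSP_" + FLAGS.get(b, f"UNKNOWN_0x{b:08x}") for b in bits]

def flag_stages(log):
    """Pair every neg_flags value with the 'flags:' heading that precedes it."""
    stages, heading = [], None
    for line in map(str.strip, log.splitlines()):
        if line.endswith("flags:"):
            heading = line[:-1]
        elif (m := re.search(r"neg_flags=0x([0-9a-fA-F]+)", line)):
            stages.append((heading, int(m.group(1), 16)))
    return stages

def dropped(before, after):
    """Flags present in `before` that are no longer set in `after`."""
    return decode(before & ~after)

if __name__ == "__main__":
    stages = flag_stages(FAILED_JOIN_LOG)
    for (name, value), (_, nxt) in zip(stages, stages[1:] + stages[-1:]):
        print(f"{name}: 0x{value:08x} dropped next: {dropped(value, nxt)}")
```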