[Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"

Akash Jain akash.jain110683 at gmail.com
Fri Dec 1 11:25:58 UTC 2017


Hello All

I am seeing following error intermittently when I try to join the samba
machine into AD controlled by windows machine.

Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM'
over rpc: The transport connection is now disconnected.

If we repeat the same command with same configuration and credentials, it
succeeds.

Detailed logs at log level 5 are at end of the message.


Command:
net ads join -d5 -e -I <AD Controller IP>  -U administrator%<password>

configuration details are as follows

-------------------- smb.conf -----------------------
[global]
max log size = 0
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
passdb backend = tdbsam

------------------- krb5.conf ------------------------
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.COM = {
kdc = PDC.DOMAIN.COM
admin_server = PDC.DOMAIN.COM
}
[domain_realm]
domain = DOMAIN.COM
.domain = DOMAIN.COM


----------------------------------------------------------------------------------------------

Log level 5 logs for net ads command are:


Enter Administrator's password:libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'Hostname'
            domain_name              : *
                domain_name              : 'DOMAIN.COM'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'Administrator'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
"Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
"Default-First-Site-Name"
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: <AD Controller IP>
Connecting to <AD Controller IP> at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
Connecting to <AD Controller IP> at port 139
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 367360
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Server claims it's principal name is not_defined_in_RFC4178 at PLEASE_IGNORE
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: The transport connection is now disconnected.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_sid               : NULL
                domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to lookup DC info for domain
'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
            domain_is_ad             : 0x00 (0)
            set_encryption_types     : 0x00000000 (0)
            result                   : WERR_NETNAME_DELETED
return code = -1
Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM'
over rpc: The transport connection is now disconnected.

------------------------------------------------------------------------------------------------------------------------------

If we compare the Success vs Failure logs, we see only difference of
following lines:


Below lines are missing in Failure case:
----------------------------------------------
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan  1
05:30:00 1970 IST] (-1511892480 seconds in the past)
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28
23:49:00 2017 IST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
-------------------------------------------------

Also, OIDs are different.

Please help me understand in what scenarios does domain controller will
revoke the transport connection with SPNEGO failed for same flags and same
inputs

Thanks
Akash


More information about the samba mailing list