[Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"

Akash Jain akash.jain110683 at gmail.com
Wed Dec 6 08:12:17 UTC 2017


Hello All

Can someone please help me understand what could be the reason SPNEGO fails
with a Windows AD server?

  SPNEGO login failed: The transport connection is now disconnected.
  error_string             : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'



Thanks in Advance

Akash

On Fri, Dec 1, 2017 at 4:55 PM, Akash Jain <akash.jain110683 at gmail.com>
wrote:

> Hello All
>
> I am seeing the following error intermittently when I try to join the Samba
> machine into AD controlled by a Windows machine.
>
> Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM'
> over rpc: The transport connection is now disconnected.
>
> If we repeat the same command with the same configuration and credentials, it
> succeeds.
>
> Detailed logs at log level 5 are at end of the message.
>
>
> Command:
> net ads join -d5 -e -I <AD Controller IP>  -U administrator%<password>
>
> Configuration details are as follows:
>
> -------------------- smb.conf -----------------------
> [global]
> max log size = 0
> realm = DOMAIN.COM
> workgroup = DOMAIN
> security = ADS
> winbind enum users = yes
> winbind enum groups = yes
> idmap config * : backend = autorid
> idmap config * : range = 1000000-19999999
> passdb backend = tdbsam
>
> ------------------- krb5.conf ------------------------
> [libdefaults]
> default_realm = DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
> [realms]
> DOMAIN.COM = {
> kdc = PDC.DOMAIN.COM
> admin_server = PDC.DOMAIN.COM
> }
> [domain_realm]
> domain = DOMAIN.COM
> .domain = DOMAIN.COM
>
>
> --------------------------------------------------------------------------------------------
>
> Log level 5 logs for net ads command are:
>
>
> Enter Administrator's password:libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         in: struct libnet_JoinCtx
>             dc_name                  : NULL
>             machine_name             : 'Hostname'
>             domain_name              : *
>                 domain_name              : 'DOMAIN.COM'
>             domain_name_type         : JoinDomNameTypeDNS (1)
>             account_ou               : NULL
>             admin_account            : 'Administrator'
>             admin_domain             : NULL
>             machine_password         : NULL
>             join_flags               : 0x00000023 (35)
>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>             os_version               : NULL
>             os_name                  : NULL
>             os_servicepack           : NULL
>             create_upn               : 0x00 (0)
>             upn                      : NULL
>             modify_config            : 0x00 (0)
>             ads                      : NULL
>             debug                    : 0x01 (1)
>             use_kerberos             : 0x00 (0)
>             secure_channel_type      : SEC_CHAN_WKSTA (2)
>             desired_encryption_types : 0x0000001f (31)
> Opening cache file at /var/lib/samba/gencache.tdb
> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> "Default-First-Site-Name"
> ads_dns_lookup_srv: 1 records returned in the answer section.
> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> "Default-First-Site-Name"
> no entry for PDC.DOMAIN.COM#20 found.
> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> namecache_store: storing 1 address for PDC.DOMAIN.COM#20: <AD Controller IP>
> Connecting to <AD Controller IP> at port 445
> E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
> Connecting to <AD Controller IP> at port 139
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 87040
>         SO_RCVBUF = 367360
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
> got OID=1.3.6.1.4.1.311.2.2.10
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Starting GENSEC mechanism spnego
> Server claims it's principal name is not_defined_in_RFC4178 at PLEASE_IGNORE
> Starting GENSEC submechanism ntlmssp
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_TARGET_TYPE_DOMAIN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: The transport connection is now disconnected.
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : NULL
>             dns_domain_name          : NULL
>             forest_name              : NULL
>             dn                       : NULL
>             domain_sid               : NULL
>                 domain_sid               : (NULL SID)
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
>             domain_is_ad             : 0x00 (0)
>             set_encryption_types     : 0x00000000 (0)
>             result                   : WERR_NETNAME_DELETED
> return code = -1
> Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.
>
> --------------------------------------------------------------------------------------------------------------------------
>
> If we compare the Success vs Failure logs, we see only difference of
> following lines:
>
>
> Below lines are missing in Failure case:
> ----------------------------------------------
> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan 1 05:30:00 1970 IST] (-1511892480 seconds in the past)
> no entry for PDC.DOMAIN.COM#20 found.
> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28 23:49:00 2017 IST] (660 seconds ahead)
> internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
> -------------------------------------------------
>
> Also, OIDs are different.
>
> Please help me understand in what scenarios the domain controller would
> revoke the transport connection with an SPNEGO failure for the same flags and
> the same inputs.
>
> Thanks
> Akash
>
>
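The success-versus-failure comparison made in the quoted post, as an added triage script that is neither from the post nor from Samba: it parses `net ads join -d5` output, decodes the NTLMSSP `neg_flags` words against the MS-NLMP bit definitions, maps the SPNEGO `got OID=` value to a mechanism name, diffs two runs field by field, and lists plain observations for a failed run. The two embedded logs are constructed: the failure run is condensed from the post's excerpt with `192.0.2.10` as a placeholder for the AD controller IP, and the success run's shape (Kerberos OID, `WERR_OK`) is an assumption, since the post only lists the resolver lines that are missing from the failure.

```python
"""Triage helper for `net ads join -d5` output (added example, not Samba code):
decodes NTLMSSP neg_flags, maps the SPNEGO OID and diffs a good run against
a bad one so the comparison made in the post can be repeated mechanically."""
import re

# NTLMSSP negotiate flag bits as defined in MS-NLMP section 2.2.2.5.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
# SPNEGO mechanism OIDs a 'got OID=' line can report.
KNOWN_OIDS = {"1.2.840.113554.1.2.2": "KRB5", "1.2.840.48018.1.2.2": "MS KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

# Constructed failure run from the post's excerpt; 192.0.2.10 is a placeholder IP.
FAILURE_LOG = """\
Connecting to 192.0.2.10 at port 445
Connecting to 192.0.2.10 at port 139
got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got NTLMSSP neg_flags=0x62898215
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: The transport connection is now disconnected.
            error_string             : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
            domain_is_ad             : 0x00 (0)
            result                   : WERR_NETNAME_DELETED
return code = -1
"""
# Constructed success run; its shape (Kerberos OID, WERR_OK) is ASSUMED, the
# post only lists the resolver lines that are missing from the failure.
SUCCESS_LOG = """\
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 192.0.2.10
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28 23:49:00 2017 IST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 192.0.2.10 :0
Connecting to 192.0.2.10 at port 445
got OID=1.2.840.113554.1.2.2
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
            error_string             : NULL
            domain_is_ad             : 0x01 (1)
            result                   : WERR_OK
return code = 0
"""

def decode_neg_flags(value):
    """Names of the flags set in an NTLMSSP neg_flags word, lowest bit first."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]

def parse_join_log(text):
    """Pull the negotiation facts out of one debug run."""
    err = re.search(r"error_string\s*:\s*(NULL|'.*?')\s*\n\s*domain_is_ad", text, re.S)
    res = re.search(r"\bresult\s*:\s*(\S+)", text)
    return {
        "ports_tried": [int(p) for p in re.findall(r"Connecting to \S+ at port (\d+)", text)],
        "mechanisms": [KNOWN_OIDS.get(o, o) for o in re.findall(r"got OID=([\d.]+)", text)],
        "neg_flags": [int(v, 16) for v in re.findall(r"neg_flags=0x([0-9a-fA-F]+)", text)],
        "resolved": "internal_resolve_name: returning" in text,
        "spnego_failed": "SPNEGO login failed" in text,
        "error_string": None if not err or err.group(1) == "NULL" else err.group(1).strip("'"),
        "result": res.group(1) if res else None,
    }

def compare_runs(success_text, failure_text):
    """Fields whose value differs between a good run and a bad run."""
    good, bad = parse_join_log(success_text), parse_join_log(failure_text)
    return {k: (good[k], bad[k]) for k in good if good[k] != bad[k]}

def triage(failure_text):
    """Plain observations about a failed run, each traceable to a log line."""
    info, notes = parse_join_log(failure_text), []
    if info["ports_tried"][:2] == [445, 139]:
        notes.append("port 445 session was abandoned and the join retried on port 139")
    if "NTLMSSP" in info["mechanisms"] and not any("KRB5" in m for m in info["mechanisms"]):
        notes.append("SPNEGO selected NTLMSSP; no Kerberos mechanism appears in this run")
    if info["neg_flags"]:
        final = decode_neg_flags(info["neg_flags"][-1])
        notes.append("final NTLMSSP flags: sign=%s seal=%s" % (
            "NTLMSSP_NEGOTIATE_SIGN" in final, "NTLMSSP_NEGOTIATE_SEAL" in final))
    if not info["resolved"]:
        notes.append("no 'internal_resolve_name: returning' line in this run")
    if info["spnego_failed"]:
        notes.append("server dropped the transport during SPNEGO; result %s" % info["result"])
    return notes

if __name__ == "__main__":
    for k, (good, bad) in compare_runs(SUCCESS_LOG, FAILURE_LOG).items():
        print("%-14s success=%r failure=%r" % (k, good, bad))
    for note in triage(FAILURE_LOG):
        print("- " + note)
```

Running the file prints the per-field diff followed by the triage notes; to use it on real captures, read each `-d5` transcript into a string and pass it to `compare_runs` or `triage`. The flag decoder reproduces the two lists in the post exactly: `0x62898215` carries `NTLMSSP_TARGET_TYPE_DOMAIN` and `NTLMSSP_NEGOTIATE_TARGET_INFO`, and the final `0x62088215` has dropped both.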

