[Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"
L.P.H. van Belle
belle at bazuin.nl
Tue Dec 12 11:18:32 UTC 2017
Your smb.conf is incorrect/incomplete.
Info is in these two links.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_rid
Your smb.conf
> >> [global]
> >> max log size = 0
> >> realm = DOMAIN.COM
> >> workgroup = DOMAIN
> >> security = ADS
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> idmap config * : backend = autorid
> >> idmap config * : range = 1000000-19999999
But yours should be something like:
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
# Template settings for login shell and home directory
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
Greetz,
Louis
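As an added example (not part of the original thread and not Samba's own code), the Python script below checks the points the reply above makes about the idmap section of smb.conf before anyone runs `net ads join`: a `*` default idmap domain with a backend and a range, a separate idmap entry for the workgroup (the AD domain), and no overlap between any two idmap ranges. The three smb.conf fragments are constructed for this example; the second one only mirrors the shape of the configuration quoted in the thread. The workgroup check encodes the per-domain layout the reply recommends, not a rule enforced by Samba itself, so treat that finding as advice rather than an error.

```python
"""Check the 'idmap config' layout of a Samba smb.conf before net ads join.

Added example, not from the original thread. Sample configurations are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the layout recommended in the reply above.
RECOMMENDED_CONF = """
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

# Constructed sample with the same shape as the quoted config: only a '*' entry.
POSTED_STYLE_CONF = """
[global]
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
"""

# Constructed sample, deliberately broken: the '*' range runs into the SAMDOM range.
OVERLAP_CONF = """
[global]
workgroup = SAMDOM
idmap config * : backend = tdb
idmap config * : range = 3000-20000
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)$", re.IGNORECASE)
OPTION_RE = re.compile(r"^([^=]+?)\s*=\s*(.*?)$")


def parse_global(conf: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (plain [global] options, {idmap domain: {option: value}})."""
    options: Dict[str, str] = {}
    idmap: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":  # idmap settings only matter in [global]
            continue
        m = IDMAP_RE.match(line)
        if m:  # 'idmap config DOMAIN : option = value' (domain names are case-insensitive)
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
            idmap.setdefault(dom, {})[opt] = val
            continue
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1).strip().lower()] = m.group(2).strip()
    return options, idmap


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH'; raises ValueError on a malformed or inverted range."""
    low, high = (int(part) for part in value.split("-"))
    if low >= high:
        raise ValueError(f"inverted range {value}")
    return low, high


def check_idmap(conf: str) -> List[str]:
    """Return the problems found; an empty list means the idmap layout is consistent."""
    problems: List[str] = []
    options, idmap = parse_global(conf)
    if "*" not in idmap:
        problems.append("missing default domain: no 'idmap config * : backend' line")
    workgroup = options.get("workgroup", "").upper()
    if workgroup and workgroup not in idmap:
        problems.append(f"workgroup {workgroup} has no idmap config entry of its own")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in idmap.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError:
            problems.append(f"{dom}: malformed range '{opts['range']}'")
    names = sorted(ranges)  # pairwise overlap test over every configured range
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return problems


if __name__ == "__main__":
    for name, conf in (("recommended", RECOMMENDED_CONF),
                       ("posted-style", POSTED_STYLE_CONF),
                       ("overlap", OVERLAP_CONF)):
        found = check_idmap(conf)
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

Point `check_idmap` at the text of a real smb.conf (for instance the output of `testparm -s`) to run the same checks on a live host; overlapping ranges are the one finding that is a hard error, because two idmap domains would then hand out the same UIDs and GIDs.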
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Akash Jain via samba
> Sent: Tuesday, 12 December 2017 12:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"
>
> Hello All
>
> Can I get some response on above email.
>
> More Setup Details
>
> My AD Controller is Windows 2008 R2
> My Linux machine which is trying to join the domain is CentOS Linux release 7.2.1511
> Samba version is Version 4.6.2
>
> Kindly help and let me know if I need to include more information in the email.
>
> Thanks
> Akash
>
> On Wed, Dec 6, 2017 at 1:42 PM, Akash Jain
> <akash.jain110683 at gmail.com>
> wrote:
>
> > Hello All
> >
> > Can someone please help me understand what could be the reason SPNEGO fails with the Windows AD server?
> >
> > SPNEGO login failed: The transport connection is now disconnected.
> > error_string : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
> >
> >
> >
> > Thanks in Advance
> >
> > Akash
> >
> > On Fri, Dec 1, 2017 at 4:55 PM, Akash Jain
> <akash.jain110683 at gmail.com>
> > wrote:
> >
> >> Hello All
> >>
> >> I am seeing the following error intermittently when I try to join the samba machine into AD controlled by a windows machine.
> >>
> >> Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM' over rpc: The transport connection is now disconnected.
> >>
> >> If we repeat the same command with the same configuration and credentials, it succeeds.
> >>
> >> Detailed logs at log level 5 are at end of the message.
> >>
> >>
> >> Command:
> >> net ads join -d5 -e -I <AD Controller IP> -U administrator%<password>
> >>
> >> configuration details are as follows
> >>
> >> -------------------- smb.conf -----------------------
> >> [global]
> >> max log size = 0
> >> realm = DOMAIN.COM
> >> workgroup = DOMAIN
> >> security = ADS
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> idmap config * : backend = autorid
> >> idmap config * : range = 1000000-19999999
> >> passdb backend = tdbsam
> >>
> >> ------------------- krb5.conf ------------------------
> >> [libdefaults]
> >> default_realm = DOMAIN.COM
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >> ticket_lifetime = 24h
> >> renew_lifetime = 7d
> >> forwardable = true
> >> rdns = false
> >> default_ccache_name = KEYRING:persistent:%{uid}
> >> [realms]
> >> DOMAIN.COM = {
> >> kdc = PDC.DOMAIN.COM
> >> admin_server = PDC.DOMAIN.COM
> >> }
> >> [domain_realm]
> >> domain = DOMAIN.COM
> >> .domain = DOMAIN.COM
> >>
> >>
> >> ------------------------------------------------------------
> >> ----------------------------------
> >>
> >> Log level 5 logs for net ads command are:
> >>
> >>
> >> Enter Administrator's password:libnet_Join:
> >> libnet_JoinCtx: struct libnet_JoinCtx
> >> in: struct libnet_JoinCtx
> >> dc_name : NULL
> >> machine_name : 'Hostname'
> >> domain_name : *
> >> domain_name : 'DOMAIN.COM'
> >> domain_name_type : JoinDomNameTypeDNS (1)
> >> account_ou : NULL
> >> admin_account : 'Administrator'
> >> admin_domain : NULL
> >> machine_password : NULL
> >> join_flags : 0x00000023 (35)
> >> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> >> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> >> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> >> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> >> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> >> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> >> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> >> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> >> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> >> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> >> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> >> os_version : NULL
> >> os_name : NULL
> >> os_servicepack : NULL
> >> create_upn : 0x00 (0)
> >> upn : NULL
> >> modify_config : 0x00 (0)
> >> ads : NULL
> >> debug : 0x01 (1)
> >> use_kerberos : 0x00 (0)
> >> secure_channel_type : SEC_CHAN_WKSTA (2)
> >> desired_encryption_types : 0x0000001f (31)
> >> Opening cache file at /var/lib/samba/gencache.tdb
> >> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> >> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> >> "Default-First-Site-Name"
> >> ads_dns_lookup_srv: 1 records returned in the answer section.
> >> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> >> "Default-First-Site-Name"
> >> no entry for PDC.DOMAIN.COM#20 found.
> >> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> >> namecache_store: storing 1 address for PDC.DOMAIN.COM#20: <AD Controller IP>
> >> Connecting to <AD Controller IP> at port 445
> >> E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
> >> Connecting to <AD Controller IP> at port 139
> >> Socket options:
> >> SO_KEEPALIVE = 0
> >> SO_REUSEADDR = 0
> >> SO_BROADCAST = 0
> >> TCP_NODELAY = 1
> >> TCP_KEEPCNT = 9
> >> TCP_KEEPIDLE = 7200
> >> TCP_KEEPINTVL = 75
> >> IPTOS_LOWDELAY = 0
> >> IPTOS_THROUGHPUT = 0
> >> SO_REUSEPORT = 0
> >> SO_SNDBUF = 87040
> >> SO_RCVBUF = 367360
> >> SO_SNDLOWAT = 1
> >> SO_RCVLOWAT = 1
> >> SO_SNDTIMEO = 0
> >> SO_RCVTIMEO = 0
> >> TCP_QUICKACK = 1
> >> TCP_DEFER_ACCEPT = 0
> >> got OID=1.3.6.1.4.1.311.2.2.10
> >> GENSEC backend 'gssapi_spnego' registered
> >> GENSEC backend 'gssapi_krb5' registered
> >> GENSEC backend 'gssapi_krb5_sasl' registered
> >> GENSEC backend 'spnego' registered
> >> GENSEC backend 'schannel' registered
> >> GENSEC backend 'naclrpc_as_system' registered
> >> GENSEC backend 'sasl-EXTERNAL' registered
> >> GENSEC backend 'ntlmssp' registered
> >> GENSEC backend 'ntlmssp_resume_ccache' registered
> >> GENSEC backend 'http_basic' registered
> >> GENSEC backend 'http_ntlm' registered
> >> Starting GENSEC mechanism spnego
> >> Server claims it's principal name is not_defined_in_RFC4178 at PLEASE_IGNORE
> >> Starting GENSEC submechanism ntlmssp
> >> Got challenge flags:
> >> Got NTLMSSP neg_flags=0x62898215
> >> NTLMSSP_NEGOTIATE_UNICODE
> >> NTLMSSP_REQUEST_TARGET
> >> NTLMSSP_NEGOTIATE_SIGN
> >> NTLMSSP_NEGOTIATE_NTLM
> >> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >> NTLMSSP_TARGET_TYPE_DOMAIN
> >> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >> NTLMSSP_NEGOTIATE_TARGET_INFO
> >> NTLMSSP_NEGOTIATE_VERSION
> >> NTLMSSP_NEGOTIATE_128
> >> NTLMSSP_NEGOTIATE_KEY_EXCH
> >> NTLMSSP: Set final flags:
> >> Got NTLMSSP neg_flags=0x62088215
> >> NTLMSSP_NEGOTIATE_UNICODE
> >> NTLMSSP_REQUEST_TARGET
> >> NTLMSSP_NEGOTIATE_SIGN
> >> NTLMSSP_NEGOTIATE_NTLM
> >> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >> NTLMSSP_NEGOTIATE_VERSION
> >> NTLMSSP_NEGOTIATE_128
> >> NTLMSSP_NEGOTIATE_KEY_EXCH
> >> NTLMSSP Sign/Seal - Initialising with flags:
> >> Got NTLMSSP neg_flags=0x62088215
> >> NTLMSSP_NEGOTIATE_UNICODE
> >> NTLMSSP_REQUEST_TARGET
> >> NTLMSSP_NEGOTIATE_SIGN
> >> NTLMSSP_NEGOTIATE_NTLM
> >> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >> NTLMSSP_NEGOTIATE_VERSION
> >> NTLMSSP_NEGOTIATE_128
> >> NTLMSSP_NEGOTIATE_KEY_EXCH
> >> SPNEGO login failed: The transport connection is now disconnected.
> >> libnet_Join:
> >> libnet_JoinCtx: struct libnet_JoinCtx
> >> out: struct libnet_JoinCtx
> >> account_name : NULL
> >> netbios_domain_name : NULL
> >> dns_domain_name : NULL
> >> forest_name : NULL
> >> dn : NULL
> >> domain_sid : NULL
> >> domain_sid : (NULL SID)
> >> modified_config : 0x00 (0)
> >> error_string : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
> >> domain_is_ad : 0x00 (0)
> >> set_encryption_types : 0x00000000 (0)
> >> result : WERR_NETNAME_DELETED
> >> return code = -1
> >> Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.
> >>
> >> ------------------------------------------------------------
> >> ------------------------------------------------------------------
> >>
> >> If we compare the Success vs Failure logs, we see only a difference in the following lines:
> >>
> >>
> >> Below lines are missing in Failure case:
> >> ----------------------------------------------
> >> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan 1 05:30:00 1970 IST] (-1511892480 seconds in the past)
> >> no entry for PDC.DOMAIN.COM#20 found.
> >> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> >> namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
> >> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28 23:49:00 2017 IST] (660 seconds ahead)
> >> internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
> >> -------------------------------------------------
> >>
> >> Also, OIDs are different.
> >>
> >> Please help me understand in what scenarios the domain controller will revoke the transport connection with SPNEGO failed for the same flags and same inputs.
> >>
> >> Thanks
> >> Akash
> >>
> >>
> >