[Samba] net ads join explication ?
nathalie ramat
nathalie.ramat at univ-littoral.fr
Thu Nov 7 11:08:36 UTC 2019
Hello,
I want to add my Linux client to my AD.
I use net ads join -U administrator
passwd : xxxx
and I wait and I have no response, but if I press the Enter key 8 times,
my machine is added to my AD, but I have this error message: error
reading from file descriptor 0 : empty password, which comes from the server.
I don't understand why.
My server is Samba 4.11 and my client uses winbind.
I used debug on my client and I have this result:
root@clientblues2:/etc/samba# net ads join -d 5 -U administrator
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter security = ADS
doing parameter realm = SAMBADOM.CALAIS.FR
doing parameter workgroup = SAMBADOM
doing parameter netbios name = clientblues2
doing parameter winbind separator = /
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 1000-2000
doing parameter idmap config SAMBADOM : backend = ad
doing parameter idmap config SAMBADOM : schema_mode = rfc2307
doing parameter idmap config SAMBADOM : range = 10000-600000
doing parameter idmap config SAMBADOM : unix_nss_info = yes
doing parameter idmap config SAMBADOM : unix_primary_group = yes
doing parameter winbind nss info = template
doing parameter template homedir = /etudiants/%U
doing parameter template shell = /bin/bash
doing parameter kerberos method = secrets and keytab
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter winbind refresh tickets = yes
doing parameter username map = /etc/samba/user.map
doing parameter winbind use default domain = yes
doing parameter log file = /var/log/samba/log.%m
doing parameter log level = 5
doing parameter vfs object = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Registering messaging pointer for type 51 - private_data=(nil)
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter security = ADS
doing parameter realm = SAMBADOM.CALAIS.FR
doing parameter workgroup = SAMBADOM
doing parameter netbios name = clientblues2
doing parameter winbind separator = /
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 1000-2000
doing parameter idmap config SAMBADOM : backend = ad
doing parameter idmap config SAMBADOM : schema_mode = rfc2307
doing parameter idmap config SAMBADOM : range = 10000-600000
doing parameter idmap config SAMBADOM : unix_nss_info = yes
doing parameter idmap config SAMBADOM : unix_primary_group = yes
doing parameter winbind nss info = template
doing parameter template homedir = /etudiants/%U
doing parameter template shell = /bin/bash
doing parameter kerberos method = secrets and keytab
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter winbind refresh tickets = yes
doing parameter username map = /etc/samba/user.map
doing parameter winbind use default domain = yes
doing parameter log file = /var/log/samba/log.%m
doing parameter log level = 5
doing parameter vfs object = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="CLIENTBLUES2"
added interface ens18 ip=192.168.xx.xxx bcast=192.168.xx.255
netmask=255.255.255.0
Enter administrator's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'CLIENTBLUES2'
domain_name : *
domain_name : 'SAMBADOM.CALAIS.FR'
domain_name_type : JoinDomNameTypeDNS (1)
account_ou : NULL
admin_account : 'administrator'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'SAMBADOM.CALAIS.FR':
"Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'SAMBADOM.CALAIS.FR':
"Default-First-Site-Name"
no entry for blueyestest.sambadom.calais.fr#20 found.
resolve_hosts: Attempting host lookup for name
blueyestest.sambadom.calais.fr<0x20>
namecache_store: storing 1 address for
blueyestest.sambadom.calais.fr#20: 192.168.xx.xxx
Connecting to 192.168.xx.xxx at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 131072
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
got OID=1.2.840.48018.1.2.2
cli_session_setup_spnego_send: Connect to blueyestest.sambadom.calais.fr
as administrator@SAMBADOM.CALAIS.FR using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
On the server I have the following trace:
ldb_wrap open of idmap.ldb
/usr/sbin/smbd: Allowed connection from 192.168.22.233 (192.168.22.233)
/usr/sbin/smbd: init_oplocks: initializing messages.
/usr/sbin/smbd: Transaction 0 of length 88 (0 toread)
/usr/sbin/smbd: switch message SMBnegprot (pid 12005) conn 0x0
/usr/sbin/smbd: Requested protocol [NT LANMAN 1.0]
/usr/sbin/smbd: Requested protocol [NT LM 0.12]
/usr/sbin/smbd: Requested protocol [SMB 2.002]
/usr/sbin/smbd: Requested protocol [SMB 2.???]
/usr/sbin/smbd: Selected protocol SMB2_FF
/usr/sbin/smbd: load_module_absolute_path: Module
'/usr/lib/x86_64-linux-gnu/samba/auth/samba4.so' loaded
/usr/sbin/smbd: GENSEC backend 'gssapi_spnego' registered
/usr/sbin/smbd: GENSEC backend 'gssapi_krb5' registered
/usr/sbin/smbd: GENSEC backend 'gssapi_krb5_sasl' registered
/usr/sbin/smbd: GENSEC backend 'spnego' registered
/usr/sbin/smbd: GENSEC backend 'schannel' registered
/usr/sbin/smbd: GENSEC backend 'naclrpc_as_system' registered
/usr/sbin/smbd: GENSEC backend 'sasl-EXTERNAL' registered
/usr/sbin/smbd: GENSEC backend 'ntlmssp' registered
/usr/sbin/smbd: GENSEC backend 'ntlmssp_resume_ccache' registered
/usr/sbin/smbd: GENSEC backend 'http_basic' registered
/usr/sbin/smbd: GENSEC backend 'http_ntlm' registered
/usr/sbin/smbd: GENSEC backend 'http_negotiate' registered
/usr/sbin/smbd: GENSEC backend 'krb5' registered
/usr/sbin/smbd: GENSEC backend 'fake_gssapi_krb5' registered
/usr/sbin/smbd: ldb_wrap open of secrets.ldb
/usr/sbin/smbd: AUTH backend 'sam' registered
/usr/sbin/smbd: AUTH backend 'sam_ignoredomain' registered
/usr/sbin/smbd: AUTH backend 'anonymous' registered
/usr/sbin/smbd: AUTH backend 'winbind' registered
/usr/sbin/smbd: AUTH backend 'name_to_ntstatus' registered
/usr/sbin/smbd: AUTH backend 'unix' registered
/usr/sbin/smbd: Selected protocol SMB 2.???
/usr/sbin/smbd: Selected protocol SMB3_11
/usr/sbin/smbd: ldb_wrap open of secrets.ldb
And after:
/usr/sbin/smbd: Closing idle connection
/usr/sbin/smbd: got a SHUTDOWN message
/usr/sbin/smbd: Server exit (normal exit)
When I press the Enter key on my client, I see the various backends
scroll in the trace:
Error reading password from file descriptor 0: empty password
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Error reading password from file descriptor 0: empty password
get_dc_list: preferred server list: "blueyestest.sambadom.calais.fr, *"
get_dc_list: preferred server list: "blueyestest.sambadom.calais.fr, *"
Successfully contacted LDAP server 192.168.22.230
Connected to LDAP server blueyestest.sambadom.calais.fr
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Error reading password from file descriptor 0: empty password
ads_domain_func_level: 4
The machine account already exists in the specified OU.
I probably made a mistake in a configuration file, but I can't find it.
Can I choose the right backend to add the machine immediately without
error?
My smb.conf on my client is:
[global]
security =ADS
realm = SAMBADOM.CALAIS.FR
workgroup =SAMBADOM
netbios name = clientblues2
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend=tdb
idmap config * : range=1000-2000
idmap config SAMBADOM : backend = ad
idmap config SAMBADOM : schema_mode =rfc2307
idmap config SAMBADOM : range = 10000-600000
idmap config SAMBADOM : unix_nss_info = yes
idmap config SAMBADOM : unix_primary_group = yes
winbind nss info = template
template homedir =/etudiants/%U
template shell =/bin/bash
kerberos method = secrets and keytab
dedicated keytab file =/etc/krb5.keytab
winbind refresh tickets =yes
#
username map = /etc/samba/user.map
winbind use default domain = yes
log file =/var/log/samba/log.%m
log level = 5
# for acl support on members servers with shares
vfs object = acl_xattr
map acl inherit = yes
store dos attributes = yes
Thanks for your help
--
Nathalie RAMAT-LECLERCQ
Service Informatique
Universite du Littoral-Côte d'Opale
SCoSI - Service Commun du Système d'Information
Pôle Systèmes et réseaux
Centre de Gestion Universitaire de Calais
50 rue ferdinand Buisson
C.S 80699
62228 CALAIS CEDEX