[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
Michael Evans
michael.evans at nor-consult.com
Sun Nov 21 00:30:48 UTC 2021
Is there a known bug related to Samba and IPv6 Samba AD DCs?
I've seen this both in 4.13.13-Debian and 4.13-5-Debian (because I forgot to add the security backports to my test setup).
Created two new Debian 11 VMs.
Both only have DHCPed addresses.
I will be using:
DNS domain: test.nc.nor-consult.com
Realm: TEST.NC.NOR-CONSULT.COM
'workgroup': TEST
Hostnames: dtdc and dtdm
I will configure hosts/DNS to be isolated from the normal network and be served from dtdc / hosts on dtdc.
Attempting with IPv6 enabled.
BOTH # apt update ; apt install samba winbind libnss-winbind libpam-winbind libpam-krb5 krb5-user libgssapi3-heimdal libgssapi-krb5-2 bind9-dnsutils sntp
BOTH # systemctl stop smbd nmbd winbind samba-ad-dc ; systemctl disable smbd nmbd winbind samba-ad-dc
# hostnamectl set-hostname ...
hostnamectl now displays a 'static hostname' with no domain portion.
# cat /etc/resolv.conf
search test.nor-consult.com ... more internal and external DNS realms to search ...
nameserver 127.0.0.1
# tail -n 2 /etc/hosts
10.2.0.46 dtdc.test.nor-consult.com dtdc
fd00:6959:d45d:200:a800:ff:fe2a:ddcf dtdc.test.nor-consult.com dtdc
# hostname -s; hostname -d; hostname -f; hostname -i; hostname -I
dtdc
test.nor-consult.com
dtdc.test.nor-consult.com
fd00:6959:d45d:200:a800:ff:fe2a:ddcf 10.2.0.46
10.2.0.46 REDACTED(management IPv4) fd00:6959:d45d:200:a800:ff:fe2a:ddcf REDACTED:a800:ff:fe2a:ddcf
dtdm
test.nor-consult.com
dtdm.test.nor-consult.com
fd00:6959:d45d:200:a800:ff:fec5:be0f 10.2.0.47
10.2.0.47 REDACTED fd00:6959:d45d:200:a800:ff:fec5:be0f REDACTED:a800:ff:fec5:be0f
Automate sntp to run ~1 time per day or another regular basis. (In this case once per day)
BOTH: mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
BOTH: rm -r /run/samba/*.?db /var/cache/samba/*.?db /var/lib/samba/*.?db /var/lib/samba/private/*.?db
systemctl unmask samba-ad-dc
samba-tool \
domain provision \
--use-rfc2307 \
--realm=TEST.NOR-CONSULT.COM --domain=TEST \
--server-role=dc --dns-backend=SAMBA_INTERNAL \
--option="interfaces=lo 10.2.0.46 fd00:6959:d45d:200:a800:ff:fe2a:ddcf" --option="bind interfaces only=yes" \
--adminpass=bad_Test.pass \
--host-ip=10.2.0.46 --host-ip6=fd00:6959:d45d:200:a800:ff:fe2a:ddcf 2>&1 | tee /root/samba-tool-provision-test.txt
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #489: Once the above files are installed, your Samba AD server will be ready to use
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: Server Role: active directory domain controller
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: Hostname: dtdc
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: NetBIOS Domain: TEST
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #497: DNS Domain: test.nor-consult.com
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #498: DOMAIN SID: S-1-5-21-1856739620-2608707231-3517554343
systemctl start samba-ad-dc ;\
# host -t SRV _ldap._tcp.test.nor-consult.com ; host -t SRV _kerberos._udp.test.nor-consult.com ; host -a dtdc.test.nor-consult.com
_ldap._tcp.test.nor-consult.com has SRV record 0 100 389 dtdc.test.nor-consult.com.
_kerberos._udp.test.nor-consult.com has SRV record 0 100 88 dtdc.test.nor-consult.com.
Trying "dtdc.test.nor-consult.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52624
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;dtdc.test.nor-consult.com. IN ANY
;; ANSWER SECTION:
dtdc.test.nor-consult.com. 900 IN A 10.2.0.46
dtdc.test.nor-consult.com. 900 IN AAAA fd00:6959:d45d:200:a800:ff:fe2a:ddcf
;; AUTHORITY SECTION:
test.nor-consult.com. 3600 IN SOA dtdc.test.nor-consult.com. hostmaster.test.nor-consult.com. 1 900 600 86400 3600
Received 134 bytes from 127.0.0.1#53 in 0 ms
## Both
mv /etc/krb5.conf /etc/krb5.conf.dist
editor /etc/krb5.conf
[libdefaults]
default_realm = TEST.NOR-CONSULT.COM
dns_lookup_realm = false
dns_lookup_kdc = true
chmod 644 /etc/krb5.conf
On a NON-VM host, set up a full NTP server. For a VM only periodically (and at boot too) run sntp to correct the local clock offset.
# samba already stopped and disabled above.
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
dtdc # cat /etc/samba/smb.conf
# Global parameters
[global]
bind interfaces only = Yes
dns forwarder = 127.0.0.1
interfaces = lo 10.2.0.46 fd00:6959:d45d:200:a800:ff:fe2a:ddcf
netbios name = DTDC
realm = TEST.NOR-CONSULT.COM
server role = active directory domain controller
workgroup = TEST
idmap_ldb:use rfc2307 = yes
### WARNING ### DO NOT config __ idmap __ on a domain controller!
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/test.nor-consult.com/scripts
read only = No
editor /etc/samba/smb.conf
[global]
security = ads
realm = TEST.NOR-CONSULT.COM
workgroup = TEST
server string = Samba Client %h
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
winbind normalize names = Yes
disable netbios = yes
# Just copied this from the recommended configuration, modify to reflect your needs.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
idmap config SAMDOM : unix_nss_info = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
# turn off usershares
usershare max shares = 0
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
# editor /etc/samba/user.map
!root = TEST\Administrator
# editor /etc/resolv.conf
search test.nor-consult.com
nameserver 10.2.0.46
net ads join -d5 -U Administrator
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host dtdc.test.nor-consult.com auth_type 0, auth_level 1
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 216
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
saf_fetch: failed to find server for "test.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for test.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.46:88 fd00:6959:d45d:200:a800:ff:fe2a:ddcf:88
saf_fetch: failed to find server for "test.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for test.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.46:88 fd00:6959:d45d:200:a800:ff:fe2a:ddcf:88
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.TEST with realm TEST.NOR-CONSULT.COM KDC list = kdc = [fd00:6959:d45d:200:a800:ff:fe2a:ddcf]:88
kdc = 10.2.0.46
sitename_fetch: Returning sitename for realm 'TEST.NOR-CONSULT.COM': "Default-First-Site-Name"
name dtdc.test.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.46 (realm: test.nor-consult.com)
Successfully contacted LDAP server 10.2.0.46
Connecting to 10.2.0.46 at port 389
Connected to LDAP server dtdc.test.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
--- STALLS here for ~15 min. Replicable test-case on my setup. eth1 and related IPs should be ignored by Samba as they are on a different 10. subnet mask entirely and the server is only listening on specified IPs.
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Can't contact LDAP server
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Can't contact LDAP server, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm=[TEST.NOR-CONSULT.COM]: Can't contact LDAP server
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'DTDM$'
netbios_domain_name : 'TEST'
dns_domain_name : 'test.nor-consult.com'
forest_name : 'test.nor-consult.com'
dn : NULL
domain_guid : 11bb1fdb-22b6-4bfc-9f75-6604b90790e5
domain_sid : *
domain_sid : S-1-5-21-1856739620-2608707231-3517554343
modified_config : 0x00 (0)
error_string : 'failed to connect to AD: Can't contact LDAP server'
domain_is_ad : 0x01 (1)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_NERR_DEFAULTJOINREQUIRED
Failed to join domain: failed to connect to AD: Can't contact LDAP server
return code = -1
The big difference I notice between my config and Rowland Penny's provided working outline? No IPv6.
It looks easier to nuke the 1 ADDC only domain and restart from scratch.
systemctl stop samba-ad-dc
rm -r /run/samba/*.?db /var/cache/samba/*.?db /var/lib/samba/*.?db /var/lib/samba/private/*.?db
samba-tool \
domain provision \
--use-rfc2307 \
--realm=TEST.NOR-CONSULT.COM --domain=TEST \
--server-role=dc --dns-backend=SAMBA_INTERNAL \
--option="interfaces=lo 10.2.0.46" --option="bind interfaces only=yes" \
--adminpass=bad_Test.pass \
--host-ip=10.2.0.46 2>&1 | tee /root/samba-tool-provision-test2.txt
INFO 2021-11-21 00:22:37,440 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2139: Looking up IPv6 addresses
WARNING 2021-11-21 00:22:37,440 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2146: No IPv6 address will be assigned
INFO 2021-11-21 00:22:37,650 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2290: Setting up share.ldb
INFO 2021-11-21 00:22:39,284 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2294: Setting up secrets.ldb
INFO 2021-11-21 00:22:40,449 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2299: Setting up the registry
INFO 2021-11-21 00:22:43,338 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2302: Setting up the privileges database
INFO 2021-11-21 00:22:45,408 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2305: Setting up idmap db
INFO 2021-11-21 00:22:46,704 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2312: Setting up SAM db
INFO 2021-11-21 00:22:46,852 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #897: Setting up sam.ldb partitions and settings
INFO 2021-11-21 00:22:46,853 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #909: Setting up sam.ldb rootDSE
INFO 2021-11-21 00:22:46,962 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1322: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2021-11-21 00:22:47,628 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1400: Adding DomainDN: DC=test,DC=nor-consult,DC=com
INFO 2021-11-21 00:22:47,769 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1432: Adding configuration container
INFO 2021-11-21 00:22:48,010 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1447: Setting up sam.ldb schema
INFO 2021-11-21 00:22:50,125 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1465: Setting up sam.ldb configuration data
INFO 2021-11-21 00:22:50,244 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1506: Setting up display specifiers
INFO 2021-11-21 00:22:51,632 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1514: Modifying display specifiers and extended rights
INFO 2021-11-21 00:22:51,661 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1521: Adding users container
INFO 2021-11-21 00:22:51,662 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1527: Modifying users container
INFO 2021-11-21 00:22:51,663 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1530: Adding computers container
INFO 2021-11-21 00:22:51,664 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1536: Modifying computers container
INFO 2021-11-21 00:22:51,664 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1540: Setting up sam.ldb data
INFO 2021-11-21 00:22:51,772 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1570: Setting up well known security principals
INFO 2021-11-21 00:22:51,804 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1584: Setting up sam.ldb users and groups
INFO 2021-11-21 00:22:51,894 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1592: Setting up self join
Repacking database from v1 to v2 format (first record CN=Cost,CN=Schema,CN=Configuration,DC=test,DC=nor-consult,DC=com)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=domainDNS-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=test,DC=nor-consult,DC=com)
Repacking database from v1 to v2 format (first record CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=test,DC=nor-consult,DC=com)
INFO 2021-11-21 00:22:58,209 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1143: Adding DNS accounts
INFO 2021-11-21 00:22:59,214 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1177: Creating CN=MicrosoftDNS,CN=System,DC=test,DC=nor-consult,DC=com
INFO 2021-11-21 00:22:59,228 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1190: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2021-11-21 00:22:59,797 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1195: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=nor-consult,DC=com)
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.dc,DC=_msdcs.test.nor-consult.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=nor-consult,DC=com)
INFO 2021-11-21 00:23:01,933 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2026: Setting up sam.ldb rootDSE marking as synchronized
INFO 2021-11-21 00:23:01,965 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2031: Fixing provision GUIDs
INFO 2021-11-21 00:23:03,865 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2364: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2021-11-21 00:23:03,866 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2366: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2021-11-21 00:23:04,417 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2096: Setting up fake yp server settings
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #489: Once the above files are installed, your Samba AD server will be ready to use
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: Server Role: active directory domain controller
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: Hostname: dtdc
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: NetBIOS Domain: TEST
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #497: DNS Domain: test.nor-consult.com
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #498: DOMAIN SID: S-1-5-21-2402865183-1479636081-2572501061
# systemctl start samba-ad-dc
# host -t SRV _ldap._tcp.test.nor-consult.com ; host -t SRV _kerberos._udp.test.nor-consult.com ; host -a dtdc.test.nor-consult.com
_ldap._tcp.test.nor-consult.com has SRV record 0 100 389 dtdc.test.nor-consult.com.
_kerberos._udp.test.nor-consult.com has SRV record 0 100 88 dtdc.test.nor-consult.com.
Trying "dtdc.test.nor-consult.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63904
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;dtdc.test.nor-consult.com. IN ANY
;; ANSWER SECTION:
dtdc.test.nor-consult.com. 900 IN A 10.2.0.46
;; AUTHORITY SECTION:
test.nor-consult.com. 3600 IN SOA dtdc.test.nor-consult.com. hostmaster.test.nor-consult.com. 1 900 600 86400 3600
Received 106 bytes from 127.0.0.1#53 in 0 ms
--
Retry joining the client
dtdm # net ads join -d5 -U Administrator
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password Administrator@TEST.NOR-CONSULT.COM failed: Cannot contact any KDC for requested realm
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Cannot contact any KDC for requested realm, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
ads_gen_add: AD LDAP: Adding cn=DTDM,CN=Computers,dc=TEST,dc=NOR-CONSULT,dc=COM
libnet_join_precreate_machine_acct: Machine account successfully created
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'DTDM$'
netbios_domain_name : 'TEST'
dns_domain_name : 'test.nor-consult.com'
forest_name : 'test.nor-consult.com'
dn : NULL
domain_guid : 9ffd802f-662b-430e-8e49-5218e62b57a1
domain_sid : *
domain_sid : S-1-5-21-2402865183-1479636081-2572501061
modified_config : 0x00 (0)
error_string : 'Failed to set machine spn: Time limit exceeded
Do you have sufficient permissions to create machine accounts?'
domain_is_ad : 0x01 (1)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_GEN_FAILURE
Failed to join domain: Failed to set machine spn: Time limit exceeded
Do you have sufficient permissions to create machine accounts?
return code = -1
Freed frame ../../source3/utils/net.c:957, expected ../../source3/libnet/libnet_join.c:506.
This succeeded; only when the AD DC was __not listening on an IPv6 interface__ / did not have a KDC listed on the domain in IPv6.
NOTE: IPv6 was still fully enabled on both hosts, the only changes I made from fail to "working" were binding samba to IPv4 only (as shown in the setup command).
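
Added example, not part of the original post: a per-address reachability check to run on the member (dtdm) before `net ads join`. It tests every address the resolver returns for the DC on LDAP (389) and Kerberos (88), with a short timeout so an unreachable address family shows up as a quick FAIL rather than a long stall. Assumptions: bash and coreutils `timeout` are installed, only TCP is probed, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: probe each address of a DC on LDAP and Kerberos, per address family.

# Constructed sample of `getent ahosts dtdc.test.nor-consult.com` output
# when the DC publishes both an AAAA and an A record (addresses from the post).
SAMPLE_AHOSTS='fd00:6959:d45d:200:a800:ff:fe2a:ddcf STREAM dtdc.test.nor-consult.com
fd00:6959:d45d:200:a800:ff:fe2a:ddcf DGRAM
fd00:6959:d45d:200:a800:ff:fe2a:ddcf RAW
10.2.0.46       STREAM
10.2.0.46       DGRAM
10.2.0.46       RAW'

# unique_addrs: read getent-ahosts lines on stdin, print each address once,
# keeping the resolver's preference order.
unique_addrs() {
    awk '$2 == "STREAM" && !seen[$1]++ { print $1 }'
}

# family_of ADDR: "inet6" for an IPv6 literal, "inet" otherwise.
family_of() {
    case "$1" in
        *:*) echo inet6 ;;
        *)   echo inet ;;
    esac
}

# endpoint ADDR PORT: unambiguous form; IPv6 literals are bracketed so the
# port cannot be mistaken for the last group of the address.
endpoint() {
    case "$1" in
        *:*) printf '[%s]:%s\n' "$1" "$2" ;;
        *)   printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# probe ADDR PORT [TIMEOUT]: exit 0 if a TCP connection opens within TIMEOUT
# seconds (default 5). Uses bash's /dev/tcp, invoked explicitly.
probe() {
    timeout "${3:-5}" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# check_dc FQDN: probe 389 and 88 on every resolved address; non-zero exit
# status if any endpoint is unreachable.
check_dc() {
    rc=0
    for addr in $(getent ahosts "$1" | unique_addrs); do
        for port in 389 88; do
            if probe "$addr" "$port"; then state=ok; else state=FAIL; rc=1; fi
            printf '%-5s %-6s %s\n' "$state" "$(family_of "$addr")" \
                "$(endpoint "$addr" "$port")"
        done
    done
    return "$rc"
}

# Run the check only when a DC name is given, e.g.:
#   sh check_dc.sh dtdc.test.nor-consult.com
if [ "$#" -ge 1 ]; then
    check_dc "$1"
fi
```

A FAIL on the inet6 rows while the inet rows are ok means the member cannot reach the DC's services over the address family its resolver may prefer.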