[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server

Michael Evans michael.evans at nor-consult.com
Sun Nov 21 00:30:48 UTC 2021


Is there a known bug related to Samba and IPv6 Samba AD DCs?

I've seen this both in 4.13.13-Debian and 4.13-5-Debian (because I forgot to add the security backports to my test setup).

Created two new debian 11 VMs.

Both only have DHCPed addresses.

I will be using:
DNS domain: test.nc.nor-consult.com
Realm: TEST.NC.NOR-CONSULT.COM
'workgroup': TEST

Hostnames: dtdc and dtdm

I will configure hosts/DNS to be isolated from the normal network and to be served from dtdc / hosts on dtdc.

Attempting with IPv6 enabled.

BOTH # apt update ; apt install samba winbind libnss-winbind libpam-winbind libpam-krb5 krb5-user libgssapi3-heimdal libgssapi-krb5-2 bind9-dnsutils sntp

BOTH # systemctl stop smbd nmbd winbind samba-ad-dc ; systemctl disable smbd nmbd winbind samba-ad-dc

# hostnamectl set-hostname ...

hostnamectl now displays a 'static hostname' with no domain portion.

# cat /etc/resolv.conf 
search test.nor-consult.com ... more internal and external DNS realms to search ...
nameserver 127.0.0.1

# tail -n 2 /etc/hosts
10.2.0.46       dtdc.test.nor-consult.com dtdc
fd00:6959:d45d:200:a800:ff:fe2a:ddcf    dtdc.test.nor-consult.com dtdc

# hostname -s; hostname -d; hostname -f; hostname -i; hostname -I
dtdc
test.nor-consult.com
dtdc.test.nor-consult.com
fd00:6959:d45d:200:a800:ff:fe2a:ddcf 10.2.0.46
10.2.0.46 REDACTED(management IPv4) fd00:6959:d45d:200:a800:ff:fe2a:ddcf REDACTED:a800:ff:fe2a:ddcf

dtdm
test.nor-consult.com
dtdm.test.nor-consult.com
fd00:6959:d45d:200:a800:ff:fec5:be0f 10.2.0.47
10.2.0.47 REDACTED fd00:6959:d45d:200:a800:ff:fec5:be0f REDACTED:a800:ff:fec5:be0f

Automate sntp to run about once per day or on another regular basis (in this case, once per day).

BOTH: mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

BOTH: rm -r /run/samba/*.?db /var/cache/samba/*.?db /var/lib/samba/*.?db /var/lib/samba/private/*.?db

systemctl unmask samba-ad-dc

  samba-tool \
 domain provision \
 --use-rfc2307 \
 --realm=TEST.NOR-CONSULT.COM --domain=TEST \
 --server-role=dc --dns-backend=SAMBA_INTERNAL \
 --option="interfaces=lo 10.2.0.46 fd00:6959:d45d:200:a800:ff:fe2a:ddcf" --option="bind interfaces only=yes" \
 --adminpass=bad_Test.pass \
 --host-ip=10.2.0.46 --host-ip6=fd00:6959:d45d:200:a800:ff:fe2a:ddcf 2>&1 | tee /root/samba-tool-provision-test.txt

INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #489: Once the above files are installed, your Samba AD server will be ready to use
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: Server Role:           active directory domain controller
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: Hostname:              dtdc
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: NetBIOS Domain:        TEST
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #497: DNS Domain:            test.nor-consult.com
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #498: DOMAIN SID:            S-1-5-21-1856739620-2608707231-3517554343

systemctl start samba-ad-dc

# host -t SRV _ldap._tcp.test.nor-consult.com ; host -t SRV _kerberos._udp.test.nor-consult.com ; host -a dtdc.test.nor-consult.com
_ldap._tcp.test.nor-consult.com has SRV record 0 100 389 dtdc.test.nor-consult.com.
_kerberos._udp.test.nor-consult.com has SRV record 0 100 88 dtdc.test.nor-consult.com.
Trying "dtdc.test.nor-consult.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52624
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dtdc.test.nor-consult.com.     IN      ANY

;; ANSWER SECTION:
dtdc.test.nor-consult.com. 900  IN      A       10.2.0.46
dtdc.test.nor-consult.com. 900  IN      AAAA    fd00:6959:d45d:200:a800:ff:fe2a:ddcf

;; AUTHORITY SECTION:
test.nor-consult.com.   3600    IN      SOA     dtdc.test.nor-consult.com. hostmaster.test.nor-consult.com. 1 900 600 86400 3600

Received 134 bytes from 127.0.0.1#53 in 0 ms


## Both

mv /etc/krb5.conf /etc/krb5.conf.dist

editor /etc/krb5.conf
[libdefaults]
  default_realm = TEST.NOR-CONSULT.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true

chmod 644 /etc/krb5.conf

On a NON-VM host, set up a full NTP server.  For a VM, only periodically (and at boot too) run sntp to correct the local clock offset.


# samba already stopped and disabled above.

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

dtdc # cat /etc/samba/smb.conf
# Global parameters
[global]
        bind interfaces only = Yes
        dns forwarder = 127.0.0.1
        interfaces = lo 10.2.0.46 fd00:6959:d45d:200:a800:ff:fe2a:ddcf
        netbios name = DTDC
        realm = TEST.NOR-CONSULT.COM
        server role = active directory domain controller
        workgroup = TEST
        idmap_ldb:use rfc2307 = yes

        ### WARNING ### DO NOT configure __ idmap __ on a domain controller!

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/test.nor-consult.com/scripts
        read only = No

editor /etc/samba/smb.conf
[global]
    security = ads
    realm = TEST.NOR-CONSULT.COM
    workgroup = TEST
    server string = Samba Client %h

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    winbind normalize names = Yes
    disable netbios = yes

    # Just copied this from the recommended configuration, modify to reflect your needs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes

    # turn off usershares
    usershare max shares = 0

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

# editor /etc/samba/user.map
!root = TEST\Administrator


# editor /etc/resolv.conf
search test.nor-consult.com
nameserver 10.2.0.46

net ads join -d5 -U Administrator

signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host dtdc.test.nor-consult.com auth_type 0, auth_level 1
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 216
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
saf_fetch: failed to find server for "test.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for test.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.46:88 fd00:6959:d45d:200:a800:ff:fe2a:ddcf:88 
saf_fetch: failed to find server for "test.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for test.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.46:88 fd00:6959:d45d:200:a800:ff:fe2a:ddcf:88 
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.TEST with realm TEST.NOR-CONSULT.COM KDC list =             kdc = [fd00:6959:d45d:200:a800:ff:fe2a:ddcf]:88
                kdc = 10.2.0.46

sitename_fetch: Returning sitename for realm 'TEST.NOR-CONSULT.COM': "Default-First-Site-Name"
name dtdc.test.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.46 (realm: test.nor-consult.com)
Successfully contacted LDAP server 10.2.0.46
Connecting to 10.2.0.46 at port 389
Connected to LDAP server dtdc.test.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5

--- STALLS here for ~15 min.  Replicable test case on my setup.  eth1 and related IPs should be ignored by Samba, as they are on a different 10. subnet mask entirely and the server is only listening on the specified IPs.

kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Can't contact LDAP server
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Can't contact LDAP server, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm=[TEST.NOR-CONSULT.COM]: Can't contact LDAP server
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'DTDM$'
            netbios_domain_name      : 'TEST'
            dns_domain_name          : 'test.nor-consult.com'
            forest_name              : 'test.nor-consult.com'
            dn                       : NULL
            domain_guid              : 11bb1fdb-22b6-4bfc-9f75-6604b90790e5
            domain_sid               : *
                domain_sid               : S-1-5-21-1856739620-2608707231-3517554343
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Can't contact LDAP server'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            result                   : WERR_NERR_DEFAULTJOINREQUIRED
Failed to join domain: failed to connect to AD: Can't contact LDAP server
return code = -1


The big difference I notice between my config and Rowland Penny's provided working outline?  No IPv6.

It looks easier to nuke the 1 ADDC only domain and restart from scratch.


systemctl stop samba-ad-dc
rm -r /run/samba/*.?db /var/cache/samba/*.?db /var/lib/samba/*.?db /var/lib/samba/private/*.?db

  samba-tool \
 domain provision \
 --use-rfc2307 \
 --realm=TEST.NOR-CONSULT.COM --domain=TEST \
 --server-role=dc --dns-backend=SAMBA_INTERNAL \
 --option="interfaces=lo 10.2.0.46" --option="bind interfaces only=yes" \
 --adminpass=bad_Test.pass \
 --host-ip=10.2.0.46 2>&1 | tee /root/samba-tool-provision-test2.txt
INFO 2021-11-21 00:22:37,440 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2139: Looking up IPv6 addresses
WARNING 2021-11-21 00:22:37,440 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2146: No IPv6 address will be assigned
INFO 2021-11-21 00:22:37,650 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2290: Setting up share.ldb
INFO 2021-11-21 00:22:39,284 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2294: Setting up secrets.ldb
INFO 2021-11-21 00:22:40,449 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2299: Setting up the registry
INFO 2021-11-21 00:22:43,338 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2302: Setting up the privileges database
INFO 2021-11-21 00:22:45,408 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2305: Setting up idmap db
INFO 2021-11-21 00:22:46,704 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2312: Setting up SAM db
INFO 2021-11-21 00:22:46,852 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #897: Setting up sam.ldb partitions and settings
INFO 2021-11-21 00:22:46,853 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #909: Setting up sam.ldb rootDSE
INFO 2021-11-21 00:22:46,962 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1322: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2021-11-21 00:22:47,628 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1400: Adding DomainDN: DC=test,DC=nor-consult,DC=com
INFO 2021-11-21 00:22:47,769 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1432: Adding configuration container
INFO 2021-11-21 00:22:48,010 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1447: Setting up sam.ldb schema
INFO 2021-11-21 00:22:50,125 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1465: Setting up sam.ldb configuration data
INFO 2021-11-21 00:22:50,244 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1506: Setting up display specifiers
INFO 2021-11-21 00:22:51,632 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1514: Modifying display specifiers and extended rights
INFO 2021-11-21 00:22:51,661 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1521: Adding users container
INFO 2021-11-21 00:22:51,662 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1527: Modifying users container
INFO 2021-11-21 00:22:51,663 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1530: Adding computers container
INFO 2021-11-21 00:22:51,664 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1536: Modifying computers container
INFO 2021-11-21 00:22:51,664 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1540: Setting up sam.ldb data
INFO 2021-11-21 00:22:51,772 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1570: Setting up well known security principals
INFO 2021-11-21 00:22:51,804 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1584: Setting up sam.ldb users and groups
INFO 2021-11-21 00:22:51,894 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1592: Setting up self join
Repacking database from v1 to v2 format (first record CN=Cost,CN=Schema,CN=Configuration,DC=test,DC=nor-consult,DC=com)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=domainDNS-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=test,DC=nor-consult,DC=com)
Repacking database from v1 to v2 format (first record CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=test,DC=nor-consult,DC=com)
INFO 2021-11-21 00:22:58,209 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1143: Adding DNS accounts
INFO 2021-11-21 00:22:59,214 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1177: Creating CN=MicrosoftDNS,CN=System,DC=test,DC=nor-consult,DC=com
INFO 2021-11-21 00:22:59,228 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1190: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2021-11-21 00:22:59,797 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1195: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=nor-consult,DC=com)
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.dc,DC=_msdcs.test.nor-consult.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=nor-consult,DC=com)
INFO 2021-11-21 00:23:01,933 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2026: Setting up sam.ldb rootDSE marking as synchronized
INFO 2021-11-21 00:23:01,965 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2031: Fixing provision GUIDs
INFO 2021-11-21 00:23:03,865 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2364: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2021-11-21 00:23:03,866 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2366: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2021-11-21 00:23:04,417 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2096: Setting up fake yp server settings
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #489: Once the above files are installed, your Samba AD server will be ready to use
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: Server Role:           active directory domain controller
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: Hostname:              dtdc
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: NetBIOS Domain:        TEST
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #497: DNS Domain:            test.nor-consult.com
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #498: DOMAIN SID:            S-1-5-21-2402865183-1479636081-2572501061

# systemctl start samba-ad-dc
# host -t SRV _ldap._tcp.test.nor-consult.com ; host -t SRV _kerberos._udp.test.nor-consult.com ; host -a dtdc.test.nor-consult.com
_ldap._tcp.test.nor-consult.com has SRV record 0 100 389 dtdc.test.nor-consult.com.
_kerberos._udp.test.nor-consult.com has SRV record 0 100 88 dtdc.test.nor-consult.com.
Trying "dtdc.test.nor-consult.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63904
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dtdc.test.nor-consult.com.     IN      ANY

;; ANSWER SECTION:
dtdc.test.nor-consult.com. 900  IN      A       10.2.0.46

;; AUTHORITY SECTION:
test.nor-consult.com.   3600    IN      SOA     dtdc.test.nor-consult.com. hostmaster.test.nor-consult.com. 1 900 600 86400 3600

Received 106 bytes from 127.0.0.1#53 in 0 ms

--

Retry joining the client

dtdm # net ads join -d5 -U Administrator

KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password Administrator at TEST.NOR-CONSULT.COM failed: Cannot contact any KDC for requested realm
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Cannot contact any KDC for requested realm, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
ads_gen_add: AD LDAP: Adding cn=DTDM,CN=Computers,dc=TEST,dc=NOR-CONSULT,dc=COM
libnet_join_precreate_machine_acct: Machine account successfully created
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'DTDM$'
            netbios_domain_name      : 'TEST'
            dns_domain_name          : 'test.nor-consult.com'
            forest_name              : 'test.nor-consult.com'
            dn                       : NULL
            domain_guid              : 9ffd802f-662b-430e-8e49-5218e62b57a1
            domain_sid               : *
                domain_sid               : S-1-5-21-2402865183-1479636081-2572501061
            modified_config          : 0x00 (0)
            error_string             : 'Failed to set machine spn: Time limit exceeded
Do you have sufficient permissions to create machine accounts?'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            result                   : WERR_GEN_FAILURE
Failed to join domain: Failed to set machine spn: Time limit exceeded
Do you have sufficient permissions to create machine accounts?
return code = -1
Freed frame ../../source3/utils/net.c:957, expected ../../source3/libnet/libnet_join.c:506.


This succeeded only when the AD DC was __not listening on an IPv6 interface__ / did not have a KDC listed for the domain in IPv6.

NOTE: IPv6 was still fully enabled on both hosts; the only change I made from fail to "working" was binding samba to IPv4 only (as shown in the setup command).
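The member smb.conf in the post keeps the `idmap config SAMDOM : ...` stanzas from the template while `workgroup = TEST`; the comment in it says the block was copied and needs adjusting. On a member that mismatch is easy to miss because the join does not check it: winbind applies an `idmap config` stanza only to the domain whose name it carries, so TEST users fall through to the `* : backend = tdb` default, whose ids are allocated per host in order of first use. The checker below is an added example, not code from the post or from Samba (`testparm -s` is Samba's own syntax check and does not cover this). The two embedded configurations are constructed from the one quoted above, and the function names are mine.

```python
"""Consistency checks for a Samba domain-member smb.conf.

Added example, not Samba's own tooling. It parses [global] and reports the
mismatches that let a join complete while winbind maps users through the wrong
backend: an `idmap config <DOMAIN>` label that does not match `workgroup`, a
workgroup with no idmap stanza at all (it then uses the `*` default backend),
overlapping id ranges, `security = ads` with no realm, and idmap stanzas on a
DC, which the DC configuration above warns against.
"""
import configparser
import re

# Constructed from the member configuration quoted in the post: the idmap block
# was copied from a template and still carries the placeholder domain SAMDOM.
MEMBER_AS_POSTED = """
[global]
    security = ads
    realm = TEST.NOR-CONSULT.COM
    workgroup = TEST
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes
"""

# The same file with the label corrected to the workgroup.
MEMBER_FIXED = MEMBER_AS_POSTED.replace("SAMDOM", "TEST")

# Keys are normalised to lower case with single spaces before this is applied.
IDMAP_KEY = re.compile(r"^idmap config (?P<domain>[^\s:]+)\s*:\s*(?P<param>\S+)$")


def load_global(text):
    """[global] as {parameter: value}; Samba parameter names are case- and space-insensitive."""
    # ':' must not be a delimiter, or 'idmap config X : param' splits at the colon.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.read_string(text)
    return {re.sub(r"\s+", " ", k.strip().lower()): (v or "").strip()
            for k, v in cp["global"].items()}


def idmap_stanzas(glob):
    """{DOMAIN: {param: value}} collected from `idmap config DOMAIN : param` keys."""
    stanzas = {}
    for key, value in glob.items():
        m = IDMAP_KEY.match(key)
        if m:
            stanzas.setdefault(m.group("domain").upper(), {})[m.group("param")] = value
    return stanzas


def parse_range(text):
    """'10000-999999' -> (10000, 999999)."""
    lo, hi = (int(x) for x in text.split("-", 1))
    return lo, hi


def check_member_conf(text):
    """Return [(level, message), ...]; an empty list means every check passed."""
    g = load_global(text)
    findings = []
    workgroup = g.get("workgroup", "").upper()
    realm = g.get("realm", "")
    if g.get("security", "").lower() == "ads" and not realm:
        findings.append(("error", "security = ads requires realm"))
    if realm and realm != realm.upper():
        findings.append(("warn", f"realm {realm!r} should be upper case"))
    stanzas = idmap_stanzas(g)
    if g.get("server role", "").lower() == "active directory domain controller":
        if stanzas:
            findings.append(("error", "idmap config stanzas belong on members, not on a DC"))
        return findings
    if workgroup and workgroup not in stanzas:
        findings.append(("error", f"no idmap config for workgroup {workgroup}; "
                                  "its users fall through to the '*' backend"))
    for label, params in stanzas.items():
        if label not in ("*", workgroup):
            findings.append(("warn", f"idmap config {label} does not match workgroup "
                                     f"{workgroup}; it only applies to a domain of that name"))
        if "range" not in params:
            findings.append(("error", f"idmap config {label} has no range"))
    ranges = [(lab, parse_range(p["range"])) for lab, p in stanzas.items() if "range" in p]
    for i, (la, (a1, a2)) in enumerate(ranges):
        for lb, (b1, b2) in ranges[i + 1:]:
            if a1 <= b2 and b1 <= a2:
                findings.append(("error", f"idmap ranges of {la} and {lb} overlap"))
    return findings


if __name__ == "__main__":
    for name, conf in (("as posted", MEMBER_AS_POSTED), ("fixed", MEMBER_FIXED)):
        print(name, check_member_conf(conf) or "ok")
```

Run it against the real file with `check_member_conf(open("/etc/samba/smb.conf").read())` before `net ads join`; the posted member file produces one error (no stanza for TEST) and one warning (the SAMDOM label), and the corrected file produces none.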


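In the first join transcript Samba writes `/run/samba/smb_krb5/krb5.conf.TEST` with the IPv6 KDC listed before the IPv4 one, and the GSE_KRB5 bind then stalls for about 15 minutes before `Can't contact LDAP server` and the NTLMSSP fallback; the second transcript reaches `Cannot contact any KDC for requested realm`, falls back to NTLMSSP again and ends in `Failed to set machine spn: Time limit exceeded`. A stall that long is the signature of an endpoint that drops packets rather than refusing them, so a useful check before `net ads join` is to probe each resolved KDC address with a hard timeout. The script below is an added diagnostic, not code from the post or from Samba: it parses `kdc =` lines in the format the debug output shows (bracketed IPv6 literal with `:port`, bare IPv4 with the default port) and TCP-connects to each one. The sample configuration text is constructed from the addresses in the post, and the function names are mine.

```python
"""Probe the KDC endpoints Samba resolved for a domain before `net ads join`.

Added diagnostic, not part of the original post or of Samba. It reads `kdc = ...`
lines in the format Samba writes to /run/samba/smb_krb5/krb5.conf.<WORKGROUP>
(IPv6 literal in brackets, optional :port, port 88 when omitted) and tries a short
TCP connect to each, so an address that silently drops traffic fails in seconds
instead of surfacing as a multi-minute stall in the Kerberos bind.
"""
import ipaddress
import re
import socket
import time

# Constructed sample: the KDC list the debug output above shows Samba writing.
SAMPLE_KRB5_CONF = """[realms]
    TEST.NOR-CONSULT.COM = {
        kdc = [fd00:6959:d45d:200:a800:ff:fe2a:ddcf]:88
        kdc = 10.2.0.46
    }
"""

# Accepts `kdc = [v6]:port`, `kdc = v4`, `kdc = host:port`; the port is optional.
KDC_LINE = re.compile(
    r"^\s*kdc\s*=\s*(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^\s\[\]:]+))(?::(?P<port>\d+))?\s*$"
)


def parse_kdc_lines(text, default_port=88):
    """Return [(host, port), ...] in file order; bracketed IPv6 literals are unwrapped."""
    endpoints = []
    for line in text.splitlines():
        m = KDC_LINE.match(line)
        if m:
            host = m.group("v6") or m.group("host")
            endpoints.append((host, int(m.group("port") or default_port)))
    return endpoints


def address_family(host):
    """'IPv6', 'IPv4', or 'name' for a hostname that still needs DNS resolution."""
    try:
        return "IPv6" if ipaddress.ip_address(host).version == 6 else "IPv4"
    except ValueError:
        return "name"


def probe(host, port, timeout=3.0):
    """TCP-connect to host:port with a hard timeout.

    Returns {"reachable", "family", "elapsed", "error"}. Kerberos uses UDP and
    TCP 88; the TCP probe answers only whether the address is routable and the
    port open, which is the question a stalled bind raises. Use port 389 for LDAP.
    """
    started = time.monotonic()
    error = None
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"reachable": False, "family": address_family(host),
                "elapsed": 0.0, "error": str(exc)}
    for family, socktype, proto, _canon, sockaddr in infos:
        s = None
        try:
            s = socket.socket(family, socktype, proto)
            s.settimeout(timeout)
            s.connect(sockaddr)
            return {"reachable": True,
                    "family": "IPv6" if family == socket.AF_INET6 else "IPv4",
                    "elapsed": round(time.monotonic() - started, 3), "error": None}
        except OSError as exc:  # refused, no route, unsupported family, or timeout
            error = str(exc)
        finally:
            if s is not None:
                s.close()
    return {"reachable": False, "family": address_family(host),
            "elapsed": round(time.monotonic() - started, 3), "error": error}


def probe_all(text, timeout=3.0):
    """Probe every kdc line in a krb5.conf text; returns {(host, port): result}."""
    return {ep: probe(ep[0], ep[1], timeout) for ep in parse_kdc_lines(text)}


def ephemeral_listener(host="127.0.0.1"):
    """Listening TCP socket on an ephemeral port, used to exercise probe() offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    for (host, port), r in probe_all(conf).items():
        state = "ok" if r["reachable"] else "UNREACHABLE"
        print(f"{r['family']:<4} {host}:{port} {state} after {r['elapsed']}s {r['error'] or ''}")
```

Point it at the generated file (`python3 probe_kdc.py /run/samba/smb_krb5/krb5.conf.TEST`) on the member before joining; an entry that reports UNREACHABLE after the full timeout, rather than an immediate refusal, is the address family the Kerberos bind will sit on. The same `probe()` with port 389 covers the LDAP side of the bind.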

