[Samba] Unable to join domain I think.
Rowland Penny
rpenny at samba.org
Sat Sep 17 15:58:49 UTC 2022
On 17/09/2022 16:20, Rob Campbell wrote:
>
>
>
>
> [Sat Sep 17 11:15:03] [root at d02~$] net ads join -U Administrator -d3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> added interface enp3s0 ip=10.0.0.9 bcast=10.0.0.255 netmask=255.255.255.0
> Enter Administrator's password:
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> in: struct libnet_JoinCtx
> dc_name : NULL
> machine_name : 'D02'
> domain_name : *
> domain_name : 'HOME.ROB-CAMPBELL.LAN'
> domain_name_type : JoinDomNameTypeDNS (1)
> account_ou : NULL
> admin_account : 'Administrator'
> admin_domain : NULL
> machine_password : NULL
> join_flags : 0x00000023 (35)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> os_version : NULL
> os_name : NULL
> os_servicepack : NULL
> create_upn : 0x00 (0)
> upn : NULL
> dnshostname : NULL
> modify_config : 0x00 (0)
> ads : NULL
> debug : 0x01 (1)
> use_kerberos : 0x00 (0)
> secure_channel_type : SEC_CHAN_WKSTA (2)
> desired_encryption_types : 0x0000001f (31)
> resolve_hosts: Attempting host lookup for name
> dc01.home.rob-campbell.lan<0x20>
> Connecting to 10.0.0.10 at port 445
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> get_dc_list: preferred server list: "dc01.home.rob-campbell.lan, *"
> get_dc_list: preferred server list: "dc01.home.rob-campbell.lan, *"
> Successfully contacted LDAP server 10.0.0.10
> Connecting to 10.0.0.10 at port 389
> Connected to LDAP server dc01.home.rob-campbell.lan
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> libnet_join_precreate_machine_acct: Machine account successfully created
> ads_domain_func_level: 4
> join: struct secrets_domain_infoB
> version : SECRETS_DOMAIN_INFO_VERSION_1 (1)
> reserved : 0x00000000 (0)
> info : union secrets_domain_infoU(case 1)
> info1 : *
> info1: struct secrets_domain_info1
> reserved_flags : 0x0000000000000000 (0)
> join_time : Sat Sep 17 11:15:50 AM 2022 EDT
> computer_name : 'D02'
> account_name : 'D02$'
> secure_channel_type : SEC_CHAN_WKSTA (2)
> domain_info: struct lsa_DnsDomainInfo
> name: struct lsa_StringLarge
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : 'HOME'
> dns_domain: struct lsa_StringLarge
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string :
> 'home.rob-campbell.lan'
> dns_forest: struct lsa_StringLarge
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string :
> 'home.rob-campbell.lan'
> domain_guid :
> c1c018e3-6250-407d-9b57-42fda446aa97
> sid : *
> sid :
> S-1-5-21-3671967812-2164588398-1947807301
> trust_flags : 0x0000001a (26)
> 0: NETR_TRUST_FLAG_IN_FOREST
> 1: NETR_TRUST_FLAG_OUTBOUND
> 0: NETR_TRUST_FLAG_TREEROOT
> 1: NETR_TRUST_FLAG_PRIMARY
> 1: NETR_TRUST_FLAG_NATIVE
> 0: NETR_TRUST_FLAG_INBOUND
> 0: NETR_TRUST_FLAG_MIT_KRB5
> 0: NETR_TRUST_FLAG_AES
> trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
> trust_attributes : 0x00000040 (64)
> 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
> 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
> 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
> 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
> 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
> 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
> 1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
> 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
> 0:
> LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
> 0: LSA_TRUST_ATTRIBUTE_PIM_TRUST
> 0:
> LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
> reserved_routing : NULL
> supported_enc_types : 0x0000001f (31)
> 1: KERB_ENCTYPE_DES_CBC_CRC
> 1: KERB_ENCTYPE_DES_CBC_MD5
> 1: KERB_ENCTYPE_RC4_HMAC_MD5
> 1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
> 1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> 0: KERB_ENCTYPE_FAST_SUPPORTED
> 0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
> 0: KERB_ENCTYPE_CLAIMS_SUPPORTED
> 0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
> salt_principal : *
> salt_principal :
> 'host/d02.home.rob-campbell.lan at HOME.ROB-CAMPBELL.LAN'
> password_last_change : Sat Sep 17 11:15:50 AM 2022 EDT
> password_changes : 0x0000000000000001 (1)
> next_change : NULL
> password : *
> password: struct secrets_domain_info1_password
> change_time : Sat Sep 17 11:15:50
> AM 2022 EDT
> change_server :
> 'dc01.home.rob-campbell.lan'
> cleartext_blob : DATA_BLOB length=260
> nt_hash: struct samr_Password
> hash: ARRAY(16): <REDACTED SECRET VALUES>
> salt_data : *
> salt_data :
> 'HOME.ROB-CAMPBELL.LANhostd02.home.rob-campbell.lan'
> default_iteration_count : 0x00001000 (4096)
> num_keys : 0x0003 (3)
> keys: ARRAY(3)
> keys: struct secrets_domain_info1_kerberos_key
> keytype : 0x00000012 (18)
> iteration_count : 0x00001000
> (4096)
> value : DATA_BLOB
> length=32
> keys: struct secrets_domain_info1_kerberos_key
> keytype : 0x00000011 (17)
> iteration_count : 0x00001000
> (4096)
> value : DATA_BLOB
> length=16
> keys: struct secrets_domain_info1_kerberos_key
> keytype : 0x00000017 (23)
> iteration_count : 0x00001000
> (4096)
> value : DATA_BLOB
> length=16
> old_password : *
> old_password: struct secrets_domain_info1_password
> change_time : Sat Sep 17 11:14:05
> AM 2022 EDT
> change_server :
> 'dc01.home.rob-campbell.lan'
> cleartext_blob : DATA_BLOB length=416
> nt_hash: struct samr_Password
> hash: ARRAY(16): <REDACTED SECRET VALUES>
> salt_data : *
> salt_data :
> 'HOME.ROB-CAMPBELL.LANhostd02.home.rob-campbell.lan'
> default_iteration_count : 0x00001000 (4096)
> num_keys : 0x0003 (3)
> keys: ARRAY(3)
> keys: struct secrets_domain_info1_kerberos_key
> keytype : 0x00000012 (18)
> iteration_count : 0x00001000
> (4096)
> value : DATA_BLOB
> length=32
> keys: struct secrets_domain_info1_kerberos_key
> keytype : 0x00000011 (17)
> iteration_count : 0x00001000
> (4096)
> value : DATA_BLOB
> length=16
> keys: struct secrets_domain_info1_kerberos_key
> keytype : 0x00000017 (23)
> iteration_count : 0x00001000
> (4096)
> value : DATA_BLOB
> length=16
> older_password : NULL
> ldb: ltdb: tdb(/var/lib/samba/private/secrets.ldb): tdb_open_ex: could
> not open file /var/lib/samba/private/secrets.ldb: No such file or directory
>
> ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
> file or directory
> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
> backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb':
> No such file or directory
You can ignore errors like the above, there will never be a file called
'secrets.ldb' on a Unix domain member.
> Connecting to 10.0.0.10 at port 445
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : 'D02$'
> netbios_domain_name : 'HOME'
> dns_domain_name : 'home.rob-campbell.lan'
> forest_name : 'home.rob-campbell.lan'
> dn :
> 'CN=D02,CN=Computers,DC=home,DC=rob-campbell,DC=lan'
> domain_guid : c1c018e3-6250-407d-9b57-42fda446aa97
> domain_sid : *
> domain_sid :
> S-1-5-21-3671967812-2164588398-1947807301
> modified_config : 0x00 (0)
> error_string : NULL
> domain_is_ad : 0x01 (1)
> set_encryption_types : 0x0000001f (31)
> krb5_salt :
> 'host/d02.home.rob-campbell.lan at HOME.ROB-CAMPBELL.LAN'
> result : WERR_OK
> Using short domain name -- HOME
> Joined 'D02' to dns domain 'home.rob-campbell.lan'
> added interface enp3s0 ip=10.0.0.9 bcast=10.0.0.255 netmask=255.255.255.0
> DoDNSUpdate: signed update failed
There is your error, something is stopping the update, is there a
firewall in the way, or is apparmor running ?
Rowland
More information about the samba
mailing list