Discussion:
[Samba] net ads join fails
Roman Dilken
2015-03-10 18:10:01 UTC
Hi,

I've got a problem joining a domain with Samba 4.1.17 on FreeBSD.

Every time I try it, the join fails with a core dump.
Debugging it, it seems that it is stuck on authentication. Kerberos
works, I get credentials, but if I try to join the domain, it fails.

The problem seems to be somewhere in this debug output:

1. net ads join:

Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=***@please_ignore
kerberos_kinit_password: as Administrator using [MEMORY:cliconnect] as
ccache and config [(null)]
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/***@AD.DILKEN.EU
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Mi, 11 Mär 2015 05:00:16 CET
ads_krb5_mk_req: Ticket (cifs/***@AD.DILKEN.EU) in ccache
(MEMORY:cliconnect) is valid until: (Mi, 11 Mär 2015 05:00:16 CET -
1426046416)
Got KRB5 session key of length 16

2. samba-tool domain join

added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
netmask=255.255.255.0
added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
netmask=255.255.255.0
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 4
TCP_KEEPCNT = 0
TCP_KEEPIDLE = 0
TCP_KEEPINTVL = 0
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 66608
SO_RCVBUF = 66608
SO_SNDLOWAT = 2048
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 292
Received smb_krb5 packet of length 1293
Received smb_krb5 packet of length 1310
Received smb_krb5 packet of length 1288
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection
Bus error (Speicherabzug geschrieben)

Any hints? I've been trying the whole day but I can't find where the failure is..

Oh, and via samba36, it worked.. I think there is some issue with krb5?

My smb4.conf:

[global]

netbios name = fileserver
workgroup = AD
security = ADS
realm = AD.DILKEN.EU
dedicated keytab file = /usr/local/etc/krb5.keytab
nsupdate command = /usr/local/bin/samba-nsupdate -g
server role = member server
winbind refresh tickets = yes
#socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072

use sendfile = true

idmap_ldp:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 10000-99999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

log level = 10

read only = no
inherit permissions = No
inherit acls = No
inherit owner = No
force unknown acl user = No
store dos attributes = Yes
map read only = No
vfs objects = zfsacl

And krb5.conf:
[libdefaults]
default_realm = AD.DILKEN.EU
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
ticket_lifetime = 24h
renew_lifetime = 7d




Greetings,

Roman
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/o
Rowland Penny
2015-03-10 18:30:02 UTC
Hi, what are you trying to join to?

Remove this line 'idmap_ldp:use rfc2307 = yes'

one) it should be 'idmap_ldb:use rfc2307 = yes'
two) it is only used on a DC.

How are you trying to do the join ?

Rowland
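A small checker for the smb.conf problems raised in this reply, added here as an example; it is not code from the thread or from the Samba project. It parses a [global] section laid out like the poster's smb4.conf (comments, blank lines, backslash continuations), flags a misspelled `idmap_ldp:` prefix, flags the DC-only `idmap_ldb:` setting when `server role` is a member server, and checks that `idmap config` ranges do not overlap. The embedded sample is constructed from the config posted above; the check names and messages are this example's own.

```python
import re

# Constructed sample: the [global] section from the smb4.conf posted in the
# thread, including the misspelled 'idmap_ldp' line the reply points out.
SAMPLE_SMB_CONF = """\
[global]
netbios name = fileserver
workgroup = AD
security = ADS
realm = AD.DILKEN.EU
server role = member server
#socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
idmap_ldp:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 10000-99999
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Skips '#' and ';' comment lines and blank lines, joins lines that end in
    a backslash, and lower-cases keys (Samba parameter names are
    case-insensitive). Values are kept as written, only stripped.
    """
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        pending = ""
        if line.endswith("\\"):          # continuation: glue the next line on
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            continue                     # malformed or outside a section; ignore
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_range(value):
    """'2000-9999' -> (2000, 9999); raises ValueError on malformed input."""
    lo, _, hi = value.partition("-")
    lo, hi = int(lo), int(hi)
    if lo > hi:
        raise ValueError(f"range low > high: {value}")
    return lo, hi


def lint_global(global_section):
    """Return a list of finding strings for a [global] section."""
    findings = []
    role = global_section.get("server role", "").lower()
    is_dc = "domain controller" in role
    ranges = {}
    for key, value in global_section.items():
        if key.startswith("idmap_ldp:"):
            findings.append(f"'{key}' is misspelled; the prefix is 'idmap_ldb:'")
        if key.startswith("idmap_ldb:") and not is_dc:
            findings.append(f"'{key}' only applies on a DC; drop it on a member server")
        m = re.match(r"^idmap config (.+):range$", key)
        if m:
            try:
                ranges[m.group(1)] = parse_range(value)
            except ValueError as e:
                findings.append(f"'{key}' malformed: {e}")
    if global_section.get("security", "").lower() == "ads" and not global_section.get("realm"):
        findings.append("security = ADS requires 'realm'")
    realm = global_section.get("realm", "")
    if realm and realm != realm.upper():
        findings.append("realm should be upper-case")
    names = sorted(ranges)
    for i, a in enumerate(names):          # pairwise overlap test on idmap ranges
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings


def lint_smb_conf(text):
    """Parse and lint; returns the findings for the [global] section."""
    return lint_global(parse_smb_conf(text).get("global", {}))


if __name__ == "__main__":
    for finding in lint_smb_conf(SAMPLE_SMB_CONF):
        print("-", finding)
```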
Roman Dilken
2015-03-10 19:10:02 UTC
Hi,

I commented it out but it didn't change the behaviour.

I tried the following commands:

1.) samba-tool domain join ad.dilken.eu MEMBER -UAdministrator --realm=AD.DILKEN.EU --site=Neuoetting -d 10

Result (last lines):

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 291
Received smb_krb5 packet of length 1293
Received smb_krb5 packet of length 1310
Received smb_krb5 packet of length 1288
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection



2.) net ads join -UAdministrator -d 10 -k

Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=***@please_ignore
kerberos_kinit_password: as Administrator using [MEMORY:cliconnect] as
ccache and config [(null)]
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/***@AD.DILKEN.EU
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Mi, 11 Mär 2015 05:58:30 CET
ads_krb5_mk_req: Ticket (cifs/***@AD.DILKEN.EU) in ccache
(MEMORY:cliconnect) is valid until: (Mi, 11 Mär 2015 05:58:30 CET -
1426049910)
Got KRB5 session key of length 16


I want to join the FreeBSD machine as a member server for winbind. It's
my workstation.

Greetings,

Roman
Rowland Penny
2015-03-10 19:30:02 UTC
OK, the first will not work (well, not yet); the second should. I take it
you ran 'kinit ***@AD.DILKEN.EU' as root before the join?

You could try 'net ads join -U Administrator' and enter the password
when prompted. I personally have never seen the point in using Kerberos
during the join; either way you have to enter the Administrator password
:-)

Rowland
Roman Dilken
2015-03-10 20:40:02 UTC
Oh, I have a pair of Samba 4.1.17 DCs, raspberry-pi and dc2, which make up the domain ad.dilken.eu on site Neuoetting.

resolv.conf points to the two dc's:

search ad.dilken.eu
nameserver 192.168.2.33
nameserver 192.168.2.2

In the output I find some references to dc2 (192.168.2.2), but perhaps it doesn't work as expected..

Greetings
Post by Rowland Penny
OK, the first will not work (well not yet), the second should, I
the join ?
You could try 'net ads join -U Administrator' and enter the
password when prompted, I personally have never seen the point in
using kerberos during the join, either way you have to enter the
Administrator password :-)
Rowland
always to enter the password with or without kerberos.
net ads join -UAdministrator -d 10
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
params.c:pm_process() - Processing configuration file
"/usr/local/etc/smb4.conf"
Processing section "[global]"
doing parameter netbios name = fileserver
doing parameter workgroup = AD
doing parameter security = ADS
doing parameter realm = AD.DILKEN.EU
doing parameter dedicated keytab file = /usr/local/etc/krb5.keytab
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server role = member server
doing parameter winbind refresh tickets = yes
doing parameter use sendfile = true
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config AD:backend = ad
doing parameter idmap config AD:schema_mode = rfc2307
doing parameter idmap config AD:range = 10000-99999
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter log level = 10
doing parameter read only = no
doing parameter inherit permissions = No
doing parameter inherit acls = No
doing parameter inherit owner = No
doing parameter force unknown acl user = No
doing parameter store dos attributes = Yes
doing parameter map read only = No
doing parameter vfs objects = zfsacl
doing parameter nfs4:mode = special
doing parameter nfs4:acedup = merge
doing parameter nfs4:chown = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="FILESERVER"
added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'FILESERVER'
domain_name : *
domain_name : 'AD.DILKEN.EU'
account_ou : NULL
admin_account : 'Administrator'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/db/samba4/gencache.tdb
Opening cache file at /var/db/samba4/gencache_notrans.tdb
sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
dsgetdcname_internal: domain_name: AD.DILKEN.EU, domain_guid: (null),
site_name: Neuoetting, flags: 0x40001011
debug_dsdcinfo_flags: 0x40001011
DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED
DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
dsgetdcname_rediscover
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed dc2.ad.dilken.eu [0, 100, 389]
LDAP ping to dc2.ad.dilken.eu
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000003fc (1020)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
0: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 56b6b4e7-d3f5-448d-ae4b-5b68a3662b2f
forest : 'ad.dilken.eu'
dns_domain : 'ad.dilken.eu'
pdc_dns_name : 'dc2.ad.dilken.eu'
domain_name : 'AD'
pdc_name : 'DC2'
user_name : ''
server_site : 'Neuoetting'
client_site : 'Neuoetting'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
Did not store value for DSGETDCNAME/DOMAIN/AD, we already got it
sitename_store: realm = [AD], sitename = [Neuoetting], expire =
[2147483647]
Did not store value for AD_SITENAME/DOMAIN/AD, we already got it
Adding cache entry with key=[DSGETDCNAME/DOMAIN/AD.DILKEN.EU] and
timeout=[Di Mär 10 21:25:28 2015 CET] (900 seconds ahead)
sitename_store: realm = [ad.dilken.eu], sitename = [Neuoetting],
expire = [2147483647]
Did not store value for AD_SITENAME/DOMAIN/AD.DILKEN.EU, we already got it
sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
internal_resolve_name: looking up dc2.ad.dilken.eu#20 (sitename
Neuoetting)
Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Do
Jan 1 01:00:00 1970 CET] (-1426018228 seconds in the past)
no entry for dc2.ad.dilken.eu#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
startlmhosts: Can't open lmhosts file /usr/local/etc/lmhosts. Error
was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name dc2.ad.dilken.eu<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for dc2.ad.dilken.eu#20: 192.168.2.2
Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Di
Mär 10 21:21:28 2015 CET] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 192.168.2.2:0
Connecting to 192.168.2.2 at port 445
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 4
TCP_KEEPCNT = 0
TCP_KEEPIDLE = 0
TCP_KEEPINTVL = 0
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 66608
SO_RCVBUF = 66608
SO_SNDLOWAT = 2048
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x60088215 (1611170325)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
0: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0002 (2)
DomainNameMaxLen : 0x0002 (2)
DomainName : *
DomainName : 'AD'
WorkstationLen : 0x000a (10)
WorkstationMaxLen : 0x000a (10)
Workstation : *
Workstation : 'FILESERVER'
challenge: struct CHALLENGE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmChallenge (0x2)
TargetNameLen : 0x0004 (4)
TargetNameMaxLen : 0x0004 (4)
TargetName : *
TargetName : 'AD'
NegotiateFlags : 0x60898215 (1619624469)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
1: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
1: NTLMSSP_NEGOTIATE_TARGET_INFO
0: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
ServerChallenge : 5de2f6f04d891106
Reserved : 0000000000000000
TargetInfoLen : 0x0056 (86)
TargetNameInfoMaxLen : 0x0056 (86)
TargetInfo : *
TargetInfo: struct AV_PAIR_LIST
count : 0x00000005 (5)
pair: ARRAY(5)
pair: struct AV_PAIR
AvId : MsvAvNbDomainName (0x2)
AvLen : 0x0004 (4)
Value : union
ntlmssp_AvValue(case 0x2)
AvNbDomainName : 'AD'
pair: struct AV_PAIR
AvId : MsvAvNbComputerName
(0x1)
AvLen : 0x0006 (6)
Value : union
ntlmssp_AvValue(case 0x1)
AvNbComputerName : 'DC2'
pair: struct AV_PAIR
AvId : MsvAvDnsDomainName
(0x4)
AvLen : 0x0018 (24)
Value : union
ntlmssp_AvValue(case 0x4)
AvDnsDomainName : 'ad.dilken.eu'
pair: struct AV_PAIR
MsvAvDnsComputerName (0x3)
AvLen : 0x0020 (32)
Value : union
ntlmssp_AvValue(case 0x3)
AvDnsComputerName : 'dc2.ad.dilken.eu'
pair: struct AV_PAIR
AvId : MsvAvEOL (0x0)
AvLen : 0x0000 (0)
Value : union
ntlmssp_AvValue(case 0x0)
Got NTLMSSP neg_flags=0x60898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Bus error (Speicherabzug geschrieben)
The final result is the same as above.
Greetings,
Roman
It looks like it cannot find a DC.
You never did say what you are trying to join to: a Samba 4 AD server, a Windows AD server, or what?
What does /etc/resolv.conf point to??
Is it your AD DC server?
Rowland
Rowland Penny
2015-03-10 20:50:01 UTC
Permalink
Post by Roman Dilken
Oh, I have a pair of samba-4.1.17-DC's, raspberry-pi and dc2 to which make the domain ad.dilken.eu on site Neuoetting.
search ad.dilken.eu
nameserver 192.168.2.33
nameserver 192.168.2.2
In the output I find some relations to dc2 resp. 192.168.2.2, but perhaps it doesn't work as expected..
Greetings
Post by Rowland Penny
OK, the first will not work (well not yet), the second should, I
the join ?
You could try 'net ads join -U Administrator' and enter the
password when prompted, I personally have never seen the point in
using kerberos during the join, either way you have to enter the
Administrator password :-)
Rowland
always to enter the passowrd with or without kerberos.
net ads join -UAdministrator -d 10
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
params.c:pm_process() - Processing configuration file
"/usr/local/etc/smb4.conf"
Processing section "[global]"
doing parameter netbios name = fileserver
doing parameter workgroup = AD
doing parameter security = ADS
doing parameter realm = AD.DILKEN.EU
doing parameter dedicated keytab file = /usr/local/etc/krb5.keytab
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server role = member server
doing parameter winbind refresh tickets = yes
doing parameter use sendfile = true
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config AD:backend = ad
doing parameter idmap config AD:schema_mode = rfc2307
doing parameter idmap config AD:range = 10000-99999
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter log level = 10
doing parameter read only = no
doing parameter inherit permissions = No
doing parameter inherit acls = No
doing parameter inherit owner = No
doing parameter force unknown acl user = No
doing parameter store dos attributes = Yes
doing parameter map read only = No
doing parameter vfs objects = zfsacl
doing parameter nfs4:mode = special
doing parameter nfs4:acedup = merge
doing parameter nfs4:chown = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="FILESERVER"
added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'FILESERVER'
domain_name : *
domain_name : 'AD.DILKEN.EU'
account_ou : NULL
admin_account : 'Administrator'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/db/samba4/gencache.tdb
Opening cache file at /var/db/samba4/gencache_notrans.tdb
sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
dsgetdcname_internal: domain_name: AD.DILKEN.EU, domain_guid: (null),
site_name: Neuoetting, flags: 0x40001011
debug_dsdcinfo_flags: 0x40001011
DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED
DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
dsgetdcname_rediscover
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed dc2.ad.dilken.eu [0, 100, 389]
LDAP ping to dc2.ad.dilken.eu
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000003fc (1020)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
0: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 56b6b4e7-d3f5-448d-ae4b-5b68a3662b2f
forest : 'ad.dilken.eu'
dns_domain : 'ad.dilken.eu'
pdc_dns_name : 'dc2.ad.dilken.eu'
domain_name : 'AD'
pdc_name : 'DC2'
user_name : ''
server_site : 'Neuoetting'
client_site : 'Neuoetting'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
Did not store value for DSGETDCNAME/DOMAIN/AD, we already got it
sitename_store: realm = [AD], sitename = [Neuoetting], expire =
[2147483647]
Did not store value for AD_SITENAME/DOMAIN/AD, we already got it
Adding cache entry with key=[DSGETDCNAME/DOMAIN/AD.DILKEN.EU] and
timeout=[Di Mär 10 21:25:28 2015 CET] (900 seconds ahead)
sitename_store: realm = [ad.dilken.eu], sitename = [Neuoetting],
expire = [2147483647]
Did not store value for AD_SITENAME/DOMAIN/AD.DILKEN.EU, we already got it
sitename_fetch: Returning sitename for AD.DILKEN.EU: "Neuoetting"
internal_resolve_name: looking up dc2.ad.dilken.eu#20 (sitename
Neuoetting)
Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Do
Jan 1 01:00:00 1970 CET] (-1426018228 seconds in the past)
no entry for dc2.ad.dilken.eu#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc2.ad.dilken.eu<0x20>
startlmhosts: Can't open lmhosts file /usr/local/etc/lmhosts. Error
was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name dc2.ad.dilken.eu<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for dc2.ad.dilken.eu#20: 192.168.2.2
Adding cache entry with key=[NBT/DC2.AD.DILKEN.EU#20] and timeout=[Di
Mär 10 21:21:28 2015 CET] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 192.168.2.2:0
Connecting to 192.168.2.2 at port 445
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 4
TCP_KEEPCNT = 0
TCP_KEEPIDLE = 0
TCP_KEEPINTVL = 0
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 66608
SO_RCVBUF = 66608
SO_SNDLOWAT = 2048
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x60088215 (1611170325)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
0: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0002 (2)
DomainNameMaxLen : 0x0002 (2)
DomainName : *
DomainName : 'AD'
WorkstationLen : 0x000a (10)
WorkstationMaxLen : 0x000a (10)
Workstation : *
Workstation : 'FILESERVER'
challenge: struct CHALLENGE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmChallenge (0x2)
TargetNameLen : 0x0004 (4)
TargetNameMaxLen : 0x0004 (4)
TargetName : *
TargetName : 'AD'
NegotiateFlags : 0x60898215 (1619624469)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
1: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
1: NTLMSSP_NEGOTIATE_TARGET_INFO
0: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
ServerChallenge : 5de2f6f04d891106
Reserved : 0000000000000000
TargetInfoLen : 0x0056 (86)
TargetNameInfoMaxLen : 0x0056 (86)
TargetInfo : *
TargetInfo: struct AV_PAIR_LIST
count : 0x00000005 (5)
pair: ARRAY(5)
pair: struct AV_PAIR
AvId : MsvAvNbDomainName (0x2)
AvLen : 0x0004 (4)
Value : union
ntlmssp_AvValue(case 0x2)
AvNbDomainName : 'AD'
pair: struct AV_PAIR
AvId : MsvAvNbComputerName (0x1)
AvLen : 0x0006 (6)
Value : union
ntlmssp_AvValue(case 0x1)
AvNbComputerName : 'DC2'
pair: struct AV_PAIR
AvId : MsvAvDnsDomainName (0x4)
AvLen : 0x0018 (24)
Value : union
ntlmssp_AvValue(case 0x4)
AvDnsDomainName : 'ad.dilken.eu'
pair: struct AV_PAIR
AvId : MsvAvDnsComputerName (0x3)
AvLen : 0x0020 (32)
Value : union
ntlmssp_AvValue(case 0x3)
AvDnsComputerName : 'dc2.ad.dilken.eu'
pair: struct AV_PAIR
AvId : MsvAvEOL (0x0)
AvLen : 0x0000 (0)
Value : union
ntlmssp_AvValue(case 0x0)
Got NTLMSSP neg_flags=0x60898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Bus error (Speicherabzug geschrieben)
The final result is the same as above.
Greetings,
Roman
It looks like it cannot find a DC.
You never did say what you are trying to join to, Samba 4 AD server, windows AD server or what ?
What does /etc/resolv.conf point to ??
Is it your AD DC server ?
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
I wonder if it is a time problem, does 'date' return the same time
(allowing for being run on different machines), they need to be very
close together.

Rowland
Roman Dilken
2015-03-10 21:40:02 UTC
Permalink
Post by Rowland Penny
I wonder if it is a time problem, does 'date' return the same time
(allowing for being run on different machines), they need to be very
close together.
Rowland
Time seems okay, the system is getting it from the first DC, but I found
something interesting in the serverlog:

Not authoritative for '_kerberos.dilken.eu', forwarding
[2015/03/10 22:31:34.148561, 2]
../source4/dns_server/dns_query.c:629(dns_server_process_query_send)


Seems that net ads does not correctly set domain name and/or realm. The
DNS-question should be _kerberos.ad.dilken.eu for which the DNS is
authoritative...

Greetings,

Roman
Rowland Penny
2015-03-10 22:00:02 UTC
Permalink
Post by Roman Dilken
Post by Rowland Penny
I wonder if it is a time problem, does 'date' return the same time
(allowing for being run on different machines), they need to be very
close together.
Rowland
Time seems okay, the system is getting it from the first DC, but I found
Not authoritative for '_kerberos.dilken.eu', forwarding
[2015/03/10 22:31:34.148561, 2]
../source4/dns_server/dns_query.c:629(dns_server_process_query_send)
Seems that net ads does not correctly set domain name and/or realm. The
DNS-question should be _kerberos.ad.dilken.eu for which the DNS is
authoritative...
Greetings,
Roman
Hmm, it should actually be _kerberos._udp.ad.dilken.eu, what is in
/etc/krb5.conf on the two DCs, also what is smb.conf on the two DCs

Rowland
Roman Dilken
2015-03-11 05:00:02 UTC
Permalink
smb.conf and krb5.conf on dc2:

# Global parameters
[global]
workgroup = AD
realm = ad.dilken.eu
netbios name = DC2
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
log level = 5

[netlogon]
path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = AD.DILKEN.EU

smb.conf and krb5.conf on raspberry-pi:

[libdefaults]
default_realm = AD.DILKEN.EU
dns_lookup_realm = true
dns_lookup_kdc = true

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

# Global parameters
[global]
workgroup = AD
realm = AD.DILKEN.EU
netbios name = RASPBERRY-PI
server role = active directory domain controller
dns forwarder = 192.71.247.247
idmap_ldb:use rfc2307 = yes
log level = 5

[netlogon]
path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

I'll check the DNS entries later again.

Greetings
Rowland Penny
2015-03-11 09:10:03 UTC
Permalink
Post by Roman Dilken
# Global parameters
[global]
workgroup = AD
realm = ad.dilken.eu
netbios name = DC2
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
log level = 5
[netlogon]
path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = AD.DILKEN.EU
[libdefaults]
default_realm = AD.DILKEN.EU
dns_lookup_realm = true
dns_lookup_kdc = true
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
# Global parameters
[global]
workgroup = AD
realm = AD.DILKEN.EU
netbios name = RASPBERRY-PI
server role = active directory domain controller
dns forwarder = 192.71.247.247
idmap_ldb:use rfc2307 = yes
log level = 5
[netlogon]
path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
I'll check the DNS entries later again.
Greetings
I would expect the smb.conf on both DCs to be identical (apart from netbios
name), but DC2 doesn't have a forwarder, are you using bind9 on this DC ?

If you are using bind, you are missing the 'server services' line, I use
bind9 and have this in smb.conf:

[global]
workgroup = EXAMPLE
realm = example.com
netbios name = DC01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
; log level = 3

[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No


/etc/krb5.conf on both my DCs is this:

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EXAMPLE.COM

/etc/resolv.conf on both my DCs is this:

search example.com
nameserver 127.0.0.1


Rowland
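The checks Rowland is asking for in this reply and in his earlier one (realm in smb.conf matching default_realm in krb5.conf, resolv.conf pointing at a DC that is authoritative for the realm, and the SRV name a client should be querying, `_kerberos._udp.<realm>`) can be scripted. The following is an added example, not Samba project code and not anything posted in this thread. The smb.conf and krb5.conf text is constructed from the values Roman quoted, the resolv.conf content is an assumption (it was never posted), and the DNS log line is the one from Roman's message; `check_join_prereqs`, `classify_forwarded_queries` and the other function names are this example's own.

```python
# Added example (not Samba project code, not code posted in this thread):
# sanity checks for the AD join prerequisites discussed above. Sample
# configuration text is constructed from the values quoted in the thread;
# the resolv.conf content is an assumption, since it was never posted.
import re

# --- constructed samples -------------------------------------------------
DC2_SMB_CONF = """# Global parameters
[global] workgroup = AD
realm = ad.dilken.eu
netbios name = DC2
server role = active directory domain controller
"""
DC2_KRB5_CONF = """[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = AD.DILKEN.EU
"""
DC2_RESOLV_CONF = "search ad.dilken.eu\nnameserver 127.0.0.1\n"  # assumed
# The log line Roman quoted: the queried name has no _udp/_tcp label and
# is one DNS label short of the realm.
DC2_DNS_LOG = "Not authoritative for '_kerberos.dilken.eu', forwarding\n"

def parse_ini(text):
    """Parse smb.conf / krb5.conf style text into {section: {key: value}}.
    Section names and keys are lower-cased; '#' and ';' start comments.
    A key on the same line as the section header ('[global] workgroup = AD')
    is accepted, because mail clients fold lines that way."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[([^\]]+)\]\s*(.*)$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            line = m.group(2).strip()
            if not line:
                continue
        if section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def expected_srv_names(realm):
    """SRV names an AD client resolves to locate the KDC and LDAP services."""
    r = realm.lower().rstrip(".")
    return [f"_kerberos._udp.{r}", f"_kerberos._tcp.{r}",
            f"_kpasswd._udp.{r}", f"_ldap._tcp.{r}",
            f"_ldap._tcp.dc._msdcs.{r}"]

SRV_NAME_RE = re.compile(r"^_(kerberos|kpasswd|ldap|gc)\._(udp|tcp)\..+$")

def is_well_formed_srv(name):
    """True if name has the _service._proto.domain shape AD clients query."""
    return bool(SRV_NAME_RE.match(name.lower()))

def check_join_prereqs(smb_conf, krb5_conf, resolv_conf):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    smb = parse_ini(smb_conf).get("global", {})
    krb = parse_ini(krb5_conf).get("libdefaults", {})
    realm = smb.get("realm", "")
    default_realm = krb.get("default_realm", "")
    if not realm:
        findings.append("smb.conf: [global] has no 'realm'")
    if not default_realm:
        findings.append("krb5.conf: [libdefaults] has no 'default_realm'")
    elif realm and realm.lower() != default_realm.lower():
        findings.append(f"realm mismatch: smb.conf realm={realm!r}, "
                        f"krb5.conf default_realm={default_realm!r}")
    if not re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M):
        findings.append("resolv.conf: no nameserver line")
    search = [d.lower() for line in
              re.findall(r"^\s*(?:search|domain)\s+(.+)$", resolv_conf, re.M)
              for d in line.split()]
    if realm and realm.lower() not in search:
        findings.append(f"resolv.conf: search list {search} does not include "
                        f"the realm's DNS domain {realm.lower()!r}")
    return findings

LOG_RE = re.compile(r"Not authoritative for '([^']+)', forwarding")

def classify_forwarded_queries(log_text, realm):
    """For each 'Not authoritative ... forwarding' line in the Samba DNS
    server log, say whether the name lies in the realm zone (so the DC should
    have answered it), is a service lookup for some other domain (the client
    derived the wrong domain), or is a routine forward."""
    r = realm.lower().rstrip(".")
    results = []
    for m in LOG_RE.finditer(log_text):
        name = m.group(1).lower().rstrip(".")
        if name == r or name.endswith("." + r):
            verdict = "inside realm zone: DC should be authoritative"
        elif name.startswith("_"):
            verdict = "service lookup outside realm zone"
            if not is_well_formed_srv(name):
                verdict += " (not _service._proto.domain form)"
        else:
            verdict = "routine forwarded query"
        results.append((name, verdict))
    return results

if __name__ == "__main__":
    print(check_join_prereqs(DC2_SMB_CONF, DC2_KRB5_CONF, DC2_RESOLV_CONF))
    print(expected_srv_names("AD.DILKEN.EU"))
    print(classify_forwarded_queries(DC2_DNS_LOG, "ad.dilken.eu"))
```

Run against the values from this thread, the config check comes back clean (the realm differs only in case between the two files), while the log classifier flags `_kerberos.dilken.eu` as a service lookup for a domain other than the realm and notes that it is not even in `_service._proto.domain` form, which is the point Rowland makes about `_kerberos._udp.ad.dilken.eu`. To check the DNS side live, resolve each name from `expected_srv_names()` with `dig SRV` against the nameserver in resolv.conf and confirm the answer comes from the DC rather than a forwarder.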
Roman Dilken
2015-03-20 10:10:02 UTC
Permalink
Hi,

I tested again and found out that the ports version is broken.
If I install from the package collection, samba and winbindd work
correctly and net ads join does its job.

Greetings,

Roman