Hello,

On Wed, May 23, 2012 at 1:59 PM, Jim McDonough <j...@samba.org> wrote:
> On Mon, May 21, 2012 at 12:17 PM, <alex.rans...@free.fr> wrote:
>> We're having trouble joining an AD domain with 3.6.5
>>
>> This message when running net join looks fishy :
>> "got principal=not_defined_in_RFC4178@please_ignore"
> I'm sure it looks fishy, but it's not. This is normal for newer
> versions of windows (windows is sending it back).

Thanks for the explanation, sorry about the misdiagnosis then :-)

>>
>> OS : Solaris 10 x64
>> Kerberos : MIT krb5 1.10.1
>> DC servers are running Windows 2008
>>
>> The error message is :
>> ./net join -U aranskis
>> Enter aranskis's password:
[...]
>> [..]
> What's cut out here might be more helpful. However, please see below
> and try that first.
>> relevant configuration options :
>>
>> [global]
>> realm=CORP.NET
>> workgroup=CORP.NET
> Please try changing this to just CORP (or whatever the "short" netbios
> name is for the domain...not the dns name).

OK, did that (workgroup = CORP instead of workgroup = CORP.NET), the join still fails, here's more of the log below. I hope it is enough, if not the whole output is available here : http://pastebin.com/r3LTaXCx

Now, what seems suspicious (to me, at least !) is the line :
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP (Connection timed out)

Shouldn't it try to resolve "_ldap._tcp.pdc._msdcs.CORP.NET" instead ?

INFO: Current debug levels: all: 9 tdb: 9 printdrivers: 9 lanman: 9 smb: 9 rpc_parse: 9 rpc_srv: 9 rpc_cli: 9 passdb: 9 sam: 9 auth: 9 winbind: 9 vfs: 9 idmap: 9 quota: 9 acls: 9 locking: 9 msdfs: 9 dmapi: 9 registry: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
INFO: Current debug levels: all: 9 tdb: 9 printdrivers: 9 lanman: 9 smb: 9 rpc_parse: 9 rpc_srv: 9 rpc_cli: 9 passdb: 9 sam: 9 auth: 9 winbind: 9 vfs: 9 idmap: 9 quota: 9 acls: 9 locking: 9 msdfs: 9 dmapi: 9 registry: 9
params.c:pm_process() - Processing configuration file "/local/users_ncs/product/samba-3.6.5/lib/smb.conf"
Processing section "[global]"
doing parameter realm = CORP.NET
doing parameter workgroup = CORP
doing parameter security = ADS
doing parameter encrypt passwords = yes
doing parameter bind interfaces only = true
doing parameter interfaces = msusersncs
doing parameter lock dir = /local/users_ncs/product/samba/lock
doing parameter netbios name = msusersncs
handle_netbios_name: set global_myname to: MSUSERSNCS
doing parameter pid directory = /local/users_ncs/product/samba/pid
doing parameter log file = /local/users_ncs/product/samba/log/samba.log
doing parameter username map = /local/users_ncs/product/samba/lib/users.map
...skipping...
    domain_is_ad : 0x00 (0)
    result : WERR_LOGON_FAILURE
ADS join did not work, falling back to RPC...
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP (Connection timed out)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
startlmhosts: Can't open lmhosts file /local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name CORP<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name CORP<0x1b>
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 4
SO_BROADCAST = 32
Could not test socket option TCP_NODELAY.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 57344
SO_RCVBUF = 57344
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
startlmhosts: Can't open lmhosts file /local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name CORP<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name CORP<0x1b>
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 4
SO_BROADCAST = 32
Could not test socket option TCP_NODELAY.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 57344
SO_RCVBUF = 57344
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
return code = 1
Failed to join domain: failed to lookup DC info for domain 'CORP.NET' over rpc: Logon failure

[root@msnfsmut03]:/local/users_ncs/product/samba/bin # ls -ltr /var/tmp/log8.txt
-rw-r--r-- 1 root root 12195 May 23 14:54 /var/tmp/log8.txt
[root@msnfsmut03]:/local/users_ncs/product/samba/bin # less /var/tmp/log8.txt
INFO: Current debug levels: all: 9 tdb: 9 printdrivers: 9 lanman: 9 smb: 9 rpc_parse: 9 rpc_srv: 9 rpc_cli: 9 passdb: 9 sam: 9 auth: 9 winbind: 9 vfs: 9 idmap: 9 quota: 9 acls: 9 locking: 9 msdfs: 9 dmapi: 9 registry: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
INFO: Current debug levels: all: 9 tdb: 9 printdrivers: 9 lanman: 9 smb: 9 rpc_parse: 9 rpc_srv: 9 rpc_cli: 9 passdb: 9 sam: 9 auth: 9 winbind: 9 vfs: 9 idmap: 9 quota: 9 acls: 9 locking: 9 msdfs: 9 dmapi: 9 registry: 9
params.c:pm_process() - Processing configuration file "/local/users_ncs/product/samba-3.6.5/lib/smb.conf"
Processing section "[global]"
doing parameter realm = CORP.NET
doing parameter workgroup = CORP
doing parameter security = ADS
doing parameter encrypt passwords = yes
doing parameter bind interfaces only = true
doing parameter interfaces = msusersncs
doing parameter lock dir = /local/users_ncs/product/samba/lock
doing parameter netbios name = msusersncs
handle_netbios_name: set global_myname to: MSUSERSNCS
doing parameter pid directory = /local/users_ncs/product/samba/pid
doing parameter log file = /local/users_ncs/product/samba/log/samba.log
doing parameter username map = /local/users_ncs/product/samba/lib/users.map
doing parameter guest account = nobody
doing parameter invalid users = root bin
doing parameter server string = Serveur NCS Users
doing parameter log level = 2
doing parameter max log size = 800000
doing parameter msdfs root = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Substituting charset '646' for LOCALE
Netbios name list:-
my_netbios_names[0]="MSUSERSNCS"
added interface e1000g4:4 ip=10.20.198.67 bcast=10.20.198.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Opening cache file at /local/users_ncs/product/samba/lock/gencache.tdb
Opening cache file at /local/users_ncs/product/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for CORP.NET: "Site-Paris"
lp_servicenumber: couldn't find homes
Substituting charset '646' for LOCALE
Netbios name list:-
my_netbios_names[0]="MSUSERSNCS"
added interface e1000g4:4 ip=10.20.198.67 bcast=10.20.198.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Opening cache file at /local/users_ncs/product/samba/lock/gencache.tdb
Opening cache file at /local/users_ncs/product/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for CORP.NET: "Site-Paris"
ads_find_dc: (cldap) looking for realm 'CORP.NET'
get_sorted_dc_list: attempting lookup for name CORP.NET (sitename Site-Paris) using [ads]
saf_fetch: failed to find server for "CORP.NET" domain
get_dc_list: preferred server list: ", *"
no entry for CORP.NET#1C found.
resolve_ads: Attempting to resolve DCs for CORP.NET using DNS
ads_dns_lookup_srv: 18 records returned in the answer section.
namecache_store: storing 18 addresses for CORP.NET#1c: 10.220.244.253,10.9.62.70,10.219.244.29,10.219.244.38,10.219.244.21,10.220.244.254,10.219.216.13,10.220.245.254,10.220.245.253,10.219.244.253,10.14.12.40,10.219.245.51,10.14.12.32,10.9.62.74,10.15.48.204,10.9.192.133,10.219.244.28,10.14.11.134
Adding 18 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.220.244.253
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.9.62.70
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.219.244.29
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.219.244.38
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.219.244.21
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.220.244.254
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.219.216.13
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.220.245.254
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.220.245.253
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.219.244.253
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.14.12.40
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.219.245.51
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.14.12.32
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.9.62.74
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.15.48.204
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.9.192.133
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.219.244.28
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.14.11.134
get_dc_list: returning 18 ip addresses in an ordered list
get_dc_list: 10.220.244.253:389 10.9.62.70:389 10.219.244.29:389 10.219.244.38:389 10.219.244.21:389 10.220.244.254:389 10.219.216.13:389 10.220.245.254:389 10.220.245.253:389 10.219.244.253:389 10.14.12.40:389 10.219.245.51:389 10.14.12.32:389 10.9.62.74:389 10.15.48.204:389 10.9.192.133:389 10.219.244.28:389 10.14.11.134:389
check_negative_conn_cache returning result 0 for domain CORP.NET server 10.220.244.253
ads_try_connect: sending CLDAP request to 10.220.244.253 (realm: CORP.NET)
Successfully contacted LDAP server 10.220.244.253
libnet_Join:
  libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
      dc_name : NULL
      machine_name : 'MSUSERSNCS'
      domain_name : *
        domain_name : 'CORP.NET'
      account_ou : NULL
      admin_account : 'aranskis'
      machine_password : NULL
      join_flags : 0x00000023 (35)
        0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
        0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
        0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
...skipping...
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
  libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
      account_name : NULL
      netbios_domain_name : NULL
      dns_domain_name : NULL
      forest_name : NULL
      dn : NULL
      domain_sid : NULL
        domain_sid : (NULL SID)
      modified_config : 0x00 (0)
      error_string : 'failed to lookup DC info for domain 'CORP.NET' over rpc: Logon failure'
      domain_is_ad : 0x00 (0)
      result : WERR_LOGON_FAILURE
ADS join did not work, falling back to RPC...
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP (Connection timed out)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
startlmhosts: Can't open lmhosts file /local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name CORP<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name CORP<0x1b>
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 4
SO_BROADCAST = 32
Could not test socket option TCP_NODELAY.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 57344
SO_RCVBUF = 57344
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
startlmhosts: Can't open lmhosts file /local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name CORP<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name CORP<0x1b>
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 4
SO_BROADCAST = 32
Could not test socket option TCP_NODELAY.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 57344
SO_RCVBUF = 57344
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
return code = 1
Failed to join domain: failed to lookup DC info for domain 'CORP.NET' over rpc: Logon failure

>
>> security=ADS
>> encrypt passwords = yes
>> bind interfaces only = true
>> interfaces = msusersncs
>>
>>
>>
>> Any hints on the best way to try and figure out what is wrong when
>> trying to register in the AD ?
>> (the same config worked with samba 3.4.x, but the DCs were running Windows
>> 2003)
>
>
> --
> Jim McDonough
> Samba Team
> SUSE labs
> jmcd at samba dot org
> jmcd at themcdonoughs dot org
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
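
Added example, not part of the original message and not Samba code: a Python sketch that triages `net join` debug output shaped like the log above, separating the ADS-stage session-setup errors from the SRV lookups attempted after the RPC fallback, and recording whether each failed SRV query name sits under the configured realm. The function name `triage` and the report keys are assumptions made for this illustration; the sample lines are constructed from the shapes seen in the log.

```python
import re

# Constructed sample: shortened lines in the shape of the log in this message.
SAMPLE_LOG = """\
doing parameter realm = CORP.NET
doing parameter workgroup = CORP
resolve_ads: Attempting to resolve DCs for CORP.NET using DNS
ads_dns_lookup_srv: 18 records returned in the answer section.
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
ADS join did not work, falling back to RPC...
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP (Connection timed out)
Unable to find a suitable server for domain CORP
"""

PARAM = re.compile(r"doing parameter (realm|workgroup) = (\S+)")
SRV_FAIL = re.compile(r"ads_dns_lookup_srv: Failed to resolve (\S+) \((.+)\)")
AUTH_FAIL = re.compile(r"SPNEGO login failed: (.+)|failed session setup with (\S+)")
FALLBACK = "ADS join did not work, falling back to RPC"

def triage(log_text):
    """Split a net join debug log into ADS-stage and RPC-fallback findings."""
    report = {"params": {}, "ads_auth_errors": [], "fallback": False,
              "srv_failures": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := PARAM.search(line):
            report["params"][m.group(1)] = m.group(2)
        elif m := AUTH_FAIL.search(line):
            report["ads_auth_errors"].append(m.group(1) or m.group(2))
        elif FALLBACK in line:
            report["fallback"] = True
        elif m := SRV_FAIL.search(line):
            name, reason = m.groups()
            realm = report["params"].get("realm", "")
            report["srv_failures"].append({
                "query": name,
                "reason": reason,
                # True when the lookup happened after the RPC fallback began
                "after_fallback": report["fallback"],
                # True when the query name ends in the configured DNS realm
                "under_realm": bool(realm)
                and name.upper().endswith("." + realm.upper()),
            })
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```

Feeding it the full debug-level-9 output instead of the constructed sample shows at a glance which errors came before the fallback and which SRV names were queried after it.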