Hmm, you have a whole bunch of stuff in smb.conf that I would not put there. Some of them may be obsolete and won't matter, but whether it will break things is hard to tell. I think you should look at the Official Howto and pare the settings down to the bare necessities, then try again.
Also have a look at my guide here:
http://www.aeronetworks.ca/LinuxActiveDirectory.html

I have found that KISS is a very important principle with ADS. Make an OU for your Linux users, define your groups and users in that OU, then apply security policies to the OU and don't reference anything outside the OU.

Also note that it is possible to do things in ADS that you are not supposed to do, which can cause Winbind to get its balls in a twist. In general, don't rename records, don't drag records from one OU to another OU, don't make a user in one OU a member of a group in another OU. You are not supposed to do those things and it may cause ADS to complain, but while WinXP clients will still work, Winbind will blow up. The only way to fix it is to find the offending records and delete them, but how to find them? It is a situation that is best avoided!

Cheers,

Herman
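A pared-down smb.conf of the kind Herman suggests, written here as an added example from the values in Lex's posted config (THUIS, THUIS.LOCAL, BACKUP, the 20000-30000 idmap range); it is not taken from Herman's guide or the Official Howto. Everything else from the original file is left out so the join can be tested on its own; the dropped settings can be put back one at a time once the join succeeds.

```ini
[global]
        # domain membership (values from Lex's config)
        workgroup = THUIS
        realm = THUIS.LOCAL
        netbios name = BACKUP
        security = ads
        encrypt passwords = Yes

        # winbind mapping of domain SIDs to local uids/gids (range from Lex's config)
        idmap uid = 20000-30000
        idmap gid = 20000-30000
        winbind use default domain = Yes
        template homedir = /home/%U
        template shell = /bin/bash

        # keep logging so the next "net ads join -d 3" run can be read back
        log file = /var/log/samba/log.%m
        max log size = 0

        # deliberately left out for the join test (all present in the original file):
        # password server, username map, enable privileges, hosts allow/deny,
        # socket options, name resolve order, the dhcp.conf include, and the
        # global admin users / valid users lines
```

Run testparm on the file first so a typo in the trimmed config is not mistaken for another join failure.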


Lex Brugman wrote:
Hello,

I'm trying to join a win2k3 ADS domain using a working config on a Debian 'Lenny' (ARM processor) machine, copied from another machine running Gentoo (x86 processor) (only the netbios name was changed).

Samba versions are 3.0.26a on both the machines.
I'm pretty sure this is not a Kerberos or LDAP problem; does anyone have a clue what else it could be?


# net -d 3 ads join -U administrator
[2007/11/07 23:31:00, 3] param/loadparm.c:lp_load(5039)
  lp_load: refreshing parameters
[2007/11/07 23:31:00, 3] param/loadparm.c:init_globals(1438)
  Initialising global parameters
[2007/11/07 23:31:00, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2007/11/07 23:31:00, 3] param/loadparm.c:do_section(3778)
  Processing section "[global]"
[2007/11/07 23:31:01, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/dhcp.conf"
[2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.22 bcast=10.0.0.255 nmask=255.255.255.0
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:02, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
administrator's password:
[2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_start_connection(1509)
  Connecting to host=server2.thuis.local
[2007/11/07 23:31:05, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 10.0.0.2 at port 445
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(793)
  Doing spnego session setup (blob length=108)
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
  got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
  got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
  got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
  got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got [EMAIL PROTECTED]
[2007/11/07 23:31:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(613)
  Doing kerberos session setup
[2007/11/07 23:31:06, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine server2.thuis.local pipe \lsarpc fnum 0x8001 bind request returned ok.
[2007/11/07 23:31:06, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine server2.thuis.local pipe \samr fnum 0xa bind request returned ok.
[2007/11/07 23:31:06, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_NDR received from remote machine server2.thuis.local pipe \samr fnum 0xa!
[2007/11/07 23:31:06, 1] utils/net_ads.c:net_ads_join(1548)
  call of net_join_domain failed: NT code 0x000006f7
Failed to join domain: NT code 0x000006f7
[2007/11/07 23:31:06, 2] utils/net.c:main(1036)
  return code = -1


smb.conf (relevant part only):
[global]
#       log level = 5
        enable privileges = Yes
        username map = /etc/samba/smbusers
        allow trusted domains = No
        idmap uid = 20000-30000
        idmap gid = 20000-30000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind separator = +
        winbind use default domain = Yes
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        use kerberos keytab = Yes
        winbind nss info = template
        template homedir = /home/%U
        template shell = /bin/bash
        client use spnego = Yes
        obey pam restrictions = No
        password server = thuis.local
        null passwords = No
        server signing = Auto
        client signing = Auto
        lm announce = No
        deadtime = 15
        encrypt passwords = Yes
        workgroup = THUIS
        realm = THUIS.LOCAL
        netbios name = BACKUP
        server string = Samba on %L
        interfaces = lo eth0
        bind interfaces only = Yes
        hosts deny = 0.0.0.0/0
        hosts allow = 10.0.0.0/24 127.0.0.1
        os level = 20
        wins support = No
        # get wins server address from dhcp
        include = /etc/samba/dhcp.conf
        name resolve order = wins lmhosts hosts bcast
        preferred master = No
        load printers = No
        log file = /var/log/samba/log.%m
        max log size = 0
        security = ads
        socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        time server = No
        hide dot files = Yes
        username level = 1
        admin users = @%D%w"Domain Admins"
        guest ok = No
        public = No
        valid users = @%D%w"Domain Admins" @%D%w"Domain Power Users" @%D%w"Domain Users" @%D%w"Domain Controllers" @%D%w"Domain Computers"

