Hello all,

As the subject says, as far as I can tell everything works on my ADS-integrated Samba server. Domain accounts can be used for ssh and for accessing shares; I just can't leave the domain. Here is a successful join command followed by an unsuccessful leave command at debug level 4. Any ideas?

TIA,
Mark

u...@dordal:~$ sudo net ads join -U administra...@mydomain.com -d 4
[2009/03/19 14:00:07, 3] param/loadparm.c:lp_load(5063)
 lp_load: refreshing parameters
[2009/03/19 14:00:07, 3] param/loadparm.c:init_globals(1448)
 Initialising global parameters
[2009/03/19 14:00:07, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
 Processing section "[global]"
 doing parameter workgroup = MYDOMAIN
 doing parameter realm = MYDOMAIN.COM
 doing parameter security = ADS
doing parameter password server = dal-dc1.mydomain.com, den-dc1.mydomain.com
 doing parameter client schannel = Yes
 doing parameter server schannel = Yes
 doing parameter username map = /etc/samba/smbusers
 doing parameter obey pam restrictions = Yes
 doing parameter enable privileges = Yes
 doing parameter restrict anonymous = 2
 doing parameter allow trusted domains = No
 doing parameter lanman auth = No
 doing parameter ntlm auth = No
 doing parameter client NTLMv2 auth = Yes
 doing parameter log level = 1
 doing parameter syslog = 0
 doing parameter min protocol = NT1
 doing parameter client signing = Yes
 doing parameter server signing = Yes
 doing parameter load printers = No
 doing parameter preferred master = No
 doing parameter local master = No
 doing parameter domain master = No
 doing parameter dns proxy = No
 doing parameter ldap ssl = no
 doing parameter host msdfs = No
 doing parameter idmap domains = MYDOMAIN
 doing parameter idmap alloc backend = ldap
 doing parameter template shell = /bin/false
 doing parameter winbind enum users = Yes
 doing parameter winbind enum groups = Yes
 doing parameter winbind use default domain = Yes
 doing parameter winbind refresh tickets = Yes
 doing parameter idmap alloc config:range = 100000 - 500000
 doing parameter idmap alloc config:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
 doing parameter idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
 doing parameter idmap alloc config:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
 doing parameter idmap config MYDOMAIN:range = 100000 - 500000
 doing parameter idmap config MYDOMAIN:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
 doing parameter idmap config MYDOMAIN:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
 doing parameter idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
 doing parameter idmap config MYDOMAIN:backend = ldap
 doing parameter idmap config MYDOMAIN:default = yes
doing parameter hosts allow = 10.0.0.0/255.255.254.0 10.1.0.0/255.255.254.0
 doing parameter map acl inherit = No
 doing parameter hide special files = Yes
 doing parameter map archive = No
 doing parameter map readonly = No
 doing parameter map system = No
 doing parameter map hidden = No
 doing parameter ea support = No
 doing parameter store dos attributes = No
 doing parameter wide links = No
 doing parameter follow symlinks = No
 doing parameter dos filemode = No
 doing parameter add share command = /etc/samba/command.pl
 doing parameter delete share command = /etc/samba/command.pl
 doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:00:07, 4] param/loadparm.c:lp_load(5094)
 pm_process() returned Yes
[2009/03/19 14:00:07, 2] lib/interface.c:add_interface(81)
 added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(73)
 ads_dc_name: domain=MYDOMAIN
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
 Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(139)
 ads_dc_name: using server='DAL-DC1.MYDOMAIN.COM' IP=10.0.1.30
administra...@mydomain.com's password:
[2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
 Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
 time offset is 0 seconds
[2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
 Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
 ads_sasl_spnego_bind: got server principal name = dal-d...@mydomain.com
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
 ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
 Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
 time offset is 0 seconds
[2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
 Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
 ads_sasl_spnego_bind: got server principal name = dal-d...@mydomain.com
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
 Connecting to host=DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
 Connecting to 10.0.1.30 at port 445
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(795)
 Doing spnego session setup (blob length=113)
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
 got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
 got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
 got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
 got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(828)
 got principal=dal-d...@mydomain.com
[2009/03/19 14:00:14, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(615)
 Doing kerberos session setup
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \lsarpc fnum 0x10 bind request returned ok.
[2009/03/19 14:00:14, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
 lsa_io_sec_qos: length c does not match size 8
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \samr fnum 0x1e bind request returned ok.
Using short domain name -- MYDOMAIN
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
 Connecting to host=DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
 Connecting to 10.0.1.30 at port 445
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON fnum 0x400a bind request returned ok.
[2009/03/19 14:00:14, 4] rpc_client/cli_netlogon.c:rpccli_net_req_chal(46)
cli_net_req_chal: LSA Request Challenge from DORDAL to \\DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 4] rpc_client/cli_netlogon.c:rpccli_net_auth2(170)
cli_net_auth2: srv:\\DAL-DC1.mydomain.com acct:DORDAL$ sc:2 mc: DORDAL neg: 600fffff
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON fnum 0x400b bind request returned ok.
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_domain_func_level(2471)
 ads_domain_func_level: 2
[2009/03/19 14:00:14, 3] libads/kerberos.c:kerberos_secrets_store_des_salt(337)
 kerberos_secrets_store_des_salt: Storing salt "host/dordal.mydomain....@mydomain.com"
[2009/03/19 14:00:14, 4] libads/dns.c:ads_dns_lookup_ns(508)
 ads_dns_lookup_ns: 2 records returned in the answer section.
Joined 'DORDAL' to realm 'MYDOMAIN.COM'
[2009/03/19 14:00:14, 2] utils/net.c:main(1046)
 return code = 0




u...@dordal:~$ sudo net ads leave -U administra...@mydomain.com -d 4
[2009/03/19 14:02:44, 3] param/loadparm.c:lp_load(5063)
 lp_load: refreshing parameters
[2009/03/19 14:02:44, 3] param/loadparm.c:init_globals(1448)
 Initialising global parameters
[2009/03/19 14:02:44, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/03/19 14:02:44, 3] param/loadparm.c:do_section(3802)
 Processing section "[global]"
 doing parameter workgroup = MYDOMAIN
 doing parameter realm = MYDOMAIN.COM
 doing parameter security = ADS
doing parameter password server = dal-dc1.MYDOMAIN.com, den-dc1.MYDOMAIN.com
 doing parameter client schannel = Yes
 doing parameter server schannel = Yes
 doing parameter username map = /etc/samba/smbusers
 doing parameter obey pam restrictions = Yes
 doing parameter enable privileges = Yes
 doing parameter restrict anonymous = 2
 doing parameter allow trusted domains = No
 doing parameter lanman auth = No
 doing parameter ntlm auth = No
 doing parameter client NTLMv2 auth = Yes
 doing parameter log level = 1
 doing parameter syslog = 0
 doing parameter min protocol = NT1
 doing parameter client signing = Yes
 doing parameter server signing = Yes
 doing parameter load printers = No
 doing parameter preferred master = No
 doing parameter local master = No
 doing parameter domain master = No
 doing parameter dns proxy = No
 doing parameter ldap ssl = no
 doing parameter host msdfs = No
 doing parameter idmap domains = MYDOMAIN
 doing parameter idmap alloc backend = ldap
 doing parameter template shell = /bin/false
 doing parameter winbind enum users = Yes
 doing parameter winbind enum groups = Yes
 doing parameter winbind use default domain = Yes
 doing parameter winbind refresh tickets = Yes
 doing parameter idmap alloc config:range = 100000 - 500000
 doing parameter idmap alloc config:ldap_url = ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
 doing parameter idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
 doing parameter idmap alloc config:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
 doing parameter idmap config MYDOMAIN:range = 100000 - 500000
 doing parameter idmap config MYDOMAIN:ldap_url = ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
 doing parameter idmap config MYDOMAIN:ldap_user_dn = cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
 doing parameter idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
 doing parameter idmap config MYDOMAIN:backend = ldap
 doing parameter idmap config MYDOMAIN:default = yes
doing parameter hosts allow = 10.0.0.0/255.255.254.0 10.1.0.0/255.255.254.0
 doing parameter map acl inherit = No
 doing parameter hide special files = Yes
 doing parameter map archive = No
 doing parameter map readonly = No
 doing parameter map system = No
 doing parameter map hidden = No
 doing parameter ea support = No
 doing parameter store dos attributes = No
 doing parameter wide links = No
 doing parameter follow symlinks = No
 doing parameter dos filemode = No
 doing parameter add share command = /etc/samba/command.pl
 doing parameter delete share command = /etc/samba/command.pl
 doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:02:44, 4] param/loadparm.c:lp_load(5094)
 pm_process() returned Yes
[2009/03/19 14:02:44, 2] lib/interface.c:add_interface(81)
 added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
administra...@mydomain.com's password:
[2009/03/19 14:02:47, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com, den-dc1.MYDOMAIN.com"
[2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:02:47, 3] libads/ldap.c:ads_connect(394)
 Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:47, 4] libads/ldap.c:ads_current_time(2414)
 time offset is 0 seconds
[2009/03/19 14:02:47, 4] libads/sasl.c:ads_sasl_bind(587)
 Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
 ads_sasl_spnego_bind: got server principal name = dal-d...@mydomain.com
[2009/03/19 14:02:47, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
 ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-d...@mydomain.com (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
 kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com, den-dc1.MYDOMAIN.com"
[2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:02:48, 3] libads/ldap.c:ads_connect(394)
 Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:48, 4] libads/ldap.c:ads_current_time(2414)
 time offset is 0 seconds
[2009/03/19 14:02:48, 4] libads/sasl.c:ads_sasl_bind(587)
 Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
 ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
 ads_sasl_spnego_bind: got server principal name = dal-d...@mydomain.com
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-d...@mydomain.com (Ticket not yet valid)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-d...@mydomain.com (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
 kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 2] utils/net.c:main(1046)
 return code = -1
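
Added example, not part of the original post and not Samba project code: a small parser for the debug output format shown above that pairs each `[date, level] file:function(line)` header with its message, lists the level 0 and 1 entries where the leave run reports its Kerberos failure, and pulls out the time offset that `ads_current_time` logged. The function names `parse_debug`, `failures` and `time_offsets` are hypothetical; the sample lines are copied from the failing run in the post.

```python
import re
from collections import Counter

# Samba debug header: [date time, level] source.c:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
    r"[^\s:]+:(?P<func>\w+)\(\d+\)\s*(?P<rest>.*)$")

# Lines copied from the failing "net ads leave" run in the post.
SAMPLE = """\
[2009/03/19 14:02:47, 4] libads/ldap.c:ads_current_time(2414)
 time offset is 0 seconds
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-d...@mydomain.com (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
 kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-d...@mydomain.com (Ticket not yet valid)
[2009/03/19 14:02:48, 2] utils/net.c:main(1046)
 return code = -1
"""

def parse_debug(text):
    """Pair each debug header with the message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "func": m["func"], "msg": []}
            if m["rest"]:          # header and message fused on one line
                current["msg"].append(m["rest"].strip())
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"].append(raw.strip())  # continuation of the message
    return entries

def failures(entries, max_level=1):
    """Deduplicated (level, function, message, count) for level <= max_level."""
    counts = Counter((e["level"], e["func"], " ".join(e["msg"]))
                     for e in entries if e["level"] <= max_level)
    return [key + (n,) for key, n in counts.items()]

def time_offsets(entries):
    """Clock offsets (seconds) logged by ads_current_time."""
    found = (re.search(r"time offset is (-?\d+) seconds", " ".join(e["msg"]))
             for e in entries if e["func"] == "ads_current_time")
    return [int(m.group(1)) for m in found if m]

if __name__ == "__main__":
    parsed = parse_debug(SAMPLE)
    for level, func, msg, n in failures(parsed):
        print(f"level {level} x{n} {func}: {msg}")
    print("reported time offsets:", time_offsets(parsed))
```

Non-debug lines such as the password prompt are attached to the preceding entry's message, so trim those from a capture before comparing runs.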