Re: [Samba] 3.6.5 and not_defined_in_RFC4178@please_ignore error
According to Jim McDonough j...@samba.org:

> On Mon, May 21, 2012 at 12:17 PM, alex.rans...@free.fr wrote:
> > We're having trouble joining an AD domain with 3.6.5
> >
> > This message when running net join looks fishy :
> > got principal=not_defined_in_RFC4178@please_ignore
>
> I'm sure it looks fishy, but it's not. This is normal for newer
> versions of windows (windows is sending it back).
>
> > OS : Solaris 10 x64
> > Kerberos : MIT krb5 1.10.1
> > DC servers are running Windows 2008
> >
> > The error message is :
> >
> > ./net join -U aranskis
> > Enter aranskis's password:
> > Failed to join domain: failed to lookup DC info for domain 'CORP.NET' over rpc: Logon failure
> > ADS join did not work, falling back to RPC...
> > Unable to find a suitable server for domain CORP
> > Unable to find a suitable server for domain CORP
> >
> > with -d9, here's the hopefully relevant output :
> >
> > ads_dns_lookup_srv: 18 records returned in the answer section.
> > namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of DCs IP follows]
> > [..]
> > Successfully contacted LDAP server 10.219.244.253
> > [..]
> > got principal=not_defined_in_RFC4178@please_ignore
> > [..]
>
> What's cut out here might be more helpful. However, please see below
> and try that first.
>
> > SPNEGO login failed: Logon failure
> > failed session setup with NT_STATUS_LOGON_FAILURE
> > libnet_Join:
> >     libnet_JoinCtx: struct libnet_JoinCtx
> >         out: struct libnet_JoinCtx
> >             account_name : NULL
> >             netbios_domain_name : NULL
> >             dns_domain_name : NULL
> >             forest_name : NULL
> >             dn : NULL
> >             domain_sid : NULL
> >             domain_sid : (NULL SID)
> >             modified_config : 0x00 (0)
> >             error_string : 'failed to lookup DC info for domain 'CIB.NET' over rpc: Logon failure'
> >             domain_is_ad : 0x00 (0)
> >             result : WERR_LOGON_FAILURE
> >
> > relevant configuration options :
> >
> > [global]
> > realm=CORP.NET
> > workgroup=CORP.NET
>
> Please try changing this to just CORP (or whatever the short netbios
> name is for the domain...not the dns name).
>
> > security=ADS
> > encrypt passwords = yes
> > bind interfaces only = true
> > interfaces = msusersncs
> >
> > Any hints on the best way to try and figure out what is wrong when
> > trying to register in the AD ?
> > (the same config worked with samba 3.4.x, but the DCs were running
> > Windows 2003)

Still stuck, if anyone can help me find what looks wrong in the log below when trying to join the domain, I'd be most grateful !

(In addition to Jim's suggestion I have also tried reverting to the previous security default : client ntlmv2 auth, client use spnego, send spnego principal - which didn't help either)

check_negative_conn_cache returning result 0 for domain CORP.NET server 10.220.244.253
ads_try_connect: sending CLDAP request to 10.220.244.253 (realm: CORP.NET)
Successfully contacted LDAP server 10.220.244.253
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name : NULL
            machine_name : 'MSUSERSNCS'
            domain_name : *
                domain_name : 'CORP.NET'
            account_ou : NULL
            admin_account: 'aranskis'
            machine_password : NULL
            join_flags : 0x0023 (35)
                0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
...skipping...
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
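An added example, not part of any post in this thread and not Samba code: a small Python triage of the SPNEGO/NTLMSSP lines in the -d9 excerpt above. It names the offered mechanism OIDs, recognises the placeholder hint principal that Jim describes as normal, and lists which NTLMSSP flags were in the server challenge but absent from the final set. The helper names `decode` and `triage` are hypothetical, and the sample text is assembled from the log lines quoted in the message.

```python
import re

# NTLMSSP negotiate bits (values per MS-NLMP); names follow the Samba log, "NTLMSSP_" prefix dropped.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN", 0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00080000: "NEGOTIATE_NTLM2",
    0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
# SPNEGO mechanism OIDs seen in the "got OID=" lines.
MECHS = {
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.113554.1.2.2.3": "KRB5-U2U",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
PLACEHOLDER = "not_defined_in_RFC4178@please_ignore"

def decode(mask):
    """Return flag names set in mask, lowest bit first; unnamed bits are reported in hex."""
    names = [n for bit, n in sorted(FLAGS.items()) if mask & bit]
    unknown = mask & ~sum(FLAGS)
    return names + ([f"unknown:0x{unknown:08x}"] if unknown else [])

def triage(log):
    """Summarise the SPNEGO/NTLMSSP part of a `net join -d9` log."""
    masks = [int(m, 16) for m in re.findall(r"neg_flags=0x([0-9a-fA-F]+)", log)]
    hint = re.search(r"got principal=(\S+)", log)
    return {
        "mechs": [MECHS.get(o, o) for o in re.findall(r"got OID=([\d.]+)", log)],
        "hint_is_placeholder": bool(hint) and hint.group(1) == PLACEHOLDER,
        "dropped": decode(masks[0] & ~masks[-1]) if len(masks) > 1 else [],
        "ntlmssp_exchange_seen": bool(masks),
        "logon_failure": "NT_STATUS_LOGON_FAILURE" in log,
    }

# Sample assembled from the log lines quoted in the message above.
SAMPLE = (
    "got OID=1.3.6.1.4.1.311.2.2.30 got OID=1.2.840.48018.1.2.2 "
    "got OID=1.2.840.113554.1.2.2 got OID=1.2.840.113554.1.2.2.3 "
    "got OID=1.3.6.1.4.1.311.2.2.10 got principal=not_defined_in_RFC4178@please_ignore "
    "Got challenge flags: Got NTLMSSP neg_flags=0x62898215 "
    "NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x60088215 "
    "failed session setup with NT_STATUS_LOGON_FAILURE"
)
```

On this sample the summary shows the failing session setup went through an NTLMSSP exchange, and that bit 0x00010000 was set in the challenge mask even though the log's flag list does not name it.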
Re: [Samba] 3.6.5 and not_defined_in_RFC4178@please_ignore error
On Mon, May 21, 2012 at 12:17 PM, alex.rans...@free.fr wrote:
> We're having trouble joining an AD domain with 3.6.5
>
> This message when running net join looks fishy :
> got principal=not_defined_in_RFC4178@please_ignore

I'm sure it looks fishy, but it's not. This is normal for newer versions of windows (windows is sending it back).

> OS : Solaris 10 x64
> Kerberos : MIT krb5 1.10.1
> DC servers are running Windows 2008
>
> The error message is :
>
> ./net join -U aranskis
> Enter aranskis's password:
> Failed to join domain: failed to lookup DC info for domain 'CORP.NET' over rpc: Logon failure
> ADS join did not work, falling back to RPC...
> Unable to find a suitable server for domain CORP
> Unable to find a suitable server for domain CORP
>
> with -d9, here's the hopefully relevant output :
>
> ads_dns_lookup_srv: 18 records returned in the answer section.
> namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of DCs IP follows]
> [..]
> Successfully contacted LDAP server 10.219.244.253
> [..]
> got principal=not_defined_in_RFC4178@please_ignore
> [..]

What's cut out here might be more helpful. However, please see below and try that first.

> SPNEGO login failed: Logon failure
> failed session setup with NT_STATUS_LOGON_FAILURE
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name : NULL
>             netbios_domain_name : NULL
>             dns_domain_name : NULL
>             forest_name : NULL
>             dn : NULL
>             domain_sid : NULL
>             domain_sid : (NULL SID)
>             modified_config : 0x00 (0)
>             error_string : 'failed to lookup DC info for domain 'CIB.NET' over rpc: Logon failure'
>             domain_is_ad : 0x00 (0)
>             result : WERR_LOGON_FAILURE
>
> relevant configuration options :
>
> [global]
> realm=CORP.NET
> workgroup=CORP.NET

Please try changing this to just CORP (or whatever the short netbios name is for the domain...not the dns name).

> security=ADS
> encrypt passwords = yes
> bind interfaces only = true
> interfaces = msusersncs
>
> Any hints on the best way to try and figure out what is wrong when
> trying to register in the AD ?
> (the same config worked with samba 3.4.x, but the DCs were running
> Windows 2003)

--
Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] 3.6.5 and not_defined_in_RFC4178@please_ignore error
Hello,

On Wed, May 23, 2012 at 1:59 PM, Jim McDonough j...@samba.org wrote:
> On Mon, May 21, 2012 at 12:17 PM, alex.rans...@free.fr wrote:
> > We're having trouble joining an AD domain with 3.6.5
> >
> > This message when running net join looks fishy :
> > got principal=not_defined_in_RFC4178@please_ignore
>
> I'm sure it looks fishy, but it's not. This is normal for newer
> versions of windows (windows is sending it back).

Thanks for the explanation, sorry about the misdiagnosis then :-)

> > OS : Solaris 10 x64
> > Kerberos : MIT krb5 1.10.1
> > DC servers are running Windows 2008
> >
> > The error message is :
> >
> > ./net join -U aranskis
> > Enter aranskis's password:
> > [...]
> > [..]
>
> What's cut out here might be more helpful. However, please see below
> and try that first.
>
> > relevant configuration options :
> >
> > [global]
> > realm=CORP.NET
> > workgroup=CORP.NET
>
> Please try changing this to just CORP (or whatever the short netbios
> name is for the domain...not the dns name).

OK, did that (workgroup = CORP instead of workgroup = CORP.NET), the join still fails, here's more of the log below. I hope it is enough, if not the whole output is available here : http://pastebin.com/r3LTaXCx

Now, what seems suspicious (to me, at least !) is the line :
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP (Connection timed out)
Shouldn't it try to resolve _ldap._tcp.pdc._msdcs.CORP.NET instead ?

INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
params.c:pm_process() - Processing configuration file /local/users_ncs/product/samba-3.6.5/lib/smb.conf
Processing section [global]
doing parameter realm = CORP.NET
doing parameter workgroup = CORP
doing parameter security = ADS
doing parameter encrypt passwords = yes
doing parameter bind interfaces only = true
doing parameter interfaces = msusersncs
doing parameter lock dir = /local/users_ncs/product/samba/lock
doing parameter netbios name = msusersncs
handle_netbios_name: set global_myname to: MSUSERSNCS
doing parameter pid directory = /local/users_ncs/product/samba/pid
doing parameter log file = /local/users_ncs/product/samba/log/samba.log
doing parameter username map = /local/users_ncs/product/samba/lib/users.map
...skipping...
            domain_is_ad : 0x00 (0)
            result : WERR_LOGON_FAILURE
ADS join did not work, falling back to RPC...
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP (Connection timed out)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP0x1b
resolve_lmhosts: Attempting lmhosts lookup for name CORP0x1b
startlmhosts: Can't open lmhosts file /local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name CORP0x1b
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type 0x1b
name_resolve_bcast: Attempting broadcast lookup for name CORP0x1b
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 4
  SO_BROADCAST = 32
  Could not test socket option TCP_NODELAY.
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_SNDBUF = 57344
  SO_RCVBUF = 57344
  Could not test socket option SO_SNDLOWAT.
  Could not test socket option SO_RCVLOWAT.
  Could not test socket option SO_SNDTIMEO.
  Could not test socket option SO_RCVTIMEO.
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP0x1b
resolve_lmhosts: Attempting lmhosts lookup for name CORP0x1b
startlmhosts: Can't open lmhosts file /local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name CORP0x1b
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type 0x1b
name_resolve_bcast: Attempting broadcast lookup for name CORP0x1b
Socket options:
Re: [Samba] 3.6.5 and not_defined_in_RFC4178@please_ignore error
> Now, what seems suspicious (to me, at least !) is the line :
> ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP (Connection timed out)
> Shouldn't it try to resolve _ldap._tcp.pdc._msdcs.CORP.NET instead ?

Now I've tried running it through dbx

(dbx) where
=[1] ads_dns_lookup_srv(0x87dd2e8, 0x87de1c8, 0x8047008, 0x804700c), at 0x822ff84
 [2] ads_dns_query_internal(0x87dd2e8, 0x86c1630, 0x86c162c, 0x87ddef0, 0x87d8668, 0x8047008, 0x804700c, 0x8230d3f), at 0x8230d1f
 [3] ads_dns_query_dcs(0x87dd2e8, 0x87ddef0, 0x87d8668, 0x8047008, 0x804700c, 0xfe8c297c, 0xfe940680, 0x8574b79), at 0x8230d6b
 [4] discover_dc_dns(0x87dd2e8, 0x87ddef0, 0x0, 0x40001011, 0x87d8668, 0x8047058, 0x804705c, 0x857562f), at 0x8574c18
 [5] dsgetdcname_rediscover(0x87dd2e8, 0x87dc2f8, 0x87ddef0, 0x0, 0x40001011, 0x87d8668, 0x804709c, 0x857581d), at 0x85756b2
 [6] dsgetdcname(0x87dd2e8, 0x87dc2f8, 0x87ddef0, 0x0, 0x0, 0x40001011, 0x80470ec, 0x858aa71), at 0x8575960
 [7] libnet_DomainJoin(0x87dd2e8, 0x87dd580, 0x28, 0x858ae05), at 0x858aaa2
 [8] libnet_Join(0x87dd2e8, 0x87dd580, 0x80471f8, 0x80dfe08), at 0x858aec9
 [9] net_ads_join(0x87d8ad0, 0x0, 0x87d9d6c, 0x8115a91), at 0x80e00bd
 [10] net_run_function(0x87d8ad0, 0x1, 0x87d9d68, 0x85edf5c, 0x8047270, 0x8047270, 0x87b9ee0, 0x190), at 0x8115af9
 [11] net_ads(0x87d8ad0, 0x1, 0x87d9d68, 0x8115a91), at 0x80e30b1
 [12] net_run_function(0x87d8ad0, 0x2, 0x87d9d64, 0x85ec140, 0x87b9b58, 0x87dc280, 0x80479b8, 0x80dbed5), at 0x8115af9
 [13] main(0x5, 0x80479e4, 0x80479fc, 0x80daa4f), at 0x80dbf84

The log is the same, but the argument seems correct (it has .NET at the end)

0x087de1c8: _ldap._tcp.Site-Paris._sites.dc._msdcs.CORP.NET

I'll cool down and think about it again tomorrow.. I've probably missed something stupid
[Samba] 3.6.5 and not_defined_in_RFC4178@please_ignore error
Hello,

We're having trouble joining an AD domain with 3.6.5

This message when running net join looks fishy :
got principal=not_defined_in_RFC4178@please_ignore

OS : Solaris 10 x64
Kerberos : MIT krb5 1.10.1
DC servers are running Windows 2008

The error message is :

./net join -U aranskis
Enter aranskis's password:
Failed to join domain: failed to lookup DC info for domain 'CORP.NET' over rpc: Logon failure
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain CORP
Unable to find a suitable server for domain CORP

with -d9, here's the hopefully relevant output :

ads_dns_lookup_srv: 18 records returned in the answer section.
namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of DCs IP follows]
[..]
Successfully contacted LDAP server 10.219.244.253
[..]
got principal=not_defined_in_RFC4178@please_ignore
[..]
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : NULL
            dns_domain_name : NULL
            forest_name : NULL
            dn : NULL
            domain_sid : NULL
            domain_sid : (NULL SID)
            modified_config : 0x00 (0)
            error_string : 'failed to lookup DC info for domain 'CIB.NET' over rpc: Logon failure'
            domain_is_ad : 0x00 (0)
            result : WERR_LOGON_FAILURE

relevant configuration options :

[global]
realm=CORP.NET
workgroup=CORP.NET
security=ADS
encrypt passwords = yes
bind interfaces only = true
interfaces = msusersncs

Any hints on the best way to try and figure out what is wrong when trying to register in the AD ?
(the same config worked with samba 3.4.x, but the DCs were running Windows 2003)

Cheers,
Alex