Re: [Samba] 3.x build and 'net ads join' no longer work in 3.6.0

2011-10-24 Thread mathwig
Hi Darren,

please try: net ads join -U domainadmin%password

GTX
Lars

--
View this message in context: 
http://samba.2283325.n4.nabble.com/3-x-build-and-net-ads-join-no-longer-work-in-3-6-0-tp3903369p3927648.html
Sent from the Samba - General mailing list archive at Nabble.com.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] 3.x build and 'net ads join' no longer work in 3.6.0

2011-10-22 Thread Darren Kinley
Hi Lars,

I tried this with success using my 3.4.2 build but failure using my 3.6.0
build (both built on the same server and using the same configure options).

Using Wireshark I was able to see that the two builds differ in their SMB
negotiation and specifically in their handling of authentication info. I
don't know the protocol stack; it appears that one offers the credentials up
front while the other leaves the same fields blank (domains, usernames, IDs)
but offers the same details later in the packet (or exchange) in the form of
options.

I'm not sure if this different behavior is due to my error or it is an
intentional refinement to the software/protocol that my 2008 R2 servers
can't handle.

I was hoping that someone might have some insight to my observations but
there has been no response so far and I'm about to try other variants; 3.6.1
and 3.6.1 with Heimdal Kerberos.

Thanks for your thoughts,
Darren

--
View this message in context: 
http://samba.2283325.n4.nabble.com/3-x-build-and-net-ads-join-no-longer-work-in-3-6-0-tp3903369p3928347.html
Sent from the Samba - General mailing list archive at Nabble.com.


Re: [Samba] 3.x build and 'net ads join' no longer work in 3.6.0

2011-10-22 Thread Volker Lendecke
On Sat, Oct 22, 2011 at 08:16:48AM -0700, Darren Kinley wrote:
> I tried this with success using my 3.4.2 build but failure using my 3.6.0
> build (both built on the same server and using the same configure options).

What is your platform? Sparc?

Volker

> Using Wireshark I was able to see that the two builds differ in their SMB
> negotiation and specifically in their handling of authentication info. I
> don't know the protocol stack; it appears that one offers the credentials up
> front while the other leaves the same fields blank (domains, usernames, IDs)
> but offers the same details later in the packet (or exchange) in the form of
> options.
>
> I'm not sure if this different behavior is due to my error or it is an
> intentional refinement to the software/protocol that my 2008 R2 servers
> can't handle.
>
> I was hoping that someone might have some insight to my observations but
> there has been no response so far and I'm about to try other variants; 3.6.1
> and 3.6.1 with Heimdal Kerberos.
>
> Thanks for your thoughts,
> Darren

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


[Samba] 3.x build and 'net ads join' no longer work in 3.6.0

2011-10-13 Thread Darren Kinley
Hi Gurus,

I've been trying to compile SaMBa 3.6.0 for its SMB2 support on/off half
time for about two weeks. I've built earlier versions of 3.x and most
recently 3.4.2 following the same procedure but it no longer works for 3.6.0.
I'm about ready to give up and hope that someone here might be able to give
me a clue. I would grab a pre-built package but neither sunfreeware nor
blastwave have the latest releases.

Debugging reveals that the problem _appears_ to lie in the NTLMSSP
negotiation/authentication.
'kinit domainad...@ds.xxx.ca' followed by 'net ads join -U domainadmin'
results in
'Failed to join domain: failed to lookup DC info for domain 'DS.XXX.CA' over rpc: Logon failure'

I think that these are the relevant details;

Solaris 10 SPARC
Kerberos 1.9.1
SaMBa 3.6.0

Windows Server 2008 R2 AD 
NTLM disabled, NTLM2 allowed, kerberos is preferred

configure options;

LDFLAGS="-L/usr/local/xxx-ads/lib -lintl -lresolv" LIBS="-lintl -lresolv" \
./configure --prefix=/usr/local/xxx-ads/samba \
 --with-krb5=/usr/local/xxx-ads/krb5 \
 --with-ads --with-ldap --with-acl-support --with-winbind --with-pam


smb.conf;
(client ntlmv2 auth changed default settings and I've tried with both yes and no)

[global]
workgroup = DS
realm = DS.XXX.CA
server string = harry47.ds.xxx.ca
security = ADS
allow trusted domains = No
username map = /usr/local/xxx-ads/samba/lib/smbusers
log file = /var/log/xxx-samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
show add printer wizard = No
dns proxy = No
map acl inherit = Yes
client ntlmv2 auth = yes


One thing I am curious about is use_kerberos is off.

net -d 10 ads join -U domainadmin output;

...
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name  : NULL
machine_name : 'HARRY47'
domain_name  : *
domain_name  : 'DS.XXX.CA'
account_ou   : NULL
admin_account: 'domainadmin'
machine_password : NULL
join_flags   : 0x0023 (35)
   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version   : NULL
os_name  : NULL
create_upn   : 0x00 (0)
upn  : NULL
modify_config: 0x00 (0)
ads  : NULL
debug: 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type  : SEC_CHAN_WKSTA (2)
...
 negotiate: struct NEGOTIATE_MESSAGE
...
 challenge: struct CHALLENGE_MESSAGE
...
 authenticate: struct AUTHENTICATE_MESSAGE
Signature: 'NTLMSSP'
MessageType  : NtLmAuthenticate (3)
LmChallengeResponseLen   : 0x0018 (24)
LmChallengeResponseMaxLen: 0x0018 (24)
LmChallengeResponse  : *
LmChallengeResponse  : union ntlmssp_LM_RESPONSE(case 24)
v1: struct LM_RESPONSE
Response :
fb3bc06d202cf55d212e91453073beeba275df3da9655dd8
NtChallengeResponseLen   : 0x00a4 (164)
NtChallengeResponseMaxLen: 0x00a4 (164)
NtChallengeResponse  : *
NtChallengeResponse  : union ntlmssp_NTLM_RESPONSE(case 164)
v2: struct NTLMv2_RESPONSE
Response : 13a07b3f696f6507c5b03f9de96b8dab
Challenge: struct NTLMv2_CLIENT_CHALLENGE
RespType : 0x01 (1)
HiRespType   : 0x01 (1)
Reserved1: 0x (0)
Reserved2: 0x (0)
TimeStamp: Thu Oct 13 14:48:46 2011 PDT
ChallengeFromClient  : 934c469337007bc4
Reserved3: 0x (0)
AvPairs: struct AV_PAIR_LIST
count: 0x0007 (7)
pair: ARRAY(7)
pair: struct AV_PAIR
AvId : MsvAvNbDomainName
(0x2)
AvLen: 0x0004 (4)