Re: [Samba] 3.x build and 'net ads join' no longer work in 3.6.0
Hi Darren,

please try:

    net ads join -U domainadmin%password

GTX
Lars

--
View this message in context: http://samba.2283325.n4.nabble.com/3-x-build-and-net-ads-join-no-longer-work-in-3-6-0-tp3903369p3927648.html
Sent from the Samba - General mailing list archive at Nabble.com.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] 3.x build and 'net ads join' no longer work in 3.6.0
Hi Lars,

I tried this with success using my 3.4.2 build but failure using my 3.6.0 build (both built on the same server and using the same configure options).

Using Wireshark I was able to see that the two builds differ in their SMB negotiation and specifically in their handling of authentication info. I don't know the protocol stack; it appears that one offers the credentials up front while the other leaves the same fields blank (domains, usernames, IDs) but offers the same details later in the packet (or exchange) in the form of options.

I'm not sure if this different behavior is due to my error or it is an intentional refinement to the software/protocol that my 2008 R2 servers can't handle.

I was hoping that someone might have some insight to my observations but there has been no response so far and I'm about to try other variants; 3.6.1 and 3.6.1 with Heimdal Kerberos.

Thanks for your thoughts,
Darren

Re: [Samba] 3.x build and 'net ads join' no longer work in 3.6.0
On Sat, Oct 22, 2011 at 08:16:48AM -0700, Darren Kinley wrote:
> I tried this with success using my 3.4.2 build but failure using my
> 3.6.0 build (both built on the same server and using the same
> configure options).

What is your platform? Sparc?

Volker

> Using Wireshark I was able to see that the two builds differ in their
> SMB negotiation and specifically in their handling of authentication
> info. I don't know the protocol stack; it appears that one offers the
> credentials up front while the other leaves the same fields blank
> (domains, usernames, IDs) but offers the same details later in the
> packet (or exchange) in the form of options.
>
> I'm not sure if this different behavior is due to my error or it is
> an intentional refinement to the software/protocol that my 2008 R2
> servers can't handle.
>
> I was hoping that someone might have some insight to my observations
> but there has been no response so far and I'm about to try other
> variants; 3.6.1 and 3.6.1 with Heimdal Kerberos.
>
> Thanks for your thoughts,
> Darren

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

[Samba] 3.x build and 'net ads join' no longer work in 3.6.0
Hi Gurus,

I've been trying to compile SaMBa 3.6.0 for its SMB2 support on/off half time for about two weeks. I've built earlier versions of 3.x and most recently 3.4.2 following the same procedure but it no longer works for 3.6.0. I'm about ready to give up and hope that someone here might be able to give me a clue. I would grab a pre-built package but neither sunfreeware nor blastwave have the latest releases.

Debugging reveals that the problem _appears_ to lie in the NTLMSSP negotiation/authentication.

'kinit domainad...@ds.xxx.ca' followed by 'net ads join -U domainadmin' results in

    'Failed to join domain: failed to lookup DC info for domain 'DS.XXX.CA' over rpc: Logon failure'

I think that these are the relevant details;

    Solaris 10 SPARC
    Kerberos 1.9.1
    SaMBa 3.6.0
    Windows Server 2008 R2 AD
    NTLM disabled, NTLM2 allowed, kerberos is preferred

configure options;

    LDFLAGS="-L/usr/local/xxx-ads/lib -lintl -lresolv" LIBS="-lintl -lresolv" \
    ./configure --prefix=/usr/local/xxx-ads/samba --with-krb5=/usr/local/xxx-ads/krb5 \
        --with-ads --with-ldap --with-acl-support --with-winbind --with-pam

smb.conf; (client ntlmv2 auth changed default settings and I've tried with both yes and no)

    [global]
        workgroup = DS
        realm = DS.XXX.CA
        server string = harry47.ds.xxx.ca
        security = ADS
        allow trusted domains = No
        username map = /usr/local/xxx-ads/samba/lib/smbusers
        log file = /var/log/xxx-samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        show add printer wizard = No
        dns proxy = No
        map acl inherit = Yes
        client ntlmv2 auth = yes

One thing I am curious about is use_kerberos is off.

net -d 10 ads join -U domainadmin output;

    ...
    libnet_Join:
        libnet_JoinCtx: struct libnet_JoinCtx
            in: struct libnet_JoinCtx
                dc_name : NULL
                machine_name : 'HARRY47'
                domain_name : *
                    domain_name : 'DS.XXX.CA'
                account_ou : NULL
                admin_account: 'domainadmin'
                machine_password : NULL
                join_flags : 0x0023 (35)
                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
                os_version : NULL
                os_name : NULL
                create_upn : 0x00 (0)
                upn : NULL
                modify_config: 0x00 (0)
                ads : NULL
                debug: 0x01 (1)
                use_kerberos : 0x00 (0)
                secure_channel_type : SEC_CHAN_WKSTA (2)
    ...
    negotiate: struct NEGOTIATE_MESSAGE
    ...
    challenge: struct CHALLENGE_MESSAGE
    ...
    authenticate: struct AUTHENTICATE_MESSAGE
        Signature: 'NTLMSSP'
        MessageType : NtLmAuthenticate (3)
        LmChallengeResponseLen : 0x0018 (24)
        LmChallengeResponseMaxLen: 0x0018 (24)
        LmChallengeResponse : *
            LmChallengeResponse : union ntlmssp_LM_RESPONSE(case 24)
            v1: struct LM_RESPONSE
                Response : fb3bc06d202cf55d212e91453073beeba275df3da9655dd8
        NtChallengeResponseLen : 0x00a4 (164)
        NtChallengeResponseMaxLen: 0x00a4 (164)
        NtChallengeResponse : *
            NtChallengeResponse : union ntlmssp_NTLM_RESPONSE(case 164)
            v2: struct NTLMv2_RESPONSE
                Response : 13a07b3f696f6507c5b03f9de96b8dab
                Challenge: struct NTLMv2_CLIENT_CHALLENGE
                    RespType : 0x01 (1)
                    HiRespType : 0x01 (1)
                    Reserved1: 0x (0)
                    Reserved2: 0x (0)
                    TimeStamp: Thu Oct 13 14:48:46 2011 PDT
                    ChallengeFromClient : 934c469337007bc4
                    Reserved3: 0x (0)
                    AvPairs: struct AV_PAIR_LIST
                        count: 0x0007 (7)
                        pair: ARRAY(7)
                            pair: struct AV_PAIR
                                AvId : MsvAvNbDomainName (0x2)
                                AvLen: 0x0004 (4)
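
The AUTHENTICATE_MESSAGE in the dump above can be checked straight from captured bytes to see which NTLM response type a client really sent. This is an added example, not part of the thread or of Samba: it assumes the field layout of the NTLMSSP type 3 message as documented in MS-NLMP, `parse_authenticate` and `build_sample` are hypothetical names, and the sample response bytes are constructed.

```python
import struct

def parse_authenticate(msg: bytes) -> dict:
    """Classify the responses in an NTLMSSP AUTHENTICATE_MESSAGE (type 3)."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not NtLmAuthenticate (3)")

    def field(off: int) -> bytes:
        # Field header: Len (u16), MaxLen (u16), BufferOffset (u32), little-endian.
        length, _maxlen, ptr = struct.unpack_from("<HHI", msg, off)
        if ptr + length > len(msg):
            raise ValueError("field points outside the message")
        return msg[ptr:ptr + length]

    lm, nt, domain, user = field(12), field(20), field(28), field(36)
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & 0x1 else "ascii"  # NTLMSSP_NEGOTIATE_UNICODE

    if len(nt) >= 44 and nt[16:18] == b"\x01\x01":
        kind = "NTLMv2"  # 16-byte proof, then blob with RespType=1, HiRespType=1
    elif len(nt) == 24 and len(lm) == 24 and lm[8:] == bytes(16):
        kind = "NTLMv1 with extended session security"
    elif len(nt) == 24:
        kind = "NTLMv1"
    else:
        kind = "unknown"
    return {"nt_type": kind, "lm_len": len(lm), "nt_len": len(nt),
            "domain": domain.decode(enc), "user": user.decode(enc)}

def build_sample(lm: bytes, nt: bytes) -> bytes:
    """Constructed test message: names from the thread, response bytes made up."""
    parts = [lm, nt, "DS".encode("utf-16-le"), "domainadmin".encode("utf-16-le"),
             "HARRY47".encode("utf-16-le"), b""]  # last entry: empty session key
    header, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    return header + struct.pack("<I", 0x1) + payload

# Constructed NTLMv2 response: 16-byte proof, 28-byte blob header, empty AV list.
V2_NT = bytes(16) + b"\x01\x01" + bytes(26) + bytes(4)

if __name__ == "__main__":
    print(parse_authenticate(build_sample(bytes(range(24)), V2_NT)))
```

A 24-byte LM field next to an NTLMv2 NT response, as in the dump, is consistent with an LMv2 response, which has the same length as an LM v1 response.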