Re: [Samba] net ads testjoin
Hi all, thanks for your replies! Is it correct to assume that net ads testjoin will only ask for a password if the secrets.tdb is missing or if it is corrupt. I understand that the secrets.tdb stores the account password and thus if that file exists and can be read the account password should be available to net and thus no need to ask for a password? Regards, Khaled 2010/7/6 Rob Moser rob.mo...@nau.edu: If you want to know what the net command is doing in more detail, try running it with the -d debuglevel option. debuglevel should be some number between 0 and 10, with 10 being the highest. I'd work your way up - 10 will flood you with so much information its hard to see whats going on. More details about the debug option and other net command-line options can be found in the man page for net. - rob. On 07/06/2010 01:49 AM, Khaled Blah wrote: Is there anyone who can help with this question? Regards, Khaled 2010/4/30 Khaled Blah khaled.b...@googlemail.com: Can anyone give me any hints please? I've read the man pages for smb.conf and for net and then I read the manual about the net command. Still, I don't know what testjoin actually does or tries to do. Regards, Khaled 2010/4/26 Khaled Blah khaled.b...@googlemail.com: I hope bumping is not frowned upon in this list :) cheers, Khaled 2010/4/24 Khaled Blah khaled.b...@googlemail.com: Hello all, I am new to this list and hopefully I am at the right place. Firstly, thanks to everyone involved in this project. You do a great job! Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here? I am grateful to any insight you guys could give me! Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin
I just noticed that I have replied to the wrong thread. Although my question is about net what I wanted to know I asked in a different thread. I'll quote my question to make clear what I was interested in: quote is it possible to execute net ads testjoin without net asking for a password (in any circumstance)? The reason for my question is that I want to use it in a script and thus won't be able to supply a password to net (net does not ask for a password on stdin). /quote Regards, Khaled 2010/7/7 Khaled Blah khaled.b...@googlemail.com: Hi all, thanks for your replies! Is it correct to assume that net ads testjoin will only ask for a password if the secrets.tdb is missing or if it is corrupt. I understand that the secrets.tdb stores the account password and thus if that file exists and can be read the account password should be available to net and thus no need to ask for a password? Regards, Khaled 2010/7/6 Rob Moser rob.mo...@nau.edu: If you want to know what the net command is doing in more detail, try running it with the -d debuglevel option. debuglevel should be some number between 0 and 10, with 10 being the highest. I'd work your way up - 10 will flood you with so much information its hard to see whats going on. More details about the debug option and other net command-line options can be found in the man page for net. - rob. On 07/06/2010 01:49 AM, Khaled Blah wrote: Is there anyone who can help with this question? Regards, Khaled 2010/4/30 Khaled Blah khaled.b...@googlemail.com: Can anyone give me any hints please? I've read the man pages for smb.conf and for net and then I read the manual about the net command. Still, I don't know what testjoin actually does or tries to do. Regards, Khaled 2010/4/26 Khaled Blah khaled.b...@googlemail.com: I hope bumping is not frowned upon in this list :) cheers, Khaled 2010/4/24 Khaled Blah khaled.b...@googlemail.com: Hello all, I am new to this list and hopefully I am at the right place. Firstly, thanks to everyone involved in this project. You do a great job! Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here? I am grateful to any insight you guys could give me! Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin
Is there anyone who can help with this question? Regards, Khaled 2010/4/30 Khaled Blah khaled.b...@googlemail.com: Can anyone give me any hints please? I've read the man pages for smb.conf and for net and then I read the manual about the net command. Still, I don't know what testjoin actually does or tries to do. Regards, Khaled 2010/4/26 Khaled Blah khaled.b...@googlemail.com: I hope bumping is not frowned upon in this list :) cheers, Khaled 2010/4/24 Khaled Blah khaled.b...@googlemail.com: Hello all, I am new to this list and hopefully I am at the right place. Firstly, thanks to everyone involved in this project. You do a great job! Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here? I am grateful to any insight you guys could give me! Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin
SNIP Is there anyone who can help with this question? prism# net ads testjoin Join is OK That's about it. Pretty simple. Regards, Khaled 2010/4/30 Khaled Blah khaled.b...@googlemail.com: Can anyone give me any hints please? I've read the man pages for smb.conf and for net and then I read the manual about the net command. Still, I don't know what testjoin actually does or tries to do. Regards, Khaled 2010/4/26 Khaled Blah khaled.b...@googlemail.com: I hope bumping is not frowned upon in this list :) cheers, Khaled 2010/4/24 Khaled Blah khaled.b...@googlemail.com: Hello all, I am new to this list and hopefully I am at the right place. Firstly, thanks to everyone involved in this project. You do a great job! Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here? I am grateful to any insight you guys could give me! Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin
It seems you didn't even read my initial question. Quoting myself here: quote Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here? /quote Regards, Khaled 2010/7/6 t...@tms3.com: SNIP Is there anyone who can help with this question? prism# net ads testjoin Join is OK That's about it. Pretty simple. Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin
On Tuesday 06/07/2010 at 8:03 am, Khaled Blah wrote: It seems you didn't even read my initial question. Quoting myself here: It seems you are asking for the answer to the ultimate question, the answer of which is 42. However, you haven't asked THE question. quote Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. It tests the validity of the Samba server's AD machine account status. You can see what's happening with wireshark or other packet sniffer. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here? I dunno, what are you looking for? /quote Regards, Khaled 2010/7/6 t...@tms3.com: SNIP Is there anyone who can help with this question? prism# net ads testjoin Join is OK That's about it. Pretty simple. Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin
On Tue, Jul 6, 2010 at 10:01 AM, t...@tms3.com wrote: On Tuesday 06/07/2010 at 8:03 am, Khaled Blah wrote: It seems you didn't even read my initial question. Quoting myself here: It seems you are asking for the answer to the ultimate question, the answer of which is 42. However, you haven't asked THE question. quote Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. It tests the validity of the Samba server's AD machine account status. You can see what's happening with wireshark or other packet sniffer. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here? I dunno, what are you looking for? /quote Regards, Khaled 2010/7/6 t...@tms3.com: SNIP Is there anyone who can help with this question? prism# net ads testjoin Join is OK That's about it. Pretty simple. Regards, Khaled You may find some information in chapter 10 of the book Using Samba by **Gerald Carter http://www.oreillynet.com/pub/au/1035; Jay Tshttp://www.oreillynet.com/pub/au/996; Robert Eckstein http://www.oreillynet.com/pub/au/155 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin without asking for password
Hi Robert, I've already tried that and it wouldn't work :( If I understand it correctly, then net writes the account password for the joining account to the secrets.tdb file and if that file still is there say after a reboot then net ads testjoin should not ask for a password right? Regards, Khaled 2010/7/1 Atkinson, Robert ratkin...@tbs-ltd.co.uk: Try :- -U username%password on the command. Rob. -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Khaled Blah Sent: 01 July 2010 15:05 To: samba@lists.samba.org Subject: [Samba] net ads testjoin without asking for password Hello all, is it possible to execute net ads testjoin without net asking for a password (in any circumstance)? The reason for my question is that I want to use it in a script and thus won't be able to supply a password to net (net does not ask for a password on stdin). Thanks in advance to anyone who can shed some light on this for me! Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba *** Any opinions expressed in email are those of the individual and not necessarily those of the company. This email and any files transmitted with it are confidential and solely for the use of the intended recipient or entity to whom they are addressed. It may contain material protected by attorney-client privilege. If you are not the intended recipient, or a person responsible for delivering to the intended recipient, be advised that you have received this email in error and that any use is strictly prohibited. Random House Group + 44 (0) 20 7840 8400 http://www.randomhouse.co.uk http://www.booksattransworld.co.uk http://www.kidsatrandomhouse.co.uk Generic email address - enquir...@randomhouse.co.uk Name Registered Office: THE RANDOM HOUSE GROUP LIMITED 20 VAUXHALL BRIDGE ROAD LONDON SW1V 2SA Random House Group Ltd is registered in the United Kingdom with company No. 00954009, VAT number 102838980 *** -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin without asking for password
You seem to be correct :- $ NET RPC TESTJOIN Join to 'UK' is OK $ Note this is an OpenVMS server, not Linux/Unix. Rob. -Original Message- From: Khaled Blah [mailto:khaled.b...@googlemail.com] Sent: 01 July 2010 15:41 To: Atkinson, Robert Cc: samba@lists.samba.org Subject: Re: [Samba] net ads testjoin without asking for password Hi Robert, I've already tried that and it wouldn't work :( If I understand it correctly, then net writes the account password for the joining account to the secrets.tdb file and if that file still is there say after a reboot then net ads testjoin should not ask for a password right? Regards, Khaled 2010/7/1 Atkinson, Robert ratkin...@tbs-ltd.co.uk: Try :- -U username%password on the command. Rob. -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Khaled Blah Sent: 01 July 2010 15:05 To: samba@lists.samba.org Subject: [Samba] net ads testjoin without asking for password Hello all, is it possible to execute net ads testjoin without net asking for a password (in any circumstance)? The reason for my question is that I want to use it in a script and thus won't be able to supply a password to net (net does not ask for a password on stdin). Thanks in advance to anyone who can shed some light on this for me! Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba * ** Any opinions expressed in email are those of the individual and not necessarily those of the company. This email and any files transmitted with it are confidential and solely for the use of the intended recipient or entity to whom they are addressed. It may contain material protected by attorney-client privilege. If you are not the intended recipient, or a person responsible for delivering to the intended recipient, be advised that you have received this email in error and that any use is strictly prohibited. Random House Group + 44 (0) 20 7840 8400 http://www.randomhouse.co.uk http://www.booksattransworld.co.uk http://www.kidsatrandomhouse.co.uk Generic email address - enquir...@randomhouse.co.uk Name Registered Office: THE RANDOM HOUSE GROUP LIMITED 20 VAUXHALL BRIDGE ROAD LONDON SW1V 2SA Random House Group Ltd is registered in the United Kingdom with company No. 00954009, VAT number 102838980 * ** -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin
Can anyone give me any hints please? I've read the man pages for smb.conf and for net and then I read the manual about the net command. Still, I don't know what testjoin actually does or tries to do. Regards, Khaled 2010/4/26 Khaled Blah khaled.b...@googlemail.com: I hope bumping is not frowned upon in this list :) cheers, Khaled 2010/4/24 Khaled Blah khaled.b...@googlemail.com: Hello all, I am new to this list and hopefully I am at the right place. Firstly, thanks to everyone involved in this project. You do a great job! Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here? I am grateful to any insight you guys could give me! Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin
I hope bumping is not frowned upon in this list :) cheers, Khaled 2010/4/24 Khaled Blah khaled.b...@googlemail.com: Hello all, I am new to this list and hopefully I am at the right place. Firstly, thanks to everyone involved in this project. You do a great job! Now, I use net to join Windows AD domains and was wondering where I can find out more information on what happens during a net ads testjoin. The information I found on the documentation pages of net or smb.conf on the website did not say much about it. I have noticed that a testjoin will ask for a password when the domain membership is not valid and it'll ignore kerberos tickets. Is there something I am missing here? I am grateful to any insight you guys could give me! Regards, Khaled -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin failed but net rpc testjoin work
Volker,
I tried wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida and it failed :(
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray%CatoNeimoida with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray with challenge/response
== /var/log/samba/wb-EMPIRE.log ==
[2010/04/22 08:25:34, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
[ 3235]: pam auth crap domain: EMPIRE user: EMPIRE\NuteGunray
[2010/04/22 08:25:34, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
NTLM CRAP authentication for user [EMPIRE]\[EMPIRE\NuteGunray] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
== /var/log/samba/winbindd.log ==
[2010/04/22 08:25:34, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[ 8479]: request interface version
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[ 8479]: request location of privileged pipe
[2010/04/22 08:25:34, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
[ 8479]: pam auth EMPIRE\NuteGunray
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
[ 8479]: request misc info
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(501)
[ 8479]: request domain name
[2010/04/22 08:25:34, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
[ 8479]: pam auth crap domain: [EMPIRE] user: EMPIRE\NuteGunray
Yesterday, I saw a little error in my krb5.conf, I forgot last newline.
This morning after your test, I corrected it but wbinfo -t failed the
RPC with error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
(0xc233) :(
After few search, I resolved the problem by adding lines in my
configurations files.
In my smb.conf it the general section, I add this 2 lines:
winbind use default domain = Yes
winbind nested groups = Yes
In My krb5.conf, I add this section
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
After a restart of winbind, wbinto -t worked
I tried wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida and it failed but in my
/var/log/samba/wb-EMPIRE.log, I saw dual pam auth
EMPIRE+EMPIRE\NuteGunray.
+ is my winbind separator, it's look like, samba used 2 EMPIRE one as the
domain implicit, and one as a group explicit in my wbinfo command.
I joined the domain again with a net join ads.
net ads testjoin don't work and net rpc testjoin work like yesterday.
wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray%CatoNeimoida with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray with challenge/response
== /var/log/samba/wb-EMPIRE.log ==
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
[ 8693]: dual pam auth EMPIRE+EMPIRE\NuteGunray
[2010/04/22 11:54:47, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1584)
Plain-text authentication for user EMPIRE+EMPIRE\NuteGunray returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
[2010/04/22 11:54:47, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
[ 8693]: pam auth crap domain: EMPIRE user: EMPIRE\NuteGunray
[2010/04/22 11:54:47, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
NTLM CRAP authentication for user [EMPIRE]\[EMPIRE\NuteGunray] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
== /var/log/samba/winbindd.log ==
[2010/04/22 11:54:47, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[ 8950]: request interface version
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[ 8950]: request location of privileged pipe
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
[ 8950]: pam auth EMPIRE\NuteGunray
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
[ 8950]: request misc info
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(501)
[ 8950]: request domain name
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
[ 8950]: pam auth crap domain: [EMPIRE] user: EMPIRE\NuteGunray
wbinfo -a EMPIRE+NuteGunray%CatoNeimoida
plaintext password authentication succeeded
challenge/response password authentication succeeded
[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
[ 8693]: dual pam auth EMPIRE+NuteGunray
[2010/04/22 13:10:23, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
[ 8693]: pam auth crap domain: EMPIRE user: NuteGunray
== /var/log/samba/winbindd.log ==
[2010/04/22 13:10:23,
Re: [Samba] net ads testjoin failed but net rpc testjoin work
On Thu, Apr 22, 2010 at 01:38:53PM +0200, Thierry Leurent wrote: wbinfo -a EMPIRE+NuteGunray%CatoNeimoida plaintext password authentication succeeded challenge/response password authentication succeeded Sorry, I had not seen that you have set your winbind separator to + . I really have some troubles to understand Samba and Active Directory. Samba is a very flexible tool. You might start out with an almost empty smb.conf tool just using the workgroup parameter and make that work. The advantage of this approach is that much of the documentation out there does not take many of the possible settings into account. Volker signature.asc Description: Digital signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads testjoin failed but net rpc testjoin work
On Wed, Apr 21, 2010 at 04:29:27PM +0200, Thierry Leurent wrote: - wbinfo -a NuteGunray%CatoNeimoida return plaintext password Please try wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida Volker -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
