[Samba] 3.6.5 and "not_defined_in_RFC4178@please_ignore" error

May 22nd, 2012 - 12:40 am ET by alex.ranskis
Hello,

We're having trouble joining an AD domain with 3.6.5

This message when running net join looks fishy :
"got principal=not_defined_in_RFC4178@please_ignore"

OS : Solaris 10 x64
Kerberos : MIT krb5 1.10.1
DC servers are running Windows 2008

The error message is :
./net join -U aranskis
Enter aranskis's password:
Failed to join domain: failed to lookup DC info for domain 'CORP.NET'
over rpc: Logon failure
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain CORP
Unable to find a suitable server for domain CORP

with -d9, here's the hopefully relevant output :

ads_dns_lookup_srv: 18 records returned in the answer section.
namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of
DCs IP follows]
[..]
Successfully contacted LDAP server 10.219.244.253
[..]
got principal=not_defined_in_RFC4178@please_ignore
[..]
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain
'CIB.NET' over rpc: Logon failure'
domain_is_ad : 0x00 (0)
result : WERR_LOGON_FAILURE


relevant configuration options :

[global]
realm=CORP.NET
workgroup=CORP.NET
security=ADS
encrypt passwords = yes
bind interfaces only = true
interfaces = msusersncs



Any hints on the best way to try and figure out what is wrong when
trying to register in the AD ?
(the same config worked with samba 3.4.x, but the DCs were running Windows 2003)


Cheers,
Alex
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Replies

#1 Jim McDonough
May 23rd, 2012 - 08:10 am ET
On Mon, May 21, 2012 at 12:17 PM, wrote:
> We're having trouble joining an AD domain with 3.6.5
>
> This message when running net join looks fishy :
> "got principal="

I'm sure it looks fishy, but it's not. This is normal for newer
versions of windows (windows is sending it back).

> OS : Solaris 10 x64
> Kerberos : MIT krb5 1.10.1
> DC servers are running Windows 2008
>
> The error message is :
> ./net join -U aranskis
> Enter aranskis's password:
> Failed to join domain: failed to lookup DC info for domain 'CORP.NET'
> over rpc: Logon failure
> ADS join did not work, falling back to RPC...
> Unable to find a suitable server for domain CORP
> Unable to find a suitable server for domain CORP
>
> with -d9, here's the hopefully relevant output :
>
> ads_dns_lookup_srv: 18 records returned in the answer section.
> namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of
> DCs IP follows]
> [..]
> Successfully contacted LDAP server 10.219.244.253
> [..]
> got principal=
> [..]

What's cut out here might be more helpful. However, please see below
and try that first.

> SPNEGO login failed: Logon failure
> failed session setup with NT_STATUS_LOGON_FAILURE
> libnet_Join:
>    libnet_JoinCtx: struct libnet_JoinCtx
>        out: struct libnet_JoinCtx
>            account_name             : NULL
>            netbios_domain_name      : NULL
>            dns_domain_name          : NULL
>            forest_name              : NULL
>            dn                       : NULL
>            domain_sid               : NULL
>                domain_sid               : (NULL SID)
>            modified_config          : 0x00 (0)
>            error_string             : 'failed to lookup DC info for domain
> 'CIB.NET' over rpc: Logon failure'
>            domain_is_ad             : 0x00 (0)
>            result                   : WERR_LOGON_FAILURE
>
> relevant configuration options :
>
> [global]
>        realm=CORP.NET
>        workgroup=CORP.NET

Please try changing this to just CORP (or whatever the "short" netbios
name is for the domain...not the dns name).

>        security=ADS
>        encrypt passwords = yes
>        bind interfaces only = true
>        interfaces = msusersncs
>
> Any hints on the best way to try and figure out what is wrong when
> trying to register in the AD ?
> (the same config worked with samba 3.4.x, but the DCs were running Windows 2003)




Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
#2 Alex Still
May 23rd, 2012 - 10:00 am ET
Hello,

On Wed, May 23, 2012 at 1:59 PM, Jim McDonough wrote:
> On Mon, May 21, 2012 at 12:17 PM,   wrote:
>> We're having trouble joining an AD domain with 3.6.5
>>
>> This message when running net join looks fishy :
>> "got principal="
>
> I'm sure it looks fishy, but it's not.  This is normal for newer
> versions of windows (windows is sending it back).



Thanks for the explanation, sorry about the misdiagnosis then :-)


>> OS : Solaris 10 x64
>> Kerberos : MIT krb5 1.10.1
>> DC servers are running Windows 2008
>>
>> The error message is :
>> ./net join -U aranskis
>> Enter aranskis's password:

[...]
>> [..]
>
> What's cut out here might be more helpful.  However, please see below
> and try that first.
>
>> relevant configuration options :
>>
>> [global]
>>        realm=CORP.NET
>>        workgroup=CORP.NET
>
> Please try changing this to just CORP (or whatever the "short" netbios
> name is for the domain...not the dns name).



OK, did that (workgroup = CORP instead of workgroup = CORP.NET), the
join still fails, here's more of the log below.
I hope it is enough, if not the whole output is available here :
http://pastebin.com/r3LTaXCx

Now, what seems suspicious (to me, at least !) is the line :
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP
(Connection timed out)

Shouldn't it try to resolve "_ldap._tcp.pdc._msdcs.CORP.NET" instead ?



[]:/local/users_ncs/product/samba/bin # ls -ltr /var/tmp/log8.txt
-rw-r--r-- 1 root root 12195 May 23 14:54 /var/tmp/log8.txt
[]:/local/users_ncs/product/samba/bin # less /var/tmp/log8.txt
INFO: Current debug levels:
all: 9
tdb: 9
printdrivers: 9
lanman: 9
smb: 9
rpc_parse: 9
rpc_srv: 9
rpc_cli: 9
passdb: 9
sam: 9
auth: 9
winbind: 9
vfs: 9
idmap: 9
quota: 9
acls: 9
locking: 9
msdfs: 9
dmapi: 9
registry: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 9
tdb: 9
printdrivers: 9
lanman: 9
smb: 9
rpc_parse: 9
rpc_srv: 9
rpc_cli: 9
passdb: 9
sam: 9
auth: 9
winbind: 9
vfs: 9
idmap: 9
quota: 9
acls: 9
locking: 9
msdfs: 9
dmapi: 9
registry: 9
params.c:pm_process() - Processing configuration file
"/local/users_ncs/product/samba-3.6.5/lib/smb.conf"
Processing section "[global]"
doing parameter realm = CORP.NET
doing parameter workgroup = CORP
doing parameter security = ADS
doing parameter encrypt passwords = yes
doing parameter bind interfaces only = true
doing parameter interfaces = msusersncs
doing parameter lock dir = /local/users_ncs/product/samba/lock
doing parameter netbios name = msusersncs
handle_netbios_name: set global_myname to: MSUSERSNCS
doing parameter pid directory = /local/users_ncs/product/samba/pid
doing parameter log file = /local/users_ncs/product/samba/log/samba.log
doing parameter username map = /local/users_ncs/product/samba/lib/users.map
doing parameter guest account = nobody
doing parameter invalid users = root bin
doing parameter server string = Serveur NCS Users
doing parameter log level = 2
doing parameter max log size = 800000
doing parameter msdfs root = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Substituting charset '646' for LOCALE
Netbios name list:-
my_netbios_names[0]="MSUSERSNCS"
added interface e1000g4:4 ip.20.198.67 bcast.20.198.255
netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Opening cache file at /local/users_ncs/product/samba/lock/gencache.tdb
Opening cache file at /local/users_ncs/product/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for CORP.NET: "Site-Paris"
lp_servicenumber: couldn't find homes
Substituting charset '646' for LOCALE
Netbios name list:-
my_netbios_names[0]="MSUSERSNCS"
added interface e1000g4:4 ip.20.198.67 bcast.20.198.255
netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Opening cache file at /local/users_ncs/product/samba/lock/gencache.tdb
Opening cache file at /local/users_ncs/product/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for CORP.NET: "Site-Paris"
ads_find_dc: (cldap) looking for realm 'CORP.NET'
get_sorted_dc_list: attempting lookup for name CORP.NET (sitename
Site-Paris) using [ads]
saf_fetch: failed to find server for "CORP.NET" domain
get_dc_list: preferred server list: ", *"
no entry for CORP.NET#1C found.
resolve_ads: Attempting to resolve DCs for CORP.NET using DNS
ads_dns_lookup_srv: 18 records returned in the answer section.
namecache_store: storing 18 addresses for CORP.NET#1c:
10.220.244.253,10.9.62.70,10.219.244.29,10.219.244.38,10.219.244.21,10.220.244.254,10.219.216.13,10.220.245.254,10.220.245.253,10.219.244.253,10.14.12.40,10.219.245.51,10.14.12.32,10.9.62.74,10.15.48.204,10.9.192.133,10.219.244.28,10.14.11.134
Adding 18 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.220.244.253
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.9.62.70
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.219.244.29
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.219.244.38
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.219.244.21
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.220.244.254
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.219.216.13
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.220.245.254
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.220.245.253
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.219.244.253
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.14.12.40
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.219.245.51
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.14.12.32
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.9.62.74
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.15.48.204
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.9.192.133
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.219.244.28
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.14.11.134
get_dc_list: returning 18 ip addresses in an ordered list
get_dc_list: 10.220.244.253:389 10.9.62.70:389 10.219.244.29:389
10.219.244.38:389 10.219.244.21:389 10.220.244.254:389
10.219.216.13:389 10.220.245.254:389 10.220.245.253:389
10.219.244.253:389 10.14.12.40:389 10.219.245.51:389 10.14.12.32:389
10.9.62.74:389 10.15.48.204:389 10.9.192.133:389 10.219.244.28:389
10.14.11.134:389
check_negative_conn_cache returning result 0 for domain CORP.NET
server 10.220.244.253
ads_try_connect: sending CLDAP request to 10.220.244.253 (realm: CORP.NET)
Successfully contacted LDAP server 10.220.244.253
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'MSUSERSNCS'
domain_name : *
domain_name : 'CORP.NET'
account_ou : NULL
admin_account : 'aranskis'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
...skipping...
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for
domain 'CORP.NET' over rpc: Logon failure'
domain_is_ad : 0x00 (0)
result : WERR_LOGON_FAILURE
ADS join did not work, falling back to RPC...
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP
(Connection timed out)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
startlmhosts: Can't open lmhosts file
/local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such
file or directory
resolve_wins: Attempting wins lookup for name CORP<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name CORP<0x1b>
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 4
SO_BROADCAST = 32
Could not test socket option TCP_NODELAY.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 57344
SO_RCVBUF = 57344
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
startlmhosts: Can't open lmhosts file
/local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such
file or directory
resolve_wins: Attempting wins lookup for name CORP<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name CORP<0x1b>
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 4
SO_BROADCAST = 32
Could not test socket option TCP_NODELAY.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 57344
SO_RCVBUF = 57344
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
return code = 1
Failed to join domain: failed to lookup DC info for domain 'CORP.NET'
over rpc: Logon failure



>>        security=ADS
>>        encrypt passwords = yes
>>        bind interfaces only = true
>>        interfaces = msusersncs
>>
>> Any hints on the best way to try and figure out what is wrong when
>> trying to register in the AD ?
>> (the same config worked with samba 3.4.x, but the DCs were running Windows 2003)
>
> Jim McDonough
> Samba Team
> SUSE labs
> jmcd at samba dot org
> jmcd at themcdonoughs dot org
#3 Alex Still
May 23rd, 2012 - 12:20 pm ET
> Now, what seems suspicious (to me, at least !) is the line :
> ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP
> (Connection timed out)
>
> Shouldn't it try to resolve "_ldap._tcp.pdc._msdcs.CORP.NET" instead ?




Now I've tried running it through dbx

(dbx) where
=>[1] ads_dns_lookup_srv(0x87dd2e8, 0x87de1c8, 0x8047008, 0x804700c),
at 0x822ff84
[2] ads_dns_query_internal(0x87dd2e8, 0x86c1630, 0x86c162c,
0x87ddef0, 0x87d8668, 0x8047008, 0x804700c, 0x8230d3f), at 0x8230d1f
[3] ads_dns_query_dcs(0x87dd2e8, 0x87ddef0, 0x87d8668, 0x8047008,
0x804700c, 0xfe8c297c, 0xfe940680, 0x8574b79), at 0x8230d6b
[4] discover_dc_dns(0x87dd2e8, 0x87ddef0, 0x0, 0x40001011,
0x87d8668, 0x8047058, 0x804705c, 0x857562f), at 0x8574c18
[5] dsgetdcname_rediscover(0x87dd2e8, 0x87dc2f8, 0x87ddef0, 0x0,
0x40001011, 0x87d8668, 0x804709c, 0x857581d), at 0x85756b2
[6] dsgetdcname(0x87dd2e8, 0x87dc2f8, 0x87ddef0, 0x0, 0x0,
0x40001011, 0x80470ec, 0x858aa71), at 0x8575960
[7] libnet_DomainJoin(0x87dd2e8, 0x87dd580, 0x28, 0x858ae05), at 0x858aaa2
[8] libnet_Join(0x87dd2e8, 0x87dd580, 0x80471f8, 0x80dfe08), at 0x858aec9
[9] net_ads_join(0x87d8ad0, 0x0, 0x87d9d6c, 0x8115a91), at 0x80e00bd
[10] net_run_function(0x87d8ad0, 0x1, 0x87d9d68, 0x85edf5c,
0x8047270, 0x8047270, 0x87b9ee0, 0x190), at 0x8115af9
[11] net_ads(0x87d8ad0, 0x1, 0x87d9d68, 0x8115a91), at 0x80e30b1
[12] net_run_function(0x87d8ad0, 0x2, 0x87d9d64, 0x85ec140,
0x87b9b58, 0x87dc280, 0x80479b8, 0x80dbed5), at 0x8115af9
[13] main(0x5, 0x80479e4, 0x80479fc, 0x80daa4f), at 0x80dbf84


The log is the same, but the argument seems correct (it has ".NET" at the end)

0x087de1c8: "_ldap._tcp.Site-Paris._sites.dc._msdcs.CORP.NET"


I'll cool down and think about it again tomorrow.. I've probably
missed something stupid
#4 alex.ranskis
June 01st, 2012 - 12:00 pm ET
Quoting Jim McDonough:

> On Mon, May 21, 2012 at 12:17 PM, wrote:
>> We're having trouble joining an AD domain with 3.6.5
>>
>> This message when running net join looks fishy :
>> "got principal="
> I'm sure it looks fishy, but it's not. This is normal for newer
> versions of windows (windows is sending it back).
>
>>
>> OS : Solaris 10 x64
>> Kerberos : MIT krb5 1.10.1
>> DC servers are running Windows 2008
>>
>> The error message is :
>> ./net join -U aranskis
>> Enter aranskis's password:
>> Failed to join domain: failed to lookup DC info for domain 'CORP.NET'
>> over rpc: Logon failure
>> ADS join did not work, falling back to RPC...
>> Unable to find a suitable server for domain CORP
>> Unable to find a suitable server for domain CORP
>>
>> with -d9, here's the hopefully relevant output :
>>
>> ads_dns_lookup_srv: 18 records returned in the answer section.
>> namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of
>> DCs IP follows]
>> [..]
>> Successfully contacted LDAP server 10.219.244.253
>> [..]
>> got principal=
>> [..]
> What's cut out here might be more helpful. However, please see below
> and try that first.
>
>> SPNEGO login failed: Logon failure
>> failed session setup with NT_STATUS_LOGON_FAILURE
>> libnet_Join:
>>    libnet_JoinCtx: struct libnet_JoinCtx
>>        out: struct libnet_JoinCtx
>>            account_name             : NULL
>>            netbios_domain_name      : NULL
>>            dns_domain_name          : NULL
>>            forest_name              : NULL
>>            dn                       : NULL
>>            domain_sid               : NULL
>>                domain_sid               : (NULL SID)
>>            modified_config          : 0x00 (0)
>>            error_string             : 'failed to lookup DC info for domain
>> 'CIB.NET' over rpc: Logon failure'
>>            domain_is_ad             : 0x00 (0)
>>            result                   : WERR_LOGON_FAILURE
>>
>>
>> relevant configuration options :
>>
>> [global]
>>        realm=CORP.NET
>>        workgroup=CORP.NET
> Please try changing this to just CORP (or whatever the "short" netbios
> name is for the domain...not the dns name).
>
>>        security=ADS
>>        encrypt passwords = yes
>>        bind interfaces only = true
>>        interfaces = msusersncs
>>
>>
>>
>> Any hints on the best way to try and figure out what is wrong when
>> trying to register in the AD ?
>> (the same config worked with samba 3.4.x, but the DCs were running Windows 2003)





Still stuck, if anyone can help me find what looks wrong in the log below when
trying to join the domain, I'd be most grateful !
(In addition to Jim's suggestion I have also tried reverting to the previous
security default : client ntlmv2 auth, client use spnego, send spnego principal
- which didn't help either)

check_negative_conn_cache returning result 0 for domain CORP.NET server
10.220.244.253
ads_try_connect: sending CLDAP request to 10.220.244.253 (realm: CORP.NET)
Successfully contacted LDAP server 10.220.244.253
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'MSUSERSNCS'
domain_name : *
domain_name : 'CORP.NET'
account_ou : NULL
admin_account : 'aranskis'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
...skipping...
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain
'CORP.NET' over rpc: Logon failure'
domain_is_ad : 0x00 (0)
result : WERR_LOGON_FAILURE
ADS join did not work, falling back to RPC...
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP (Connection
timed out)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
startlmhosts: Can't open lmhosts file
/local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such file or
directory
resolve_wins: Attempting wins lookup for name CORP<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name CORP<0x1b>
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 4
SO_BROADCAST = 32
Could not test socket option TCP_NODELAY.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 57344
SO_RCVBUF = 57344
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
no entry for CORP#1B found.
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
no entry for CORP#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name CORP<0x1b>
startlmhosts: Can't open lmhosts file
/local/users_ncs/product/samba-3.6.5/lib/lmhosts. Error was No such file or
directory
resolve_wins: Attempting wins lookup for name CORP<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name CORP<0x1b>
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 4
SO_BROADCAST = 32
Could not test socket option TCP_NODELAY.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 57344
SO_RCVBUF = 57344
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
return code = 1
Failed to join domain: failed to lookup DC info for domain 'CORP.NET' over rpc:
Logon failure


Cheers,
Alex




Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
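
An added triage example, not part of the original thread and not Samba code: it splits a `net join -d9` log at the "falling back to RPC" marker and lists the failures in each stage, which shows that the `_ldap._tcp.pdc._msdcs.CORP` timeout asked about above is logged only in the RPC fallback, after the SPNEGO logon failure. The sample log is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: lines taken from the -d9 output quoted in the thread,
# reduced to stage changes, DNS lookups, NTLMSSP flag words and failures.
SAMPLE_LOG = """\
resolve_ads: Attempting to resolve DCs for CORP.NET using DNS
ads_dns_lookup_srv: 18 records returned in the answer section.
Successfully contacted LDAP server 10.220.244.253
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
ADS join did not work, falling back to RPC...
resolve_ads: Attempting to resolve PDC for CORP using DNS
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.pdc._msdcs.CORP (Connection timed out)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
Unable to resolve PDC server address
Unable to find a suitable server for domain CORP
"""

ADS, RPC = "ADS join", "RPC fallback"
FALLBACK_MARK = "ADS join did not work, falling back to RPC"
FAILURE_RE = re.compile(
    r"NT_STATUS_(?!OK\b)\w+|WERR_(?!OK\b)\w+|login failed"
    r"|Failed to resolve|Unable to \w+"
)
SRV_FAIL_RE = re.compile(r"Failed to resolve (\S+)")
FLAGS_RE = re.compile(r"neg_flags=0x([0-9a-fA-F]+)")

# NTLMSSP negotiate bits (values per MS-NLMP). Names follow the log output;
# TARGET_TYPE_DOMAIN is the MS-NLMP name, the log does not print it.
NTLMSSP_BITS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}


def triage(log_text):
    """Split a join log at the fallback marker; collect failures per stage."""
    stage = ADS
    report = {"failures": {ADS: [], RPC: []}, "srv_failed": [], "neg_flags": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if FALLBACK_MARK in line:
            stage = RPC  # everything after this line is the RPC retry
            continue
        flags = FLAGS_RE.search(line)
        if flags:
            report["neg_flags"].append(int(flags.group(1), 16))
            continue
        if FAILURE_RE.search(line):
            report["failures"][stage].append(line)
        srv = SRV_FAIL_RE.search(line)
        if srv:
            report["srv_failed"].append((stage, srv.group(1)))
    return report


def first_failure(report):
    """Return (stage, line) for the earliest failure, or None."""
    for stage in (ADS, RPC):
        if report["failures"][stage]:
            return stage, report["failures"][stage][0]
    return None


def dropped_flag_names(offered, final):
    """Name the bits set in the challenge flags but not in the final flags."""
    dropped = offered & ~final
    names = [name for bit, name in sorted(NTLMSSP_BITS.items()) if dropped & bit]
    unknown = dropped & ~sum(NTLMSSP_BITS)  # bits are distinct, so sum == OR
    if unknown:
        names.append(hex(unknown))
    return names


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("first failure:", first_failure(rep))
    print("failed SRV lookups:", rep["srv_failed"])
    print("dropped flags:", dropped_flag_names(rep["neg_flags"][0], rep["neg_flags"][-1]))
```
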




