Intermittent failure of net ads join command with error "The transport connection is now disconnected"

Samba - General mailing list
Hello All

I am seeing the following error intermittently when I try to join the Samba
machine to an AD domain controlled by a Windows machine.

Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM'
over rpc: The transport connection is now disconnected.

If we repeat the same command with the same configuration and credentials, it
succeeds.

Detailed logs at log level 5 are at the end of the message.


Command:
net ads join -d5 -e -I <AD Controller IP>  -U administrator%<password>

Configuration details are as follows:

-------------------- smb.conf -----------------------
[global]
max log size = 0
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
passdb backend = tdbsam

------------------- krb5.conf ------------------------
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.COM = {
kdc = PDC.DOMAIN.COM
admin_server = PDC.DOMAIN.COM
}
[domain_realm]
domain = DOMAIN.COM
.domain = DOMAIN.COM


----------------------------------------------------------------------------------------------

Log level 5 logs for net ads command are:


Enter Administrator's password:libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'Hostname'
            domain_name              : *
                domain_name              : 'DOMAIN.COM'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'Administrator'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
"Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
"Default-First-Site-Name"
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: <AD Controller IP>
Connecting to <AD Controller IP> at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
Connecting to <AD Controller IP> at port 139
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 367360
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Server claims it's principal name is not_defined_in_RFC4178@PLEASE_IGNORE
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: The transport connection is now disconnected.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_sid               : NULL
                domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to lookup DC info for domain
'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
            domain_is_ad             : 0x00 (0)
            set_encryption_types     : 0x00000000 (0)
            result                   : WERR_NETNAME_DELETED
return code = -1
Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM'
over rpc: The transport connection is now disconnected.

------------------------------------------------------------------------------------------------------------------------------

If we compare the success and failure logs, the only difference is the
following lines:


The lines below are missing in the failure case:
----------------------------------------------
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan  1
05:30:00 1970 IST] (-1511892480 seconds in the past)
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28
23:49:00 2017 IST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
-------------------------------------------------

Also, OIDs are different.

Please help me understand in what scenarios the domain controller will
revoke the transport connection with an SPNEGO failure for the same flags and
the same inputs.

Thanks
Akash
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
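
The connection steps and NTLMSSP flag values in the log above can be summarised mechanically, which makes a failing run easier to compare with a successful one. This is an added example, not part of the original post or of Samba: the function names are hypothetical, the embedded excerpt is copied from the log in the post, and the bit values are those defined in MS-NLMP. It reports observations only and does not identify a cause.

```python
import re

# NTLMSSP negotiate flag bits (MS-NLMP), using the names Samba prints at -d5.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Log lines that announce which stage the next neg_flags value belongs to.
STAGE_HEADERS = {
    "Got challenge flags:": "challenge",
    "NTLMSSP: Set final flags:": "final",
    "NTLMSSP Sign/Seal - Initialising with flags:": "sign_seal",
}

# Excerpt copied from the failing run in the post (IP left as the placeholder).
SAMPLE_LOG = """\
Connecting to <AD Controller IP> at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
Connecting to <AD Controller IP> at port 139
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
SPNEGO login failed: The transport connection is now disconnected.
"""


def decode_flags(value):
    """Return the flag names set in an NTLMSSP neg_flags value, lowest bit first."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS)  # bits not in the table above
    if unknown:
        names.append("UNKNOWN_0x%08x" % unknown)
    return names


def summarise_join_log(text):
    """Collect ports tried, neg_flags per stage and the first login failure."""
    summary = {"ports": [], "flags": {}, "failure": None}
    pending = None  # stage whose neg_flags line is expected next
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"Connecting to .* at port (\d+)$", line)
        if m:
            summary["ports"].append(int(m.group(1)))
            continue
        if line in STAGE_HEADERS:
            pending = STAGE_HEADERS[line]
            continue
        m = re.match(r"Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)$", line)
        if m and pending:
            summary["flags"][pending] = int(m.group(1), 16)
            pending = None
            continue
        if summary["failure"] is None and "login failed:" in line:
            summary["failure"] = line
    return summary


def dropped_flags(summary):
    """Flags present in the server challenge but absent from the final set."""
    challenge = summary["flags"].get("challenge", 0)
    final = summary["flags"].get("final", 0)
    return decode_flags(challenge & ~final)


if __name__ == "__main__":
    s = summarise_join_log(SAMPLE_LOG)
    print("ports tried:", s["ports"])
    for stage, value in s["flags"].items():
        print("%-9s 0x%08x" % (stage, value))
    print("in challenge only:", ", ".join(dropped_flags(s)))
    print("failure:", s["failure"])
```

Running the same functions over a `-d5` log from a successful join and comparing the two summaries narrows the comparison to the stages where the runs diverge.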

Re: Intermittent failure of net ads join command with error "The transport connection is now disconnected"

Hello All

Can someone please help me understand what could be the reason SPNEGO fails
with the Windows AD server?

  SPNEGO login failed: The transport connection is now disconnected.
  error_string             : 'failed to lookup DC info for domain
'DOMAIN.COM' over rpc: The transport connection is now disconnected.'



Thanks in Advance

Akash

On Fri, Dec 1, 2017 at 4:55 PM, Akash Jain <[hidden email]>
wrote:

> Hello All
>
> I am seeing following error intermittently when I try to join the samba
> machine into AD controlled by windows machine.
>
> Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM'
> over rpc: The transport connection is now disconnected.
>
> If we repeat the same command with same configuration and credentials, it
> succeeds.
>
> Detailed logs at log level 5 are at end of the message.
>
>
> Command:
> net ads join -d5 -e -I <AD Controller IP>  -U administrator%<password>
>
> configuration details are as follows
>
> -------------------- smb.conf -----------------------
> [global]
> max log size = 0
> realm = DOMAIN.COM
> workgroup = DOMAIN
> security = ADS
> winbind enum users = yes
> winbind enum groups = yes
> idmap config * : backend = autorid
> idmap config * : range = 1000000-19999999
> passdb backend = tdbsam
>
> ------------------- krb5.conf ------------------------
> [libdefaults]
> default_realm = DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
> [realms]
> DOMAIN.COM = {
> kdc = PDC.DOMAIN.COM
> admin_server = PDC.DOMAIN.COM
> }
> [domain_realm]
> domain = DOMAIN.COM
> .domain = DOMAIN.COM
>
>
> ------------------------------------------------------------
> ----------------------------------
>
> Log level 5 logs for net ads command are:
>
>
> Enter Administrator's password:libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         in: struct libnet_JoinCtx
>             dc_name                  : NULL
>             machine_name             : 'Hostname'
>             domain_name              : *
>                 domain_name              : 'DOMAIN.COM'
>             domain_name_type         : JoinDomNameTypeDNS (1)
>             account_ou               : NULL
>             admin_account            : 'Administrator'
>             admin_domain             : NULL
>             machine_password         : NULL
>             join_flags               : 0x00000023 (35)
>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>             os_version               : NULL
>             os_name                  : NULL
>             os_servicepack           : NULL
>             create_upn               : 0x00 (0)
>             upn                      : NULL
>             modify_config            : 0x00 (0)
>             ads                      : NULL
>             debug                    : 0x01 (1)
>             use_kerberos             : 0x00 (0)
>             secure_channel_type      : SEC_CHAN_WKSTA (2)
>             desired_encryption_types : 0x0000001f (31)
> Opening cache file at /var/lib/samba/gencache.tdb
> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> "Default-First-Site-Name"
> ads_dns_lookup_srv: 1 records returned in the answer section.
> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> "Default-First-Site-Name"
> no entry for PDC.DOMAIN.COM#20 found.
> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> namecache_store: storing 1 address for PDC.DOMAIN.COM#20: <AD Controller
> IP>
> Connecting to <AD Controller IP> at port 445
> E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM
> '
> Connecting to <AD Controller IP> at port 139
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 87040
>         SO_RCVBUF = 367360
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
> got OID=1.3.6.1.4.1.311.2.2.10
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Starting GENSEC mechanism spnego
> Server claims it's principal name is not_defined_in_RFC4178@PLEASE_IGNORE
> Starting GENSEC submechanism ntlmssp
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_TARGET_TYPE_DOMAIN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: The transport connection is now disconnected.
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : NULL
>             dns_domain_name          : NULL
>             forest_name              : NULL
>             dn                       : NULL
>             domain_sid               : NULL
>                 domain_sid               : (NULL SID)
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to lookup DC info for
> domain 'DOMAIN.COM' over rpc: The transport connection is now
> disconnected.'
>             domain_is_ad             : 0x00 (0)
>             set_encryption_types     : 0x00000000 (0)
>             result                   : WERR_NETNAME_DELETED
> return code = -1
> Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM'
> over rpc: The transport connection is now disconnected.
>
> ------------------------------------------------------------
> ------------------------------------------------------------------
>
> If we compare the Success vs Failure logs, we see only difference of
> following lines:
>
>
> Below lines are missing in Failure case:
> ----------------------------------------------
> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan
> 1 05:30:00 1970 IST] (-1511892480 seconds in the past)
> no entry for PDC.DOMAIN.COM#20 found.
> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov
> 28 23:49:00 2017 IST] (660 seconds ahead)
> internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
> -------------------------------------------------
>
> Also, OIDs are different.
>
> Please help me understand in what scenarios does domain controller will
> revoke the transport connection with SPNEGO failed for same flags and same
> inputs
>
> Thanks
> Akash
>
>

Re: Intermittent failure of net ads join command with error "The transport connection is now disconnected"

Hello All

Can I get some response on the above email?

More Setup Details

My AD Controller is Windows 2008 R2
My Linux machine which is trying to join domain is CentOS Linux release
7.2.1511
Samba version is Version 4.6.2

Kindly help and let me know if I need to include more information in the
email.

Thanks
Akash

On Wed, Dec 6, 2017 at 1:42 PM, Akash Jain <[hidden email]>
wrote:

> Hello All
>
> Can someone please help me understand what could be the reason SPENGO
> fails with windows AD server?
>
>   SPNEGO login failed: The transport connection is now disconnected.
>   error_string             : 'failed to lookup DC info for domain '
> DOMAIN.COM <http://domain.com/>' over rpc: The transport connection is
> now disconnected.'
>
>
>
> Thanks in Advance
>
> Akash

Re: Intermittent failure of net ads join command with error "The transport connection is now disconnected"

Your smb.conf is incorrect/incomplete.

Info here on these 2 links.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
https://wiki.samba.org/index.php/Idmap_config_rid

Your smb.conf:
> >> [global]
> >> max log size = 0
> >> realm = DOMAIN.COM
> >> workgroup = DOMAIN
> >> security = ADS
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> idmap config * : backend = autorid
> >> idmap config * : range = 1000000-19999999

But yours should be something like:
[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM

        log file = /var/log/samba/%m.log
        log level = 1

        # Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        # idmap config for the SAMDOM domain
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-999999

        # Template settings for login shell and home directory
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U

Greetz,

Louis




> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Akash Jain via samba
> Sent: Tuesday 12 December 2017 12:10
> To: [hidden email]
> Subject: Re: [Samba] Intermittent failure of net ads join
> command with error "The transport connection is now disconnected"
>
> Hello All
>
> Can I get some response on above email.
>
> More Setup Details
>
> My AD Controller is Windows 2008 R2
> My Linux machine which is trying to join domain is CentOS
> Linux release
> 7.2.1511
> Samba version is Version 4.6.2
>
> Kindly help and let me know if I need to include more
> information in the
> email.
>
> Thanks
> Akash
>
> On Wed, Dec 6, 2017 at 1:42 PM, Akash Jain
> <[hidden email]>
> wrote:
>
> > Hello All
> >
> > Can someone please help me understand what could be the
> reason SPENGO
> > fails with windows AD server?
> >
> >   SPNEGO login failed: The transport connection is now disconnected.
> >   error_string             : 'failed to lookup DC info for domain '
> > DOMAIN.COM <http://domain.com/>' over rpc: The transport
> connection is
> > now disconnected.'
> >
> >
> >
> > Thanks in Advance
> >
> > Akash
> >
> > On Fri, Dec 1, 2017 at 4:55 PM, Akash Jain
> <[hidden email]>
> > wrote:
> >
> >> Hello All
> >>
> >> I am seeing following error intermittently when I try to
> join the samba
> >> machine into AD controlled by windows machine.
> >>
> >> Failed to join domain: failed to lookup DC info for domain '
> >> 3DFSTESTAD.COM' over rpc: The transport connection is now
> disconnected.
> >>
> >> If we repeat the same command with same configuration and
> credentials, it
> >> succeeds.
> >>



Re: Intermittent failure of net ads join command with error "The transport connection is now disconnected"

Samba - General mailing list
Hi Louis

Thanks for your reply and the link. I have been following the same document and
I do not see any major difference.
SAMDOM.EXAMPLE.COM is the realm they are using as an example, but
DOMAIN.COM is also a valid realm in my case.
Can you please pinpoint the configuration line which can cause this
intermittent failure? I believe if the configuration is not correct it will
not succeed even once.

Thanks
Akash



On Tue, Dec 12, 2017 at 4:48 PM, L.P.H. van Belle via samba <
[hidden email]> wrote:

> Your smb.conf is incorrect/incomplete.
>
> Info here on these 2 links.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> Your smb.conf
> > >> [global]
> > >> max log size = 0
> > >> realm = DOMAIN.COM
> > >> workgroup = DOMAIN
> > >> security = ADS
> > >> winbind enum users = yes
> > >> winbind enum groups = yes
> > >> idmap config * : backend = autorid
> > >> idmap config * : range = 1000000-19999999
>
> But yours should be something like:
> [global]
>        security = ADS
>        workgroup = SAMDOM
>        realm = SAMDOM.EXAMPLE.COM
>
>        log file = /var/log/samba/%m.log
>        log level = 1
>
>         # Default idmap config for local BUILTIN accounts and groups
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>
>         # idmap config for the SAMDOM domain
>         idmap config SAMDOM : backend = rid
>         idmap config SAMDOM : range = 10000-999999
>
>         # Template settings for login shell and home directory
>         winbind nss info = template
>         template shell = /bin/bash
>         template homedir = /home/%U
>
> Greetz,
>
> Louis
>
>
>
>
> > -----Original message-----
> > From: samba [mailto:[hidden email]] On behalf of Akash Jain via samba
> > Sent: Tuesday, 12 December 2017 12:10
> > To: [hidden email]
> > Subject: Re: [Samba] Intermittent failure of net ads join
> > command with error "The transport connection is now disconnected"
> >
> > Hello All
> >
> > Can I get some response on above email.
> >
> > More Setup Details
> >
> > My AD Controller is Windows 2008 R2
> > My Linux machine which is trying to join domain is CentOS Linux release 7.2.1511
> > Samba version is Version 4.6.2
> >
> > Kindly help and let me know if I need to include more information in the
> > email.
> >
> > Thanks
> > Akash
> >
> > On Wed, Dec 6, 2017 at 1:42 PM, Akash Jain <[hidden email]> wrote:
> >
> > > Hello All
> > >
> > > Can someone please help me understand what could be the reason SPNEGO
> > > fails with windows AD server?
> > >
> > >   SPNEGO login failed: The transport connection is now disconnected.
> > >   error_string             : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
> > >
> > >
> > >
> > > Thanks in Advance
> > >
> > > Akash
> > >

Re: Intermittent failure of net ads join command with error "The transport connection is now disconnected"

Samba - General mailing list
Hai,
 
this is the "good" part of your config.
> >> [global]
> >> max log size = 0
> >> realm = DOMAIN.COM
> >> workgroup = DOMAIN
> >> security = ADS
 
this is the bad part.
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> idmap config * : backend = autorid
> >> idmap config * : range = 1000000-19999999
 
winbind enum users = yes does nothing for you except slowing down your server.
use getent passwd username if you want to test users.

this is missing/incorrect, I guess you missed this on the wiki (below is a correct part, yours is incorrect).
        # Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        # idmap config for the SAMDOM domain
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 1000000-19999999
 
 
You're using RID, you need to define login and homedir if needed.
        # Template settings for login shell and home directory
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U
 
 
Greetz,
 
Louis
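
The idmap points raised in the reply above can be checked mechanically. The following is an added example, not part of the original post and not Samba's own tooling: the function names and finding labels are made up here, and the sample inputs are the two configurations quoted in this thread plus one constructed overlapping case. Backslash line continuations in smb.conf are not handled.

```python
import re

# Parameter names in smb.conf are case- and whitespace-insensitive,
# so keys are lowercased and internal whitespace is collapsed before matching.
IDMAP_RE = re.compile(r"^idmap config ([^\s:]+)\s*:\s*(.+)$")


def parse_global(text):
    """Return the parameters of the [global] section as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def idmap_domains(params):
    """Group 'idmap config DOMAIN : option' entries by domain name."""
    domains = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).strip()] = value
    return domains


def parse_range(value):
    """Parse 'low-high'; return None if missing, malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def lint(text):
    """Return a list of finding labels (labels are this example's own)."""
    params = parse_global(text)
    domains = idmap_domains(params)
    findings = []
    if "backend" not in domains.get("*", {}):
        findings.append("no-default-backend")
    ranges = {}
    for dom, opts in sorted(domains.items()):
        rng = parse_range(opts.get("range"))
        if rng is None:
            findings.append(f"bad-or-missing-range:{dom}")
        else:
            ranges[dom] = rng
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # ID ranges of different idmap domains must not overlap
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"overlap:{a}/{b}")
    wg = params.get("workgroup", "").upper()
    if wg and wg not in domains:
        # Domains without their own idmap entry fall back to the '*' backend
        default = domains.get("*", {}).get("backend", "none")
        findings.append(f"workgroup-uses-default:{wg}:{default}")
    for opt in ("winbind enum users", "winbind enum groups"):
        if params.get(opt, "no").lower() in ("yes", "true", "1"):
            findings.append(f"enum-enabled:{opt}")
    return findings


# smb.conf as posted in the thread
POSTED = """[global]
max log size = 0
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
passdb backend = tdbsam
"""

# smb.conf suggested in the first reply
SUGGESTED = """[global]
       security = ADS
       workgroup = SAMDOM
       realm = SAMDOM.EXAMPLE.COM
       log file = /var/log/samba/%m.log
       log level = 1
        # Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # idmap config for the SAMDOM domain
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-999999
"""

# Constructed for this example: the two ranges overlap
OVERLAPPING = SUGGESTED.replace("10000-999999", "5000-999999")

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("suggested", SUGGESTED),
                       ("overlapping", OVERLAPPING)):
        print(name, lint(conf))
```
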
 

 
> > On Fri, Dec 1, 2017 at 4:55 PM, Akash Jain <[hidden email]> wrote:
> >
> >> Hello All
> >>
> >> I am seeing following error intermittently when I try to join the samba
> >> machine into AD controlled by windows machine.
> >>
> >> Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM'
> >> over rpc: The transport connection is now disconnected.
> >>
> >> If we repeat the same command with same configuration and credentials, it
> >> succeeds.
> >>
> >> Detailed logs at log level 5 are at end of the message.
> >>
> >>
> >> Command:
> >> net ads join -d5 -e -I <AD Controller IP>  -U
> administrator%<password>
> >>
> >> configuration details are as follows
> >>
> >> -------------------- smb.conf -----------------------
> >> [global]
> >> max log size = 0
> >> realm = DOMAIN.COM
> >> workgroup = DOMAIN
> >> security = ADS
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> idmap config * : backend = autorid
> >> idmap config * : range = 1000000-19999999
> >> passdb backend = tdbsam
> >>
> >> ------------------- krb5.conf ------------------------
> >> [libdefaults]
> >> default_realm = DOMAIN.COM
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >> ticket_lifetime = 24h
> >> renew_lifetime = 7d
> >> forwardable = true
> >> rdns = false
> >> default_ccache_name = KEYRING:persistent:%{uid}
> >> [realms]
> >> DOMAIN.COM = {
> >> kdc = PDC.DOMAIN.COM
> >> admin_server = PDC.DOMAIN.COM
> >> }
> >> [domain_realm]
> >> domain = DOMAIN.COM
> >> .domain = DOMAIN.COM
> >>
> >>
> >> ------------------------------------------------------------
> >> ----------------------------------
> >>
> >> Log level 5 logs for net ads command are:
> >>
> >>
> >> Enter Administrator's password:libnet_Join:
> >>     libnet_JoinCtx: struct libnet_JoinCtx
> >>         in: struct libnet_JoinCtx
> >>             dc_name                  : NULL
> >>             machine_name             : 'Hostname'
> >>             domain_name              : *
> >>                 domain_name              : 'DOMAIN.COM'
> >>             domain_name_type         : JoinDomNameTypeDNS (1)
> >>             account_ou               : NULL
> >>             admin_account            : 'Administrator'
> >>             admin_domain             : NULL
> >>             machine_password         : NULL
> >>             join_flags               : 0x00000023 (35)
> >>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> >>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> >>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> >>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> >>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> >>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> >>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> >>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> >>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> >>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> >>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> >>             os_version               : NULL
> >>             os_name                  : NULL
> >>             os_servicepack           : NULL
> >>             create_upn               : 0x00 (0)
> >>             upn                      : NULL
> >>             modify_config            : 0x00 (0)
> >>             ads                      : NULL
> >>             debug                    : 0x01 (1)
> >>             use_kerberos             : 0x00 (0)
> >>             secure_channel_type      : SEC_CHAN_WKSTA (2)
> >>             desired_encryption_types : 0x0000001f (31)
> >> Opening cache file at /var/lib/samba/gencache.tdb
> >> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> >> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> >> "Default-First-Site-Name"
> >> ads_dns_lookup_srv: 1 records returned in the answer section.
> >> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> >> "Default-First-Site-Name"
> >> no entry for PDC.DOMAIN.COM#20 found.
> >> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> >> namecache_store: storing 1 address for PDC.DOMAIN.COM#20:
> <AD Controller
> >> IP>
> >> Connecting to <AD Controller IP> at port 445
> >> E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - '
> >> PDC.DOMAIN.COM'
> >> Connecting to <AD Controller IP> at port 139
> >> Socket options:
> >>         SO_KEEPALIVE = 0
> >>         SO_REUSEADDR = 0
> >>         SO_BROADCAST = 0
> >>         TCP_NODELAY = 1
> >>         TCP_KEEPCNT = 9
> >>         TCP_KEEPIDLE = 7200
> >>         TCP_KEEPINTVL = 75
> >>         IPTOS_LOWDELAY = 0
> >>         IPTOS_THROUGHPUT = 0
> >>         SO_REUSEPORT = 0
> >>         SO_SNDBUF = 87040
> >>         SO_RCVBUF = 367360
> >>         SO_SNDLOWAT = 1
> >>         SO_RCVLOWAT = 1
> >>         SO_SNDTIMEO = 0
> >>         SO_RCVTIMEO = 0
> >>         TCP_QUICKACK = 1
> >>         TCP_DEFER_ACCEPT = 0
> >> got OID=1.3.6.1.4.1.311.2.2.10
> >> GENSEC backend 'gssapi_spnego' registered
> >> GENSEC backend 'gssapi_krb5' registered
> >> GENSEC backend 'gssapi_krb5_sasl' registered
> >> GENSEC backend 'spnego' registered
> >> GENSEC backend 'schannel' registered
> >> GENSEC backend 'naclrpc_as_system' registered
> >> GENSEC backend 'sasl-EXTERNAL' registered
> >> GENSEC backend 'ntlmssp' registered
> >> GENSEC backend 'ntlmssp_resume_ccache' registered
> >> GENSEC backend 'http_basic' registered
> >> GENSEC backend 'http_ntlm' registered
> >> Starting GENSEC mechanism spnego
> >> Server claims it's principal name is
> not_defined_in_RFC4178@PLEASE_IGNORE
> >> Starting GENSEC submechanism ntlmssp
> >> Got challenge flags:
> >> Got NTLMSSP neg_flags=0x62898215
> >>   NTLMSSP_NEGOTIATE_UNICODE
> >>   NTLMSSP_REQUEST_TARGET
> >>   NTLMSSP_NEGOTIATE_SIGN
> >>   NTLMSSP_NEGOTIATE_NTLM
> >>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >>   NTLMSSP_TARGET_TYPE_DOMAIN
> >>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >>   NTLMSSP_NEGOTIATE_TARGET_INFO
> >>   NTLMSSP_NEGOTIATE_VERSION
> >>   NTLMSSP_NEGOTIATE_128
> >>   NTLMSSP_NEGOTIATE_KEY_EXCH
> >> NTLMSSP: Set final flags:
> >> Got NTLMSSP neg_flags=0x62088215
> >>   NTLMSSP_NEGOTIATE_UNICODE
> >>   NTLMSSP_REQUEST_TARGET
> >>   NTLMSSP_NEGOTIATE_SIGN
> >>   NTLMSSP_NEGOTIATE_NTLM
> >>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >>   NTLMSSP_NEGOTIATE_VERSION
> >>   NTLMSSP_NEGOTIATE_128
> >>   NTLMSSP_NEGOTIATE_KEY_EXCH
> >> NTLMSSP Sign/Seal - Initialising with flags:
> >> Got NTLMSSP neg_flags=0x62088215
> >>   NTLMSSP_NEGOTIATE_UNICODE
> >>   NTLMSSP_REQUEST_TARGET
> >>   NTLMSSP_NEGOTIATE_SIGN
> >>   NTLMSSP_NEGOTIATE_NTLM
> >>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >>   NTLMSSP_NEGOTIATE_VERSION
> >>   NTLMSSP_NEGOTIATE_128
> >>   NTLMSSP_NEGOTIATE_KEY_EXCH
> >> SPNEGO login failed: The transport connection is now disconnected.
> >> libnet_Join:
> >>     libnet_JoinCtx: struct libnet_JoinCtx
> >>         out: struct libnet_JoinCtx
> >>             account_name             : NULL
> >>             netbios_domain_name      : NULL
> >>             dns_domain_name          : NULL
> >>             forest_name              : NULL
> >>             dn                       : NULL
> >>             domain_sid               : NULL
> >>                 domain_sid               : (NULL SID)
> >>             modified_config          : 0x00 (0)
> >>             error_string             : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
> >>             domain_is_ad             : 0x00 (0)
> >>             set_encryption_types     : 0x00000000 (0)
> >>             result                   : WERR_NETNAME_DELETED
> >> return code = -1
> >> Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.
> >>
> >> ------------------------------------------------------------
> >> ------------------------------------------------------------------
> >>
> >> If we compare the Success vs Failure logs, the only difference we see is the following lines:
> >>
> >>
> >> Below lines are missing in Failure case:
> >> ----------------------------------------------
> >> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan  1 05:30:00 1970 IST] (-1511892480 seconds in the past)
> >> no entry for PDC.DOMAIN.COM#20 found.
> >> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> >> namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
> >> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28 23:49:00 2017 IST] (660 seconds ahead)
> >> internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
> >> -------------------------------------------------
> >>
> >> Also, OIDs are different.
> >>
> >> Please help me understand in what scenarios the domain controller will revoke the transport connection with SPNEGO failed for same flags and same inputs.
> >>
> >> Thanks
> >> Akash
> >>
> >>
> >


> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
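An added example, not part of the original thread and not Samba's code: it decodes the `neg_flags` words from the quoted failure log using the MS-NLMP bit values and lists which flags were dropped between the server challenge and the final set. The function names are made up for this illustration; running the same decode on the success log shows whether the negotiated flags really are identical in both cases.

```python
import re

# NegotiateFlags bit values from MS-NLMP; names as Samba prints them above.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

# Excerpt copied from the quoted failure log, quote markers included.
LOG = """\
> >> Got challenge flags:
> >> Got NTLMSSP neg_flags=0x62898215
> >> NTLMSSP: Set final flags:
> >> Got NTLMSSP neg_flags=0x62088215
"""

def decode(value):
    """Return (known flag names in bit order, leftover bits not in the table)."""
    names = [n for bit, n in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS)
    return names, unknown

def extract_flag_words(log_text):
    """Map each '... flags:' stage header to the neg_flags word that follows it."""
    stages, label = {}, None
    for line in log_text.splitlines():
        line = line.lstrip("> ").strip()  # drop mail quote markers
        m = re.search(r"neg_flags=0x([0-9a-fA-F]+)", line)
        if m and label:
            stages[label] = int(m.group(1), 16)
            label = None
        elif line.endswith("flags:"):
            label = line.rstrip(":")
    return stages

def dropped(before, after):
    """Names of flags set in `before` but cleared in `after`."""
    return decode(before & ~after)[0]
```

On this log the final flag word carries `NTLMSSP_NEGOTIATE_SIGN` but not `NTLMSSP_NEGOTIATE_SEAL`, which `decode()` makes easy to confirm for both the failing and the succeeding run.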

