net ads testjoin failed but net rpc testjoin work

Thierry Leurent-2
Hello,

I have a very strange problem with Samba 3.0.33 when I integrate a Linux
server into my Windows 2003 AD.
I do:
 - kinit administrator: it works.
 - klist: it works too.
 - net join ads -U administrator: it works. I get the message that my
computer has joined the domain and I see the Linux server in my domain.
 - wbinfo -t gives me "checking the trust secret via RPC calls succeeded".
 - wbinfo -u gives me all the users of my domain.
 - wbinfo -g gives me all the groups of my domain.
 - wbinfo -a NuteGunray%CatoNeimoida returns:
   "plaintext password authentication failed
   error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
   error messsage was: No such user
   Could not authenticate user NuteGunray%CatoNeimoida with plaintext password
   challenge/response password authentication succeeded"
   Is that normal? Perhaps, I have "encrypt password = yes" in my smb.conf.

But when I do net ads testjoin, I get:
   "ads_connect: No logon servers
   Join to domain is not valid: No logon servers"

With debug level 3, I receive these messages:
[2010/04/21 14:36:21, 3] param/loadparm.c:lp_load(5069)
  lp_load: refreshing parameters
[2010/04/21 14:36:21, 3] param/loadparm.c:init_globals(1440)
  Initialising global parameters
[2010/04/21 14:36:21, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2010/04/21 14:36:21, 3] param/loadparm.c:do_section(3808)
  Processing section "[global]"
[2010/04/21 14:36:21, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.120.2 bcast=192.168.255.255 nmask=255.255.0.0
[2010/04/21 14:36:21, 3] libsmb/namequery.c:get_dc_list(1495)
  get_dc_list: preferred server list: ", *"
[2010/04/21 14:36:21, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2010/04/21 14:36:21, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 192.168.10.116 failed.
[2010/04/21 14:36:21, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2010/04/21 14:36:21, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 192.168.10.110 failed.
[2010/04/21 14:36:21, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2010/04/21 14:36:21, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 192.168.50.75 failed.
[2010/04/21 14:36:28, 1] libads/cldap.c:recv_cldap_netlogon(219)
  no reply received to cldap netlogon
[2010/04/21 14:36:28, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 10.10.10.116 failed.
[2010/04/21 14:36:35, 1] libads/cldap.c:recv_cldap_netlogon(219)
  no reply received to cldap netlogon
[2010/04/21 14:36:35, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 10.10.10.110 failed.
[2010/04/21 14:36:35, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
Join to domain is not valid: No logon servers
[2010/04/21 14:36:35, 2] utils/net.c:main(1075)
  return code = -1

I see the IPs of:
 - My Linux computer: 192.168.120.2
 - My first DC, general network: 192.168.10.110
 - My first DC, backup network: 10.10.10.110
 - My second DC, general network: 192.168.10.116
 - My second DC, backup network: 10.10.10.116
 - My third DC, general network: 192.168.50.75 (this one doesn't have a backup
network).


After reading lots of pages on Google, I tried net rpc testjoin -d3:
[2010/04/21 15:09:25, 3] param/loadparm.c:lp_load(5069)
  lp_load: refreshing parameters
[2010/04/21 15:09:25, 3] param/loadparm.c:init_globals(1440)
  Initialising global parameters
[2010/04/21 15:09:25, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2010/04/21 15:09:25, 3] param/loadparm.c:do_section(3808)
  Processing section "[global]"
[2010/04/21 15:09:25, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.120.2 bcast=192.168.255.255 nmask=255.255.0.0
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_start_connection(1563)
  Connecting to host=dc001
[2010/04/21 15:09:25, 3] lib/util_sock.c:open_socket_out(866)
  Connecting to 192.168.10.110 at port 445
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(805)
  Doing spnego session setup (blob length=119)
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(832)
  got OID=1 2 840 48018 1 2 2
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(832)
  got OID=1 2 840 113554 1 2 2
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(832)
  got OID=1 2 840 113554 1 2 2 3
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(832)
  got OID=1 3 6 1 4 1 311 2 2 10
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(840)
  got principal=dc001$@EMPIRE.LOCAL
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1018)
  Got challenge flags:
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x62898215
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1040)
  NTLMSSP: Set final flags:
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088215
[2010/04/21 15:09:25, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088215
[2010/04/21 15:09:25, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
  rpc_pipe_bind: Remote machine dc001 pipe \NETLOGON fnum 0xc00d bind
request returned ok.
[2010/04/21 15:09:25, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
  rpc_pipe_bind: Remote machine dc001 pipe \NETLOGON fnum 0xc00e bind
request returned ok.
Join to 'EMPIRE' is OK
[2010/04/21 15:09:25, 2] utils/net.c:main(1075)
  return code = 0

It works!!!!!!! But why?
Thanks

Thierry

My krb5.conf
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 default_realm = EMPIRE.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EMPIRE.LOCAL = {
  kdc = dc001.empire.local
  admin_server =  dc001.empire.local
  default_domain = empire.local
 }

[domain_realm]
 .kerberos.server = EMPIRE.LOCAL
 .empire.local = EMPIRE.LOCAL

My smb.conf
# Global parameters
[global]
        workgroup = empire
        server string = OPROD-POX
        netbios name = lsister-l
        preferred master = no

# | Logs
#   ----------------------------------------------------
        log level = 3
        log file = /var/log/samba/%m.log
#max log size = 50

# | Domain Integration
#   -----------------------------------------------------
        security = ads
        realm = EMPIRE
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        winbind nss info = rfc2307

        encrypt passwords = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        #socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192

        idmap uid = 10000-19999
        idmap gid = 20000-29999


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
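
An added example (not part of the original post and not Samba code): the debug output above logs two different CLDAP failure reasons, and this Python script pairs each reason with the DC address that follows it, so addresses that replied with an unparseable answer are separated from addresses that never replied. The sample log is constructed from lines in the post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the "net ads testjoin" debug output in the post.
SAMPLE_LOG = """\
[2010/04/21 14:36:21, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2010/04/21 14:36:21, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 192.168.10.116 failed.
[2010/04/21 14:36:28, 1] libads/cldap.c:recv_cldap_netlogon(219)
  no reply received to cldap netlogon
[2010/04/21 14:36:28, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 10.10.10.116 failed.
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
CLDAP_FAIL = re.compile(r"CLDAP request (\d{1,3}(?:\.\d{1,3}){3}) failed")

def parse_records(text):
    """Yield (func, message) pairs; a record is a header line plus its body lines."""
    func, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if func is not None:
                yield func, " ".join(body)
            func, body = m.group("func"), []
        elif func is not None and line.strip():
            body.append(line.strip())
    if func is not None:
        yield func, " ".join(body)

def cldap_failures(text):
    """Map each logged failure reason to the DC addresses it was reported for."""
    by_reason, pending = defaultdict(list), "unknown"
    for func, msg in parse_records(text):
        if func == "recv_cldap_netlogon":
            pending = msg  # the reason is logged just before the address
        elif func == "ads_try_connect":
            m = CLDAP_FAIL.search(msg)
            if m:
                by_reason[pending].append(m.group(1))
                pending = "unknown"
    return dict(by_reason)

if __name__ == "__main__":
    for reason, addrs in cldap_failures(SAMPLE_LOG).items():
        print(f"{reason}: {', '.join(addrs)}")
```

Run against the full output in the post, the same grouping puts the three 192.168.x addresses under "Failed to parse cldap reply" and the two 10.10.10.x addresses under "no reply received to cldap netlogon".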

Re: net ads testjoin failed but net rpc testjoin work

Volker Lendecke
On Wed, Apr 21, 2010 at 04:29:27PM +0200, Thierry Leurent wrote:
>  - wbinfo -a NuteGunray%CatoNeimoida return "plaintext password

Please try

wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida

Volker

Re: net ads testjoin failed but net rpc testjoin work

Thierry Leurent-2
Volker,

I tried wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida and it failed :(

plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray%CatoNeimoida with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray with challenge/response

==> /var/log/samba/wb-EMPIRE.log <==
[2010/04/22 08:25:34, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
  [ 3235]: pam auth crap domain: EMPIRE user: EMPIRE\NuteGunray
[2010/04/22 08:25:34, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [EMPIRE]\[EMPIRE\NuteGunray] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)

==> /var/log/samba/winbindd.log <==
[2010/04/22 08:25:34, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [ 8479]: request interface version
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [ 8479]: request location of privileged pipe
[2010/04/22 08:25:34, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [ 8479]: pam auth EMPIRE\NuteGunray
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
  [ 8479]: request misc info
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(501)
  [ 8479]: request domain name
[2010/04/22 08:25:34, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
  [ 8479]: pam auth crap domain: [EMPIRE] user: EMPIRE\NuteGunray


Yesterday, I saw a little error in my krb5.conf: I forgot the last newline.
This morning after "your test", I corrected it but wbinfo -t failed the
RPC with "error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
(0xc0000233)" :(
After a few searches, I resolved the problem by adding lines to my
configuration files.

In my smb.conf, in the general section, I added these 2 lines:
winbind use default domain = Yes
winbind nested groups = Yes


In my krb5.conf, I added this section:
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

After a restart of winbind, wbinfo -t worked.


I tried wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida and it failed, but in my
/var/log/samba/wb-EMPIRE.log, I saw "dual pam auth
EMPIRE+EMPIRE\NuteGunray".
+ is my winbind separator; it looks like Samba used 2 EMPIRE, one as the
implicit domain and one as an explicit group in my wbinfo command.

I joined the domain again with a net join ads.
net ads testjoin doesn't work and net rpc testjoin works, like yesterday.

wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray%CatoNeimoida with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray with challenge/response

==> /var/log/samba/wb-EMPIRE.log <==
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
  [ 8693]: dual pam auth EMPIRE+EMPIRE\NuteGunray
[2010/04/22 11:54:47, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1584)
  Plain-text authentication for user EMPIRE+EMPIRE\NuteGunray returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
[2010/04/22 11:54:47, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
  [ 8693]: pam auth crap domain: EMPIRE user: EMPIRE\NuteGunray
[2010/04/22 11:54:47, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [EMPIRE]\[EMPIRE\NuteGunray] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)

==> /var/log/samba/winbindd.log <==
[2010/04/22 11:54:47, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [ 8950]: request interface version
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [ 8950]: request location of privileged pipe
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [ 8950]: pam auth EMPIRE\NuteGunray
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
  [ 8950]: request misc info
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(501)
  [ 8950]: request domain name
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
  [ 8950]: pam auth crap domain: [EMPIRE] user: EMPIRE\NuteGunray

wbinfo -a EMPIRE+NuteGunray%CatoNeimoida
plaintext password authentication succeeded
challenge/response password authentication succeeded

[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
  [ 8693]: dual pam auth EMPIRE+NuteGunray
[2010/04/22 13:10:23, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
  [ 8693]: pam auth crap domain: EMPIRE user: NuteGunray

==> /var/log/samba/winbindd.log <==
[2010/04/22 13:10:23, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [ 9081]: request interface version
[2010/04/22 13:10:23, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [ 9081]: request location of privileged pipe
[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [ 9081]: pam auth EMPIRE+NuteGunray
[2010/04/22 13:10:23, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
  [ 9081]: request misc info
[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
  [ 9081]: pam auth crap domain: [EMPIRE] user: NuteGunray

I really have some troubles to understand Samba and Active Directory.

Thierry






Re: net ads testjoin failed but net rpc testjoin work

Volker Lendecke
On Thu, Apr 22, 2010 at 01:38:53PM +0200, Thierry Leurent wrote:
> wbinfo -a EMPIRE+NuteGunray%CatoNeimoida
> plaintext password authentication succeeded
> challenge/response password authentication succeeded

Sorry, I had not seen that you have set your winbind
separator to + .

> I really have some troubles to understand Samba and Active Directory.

Samba is a very flexible tool. You might start out with an
almost empty smb.conf tool just using the workgroup
parameter and make that work. The advantage of this approach
is that much of the documentation out there does not take
many of the possible settings into account.

Volker
