Bug 10956 - samba4 - samba-tool drs bind / Server ldap <..> is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM) unknown SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_IN
samba4 - samba-tool drs bind / Server ldap <..> is not registered with our K...
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.1.13
All All
: P5 regression
: 4.3
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-11-23 19:00 UTC by Remsnet LTD Support
Modified: 2014-11-30 17:14 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Remsnet LTD Support 2014-11-23 19:00:19 UTC
samba-tool drs bind
Unknown parameter encountered: "display charset"
Ignoring unknown parameter "display charset"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[users]"
Processing section "[groups]"
Processing section "[srv]"
Processing section "[testsmb]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:adhrst.ads.sample.dom[,seal]
Mapped to DCERPC endpoint 135
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.25.200 bcast=192.168.25.255 netmask=255.255.255.0
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.25.200 bcast=192.168.25.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.25.200 bcast=192.168.25.255 netmask=255.255.255.0
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.25.200 bcast=192.168.25.255 netmask=255.255.255.0
Received smb_krb5 packet of length 292
Received smb_krb5 packet of length 1341

Server ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Bind to adhrst.ads.sample.dom succeeded.
Extensions supported:
  DRSUAPI_SUPPORTED_EXTENSION_BASE                            : Yes (DRS_EXT_BASE)
  DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION               : Yes (DRS_EXT_ASYNCREPL)
  DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI                       : Yes (DRS_EXT_REMOVEAPI)
  DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2                      : Yes (DRS_EXT_MOVEREQ_V2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS                 : No  (DRS_EXT_GETCHG_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1                       : Yes (DRS_EXT_DCINFO_V1)
  DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION        : Yes (DRS_EXT_RESTORE_USN_OPTIMIZATION)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY                        : No  (DRS_EXT_ADDENTRY)
  DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE                     : Yes (DRS_EXT_KCC_EXECUTE)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2                     : Yes (DRS_EXT_ADDENTRY_V2)
  DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION        : Yes (DRS_EXT_LINKED_VALUE_REPLICATION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2                       : Yes (DRS_EXT_DCINFO_V2)
  DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD    : Yes (DRS_EXT_INSTANCE_TYPE_NOT_REQ_ON_MOD)
  DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND                     : Yes (DRS_EXT_CRYPTO_BIND)
  DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO                   : Yes (DRS_EXT_GET_REPL_INFO)
  DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION               : Yes (DRS_EXT_STRONG_ENCRYPTION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01                      : Yes (DRS_EXT_DCINFO_VFFFFFFFF)
  DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP           : Yes (DRS_EXT_TRANSITIVE_MEMBERSHIP)
  DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY                 : Yes (DRS_EXT_ADD_SID_HISTORY)
  DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3                      : Yes (DRS_EXT_POST_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5                    : Yes (DRS_EXT_GETCHGREQ_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2                : Yes (DRS_EXT_GETMEMBERSHIPS2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6                    : Yes (DRS_EXT_GETCHGREQ_V6)
  DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS                   : Yes (DRS_EXT_NONDOMAIN_NCS)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8                    : Yes (DRS_EXT_GETCHGREQ_V8)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5                  : Yes (DRS_EXT_GETCHGREPLY_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6                  : Yes (DRS_EXT_GETCHGREPLY_V6)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3                : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7                  : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT                   : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS                 : No  (DRS_EXT_W2K3_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10                   : Yes (DRS_EXT_GETCHGREQ_V10)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2                  : No  (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART2)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3                  : No  (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART3)

Site GUID: ba489383-78f8-48d9-ad73-297b81061b13
Repl epoch: 0
Comment 1 Remsnet LTD Support 2014-11-23 19:04:23 UTC

Server ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER


Error cause with or without SPNEGO 
reprodcuce all the time  with bind dlz  with bind 9.8.2 and 9.9.6.
Comment 2 Remsnet LTD Support 2014-11-23 19:16:27 UTC

reprododuce  path :

- setup domain master
- join vpn based samba domain as dc
- increase log to level 4
- add at  /etc/krb5.conf  new joined  as
  kdc = 

- run samba-tool drs bind

expected result:

-> new joined DC must be displyed as registered with our KDC  .