Bug 10956 - samba4 - samba-tool drs bind / Server ldap <..> is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM) unknown SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_IN
Summary: samba4 - samba-tool drs bind / Server ldap <..> is not registered with our K...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.13
Hardware: All All
Importance: P5 regression
Target Milestone: 4.3
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-11-23 19:00 UTC by Remsnet (dead mail address)
Modified: 2014-11-30 17:14 UTC

Description Remsnet (dead mail address) 2014-11-23 19:00:19 UTC
samba-tool drs bind
Unknown parameter encountered: "display charset"
Ignoring unknown parameter "display charset"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[users]"
Processing section "[groups]"
Processing section "[srv]"
Processing section "[testsmb]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:adhrst.ads.sample.dom[,seal]
Mapped to DCERPC endpoint 135
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.25.200 bcast=192.168.25.255 netmask=255.255.255.0
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.25.200 bcast=192.168.25.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.25.200 bcast=192.168.25.255 netmask=255.255.255.0
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.25.200 bcast=192.168.25.255 netmask=255.255.255.0
Received smb_krb5 packet of length 292
Received smb_krb5 packet of length 1341

Server ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Bind to adhrst.ads.sample.dom succeeded.
Extensions supported:
  DRSUAPI_SUPPORTED_EXTENSION_BASE                            : Yes (DRS_EXT_BASE)
  DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION               : Yes (DRS_EXT_ASYNCREPL)
  DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI                       : Yes (DRS_EXT_REMOVEAPI)
  DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2                      : Yes (DRS_EXT_MOVEREQ_V2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS                 : No  (DRS_EXT_GETCHG_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1                       : Yes (DRS_EXT_DCINFO_V1)
  DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION        : Yes (DRS_EXT_RESTORE_USN_OPTIMIZATION)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY                        : No  (DRS_EXT_ADDENTRY)
  DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE                     : Yes (DRS_EXT_KCC_EXECUTE)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2                     : Yes (DRS_EXT_ADDENTRY_V2)
  DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION        : Yes (DRS_EXT_LINKED_VALUE_REPLICATION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2                       : Yes (DRS_EXT_DCINFO_V2)
  DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD    : Yes (DRS_EXT_INSTANCE_TYPE_NOT_REQ_ON_MOD)
  DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND                     : Yes (DRS_EXT_CRYPTO_BIND)
  DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO                   : Yes (DRS_EXT_GET_REPL_INFO)
  DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION               : Yes (DRS_EXT_STRONG_ENCRYPTION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01                      : Yes (DRS_EXT_DCINFO_VFFFFFFFF)
  DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP           : Yes (DRS_EXT_TRANSITIVE_MEMBERSHIP)
  DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY                 : Yes (DRS_EXT_ADD_SID_HISTORY)
  DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3                      : Yes (DRS_EXT_POST_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5                    : Yes (DRS_EXT_GETCHGREQ_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2                : Yes (DRS_EXT_GETMEMBERSHIPS2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6                    : Yes (DRS_EXT_GETCHGREQ_V6)
  DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS                   : Yes (DRS_EXT_NONDOMAIN_NCS)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8                    : Yes (DRS_EXT_GETCHGREQ_V8)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5                  : Yes (DRS_EXT_GETCHGREPLY_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6                  : Yes (DRS_EXT_GETCHGREPLY_V6)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3                : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7                  : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT                   : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS                 : No  (DRS_EXT_W2K3_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10                   : Yes (DRS_EXT_GETCHGREQ_V10)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2                  : No  (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART2)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3                  : No  (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART3)

Site GUID: ba489383-78f8-48d9-ad73-297b81061b13
Repl epoch: 0
Comment 1 Remsnet (dead mail address) 2014-11-23 19:04:23 UTC

Server ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER


Error occurs with or without SPNEGO.
Reproducible all the time with BIND DLZ, with BIND 9.8.2 and 9.9.6.
Comment 2 Remsnet (dead mail address) 2014-11-23 19:16:27 UTC

Reproduce path:

- setup domain master
- join vpn based samba domain as dc
- increase log to level 4
- add at  /etc/krb5.conf  new joined  as
  kdc = 

- run samba-tool drs bind

expected result:

-> newly joined DC must be displayed as registered with our KDC.
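
As an added example (not part of the report and not Samba code), this Python script reads output like the log in the description and reports when a Kerberos attempt failed for an unknown service principal and the bind then completed over NTLMSSP. The function names and result keys are assumptions made for illustration; the flag bit values come from MS-NLMP and cover only the names the log prints.

```python
import re

# Excerpt copied from the debug output quoted in this report.
SAMPLE_LOG = """\
Using binding ncacn_ip_tcp:adhrst.ads.sample.dom[,seal]
Server ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/AD1.ADS.SAMPLE.DOM@ADS.SAMPLE.DOM) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
Bind to adhrst.ads.sample.dom succeeded.
"""

# NTLMSSP flag bits (MS-NLMP), limited to the names printed in the log.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
BINDING_RE = re.compile(r"Using binding \w+:([^\[\s]+)")
SPN_RE = re.compile(r"Server ((\S+?)/(\S+?)@\S+) is not registered with our KDC")
FLAGS_RE = re.compile(r"Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)")
BIND_OK_RE = re.compile(r"Bind to \S+ succeeded\.")

def decode_flags(value):
    """Names of the known flag bits set in an NTLMSSP neg_flags value."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]

def analyse(log_text):
    """Report whether a failed Kerberos attempt was followed by an NTLMSSP bind."""
    r = dict(binding_host=None, failed_spn=None, spn_host=None, ntlm_flags=None, bind_ok=False)
    for line in log_text.splitlines():
        if m := BINDING_RE.match(line):
            r["binding_host"] = m.group(1)
        elif m := SPN_RE.match(line):
            r["failed_spn"], r["spn_host"] = m.group(1), m.group(3)
        elif (m := FLAGS_RE.match(line)) and r["failed_spn"]:
            r["ntlm_flags"] = int(m.group(1), 16)  # last value after the failure wins
        elif BIND_OK_RE.match(line):
            r["bind_ok"] = True
    r["kerberos_fallback_to_ntlm"] = bool(r["failed_spn"] and r["ntlm_flags"] and r["bind_ok"])
    hosts = (r["binding_host"], r["spn_host"])  # reported only, no cause is inferred
    r["spn_host_differs_from_binding"] = all(hosts) and hosts[0].lower() != hosts[1].lower()
    return r
```

On the excerpt it flags the fallback and notes that the host in the failed principal differs from the host in the binding string, which is where a check of the DC's registered service principals would start.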