Hi Samba team, I'm having difficulty joining new Samba 3.0.x machines to our production domain. I'm trying to join using net ads join -U Administrator, but it just hangs. The last thing from the net command with debugging on is:

[2004/05/11 17:05:58, 5] libads/ldap_utils.c:ads_do_search_retry(56) Search for (objectclass=*) gave 1 replies

It does create a computer object in the AD, though. If you Control-C the hung net join and try to start winbind, winbind complains with this error: "ads_connect from domain DOMAIN failed: Cannot read password"

I know my Samba install is not fundamentally flawed because I can get the same machine to join our test AD domain. Also, this did previously work with the same version of Samba (3.0.2a) on our production domain. I have also tried Samba 3.0.3 and 3.0.4, on both Solaris 8 & 9 and Red Hat Linux, and all exhibit the same behaviour. Identical behaviour has been reported by at least one other on the Samba list. I have many logs from debugs, valgrind and ethereal; can I post these to bugzilla?
Created attachment 522: Network trace from linux box attempting to run net ads join
Created attachment 523: debug & valgrind output from hung net command
This turned out to be a problem where the AD admin account was a member of too many groups: when it tries to set the password for the computer account, the ticket is bigger than the MS KDC will handle, so it's simply dropped and no error is passed back to Samba. According to MS, Samba is using UDP to make the change-password call, but I couldn't see this from a network trace :-\ ; can someone from Samba confirm this? If this is the case, apparently you should use TCP instead and this will resolve the issue. Also, in Windows 2003 AD you can set a registry value to define the maximum size of the ticket which will be accepted and fix the problem on the Windows side, but this is not possible in Windows 2000 (currently MS are evaluating whether to patch this).
I saw the same on a server with many (about 100) groups assigned to the admin account. To get around the net join, I did a "net rpc oldjoin"; this works for me without problems.
Newer Kerberos libs support TCP. Sounds like a krb5 lib issue. Closing.
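For reference, the workaround the thread converges on (have the Kerberos library talk to the KDC over TCP, so a ticket that is too large for a UDP datagram is not silently dropped) can be expressed as an MIT Kerberos krb5.conf fragment. This is an added example, not taken from the bug report or from the Samba project. The realm and host names are placeholders; udp_preference_limit is the MIT Kerberos [libdefaults] option giving the message size above which the library tries TCP before UDP (its documented default is 1465 bytes), and setting it to 1 makes every KDC exchange use TCP first. It only takes effect with a krb5 library that supports TCP at all, which is the point of the closing comment above.

```ini
# krb5.conf fragment (added example, not from the bug report).
# Realm and KDC names are placeholders.

[libdefaults]
    default_realm = EXAMPLE.COM
    # Messages larger than this many bytes are sent to the KDC over TCP
    # first; smaller ones go over UDP first. The default of 1465 already
    # moves most oversized tickets to TCP, but setting it to 1 removes the
    # UDP attempt entirely, so a KDC that silently drops a large UDP
    # request can no longer leave the client waiting with no error.
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
        kpasswd_server = dc1.example.com
    }
```

One caveat a practitioner should keep in mind: this setting governs the library's AS and TGS exchanges with the KDC, which is where the oversized service ticket for the password-change service is fetched. Whether Samba 3.0's own change-password request to the kpasswd port also honours it is exactly the question raised in the thread and is not settled by this example; if the join still hangs, the "net rpc oldjoin" workaround reported above avoids the Kerberos path altogether.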