The Samba-Bugzilla – Bug 1370
net ads join hangs
Last modified: 2005-02-07 15:46:41 UTC
Hi Samba team,
I'm having difficulty joining new Samba 3.0.x machines to our
production domain. I'm trying to join using
net ads join -U Administrator
but it just hangs, last thing from the net command with debugging on is,
[2004/05/11 17:05:58, 5] libads/ldap_utils.c:ads_do_search_retry(56)
Search for (objectclass=*) gave 1 replies
It does create a computer object in the AD though, if you Control C the hung
net join and try and start winbind, winbind complains with this
error "ads_connect from domain DOMAIN failed: Cannot read password"
I know my Samba install is not fundamentally flawed because I can get the same
machine to join our test AD domain.
Also this did previously work with the same version of Samba (3.0.2a) on our
production domain, I have also tried
Samba 3.0.3 and 3.0.4 and on both Solaris 8&9 and Redhat Linux, and all exhibit
the same bahviour.
Identical behaviour has been reported by at least one other to the Samba list.
I have many logs from debugs, valgrind and ethereal, can I post these to
Created attachment 522 [details]
Network trace from linux box attempting to run net ads join
Created attachment 523 [details]
debug & valgrind output from hung net command
This turned out to be a problem where the AD admin account was a member of too
many groups, when it tries to set the password for the computer account the
ticket is bigger than MS KDC will handle so it's simply dropped and no error is
passed back to Samba. According to MS Samba is using UDP to make the change
password call, but I couldn't see this from a network trace :-\, can someone
from Samba confirm this? If this is the case apparently you should use TCP
instead and this will resolve the issue. Also in Windows 2003 AD you can set a
registry value to define the maximum size of the ticket which will be accepted
and fix the problem on the windows side, but this is not possible in Windows
2000 (currently, MS are evaluating whether to patch this).
I saw the same on a server with much (about 100) groups assigned to the admin-
To come over the net join, i did an "net rpc oldjoin", this works for me
newer kerberos libs support tcp. sounds like a krb5 lib issue.