1370 – net ads join hangs

Bug 1370 - net ads join hangs

Summary: net ads join hangs

Status:	RESOLVED INVALID

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	Domain Control (show other bugs)
Version:	3.0.4
Hardware:	All All

Importance:	P2 major
Target Milestone:	none
Assignee:	Samba Bugzilla Account
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2004-05-21 05:00 UTC by Andy Smith
Modified:	2005-02-07 15:46 UTC (History)
CC List:	0 users

See Also:

Attachments
Network trace from linux box attempting to run net ads join (54.49 KB, application/octet-stream) 2004-05-21 05:04 UTC, Andy Smith	no flags	Details
debug & valgrind output from hung net command (5.39 KB, application/octet-stream) 2004-05-21 05:04 UTC, Andy Smith	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andy Smith 2004-05-21 05:00:48 UTC

Hi Samba team,

	I'm having difficulty joining new Samba 3.0.x machines to our 
production domain. I'm trying to join using

net ads join -U Administrator

but it just hangs, last thing from the net command with debugging on is,

[2004/05/11 17:05:58, 5] libads/ldap_utils.c:ads_do_search_retry(56)
  Search for (objectclass=*) gave 1 replies

It does create a computer object in the AD though, if you Control C the hung 
net join and try and start winbind, winbind complains with this 
error "ads_connect from domain DOMAIN failed: Cannot read password"

I know my Samba install is not fundamentally flawed because I can get the same 
machine to join our test AD domain.
Also this did previously work with the same version of Samba (3.0.2a) on our 
production domain, I have also tried
Samba 3.0.3 and 3.0.4 and on both Solaris 8&9 and Redhat Linux, and all exhibit 
the same bahviour.

Identical behaviour has been reported by at least one other to the Samba list.

I have many logs from debugs, valgrind and ethereal, can I post these to 
bugzilla?

Comment 1 Andy Smith 2004-05-21 05:04:17 UTC

Created attachment 522 [details]
Network trace from linux box attempting to run net ads join

Comment 2 Andy Smith 2004-05-21 05:04:53 UTC

Created attachment 523 [details]
debug & valgrind output from hung net command

Comment 3 Andy Smith 2004-07-11 04:19:14 UTC

This turned out to be a problem where the AD admin account was a member of too 
many groups, when it tries to set the password for the computer account the 
ticket is bigger than MS KDC will handle so it's simply dropped and no error is 
passed back to Samba. According to MS Samba is using UDP to make the change 
password call, but I couldn't see this from a network trace :-\, can someone 
from Samba confirm this? If this is the case apparently you should use TCP 
instead and this will resolve the issue. Also in Windows 2003 AD you can set a 
registry value to define the maximum size of the ticket which will be accepted 
and fix the problem on the windows side, but this is not possible in Windows 
2000 (currently, MS are evaluating whether to patch this).

Comment 4 Holger Schmieder 2005-01-05 13:39:12 UTC

I saw the same on a server with much (about 100) groups assigned to the admin-
account. 
To come over the net join, i did an "net rpc oldjoin", this works for me 
without problems.

Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-02-07 15:46:41 UTC

newer kerberos libs support tcp.  sounds like a krb5 lib issue.
Closing.