Bug 1370 - net ads join hangs
Summary: net ads join hangs
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.4
Hardware: All All
: P2 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-05-21 05:00 UTC by Andy Smith
Modified: 2005-02-07 15:46 UTC (History)
0 users

See Also:


Attachments
Network trace from linux box attempting to run net ads join (54.49 KB, application/octet-stream)
2004-05-21 05:04 UTC, Andy Smith
no flags Details
debug & valgrind output from hung net command (5.39 KB, application/octet-stream)
2004-05-21 05:04 UTC, Andy Smith
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andy Smith 2004-05-21 05:00:48 UTC
Hi Samba team,

	I'm having difficulty joining new Samba 3.0.x machines to our 
production domain. I'm trying to join using

net ads join -U Administrator

but it just hangs, last thing from the net command with debugging on is,

[2004/05/11 17:05:58, 5] libads/ldap_utils.c:ads_do_search_retry(56)
  Search for (objectclass=*) gave 1 replies

It does create a computer object in the AD though, if you Control C the hung 
net join and try and start winbind, winbind complains with this 
error "ads_connect from domain DOMAIN failed: Cannot read password"

I know my Samba install is not fundamentally flawed because I can get the same 
machine to join our test AD domain.
Also this did previously work with the same version of Samba (3.0.2a) on our 
production domain, I have also tried
Samba 3.0.3 and 3.0.4 and on both Solaris 8&9 and Redhat Linux, and all exhibit 
the same bahviour.

Identical behaviour has been reported by at least one other to the Samba list.

I have many logs from debugs, valgrind and ethereal, can I post these to 
bugzilla?
Comment 1 Andy Smith 2004-05-21 05:04:17 UTC
Created attachment 522 [details]
Network trace from linux box attempting to run net ads join
Comment 2 Andy Smith 2004-05-21 05:04:53 UTC
Created attachment 523 [details]
debug & valgrind output from hung net command
Comment 3 Andy Smith 2004-07-11 04:19:14 UTC
This turned out to be a problem where the AD admin account was a member of too 
many groups, when it tries to set the password for the computer account the 
ticket is bigger than MS KDC will handle so it's simply dropped and no error is 
passed back to Samba. According to MS Samba is using UDP to make the change 
password call, but I couldn't see this from a network trace :-\, can someone 
from Samba confirm this? If this is the case apparently you should use TCP 
instead and this will resolve the issue. Also in Windows 2003 AD you can set a 
registry value to define the maximum size of the ticket which will be accepted 
and fix the problem on the windows side, but this is not possible in Windows 
2000 (currently, MS are evaluating whether to patch this).
Comment 4 Holger Schmieder 2005-01-05 13:39:12 UTC
I saw the same on a server with much (about 100) groups assigned to the admin-
account. 
To come over the net join, i did an "net rpc oldjoin", this works for me 
without problems.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-02-07 15:46:41 UTC
newer kerberos libs support tcp.  sounds like a krb5 lib issue.
Closing.