net ads join doesn't work on either Linux (Fedora Core 5) or HP-UX, in 3.0.23rc2 and rc3. In the ethereal traffic I only see a CLDAP request/response on the wire (no Kerberos at all), and the response gave an error due to a null Distinguished Name on the request.

Here is the traffic of net ads join for a Windows 2003 DC.

    Lightweight Directory Access Protocol, Search Entry
        Message Id: 4
        Message Type: Search Entry (0x04)
        Message Length: 154
        Distinguished Name: (null)
        Attribute: netlogon
            Value: \027
    Lightweight Directory Access Protocol, Search Result
        Message Id: 4
        Message Type: Search Result (0x05)
        Message Length: 7
        Result Code: Success (0x00)
        Matched DN: (null)
        Error Message: (null)

    #0 ads_connect (ads=0x40082728) at samba-3.0.23rc3/source/libads/ldap.c:329
    #1 0x49ebc in ads_startup () at samba-3.0.23rc3/source/utils/net_ads.c:280
    #2 0x4bdf0 in net_ads_join_ok () at samba-3.0.23rc3/source/utils/net_ads.c:829
    #3 0x4be60 in net_ads_testjoin (argc=0, argv=0x4002e3b4) at samba-3.0.23rc3/source/utils/net_ads.c:845
    #4 0x46b5c in net_run_function (argc=1, argv=0x4002e3b0, table=0x7f7f0d10, usage_fn=0x4001771a <net_ads_usage>) at samba-3.0.23rc3/source/utils/net.c:130
    #5 0x4ec28 in net_ads (argc=1, argv=0x4002e3b0) at samba-3.0.23rc3/source/utils/net_ads.c:1870
    #6 0x46b5c in net_run_function (argc=2, argv=0x4002e3ac, table=0x40001378, usage_fn=0x400174f2 <net_help>) at samba-3.0.23rc3/source/utils/net.c:130
    #7 0x493a0 in main (argc=3, argv=0x7f7f078c) at samba-3.0.23rc3/source/utils/net.c:986

net ads testjoin has the same issue.

    [2006/06/30 19:38:03, 0] utils/net_ads.c:ads_startup(288)
      ads_connect: Operations error
    Join to domain is not valid

The same configurations (krb5.conf, smb.conf) work with 3.0.22. I think this seems to be a bug, and I did not find it in bugzilla.
Please attach the output of 'net ads join --debuglevel=10' and raw ethereal network trace. Thanks.
also include the output from 'net ads lookup'. Thanks.
(In reply to comment #1)
> Please attach the output of 'net ads join --debuglevel=10'
> and raw ethereal network trace. Thanks.

    [2006/07/03 11:46:19, 5] lib/debug.c:debug_dump_status(391)
      INFO: Current debug levels:
        all: True/10
        tdb: False/0
        printdrivers: False/0
        lanman: False/0
        smb: False/0
        rpc_parse: False/0
        rpc_srv: False/0
        rpc_cli: False/0
        passdb: False/0
        sam: False/0
        auth: False/0
        winbind: False/0
        vfs: False/0
        idmap: False/0
        quota: False/0
        acls: False/0
        locking: False/0
        msdfs: False/0
        dmapi: False/0
    [2006/07/03 11:46:19, 3] param/loadparm.c:lp_load(4945)
      lp_load: refreshing parameters
    [2006/07/03 11:46:19, 3] param/loadparm.c:init_globals(1410)
      Initialising global parameters
    [2006/07/03 11:46:19, 3] param/params.c:pm_process(572)
      params.c:pm_process() - Processing configuration file "/usr/local/samba/lib/smb.conf"
    [2006/07/03 11:46:19, 3] param/loadparm.c:do_section(3687)
      Processing section "[global]"
      doing parameter workgroup = cifsw2k3r2dom
      doing parameter realm = CIFSW2K3R2DOM.CUP.HP.COM
      doing parameter password server = hpcif49
      doing parameter server string = Samba server
      doing parameter security = ads
      doing parameter log file = /var/opt/samba/log.%m
      doing parameter max log size = 10000
      doing parameter log level = 10
      doing parameter socket options = TCP_NODELAY
      doing parameter read only = no
      doing parameter idmap uid = 40000-60000
      doing parameter idmap gid = 40000-60000
    [2006/07/03 11:46:19, 4] param/loadparm.c:lp_load(4976)
      pm_process() returned Yes
    [2006/07/03 11:46:19, 7] param/loadparm.c:lp_servicenumber(5112)
      lp_servicenumber: couldn't find homes
    [2006/07/03 11:46:19, 10] param/loadparm.c:set_server_role(4221)
      set_server_role: role = ROLE_DOMAIN_MEMBER
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset UCS-2LE
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset UCS-2LE
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset UTF-16LE
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset UTF-16LE
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset UCS-2BE
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset UCS-2BE
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset UTF-16BE
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset UTF-16BE
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset UTF8
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset UTF8
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset UTF-8
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset UTF-8
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset ASCII
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset ASCII
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset 646
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset 646
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset ISO-8859-1
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset ISO-8859-1
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(105)
      Attempting to register new charset UCS2-HEX
    [2006/07/03 11:46:19, 5] lib/iconv.c:smb_register_charset(113)
      Registered charset UCS2-HEX
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 5] lib/charcnv.c:charset_name(81)
      Substituting charset 'roman8' for LOCALE
    [2006/07/03 11:46:19, 2] lib/util_unistr.c:init_valid_table(249)
      creating default valid table
    [2006/07/03 11:46:19, 5] lib/util.c:init_names(286)
      Netbios name list:-
      my_netbios_names[0]="HPCFS64"
    [2006/07/03 11:46:19, 2] lib/interface.c:add_interface(81)
      added interface ip=10.13.116.64 bcast=10.13.119.255 nmask=255.255.248.0
    [2006/07/03 11:46:19, 2] lib/interface.c:add_interface(81)
      added interface ip=16.91.116.171 bcast=16.91.119.255 nmask=255.255.252.0
    [2006/07/03 11:46:21, 6] libads/ldap.c:ads_find_dc(219)
      ads_find_dc: looking for realm 'CIFSW2K3R2DOM.CUP.HP.COM'
    [2006/07/03 11:46:21, 8] libsmb/namequery.c:get_sorted_dc_list(1525)
      get_sorted_dc_list: attempting lookup using [ads]
    [2006/07/03 11:46:21, 5] lib/gencache.c:gencache_init(60)
      Opening cache file at /usr/local/samba/var/locks/gencache.tdb
    [2006/07/03 11:46:21, 10] lib/gencache.c:gencache_get(285)
      Returning expired cache entry: key = SAF/DOMAIN/CIFSW2K3R2DOM.CUP.HP.COM, value = 15.13.115.49, timeout = Fri Jun 16 17:51:17 2006
    [2006/07/03 11:46:21, 5] libsmb/namequery.c:saf_fetch(105)
      saf_fetch: failed to find server for "CIFSW2K3R2DOM.CUP.HP.COM" domain
    [2006/07/03 11:46:21, 3] libsmb/namequery.c:get_dc_list(1401)
      get_dc_list: preferred server list: "15.13.115.49, hpcif49"
    [2006/07/03 11:46:21, 10] libsmb/namequery.c:internal_resolve_name(1112)
      internal_resolve_name: looking up hpcif49#20
    [2006/07/03 11:46:21, 10] lib/gencache.c:gencache_get(285)
      Returning expired cache entry: key = NBT/HPCIF49#20, value = 16.91.116.99:0, timeout = Mon Jul 3 10:45:24 2006
    [2006/07/03 11:46:21, 5] libsmb/namecache.c:namecache_fetch(195)
      no entry for hpcif49#20 found.
    [2006/07/03 11:46:21, 10] lib/gencache.c:gencache_del(218)
      Deleting cache entry (key = NBT/HPCIF49#20)
    [2006/07/03 11:46:21, 3] libsmb/namequery.c:resolve_lmhosts(939)
      resolve_lmhosts: Attempting lmhosts lookup for name hpcif49<0x20>
    [2006/07/03 11:46:21, 4] libsmb/namequery.c:startlmhosts(631)
      startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts. Error was No such file or directory
    [2006/07/03 11:46:21, 3] libsmb/namequery.c:resolve_wins(836)
      resolve_wins: Attempting wins lookup for name hpcif49<0x20>
    [2006/07/03 11:46:21, 3] libsmb/namequery.c:resolve_wins(839)
      resolve_wins: WINS server resolution selected and no WINS servers listed.
    [2006/07/03 11:46:21, 3] libsmb/namequery.c:resolve_hosts(1002)
      resolve_hosts: Attempting host lookup for name hpcif49<0x20>
    [2006/07/03 11:46:21, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
      remove_duplicate_addrs2: looking for duplicate address/port pairs
    [2006/07/03 11:46:21, 5] libsmb/namecache.c:namecache_store(130)
      namecache_store: storing 1 address for hpcif49#20: 16.91.116.99:0
    [2006/07/03 11:46:21, 10] lib/gencache.c:gencache_set(128)
      Adding cache entry with key = NBT/HPCIF49#20; value = 16.91.116.99:0 and timeout = Mon Jul 3 11:57:21 2006
      (660 seconds ahead)
    [2006/07/03 11:46:21, 10] libsmb/namequery.c:internal_resolve_name(1229)
      internal_resolve_name: returning 1 addresses: 16.91.116.99:0
    [2006/07/03 11:46:21, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
      remove_duplicate_addrs2: looking for duplicate address/port pairs
    [2006/07/03 11:46:21, 4] libsmb/namequery.c:get_dc_list(1503)
      get_dc_list: returning 2 ip addresses in an ordered list
    [2006/07/03 11:46:21, 4] libsmb/namequery.c:get_dc_list(1505)
      get_dc_list: 15.13.115.49:389 16.91.116.99:389
    [2006/07/03 11:46:21, 5] libads/ldap.c:ads_try_connect(125)
      ads_try_connect: sending CLDAP request to 15.13.115.49
    [2006/07/03 11:46:36, 1] libads/cldap.c:recv_cldap_netlogon(206)
      no reply received to cldap netlogon
    [2006/07/03 11:46:36, 3] libads/ldap.c:ads_try_connect(134)
      ads_try_connect: CLDAP request 15.13.115.49 failed.
    [2006/07/03 11:46:36, 10] libsmb/conncache.c:add_failed_connection_entry(139)
      add_failed_connection_entry: added domain CIFSW2K3R2DOM.CUP.HP.COM (15.13.115.49) to failed conn cache
    [2006/07/03 11:46:36, 5] libads/ldap.c:ads_try_connect(125)
      ads_try_connect: sending CLDAP request to 16.91.116.99
    [2006/07/03 11:46:36, 10] libsmb/namequery.c:saf_store(70)
      saf_store: domain = [CIFSW2K3R2DOM], server = [16.91.116.99], expire = [1151953296]
    [2006/07/03 11:46:36, 10] lib/gencache.c:gencache_set(128)
      Adding cache entry with key = SAF/DOMAIN/CIFSW2K3R2DOM; value = 16.91.116.99 and timeout = Mon Jul 3 12:01:36 2006
      (900 seconds ahead)
    [2006/07/03 11:46:36, 3] libads/ldap.c:ads_connect(283)
      Connected to LDAP server 16.91.116.99
    [2006/07/03 11:46:36, 0] utils/net_ads.c:ads_startup(288)
      ads_connect: Operations error
    [2006/07/03 11:46:36, 2] utils/net.c:main(988)
      return code = -1
(In reply to comment #2)
> also include the output from 'net ads lookup'. Thanks.

    ./net ads lookup
    Information for Domain Controller: 16.91.116.99

    Response Type: SAMLOGON
    GUID: ad462da4-fc89-4526-a184-ef2d991c1b98
    Flags:
        Is a PDC: yes
        Is a GC of the forest: yes
        Is an LDAP server: yes
        Supports DS: yes
        Is running a KDC: yes
        Is running time services: yes
        Is the closest DC: yes
        Is writable: yes
        Has a hardware clock: yes
        Is a non-domain NC serviced by LDAP server: no
    Forest: CIFSW2K3R2DOM.CUP.HP.COM
    Domain: CIFSW2K3R2DOM.CUP.HP.COM
    Domain Controller: hpcif49.CIFSW2K3R2DOM.CUP.HP.COM
    Pre-Win2k Domain: CIFSW2K3R2DOM
    Pre-Win2k Hostname: HPCIF49
    Site Name: Default-First-Site-Name
    Site Name (2): Default-First-Site-Name
    NT Version: 5
    LMNT Token: ffff
    LM20 Token: ffff
Please attach a raw ethereal trace to help diagnose this error in the logs:

    Connected to LDAP server 16.91.116.99
    ads_connect: Operations error
(In reply to comment #1)
> Please attach the output of 'net ads join --debuglevel=10'
> and raw ethereal network trace. Thanks.

(In reply to comment #3)
> (In reply to comment #1)
> > Please attach the output of 'net ads join --debuglevel=10'
> > and raw ethereal network trace. Thanks.

    Frame 5 (151 bytes on wire, 151 bytes captured)
    Ethernet II, Src: 16.91.116.171 (00:11:0a:80:41:82), Dst: 16.91.116.99 (00:30:6e:05:77:de)
    Internet Protocol, Src: 16.91.116.171 (16.91.116.171), Dst: 16.91.116.99 (16.91.116.99)
    User Datagram Protocol, Src Port: 52232 (52232), Dst Port: 389 (389)
    Lightweight Directory Access Protocol
        LDAP Message, Search Request
            Message Id: 4
            Message Type: Search Request (0x03)
            Message Length: 102
            Response In: 6
            Base DN: (null)
            Scope: Base (0x00)
            Dereference: Never (0x00)
            Size Limit: 0
            Time Limit: 0
            Attributes Only: False
            Filter: (&(DnsDomain=CIFSW2K3R2DOM.CUP.HP.COM)(Host=HPCFS64)(NtVer=\006))
            Attribute: NetLogon

    No.  Time       Source        Destination    Protocol  Info
    6    32.760976  16.91.116.99  16.91.116.171  CLDAP     MsgId=4 Search Entry, 1 result

    Frame 6 (233 bytes on wire, 233 bytes captured)
    Ethernet II, Src: 16.91.116.99 (00:30:6e:05:77:de), Dst: 16.91.116.171 (00:11:0a:80:41:82)
    Internet Protocol, Src: 16.91.116.99 (16.91.116.99), Dst: 16.91.116.171 (16.91.116.171)
    User Datagram Protocol, Src Port: 389 (389), Dst Port: 52232 (52232)
    Lightweight Directory Access Protocol
        LDAP Message, Search Entry
            Message Id: 4
            Message Type: Search Entry (0x04)
            Message Length: 154
            Response To: 5
            Time: 0.000349000 seconds
            Distinguished Name: (null)
            Attribute: netlogon
                Type: 23
                Flags: 0x000003fd
                    .... .... .... .... .... .0.. .... .... = NDNC: Domain is NOT non-domain nc serviced by ldap server
                    .... .... .... .... .... ..1. .... .... = Good Time Serv: This dc has a GOOD TIME SERVICE (i.e. hardware clock)
                    .... .... .... .... .... ...1 .... .... = Writable: This dc is WRITABLE
                    .... .... .... .... .... .... 1... .... = Closest: This is the CLOSEST dc (unreliable?)
                    .... .... .... .... .... .... .1.. .... = Time Serv: This dc is running TIME SERVICES (ntp)
                    .... .... .... .... .... .... ..1. .... = KDC: This is a KDC (kerberos)
                    .... .... .... .... .... .... ...1 .... = DS: This dc supports DS
                    .... .... .... .... .... .... .... 1... = LDAP: This is an LDAP server
                    .... .... .... .... .... .... .... .1.. = GC: This is a GLOBAL CATALOGUE of forest
                    .... .... .... .... .... .... .... ...1 = PDC: This is a PDC
                Domain GUID: A42D46AD89FC2645A184EF2D991C1B98
                Forest: CIFSW2K3R2DOM.CUP.HP.COM
                Domain: CIFSW2K3R2DOM.CUP.HP.COM
                Hostname: hpcif49.CIFSW2K3R2DOM.CUP.HP.COM
                NetBios Domain: CIFSW2K3R2DOM
                NetBios Hostname: HPCIF49
                User:
                Site: Default-First-Site-Name
                Client Site: Default-First-Site-Name
                Version: 5
                LM Token: 0xffff
                NT Token: 0xffff
        LDAP Message, Search Result
            Message Id: 4
            Message Type: Search Result (0x05)
            Message Length: 7
            Response To: 5
            Time: 0.000349000 seconds
            Result Code: success (0x00)
            Matched DN: (null)
            Error Message: (null)
Ying, I asked for a raw ethereal trace. Text dumps of packets are no help. Please capture the entire join process and *attach* the raw packet trace to the report. Thanks.
Created attachment 2019
raw ethereal trace for net ads join

raw ethereal trace for "net ads join -Uadministrator"
Hi Jerry,

I found ldap_open(server, port) for openldap 2.3.24/2.3.21 versions returned an error 242 (no route to host), when config.ldap_server_name = cldap_reply.hostname.

Here is my scenario.

Windows2k3 DC
- hostname: myhost.adsdomain.dept.company.com
- DNS Server configured, and forwarder to other DNS server in company.

krb5.conf:

    [realms]
    ADSDOMAIN.DEPT.COMAPNY.COM = {
        kdc = myhost.dept.company.com:88
        admin_server = myhost.dept.company.com
    }
    [domain_realm]
    .dept.company.com = ADSDOMAIN.DEPT.COMAPNY.COM

Kinit OK.

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@MYDOMAIN.DEPT.COMPANY.COM

    Valid starting     Expires            Service principal
    07/21/06 09:28:52  07/21/06 19:26:55  krbtgt/MYDOMAIN.DEPT.COMPANY.COM@MYDOMAIN.DEPT.COMPANY.COM
            renew until 07/21/06 19:28:52

After the ads_ldap_netlogon() call of ads_try_connect() in ldap.c, cldap_reply contains:

    forest: ADSDOMAIN.DEPT.COMPANY.COM
    domain: ADSDOMAIN.DEPT.COMPANY.COM
    hostname: myhost.ADSDOMAIN.DEPT.COMPANY.COM
    netbios_domain: ADSDOMAIN.DEPT.COMPANY.COM
    netbios_hostname: MYHOST

Then the code transfers it to ads:

    ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.hostname);
    strupper_m(cldap_reply.domain);
    ads->config.realm = SMB_STRDUP(cldap_reply.domain);
    ads->config.bind_path = ads_build_dn(ads->config.realm);
    ads->server.workgroup = SMB_STRDUP(cldap_reply.netbios_domain);

From my testing, using cldap_reply.netbios_hostname (not cldap_reply.hostname) for the ldap_open call can fix the problem.

    ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.netbios_hostname);

I don't know if it's used for all cases.

thanks.
I'm having the same issue with 3.0.23a
Actually, the bug is reproducible only if the DNS used by the client isn't one of the DCs, not sure if it is really a bug...

Ying Li: which DNS do you use?
(In reply to comment #11)
> Actually, the bug is reproducible only if the DNS used by the client isn't one of the DCs, not sure if it is really a bug...
> Ying Li: which DNS do you use?

Yes. You are right. I used a DNS server that was NOT the DNS that the Windows DC is configured with. For example:
- a public DNS-A in company.
- Windows DC configured DNS-B, forwarded to DNS-A.
- /etc/resolv.conf using DNS-A.
- kinit OK. But net ads join failed.
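Added example (not part of the original report and not Samba code): a pre-join check for the condition confirmed in the comments above, where the DC answers CLDAP but the FQDN it reports cannot be resolved through the client's own DNS. The field names follow the 'net ads lookup' output posted earlier; the sample text, the function names and the injectable resolver are constructed for illustration.

```python
#!/usr/bin/env python3
"""Pre-join check: can this client resolve the DC name that CLDAP reports?

Added illustration, not Samba code. Pipe the output of 'net ads lookup' in.
"""
import socket
import sys

# Constructed sample, abridged from the 'net ads lookup' output in this report.
SAMPLE_LOOKUP = """\
Information for Domain Controller: 16.91.116.99

Response Type: SAMLOGON
Forest:             CIFSW2K3R2DOM.CUP.HP.COM
Domain:             CIFSW2K3R2DOM.CUP.HP.COM
Domain Controller:  hpcif49.CIFSW2K3R2DOM.CUP.HP.COM
Pre-Win2k Domain:   CIFSW2K3R2DOM
Pre-Win2k Hostname: HPCIF49
"""


def parse_lookup(text):
    """Pull out the address that answered CLDAP and the names it reported."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "answered_from": fields.get("Information for Domain Controller", ""),
        "dc_fqdn": fields.get("Domain Controller", ""),
        "dc_short": fields.get("Pre-Win2k Hostname", ""),
    }


def system_resolver(name):
    """Resolve a name through the system resolver (hosts file, DNS)."""
    try:
        infos = socket.getaddrinfo(name, 389, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_dc_name(info, resolver=system_resolver):
    """Classify the DC FQDN that the LDAP connection would be opened with.

    ok            the FQDN resolves to the address that answered CLDAP
    unresolvable  the FQDN does not resolve (the situation in this report)
    mismatch      the FQDN resolves, but not to the host that answered CLDAP
    """
    fqdn_addrs = resolver(info["dc_fqdn"]) if info["dc_fqdn"] else set()
    short_addrs = resolver(info["dc_short"]) if info["dc_short"] else set()
    if not fqdn_addrs:
        status = "unresolvable"
    elif info["answered_from"] in fqdn_addrs:
        status = "ok"
    else:
        status = "mismatch"
    return {
        "status": status,
        "fqdn_addrs": sorted(fqdn_addrs),
        # True when only the short name works, as with 'password server = hpcif49'.
        "short_name_matches": info["answered_from"] in short_addrs,
    }


def main():
    # Use the embedded sample when nothing is piped in.
    text = SAMPLE_LOOKUP if sys.stdin.isatty() else sys.stdin.read()
    info = parse_lookup(text)
    result = check_dc_name(info)
    print("CLDAP answered from :", info["answered_from"])
    print("DC name reported    :", info["dc_fqdn"])
    print("resolves to         :", ", ".join(result["fqdn_addrs"]) or "(nothing)")
    print("short name matches  :", result["short_name_matches"])
    print("status              :", result["status"])
    return 0 if result["status"] == "ok" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `net ads lookup | python3 check_dc_name.py` (the script name is arbitrary); a non-zero exit means the name the DC reports is not usable from this client's resolver configuration.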
a full trace of the net ads join. Not just the CLDAP packet on port 389. Also please test the 3.0.23c-gwc-2 patch at http://www.samba.org/~jerry/patches/. Thanks.
I also have noticed the same problem on Debian-Sarge 2.4.21 even using the latest Samba patches for 3.0.23c. The problem goes away when I use the DC REALM as my DNS, as described above by Blindauer. We really depend on the new features provided in 3.0.23, however this bug is blocking us. I would be happy if I can assist on fixing this.
I also noticed that under the same situation, "net ads info" can not get server's current time. I'm not sure if this is a related bug or something else.

    # net ads info -w rolaid0 -UAdministrator%scs
    Failed to get server's current time!
    LDAP server: 192.168.26.202
    LDAP server name: rolaid.ROLAID.2K3AD.NET
    Realm: ROLAID.2K3AD.NET
    Bind Path: dc=ROLAID,dc=2K3AD,dc=NET
    LDAP port: 389
    Server time: Wed, 31 Dec 1969 20:00:00 GMT-4
    KDC server: 192.168.26.202
    Server time offset: 0

As before, setting the AD domain controller to be my DNS will resolve this problem.

    # cat /etc/resolv.conf
    nameserver 192.168.26.202 <=== This line solves the problem
    nameserver 127.0.0.1
    domain weavernet.null

However, I can't always apply this work around.
I noticed this in samba-technical digest and thought it could be relevant to this bug.

Subject: Re: DNS query with Netbios domain
From: Todd Stecher <todd.stecher@isilon.com>
Date: Thu, 8 Feb 2007 23:55:19 -0800
To: Todd Stecher <todd.stecher@isilon.com>
CC: samba-technical <samba-technical@samba.org>

It looks like this was a bug in winbindd_cm.c / get_dcs() which is remedied in 3.0.25 as part of the site proximity fixes.

On Feb 8, 2007, at 11:33 PM, Todd Stecher wrote:

> Given an ADS domain foobar.zippy.com, I'm seeing quite a few DNS queries originating from resolve_ads() / ads_dns_query_dcs() with the form:
>
> _ldap._tcp.dc._msdcs.foobar
>
> I would typically expect to see this query actually take the form:
>
> _ldap._tcp.dc_msdcs.foobar.zippy.com
>
> In all of my years sniffing wire traffic in windows enterprises, I've never seen the first form - that just doesn't seem like a "real" DNS domain name / SRV query. Is there some element of configuration I'm missing which would make this work? Does anyone expect it to? These queries fail pretty quickly on my system, but it seems like unnecessary overhead.
>
>
> Todd Stecher | Windows Interop Dev
> Isilon Systems P +1-206-315-7500 F +1-206-315-7501
> www.isilon.com D +1-206-315-7638 M +1-425-205-1180
>
>

Todd Stecher | Windows Interop Dev
Isilon Systems P +1-206-315-7500 F +1-206-315-7501
www.isilon.com D +1-206-315-7638 M +1-425-205-1180
I can do the 'net ads join' with the following config in /etc/hosts without modifying /etc/resolv.conf:

127.0.0.1 localhost
## This host (Samba)
10.0.0.17 blade.example.com blade loghost
## AD domain controller (workaround for Bug 3906)
10.0.0.1 ads.example.com

My /etc/krb5.conf contains the following:

[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = ads.example.com
}
[domain_realms]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

I think that "password server = 10.0.0.1" (the IP address of the AD DC) in smb.conf can be used as a workaround for this bug too. But it does not help me.
This discussion is also relevant:

Subject: setting dNSHostName at join
From: "Gerald (Jerry) Carter" <jerry@samba.org>
Date: Mon, 26 Feb 2007 20:03:19 -0600
To: Guenther Deschner <gd@samba.org>, samba-technical@samba.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Guenther,

In case the IRC logs get lost....

(6:45:35 PM) gd: coffeedude: we need to be more graceful when joining and name_to_fqdn fails and where we are not using a keytab.
(6:46:16 PM) gd: coffeedude: also assuming that we can always write to "dnsHostName" is invalid.
(7:54:11 PM) coffeedude: gd: I disagree.
(7:55:03 PM) coffeedude: gd: if we can't get a valid fqdn krb5 cannot work. I think it is better to fail upfront than to leave an admin scratching his/her head later on.
(7:55:56 PM) coffeedude: gd: the current model does exactly what XP does.
(7:56:14 PM) coffeedude: gd: if we cannot update the hostname and SPN in AD, then just use security = domain.
(7:56:57 PM) coffeedude: gd: if you have a specific environment where this is failing and Windows is working, then we should do what Windows does. But based on my investigations, if Windows cannot update the dNSHostName or SPN it will fail the join.
(7:59:24 PM) coffeedude: gd: I should clarify, Windows XP will fail. Windows 2000 will join but Krb5 will never be available.
(8:03:29 PM) gd: coffeedude: I need to check back with my customer, but they keep telling me that they are not allowed to set dnsHostName (by LDAP security descriptor) but nicely do krb5 auth in the domain after joining.
(8:04:39 PM) gd: coffeedude: and where do you think we need a fqdn when using kerberos? (without a system keytab)
(8:05:00 PM) gd: coffeedude: we can *always* kinit as netbiosname$@realm.de.
(8:05:11 PM) gd: coffeedude: that is at least my understanding.
(8:05:57 PM) gd: coffeedude: so it is not required for the SPNs. Do I miss something?
(8:06:06 PM) coffeedude: The keytab has nothing to do with it. How can a Windows client get a service ticket for an account with no SPN ?
(8:06:29 PM) coffeedude: gd: Just show me a trace of a Windows client doing Krb5 auth in the session setup with no SPN set.
(8:06:35 PM) coffeedude: for the target server of course in AD.
(8:07:10 PM) coffeedude: NTLM will continue to work of course, but that defeats the purpose of security = ads.
(8:07:11 PM) gd: you mean for us as a smbd as a domain member?
(8:07:53 PM) coffeedude: gd: Yes. Just show me a trace of a Windows client going \\server\share and sending Krb5 in the session setup if the Samba host has no SPN set in AD.
(8:08:06 PM) coffeedude: And no dNSHostName attribute
(8:08:35 PM) coffeedude: gd: I'm not trying to be stubborn on this, I just need proof in order to accept the POV.
(8:09:05 PM) gd: coffeedude: sure, no problem, I'll try to get such a trace
(8:09:47 PM) coffeedude: gd: Thinking a bit more, a Windows client might succeed even if it cannot write to the dNSHostName
(8:10:02 PM) coffeedude: if the value is already set properly. That I could understand.
(8:10:18 PM) coffeedude: gd: and If you have traces, I'll be glad to change my tune.
(8:11:35 PM) gd: coffeedude: my customer has valid DNS, just the DNS entries replicate very slowly to the subdomains. (They are not using the builtin DNS in AD but an external one). Windows seems to be happy with that.
(8:11:56 PM) coffeedude: gd: it's not a question of valid DNS.
(8:12:55 PM) coffeedude: gd: Ahh....I think I see what you are saying now. I still need to see a trace to understand it. I'm still a bit skeptical of your customer (no offense).
(8:13:14 PM) coffeedude: gd: but I've been wrong before.....
(8:13:59 PM) coffeedude: gd: if I'm wrong, then we should simply bracket the set spn and hostname in a WITH_DNS_UPDATES block.
(8:14:01 PM) gd: coffeedude: sure, just relating to the first issue: name2fqdn fails as the replication is not finished yet. (they prepare their dns for joining machines).
(8:14:37 PM) gd: coffeedude: I made all that now dependent on the name2fqdn lookup success (converting to BOOL). still testing...
(8:15:13 PM) coffeedude: gd: if you can show me the session setup trace, then we'll figure it. If however, I'm right about the krb5, then we have to know our fqdn in order to join (can be configured in /etc/hosts).
Created attachment 2816
Proposed patch: Use resolved IP address instead of short DNS name

Because ads->config.ldap_server_name has a short (non-FQDN) hostname, it cannot be resolved in some situations (e.g. DNS domainname and/or search suffix != AD domainname) and ldap_open_with_timeout() fails. I've applied this patch to Samba 3.0.24.
Created attachment 3923
Updated patch for 3.2.8 (v3-2-test)
Looks like this is still an unsolved issue even in the latest versions?
Using a domain name which is not the AD realm is not supported. Furthermore, not even using the realm in the DNS search list *must* fail then. There is no point in adding hooks to make such setups work somehow. Closing this as this is a broken setup actually.
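The resolver behaviour behind attachment 2816 and the closing comment can be checked before a join. The following is an added example, not part of the thread and not Samba code: it parses resolv.conf text, lists the names a stub resolver would try for the short DC name, and reports whether the AD realm is in the search list. The function names are hypothetical, both resolv.conf samples are constructed from the values posted above, and a file with no `domain` or `search` line is treated as having an empty search list.

```python
# Added example (not Samba code). All function names are hypothetical.
# Constructed sample: the resolv.conf from this thread without the DC as nameserver.
BROKEN = "nameserver 127.0.0.1\ndomain weavernet.null\n"
# Constructed sample: same host with the AD realm added to the search list.
FIXED = "nameserver 127.0.0.1\nsearch rolaid.2k3ad.net weavernet.null\n"


def parse_resolv_conf(text):
    """Return (nameservers, search_list, ndots) as read from resolv.conf text."""
    nameservers, search, ndots = [], [], 1
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0][0] in "#;":
            continue                   # blank line, comment, or keyword without value
        key, args = fields[0], fields[1:]
        if key == "nameserver":
            nameservers.append(args[0])
        elif key == "domain":          # 'domain' and 'search' override each other;
            search = [args[0].lower().rstrip(".")]   # the last one in the file wins
        elif key == "search":
            search = [a.lower().rstrip(".") for a in args]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots


def names_tried(host, search, ndots=1):
    """Names the resolver tries, in order, for a possibly short host name."""
    host = host.lower()
    if host.endswith("."):             # absolute name: the search list is not used
        return [host.rstrip(".")]
    suffixed = [host + "." + dom for dom in search]
    if host.count(".") >= ndots:       # enough dots: try the name as given first
        return [host] + suffixed
    return suffixed + [host]


def check_ads_dns(resolv_text, realm, dc_short_name):
    """Report whether a short DC name can resolve to the DC inside the AD realm."""
    _, search, ndots = parse_resolv_conf(resolv_text)
    realm_dns = realm.lower().rstrip(".")
    tried = names_tried(dc_short_name, search, ndots)
    return {
        "srv_query": "_ldap._tcp.dc._msdcs." + realm_dns,
        "realm_in_search": realm_dns in search,
        "names_tried": tried,
        "short_name_reaches_realm": dc_short_name.lower() + "." + realm_dns in tried,
    }


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_ads_dns(conf, "ROLAID.2K3AD.NET", "rolaid"))
```

With the first sample the short name is only ever tried as rolaid.weavernet.null and as the bare label, which matches the failure described for attachment 2816.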