Bug 6073 - 3.3.0 fails to join domain
Summary: 3.3.0 fails to join domain
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.3.0
Hardware: x86 Solaris
: P3 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-01-28 10:29 UTC by mchugh19@yahoo.com
Modified: 2009-01-30 01:11 UTC (History)
0 users

See Also:

Attachments
smb.conf used (987 bytes, application/octet-stream)
2009-01-28 10:30 UTC, mchugh19@yahoo.com 		no flags Details
patch commited upstream (1.09 KB, patch)
2009-01-29 06:35 UTC, Michael Adam 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description mchugh19@yahoo.com 2009-01-28 10:29:11 UTC 
Just compiled the release of 3.3.0 to see if bug 5973 still exists, only now I am unable to even join the domain.

root@egr214-01:/usr/local/samba/bin$ ./net ads join -U mmchugh
Enter mmchugh's password:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

If I run it again I also get:

root@egr214-01:/usr/local/samba/bin$ ./net ads join -U mmchugh
Enter mmchugh's password:
[2009/01/28 23:27:54,  0] lib/smbldap.c:smb_ldap_start_tls(598)
  Failed to issue the StartTLS instruction: Connect error
Broken Pipe


and rpc does not work either:

root@egr214-01:/usr/local/samba/bin$ ./net rpc join -S acadrdcs.students.froot.nau.edu -U mmchugh
Could not initialise lsa pipe
Enter mmchugh's password:
[2009/01/28 23:23:56,  0] utils/net_rpc_join.c:net_rpc_join_newstyle(353)
  error setting trust account password: NT_STATUS_NOT_SUPPORTED
Unable to join domain NAU-STUDENTS.


and joining with kerberos also seems broken:

root@egr214-01:/usr/local/samba/bin$ kinit mmchugh
Password for mmchugh@STUDENTS.FROOT.NAU.EDU:
root@egr214-01:/usr/local/samba/bin$ ./net ads join -k
[2009/01/28 23:26:49,  0] libads/kerberos.c:kerberos_get_default_realm_from_ccache(529)
  kerberos_get_default_realm_from_ccache: failed to get default principal
Failed to join domain: failed to lookup DC info for domain 'STUDENTS.FROOT.NAU.EDU' over rpc: Logon failure
Comment 1 mchugh19@yahoo.com 2009-01-28 10:30:14 UTC 
Created attachment 3896 [details]
smb.conf used
Comment 2 Karolin Seeger 2009-01-29 05:28:45 UTC 
Please re-try with "ldap ssl = off".
That solves the problem on my system.
Comment 3 Michael Adam 2009-01-29 06:35:34 UTC 
Created attachment 3897 [details]
patch commited upstream

Hi,

This patch has been pushed upstream
It restores the default behaviour not to use ssl for ads_connect.
If you do explicitly want ssl for ads , you can enable it now
with setting "ldap ssl : ads = yes".

Cheers - Michael
Comment 4 mchugh19@yahoo.com 2009-01-29 09:58:45 UTC 
(In reply to comment #2)
> Please re-try with "ldap ssl = off".
> That solves the problem on my system.

That sort of solves it. 

root@egr214-01:/usr/local/samba/bin$ ./net ads join -U mmchugh
Enter mmchugh's password:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

root@egr214-01:/usr/local/samba/bin$ ./net ads join -U mmchugh
Enter mmchugh's password:
Using short domain name -- NAU-STUDENTS
Joined 'EGR214-01' to realm 'students.froot.nau.edu'


Had to try twice to get it to work, but good enough to continue testing. Thanks
Comment 5 Karolin Seeger 2009-01-30 01:11:15 UTC 
Michael's patch solves the problem.
It will be included in 3.3.1.
Closing out bug report.

Thanks for reporting!