Bug 6073 - 3.3.0 fails to join domain
3.3.0 fails to join domain
Status: RESOLVED FIXED
Product: Samba 3.3
Classification: Unclassified
Component: Winbind
3.3.0
x86 Solaris
: P3 normal
: ---
Assigned To: Michael Adam
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-28 10:29 UTC by mchugh19@yahoo.com
Modified: 2009-01-30 01:11 UTC (History)
0 users

See Also:


Attachments
smb.conf used (987 bytes, application/octet-stream)
2009-01-28 10:30 UTC, mchugh19@yahoo.com
no flags Details
patch commited upstream (1.09 KB, patch)
2009-01-29 06:35 UTC, Michael Adam
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description mchugh19@yahoo.com 2009-01-28 10:29:11 UTC
Just compiled the release of 3.3.0 to see if bug 5973 still exists, only now I am unable to even join the domain.

root@egr214-01:/usr/local/samba/bin$ ./net ads join -U mmchugh
Enter mmchugh's password:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

If I run it again I also get:

root@egr214-01:/usr/local/samba/bin$ ./net ads join -U mmchugh
Enter mmchugh's password:
[2009/01/28 23:27:54,  0] lib/smbldap.c:smb_ldap_start_tls(598)
  Failed to issue the StartTLS instruction: Connect error
Broken Pipe


and rpc does not work either:

root@egr214-01:/usr/local/samba/bin$ ./net rpc join -S acadrdcs.students.froot.nau.edu -U mmchugh
Could not initialise lsa pipe
Enter mmchugh's password:
[2009/01/28 23:23:56,  0] utils/net_rpc_join.c:net_rpc_join_newstyle(353)
  error setting trust account password: NT_STATUS_NOT_SUPPORTED
Unable to join domain NAU-STUDENTS.


and joining with kerberos also seems broken:

root@egr214-01:/usr/local/samba/bin$ kinit mmchugh
Password for mmchugh@STUDENTS.FROOT.NAU.EDU:
root@egr214-01:/usr/local/samba/bin$ ./net ads join -k
[2009/01/28 23:26:49,  0] libads/kerberos.c:kerberos_get_default_realm_from_ccache(529)
  kerberos_get_default_realm_from_ccache: failed to get default principal
Failed to join domain: failed to lookup DC info for domain 'STUDENTS.FROOT.NAU.EDU' over rpc: Logon failure
Comment 1 mchugh19@yahoo.com 2009-01-28 10:30:14 UTC
Created attachment 3896 [details]
smb.conf used
Comment 2 Karolin Seeger 2009-01-29 05:28:45 UTC
Please re-try with "ldap ssl = off".
That solves the problem on my system.
Comment 3 Michael Adam 2009-01-29 06:35:34 UTC
Created attachment 3897 [details]
patch commited upstream

Hi,

This patch has been pushed upstream
It restores the default behaviour not to use ssl for ads_connect.
If you do explicitly want ssl for ads , you can enable it now
with setting "ldap ssl : ads = yes".

Cheers - Michael
Comment 4 mchugh19@yahoo.com 2009-01-29 09:58:45 UTC
(In reply to comment #2)
> Please re-try with "ldap ssl = off".
> That solves the problem on my system.

That sort of solves it. 

root@egr214-01:/usr/local/samba/bin$ ./net ads join -U mmchugh
Enter mmchugh's password:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

root@egr214-01:/usr/local/samba/bin$ ./net ads join -U mmchugh
Enter mmchugh's password:
Using short domain name -- NAU-STUDENTS
Joined 'EGR214-01' to realm 'students.froot.nau.edu'


Had to try twice to get it to work, but good enough to continue testing. Thanks
Comment 5 Karolin Seeger 2009-01-30 01:11:15 UTC
Michael's patch solves the problem.
It will be included in 3.3.1.
Closing out bug report.

Thanks for reporting!