Bug 926 - Unable to join Samba server to Win2k domain
Unable to join Samba server to Win2k domain
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
3.0.1
All Linux
: P2 major
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks: 807
  Show dependency treegraph
 
Reported: 2003-12-28 04:31 UTC by Henrik Larsson
Modified: 2005-08-24 10:19 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Henrik Larsson 2003-12-28 04:31:39 UTC
I'm unable to join the Samba server to a Win2k domain running in mixed mode.

I have changed the settings in my krb5.conf and tested this with kinit:
-- cut
# kinit -V
Password for administrator@DOMAIN.DOM:
Authenticated to Kerberos v5
-- cut


But when I try to add the server to the domain with the command "net ads
join MEMBER -Uadministrator%password -d 10" I get the following error:
-- cut
[2003/12/13 23:30:00, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/12/13 23:30:00, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
  Got KRB5 session key of length 8
[2003/12/13 23:30:00, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Invalid credentials
[2003/12/13 23:30:00, 2] utils/net.c:main(759)
  return code = -1
-- cut

If i use a wrong password, I get a "preauthentication failed" so again the
kerberos part should be OK.

I then tried "security = domain".

If I don't create a computer in the AD I get this error when running "net
rpc join MEMBER -Uadministrator%password -d 10":
-- cut
[2003/12/13 23:27:40, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
  cli_pipe: return critical error. Error was Call timed out: server did not
respond after 10000 milliseconds
[2003/12/13 23:27:40, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(286)
  error setting trust account password: NT_STATUS_UNSUCCESSFUL
Unable to join domain DOMAIN.
[2003/12/13 23:27:40, 2] utils/net.c:main(759)
  return code = 1
-- cut

If I create a computer account and set it to allow pre Window 2000 computers
to use this account I get:
-- cut
[2003/12/13 23:29:28, 1] libsmb/cliconnect.c:cli_full_connection(1426)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2003/12/13 23:29:28, 1] utils/net.c:connect_to_ipc_anonymous(179)
  Cannot connect to server (anonymously).  Error was NT_STATUS_ACCESS_DENIED
[2003/12/13 23:29:28, 6] lib/util_sock.c:write_socket(407)
  write_socket(5,45)
[2003/12/13 23:29:28, 6] lib/util_sock.c:write_socket(410)
  write_socket(5,45) wrote 45
[2003/12/13 23:29:28, 10]
lib/util_sock.c:read_smb_length_return_keepalive(463)
  got smb length of 35
[2003/12/13 23:29:28, 5] lib/util.c:show_msg(456)
[2003/12/13 23:29:28, 5] lib/util.c:show_msg(466)
  size=35
  smb_com=0x4
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=22538
  smb_pid=6905
  smb_uid=3
  smb_mid=28
  smt_wct=0
  smb_bcc=0
Unable to join domain DOMAIN.
-- cut

The full debug logs of all atempts and configuration files are here...

net join ads:
http://www.larsson.as/files/net-ads-join.txt

net join before a computer account is created in the AD:
http://www.larsson.as/files/net-join-noaccount.txt

net join after a computer account is create in the AD:
http://www.larsson.as/files/net-join-account.txt

krb5.conf:
http://www.larsson.as/files/krb5.conf

smb.conf:
http://www.larsson.as/files/smb.conf


Best regards Henrik
Comment 1 Volker Lendecke 2004-01-04 05:01:11 UTC
What Linux are you using? The SuSE versions of Kerberos are known to be broken,
that's why I ask. You mind try try the RPMs from ftp.sernet.de that fix this
issue.
Comment 2 Henrik Larsson 2004-01-04 05:24:32 UTC
I use RedHat 9.

As you can see in the logs, the kerberos part should be OK. Also kinit works.

Best regards Henrik
Comment 3 Vladimir Berezniker 2004-01-06 10:28:00 UTC
I seem to have simular problem joining NT4 domain.  Here is the log info for 
the cli_samr_set_userinfo function that fails:

[2004/01/06 13:10:18, 10] rpc_client/cli_samr.c:cli_samr_set_userinfo(1351)
  cli_samr_set_userinfo
[2004/01/06 13:10:18, 5] rpc_parse/parse_samr.c:init_samr_q_set_userinfo(6509)
  init_samr_q_set_userinfo
[2004/01/06 13:10:18, 5] rpc_parse/parse_samr.c:init_samr_userinfo_ctr(6308)
  init_samr_userinfo_ctr
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_q_set_userinfo 
[2004/01/06 13:10:18, 6] rpc_parse/parse_prs.c:prs_debug(82)
      000000 smb_io_pol_hnd pol
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint32(635)
          0000 data1: 00000000
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint32(635)
          0004 data2: 39e04e0d
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint16(606)
          0008 data3: 043e
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint16(606)
          000a data4: 4bb9
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
          000c data5: a0 74 94 d4 14 4a 17 1e 
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint16(606)
      0014 switch_value: 0018
[2004/01/06 13:10:18, 6] rpc_parse/parse_prs.c:prs_debug(82)
      000016 samr_io_userinfo_ctr ctr
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint16(606)
          0016 switch_value: 0018
[2004/01/06 13:10:18, 7] rpc_parse/parse_prs.c:prs_debug(82)
          000018 sam_io_user_info24 
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
              0018 password: 4f 78 68 52 75 7a 33 70 5d b0 e7 6a b9 35 95 04 83 
30 87 40 8f 94 f1 71 dd d7 e4 60 fd 23 32 ac a3 d6 23 47 e6 ed 90 1d 67 ff fa 
04 06 0a e4 0a db 24 58 ea 67 89 57 1f 31 98 2b 34 d4 1b bc ed 5c 0c c3 52 c2 
92 6d 25 ec 1c 7a 7f 7e 30 d5 9f cc c6 b3 a6 a6 6b 5d dd 8a 8f 7d 73 59 d0 33 
ee d7 95 f4 53 e9 12 50 6f a8 c0 50 ac e6 2d 1f 0e 92 ae 69 64 3c 7a bf 9c 0c 
99 78 03 18 16 b7 3b ea 78 43 21 7f e8 e8 65 79 27 73 54 95 ba 78 ea 3f 8a be 
dd 88 d3 2c 55 82 a2 ac db c5 49 75 c1 75 34 63 f5 8b 91 77 ae a1 ec 81 be 7e 
05 97 1d 5f fc 3b 89 f4 74 7b 02 6d a6 a6 d1 14 8d a9 4c c4 71 df 88 d4 d7 c9 
b1 1a 8d 85 b7 d9 9d f9 2d 3a 2e 21 0e a7 f4 6d e1 06 32 32 56 90 70 ab 24 ca 
7c 0a e8 15 3d 33 89 99 c2 5f 79 95 79 1f b9 e1 23 1c a9 0f 4d 27 87 84 a8 3f 
f6 f9 8f 4f b7 70 24 3f 75 80 78 05 c4 33 57 ca 2e 32 95 04 22 95 3a 14 27 8d 
fe 1b ab 85 f7 17 85 79 6f d6 12 3c 4e 32 b7 34 e3 ab 1b f2 75 29 94 f7 f0 c0 
64 63 2f ba af d5 88 9b ea a5 d3 bb 01 80 42 e4 9e dc 7f 0a a0 6d 69 f3 3a 59 
a3 75 d +>
  3 19 21 fa 0b 87 9d fa 3a ca ac eb e6 2a fb df ee 63 75 d5 6b 08 5b 7e a1 f7 
94 45 de 4c 56 dc 8b 79 9c ac 55 33 5c be 6a 64 13 15 1b 02 dd c3 32 e2 ce a1 
d3 ec 97 74 d9 0b 4c a6 c8 a9 11 76 6d 2c 6d a5 2f 9d 7f 75 37 2b 92 fc 70 5a 
bf 24 01 a0 3a 09 3b c8 a1 17 5e a9 e1 01 0c ab 10 ac 14 96 9c 51 87 7e d2 08 
54 6a eb 90 4d 87 79 f1 6a 54 0c 4b 4a 95 a9 cc 24 42 b8 1d 05 f2 b5 83 8c b7 
f1 d4 16 f3 a5 a8 dc 8f 47 3a 58 77 2b 1f 47 6a 5f 97 35 0e d8 42 20 d3 dc 3b 
dd 56 47 47 4d d4 a9 f3 e5 69 47 8f 4b 82 46 05 37 4d 7b aa 19 cf 1c 76 fd 1a 
27 43 cc 
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint16(606)
              021c pw_len: 0018
[2004/01/06 13:10:18, 5] rpc_client/cli_pipe.c:create_rpc_request(841)
  create_rpc_request: opnum: 0x3a data_len: 0x238
[2004/01/06 13:10:18, 10] rpc_client/cli_pipe.c:create_rpc_request(857)
  create_rpc_request: data_len: 238 auth_len: 0 alloc_hint: 228
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 smb_io_rpc_hdr hdr    
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8(577)
      0000 major     : 05
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8(577)
      0001 minor     : 00
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8(577)
      0002 pkt_type  : 00
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8(577)
      0003 flags     : 03
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8(577)
      0004 pack_type0: 10
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8(577)
      0005 pack_type1: 00
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8(577)
      0006 pack_type2: 00
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint8(577)
      0007 pack_type3: 00
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint16(606)
      0008 frag_len  : 0238
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint16(606)
      000a auth_len  : 0000
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      000c call_id   : 00000012
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000010 smb_io_rpc_hdr_req hdr_req
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      0010 alloc_hint: 00000228
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint16(606)
      0014 context_id: 0000
[2004/01/06 13:10:18, 5] rpc_parse/parse_prs.c:prs_uint16(606)
      0016 opnum     : 003a
[2004/01/06 13:10:18, 5] rpc_client/cli_pipe.c:rpc_api_pipe(410)
  rpc_api_pipe: fnum:804
[2004/01/06 13:10:18, 5] lib/util.c:show_msg(456)
[2004/01/06 13:10:18, 5] lib/util.c:show_msg(459)
  size=650
  smb_com=0x25
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=8
  smb_flg2=51201
  smb_tid=2050
  smb_pid=8607
  smb_uid=2050
  smb_mid=18
  smt_wct=16
  smb_vwv[ 0]=    0 (0x0)
  smb_vwv[ 1]=  568 (0x238)
  smb_vwv[ 2]=    0 (0x0)
  smb_vwv[ 3]= 4280 (0x10B8)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=    0 (0x0)
  smb_vwv[ 6]=    0 (0x0)
  smb_vwv[ 7]=    0 (0x0)
  smb_vwv[ 8]=    0 (0x0)
  smb_vwv[ 9]=    0 (0x0)
  smb_vwv[10]=   82 (0x52)
  smb_vwv[11]=  568 (0x238)
  smb_vwv[12]=   82 (0x52)
  smb_vwv[13]=    2 (0x2)
  smb_vwv[14]=   38 (0x26)
  smb_vwv[15]= 2052 (0x804)
  smb_bcc=583
[2004/01/06 13:10:18, 10] lib/util.c:dump_data(1830)
  [000] 00 5C 00 50 00 49 00 50  00 45 00 5C 00 00 00 05  .\.P.I.P .E.\....
  [010] 00 00 03 10 00 00 00 38  02 00 00 12 00 00 00 28  .......8 .......(
  [020] 02 00 00 00 00 3A 00 00  00 00 00 0D 4E E0 39 3E  .....:.. ....Nà9>
  [030] 04 B9 4B A0 74 94 D4 14  4A 17 1E 18 00 18 00 4F  .¹K t.Ô. J......O
  [040] 78 68 52 75 7A 33 70 5D  B0 E7 6A B9 35 95 04 83  xhRuz3p] °çj¹5...
  [050] 30 87 40 8F 94 F1 71 DD  D7 E4 60 FD 23 32 AC A3  0.@..ñqÝ ×ä`ý#2¬£
  [060] D6 23 47 E6 ED 90 1D 67  FF FA 04 06 0A E4 0A DB  Ö#Gæí..g ÿú...ä.Û
  [070] 24 58 EA 67 89 57 1F 31  98 2B 34 D4 1B BC ED 5C  $Xêg.W.1 .+4Ô.¼í\
  [080] 0C C3 52 C2 92 6D 25 EC  1C 7A 7F 7E 30 D5 9F CC  .ÃRÂ.m%ì .z.~0Õ.Ì
  [090] C6 B3 A6 A6 6B 5D DD 8A  8F 7D 73 59 D0 33 EE D7  Ƴ¦¦k]Ý. .}sYÐ3î×
  [0A0] 95 F4 53 E9 12 50 6F A8  C0 50 AC E6 2D 1F 0E 92  .ôSé.Po¨ ÀP¬æ-...
  [0B0] AE 69 64 3C 7A BF 9C 0C  99 78 03 18 16 B7 3B EA  ®id<z¿.. .x...·;ê
  [0C0] 78 43 21 7F E8 E8 65 79  27 73 54 95 BA 78 EA 3F  xC!.èèey 'sT.ºxê?
  [0D0] 8A BE DD 88 D3 2C 55 82  A2 AC DB C5 49 75 C1 75  .¾Ý.Ó,U. ¢¬ÛÅIuÁu
  [0E0] 34 63 F5 8B 91 77 AE A1  EC 81 BE 7E 05 97 1D 5F  4cõ..w®¡ ì.¾~..._
  [0F0] FC 3B 89 F4 74 7B 02 6D  A6 A6 D1 14 8D A9 4C C4  ü;.ôt{.m ¦¦Ñ..©LÄ
  [100] 71 DF 88 D4 D7 C9 B1 1A  8D 85 B7 D9 9D F9 2D 3A  qß.Ô×ɱ. ..·Ù.ù-:
  [110] 2E 21 0E A7 F4 6D E1 06  32 32 56 90 70 AB 24 CA  .!.§ômá. 22V.p«$Ê
  [120] 7C 0A E8 15 3D 33 89 99  C2 5F 79 95 79 1F B9 E1  |.è.=3.. Â_y.y.¹á
  [130] 23 1C A9 0F 4D 27 87 84  A8 3F F6 F9 8F 4F B7 70  #.©.M'.. ¨?öù.O·p
  [140] 24 3F 75 80 78 05 C4 33  57 CA 2E 32 95 04 22 95  $?u.x.Ä3 WÊ.2..".
  [150] 3A 14 27 8D FE 1B AB 85  F7 17 85 79 6F D6 12 3C  :.'.þ.«. ÷..yoÖ.<
  [160] 4E 32 B7 34 E3 AB 1B F2  75 29 94 F7 F0 C0 64 63  N2·4ã«.ò u).÷ðÀdc
  [170] 2F BA AF D5 88 9B EA A5  D3 BB 01 80 42 E4 9E DC  /º¯Õ..ê¥ Ó»..Bä.Ü
  [180] 7F 0A A0 6D 69 F3 3A 59  A3 75 D3 19 21 FA 0B 87  .. mió:Y £uÓ.!ú..
  [190] 9D FA 3A CA AC EB E6 2A  FB DF EE 63 75 D5 6B 08  .ú:ʬëæ* ûßîcuÕk.
  [1A0] 5B 7E A1 F7 94 45 DE 4C  56 DC 8B 79 9C AC 55 33  [~¡÷.EÞL VÜ.y.¬U3
  [1B0] 5C BE 6A 64 13 15 1B 02  DD C3 32 E2 CE A1 D3 EC  \¾jd.... ÝÃ2âΡÓì
  [1C0] 97 74 D9 0B 4C A6 C8 A9  11 76 6D 2C 6D A5 2F 9D  .tÙ.L¦È© .vm,m¥/.
  [1D0] 7F 75 37 2B 92 FC 70 5A  BF 24 01 A0 3A 09 3B C8  .u7+.üpZ ¿$. :.;È
  [1E0] A1 17 5E A9 E1 01 0C AB  10 AC 14 96 9C 51 87 7E  ¡.^©á..« .¬...Q.~
  [1F0] D2 08 54 6A EB 90 4D 87  79 F1 6A 54 0C 4B 4A 95  Ò.Tjë.M. yñjT.KJ.
[2004/01/06 13:10:18, 6] lib/util_sock.c:write_socket(407)
  write_socket(4,654)
[2004/01/06 13:10:18, 6] lib/util_sock.c:write_socket(410)
  write_socket(4,654) wrote 654
[2004/01/06 13:10:28, 10] lib/util_sock.c:read_socket_with_timeout(263)
  read_socket_with_timeout: timeout read. select timed out.
[2004/01/06 13:10:28, 10] lib/util_sock.c:receive_smb_raw(514)
  receive_smb_raw: length < 0!
[2004/01/06 13:10:28, 10] libsmb/clientgen.c:client_receive_smb(65)
  client_receive_smb failed
[2004/01/06 13:10:28, 5] lib/util.c:show_msg(456)
[2004/01/06 13:10:28, 5] lib/util.c:show_msg(459)
  size=0
  smb_com=0x0
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=0
  smb_flg2=0
  smb_tid=0
  smb_pid=0
  smb_uid=0
  smb_mid=0
  smt_wct=0
  smb_bcc=0
[2004/01/06 13:10:28, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
  cli_pipe: return critical error. Error was Call timed out: server did not 
respond after 10000 milliseconds
[2004/01/06 13:10:28, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(298)
  error setting trust account password: NT_STATUS_UNSUCCESSFUL
Comment 4 Gerald (Jerry) Carter 2004-03-26 06:45:34 UTC
If the server does not respond, how is this our bug ?
Sorry, but I don't see the problem here.
Comment 5 Henrik Larsson 2004-03-26 07:30:15 UTC
Please look at the links to the debug files. There is reported different errors
on different methods of account creation is used.
Comment 6 Gerald (Jerry) Carter 2004-10-29 08:10:19 UTC
please retest against 3.0.8 (once it is released and report if 
not fixed).  There has been a lot of changes here since last march.
Comment 7 Gerald (Jerry) Carter 2005-08-24 10:19:37 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.