Hello,

I've been trying to get samba installed and connecting to a Win2k03 AD using RFC2307 and having problems getting it to join the domain. I've got a 6.2 machine which is working with nearly the same configuration (I think the only differences are the idmap backends).

I installed from the port after enabling the ADS support (and EXP_MODULES as I want the idmap backends provided there). I installed the openldap23-sasl-client as that is what I installed on the 6.2 machine (somewhere I read that was needed for things to work correctly).

I copied a working krb5.conf file from my 6.2 machine and verified that I could successfully do kinit (this works great, I get a ticket for myself).

However, when I try to do the net ads join command (after I kinit as the user who has permission to add the computer account to AD), I get prompted for my password, and then get the "Response too big for UDP, retry with TCP" error and am unable to join the domain. I *thought* that I didn't get prompted for my password with the 6.2 machine, but it has been since last summer that I set it up.

I see that net ads join creates its own krb5.conf file in /var/db/samba/smb_krb5/krb5.conf.IASTATE which doesn't have the tcp/ service flag preceding the IP addresses.

I ran the command with debug level at 10, and after a whole bunch of query stuff after it asked for my password, I got this:

------------
[2008/04/09 15:42:44, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2008/04/09 15:42:44, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
[2008/04/09 15:42:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2008/04/09 15:42:44, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
ads_sasl_spnego_krb5_bind failed with: No such file or directory, calling kinit
[2008/04/09 15:42:44, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/db/samba/smb_krb5/krb5.conf.IASTATE]
[2008/04/09 15:42:44, 0] libads/kerberos.c:ads_kinit_password(228)
kerberos_kinit_password [EMAIL PROTECTED] failed: Response too big for UDP, retry with TCP
[2008/04/09 15:42:44, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Response too big for UDP, retry with TCP
Failed to join domain: NT_STATUS_PROTOCOL_UNREACHABLE
[2008/04/09 15:42:44, 2] utils/net.c:main(1036)
  return code = -1
-------------------

Does any of this mean anything to anybody? I thought from reading the samba docs that it would automatically retry with TCP when it got this error. I can't find a whole lot on the net -- what I did find, people weren't able to successfully kinit at the command prompt either, but that works for me.

--
Stephanie Bridges
Department of Economics
Iowa State University
[EMAIL PROTECTED]

"A positive attitude may not solve all your problems, but it will
annoy enough people to make it worth the effort." --Herm Albright
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
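Added example (not part of the original post and not Samba code): a small Python check for the situation described above. It pulls the krb5 config path out of the `net ads join` debug output and lists the `kdc` entries in that file that lack the `tcp/` prefix the post mentions. The log lines, realm name and addresses below are constructed samples.

```python
import re

# Constructed sample: two lines shaped like the debug output in the post.
SAMPLE_LOG = """\
kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/db/samba/smb_krb5/krb5.conf.IASTATE]
kerberos_kinit_password user@EXAMPLE.TEST failed: Response too big for UDP, retry with TCP
"""

# Constructed krb5.conf content (realm and addresses are placeholders).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
[realms]
    EXAMPLE.TEST = {
        kdc = 192.0.2.10
        kdc = tcp/192.0.2.11
    }
"""

def config_used(log_text):
    """Return the krb5 config path named in the kinit debug line, or None."""
    m = re.search(r"as ccache and config \[([^\]]+)\]", log_text)
    return m.group(1) if m else None

def udp_too_big(log_text):
    """True if the log contains the UDP size failure quoted in the post."""
    return "Response too big for UDP" in log_text

def kdcs_without_tcp(conf_text):
    """List kdc values under [realms] that do not start with tcp/."""
    found, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        m = re.fullmatch(r"kdc\s*=\s*(\S+)", line)
        if section == "realms" and m and not m.group(1).lower().startswith("tcp/"):
            found.append(m.group(1))
    return found

if __name__ == "__main__":
    if udp_too_big(SAMPLE_LOG):
        print("config in use:", config_used(SAMPLE_LOG))
        print("kdc entries without tcp/:", kdcs_without_tcp(SAMPLE_CONF))
```

To use it on a real system, feed the saved debug output to `config_used()` and the contents of the file it names to `kdcs_without_tcp()`.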