Have you run:

net ads testjoin

Does it say "Join is OK"?

This might not be related...

I had to compile samba 3.0.33 to get around a Windows Domain restriction issue:
https://bugzilla.samba.org/show_bug.cgi?id=4771

The bug indicates that if the \NETLOGON pipe is opened up on the Windows AD server, the join works fine. As soon as it is restricted via domain policies, it restricts anonymous access to the ports. As soon as this happens, we are unable to complete a net join ads successfully.

- Avron

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Henrik Dige Semark
Sent: Thursday, January 08, 2009 9:13 AM
To: Samba list
Subject: [Samba] Samba + Windows 2003 AD

Hey, I don't know if this is the right list to ask this question in, but I have tried on the IRC (irc.freenode.net #samba) and people on there advised me to try here instead.

I have:
Debian 4.0r4
Samba version 3.0.24 - mail.birke-gym.dk - 10.3.16.1
krb5 Version 1.4.4-7etch6
Kernel Version 2.6.18-6-amd64

A Windows Server 2003 SP2 with AD/DC - bgdc.birke-gym.dk - 10.3.17.1

--------------------------------------------------------------------------------------
When I try to connect my samba to the DC I get this output:

# net ads join -U Administrator --debuglevel=10
[2009/01/08 17:10:15, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
[2009/01/08 17:10:15, 3] param/loadparm.c:lp_load(4953)
  lp_load: refreshing parameters
[2009/01/08 17:10:15, 3] param/loadparm.c:init_globals(1418)
  Initialising global parameters
[2009/01/08 17:10:15, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/01/08 17:10:15, 3] param/loadparm.c:do_section(3695)
  Processing section "[global]"
doing parameter server string = Debian 4.0 - Samba %v - BDC
doing parameter netbios name = mail
[2009/01/08 17:10:15, 4] param/loadparm.c:handle_netbios_name(3053)
  handle_netbios_name: set global_myname to: MAIL
doing parameter workgroup = UNDERVISNING
doing parameter display charset = ASCII
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2LE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS-2LE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-16LE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-16LE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2BE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS-2BE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-16BE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-16BE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF8
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF8
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-8
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-8
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset ASCII
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset ASCII
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset 646
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset 646
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset ISO-8859-1
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset ISO-8859-1
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS2-HEX
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS2-HEX
doing parameter unix charset = UTF-8
doing parameter dos charset = ASCII
doing parameter Inherit permissions = yes
doing parameter Inherit owner = yes
doing parameter security = ADS
doing parameter idmap uid = 500-10000000
doing parameter idmap gid = 500-10000000
doing parameter template shell = /bin/bash
doing parameter winbind use default domain = yes
doing parameter winbind separator = %
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter template homedir = /home/%D/%U
doing parameter client use spnego = yes
doing parameter password server = bgdc.birke-gym.dk
doing parameter encrypt passwords = Yes
doing parameter realm = UNDERVISNING.LOCAL
doing parameter wins server = bgdc.birke-gym.dk
doing parameter nt acl support = true
doing parameter os level = 1000
doing parameter preferred master = no
doing parameter domain master = no
doing parameter local master = no
doing parameter domain logons = no
doing parameter hide special files = Yes
doing parameter hide unreadable = Yes
doing parameter disable netbios = yes
doing parameter name resolve order = wins lmhosts hosts bcast
doing parameter log level = 10
doing parameter log file = /var/log/samba/UNDERVISNING
[2009/01/08 17:10:15, 4] param/loadparm.c:lp_load(4984)
  pm_process() returned Yes
[2009/01/08 17:10:15, 7] param/loadparm.c:lp_servicenumber(5120)
  lp_servicenumber: couldn't find homes
[2009/01/08 17:10:15, 10] param/loadparm.c:set_server_role(4229)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2009/01/08 17:10:15, 5] lib/util.c:init_names(286)
  Netbios name list:-
  my_netbios_names[0]="MAIL"
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
  added interface ip=194.182.87.97 bcast=194.182.87.127 nmask=255.255.255.128
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
  added interface ip=194.182.87.2 bcast=194.182.87.127 nmask=255.255.255.128
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
  added interface ip=194.182.87.98 bcast=194.182.87.127 nmask=255.255.255.128
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
  added interface ip=194.182.87.121 bcast=194.182.87.127 nmask=255.255.255.128
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
  added interface ip=10.3.255.1 bcast=10.3.255.255 nmask=255.255.255.0
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
  added interface ip=10.3.16.1 bcast=10.3.31.255 nmask=255.255.240.0
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
  added interface ip=10.3.2.250 bcast=10.3.3.255 nmask=255.255.254.0
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
  added interface ip=10.3.2.1 bcast=10.3.3.255 nmask=255.255.254.0
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
  added interface ip=10.8.0.1 bcast=10.8.0.255 nmask=255.255.255.0
Administrator's password:
[2009/01/08 17:10:19, 6] libads/ldap.c:ads_find_dc(224)
  ads_find_dc: looking for realm 'UNDERVISNING.LOCAL'
[2009/01/08 17:10:19, 8] libsmb/namequery.c:get_sorted_dc_list(1551)
  get_sorted_dc_list: attempting lookup using [ads]
[2009/01/08 17:10:19, 5] lib/gencache.c:gencache_init(61)
  Opening cache file at /var/run/samba/gencache.tdb
[2009/01/08 17:10:19, 10] lib/gencache.c:gencache_get(329)
  Cache entry with key = SAF/DOMAIN/UNDERVISNING.LOCAL couldn't be found
[2009/01/08 17:10:19, 5] libsmb/namequery.c:saf_fetch(105)
  saf_fetch: failed to find server for "UNDERVISNING.LOCAL" domain
[2009/01/08 17:10:19, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", bgdc.birke-gym.dk"
[2009/01/08 17:10:19, 10] libsmb/namequery.c:internal_resolve_name(1132)
  internal_resolve_name: looking up bgdc.birke-gym.dk#20
[2009/01/08 17:10:19, 10] lib/gencache.c:gencache_get(304)
  Returning valid cache entry: key = NBT/BGDC.BIRKE-GYM.DK#20, value = 10.3.17.1:0, timeout = Thu Jan 8 17:20:53 2009
[2009/01/08 17:10:19, 5] libsmb/namecache.c:namecache_fetch(201)
  name bgdc.birke-gym.dk#20 found.
[2009/01/08 17:10:19, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2009/01/08 17:10:19, 4] libsmb/namequery.c:get_dc_list(1529)
  get_dc_list: returning 1 ip addresses in an ordered list
[2009/01/08 17:10:19, 4] libsmb/namequery.c:get_dc_list(1530)
  get_dc_list: 10.3.17.1:389
[2009/01/08 17:10:19, 5] libads/ldap.c:ads_try_connect(127)
  ads_try_connect: sending CLDAP request to 10.3.17.1 (realm: UNDERVISNING.LOCAL)
[2009/01/08 17:10:19, 10] libsmb/namequery.c:saf_store(71)
  saf_store: domain = [UNDERVISNING], server = [10.3.17.1], expire = [1231431919]
[2009/01/08 17:10:19, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = SAF/DOMAIN/UNDERVISNING; value = 10.3.17.1 and timeout = Thu Jan 8 17:25:19 2009 (900 seconds ahead)
[2009/01/08 17:10:19, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 10.3.17.1

==== STOPS HERE FOR ABOUT 30 SEC ====

[2009/01/08 17:10:24, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Operations error
[2009/01/08 17:10:24, 2] utils/net.c:main(988)
  return code = -1

--------------------------------------------------------------------------------------
Windows Server Event log:
=======
Windows Server Event - [22:56:34]
Successful Network Logon:
    User Name: BGDC$
    Domain: UNDERVISNING
    Logon ID: (0x0,0x1C82893)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {791dbfae-1330-1cc3-24ee-538ed69bc9d8}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 10.3.17.1
    Source Port: 4831

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
======================================
Windows Server Event - [22:56:34]
Special privileges assigned to new logon:
    User Name: BGDC$
    Domain: UNDERVISNING
    Logon ID: (0x0,0x1C82893)
    Privileges: SeSecurityPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeTakeOwnershipPrivilege
                SeDebugPrivilege
                SeSystemEnvironmentPrivilege
                SeLoadDriverPrivilege
                SeImpersonatePrivilege
                SeEnableDelegationPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
======================================
Windows Server Event - [23:01:34]
User Logoff:
    User Name: BGDC$
    Domain: UNDERVISNING
    Logon ID: (0x0,0x1C82893)
    Logon Type: 3

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--------------------------------------------------------------------------------------
My klist:
=======
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
01/04/09 16:36:47  01/04/09 23:16:47  krbtgt/[email protected]

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

--------------------------------------------------------------------------------------
smb.conf
=======
cat /etc/samba/smb.conf | grep -v "#"
[global]
    dos charset = ASCII
    display charset = ASCII
    workgroup = UNDERVISNING
    realm = UNDERVISNING.LOCAL
    server string = Debian 4.0 - Samba %v - BDC
    security = ADS
    password server = bgdc.birke-gym.dk
    log level = 10
    log file = /var/log/samba/UNDERVISNING
    disable netbios = Yes
    name resolve order = wins lmhosts hosts bcast
    os level = 1000
    preferred master = No
    local master = No
    domain master = No
    wins server = bgdc.birke-gym.dk
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    template shell = /bin/bash
    winbind separator = %
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    inherit permissions = Yes
    inherit owner = Yes
    hide special files = Yes
    hide unreadable = Yes

[homes]
    comment = Home Directories
    valid users = %U
    read only = No
    browseable = No

--------------------------------------------------------------------------------------
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
^C

--------------------------------------------------------------------------------------
krb5.conf
======
[logging]
    default = FILE:/var/log/krb5libs.log
    #kdc = FILE:/var/log/krb5kdc.log
    #admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = UNDERVISNING.LOCAL
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
#================ Birke-gym.dk =========================
    UNDERVISNING.LOCAL = {
        kdc = bgdc.birke-gym.dk
        admin_server = bgdc.birke-gym.dk
        default_domain = UNDERVISNING.LOCAL
    }

[domain_realm]
    .undervisning.local = UNDERVISNING.LOCAL
    undervisning.local = UNDERVISNING.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false

--------------------------------------------------------------------------------------
# cat /etc/hosts
127.0.0.1 localhost mail
127.0.1.1 mail.birke-gym.dk mail
10.3.17.1 bgdc.birke-gym.dk bgdc

--------------------------------------------------------------------------------------
Any suggestions?
And how much do I have to set up on the Windows Server? I have created a krb. trust on it and I use the pass I gave there, but is there more I have to set?

Sorry for my bad English, and if there is anything plz feel free to write, all help is received with love

----
Med Venlig Hilsen / Best regards
Henrik Dige Semark

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
