According to Jim McDonough j...@samba.org:
> On Mon, May 21, 2012 at 12:17 PM, alex.rans...@free.fr wrote:
> > We're having trouble joining an AD domain with 3.6.5
> > This message when running net join looks fishy :
> > got principal=not_defined_in_RFC4178@please_ignore

> I'm sure it looks fishy, but it's not. This is normal for newer
> versions of windows (windows is sending it back).

> > OS : Solaris 10 x64
> > Kerberos : MIT krb5 1.10.1
> > DC servers are running Windows 2008
> > The error message is :
> > ./net join -U aranskis
> > Enter aranskis's password:
> > Failed to join domain: failed to lookup DC info for domain 'CORP.NET'
> > over rpc: Logon failure
> > ADS join did not work, falling back to RPC...
> > Unable to find a suitable server for domain CORP
> > Unable to find a suitable server for domain CORP
> > with -d9, here's the hopefully relevant output :
> > ads_dns_lookup_srv: 18 records returned in the answer section.
> > namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253,
> > [List of
> > DCs IP follows]
> > [..]
> > Successfully contacted LDAP server 10.219.244.253
> > [..]
> > got principal=not_defined_in_RFC4178@please_ignore
> > [..]

> What's cut out here might be more helpful. However, please see below
> and try that first.

> > SPNEGO login failed: Logon failure
> > failed session setup with NT_STATUS_LOGON_FAILURE
> > libnet_Join:
> > libnet_JoinCtx: struct libnet_JoinCtx
> > out: struct libnet_JoinCtx
> > account_name : NULL
> > netbios_domain_name : NULL
> > dns_domain_name : NULL
> > forest_name : NULL
> > dn : NULL
> > domain_sid : NULL
> > domain_sid : (NULL SID)
> > modified_config : 0x00 (0)
> > error_string : 'failed to lookup DC info for domain
> > 'CIB.NET' over rpc: Logon failure'
> > domain_is_ad : 0x00 (0)
> > result : WERR_LOGON_FAILURE
> > relevant configuration options :
> > [global]
> > realm=CORP.NET
> > workgroup=CORP.NET

> Please try changing this to just CORP (or whatever the short netbios
> name is for the domain...not the dns name).

> > security=ADS
> > encrypt passwords = yes
> > bind interfaces only = true
> > interfaces = msusersncs
> > Any hints on the best way to try and figure out what is wrong when
> > trying to register in the AD ?
> > (the same config worked with samba 3.4.x, but the DCs were running Windows
> > 2003)
Still stuck, if anyone can help me find what looks wrong in the log below when
trying to join the domain, I'd be most grateful !
(In addition to Jim's suggestion I have also tried reverting to the previous
security default : client ntlmv2 auth, client use spnego, send spnego principal
- which didn't help either)
check_negative_conn_cache returning result 0 for domain CORP.NET server
10.220.244.253
ads_try_connect: sending CLDAP request to 10.220.244.253 (realm: CORP.NET)
Successfully contacted LDAP server 10.220.244.253
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'MSUSERSNCS'
domain_name : *
domain_name : 'CORP.NET'
account_ou : NULL
admin_account: 'aranskis'
machine_password : NULL
join_flags : 0x0023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
...skipping...
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx