[Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread D G Teed
I've been able to use security = ads in smb.conf, and connect OK,
but it must be falling back to domain.  When I run net ads join
I get the error (debug trace below):

ads_connect: No logon servers

Here is my krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = BEER
[realms]
 BEER = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = BEER
 .beer.ca = BEER

Here is my rpc join status:
# net rpc testjoin
Join to 'BEER' is OK

Here is my attempt to graduate this to ADS levels, with debug:

# net ads join -Ubeeruser%beeruserpw -d3
[2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
  lp_load: refreshing parameters
[2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
  Initialising global parameters
[2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
[2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
  Processing section [global]
[2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
  added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
[2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
  added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: ADC2, 111.111.200.67
[2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 111.111.200.66 failed.
[2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 111.111.200.67 failed.
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: ADC2, 111.111.200.67
[2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
  Could not look up dc's for domain BEER
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: ADC2, 111.111.200.67
[2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: ADC2, 111.111.200.67
[2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
[2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: No logon servers
Failed to join domain: No logon servers
[2008/01/30 11:06:08, 2] utils/net.c:main(1032)
  return code = -1

Can this user achieve such a goal?

Here is beeruser's rights via rpc:
net rpc rights list -Ubeeruser
Password:
 SeMachineAccountPrivilege  Add machines to domain
 SeTakeOwnershipPrivilege   Take ownership of files or other objects
 SeBackupPrivilege          Back up files and directories
 SeRestorePrivilege         Restore files and directories
 SeRemoteShutdownPrivilege  Force shutdown from a remote system
 SePrintOperatorPrivilege   Manage printers
 SeAddUsersPrivilege        Add users and groups to the domain
 SeDiskOperatorPrivilege    Manage disk shares

I've had various toggles done to my smb.conf, but here is what the
global section of smb.conf looks like at the moment, following the
hints of someone else who solved this on the list...

[global]
netbios name = www2
workgroup = BEER
unix charset = LOCALE
realm = BEER
server string = Web Server
security = ADS
password server = 111.111.200.67
idmap backend = rid:BEER=5000-1
idmap uid = 1-1000
idmap gid = 1-1000
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
allow trusted domains = No
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = No
winbind use default domain = Yes
hosts allow = 111.111.
encrypt passwords = yes

I had great results with the last question I put on the list.  I hope
someone can help us graduate to ads with kerberos level authentication.

It feels like there is something missing on the AD end, but I know
nothing about this other than that it is Windows Server 2003 and it
has been in production for a while with good performance.

--Donald
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven
D G Teed wrote:
 I've been able to use security = ads in smb.conf, and connect OK,
 but it must be falling back to domain.  When I run net ads join
 I get the error (debug trace below):
 
 ads_connect: No logon servers
 
 Here is my krb5.conf:
 
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = BEER
 [realms]
  BEER = {
   kdc = ADC1.AD.BEERU.CA
  }
 [domain_realm]
  beer.ca = BEER
  .beer.ca = BEER

This should be a mapping from DNS domain to Kerberos REALM.
Going by the kdc name, what you probably want is:
beer.ca = AD.BEERU.CA
.beer.ca = AD.BEERU.CA
www2.beer.ca = AD.BEERU.CA


 
 Here is my rpc join status:
 # net rpc testjoin
 Join to 'BEER' is OK
 
 Here is my attempt to graduate this to ADS levels, with debug:
 
 # net ads join -Ubeeruser%beeruserpw -d3
 [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
   lp_load: refreshing parameters
 [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
   Initialising global parameters
 [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
   params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
 [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
   Processing section [global]
 [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
   added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
 [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
   added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
 [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: ADC2, 111.111.200.67
 [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
   Failed to parse cldap reply
 [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
   ads_try_connect: CLDAP request 111.111.200.66 failed.
 [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
   Failed to parse cldap reply
 [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
   ads_try_connect: CLDAP request 111.111.200.67 failed.
 [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: ADC2, 111.111.200.67
 [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
   Could not look up dc's for domain BEER
 [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: ADC2, 111.111.200.67
 [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: ADC2, 111.111.200.67
 [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
   ads_connect: No logon servers
 [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
   error on ads_startup: No logon servers
 Failed to join domain: No logon servers
 [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
   return code = -1
 
 Can this user achieve such a goal?
 
 Here is beeruser's rights via rpc:
 net rpc rights list -Ubeeruser
 Password:
  SeMachineAccountPrivilege  Add machines to domain
  SeTakeOwnershipPrivilege   Take ownership of files or other objects
  SeBackupPrivilege          Back up files and directories
  SeRestorePrivilege         Restore files and directories
  SeRemoteShutdownPrivilege  Force shutdown from a remote system
  SePrintOperatorPrivilege   Manage printers
  SeAddUsersPrivilege        Add users and groups to the domain
  SeDiskOperatorPrivilege    Manage disk shares
 
 I've had various toggles done to my smb.conf, but here is what the
 global section of smb.conf looks like at the moment, following the
 hints of someone else who solved this on the list...
 
 [global]
 netbios name = www2
 workgroup = BEER
 unix charset = LOCALE
 realm = BEER

Same here.
   realm = AD.BEERU.CA

 server string = Web Server
 security = ADS
 password server = 111.111.200.67
 idmap backend = rid:BEER=5000-1
 idmap uid = 1-1000
 idmap gid = 1-1000
 template shell = /bin/bash
 winbind use default domain = Yes
 winbind enum users = Yes
 winbind enum groups = Yes
 allow trusted domains = No
 log level = 3
 log file = /var/log/samba/%m.log
 max log size = 50
 dns proxy = No
 winbind use default domain = Yes
 hosts allow = 111.111.
 encrypt passwords = yes
 
 I had great results with the last question I put on the list.  I hope
 someone can help us graduate to ads with kerberos level authentication.
 
 It feels like there is something missing on the AD end, but I know
 nothing about this other than that it is Windows Server 2003 and it
 has been in production for a while with good performance.
 

There may be something else, but the REALM is what jumped out at me.

Regards, Doug

Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread D G Teed
Thanks very much, Douglas.  That did the trick.
I had not understood what realm represented in a DNS-style domain.

It is also confusing that one lists a realm section,
defining it...

BEER = {
   kdc = ADC1.AD.BEERU.CA
}

But then when providing the realm name in smb.conf, the
handle isn't BEER, but rather the subdomain in
which the AD controller lives.

Regards,

--Donald

On Jan 30, 2008 3:37 PM, Douglas VanLeuven [EMAIL PROTECTED] wrote:
 Douglas VanLeuven wrote:
  D G Teed wrote:
  I've been able to use security = ads in smb.conf, and connect OK,
  but it must be falling back to domain.  When I run net ads join
  I get the error (debug trace below):
 
  ads_connect: No logon servers
 
  Here is my krb5.conf:
 
  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log
  [libdefaults]
   default_realm = BEER
  [realms]
   BEER = {
    kdc = ADC1.AD.BEERU.CA
   }

 Missed this on the last post.
   default realm = AD.BEERU.CA

 Doug



Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven
Douglas VanLeuven wrote:
 D G Teed wrote:
 I've been able to use security = ads in smb.conf, and connect OK,
 but it must be falling back to domain.  When I run net ads join
 I get the error (debug trace below):

 ads_connect: No logon servers

 Here is my krb5.conf:

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = BEER
 [realms]
  BEER = {
   kdc = ADC1.AD.BEERU.CA
  }

Missed this on the last post.
  default realm = AD.BEERU.CA

Doug


Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven
D G Teed wrote:
 Thanks very much, Douglas.  That did the trick.
 I had not understood what realm represented in a DNS-style domain.
 
 It is also confusing that one lists a realm section,
 defining it...
 
 BEER = {
    kdc = ADC1.AD.BEERU.CA
 }

Sorry, missed that one too.  Should be
AD.BEERU.CA = {
   kdc = ADC1.AD.BEERU.CA
}

It's just that Kerberos doesn't know anything about workgroups in
Windows, and so there shouldn't be any workgroup names in krb5.conf,
only DNS names and REALM names.  It worked because Samba picked up the
Kerberos kdc from SRV records in DNS.  BEER defines the .BEER realm,
which doesn't exist.


 
 But then when providing the realm name in smb.conf, the
 handle isn't BEER, but rather the subdomain in
 which the AD controller lives.
 
 Regards,
 
 --Donald
 
 On Jan 30, 2008 3:37 PM, Douglas VanLeuven [EMAIL PROTECTED] wrote:
 Douglas VanLeuven wrote:
 D G Teed wrote:
 I've been able to use security = ads in smb.conf, and connect OK,
 but it must be falling back to domain.  When I run net ads join
 I get the error (debug trace below):

 ads_connect: No logon servers

 Here is my krb5.conf:

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = BEER
 [realms]
  BEER = {
   kdc = ADC1.AD.BEERU.CA
  }
 Missed this on the last post.
   default realm = AD.BEERU.CA

 Doug


Regards, Doug
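Doug's rule (krb5.conf carries only DNS names and REALM names, and the smb.conf realm must name that same REALM) can be checked mechanically before running net ads join. The following is an added example, not code from the thread or from Samba: a hand-written parser for the krb5.conf subset shown here, plus a checker that flags a realm name with no dots (a workgroup name, as BEER was), a default_realm or [domain_realm] target without a [realms] block, and an smb.conf realm that disagrees with default_realm. The sample configs are constructed from the thread's own values.

```python
import re

# Constructed samples: the poster's krb5.conf (minus [logging]) and Doug's fix.
BROKEN_KRB5 = """\
[libdefaults]
 default_realm = BEER
[realms]
 BEER = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = BEER
 .beer.ca = BEER
"""
# In the fixed file the realm is the AD DNS domain; \b keeps BEERU untouched.
FIXED_KRB5 = re.sub(r"\bBEER\b", "AD.BEERU.CA", BROKEN_KRB5)

def parse_krb5(text):
    """Minimal krb5.conf parser; 'NAME = { ... }' blocks become nested dicts."""
    conf, section, block = {}, {}, None
    # Strip comments and skip blank lines as we go.
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif line == "}":
            block = None
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block[key] = val
            else:
                section[key] = val
    return conf

def check_realms(krb5_text, smb_realm):
    """Return findings as strings; an empty list means the realm names agree."""
    conf = parse_krb5(krb5_text)
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    names = set(realms) | ({default} if default else set())
    # A realm without dots is a NetBIOS workgroup name, not a Kerberos realm.
    out = [f"'{n}' is not a DNS-style realm name" for n in sorted(names) if "." not in n]
    if default not in realms:
        out.append(f"default_realm {default} has no [realms] block")
    out += [f"[domain_realm] {d} -> undefined realm {r}"
            for d, r in conf.get("domain_realm", {}).items() if r not in realms]
    if smb_realm.upper() != (default or "").upper():
        out.append(f"smb.conf realm {smb_realm} does not match default_realm {default}")
    return out
```

Running check_realms(BROKEN_KRB5, "BEER") reports the single dotless realm, while check_realms(FIXED_KRB5, "AD.BEERU.CA") returns an empty list.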