Re: Re : Problem with Winbind

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Robert;
 
Its OK i have resolved the time problem between linux and Windows servers.
But I have strange behavior when I join the AD server with ADS protocol : a Segmentation fault :
 
# net ads join -S CINVW067 -U administrateur%XXX -d3
[2011/11/18 16:38:45,  3] param/loadparm.c:9180(lp_load_ex)
  lp_load_ex: refreshing parameters
[2011/11/18 16:38:45,  3] param/loadparm.c:4948(init_globals)
  Initialising global parameters
[2011/11/18 16:38:45,  2] param/loadparm.c:4807(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2011/11/18 16:38:45.611969,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2011/11/18 16:38:45.612040,  3] param/loadparm.c:7864(do_section)
  Processing section "[global]"
[2011/11/18 16:38:45.613778,  2] lib/interface.c:340(add_interface)
  added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
[2011/11/18 16:38:45.613832,  2] lib/interface.c:340(add_interface)
  added interface eth0 ip=fe80::250:56ff:fea4:39b6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
[2011/11/18 16:38:45.613891,  2] lib/interface.c:340(add_interface)
  added interface eth0 ip=187.0.22.177 bcast=187.0.23.255 netmask=255.255.248.0
[2011/11/18 16:38:45.614224,  1] libnet/libnet_join.c:1924(libnet_Join)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          in: struct libnet_JoinCtx
              dc_name                  : 'CINVW067'
              machine_name             : 'CILVS049'
              domain_name              : *
                  domain_name              : 'P9BIS.NEOPLUS.LAPOSTE.POC'
              account_ou               : NULL
              admin_account            : 'administrateur'
              admin_password           : *
              machine_password         : NULL
              join_flags               : 0x00000023 (35)
                     0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
              os_version               : NULL
              os_name                  : NULL
              create_upn               : 0x00 (0)
              upn                      : NULL
              modify_config            : 0x00 (0)
              ads                      : NULL
              debug                    : 0x01 (1)
              use_kerberos             : 0x00 (0)
              secure_channel_type      : SEC_CHAN_WKSTA (2)
[2011/11/18 16:38:45.614849,  3] libsmb/cliconnect.c:2212(cli_start_connection)
  Connecting to host=CINVW067
[2011/11/18 16:38:45.615392,  3] lib/util_sock.c:979(open_socket_out_send)
  Connecting to 187.0.17.104 at port 445
[2011/11/18 16:38:45.619155,  3] lib/util_sock.c:979(open_socket_out_send)
  Connecting to 187.0.17.104 at port 139
[2011/11/18 16:38:45.620528,  3] libsmb/cliconnect.c:991(cli_session_setup_spnego)
  Doing spnego session setup (blob length=136)
[2011/11/18 16:38:45.620675,  3] libsmb/cliconnect.c:1020(cli_session_setup_spnego)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2011/11/18 16:38:45.620725,  3] libsmb/cliconnect.c:1030(cli_session_setup_spnego)
  got principal=not_defined_in_RFC4178@please_ignore
[2011/11/18 16:38:45.621464,  3] libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
  Got challenge flags:
[2011/11/18 16:38:45.621508,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2011/11/18 16:38:45.621526,  3] libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2011/11/18 16:38:45.621537,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2011/11/18 16:38:45.621668,  3] libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2011/11/18 16:38:45.621709,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2011/11/18 16:38:45.704425,  3] libads/ldap.c:634(ads_connect)
  Successfully contacted LDAP server 187.0.17.104
[2011/11/18 16:38:45.706539,  3] libads/ldap.c:688(ads_connect)
  Connected to LDAP server CINVW067.p9bis.neoplus.laposte.poc
[2011/11/18 16:38:45.708416,  3] libads/sasl.c:784(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2011/11/18 16:38:45.708459,  3] libads/sasl.c:784(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2011/11/18 16:38:45.708475,  3] libads/sasl.c:784(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2011/11/18 16:38:45.708488,  3] libads/sasl.c:784(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2011/11/18 16:38:45.708501,  3] libads/sasl.c:784(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2011/11/18 16:38:45.708514,  3] libads/sasl.c:793(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
[2011/11/18 16:38:45.709568,  3] libsmb/clikrb5.c:777(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2011/11/18 16:38:45.741849,  3] libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 18 Nov 2011 23:18:45 CET
[2011/11/18 16:38:45.741987,  3] libsmb/clikrb5.c:830(ads_krb5_mk_req)
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2011/11/18 16:38:45.748606,  3] libads/ldap.c:2910(ads_domain_func_level)
  ads_domain_func_level: 4
[2011/11/18 16:38:45.748700,  3] libads/kerberos.c:445(kerberos_secrets_store_des_salt)
  kerberos_secrets_store_des_salt: Storing salt "host/cilvs049.p9bis.neoplus.laposte.poc@xxxxxxxxxxxxxxxxxxxxxxxxx"
[2011/11/18 16:38:45.751892,  3] libads/kerberos_keytab.c:64(smb_krb5_kt_add_entry_ext)
  smb_krb5_kt_add_entry_ext: Will try to delete old keytab entries
Segmentation fault

 
With RPC protocol it works but I have the error : "NT_STATUS_ACCESS_DENIED" ?
 
# net rpc join -S CINVW067 -U administrateur%XXX -d3

[2011/11/18 16:36:08,  3] param/loadparm.c:9180(lp_load_ex)
  lp_load_ex: refreshing parameters
[2011/11/18 16:36:08,  3] param/loadparm.c:4948(init_globals)
  Initialising global parameters
[2011/11/18 16:36:08,  2] param/loadparm.c:4807(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2011/11/18 16:36:08.913273,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2011/11/18 16:36:08.913340,  3] param/loadparm.c:7864(do_section)
  Processing section "[global]"
[2011/11/18 16:36:08.915286,  2] lib/interface.c:340(add_interface)
  added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
[2011/11/18 16:36:08.915361,  2] lib/interface.c:340(add_interface)
  added interface eth0 ip=fe80::250:56ff:fea4:39b6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
[2011/11/18 16:36:08.915421,  2] lib/interface.c:340(add_interface)
  added interface eth0 ip=187.0.22.177 bcast=187.0.23.255 netmask=255.255.248.0
lp_load_ex: refreshing parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=fe80::250:56ff:fea4:39b6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=187.0.22.177 bcast=187.0.23.255 netmask=255.255.248.0
Connecting to host=CINVW067
Connecting to 187.0.17.104 at port 445
rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Connecting to host=CINVW067
Connecting to 187.0.17.104 at port 445
Doing spnego session setup (blob length=136)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Connecting to host=CINVW067
Connecting to 187.0.17.104 at port 445
Doing spnego session setup (blob length=136)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Joined domain P9BIS.
return code = 0
 
I don't know its OK or not ?

Regards

--- En date de : Ven 18.11.11, djamel boussebha <dboussebha@xxxxxxxx> a écrit :


De: djamel boussebha <dboussebha@xxxxxxxx>
Objet: Re:  Re : Problem with Winbind
À: samba@xxxxxxxxxxxxxxx, "Robert Freeman-Day" <presgas@xxxxxxxxx>
Date: Vendredi 18 novembre 2011, 11h20







Hi;
 
I have modify my /etc/hosts in adding a entry and "ads" works fine but when I try to join AD, I have the following error message :
 
# net ads join -S 221.221.17.104 -U administrateur
Enter administrateur's password:
[2011/11/18 11:06:09.010144,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database
 
May be I use a old Kerberos version ?
 
Any idea ?
 
Regards;


--- En date de : Ven 18.11.11, djamel boussebha <dboussebha@xxxxxxxx> a écrit :


De: djamel boussebha <dboussebha@xxxxxxxx>
Objet: Re:  Re : Problem with Winbind
À: samba@xxxxxxxxxxxxxxx, "Robert Freeman-Day" <presgas@xxxxxxxxx>
Date: Vendredi 18 novembre 2011, 10h02







Hi Robert;
 
Exactly my Suse Linux server it sync with a time server (221.128.17.234) :
 
# /etc/init.d/ntp restart
Shutting down network time protocol daemon (NTPD)                     done
Try to get initial date and time via NTP from 221.128.17.234          done
Starting network time protocol daemon (NTPD) 
 
When I execute the date/time are correct :
# date
Fri Nov 18 09:59:07 CET 2011

My Windows 2008 R2 server its also sync with the same time server (221.128.17.234) :
 
#w32tm /query /configuration
....
EventLogFlags: 1 (Locale)
LargeSampleSkew: 3 (Locale)
SpecialPollInterval: 3600 (Locale)
Type: NTP (Locale)
NtpServer: "221.128.17.234" (Locale)

The time showing with "net" is the time on the windows server ?

# net ads info - U administrateur
..> Server time: Thu, 01 Jan 1970 01:00:00 CET

How resolve this time problem ?
 
Regards

--- En date de : Jeu 17.11.11, Robert Freeman-Day <presgas@xxxxxxxxx> a écrit :


De: Robert Freeman-Day <presgas@xxxxxxxxx>
Objet: Re:  Re : Problem with Winbind
À: samba@xxxxxxxxxxxxxxx
Date: Jeudi 17 novembre 2011, 17h46


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/17/2011 06:09 AM, djamel boussebha wrote:
> Hi;
>  
> I would like to set the file /etc/krb5.keytab  for apache :
>  
> # net ads keytab add HTTP -U compte_admin_dom1
> Processing principals to add...
> Enter administrateur's password:
> # ktutil
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> ktutil:
> 
> The file is empty ?
> May be that this problem is linked to the command "net ads" ? because when I try to join the AD :
> # net ads join -U administrateur@xxxxxxxxxxxxxxxxxxxxxxxxx
> Enter administrateur@xxxxxxxxxxxxxxxxxxxxxxxxx's password:
> Failed to join domain: failed to find DC for domain P9BIS.NEOPLUS.LAPOSTE.POC
>  
> But with "rpc" it works :
>  
> # net rpc join -U administrateur@xxxxxxxxxxxxxxxxxxxxxxxxx
> Enter administrateur@xxxxxxxxxxxxxxxxxxxxxxxxx's password:
> Joined domain P9BIS.
>  
> When I execute :  # net ads info - U administrateur
> Failed to get server's current time!
> LDAP server: 187.0.17.104
> LDAP server name: CINVW067.p9bis.neoplus.laposte.poc
> Realm: P9BIS.NEOPLUS.LAPOSTE.POC
> Bind Path: dc=P9BIS,dc=NEOPLUS,dc=LAPOSTE,dc=POC
> LDAP port: 389
> Server time: Thu, 01 Jan 1970 01:00:00 CET
> KDC server: 187.0.17.104
> 
> And # net rpc info -U administrateur
> Enter administrateur's password:
> Domain Name: P9BIS
> Domain SID: S-1-5-21-254703050-2859693384-3493432365
> Sequence number: 1
> Num users: 50
> Num domain groups: 0
> Num local groups: 12
>  
> The 2 commands # wbinfo -u  and wbinfo -g no returns any values for users/groups ?
> The kinit works fine :
>  # kinit administrateur@xxxxxxxxxxxxxxxxxxxxxxxxx
> Password for administrateur@xxxxxxxxxxxxxxxxxxxxxxxxx:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrateur@xxxxxxxxxxxxxxxxxxxxxxxxx
> Valid starting     Expires            Service principal
> 11/17/11 12:05:00  11/17/11 22:05:03  krbtgt/P9BIS.NEOPLUS.LAPOSTE.POC@xxxxxxxxxxxxxxxxxxxxxxxxx
>         renew until 11/18/11 12:05:00
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>  
> Impossible to join the AD serveur with "ads" :
> # net ads testjoin
> Join to domain is not valid: Operations error
> # net rpc testjoin
> Join to 'P9BIS' is OK
>  
> How make work correctly the "ads" and how get the list of users of the AD domain ?
> 
> Any help would be very appreciated.
>  
> Regards
> 
>  
> 
> 
>  
>  
>  
>  
> 
> 
> --- En date de : Mer 16.11.11, djamel boussebha <dboussebha@xxxxxxxx> a écrit :
> 
> 
> De: djamel boussebha <dboussebha@xxxxxxxx>
> Objet: Problem with Winbind
> À: "samba@xxxxxxxxxxxxxxx" <samba@xxxxxxxxxxxxxxx>, "foedisch@xxxxxxxxxx" <foedisch@xxxxxxxxxx>, "AndrewPhilipoff" <aphilipoff@xxxxxxxxxxxxxxxxx>
> Date: Mercredi 16 novembre 2011, 17h24
> 
> 
> 
> 
> 
> 
> 
> Hi;
>  
> wbinfo can not get the user names and group names of my AD domain (Windows 2008 SP2)
> The result for "wbinfo -t" is ok :
> "checking the trust secret for domain P9BIS via RPC calls succeeded"
> But when i try to get wbinfo -n "USER1" or wbinfo -r "USER1" it shows this error message:  "Could not lookup name USER1"
> I use Samba version : 3.5.12.
> 
> Any help would be very appreciated... thanks to anyone!
> 
I noticed the server time has the year 1970.  The ads methods use
kerberos and that is time sensitive.  Get the accurate date/time and
things should start working for you.  Perhaps have it sync with a time
server.

Robert

- -- 
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7FOnEACgkQup357T5MfTZ5IgCg0kqoEoWaDT2ayt2XjKW5RJs0
+LEAnAgyCHQw5JtlXHxrX6EuZ2VHaBbC
=tSUp
-----END PGP SIGNATURE-----
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



[Index of Archives]     [Info Cyrus]     [LARTC]     [Bugtraq]     [Netfilter]     [RAID]     [Trinity TED Users]     [Yosemite News]
  Powered by Linux