Been fighting this beast for about a week now, and I'm slowly going crazy.
I'm using Samba 3.6 with Kerberos 1.5.2 (Heimdal, but I've also tried the MIT version and had the same problems), trying to get it to join/auth against a Windows 2008R2 domain. Every time I run the net ads join command, I get the following failure (with debug 3 logging):
lp_load_ex: refreshing parameters
Initialising global parameters
params.cm_process() - Processing configuration file "/usr/local/etc/smb.conf"
Processing section "[global]"
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Unknown parameter encountered: "template primary group"
Ignoring unknown parameter "template primary group"
added interface em0 ip=10.21.20.109 bcast=10.21.23.255 netmask=255.255.252.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter pcarmichael's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'BRM-KRB'
domain_name : *
domain_name : 'BRMSTORAGE.COM'
account_ou : NULL
admin_account : 'pcarmichael'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Connecting to host=DC2.brmstorage.com
resolve_lmhosts: Attempting lmhosts lookup for name DC2.brmstorage.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name DC2.brmstorage.com<0x20>
resolve_wins: Attempting wins lookup for name DC2.brmstorage.com<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name DC2.brmstorage.com<0x20>
Connecting to 10.131.12.146 at port 445
Connecting to 10.131.12.146 at port 139
Doing spnego session setup (blob length=136)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 10.131.12.146
Connected to LDAP server DC2.brmstorage.com
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 18 Apr 2014 06:04:31 MDT
net: sha1 checksum failed
Abort (core dumped)
The exact same config works fine on Linux, however.
krb5.conf and samba.conf files:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = BRMSTORAGE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
[realms]
BRMSTORAGE.COM = {
kdc = dc1.brmstorage.com
kdc = dc3.brmstorage.com
kdc = dc4.brmstorage.com
kdc = dc5.brmstorage.com
kdc = dc2.brmstorage.com
}
[domain_realm]
.brmstorage.com = BRMSTORAGE.COM
brmstorage.com = BRMSTORAGE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 500
try_first_pass = true
}
SMB.conf:
#======================= Global Settings =====================================
[global]
workgroup = BRMSTORAGE
server string = Samba Server Version %v
netbios name = brm-krb
# --------------------------- Logging Options -----------------------------
log level = 3
# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 50
# ----------------------- Domain Members Options ------------------------
#
security = ADS
realm = BRMSTORAGE.COM
encrypt passwords = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-20000
idmap gid = 600-20000
template primary group = "Domain Users"
template shell = /sbin/nologin
allow trusted domains = Yes
server signing = mandatory
client signing = mandatory
client use spnego = Yes
ntlm auth = Yes
lanman auth = No
# ----------------------- Browser Control Options ----------------------------
preferred master = no
# --------------------------- Printing Options -----------------------------
load printers = no
printcap name = /etc/printcap
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
;[test]
; available = yes
; comment = Test Share
; path = /var/www/test
; writeable = yes
; browseable = yes
; invalid users = root
; create mask = 0660
; directory mask = 0770
; valid users = @DOMAIN+Group-Name
Anyone done this / had the same problem and figured it out? Googling it leads to some possible heimdal bugs, but all the threads go dead there and silent, as if each person involved suddenly found the issue and never followed up (or what they found made them get religion).
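Added example (editor's code, not from the question or from Samba): a small Python helper that decodes the SPNEGO OIDs and NTLMSSP neg_flags in the debug output above and lists the DES/RC4 enctypes the posted krb5.conf pins; the OID table and flag names are assumed from MS-SPNG/MS-NLMP, and the sample log lines are copied from the post.

```python
import re
# NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5); only the bits that matter for sign/seal/NTLMv2
NTLM_FLAGS = {
    0x1: "UNICODE", 0x4: "REQUEST_TARGET", 0x10: "SIGN", 0x20: "SEAL", 0x200: "NTLM",
    0x8000: "ALWAYS_SIGN", 0x10000: "TARGET_TYPE_DOMAIN", 0x80000: "EXTENDED_SESSIONSECURITY",
    0x800000: "TARGET_INFO", 0x2000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH",
    0x80000000: "56",
}
# SPNEGO mechanism OIDs seen in the question's log (MS-SPNG / RFC 4178)
MECH_OIDS = {
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX", "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "KRB5", "1.2.840.113554.1.2.2.3": "KRB5-user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "arcfour-hmac-md5", "arcfour-hmac"}

# Constructed sample: lines copied from the question's 'net ads join' debug-3 output
SAMPLE_LOG = """\
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
Got NTLMSSP neg_flags=0x62898215
Got NTLMSSP neg_flags=0x60088215
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
net: sha1 checksum failed
Abort (core dumped)
"""

def decode_ntlm_flags(value):
    """Names of the NTLMSSP negotiate flags set in value, lowest bit first."""
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if value & bit]

def triage(log):
    """Mechanisms offered, the last negotiated NTLMSSP flags, and the failing lines."""
    report = {"mechs": [], "final_flags": [], "fatal": []}
    for line in log.splitlines():
        if m := re.search(r"got OID=([\d.]+)", line):
            name = MECH_OIDS.get(m.group(1), m.group(1))
            if name not in report["mechs"]:
                report["mechs"].append(name)
        if m := re.search(r"neg_flags=0x([0-9a-fA-F]+)", line):
            report["final_flags"] = decode_ntlm_flags(int(m.group(1), 16))
        if "failed" in line or line.startswith("Abort"):
            report["fatal"].append(line.strip())
    return report

def weak_enctypes(krb5_conf):
    """Weak DES/RC4 enctypes listed in default_tgs/tkt_enctypes of a krb5.conf text."""
    found = set()
    for m in re.finditer(r"default_(?:tgs|tkt)_enctypes\s*=\s*(.+)", krb5_conf):
        found |= set(m.group(1).split()) & WEAK_ENCTYPES
    return sorted(found)
```

On the posted log the final flags show signing negotiated but not sealing for the NTLMSSP SMB session, while the failing lines come from the Kerberos path used for the LDAP SASL bind (ads_krb5_mk_req), which is where the ccache lookup and the checksum fail.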