[Samba] Samba 4 KVNO mismatch - Failure to join AD domain (Windows & Freenas)

George Diamantopoulos

Mar 29, 2012, 5:10:02 PM
Hello all,

I've run into the issue described here:
http://lists.samba.org/archive/samba-technical/2010-September/073075.html

To sum it up, I installed samba4 from git on a debian wheezy system.
Initially, I was able to join Windows 7 clients to the AD controller.
However, trying to get freenas 8 to join has been failing. In the end,
trying to get it to work I changed administrator's password (via
dsa.msc) which broke AD joining for windows clients too. KVNO in
secrets.keytab file has always been "1". Could this mismatch be the
cause of the failures?

I rebooted all clients (to get rid of stale tickets) to no avail. The
only way to fix this was to run the provision script again, but now
samba is not very stable (I managed to join the AD domain, but upon
login I get "The security database on the server does not have a
computer account for this workstation trust relationship").

I really don't know where to start. Do you think using samba from
debian SID would be wiser than building from git? Are there any other
errors in the log I didn't spot? Is KVNO mismatch the reason joining
fails, or are there more errors?

Thanks.

Kerberos: AS-REQ admini...@SYNDOM.SYNERGYPROJECT.GR from
ipv4:172.17.172.41:13893 for
krbtgt/SYNDOM.SYNER...@SYNDOM.SYNERGYPROJECT.GR
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
admini...@SYNDOM.SYNERGYPROJECT.GR
Kerberos: AS-REQ admini...@SYNDOM.SYNERGYPROJECT.GR from
ipv4:172.17.172.41:44144 for
krbtgt/SYNDOM.SYNER...@SYNDOM.SYNERGYPROJECT.GR
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- admini...@SYNDOM.SYNERGYPROJECT.GR
Kerberos: Looking for ENC-TS pa-data -- admini...@SYNDOM.SYNERGYPROJECT.GR
Kerberos: ENC-TS Pre-authentication succeeded --
admini...@SYNDOM.SYNERGYPROJECT.GR using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-03-29T23:45:08 starttime: unset
endtime: 2012-03-30T09:45:07 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5,
arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: forwardable
Kerberos: TGS-REQ admini...@SYNDOM.SYNERGYPROJECT.GR from
ipv4:172.17.172.41:38698 for
ldap/adpdc.syndom.sy...@SYNDOM.SYNERGYPROJECT.GR
Kerberos: TGS-REQ authtime: 2012-03-29T23:45:08 starttime:
2012-03-29T23:45:08 endtime: 2012-03-30T09:45:07 renew till: unset
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

--- important bit ???? ---
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Failed to find ADPDC$@SYNDOM.SYNERGYPROJECT.GR(kvno 3) in
keytab FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
-------------------------------

Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
ldb_wrap open of secrets.ldb
auth_check_password_send: Checking password for unmapped user
[SYNDOM]\[Administrator]@[(null)]
auth_check_password_send: mapped user is: [SYNDOM]\[Administrator]@[(null)]
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
ldb_wrap open of secrets.ldb
auth_check_password_send: Checking password for unmapped user
[SYNDOM]\[Administrator]@[(null)]
auth_check_password_send: mapped user is: [SYNDOM]\[Administrator]@[(null)]
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
ldb_wrap open of secrets.ldb
auth_check_password_send: Checking password for unmapped user
[SYNDOM]\[Administrator]@[(null)]
auth_check_password_send: mapped user is: [SYNDOM]\[Administrator]@[(null)]
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

Apr 4, 2012, 6:30:01 AM
On Fri, 2012-03-30 at 00:02 +0300, George Diamantopoulos wrote:
> Hello all,
>
> I've run into the issue described here:
> http://lists.samba.org/archive/samba-technical/2010-September/073075.html
>
> To sum it up, I installed samba4 from git on a debian wheezy system.
> Initially, I was able to join Windows 7 clients to the AD controller.
> However, trying to get freenas 8 to join has been failing. In the end,
> trying to get it to work I changed administrator's password (via
> dsa.msc) which broke AD joining for windows clients too. KVNO in
> secrets.keytab file has always been "1". Could this mismatch be the
> cause of the failures?
>
> I rebooted all clients (to get rid of stale tickets) to no avail. The
> only way to fix this was to run the provision script again, but now
> samba is not very stable (I managed to join the AD domain, but upon
> login I get "The security database on the server does not have a
> computer account for this workstation trust relationship").
>
> I really don't know where to start. Do you think using samba from
> debian SID would be wiser than building from git? Are there any other
> errors in the log I didn't spot? Is KVNO mismatch the reason joining
> fails, or are there more errors?

Samba is best installed from git.

As to the KVNO mismatch, have you somehow installed a client with the
same name as the server (ADPDC), or attempted to 'join' the server to
itself? That can cause this kind of thing.

Changing the administrator password won't be the issue, but anything
(a join, or a reset with any tool) that changes the machine account
password certainly could update sam.ldb but not the local
secrets.ldb/secrets.keytab.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
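
The failure George marked as the "important bit" (the DC being asked for its own key at kvno 3 while secrets.keytab only holds kvno 1) and the cause Andrew describes (the machine account password rewritten in sam.ldb without secrets.ldb/secrets.keytab following) can be confirmed rather than guessed. The Python below is an added example, not code from this thread or from the Samba project. It takes three pieces of text an admin collects by hand on the DC: the GSS failure line from the Samba log, a "klist -k" style listing of secrets.keytab, and the ldbsearch result for the DC's own machine account (attribute msDS-KeyVersionNumber), and reports whether the keytab, the directory and the client's ticket agree on the key version. The listing formats, the commands named in the comments and every sample value are constructed assumptions for the example; they mirror the numbers in the thread (keytab at kvno 1, client and directory at kvno 3) but were not captured from George's system.

```python
"""Cross-check the key version (KVNO) in a Samba AD DC's local keytab
against the directory and against what a client presented.

Added example, not code from this thread or from the Samba project.
Inputs are plain text collected on the DC; the commands are assumptions:
  MIT:     klist -k FILE:/usr/local/samba/private/secrets.keytab
  Heimdal: ktutil -k FILE:/usr/local/samba/private/secrets.keytab list
  ldbsearch -H /usr/local/samba/private/sam.ldb '(sAMAccountName=ADPDC$)' msDS-KeyVersionNumber
plus the 'Failed to find ...(kvno N) in keytab ...' line from the Samba log.
All sample text below is constructed for the example.
"""
import re

# --- constructed samples (not captured from a real system) -----------------
SAMPLE_LOG_LINE = (
    "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find ADPDC$@SYNDOM.SYNERGYPROJECT.GR(kvno 3) in keytab "
    "FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)"
)

# Shape of MIT `klist -k` output; entries are constructed.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ADPDC$@SYNDOM.SYNERGYPROJECT.GR
   1 host/adpdc.syndom.synergyproject.gr@SYNDOM.SYNERGYPROJECT.GR
"""

# Shape of an ldbsearch result; values are constructed.
SAMPLE_LDB_RESULT = """\
# record 1
dn: CN=ADPDC,OU=Domain Controllers,DC=syndom,DC=synergyproject,DC=gr
msDS-KeyVersionNumber: 3

# returned 1 records
"""

LOG_RE = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)
# First integer column is the KVNO, last token containing '@' is the principal;
# an optional timestamp column (klist -k -t) in between is skipped.
KEYTAB_ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?:.*\s)?(?P<principal>\S+@\S+)\s*$")
LDB_KVNO_RE = re.compile(r"^msDS-KeyVersionNumber:\s*(?P<kvno>\d+)\s*$", re.M)


def parse_gss_failure(line):
    """Principal, kvno the ticket was encrypted with, keytab path and enctype
    from the GSS failure line, or None if the line is something else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["kvno"] = int(d["kvno"])
    return d


def parse_keytab_listing(text):
    """Map each principal in a klist -k style listing to the KVNOs present."""
    kvnos = {}
    for line in text.splitlines():
        m = KEYTAB_ENTRY_RE.match(line)
        if m:
            kvnos.setdefault(m.group("principal"), set()).add(int(m.group("kvno")))
    return kvnos


def parse_directory_kvno(ldif):
    """msDS-KeyVersionNumber from an ldbsearch result, or None if absent."""
    m = LDB_KVNO_RE.search(ldif)
    return int(m.group("kvno")) if m else None


def diagnose(log_line, keytab_text, ldb_text):
    """Decide which of the three parties (keytab, directory, client ticket)
    disagrees about the key version, and return a report dict."""
    failure = parse_gss_failure(log_line)
    if failure is None:
        return {"status": "no-kvno-failure-in-log"}
    principal = failure["principal"]
    have = parse_keytab_listing(keytab_text).get(principal, set())
    directory_kvno = parse_directory_kvno(ldb_text)
    report = {
        "principal": principal,
        "wanted_kvno": failure["kvno"],
        "keytab_kvnos": sorted(have),
        "directory_kvno": directory_kvno,
        "keytab": failure["keytab"],
        "enctype": failure["enctype"],
    }
    if failure["kvno"] in have:
        # The version is there; the missing key is for that enctype specifically.
        report["status"] = "kvno-present-check-enctype"
    elif directory_kvno == failure["kvno"]:
        # Client and directory agree on N; only the DC's local keytab is behind.
        report["status"] = "keytab-stale"
    elif directory_kvno in have:
        # Keytab and directory agree; the ticket was issued under a key neither
        # holds now (e.g. an older password, or another account with this name).
        report["status"] = "ticket-from-unknown-key"
    else:
        report["status"] = "inconsistent"
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG_LINE, SAMPLE_KEYTAB_LISTING,
                               SAMPLE_LDB_RESULT).items():
        print("%-15s %s" % (key, value))
```

Collect the inputs as root on the DC; the keytab and secrets.ldb are the DC's own credentials, and although the listing shows only principals and version numbers, it belongs on the host rather than in a public post. The script only diagnoses: "keytab-stale" is the situation Andrew describes, where something rewrote the machine account password in sam.ldb and the local secrets were never updated, and in the thread the only remedy George found was to re-provision.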

Jeremy Allison

Apr 4, 2012, 11:50:01 AM
On Wed, Apr 04, 2012 at 08:22:10PM +1000, Andrew Bartlett wrote:
> On Fri, 2012-03-30 at 00:02 +0300, George Diamantopoulos wrote:
> > [...]
> > I really don't know where to start. Do you think using samba from
> > debian SID would be wiser than building from git? Are there any other
> > errors in the log I didn't spot? Is KVNO mismatch the reason joining
> > fails, or are there more errors?
>
> Samba is best installed from git.

Just want to point out this is a very *temporary* situation, until
we get closer to Samba4 release. I know that is what Andrew meant,
right ? :-) :-).

We're not seriously suggesting that "git" is the best way to get
your stable Samba (just wanted to make that clear :-).

Jeremy.

George Diamantopoulos

Apr 5, 2012, 6:10:02 PM
Thanks for the reply.

That might have been the case, after all. FreeNAS AD Web Config has a
non-intuitive field called "Host Name (NetBIOS-Name)" where I put
ADPDC in at first, then changed it to freenas. I've reinstalled
everything on clean VMs now and it seems to be working.

User authentication on computers I had previously joined to the domain
however is a little tricky now (for example, I need to explicitly set
NT style domain in the username field such as SYNDOM\Administrator in
order for login to work), but I've been changing so many settings I
might have caused this. I guess I'll have to reinstall Windows on
them. When FreeNAS authenticates, I get "Selected protocol [8][NT
LANMAN 1.0]" on the samba4 console, and freenas logs print "freenas
freenas: Using short domain name -- SYNDOM".

On a side note, isn't the samba4 server supposed to join itself to the
AD domain when running the provision script? At least that's what I
get on STDOUT after running provision...

It now seems I've run into this bug, though:
http://support.freenas.org/ticket/1135 (which has a won't fix status
from FreeNAS devs). It's a pity because samba4 and FreeNAS integration
can prove very useful in some situations.
There are not many references to this online, however. I think I
spotted a discussion somewhere between a samba developer (I can't
remember who it was) and a user (not sure either) where it was
mentioned that it's most probably a samba 3/4 incompatibility issue
and that it wouldn't be too hard to fix. Unfortunately I have been
unable to find more information on this matter, and whether this .

George

Andrew Bartlett

Apr 5, 2012, 6:20:01 PM
George,

Sadly I don't follow the freeNAS bug tracker as part of my daily work.
If you or anyone suspects a Samba issue, then raise it in our bugzilla
or on these lists (samba-technical is better for Samba4, at least until
we release).

If you can tell me what *exactly* you think is wrong - by example of
Samba4 and Windows 2008 (available for free download), I'll happily fix
it.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org


George Diamantopoulos

Apr 5, 2012, 6:40:01 PM
On Fri, Apr 6, 2012 at 1:17 AM, Andrew Bartlett <abar...@samba.org> wrote:
> Sadly I don't follow the freeNAS bug tracker as part of my daily work.
> If you or anyone suspects a Samba issue, then raise it in our bugzilla
> or on these lists (samba-technical is better for Samba4, at least until
> we release).
>
> If you can tell me what *exactly* you think is wrong - by example of
> Samba4 and Windows 2008 (available for free download), I'll happily fix
> it.

Andrew,

I really can't say much more other than what's already in the ticket
("[...] samba 4 puts the unique 'netbios' identifier in the 'cn'
attribute, not the 'nETBIOSName' attribute [...]"). The reason why I
believe I've run into this bug is that I'm getting an error with a
reference to "nETBIOSName" upon opening the CIFS configuration panel
on FreeNAS.

I would post this on samba-technical, but I have very little
understanding of the internals so I think it would be more of a
nuisance than helping out the project. However, if you believe
otherwise, I'd be happy to do so.

George

Andrew Bartlett

Apr 5, 2012, 6:50:02 PM
I'm sorry to be blunt, but please tell me
- exactly on which ldap object
- exactly the difference between us and Windows

Please do that by showing the comparative output of

ldbsearch -H ldap://sambadc -s base -b <problem DN> -Uadmin%pass
ldbsearch -H ldap://windowsdc -s base -b <problem DN> -Uadmin%pass

I'm sorry, but what is clear to you is not clear to me, and the
specifics will help us fix the bug, and write a test to ensure it does
not re-occur.

On where to post, posting to this list is a good way to have your
concerns lost in the flood of discussion. While we wait for our first
release, we handle Samba4 AD issues on the samba-technical list to
ensure they are seen and handled.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
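
Andrew's request above, the same object fetched with a base-scope ldbsearch from the Samba DC and from a Windows DC, is easiest to act on with a small diff of the two results. The Python below is an added example, not part of this thread or of the Samba project: it parses two ldbsearch/LDIF outputs (folded continuation lines and base64 "::" values included), drops per-server replication bookkeeping, and lists every attribute whose values differ, which is exactly the "exactly on which object, exactly which difference" a bug report needs. The two sample records are constructed to exercise the parser; the attribute that differs in them (description) was invented for the example and says nothing about what either server actually returns for the object George is asking about. The set of ignored attributes is an assumption about what is never expected to match between two independently built directories.

```python
"""Diff one directory object as returned by two DCs.

Added example, not code from this thread or from the Samba project.
Intended inputs (assumed, collected by hand, one object each, scope base):
  ldbsearch -H ldap://sambadc   -s base -b <DN> -Uadmin%pass > samba.ldif
  ldbsearch -H ldap://windowsdc -s base -b <DN> -Uadmin%pass > windows.ldif
Both are LDIF: 'attr: value', 'attr:: base64value', continuation lines
that begin with one space, and '#' comment lines.
"""
import base64
import re

# Replication bookkeeping that legitimately differs between two independent
# directories; ignoring it is an assumption for the example. Attribute names
# are compared case-insensitively, so they are listed in lower case.
VOLATILE = {"usnchanged", "usncreated", "whenchanged", "whencreated",
            "dscorepropagationdata"}

LDIF_LINE = re.compile(r"^(?P<attr>[A-Za-z][\w;.-]*)(?P<sep>::?) ?(?P<value>.*)$")

# --- constructed samples; the differing values are invented ----------------
SAMBA_LDIF = """\
# record 1
dn: CN=Example,OU=Test,DC=example,DC=com
objectClass: top
objectClass: container
cn: Example
name: Example
description: hello
  world
whenChanged: 20120405220000.0Z
uSNChanged: 3412

# returned 1 records
# 1 entries
# 0 referrals
"""

WINDOWS_LDIF = """\
dn: CN=Example,OU=Test,DC=example,DC=com
objectClass: top
objectClass: container
cn: Example
name: Example
description:: aGVsbG8=
showInAdvancedViewOnly: TRUE
whenChanged: 20120405223000.0Z
uSNChanged: 9981
"""


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values...]}} for every record in the text."""
    records = {}
    dn, attrs = None, {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                records[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        m = LDIF_LINE.match(line)
        if not m:
            raise ValueError("not an LDIF line: %r" % line)
        value = m.group("value")
        if m.group("sep") == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        name = m.group("attr").lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


def diff_records(a, b, ignore=VOLATILE):
    """{attr: (values_in_a, values_in_b)} for attributes whose values differ,
    treating multi-valued attributes as unordered sets."""
    out = {}
    for attr in sorted(set(a) | set(b)):
        if attr in ignore:
            continue
        va, vb = sorted(a.get(attr, [])), sorted(b.get(attr, []))
        if va != vb:
            out[attr] = (va, vb)
    return out


def compare_ldif(samba_text, windows_text):
    """Compare the single record each base-scope search returned."""
    ra, rb = parse_ldif(samba_text), parse_ldif(windows_text)
    if len(ra) != 1 or len(rb) != 1:
        raise ValueError("expected exactly one record per search (use -s base)")
    (dn_a, attrs_a), = ra.items()
    (dn_b, attrs_b), = rb.items()
    return dn_a, dn_b, diff_records(attrs_a, attrs_b)


if __name__ == "__main__":
    dn_a, dn_b, differences = compare_ldif(SAMBA_LDIF, WINDOWS_LDIF)
    print("samba:   %s\nwindows: %s" % (dn_a, dn_b))
    for attr, (va, vb) in differences.items():
        print("%s\n  samba:   %s\n  windows: %s" % (attr, va, vb))
```

Paste the two ldbsearch outputs into files and feed them to compare_ldif; the report (DN from each side plus the differing attributes, with the values each server returned) is the comparative output Andrew asks for, and in a bug report it is more useful than a description of the difference. Attribute names are lower-cased for comparison only; values are compared exactly, so a case difference in a value is reported as a difference.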

