[Samba] net ads join : ads_connect: No logon servers - Samba


  1. [Samba] net ads join : ads_connect: No logon servers

    I've been able to use security = ads in smb.conf, and connect OK,
    but it must be falling back to domain. When I run net ads join
    I get the error (debug trace below):

    ads_connect: No logon servers

    Here is my krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_realm = BEER
    [realms]
    BEER = {
    kdc = ADC1.AD.BEERU.CA
    }
    [domain_realm]
    beer.ca = BEER
    .beer.ca = BEER

    Here is my rpc join status:
    # net rpc testjoin
    Join to 'BEER' is OK

    Here is my attempt to graduate this to ADS levels, with debug:

    # net ads join -Ubeeruser%beeruserpw -d3
    [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
    lp_load: refreshing parameters
    [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
    Initialising global parameters
    [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
    Processing section "[global]"
    [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
    added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
    [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
    added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
    [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
    get_dc_list: preferred server list: "ADC2, 111.111.200.67"
    [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
    Failed to parse cldap reply
    [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
    ads_try_connect: CLDAP request 111.111.200.66 failed.
    [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
    Failed to parse cldap reply
    [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
    ads_try_connect: CLDAP request 111.111.200.67 failed.
    [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
    get_dc_list: preferred server list: "ADC2, 111.111.200.67"
    [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
    Could not look up dc's for domain BEER
    [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
    get_dc_list: preferred server list: "ADC2, 111.111.200.67"
    [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
    get_dc_list: preferred server list: "ADC2, 111.111.200.67"
    [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
    ads_connect: No logon servers
    [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
    error on ads_startup: No logon servers
    Failed to join domain: No logon servers
    [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
    return code = -1

    Can this user achieve such a goal?

    Here is beeruser's rights via rpc:
    net rpc rights list -Ubeeruser
    Password:
    SeMachineAccountPrivilege Add machines to domain
    SeTakeOwnershipPrivilege Take ownership of files or other objects
    SeBackupPrivilege Back up files and directories
    SeRestorePrivilege Restore files and directories
    SeRemoteShutdownPrivilege Force shutdown from a remote system
    SePrintOperatorPrivilege Manage printers
    SeAddUsersPrivilege Add users and groups to the domain
    SeDiskOperatorPrivilege Manage disk shares

    I've had various toggles done to my smb.conf, but here is what the
    global section
    of smb.conf looks like at the moment, following the hints of someone else who
    solved this on the list...

    [global]
    netbios name = www2
    workgroup = BEER
    unix charset = LOCALE
    realm = BEER
    server string = Web Server
    security = ADS
    password server = 111.111.200.67
    idmap backend = rid:BEER=5000-100000000
    idmap uid = 10000-10000000
    idmap gid = 10000-10000000
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    allow trusted domains = No
    log level = 3
    log file = /var/log/samba/%m.log
    max log size = 50
    dns proxy = No
    winbind use default domain = Yes
    hosts allow = 111.111.
    encrypt passwords = yes

    I had great results with the last question I put on the list. I hope
    someone can help us graduate to ads with kerberos level authentication.

    It feels like there is something missing on the AD end, but I know
    nothing about this
    other than that it is Windows Server 2003 and it has been in production for
    awhile with good performance.

    --Donald
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] net ads join : ads_connect: No logon servers

    D G Teed wrote:
    > I've been able to use security = ads in smb.conf, and connect OK,
    > but it must be falling back to domain. When I run net ads join
    > I get the error (debug trace below):
    >
    > ads_connect: No logon servers
    >
    > Here is my krb5.conf:
    >
    > [logging]
    > default = FILE:/var/log/krb5libs.log
    > kdc = FILE:/var/log/krb5kdc.log
    > admin_server = FILE:/var/log/kadmind.log
    > [libdefaults]
    > default_realm = BEER
    > [realms]
    > BEER = {
    > kdc = ADC1.AD.BEERU.CA
    > }
    > [domain_realm]
    > beer.ca = BEER
    > .beer.ca = BEER


    This should be a mapping from DNS domain to Kerberos REALM.
    Going by the kdc name, what you probably want is:
    beer.ca = AD.BEERU.CA
    .beer.ca = AD.BEERU.CA
    www2.beer.ca = AD.BEERU.CA


    >
    > Here is my rpc join status:
    > # net rpc testjoin
    > Join to 'BEER' is OK
    >
    > Here is my attempt to graduate this to ADS levels, with debug:
    >
    > # net ads join -Ubeeruser%beeruserpw -d3
    > [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
    > lp_load: refreshing parameters
    > [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
    > Initialising global parameters
    > [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
    > params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    > [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
    > Processing section "[global]"
    > [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
    > added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
    > [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
    > added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
    > [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
    > get_dc_list: preferred server list: "ADC2, 111.111.200.67"
    > [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
    > Failed to parse cldap reply
    > [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
    > ads_try_connect: CLDAP request 111.111.200.66 failed.
    > [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
    > Failed to parse cldap reply
    > [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
    > ads_try_connect: CLDAP request 111.111.200.67 failed.
    > [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
    > get_dc_list: preferred server list: "ADC2, 111.111.200.67"
    > [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
    > Could not look up dc's for domain BEER
    > [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
    > get_dc_list: preferred server list: "ADC2, 111.111.200.67"
    > [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
    > get_dc_list: preferred server list: "ADC2, 111.111.200.67"
    > [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
    > ads_connect: No logon servers
    > [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
    > error on ads_startup: No logon servers
    > Failed to join domain: No logon servers
    > [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
    > return code = -1
    >
    > Can this user achieve such a goal?
    >
    > Here is beeruser's rights via rpc:
    > net rpc rights list -Ubeeruser
    > Password:
    > SeMachineAccountPrivilege Add machines to domain
    > SeTakeOwnershipPrivilege Take ownership of files or other objects
    > SeBackupPrivilege Back up files and directories
    > SeRestorePrivilege Restore files and directories
    > SeRemoteShutdownPrivilege Force shutdown from a remote system
    > SePrintOperatorPrivilege Manage printers
    > SeAddUsersPrivilege Add users and groups to the domain
    > SeDiskOperatorPrivilege Manage disk shares
    >
    > I've had various toggles done to my smb.conf, but here is what the
    > global section
    > of smb.conf looks like at the moment, following the hints of someone else who
    > solved this on the list...
    >
    > [global]
    > netbios name = www2
    > workgroup = BEER
    > unix charset = LOCALE
    > realm = BEER


    Same here.
    realm = AD.BEERU.CA

    > server string = Web Server
    > security = ADS
    > password server = 111.111.200.67
    > idmap backend = rid:BEER=5000-100000000
    > idmap uid = 10000-10000000
    > idmap gid = 10000-10000000
    > template shell = /bin/bash
    > winbind use default domain = Yes
    > winbind enum users = Yes
    > winbind enum groups = Yes
    > allow trusted domains = No
    > log level = 3
    > log file = /var/log/samba/%m.log
    > max log size = 50
    > dns proxy = No
    > winbind use default domain = Yes
    > hosts allow = 111.111.
    > encrypt passwords = yes
    >
    > I had great results with the last question I put on the list. I hope
    > someone can help us graduate to ads with kerberos level authentication.
    >
    > It feels like there is something missing on the AD end, but I know
    > nothing about this
    > other than that it is Windows Server 2003 and it has been in production for
    > awhile with good performance.
    >


    There may be something else, but the REALM is what jumped out at me.

    Regards, Doug

  3. Re: [Samba] net ads join : ads_connect: No logon servers

    Douglas VanLeuven wrote:
    > D G Teed wrote:
    >> I've been able to use security = ads in smb.conf, and connect OK,
    >> but it must be falling back to domain. When I run net ads join
    >> I get the error (debug trace below):
    >>
    >> ads_connect: No logon servers
    >>
    >> Here is my krb5.conf:
    >>
    >> [logging]
    >> default = FILE:/var/log/krb5libs.log
    >> kdc = FILE:/var/log/krb5kdc.log
    >> admin_server = FILE:/var/log/kadmind.log
    >> [libdefaults]
    >> default_realm = BEER
    >> [realms]
    >> BEER = {
    >> kdc = ADC1.AD.BEERU.CA
    >> }


    Missed this on the last post.
    default_realm = AD.BEERU.CA

    Doug

  4. Re: [Samba] net ads join : ads_connect: No logon servers

    Thanks very much, Douglas. That did the trick.
    I had not understood what realm represented in a dns
    style domain.

    It is also confusing that one lists a realm section,
    defining it...

    BEER = {
    kdc = ADC1.AD.BEERU.CA
    }

    But then when providing the realm name in smb.conf, the
    handle isn't BEER, but rather the subdomain in
    which the AD controller lives.

    Regards,

    --Donald

    On Jan 30, 2008 3:37 PM, Douglas VanLeuven wrote:
    > Douglas VanLeuven wrote:
    > > D G Teed wrote:
    > >> I've been able to use security = ads in smb.conf, and connect OK,
    > >> but it must be falling back to domain. When I run net ads join
    > >> I get the error (debug trace below):
    > >>
    > >> ads_connect: No logon servers
    > >>
    > >> Here is my krb5.conf:
    > >>
    > >> [logging]
    > >> default = FILE:/var/log/krb5libs.log
    > >> kdc = FILE:/var/log/krb5kdc.log
    > >> admin_server = FILE:/var/log/kadmind.log
    > >> [libdefaults]
    > >> default_realm = BEER
    > >> [realms]
    > >> BEER = {
    > >> kdc = ADC1.AD.BEERU.CA
    > >> }

    >
    > Missed this on the last post.
    > default_realm = AD.BEERU.CA
    >
    > Doug
    >


  5. Re: [Samba] net ads join : ads_connect: No logon servers

    D G Teed wrote:
    > Thanks very much, Douglas. That did the trick.
    > I had not understood what realm represented in a dns
    > style domain.
    >
    > It is also confusing that one lists a realm section,
    > defining it...
    >
    > BEER = {
    > kdc = ADC1.AD.BEERU.CA
    > }


    Sorry, missed that one too. Should be
    AD.BEERU.CA = {
    kdc = ADC1.AD.BEERU.CA
    }

    It's just that Kerberos doesn't know anything about workgroups in
    windows and so there shouldn't be any workgroup names in krb5.conf,
    only DNS names and REALM names. It worked because samba picked up the
    Kerberos kdc from SRV records in DNS. BEER defines the .BEER realm
    which doesn't exist.


    >
    > But then when providing the realm name in smb.conf, the
    > handle isn't BEER, but rather the subdomain in
    > which the AD controller lives.
    >
    > Regards,
    >
    > --Donald
    >
    > On Jan 30, 2008 3:37 PM, Douglas VanLeuven wrote:
    >> Douglas VanLeuven wrote:
    >>> D G Teed wrote:
    >>>> I've been able to use security = ads in smb.conf, and connect OK,
    >>>> but it must be falling back to domain. When I run net ads join
    >>>> I get the error (debug trace below):
    >>>>
    >>>> ads_connect: No logon servers
    >>>>
    >>>> Here is my krb5.conf:
    >>>>
    >>>> [logging]
    >>>> default = FILE:/var/log/krb5libs.log
    >>>> kdc = FILE:/var/log/krb5kdc.log
    >>>> admin_server = FILE:/var/log/kadmind.log
    >>>> [libdefaults]
    >>>> default_realm = BEER
    >>>> [realms]
    >>>> BEER = {
    >>>> kdc = ADC1.AD.BEERU.CA
    >>>> }

    >> Missed this on the last post.
    >> default_realm = AD.BEERU.CA
    >>
    >> Doug
    >>


    Regards, Doug
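
The realm mix-up diagnosed in this thread can be caught before running `net ads join`. The following is an added example, not part of the original posts or of Samba: a small krb5.conf consistency check whose function names (`parse_krb5`, `lint`) are hypothetical, and whose "workgroup used as realm" test is a heuristic based on the replies above. The sample config is constructed from the one posted in the thread.

```python
import re

# Constructed from the krb5.conf posted in the thread ([logging] omitted).
BROKEN = """\
[libdefaults]
default_realm = BEER
[realms]
BEER = {
kdc = ADC1.AD.BEERU.CA
}
[domain_realm]
beer.ca = BEER
.beer.ca = BEER
"""
FIXED = re.sub(r"\bBEER\b", "AD.BEERU.CA", BROKEN)  # realm renamed per the replies

def parse_krb5(text):
    """Return {section: {key: value}}; 'REALM = {' blocks become nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = val
    return conf

def lint(krb5_text, workgroup, smb_realm):
    """Findings for the realm mistakes diagnosed in this thread (empty = clean)."""
    conf = parse_krb5(krb5_text)
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    used = {default, smb_realm, *realms, *conf.get("domain_realm", {}).values()}
    findings = []
    for name in sorted(n for n in used if n):
        if name.upper() == workgroup.upper():
            findings.append(f"{name}: NetBIOS workgroup used as Kerberos realm")
        elif name not in realms:
            findings.append(f"{name}: no [realms] entry")
    if default != smb_realm:
        findings.append(f"default_realm {default} != smb.conf realm {smb_realm}")
    return findings
```

`workgroup` and `smb_realm` are the `workgroup` and `realm` values from the `[global]` section of smb.conf; changing only smb.conf, as after the first reply, still leaves three findings.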
