
[Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"




Hello All

I am seeing the following error intermittently when I try to join the Samba
machine into an AD controlled by a Windows machine.

Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM'
over rpc: The transport connection is now disconnected.

If we repeat the same command with the same configuration and credentials, it
succeeds.

Detailed logs at log level 5 are at the end of the message.


Command:
net ads join -d5 -e -I <AD Controller IP>  -U administrator%<password>

Configuration details are as follows:

-------------------- smb.conf -----------------------
[global]
max log size = 0
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
passdb backend = tdbsam

------------------- krb5.conf ------------------------
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.COM = {
kdc = PDC.DOMAIN.COM
admin_server = PDC.DOMAIN.COM
}
[domain_realm]
domain = DOMAIN.COM
.domain = DOMAIN.COM


----------------------------------------------------------------------------------------------

Log level 5 logs for the net ads command are:


Enter Administrator's password:libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'Hostname'
            domain_name              : *
                domain_name              : 'DOMAIN.COM'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'Administrator'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
"Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
"Default-First-Site-Name"
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: <AD Controller IP>
Connecting to <AD Controller IP> at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
Connecting to <AD Controller IP> at port 139
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 367360
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Server claims it's principal name is not_defined_in_RFC4178@PLEASE_IGNORE
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: The transport connection is now disconnected.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_sid               : NULL
                domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to lookup DC info for domain
'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
            domain_is_ad             : 0x00 (0)
            set_encryption_types     : 0x00000000 (0)
            result                   : WERR_NETNAME_DELETED
return code = -1
Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM'
over rpc: The transport connection is now disconnected.

------------------------------------------------------------------------------------------------------------------------------

If we compare the success vs. failure logs, the only difference is the
following lines:


The lines below are missing in the failure case:
----------------------------------------------
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan  1
05:30:00 1970 IST] (-1511892480 seconds in the past)
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28
23:49:00 2017 IST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
-------------------------------------------------

Also, OIDs are different.

Please help me understand in what scenarios the domain controller will
revoke the transport connection with SPNEGO failing for the same flags and
the same inputs.

Thanks
Akash
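One way to do the success-vs-failure comparison described in the post without hand-diffing: an added Python example (not from the post or from Samba) that collapses the fields that legitimately vary between runs, cache timestamps, relative offsets and IPv4 addresses, before diffing the two `net ads join -d5` transcripts. The transcripts inside it are constructed from the lines quoted above, with placeholder IPs.

```python
# Added example (not from the post): normalise volatile fields in two
# 'net ads join -d5' transcripts and report what differs between them.
from __future__ import annotations
import difflib
import re

# Fields that change run to run and would drown the real differences.
_VOLATILE = [
    (re.compile(r"timeout=\[[^\]]*\]"), "timeout=[<TS>]"),
    (re.compile(r"\(-?\d+ seconds (ahead|in the past)\)"), "(<N> seconds <DIR>)"),
    (re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b"), "<IP>"),
]

def normalise(log: str) -> list[str]:
    """Collapse timestamps, offsets and IPv4 addresses to placeholders."""
    out = []
    for line in log.strip().splitlines():
        for pat, repl in _VOLATILE:
            line = pat.sub(repl, line)
        out.append(line.rstrip())
    return out

def diff_runs(success: str, failure: str) -> dict[str, list[str]]:
    """Lines present only in the success run and only in the failure run."""
    s, f = normalise(success), normalise(failure)
    only_s, only_f = [], []
    sm = difflib.SequenceMatcher(a=s, b=f, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            only_s.extend(s[i1:i2])
        if tag in ("insert", "replace"):
            only_f.extend(f[j1:j2])
    return {"only_in_success": only_s, "only_in_failure": only_f}

# Constructed transcripts modelled on the post; IPs and times are placeholders.
SUCCESS_LOG = """
sitename_fetch: Returning sitename for realm 'DOMAIN.COM': "Default-First-Site-Name"
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan  1 05:30:00 1970 IST] (-1511892480 seconds in the past)
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 192.0.2.10
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28 23:49:00 2017 IST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 192.0.2.10 :0
Connecting to 192.0.2.10 at port 445
"""
FAILURE_LOG = """
sitename_fetch: Returning sitename for realm 'DOMAIN.COM': "Default-First-Site-Name"
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 192.0.2.11
Connecting to 192.0.2.11 at port 445
"""
```

Running `diff_runs(SUCCESS_LOG, FAILURE_LOG)` reports the two `Adding cache entry` lines and the `internal_resolve_name` line as present only in the success run, with the differing IP addresses normalised away.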