
Re: [Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"




Hello All

Can someone please help me understand what could be the reason SPNEGO fails
with a Windows AD server?

  SPNEGO login failed: The transport connection is now disconnected.
  error_string             : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'



Thanks in Advance

Akash

On Fri, Dec 1, 2017 at 4:55 PM, Akash Jain <akash.jain110683@xxxxxxxxx>
wrote:

> Hello All
>
> I am seeing the following error intermittently when I try to join the Samba
> machine into AD controlled by a Windows machine.
>
> Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM'
> over rpc: The transport connection is now disconnected.
>
> If we repeat the same command with same configuration and credentials, it
> succeeds.
>
> Detailed logs at log level 5 are at end of the message.
>
>
> Command:
> net ads join -d5 -e -I <AD Controller IP>  -U administrator%<password>
>
> Configuration details are as follows:
>
> -------------------- smb.conf -----------------------
> [global]
> max log size = 0
> realm = DOMAIN.COM
> workgroup = DOMAIN
> security = ADS
> winbind enum users = yes
> winbind enum groups = yes
> idmap config * : backend = autorid
> idmap config * : range = 1000000-19999999
> passdb backend = tdbsam
>
> ------------------- krb5.conf ------------------------
> [libdefaults]
> default_realm = DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
> [realms]
> DOMAIN.COM = {
> kdc = PDC.DOMAIN.COM
> admin_server = PDC.DOMAIN.COM
> }
> [domain_realm]
> domain = DOMAIN.COM
> .domain = DOMAIN.COM
>
>
> ------------------------------------------------------------
> ----------------------------------
>
> Log level 5 logs for net ads command are:
>
>
> Enter Administrator's password:libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         in: struct libnet_JoinCtx
>             dc_name                  : NULL
>             machine_name             : 'Hostname'
>             domain_name              : *
>                 domain_name              : 'DOMAIN.COM'
>             domain_name_type         : JoinDomNameTypeDNS (1)
>             account_ou               : NULL
>             admin_account            : 'Administrator'
>             admin_domain             : NULL
>             machine_password         : NULL
>             join_flags               : 0x00000023 (35)
>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>             os_version               : NULL
>             os_name                  : NULL
>             os_servicepack           : NULL
>             create_upn               : 0x00 (0)
>             upn                      : NULL
>             modify_config            : 0x00 (0)
>             ads                      : NULL
>             debug                    : 0x01 (1)
>             use_kerberos             : 0x00 (0)
>             secure_channel_type      : SEC_CHAN_WKSTA (2)
>             desired_encryption_types : 0x0000001f (31)
> Opening cache file at /var/lib/samba/gencache.tdb
> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> "Default-First-Site-Name"
> ads_dns_lookup_srv: 1 records returned in the answer section.
> sitename_fetch: Returning sitename for realm 'DOMAIN.COM':
> "Default-First-Site-Name"
> no entry for PDC.DOMAIN.COM#20 found.
> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> namecache_store: storing 1 address for PDC.DOMAIN.COM#20: <AD Controller
> IP>
> Connecting to <AD Controller IP> at port 445
> E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
> Connecting to <AD Controller IP> at port 139
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 87040
>         SO_RCVBUF = 367360
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
> got OID=1.3.6.1.4.1.311.2.2.10
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Starting GENSEC mechanism spnego
> Server claims it's principal name is not_defined_in_RFC4178@PLEASE_IGNORE
> Starting GENSEC submechanism ntlmssp
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_TARGET_TYPE_DOMAIN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: The transport connection is now disconnected.
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : NULL
>             dns_domain_name          : NULL
>             forest_name              : NULL
>             dn                       : NULL
>             domain_sid               : NULL
>                 domain_sid               : (NULL SID)
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to lookup DC info for
> domain 'DOMAIN.COM' over rpc: The transport connection is now
> disconnected.'
>             domain_is_ad             : 0x00 (0)
>             set_encryption_types     : 0x00000000 (0)
>             result                   : WERR_NETNAME_DELETED
> return code = -1
> Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM'
> over rpc: The transport connection is now disconnected.
>
> ------------------------------------------------------------
> ------------------------------------------------------------------
>
> If we compare the Success vs Failure logs, we see only difference of
> following lines:
>
>
> Below lines are missing in Failure case:
> ----------------------------------------------
> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan
> 1 05:30:00 1970 IST] (-1511892480 seconds in the past)
> no entry for PDC.DOMAIN.COM#20 found.
> resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
> namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
> Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov
> 28 23:49:00 2017 IST] (660 seconds ahead)
> internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
> -------------------------------------------------
>
> Also, OIDs are different.
>
> Please help me understand in what scenarios the domain controller will
> revoke the transport connection, with SPNEGO failing for the same flags and
> the same inputs.
>
> Thanks
> Akash
>
>
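The poster compares a successful and a failing `net ads join -d5` log by eye. The script below is an added example for this thread, not Samba code and not the poster's: it pulls the SPNEGO mechanism OID, the ports tried and every NTLMSSP negotiate-flag word out of a debug-5 log, decodes the words with the bit values from MS-NLMP section 2.2.2.5 (which reproduces the flag names Samba prints), and reports which bits differ between the server's CHALLENGE flags and the final flags. The embedded `SAMPLE_LOG` is a constructed excerpt of the failing log above, with the DC address left as the poster's placeholder. What the decoded output makes explicit is that this join authenticates with NTLMSSP (the DC offered OID 1.3.6.1.4.1.311.2.2.10 and `use_kerberos` is 0 in the `libnet_JoinCtx` dump), with signing negotiated but not sealing, and that the two flags that disappear between the challenge and the final word (`NTLMSSP_TARGET_TYPE_DOMAIN`, `NTLMSSP_NEGOTIATE_TARGET_INFO`) are server-only CHALLENGE bits, so that difference is expected and is not what separates a good run from a bad one.

```python
"""Triage helper for 'net ads join -d5' output.

Added example for this thread (not Samba's code, not the poster's). It
extracts the SPNEGO mechanism offered, the TCP ports tried and the NTLMSSP
negotiate-flag words, and diffs the CHALLENGE flags against the final flags.
Flag bit values follow MS-NLMP section 2.2.2.5.
"""
import re

# MS-NLMP 2.2.2.5 negotiate-flag bits, named the way Samba prints them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# SPNEGO mechanism OIDs that appear on "got OID=" lines.
MECH_OIDS = {
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "MS Kerberos 5 (legacy OID)",
}

FLAG_RE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]{8})")
OID_RE = re.compile(r"got OID=([0-9.]+)")
PORT_RE = re.compile(r"Connecting to .+? at port (\d+)")

# Constructed excerpt of the failing log in the post above (DC address left
# as the poster's placeholder).
SAMPLE_LOG = """\
Connecting to <AD Controller IP> at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
Connecting to <AD Controller IP> at port 139
got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: The transport connection is now disconnected.
"""


def decode_flags(word):
    """Names of the bits set in an NTLMSSP flag word, lowest bit first."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if word & bit]
    unknown = word & ~sum(NTLMSSP_FLAGS)  # bits the table does not cover
    if unknown:
        names.append("UNKNOWN_BITS_0x%08x" % unknown)
    return names


def triage(log):
    """Summarise mechanism, transport and flag negotiation from a -d5 log."""
    words = [int(m.group(1), 16) for m in FLAG_RE.finditer(log)]
    report = {
        "mechs": [MECH_OIDS.get(o, "unknown OID " + o) for o in OID_RE.findall(log)],
        "ports": [int(p) for p in PORT_RE.findall(log)],
        "flag_words": words,
        "dropped_from_challenge": [],
        "added_after_challenge": [],
        "sign": None,
        "seal": None,
        "failed": "SPNEGO login failed" in log,
    }
    if words:
        challenge, final = words[0], words[-1]
        # TARGET_TYPE_* and TARGET_INFO are set only by the server in the
        # CHALLENGE message (MS-NLMP), so they are expected to be dropped.
        report["dropped_from_challenge"] = decode_flags(challenge & ~final)
        report["added_after_challenge"] = decode_flags(final & ~challenge)
        report["sign"] = bool(final & 0x00000010)
        report["seal"] = bool(final & 0x00000020)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("mechanism offered   :", ", ".join(r["mechs"]) or "none seen")
    print("ports tried         :", r["ports"])
    for w in r["flag_words"]:
        print("flags 0x%08x    :" % w, " ".join(decode_flags(w)))
    print("dropped vs challenge:", r["dropped_from_challenge"])
    print("sign / seal         :", r["sign"], "/", r["seal"])
    print("login failed        :", r["failed"])
```

Run it on the failing and the succeeding log in turn (replace `SAMPLE_LOG` with the file contents) and compare the two reports; an asymmetry in the mechanism list or the flag words would be meaningful, while the dropped CHALLENGE-only bits above will appear in both. The ports are recorded because the log shows both 445 and 139 being tried, and the `E2BIG` line is the 26-byte DNS-style name failing to fit the 16-byte NetBIOS called-name buffer used for the port-139 session request.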