spiffywiffy n00b
Joined: 08 May 2007 Posts: 21
Posted: Fri Jun 22, 2007 3:08 pm Post subject: Samba ADS Join Failure (CLDAP Request Failed) - Stumped!!
Hello:
Hopefully someone has some insight into this. First, all the boring stuff:
Linux [hostname] 2.6.21-hardened #1 SMP Tue May 8 11:39:26 x86_64 Dual-Core AMD Opteron(tm) Processor 2212 AuthenticAMD GNU/Linux
Windows Server 2003 SP1 Domain Controller
Intention: Join Gentoo server to Windows Domain as Member only. Will eventually authenticate AD users for SSH/SFTP services.
Symptoms: Able to get Kerberos ticket from Domain Controller. Able to browse AD with ldapsearch. Unable to join server to domain. Complains about CLDAP request to DC failing.
Emerged:
Samba: net-fs/samba-3.0.24-r3 USE="acl doc kerberos ldap pam readline syslog winbind -async -automount -caps -cups -examples -fam -oav -python -quotas (-selinux) -swat" LINGUAS="-ja -pl"
Kerberos: app-crypt/mit-krb5-1.5.2-r1 USE="-doc -ipv6 -krb4 -tcl"
net-nds/openldap-2.3.35-r1 USE="crypt kerberos readline samba sasl ssl tcpd -berkdb -debug -gdbm -ipv6 -minimal -odbc -overlays -perl (-selinux) -slp -smbkrb5passwd"
sys-auth/nss_ldap-253 USE="sasl -debug"
Also, ntp installed - no clock skew between DC and Gentoo server.
testparm output (edited):
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = MYWORKGROUP
realm = MYWORKGROUP.MYDOMAIN.CA
server string = %h
security = ADS
obey pam restrictions = Yes
password server = DC1.MYDOMAIN.CA DC2.MYDOMAIN.CA
passdb backend = tdbsam
log level = 10
log file = /var/log/samba/log.%m
max log size = 50
client signing = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
dns proxy = No
socket address = 192.168.1.10
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /usr/bin/scponly
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
invalid users = root
[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
browseable = No
krb5.conf contents (edited):
[libdefaults]
default_realm = MYWORKGROUP.MYDOMAIN.CA
ticket_lifetime = 36000
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
MYWORKGROUP.MYDOMAIN.CA = {
kdc = 10.1.60.10:88
kdc = 10.1.60.11:88
admin_server = 10.1.60.10:749
default_domain = MYDOMAIN.CA
}
[domain_realm]
.myworkgroup.mydomain.ca = MYWORKGROUP.MYDOMAIN.CA
myworkgroup.mydomain.ca = MYWORKGROUP.MYDOMAIN.CA
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Output of net ads join -U domainadmin --debuglevel=3 (edited):
[2007/06/22 10:37:16, 3] param/loadparm.c:lp_load(4945)
lp_load: refreshing parameters
[2007/06/22 10:37:16, 3] param/loadparm.c:init_globals(1410)
Initialising global parameters
[2007/06/22 10:37:16, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2007/06/22 10:37:16, 3] param/loadparm.c:do_section(3687)
Processing section "[global]"
[2007/06/22 10:37:16, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.1.10 bcast=192.168.1.255 nmask=255.255.255.0
domainadmin's password:
[2007/06/22 10:37:20, 3] libsmb/namequery.c:get_dc_list(1426)
get_dc_list: preferred server list: ", dc1.mydomain.ca dc2.mydomain.ca"
[2007/06/22 10:37:35, 1] libads/cldap.c:recv_cldap_netlogon(215)
no reply received to cldap netlogon
[2007/06/22 10:37:35, 3] libads/ldap.c:ads_try_connect(136)
ads_try_connect: CLDAP request 10.1.60.10 failed.
[2007/06/22 10:37:50, 1] libads/cldap.c:recv_cldap_netlogon(215)
no reply received to cldap netlogon
[2007/06/22 10:37:50, 3] libads/ldap.c:ads_try_connect(136)
ads_try_connect: CLDAP request 10.1.60.11 failed.
[2007/06/22 10:37:50, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Interrupted system call
[2007/06/22 10:37:50, 2] utils/net.c:main(988)
return code = -1
As you can see, I am getting cldap netlogon errors. This is stumping me, as I can clearly communicate with the DCs via other methods. This configuration matches that of a couple of other servers (not Gentoo, however). ADS joins work fine from the other servers to the same DCs. Is this version of Samba problematic? I am using hardened Gentoo - is that a potential issue? Any other thoughts? Thanks for any help.
uweklosa Tux's lil' helper
Joined: 18 Feb 2005 Posts: 105
Posted: Fri Jun 22, 2007 4:58 pm
We had a similar problem. The solution for us has been to remove/comment the following line:
winbind separator = +
spiffywiffy n00b
Joined: 08 May 2007 Posts: 21
Posted: Fri Jun 22, 2007 5:47 pm
Thanks - just tried, but the problem persists.
spiffywiffy n00b
Joined: 08 May 2007 Posts: 21
Posted: Mon Jun 25, 2007 1:04 pm
Anyone? :-/
mem_gentoo n00b
Joined: 27 Apr 2007 Posts: 27
Posted: Thu Jul 05, 2007 12:19 pm
I am having the same problem with my Gentoo machine. I am following http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
As near as I can tell at the moment, fully qualified names (host.domain) are not being correctly resolved. Any suggestions, please? I have added the relevant info to /etc/hosts in the format below (short and full names work with ping).
I tried following the Gentoo wiki's guide http://gentoo-wiki.com/HOWTO_Add_a_gentoo_server_to_a_windows_network but it gave me an error message about not being able to join in single mode (will post the correct error tomorrow).
Any help will be greatly appreciated.
PS: I think this thread should be moved.
spiffywiffy n00b
Joined: 08 May 2007 Posts: 21
Posted: Thu Jul 05, 2007 1:49 pm
I recently solved my problem, and it came down to nothing software related. Our firewall was not allowing LDAP UDP traffic from the DMZ to our server VLAN. LDAP (389) TCP and UDP are both required. Although most of the traffic was TCP, it seems the very first communication with the DC was UDP.
Good luck with your issue!
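The resolution above (UDP/389 dropped between the DMZ and the server VLAN) is worth being able to confirm without Samba in the loop. The "cldap netlogon" step that failed is an LDAP SearchRequest sent over UDP port 389 (CLDAP) with the filter (&(DnsDomain=<realm>)(NtVer=\06\00\00\00)) asking for the Netlogon attribute; a DC that can hear you answers from UDP/389, and a firewall that only permits TCP/389 produces exactly the silence logged as "no reply received to cldap netlogon". The following probe is an added example, not code from the thread or from Samba: it hand-encodes that request in BER, fires it at each DC, and reports whether anything came back. The default realm and DC addresses are taken from the poster's krb5.conf; the 3 s timeout and the script's structure are assumptions of the example.

```python
"""CLDAP netlogon probe over UDP/389 (added example, not from the thread).

Sends the same kind of request `net ads join` uses to locate a DC:
  LDAPMessage { messageID, SearchRequest { baseObject "", scope base,
    filter (&(DnsDomain=<realm>)(NtVer=\06\00\00\00)), attrs [Netlogon] } }
No reply within the timeout is the firewall symptom from the thread.
"""
import socket
import sys


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def octets(value) -> bytes:
    """OCTET STRING (0x04); str is encoded as bytes first."""
    return tlv(0x04, value if isinstance(value, bytes) else value.encode())


def small_uint(tag: int, v: int) -> bytes:
    """INTEGER (0x02), ENUMERATED (0x0a) or BOOLEAN (0x01) for 0..127."""
    return tlv(tag, bytes([v]))


def equality(attr: str, value) -> bytes:
    """Filter CHOICE equalityMatch [3]: AttributeValueAssertion."""
    return tlv(0xA3, octets(attr) + octets(value))


def build_cldap_netlogon_request(realm: str, message_id: int = 1) -> bytes:
    """Encode the CLDAP netlogon SearchRequest for the given realm."""
    # and [0] of two equalityMatch filters. NtVer 0x06 is
    # NT_VERSION_5 | NT_VERSION_5EX, the value in Samba's filter string.
    flt = tlv(0xA0, equality("DnsDomain", realm)
              + equality("NtVer", b"\x06\x00\x00\x00"))
    search = (
        octets("")                       # baseObject: root DSE
        + small_uint(0x0A, 0)            # scope: baseObject
        + small_uint(0x0A, 0)            # derefAliases: neverDerefAliases
        + small_uint(0x02, 0)            # sizeLimit: none
        + small_uint(0x02, 0)            # timeLimit: none
        + small_uint(0x01, 0)            # typesOnly: FALSE
        + flt
        + tlv(0x30, octets("Netlogon"))  # attributes: [ Netlogon ]
    )
    # SearchRequest is [APPLICATION 3] constructed -> tag 0x63.
    return tlv(0x30, small_uint(0x02, message_id) + tlv(0x63, search))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def classify_reply(data: bytes) -> str:
    """Name the protocolOp in a DC's LDAPMessage reply."""
    names = {0x64: "SearchResultEntry", 0x65: "SearchResultDone"}
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        return "not-ldap"
    _, _, pos = read_tlv(msg)            # skip messageID
    op, _, _ = read_tlv(msg, pos)
    return names.get(op, "op-0x%02x" % op)


def probe_dc(dc: str, realm: str, timeout: float = 3.0):
    """Send one CLDAP request to dc:389/udp; return reply bytes or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cldap_netlogon_request(realm), (dc, 389))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    # Defaults are the realm and KDC addresses from the poster's krb5.conf.
    realm = sys.argv[1] if len(sys.argv) > 1 else "MYWORKGROUP.MYDOMAIN.CA"
    for dc in sys.argv[2:] or ["10.1.60.10", "10.1.60.11"]:
        reply = probe_dc(dc, realm)
        if reply is None:
            print(f"{dc}: no CLDAP reply (UDP/389 filtered, or not a DC)")
        else:
            print(f"{dc}: {classify_reply(reply)} ({len(reply)} bytes)")
```

Run it from the member server as `python3 cldap_probe.py MYWORKGROUP.MYDOMAIN.CA 10.1.60.10 10.1.60.11`. Any reply at all (a SearchResultEntry carrying the Netlogon blob, or a bare SearchResultDone if the realm does not match) proves the UDP path is open; silence while `ldapsearch` over TCP/389 works is the firewall case the thread ended on, and the corresponding rule needs to allow both TCP and UDP 389 toward the DCs.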