NAS4Free does not join Windows Server 2012 domain?

Authenticating XigmaNAS users using Active Directory or NT PDC
tps800
Starter
Starter
Posts: 16
Joined: 08 Sep 2015 10:16
Status: Offline

NAS4Free does not join Windows Server 2012 domain?

#1

Post by tps800 »

Hi!

I've configured NAS4Free, and it is running so far. The next step I'd like to take is to join an AD domain (Windows 2012 Server). I've filled in "Access -> Active Directory" and clicked save. It seems to save the config, but does not do anything more than that.

From a shell:

Code:

# net ads testjoin
ads_connect: No logon servers
Join to domain is not valid: No logon servers
#
Trying to list all users:

Code:

# getent passwd
root:[::removed::]:0:0:Charlie &:/root:/bin/tcsh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
ftp:*:21:50:FTP user:/mnt:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/empty:/usr/sbin/nologin
transmission:[::removed::]:999:999:User &:/home/transmission:/bin/tcsh
#
Just lists what is locally defined, not the ~1000 AD-domain-users!
Same for groups:

Code:

# getent group
wheel:*:0:root
daemon:*:1
kmem:*:2
sys:*:3
tty:*:4
operator:*:5:root
mail:*:6
bin:*:7
news:*:8
man:*:9
games:*:13
staff:*:20
sshd:*:22
smmsp:*:25
mailnull:*:26
guest:*:31
bind:*:53
proxy:*:62
authpf:*:63
_pflogd:*:64
_dhcp:*:65
uucp:*:66
dialer:*:68
network:*:69
audit:*:77
www:*:80
hast:*:845
nogroup:*:65533
nobody:*:65534
ftp:*:50:transmission
transmission:*:999
admin:*:1000
#
In case user enumeration is disabled, I've tried to get one user and one group:

Code:

# getent passwd <domain-user>
# getent group <domain-group>
#
Looking at /var/etc/smb4.conf:

Code:

# cat /var/etc/smb4.conf
[global]
server role = standalone
encrypt passwords = yes
netbios name = SERVER
workgroup = DOMAIN
server string = NAS4Free Server
security = ads
max protocol = SMB2
dns proxy = no
# Settings to enhance performance:
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
socket options = TCP_NODELAY SO_SNDBUF=128480 SO_RCVBUF=128480
# End of performance section
password server = ad.local.local
unix charset = UTF-8
store dos attributes = yes
local master = no
domain master = no
preferred master = no
os level = 0
time server = no
guest account = ftp
map to guest = Bad User
max log size = 100
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 1
dos charset = CP437
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
passdb backend = tdbsam
allow trusted domains = no
idmap config * : backend = tdb
idmap config * : range = 10000-39999
idmap config BFS : backend = rid
idmap config BFS : range = 10000-39999
realm = BFS
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind normalize names = yes
template homedir = /mnt
template shell = /bin/sh
winbind normalize names = no

[Q]
comment = Q
path = /mnt/zpool/Q
writeable = yes
printable = no
veto files = /.snap/.sujournal/
hide dot files = yes
guest ok = no
inherit permissions = yes
inherit acls = yes
vfs objects = shadow_copy2 zfsacl recycle aio_pthread
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
shadow:format = auto-%Y%m%d-%H%M%S
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
veto files = /.zfs/
winbind normalize names = no
Looking at /etc/nsswitch:

Code:

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
I am not sure if this config is OK at all, since it doesn't really use the AD setup for Kerberos/LDAP at all! In fact, it doesn't set up Kerberos as I'd expected it to!
Missing are:
  • Kerberos setup (/etc/krb5.conf, /etc/krb5.keytab)
  • OpenLDAP setup (/etc/openldap/ldap.conf or /etc/ldap/ldap.conf)
  • PAM-Setup (pam-ldap-setup or sssd-setup)
I only find winbindd setups. But winbindd, afaik, only uses the old, deprecated lanman protocol for information distribution. lanman is known to be vulnerable and has been deprecated since Windows Server 2008 and is not active any more since Windows Server 2012 -- to my knowledge it is not even included any more with Windows Server 2012.

So here my questions:
  • does NAS4Free at all join an AD domain spawned by Windows Server 2012?
  • does it set up necessary kerberos configuration and acquire kerberos keytabs as necessary?
  • does it at all set up configuration for kerberized LDAP as necessary to fully access a Windows Server 2012 AD?
  • does it, besides starting winbindd, set up credentials caching?
Looking at what has to be done, doing it manually, comparing what was done by "Access -> Active Directory" I'd say NAS4Free does not join a Windows Server 2012 AD domain in a useful way. But I'd like to be proven wrong!

Some hints:
* http://serverfault.com/questions/599200 ... urity-sssd (Handles kerberos, sssd, nssswitch setup for FreeBSD 9, 10, CURRENT)

Since I've set up some systems before to handle authentication and authorization by Windows Server 2012 AD here is what is found within the various configuration files on such a system (examples from CentOS 6.7):
* /etc/krb5.conf

Code:

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md4 des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
  permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 proxiable = true
 kdc_timesync = 1
 rdns = false
 krb4_get_tickets = no
 allow_weak_crypto = true

[realms]
 DOMAIN = {
  kdc = <ad.local.local-ip-address>
  admin_server = ad.local.local
  kpasswd_server = ad.local.local
 }

[domain_realm]
 .bfs.de = DOMAIN
 bfs.de = DOMAIN

#
 
* /etc/krb5.keytab

Code:

# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1      host/ad.local.local@DOMAIN
   2    1           ad.local.local@DOMAIN
   3    1      host/ad.local.local@DOMAIN
   4    1           ad.local.local@DOMAIN
   5    1      host/ad.local.local@DOMAIN
   6    1           ad.local.local@DOMAIN
   7    1      host/ad.local.local@DOMAIN
   8    1           ad.local.local@DOMAIN
   9    1      host/ad.local.local@DOMAIN
  10    1           ad.local.local@DOMAIN
ktutil:  q
#
Testing Kerberos:

Code:

# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@imis-tsrv02 ~]# kinit <domain-user>
Password for <domain-user>@DOMAIN:
Warning: Your password will expire in 78 days on Thu Nov 26 01:47:24 2015
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <domain-user>@DOMAIN

Valid starting     Expires            Service principal
09/08/15 14:19:55  09/09/15 00:19:55  krbtgt/DOMAIN@DOMAIN
        renew until 09/15/15 14:19:50
# kdestroy
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
#
* /etc/openldap/ldap.conf

Code:

# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
uri ldap://ad.local.local/
base dc=bfs,dc=de
URI ldaps://ad.local.local:<port>
BASE dc=local,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
#
Testing LDAP:

Code:

# ldapsearch -x | wc -l
[lists the whole searchbase, counting lines]
583730
* /etc/sssd/sssd.conf:

Code:

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = DOMAIN, default
#debug_level = 0x0270

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
#debug_level = 0x0270

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 5
offline_failed_login_delay = 5
#debug_level = 0x0270

[autofs]

[ssh]

[domain/DOMAIN]
enumerate = true
cache_credentials = true

id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad

krb5_kdcip = <ad.local.local-address>
krb5_realm = DOMAIN
krb5_server = ad.local.local
krb5_kpasswd = ad.local.local
krb5_canonicalize = false

ldap_uri = ldaps://ad.local.local:<port>
ldap_search_base = dc=local,dc=local
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/authconfig_downloaded.pem
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = <ucase-hostname>$@DOMAIN

#ldap_default_bind_dn = cn=<hostname>,cn=clients,cn=computers,dc=local,dc=local
#ldap_default_authtok_type = password
#ldap_default_authtok = <password>

#ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

#ldap_user_search_base = dc=local,dc=local
#ldap_user_object_class = user
#ldap_user_name =sAMAccountName
#ldap_user_fullname = displayName
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName

#debug_level = 0x0270

[domain/default]
ldap_id_use_start_tls = False
ldap_search_base = dc=local,dc=local
krb5_realm = DOMAIN
krb5_kdcip = <ad.local.local-address>
id_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_uri = ldaps://ad.local.local:<port>
krb5_kpasswd = ad.local.local
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts

#
* /etc/nsswitch:

Code:

# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

#
If the LDAP and Kerberos tests were OK, this would allow reading the whole directory.

Testing sssd:

Code:

# getent passwd | wc -l
3775
# getent group | wc -l
995
#
* PAM:

Code:

# cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_sss.so
#
After adding the PAM config I'd be able to log in with a domain user and acquire a Kerberos TGT:

Code:

# ssh -l <domain-user> localhost
<domain-user>@localhost's password: <type domain users password here>
Warning: Your password will expire in 78 days on Thu Nov 26 01:47:24 2015
Last login: Tue Sep  8 12:31:49 2015 from localhost
$ klist
Ticket cache: FILE:/tmp/krb5cc_10947_NivRZA
Default principal: <domain-user>@DOMAIN

Valid starting     Expires            Service principal
09/08/15 14:32:31  09/09/15 00:32:31  krbtgt/DOMAIN@DOMAIN
        renew until 09/15/15 14:32:31
$
Next step: config Samba4 (nfs4 is already configured since we'd changed PAM).
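
The following is an added example, not part of the original post and not NAS4Free or Samba code: a small Python linter run over excerpts of the smb4.conf and krb5.conf quoted above. It flags overlapping idmap ranges, a parameter set twice with different values, a dotless realm under security = ads (a heuristic; the thread later shows a working `realm = ad.peach.ne.jp`), and Kerberos enctypes deprecated by RFC 6649 and RFC 8429. The function names and finding labels are assumptions made for this example.

```python
import re

# Excerpts of the two files quoted in the post, abbreviated to the lines the
# checks look at (the enctype lists are shortened).
SMB4_CONF = """\
[global]
workgroup = DOMAIN
security = ads
password server = ad.local.local
idmap config * : backend = tdb
idmap config * : range = 10000-39999
idmap config BFS : backend = rid
idmap config BFS : range = 10000-39999
realm = BFS
winbind normalize names = yes
winbind normalize names = no
"""

KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des3-hmac-sha1 aes256-cts-hmac-sha1-96
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc arcfour-hmac-md5 aes256-cts-hmac-sha1-96
 allow_weak_crypto = true
"""

# DES, 3DES and RC4 enctype names (deprecated for Kerberos by RFC 6649 / RFC 8429).
DEPRECATED_ENCTYPE = re.compile(r"(des|des3|arcfour|rc4)-", re.I)


def parse(text):
    """Return {section: [(key, value), ...]}, keeping duplicates and order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf keys are case-insensitive and may contain spaces.
            sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections


def audit_smb(text):
    """Lint the [global] section of an smb.conf-style file."""
    findings, seen, ranges = [], {}, {}
    for key, value in parse(text).get("global", []):
        if key in seen and seen[key].lower() != value.lower():
            findings.append(f"conflict: '{key}' is set to '{seen[key]}' and to '{value}'")
        seen[key] = value
        dom = re.fullmatch(r"idmap config (\S+) : range", key)
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if dom and rng:
            ranges[dom.group(1)] = (int(rng.group(1)), int(rng.group(2)))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Two closed intervals overlap when each starts before the other ends.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap-overlap: idmap domains '{a}' and '{b}' share IDs")
    if seen.get("security", "").lower() == "ads" and "." not in seen.get("realm", ""):
        # Heuristic: an AD realm is normally the DNS domain, not the short name.
        findings.append(f"realm-format: realm '{seen.get('realm', '')}' is not a DNS domain name")
    return findings


def audit_krb5(text):
    """Lint [libdefaults] of a krb5.conf for deprecated encryption types."""
    findings = []
    for key, value in parse(text).get("libdefaults", []):
        if key.endswith("_enctypes"):
            weak = [e for e in re.split(r"[,\s]+", value) if DEPRECATED_ENCTYPE.match(e)]
            if weak:
                findings.append(f"weak-enctypes: {key} lists {', '.join(weak)}")
        if key == "allow_weak_crypto" and value.lower() in ("true", "yes", "on", "1"):
            findings.append("weak-crypto: allow_weak_crypto is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_smb(SMB4_CONF) + audit_krb5(KRB5_CONF):
        print(finding)
```
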

User avatar
daoyama
Developer
Developer
Posts: 422
Joined: 25 Aug 2012 09:28
Location: Japan
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#2

Post by daoyama »

Is something in your config broken?
Samba data is stored in /var/db/samba4 by default.
krb5.conf should be created in there.

Also, can your DNS resolve the domain controller name / password server?
NAS4Free 10.2.0.2.2115 (x64-embedded), 10.2.0.2.2258 (arm), 10.2.0.2.2258(dom0)
GIGABYTE 5YASV-RH, Celeron E3400 (Dual 2.6GHz), ECC 8GB, Intel ET/CT/82566DM (on-board), ZFS mirror (2TBx2)
ASRock E350M1/USB3, 16GB, Realtek 8111E (on-board), ZFS mirror (2TBx2)
MSI MS-9666, Core i7-860(Quad 2.8GHz/HT), 32GB, Mellanox ConnectX-2 EN/Intel 82578DM (on-board), ZFS mirror (3TBx2+L2ARC/ZIL:SSD128GB)
Develop/test environment:
VirtualBox 512MB VM, ESXi 512MB-8GB VM, Raspberry Pi, Pi2, ODROID-C1


Re: NAS4Free does not join Windows Server 2012 domain?

#3

Post by tps800 »

Image
Is what is configured.
And here is what is in /var/etc:

Code:

# ll /var/etc/
total 92
-rw-r--r--  1 root  wheel   263 Sep  8 09:35 crontab
-rw-r--r--  1 root  wheel    61 Sep  8 09:35 exports
-rw-r--r--  1 root  wheel   111 Sep  8 09:35 hosts
drwxr-xr-x  2 root  wheel   512 Sep  7 14:43 iscsi/
-rw-r--r--  1 root  wheel     0 Sep  8 09:35 ldap.conf
-rw-r--r--  1 root  wheel     0 Sep  8 09:35 ldap.secret
-rw-r--r--  1 root  wheel  3750 Sep  8 09:35 lighttpd.conf
-rw-r--r--  1 root  wheel   224 Sep  8 09:57 mdnsresponder.conf
-rw-------  1 root  wheel   139 Sep  8 09:35 msmtp.conf
drwxr-xr-x  2 root  wheel   512 Sep  7 14:43 netatalk/
-rw-r--r--  1 root  wheel   193 Sep  8 09:35 nsswitch.conf
-rw-------  1 root  wheel    17 Sep  8 09:35 nut.conf
drwxr--r--  2 root  wheel   512 Sep  7 14:43 pam.d/
drwxr-xr-x  3 root  wheel   512 Sep  7 16:33 private/
-rw-r--r--  1 root  wheel    63 Sep  8 09:35 resolv.conf
-rw-r--r--  1 root  wheel   281 Sep  8 09:35 smartd.conf
-rw-r--r--  1 root  wheel  1881 Sep  8 09:57 smb4.conf
drwxr-xr-x  2 root  wheel   512 Sep  7 15:01 ssh/
drwxr-xr-x  3 root  wheel   512 Sep  7 14:43 ssl/
-rw-r--r--  1 root  wheel   332 Sep  8 09:35 syslog.conf
-rw-------  1 root  wheel    26 Sep  8 09:35 ups.conf
-rw-------  1 root  wheel    61 Sep  8 09:35 upsd.conf
-rw-------  1 root  wheel   146 Sep  8 09:35 upsd.users
-rw-------  1 root  wheel   591 Sep  8 09:35 upsmon.conf
-rw-------  1 root  wheel   507 Sep  8 09:35 upssched.conf
And if I try "ll /var/etc/krb5.*":

Code:

# ll /var/etc/krb5.*
ls: No match.
Not there. PAM config is missing any kerberos references too:

Code:

# cat /var/etc/pam.d/sshd
# PAM configuration for the "sshd" service

# auth
auth       sufficient      pam_opie.so             no_warn no_fake_prompts
auth       requisite       pam_opieaccess.so       no_warn allow_local
auth       sufficient      /usr/local/lib/pam_winbind.so        debug try_first_pass
auth       required        pam_unix.so             no_warn try_first_pass

# account
account    required        pam_nologin.so          no_warn
account    required        pam_login_access.so
account    sufficient           /usr/local/lib/pam_winbind.so
account    required        pam_unix.so

# session
session    required        pam_permit.so
session    required        /usr/local/lib/pam_mkhomedir.so

# password
password   sufficient   /usr/local/lib/pam_winbind.so   debug try_first_pass
password   required        pam_unix.so             no_warn try_first_pass
LDAP config is empty (length 0):

Code:

-rw-r--r--  1 root  wheel     0 Sep  8 09:35 ldap.conf
-rw-r--r--  1 root  wheel     0 Sep  8 09:35 ldap.secret
nsswitch in /var/etc does not reference ldap in any way -- it only references winbind:

Code:

# cat /var/etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

The configs I've posted after "Some hints:" are from a working CentOS / FreeBSD install and they reside in /etc, since this is NOT a NAS4Free install! But it is a working config and it gives an idea of what I'd expect to find in the /var/etc files on NAS4Free -- if I find these files there ...!

Re: NAS4Free does not join Windows Server 2012 domain?

#4

Post by daoyama »

tps800 wrote: And if I try "ll /var/etc/krb5.*":

Code:

# ll /var/etc/krb5.*
ls: No match.
No. No. A global config such as /etc/krb5.conf is never created under N4F.
(The local config is stored in /var/db.)
And all users/groups on AD are provided by pam_winbind.

First you should check that your DNS is correct.
Did you get an IP from "ad.local.local"?
Try "ping ad.local.local".

Re: NAS4Free does not join Windows Server 2012 domain?

#5

Post by tps800 »

Code:

# ping ad.local.local
PING ad.local.local (10.10.1.33): 56 data bytes
64 bytes from 10.10.1.33: icmp_seq=0 ttl=58 time=23.954 ms
64 bytes from 10.10.1.33: icmp_seq=1 ttl=58 time=22.639 ms
64 bytes from 10.10.1.33: icmp_seq=2 ttl=58 time=23.814 ms
64 bytes from 10.10.1.33: icmp_seq=3 ttl=58 time=22.690 ms
64 bytes from 10.10.1.33: icmp_seq=4 ttl=58 time=38.147 ms
64 bytes from 10.10.1.33: icmp_seq=5 ttl=58 time=22.351 ms
^C
--- dc-master.bfs.de ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 22.351/25.599/38.147/5.644 ms
Looks good to me.


Re: NAS4Free does not join Windows Server 2012 domain?

#6

Post by tps800 »

In this case kinit should work?

Code:

# kinit <domain-user>
<domain-user>@DOMAIN's Password:
 osoz01-muc: ~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: <domain-user>@DOMAIN

  Issued                Expires               Principal
Sep  9 09:49:11 2015  Sep  9 19:49:11 2015  krbtgt/DOMAIN@DOMAIN
Looks like it really does!


Re: NAS4Free does not join Windows Server 2012 domain?

#7

Post by tps800 »

But:

Code:

# ssh -l <domain-user> localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is SHA256:G1p3REUS2Wvq1NIMUAkMTypuCWZMuIwa5/asAQSlUi8.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
<domain-user>@localhost's password:
Permission denied, please try again.
<domain-user>@localhost's password:
Permission denied, please try again.
<domain-user>@localhost's password:
Permission denied (publickey,password).
PAM seems not to work as expected, as does nsswitch:

Code:

# getent passwd
root:[::removed::]:0:0:Charlie &:/root:/bin/tcsh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
ftp:*:21:50:FTP user:/mnt:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/empty:/usr/sbin/nologin
transmission:[:removed::]:999:999:User &:/home/transmission:/bin/tcsh
Must have been more than 3000 lines ... if it were working!


Re: NAS4Free does not join Windows Server 2012 domain?

#8

Post by daoyama »

tps800 wrote:

Code:

# getent passwd
root:[::removed::]:0:0:Charlie &:/root:/bin/tcsh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
ftp:*:21:50:FTP user:/mnt:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/empty:/usr/sbin/nologin
transmission:[:removed::]:999:999:User &:/home/transmission:/bin/tcsh
If AD is connected, the users start from around uid 10000 (default setting), like this:

Code:

[root@nas4free-138 ~]# getent passwd
root:*remove*:0:0:Charlie &:/root:/bin/tcsh
toor:*:0:0:Bourne-again Superuser:/root:
(snip)
administrator:*:10500:10513:Administrator:/mnt:/bin/sh
guest:*:10501:10514:Guest:/mnt:/bin/sh
krbtgt:*:10502:10513:krbtgt:/mnt:/bin/sh
(snip)
Did you enable CIFS/SMB? Do you use Authentication = Active Directory?
What error shows on Diagnostics|Information|MS Active Directory?

Re: NAS4Free does not join Windows Server 2012 domain?

#9

Post by tps800 »

Image

Results for net rpc testjoin:
Environment LOGNAME is not defined. Trying anonymous access.
Join to 'DOMAIN' is OK
Ping winbindd to see if it is alive:
Ping to winbindd succeeded
Check shared secret:
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
checking the trust secret for domain DOMAIN via RPC calls failed

Re: NAS4Free does not join Windows Server 2012 domain?

#10

Post by tps800 »

The whole thing does not find the domain controller. But why does Windows find them? It is there and may be accessed:

Code:

# ping -c4 dc
PING dc (10.161.18.34): 56 data bytes
64 bytes from 10.161.18.34: icmp_seq=0 ttl=64 time=0.280 ms
64 bytes from 10.161.18.34: icmp_seq=1 ttl=64 time=0.206 ms
64 bytes from 10.161.18.34: icmp_seq=2 ttl=64 time=0.122 ms
64 bytes from 10.161.18.34: icmp_seq=3 ttl=64 time=0.308 ms

--- dc ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.122/0.229/0.308/0.072 ms

Code:

# host dc
dc has address 10.161.18.34
# host 10.161.18.34
34.18.161.10.in-addr.arpa domain name pointer dc.


Re: NAS4Free does not join Windows Server 2012 domain?

#11

Post by tps800 »

Code:

# net join -U Administrator -s /var/etc/smb4.conf
No realm has been specified! Do you really want to join an Active Directory server?
Enter Administrator's password:
No realm has been specified! Do you really want to join an Active Directory server?
Failed to join domain: failed to join domain 'DOMAIN' over rpc: Access denied
But:

Code:

# cat /var/etc/smb4.conf | grep -i realm
realm = DOMAIN

DexDeadly
NewUser
NewUser
Posts: 11
Joined: 24 Nov 2014 04:05
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#12

Post by DexDeadly »

Having similar issues? Were you able to figure this out?


Re: NAS4Free does not join Windows Server 2012 domain?

#13

Post by tps800 »

No. My question went stale. I could not figure out why the whole thing is not joining the domain, or better: why it is doing it halfway, staying inaccessible for all users.


Re: NAS4Free does not join Windows Server 2012 domain?

#14

Post by DexDeadly »

Looking at my Windows logs I can see it getting a successful login; however, in the NAS4Free logs I see this.

Code:

Oct 14 11:45:30 fury winbindd[4877]: unable to initialize domain list 
Oct 14 11:45:30 fury winbindd[4877]: [2015/10/14 11:45:30.476265, 0] ../source3/winbindd/winbindd.c:1294(winbindd_register_handlers) 
Oct 14 11:45:30 fury winbindd[4877]: Could not fetch our SID - did we join? 
Oct 14 11:45:30 fury winbindd[4877]: [2015/10/14 11:45:30.476233, 0] ../source3/winbindd/winbindd_util.c:736(init_domain_list) 
Oct 14 11:45:30 fury winbindd[4877]: initialize_winbindd_cache: clearing cache and re-creating with version number 2 
Oct 14 11:45:30 fury winbindd[4877]: [2015/10/14 11:45:30.474437, 0] ../source3/winbindd/winbindd_cache.c:3235(initialize_winbindd_cache)
I do see this in Windows log though as part of the login.

Code:

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0
Which to me seems to be related; however, it's a successful login according to the AD. So I'm not sure why it is not connecting either.


Re: NAS4Free does not join Windows Server 2012 domain?

#15

Post by daoyama »

Can you query the SRV record on NAS4Free?
What files exist in /var/db/samba4/smb_krb5?

Note: My Windows server (ADDC) has 5 network ports.

Code:

# host -t SRV _ldap._tcp.ad.peach.ne.jp
_ldap._tcp.ad.peach.ne.jp has SRV record 0 100 389 iris.ad.peach.ne.jp.
# host -t SRV _kerberos._udp.ad.peach.ne.jp
_kerberos._udp.ad.peach.ne.jp has SRV record 0 100 88 iris.ad.peach.ne.jp.
# host -t A iris.ad.peach.ne.jp.
iris.ad.peach.ne.jp has address 172.18.0.29
iris.ad.peach.ne.jp has address 172.16.0.29
iris.ad.peach.ne.jp has address 172.17.0.29
iris.ad.peach.ne.jp has address 172.20.0.29
iris.ad.peach.ne.jp has address 172.21.0.29
# grep realm /var/etc/smb4.conf
realm = ad.peach.ne.jp
# ls -al /var/db/samba4/
total 3212
drwxr-xr-x  7 root  wheel    1024 Oct 15 01:22 .
drwxr-xr-x  9 root  wheel     512 Oct 14 20:30 ..
-rw-------  1 root  wheel  421888 Oct 12 02:47 account_policy.tdb
-rw-r--r--  1 root  wheel   40200 Oct 15 01:22 brlock.tdb
-rw-------  1 root  wheel     696 Oct 15 01:22 dbwrap_watchers.tdb
-rw-------  1 root  wheel   16384 Oct 15 01:22 g_lock.tdb
-rw-r--r--  1 root  wheel  434176 Oct 15 01:22 gencache.tdb
-rw-r--r--  1 root  wheel    8192 Oct 15 01:22 gencache_notrans.tdb
-rw-------  1 root  wheel  430080 Oct 12 02:47 group_mapping.tdb
drwxr-xr-x  2 root  wheel     512 Oct 15 01:23 lck
-rw-r--r--  1 root  wheel     696 Oct 15 01:22 leases.tdb
-rw-r--r--  1 root  wheel   81920 Oct 15 01:22 locking.tdb
drwx------  2 root  wheel     512 Oct 15 01:23 msg
-rw-------  1 root  wheel     696 Oct 12 02:47 mutex.tdb
-rw-------  1 root  wheel     696 Oct 15 01:22 netsamlogon_cache.tdb
-rw-r--r--  1 root  wheel     696 Oct 15 01:22 notify.tdb
-rw-r--r--  1 root  wheel     696 Oct 15 01:22 notify_index.tdb
-rw-r--r--  1 root  wheel     696 Oct 14 20:30 printer_list.tdb
drwxr-xr-x  2 root  wheel     512 Oct 12 02:47 private
-rw-------  1 root  wheel  528384 Oct 12 02:47 registry.tdb
-rw-r--r--  1 root  wheel    8192 Oct 15 01:22 serverid.tdb
-rw-------  1 root  wheel  421888 Oct 12 02:47 share_info.tdb
-rw-------  1 root  wheel   28672 Oct 15 01:22 smbXsrv_open_global.tdb
-rw-------  1 root  wheel   32768 Oct 15 01:22 smbXsrv_session_global.tdb
-rw-------  1 root  wheel   16384 Oct 15 01:22 smbXsrv_tcon_global.tdb
-rw-------  1 root  wheel   16384 Oct 15 01:22 smbXsrv_version_global.tdb
drwxr-xr-x  2 root  wheel     512 Oct 15 01:22 smb_krb5
-rw-------  1 root  wheel   32768 Oct 15 01:22 winbindd_cache.tdb
-rw-r--r--  1 root  wheel  421888 Oct 15 01:22 winbindd_idmap.tdb
drwxr-x---  2 root  wheel     512 Oct 15 01:22 winbindd_privileged

# cat /var/db/samba4/smb_krb5/krb5.conf.AD
[libdefaults]
        default_realm = AD.PEACH.NE.JP
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5

[realms]
        AD.PEACH.NE.JP = {
                kdc = 172.18.0.29
        }
NAS4Free 10.2.0.2.2115 (x64-embedded), 10.2.0.2.2258 (arm), 10.2.0.2.2258(dom0)
GIGABYTE 5YASV-RH, Celeron E3400 (Dual 2.6GHz), ECC 8GB, Intel ET/CT/82566DM (on-board), ZFS mirror (2TBx2)
ASRock E350M1/USB3, 16GB, Realtek 8111E (on-board), ZFS mirror (2TBx2)
MSI MS-9666, Core i7-860(Quad 2.8GHz/HT), 32GB, Mellanox ConnectX-2 EN/Intel 82578DM (on-board), ZFS mirror (3TBx2+L2ARC/ZIL:SSD128GB)
Develop/test environment:
VirtualBox 512MB VM, ESXi 512MB-8GB VM, Raspberry Pi, Pi2, ODROID-C1

DexDeadly
NewUser
Posts: 11
Joined: 24 Nov 2014 04:05
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#16

Post by DexDeadly »

Here is my AD setup information

Image

total n00b moment here, where exactly do you want me to check this information? On console?

DexDeadly
NewUser
Posts: 11
Joined: 24 Nov 2014 04:05
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#17

Post by DexDeadly »

Also I guess I should add to this since it is probably relevant. My active directory is as follows

office.simplysyncedllc.com

I verified that my NetBIOS is OFFICE. The name of the computer is in fact labeled as IronMan. As we saw in my Windows Authentication logs it does try to authenticate. I also see in NAS4Free under the Information section that it is in fact pulling the users, however I can't use them but that seems to be possible during not able to join the domain. Do I have the information set up properly?

DexDeadly
NewUser
Posts: 11
Joined: 24 Nov 2014 04:05
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#18

Post by DexDeadly »

This was solved by changing the domain name to my full office.simplysyncedllc.com and it worked.

tps800
Starter
Posts: 16
Joined: 08 Sep 2015 10:16
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#19

Post by tps800 »

My setup is:

Code: Select all

Domain controller name: dc-master
Domain name (DNS/Realm-Name): local.local
Domain name (NetBIOS-Name): LOCAL
Administrator name: LOCAL\Administrator
The domain is NOT joined:

Code: Select all

Results for net rpc testjoin:
Environment LOGNAME is not defined. Trying anonymous access.
connect_to_domain_password_server: unable to open the domain client session to machine dc-master. Flags[0x00000000] Error was : NT_STATUS_ACCESS_DENIED.
Join to domain 'LOCAL' is not valid: NT_STATUS_ACCESS_DENIED
Ping winbindd to see if it is alive:
Ping to winbindd succeeded
Check shared secret:
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
checking the trust secret for domain LOCAL via RPC calls failed
I CAN:
- login manually to this domain.
- export krb5-keys with LOCAL\Administrator
- join other Windows 7/8 machines, server or workstations
- join other FreeBSD 10 / FreeBSD CURRENT systems running Samba 4

NAS4Free DOES NOT JOIN THE DOMAIN!!

tps800
Starter
Posts: 16
Joined: 08 Sep 2015 10:16
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#20

Post by tps800 »

DexDeadly wrote: This was solved by changing the domain name to my full office.simplysyncedllc.com and it worked.
Does not work for me. Neither
- LOCAL
- LOCAL.LOCAL

nor

- local
- local.local

work. All times the same. Domain not joined. I've tried to remove the System from the domain, I've tried to preconfigure it. No way. ACCESS_DENIED Errors. All over. Users are imported, but unusable: they do not authenticate. In all cases: DOMAIN_CONTROLLER_NOT_FOUND. But it is found, if NOT using samba. Kerberos finds it. Seems only samba is having problems here.

- What is samba looking for?
- What name is it sending to DNS to resolve?

daoyama
Developer
Posts: 422
Joined: 25 Aug 2012 09:28
Location: Japan
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#21

Post by daoyama »

tps800 wrote: - What is samba looking for?
- What name is it sending to DNS to resolve?
Why don't you check the DNS records I wrote above?

In your case (your setting is not wrong), you must run:
# host -t SRV _ldap._tcp.local.local
# host -t SRV _kerberos._udp.local.local
# host -t A dc-master.local.local
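
The DNS checks daoyama lists above, wrapped into one pass; this is an added example, not part of the original posts and not NAS4Free code. The function names and the `HOST_CMD` override are hypothetical, and the example goes beyond the post by also querying `_kerberos._tcp` and `_ldap._tcp.dc._msdcs` (both appear later in this thread) and by flagging any host that advertises LDAP without Kerberos.

```shell
#!/bin/sh
# Added example (not from the thread): pre-join DNS checks for a Samba ADS member.
# All function names and the HOST_CMD variable are hypothetical.

# Read `host -t SRV <name>` output on stdin and print "target port" per answer.
# host(1) prints: "<name> has SRV record <prio> <weight> <port> <target>."
srv_targets() {
    awk '$2 == "has" && $3 == "SRV" && $4 == "record" && NF >= 8 {
        t = tolower($8)
        sub(/\.$/, "", t)      # strip only a literal trailing dot
        print t, $7
    }' | sort -u
}

# Given two files in srv_targets format, print every host listed in the LDAP
# file that is missing from the Kerberos file. FILENAME is compared instead of
# NR == FNR so that an empty Kerberos file is handled correctly.
ldap_without_kdc() {
    ldap_file=$1
    kdc_file=$2
    awk 'FILENAME == ARGV[1] { kdc[$1] = 1; next }
         !($1 in kdc)        { print $1 }' "$kdc_file" "$ldap_file"
}

# check_realm REALM
# Looks up the SRV sets for REALM and prints one OK/FAIL line per check.
# Returns 0 only when every check passes. HOST_CMD defaults to host(1) and can
# point at a stub so the logic can be exercised without a network.
check_realm() {
    realm=$1
    rc=0
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/adsrv.XXXXXX") || return 2

    # A short name such as a NetBIOS domain cannot be used to find SRV records.
    case $realm in
        *.*) ;;
        *) echo "FAIL realm '$realm' is a single label, not a DNS domain"; rc=1 ;;
    esac

    for svc in _ldap._tcp _kerberos._udp _kerberos._tcp _ldap._tcp.dc._msdcs; do
        ${HOST_CMD:-host} -t SRV "$svc.$realm" 2>/dev/null | srv_targets > "$tmp/$svc"
        if [ -s "$tmp/$svc" ]; then
            echo "OK   $svc.$realm: $(wc -l < "$tmp/$svc" | tr -d ' ') target(s)"
        else
            echo "FAIL $svc.$realm: no SRV records"
            rc=1
        fi
    done

    # Assumption of this example: a usable DC should appear in both sets.
    for h in $(ldap_without_kdc "$tmp/_ldap._tcp" "$tmp/_kerberos._udp"); do
        echo "FAIL $h advertises LDAP but not Kerberos/UDP"
        rc=1
    done

    rm -rf "$tmp"
    return $rc
}
```

To use it on the NAS, source the file in a shell and run `check_realm local.local` with the realm exactly as it is entered under Access|Active Directory.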

tps800
Starter
Posts: 16
Joined: 08 Sep 2015 10:16
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#22

Post by tps800 »

I've taken the time to try to integrate NAS4Free into an existing AD:

Code: Select all

Domain name (realm): ADT
Domain name (NetBIOS): ADT
Systems name (DNS): osoz-muc.adt.test
DC-Name (DNS): dc-master.adt.test, is-muc.adt.test, is-fr.adt.test, is-bn.adt.test, (and some more)

All DCs are reachable:

Code: Select all

[root@osoz01-muc ~]# for i in $( host -t SRV _ldap._tcp.dc._msdcs.adt.test | awk '{ print $8 }' | sed 's/.$//' ); do ping -c1 $i; done
PING is-sz.adt.test (10.129.18.34): 56 data bytes
64 bytes from 10.129.18.34: icmp_seq=0 ttl=58 time=18.082 ms

--- is-sz.adt.test ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 18.082/18.082/18.082/0.000 ms
PING is-ber.adt.test (10.145.18.34): 56 data bytes
64 bytes from 10.145.18.34: icmp_seq=0 ttl=58 time=17.230 ms

--- is-ber.adt.test ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.230/17.230/17.230/0.000 ms
PING is-rd.adt.test (10.193.18.34): 56 data bytes
64 bytes from 10.193.18.34: icmp_seq=0 ttl=58 time=26.763 ms

--- is-rd.adt.test ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 26.763/26.763/26.763/0.000 ms
PING is-muc.adt.test (10.161.18.34): 56 data bytes
64 bytes from 10.161.18.34: icmp_seq=0 ttl=64 time=0.426 ms

--- is-muc.adt.test ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.426/0.426/0.426/0.000 ms
PING is-bn.adt.test (10.225.18.34): 56 data bytes
64 bytes from 10.225.18.34: icmp_seq=0 ttl=58 time=14.150 ms

--- is-bn.adt.test ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 14.150/14.150/14.150/0.000 ms
PING is-fr.adt.test (10.177.18.34): 56 data bytes
64 bytes from 10.177.18.34: icmp_seq=0 ttl=58 time=12.555 ms

--- is-fr.adt.test ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.555/12.555/12.555/0.000 ms
PING ucs-master.adt.test (10.129.18.33): 56 data bytes
64 bytes from 10.129.18.33: icmp_seq=0 ttl=58 time=18.189 ms

--- ucs-master.adt.test ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 18.189/18.189/18.189/0.000 ms
PING dc-master.adt.test (10.10.1.33): 56 data bytes
64 bytes from 10.10.1.33: icmp_seq=0 ttl=58 time=19.457 ms

--- dc-master.adt.test ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 19.457/19.457/19.457/0.000 ms

DC information is available via DNS:

Code: Select all

 osoz01-muc: ~# host -t SRV _ldap._tcp.adt.test
_ldap._tcp.adt.test has SRV record 0 100 389 is-bn.adt.test.
_ldap._tcp.adt.test has SRV record 0 100 389 is-fr.adt.test.
_ldap._tcp.adt.test has SRV record 0 100 389 is-muc.adt.test.
_ldap._tcp.adt.test has SRV record 0 100 389 is-rd.adt.test.
_ldap._tcp.adt.test has SRV record 0 100 389 is-sz.adt.test.
_ldap._tcp.adt.test has SRV record 0 100 389 ucs-master.adt.test.
_ldap._tcp.adt.test has SRV record 0 100 389 dc-master.adt.test.
_ldap._tcp.adt.test has SRV record 0 100 389 is-ber.adt.test.
 osoz01-muc: ~# host -t SRV _kerberos._tcp.adt.test
_kerberos._tcp.adt.test has SRV record 0 100 88 is-rd.adt.test.
_kerberos._tcp.adt.test has SRV record 0 100 88 is-muc.adt.test.
_kerberos._tcp.adt.test has SRV record 0 100 88 is-bn.adt.test.
_kerberos._tcp.adt.test has SRV record 0 100 88 is-fr.adt.test.
_kerberos._tcp.adt.test has SRV record 0 100 88 ucs-master.adt.test.
_kerberos._tcp.adt.test has SRV record 0 100 88 dc-master.adt.test.
_kerberos._tcp.adt.test has SRV record 0 100 88 is-sz.adt.test.
_kerberos._tcp.adt.test has SRV record 0 100 88 is-ber.adt.test.
 osoz01-muc: ~# host -t SRV _kerberos._udp.adt.test
_kerberos._udp.adt.test has SRV record 0 100 88 is-bn.adt.test.
_kerberos._udp.adt.test has SRV record 0 100 88 is-fr.adt.test.
_kerberos._udp.adt.test has SRV record 0 100 88 ucs-master.adt.test.
_kerberos._udp.adt.test has SRV record 0 100 88 dc-master.adt.test.
_kerberos._udp.adt.test has SRV record 0 100 88 is-sz.adt.test.
_kerberos._udp.adt.test has SRV record 0 100 88 is-ber.adt.test.
_kerberos._udp.adt.test has SRV record 0 100 88 is-rd.adt.test.
_kerberos._udp.adt.test has SRV record 0 100 88 is-muc.adt.test.
 osoz01-muc: ~# host -t SRV _ldap._tcp.dc._msdcs.adt.test
_ldap._tcp.dc._msdcs.adt.test has SRV record 0 100 389 is-rd.adt.test.
_ldap._tcp.dc._msdcs.adt.test has SRV record 0 100 389 is-muc.adt.test.
_ldap._tcp.dc._msdcs.adt.test has SRV record 0 100 389 is-bn.adt.test.
_ldap._tcp.dc._msdcs.adt.test has SRV record 0 100 389 is-fr.adt.test.
_ldap._tcp.dc._msdcs.adt.test has SRV record 0 100 389 ucs-master.adt.test.
_ldap._tcp.dc._msdcs.adt.test has SRV record 0 100 389 dc-master.adt.test.
_ldap._tcp.dc._msdcs.adt.test has SRV record 0 100 389 is-sz.adt.test.
_ldap._tcp.dc._msdcs.adt.test has SRV record 0 100 389 is-ber.adt.test.

Tried to join the domain (new NAS4Free setup):

Code: Select all

Results for net rpc testjoin:
Environment LOGNAME is not defined. Trying anonymous access.
connect_to_domain_password_server: unable to open the domain client session to machine dc-master. Flags[0x00000000] Error was : NT_STATUS_ACCESS_DENIED.
Join to domain 'BFS' is not valid: NT_STATUS_ACCESS_DENIED
Ping winbindd to see if it is alive:
Ping to winbindd succeeded
Check shared secret:
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
checking the trust secret for domain BFS via RPC calls failed

Kerberos is working:

Code: Select all

 osoz01-muc: ~# kinit user
user@ADT.TEST's Password:
 osoz01-muc: ~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user@ADT.TEST

  Issued                Expires               Principal
Oct 15 12:25:39 2015  Oct 15 22:25:39 2015  krbtgt/ADT.TEST@ADT.TEST

It is quite astonishing: some parts are working requiring the domain controller online, while others do not work, because DOMAIN_CONTROLLER_NOT_FOUND ...!

tps800
Starter
Posts: 16
Joined: 08 Sep 2015 10:16
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#23

Post by tps800 »

daoyama wrote:
tps800 wrote: - What is samba looking for?
- What name is it sending to DNS to resolve?
Why don't you check the DNS records I wrote above?

In your case (your setting is not wrong), you must run:
# host -t SRV _ldap._tcp.local.local
# host -t SRV _kerberos._udp.local.local
# host -t A dc-master.local.local
I've already checked this -- available. I can even ping the DC. Looking for open ports on them gives back that all have ports 88 (udp, tcp) and 389 (tcp) open. All are answering LDAP queries. I can even change passwords if holding a valid TGT. Only samba: DOMAIN_CONTROLLER_NOT_FOUND!

daoyama
Developer
Posts: 422
Joined: 25 Aug 2012 09:28
Location: Japan
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#24

Post by daoyama »

tps800 wrote: Results for net rpc testjoin:
Environment LOGNAME is not defined. Trying anonymous access.
connect_to_domain_password_server: unable to open the domain client session to machine dc-master. Flags[0x00000000] Error was : NT_STATUS_ACCESS_DENIED.
Join to domain 'BFS' is not valid: NT_STATUS_ACCESS_DENIED
It seems your setting on Access|Active Directory is wrong.
What does this command show?
net rpc -d10 testjoin -S dc-master.adt.test.

tps800
Starter
Posts: 16
Joined: 08 Sep 2015 10:16
Status: Offline

Re: NAS4Free does not join Windows Server 2012 domain?

#25

Post by tps800 »

daoyama wrote: It seems your setting on Access|Active Directory is wrong.
What does this command show?
net rpc -d10 testjoin -S dc-master.adt.test.

Code: Select all

INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
Processing section "[global]"
doing parameter server role = standalone
doing parameter encrypt passwords = yes
doing parameter netbios name = OSOZ01-MUC
doing parameter workgroup = ADT
doing parameter server string = NAS4Free Server
doing parameter security = ads
doing parameter max protocol = SMB2
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter read raw = yes
doing parameter write raw = yes
doing parameter oplocks = yes
doing parameter max xmit = 65535
doing parameter deadtime = 15
doing parameter getwd cache = yes
doing parameter socket options = TCP_NODELAY SO_SNDBUF=128480 SO_RCVBUF=128480
doing parameter password server = is-muc.adt.test
doing parameter wins server = 10.161.18.34
doing parameter unix charset = UTF-8
doing parameter store dos attributes = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter os level = 0
doing parameter time server = no
doing parameter guest account = ftp
doing parameter map to guest = Bad User
doing parameter max log size = 100
doing parameter syslog only = yes
doing parameter syslog = 1
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter log level = 1
doing parameter dos charset = CP850
doing parameter smb passwd file = /var/etc/private/smbpasswd
doing parameter private dir = /var/etc/private
doing parameter passdb backend = tdbsam
doing parameter allow trusted domains = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 10000-39999
doing parameter idmap config ADT : backend = rid
doing parameter idmap config ADT : range = 10000-39999
doing parameter realm = ADT.TEST
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = yes
doing parameter winbind normalize names = yes
doing parameter template homedir = /mnt
doing parameter template shell = /bin/sh
doing parameter aio read size = 1024
doing parameter aio write size = 1024
doing parameter winbind normalize names = no
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="OSOZ01-MUC"
added interface nfe0 ip=10.161.18.213 bcast=10.161.18.255 netmask=255.255.255.0
added interface nfe1 ip=10.161.18.214 bcast=10.161.18.255 netmask=255.255.255.0
added interface bge0 ip=10.161.18.215 bcast=10.161.18.255 netmask=255.255.255.0
added interface bge1 ip=10.161.18.216 bcast=10.161.18.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Opening cache file at /var/db/samba4/gencache.tdb
Opening cache file at /var/db/samba4/gencache_notrans.tdb
sitename_fetch: No stored sitename for adt.test
internal_resolve_name: looking up dc-master.adt.test#20 (sitename (null))
name dc-master.adt.test#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.10.1.33 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=17 destlen=16 - 'DC-MASTER.ADT.TEST'
Connecting to 10.10.1.33 at port 139
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 4
	TCP_KEEPCNT = 0
	TCP_KEEPIDLE = 0
	TCP_KEEPINTVL = 0
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 0
	SO_SNDBUF = 128480
	SO_RCVBUF = 128480
	SO_SNDLOWAT = 2048
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
     negotiate: struct NEGOTIATE_MESSAGE
        Signature                : 'NTLMSSP'
        MessageType              : NtLmNegotiate (1)
        NegotiateFlags           : 0x60088215 (1611170325)
               1: NTLMSSP_NEGOTIATE_UNICODE
               0: NTLMSSP_NEGOTIATE_OEM    
               1: NTLMSSP_REQUEST_TARGET   
               1: NTLMSSP_NEGOTIATE_SIGN   
               0: NTLMSSP_NEGOTIATE_SEAL   
               0: NTLMSSP_NEGOTIATE_DATAGRAM
               0: NTLMSSP_NEGOTIATE_LM_KEY 
               0: NTLMSSP_NEGOTIATE_NETWARE
               1: NTLMSSP_NEGOTIATE_NTLM   
               0: NTLMSSP_NEGOTIATE_NT_ONLY
               0: NTLMSSP_ANONYMOUS        
               0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
               0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
               0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
               1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
               0: NTLMSSP_TARGET_TYPE_DOMAIN
               0: NTLMSSP_TARGET_TYPE_SERVER
               0: NTLMSSP_TARGET_TYPE_SHARE
               1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
               0: NTLMSSP_NEGOTIATE_IDENTIFY
               0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
               0: NTLMSSP_NEGOTIATE_TARGET_INFO
               0: NTLMSSP_NEGOTIATE_VERSION
               1: NTLMSSP_NEGOTIATE_128    
               1: NTLMSSP_NEGOTIATE_KEY_EXCH
               0: NTLMSSP_NEGOTIATE_56     
        DomainNameLen            : 0x0003 (3)
        DomainNameMaxLen         : 0x0003 (3)
        DomainName               : *
            DomainName               : 'ADT'
        WorkstationLen           : 0x000a (10)
        WorkstationMaxLen        : 0x000a (10)
        Workstation              : *
            Workstation              : 'OSOZ01-MUC'
     challenge: struct CHALLENGE_MESSAGE
        Signature                : 'NTLMSSP'
        MessageType              : NtLmChallenge (0x2)
        TargetNameLen            : 0x0006 (6)
        TargetNameMaxLen         : 0x0006 (6)
        TargetName               : *
            TargetName               : 'ADT'
        NegotiateFlags           : 0x60898215 (1619624469)
               1: NTLMSSP_NEGOTIATE_UNICODE
               0: NTLMSSP_NEGOTIATE_OEM    
               1: NTLMSSP_REQUEST_TARGET   
               1: NTLMSSP_NEGOTIATE_SIGN   
               0: NTLMSSP_NEGOTIATE_SEAL   
               0: NTLMSSP_NEGOTIATE_DATAGRAM
               0: NTLMSSP_NEGOTIATE_LM_KEY 
               0: NTLMSSP_NEGOTIATE_NETWARE
               1: NTLMSSP_NEGOTIATE_NTLM   
               0: NTLMSSP_NEGOTIATE_NT_ONLY
               0: NTLMSSP_ANONYMOUS        
               0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
               0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
               0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
               1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
               1: NTLMSSP_TARGET_TYPE_DOMAIN
               0: NTLMSSP_TARGET_TYPE_SERVER
               0: NTLMSSP_TARGET_TYPE_SHARE
               1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
               0: NTLMSSP_NEGOTIATE_IDENTIFY
               0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
               1: NTLMSSP_NEGOTIATE_TARGET_INFO
               0: NTLMSSP_NEGOTIATE_VERSION
               1: NTLMSSP_NEGOTIATE_128    
               1: NTLMSSP_NEGOTIATE_KEY_EXCH
               0: NTLMSSP_NEGOTIATE_56     
        ServerChallenge          : e1ce9df45ead29a3
        Reserved                 : 0000000000000000
        TargetInfoLen            : 0x0058 (88)
        TargetNameInfoMaxLen     : 0x0058 (88)
        TargetInfo               : *
            TargetInfo: struct AV_PAIR_LIST
                count                    : 0x00000005 (5)
                pair: ARRAY(5)
                    pair: struct AV_PAIR
                        AvId                     : MsvAvNbDomainName (0x2)
                        AvLen                    : 0x0006 (6)
                        Value                    : union ntlmssp_AvValue(case 0x2)
                        AvNbDomainName           : 'ADT'
                    pair: struct AV_PAIR
                        AvId                     : MsvAvNbComputerName (0x1)
                        AvLen                    : 0x0012 (18)
                        Value                    : union ntlmssp_AvValue(case 0x1)
                        AvNbComputerName         : 'DC-MASTER'
                    pair: struct AV_PAIR
                        AvId                     : MsvAvDnsDomainName (0x4)
                        AvLen                    : 0x000c (12)
                        Value                    : union ntlmssp_AvValue(case 0x4)
                        AvDnsDomainName          : 'adt.test'
                    pair: struct AV_PAIR
                        AvId                     : MsvAvDnsComputerName (0x3)
                        AvLen                    : 0x0020 (32)
                        Value                    : union ntlmssp_AvValue(case 0x3)
                        AvDnsComputerName        : 'dc-master.adt.test'
                    pair: struct AV_PAIR
                        AvId                     : MsvAvEOL (0x0)
                        AvLen                    : 0x0000 (0)
                        Value                    : union ntlmssp_AvValue(case 0x0)
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
     authenticate: struct AUTHENTICATE_MESSAGE
        Signature                : 'NTLMSSP'
        MessageType              : NtLmAuthenticate (3)
        LmChallengeResponseLen   : 0x0018 (24)
        LmChallengeResponseMaxLen: 0x0018 (24)
        LmChallengeResponse      : *
            LmChallengeResponse      : union ntlmssp_LM_RESPONSE(case 24)
            v1: struct LM_RESPONSE
                Response                 : 9c458178a1400d9fa9d7d891801c0a1e62568cdb3a6159f6
        NtChallengeResponseLen   : 0x0084 (132)
        NtChallengeResponseMaxLen: 0x0084 (132)
        NtChallengeResponse      : *
            NtChallengeResponse      : union ntlmssp_NTLM_RESPONSE(case 132)
            v2: struct NTLMv2_RESPONSE
                Response                 : 367da2c5c513b0ded2b182129128e1b8
                Challenge: struct NTLMv2_CLIENT_CHALLENGE
                    RespType                 : 0x01 (1)
                    HiRespType               : 0x01 (1)
                    Reserved1                : 0x0000 (0)
                    Reserved2                : 0x00000000 (0)
                    TimeStamp                : Fri Oct 16 09:12:29 2015 CEST
                    ChallengeFromClient      : 4a46aa116e369783
                    Reserved3                : 0x00000000 (0)
                    AvPairs: struct AV_PAIR_LIST
                        count                    : 0x00000005 (5)
                        pair: ARRAY(5)
                            pair: struct AV_PAIR
                                AvId                     : MsvAvNbDomainName (0x2)
                                AvLen                    : 0x0006 (6)
                                Value                    : union ntlmssp_AvValue(case 0x2)
                                AvNbDomainName           : 'ADT'
                            pair: struct AV_PAIR
                                AvId                     : MsvAvNbComputerName (0x1)
                                AvLen                    : 0x0012 (18)
                                Value                    : union ntlmssp_AvValue(case 0x1)
                                AvNbComputerName         : 'DC-MASTER'
                            pair: struct AV_PAIR
                                AvId                     : MsvAvDnsDomainName (0x4)
                                AvLen                    : 0x000c (12)
                                Value                    : union ntlmssp_AvValue(case 0x4)
                                AvDnsDomainName          : 'adt.test'
                            pair: struct AV_PAIR
                                AvId                     : MsvAvDnsComputerName (0x3)
                                AvLen                    : 0x0020 (32)
                                Value                    : union ntlmssp_AvValue(case 0x3)
                                AvDnsComputerName        : 'dc-master.adt.test'
                            pair: struct AV_PAIR
                                AvId                     : MsvAvEOL (0x0)
                                AvLen                    : 0x0000 (0)
                                Value                    : union ntlmssp_AvValue(case 0x0)
        DomainNameLen            : 0x0006 (6)
        DomainNameMaxLen         : 0x0006 (6)
        DomainName               : *
            DomainName               : 'ADT'
        UserNameLen              : 0x0016 (22)
        UserNameMaxLen           : 0x0016 (22)
        UserName                 : *
            UserName                 : 'OSOZ01-MUC$'
        WorkstationLen           : 0x0014 (20)
        WorkstationMaxLen        : 0x0014 (20)
        Workstation              : *
            Workstation              : 'OSOZ01-MUC'
        EncryptedRandomSessionKeyLen: 0x0010 (16)
        EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
        EncryptedRandomSessionKey: *
            EncryptedRandomSessionKey: DATA_BLOB length=16
[0000] F9 B7 63 6D 13 7B 0A 41   3A 6A 29 91 60 66 AF 53   ..cm.{.A :j).`f.S
        NegotiateFlags           : 0x60088215 (1611170325)
               1: NTLMSSP_NEGOTIATE_UNICODE
               0: NTLMSSP_NEGOTIATE_OEM    
               1: NTLMSSP_REQUEST_TARGET   
               1: NTLMSSP_NEGOTIATE_SIGN   
               0: NTLMSSP_NEGOTIATE_SEAL   
               0: NTLMSSP_NEGOTIATE_DATAGRAM
               0: NTLMSSP_NEGOTIATE_LM_KEY 
               0: NTLMSSP_NEGOTIATE_NETWARE
               1: NTLMSSP_NEGOTIATE_NTLM   
               0: NTLMSSP_NEGOTIATE_NT_ONLY
               0: NTLMSSP_ANONYMOUS        
               0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
               0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
               0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
               1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
               0: NTLMSSP_TARGET_TYPE_DOMAIN
               0: NTLMSSP_TARGET_TYPE_SERVER
               0: NTLMSSP_TARGET_TYPE_SHARE
               1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
               0: NTLMSSP_NEGOTIATE_IDENTIFY
               0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
               0: NTLMSSP_NEGOTIATE_TARGET_INFO
               0: NTLMSSP_NEGOTIATE_VERSION
               1: NTLMSSP_NEGOTIATE_128    
               1: NTLMSSP_NEGOTIATE_KEY_EXCH
               0: NTLMSSP_NEGOTIATE_56     
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
sitename_fetch: No stored sitename for ADT.TEST
internal_resolve_name: looking up dc-master.adt.test#20 (sitename (null))
name dc-master.adt.test#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.10.1.33 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=17 destlen=16 - 'DC-MASTER.ADT.TEST'
Connecting to 10.10.1.33 at port 139
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 4
	TCP_KEEPCNT = 0
	TCP_KEEPIDLE = 0
	TCP_KEEPINTVL = 0
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 0
	SO_SNDBUF = 128480
	SO_RCVBUF = 128480
	SO_SNDLOWAT = 2048
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
cli_init_creds: user  domain 
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Bind RPC Pipe: host dc-master.adt.test auth_type 0, auth_level 1
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_BIND (11)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0048 (72)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000001 (1)
        u                        : union dcerpc_payload(case 11)
        bind: struct dcerpc_bind
            max_xmit_frag            : 0x10b8 (4280)
            max_recv_frag            : 0x10b8 (4280)
            assoc_group_id           : 0x00000000 (0)
            num_contexts             : 0x01 (1)
            ctx_list: ARRAY(1)
                ctx_list: struct dcerpc_ctx_list
                    context_id               : 0x0000 (0)
                    num_transfer_syntaxes    : 0x01 (1)
                    abstract_syntax: struct ndr_syntax_id
                        uuid                     : 12345678-1234-abcd-ef00-01234567cffb
                        if_version               : 0x00000001 (1)
                    transfer_syntaxes: ARRAY(1)
                        transfer_syntaxes: struct ndr_syntax_id
                            uuid                     : 8a885d04-1ceb-11c9-9fe8-08002b104860
                            if_version               : 0x00000002 (2)
            auth_info                : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=72, this_data=72, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 56
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_BIND_ACK (12)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0048 (72)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000001 (1)
        u                        : union dcerpc_payload(case 12)
        bind_ack: struct dcerpc_bind_ack
            max_xmit_frag            : 0x10b8 (4280)
            max_recv_frag            : 0x2000 (8192)
            assoc_group_id           : 0x0000d7b5 (55221)
            secondary_address_size   : 0x000f (15)
            secondary_address        : '\PIPE\netlogon'
            _pad1                    : DATA_BLOB length=3
[0000] 00 00 00                                          ... 
            num_results              : 0x01 (1)
            ctx_list: ARRAY(1)
                ctx_list: struct dcerpc_ack_ctx
                    result                   : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
                    reason                   : union dcerpc_bind_ack_reason(case 0)
                    value                    : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
                    syntax: struct ndr_syntax_id
                        uuid                     : 8a885d04-1ceb-11c9-9fe8-08002b104860
                        if_version               : 0x00000002 (2)
            auth_info                : DATA_BLOB length=0
rpc_api_pipe: got frag len of 72 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 72 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe netlogon to machine dc-master.adt.test and bound anonymously.
check lock order 2 for /var/db/samba4/g_lock.tdb
lock order:  1:<none> 2:/var/db/samba4/g_lock.tdb 3:<none>
Locking key 434C495B4F534F5A3031
Allocated locked data 0x0x8134b7da0
Unlocking key 434C495B4F534F5A3031
release lock order 2 for /var/db/samba4/g_lock.tdb
lock order:  1:<none> 2:<none> 3:<none>
check lock order 2 for /var/etc/private/netlogon_creds_cli.tdb
lock order:  1:<none> 2:/var/etc/private/netlogon_creds_cli.tdb 3:<none>
Locking key 434C495B4F534F5A3031
Allocated locked data 0x0x8134b7da0
Unlocking key 434C495B4F534F5A3031
release lock order 2 for /var/etc/private/netlogon_creds_cli.tdb
lock order:  1:<none> 2:<none> 3:<none>
     netr_ServerReqChallenge: struct netr_ServerReqChallenge
        in: struct netr_ServerReqChallenge
            server_name              : *
                server_name              : '\\dc-master.adt.test'
            computer_name            : *
                computer_name            : 'OSOZ01-MUC'
            credentials              : *
                credentials: struct netr_Credential
                    data                     : 45321fb501075fe3
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000002 (2)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000062 (98)
            context_id               : 0x0000 (0)
            opnum                    : 0x0004 (4)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=122, this_data=122, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 20
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0024 (36)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000002 (2)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x0000000c (12)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                . 
            stub_and_verifier        : DATA_BLOB length=12
[0000] 73 33 3B 53 F2 7B BB 7D   00 00 00 00              s3;S.{.} ....
Got pdu len 36, data_len 12, ss_len 0
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 12 bytes.
     netr_ServerReqChallenge: struct netr_ServerReqChallenge
        out: struct netr_ServerReqChallenge
            return_credentials       : *
                return_credentials: struct netr_Credential
                    data                     : 73333b53f27bbb7d
            result                   : NT_STATUS_OK
     netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
        in: struct netr_ServerAuthenticate3
            server_name              : *
                server_name              : '\\dc-master.adt.test'
            account_name             : *
                account_name             : 'OSOZ01-MUC$'
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            computer_name            : *
                computer_name            : 'OSOZ01-MUC'
            credentials              : *
                credentials: struct netr_Credential
                    data                     : 9f0a75376e2dea25
            negotiate_flags          : *
                negotiate_flags          : 0x610fffff (1628438527)
                       1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                       1: NETLOGON_NEG_PERSISTENT_SAMREPL
                       1: NETLOGON_NEG_ARCFOUR     
                       1: NETLOGON_NEG_PROMOTION_COUNT
                       1: NETLOGON_NEG_CHANGELOG_BDC
                       1: NETLOGON_NEG_FULL_SYNC_REPL
                       1: NETLOGON_NEG_MULTIPLE_SIDS
                       1: NETLOGON_NEG_REDO        
                       1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                       1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                       1: NETLOGON_NEG_GENERIC_PASSTHROUGH
                       1: NETLOGON_NEG_CONCURRENT_RPC
                       1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                       1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                       1: NETLOGON_NEG_STRONG_KEYS 
                       1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                       1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                       1: NETLOGON_NEG_PASSWORD_SET2
                       1: NETLOGON_NEG_GETDOMAININFO
                       1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                       0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                       0: NETLOGON_NEG_RODC_PASSTHROUGH
                       0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                       1: NETLOGON_NEG_SUPPORTS_AES
                       1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                       1: NETLOGON_NEG_AUTHENTICATED_RPC
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000003 (3)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000090 (144)
            context_id               : 0x0000 (0)
            opnum                    : 0x001a (26)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=168, this_data=168, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 28
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x002c (44)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000003 (3)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000014 (20)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                . 
            stub_and_verifier        : DATA_BLOB length=20
[0000] 00 00 00 00 00 00 00 00   FF FF 3F 61 F8 66 02 00   ........ ..?a.f..
[0010] 22 00 00 C0                                       "... 
Got pdu len 44, data_len 20, ss_len 0
rpc_api_pipe: got frag len of 44 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 20 bytes.
     netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
        out: struct netr_ServerAuthenticate3
            return_credentials       : *
                return_credentials: struct netr_Credential
                    data                     : 0000000000000000
            negotiate_flags          : *
                negotiate_flags          : 0x613fffff (1631584255)
                       1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                       1: NETLOGON_NEG_PERSISTENT_SAMREPL
                       1: NETLOGON_NEG_ARCFOUR     
                       1: NETLOGON_NEG_PROMOTION_COUNT
                       1: NETLOGON_NEG_CHANGELOG_BDC
                       1: NETLOGON_NEG_FULL_SYNC_REPL
                       1: NETLOGON_NEG_MULTIPLE_SIDS
                       1: NETLOGON_NEG_REDO        
                       1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                       1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                       1: NETLOGON_NEG_GENERIC_PASSTHROUGH
                       1: NETLOGON_NEG_CONCURRENT_RPC
                       1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                       1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                       1: NETLOGON_NEG_STRONG_KEYS 
                       1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                       1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                       1: NETLOGON_NEG_PASSWORD_SET2
                       1: NETLOGON_NEG_GETDOMAININFO
                       1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                       1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                       1: NETLOGON_NEG_RODC_PASSTHROUGH
                       0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                       1: NETLOGON_NEG_SUPPORTS_AES
                       1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                       1: NETLOGON_NEG_AUTHENTICATED_RPC
            rid                      : *
                rid                      : 0x000266f8 (157432)
            result                   : NT_STATUS_ACCESS_DENIED
     netr_ServerReqChallenge: struct netr_ServerReqChallenge
        in: struct netr_ServerReqChallenge
            server_name              : *
                server_name              : '\\dc-master.adt.test'
            computer_name            : *
                computer_name            : 'OSOZ01-MUC'
            credentials              : *
                credentials: struct netr_Credential
                    data                     : 8ec953b156c4f709
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000004 (4)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000062 (98)
            context_id               : 0x0000 (0)
            opnum                    : 0x0004 (4)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=122, this_data=122, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 20
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0024 (36)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000004 (4)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x0000000c (12)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                . 
            stub_and_verifier        : DATA_BLOB length=12
[0000] 87 0F 31 49 F6 41 6F E6   00 00 00 00              ..1I.Ao. ....
Got pdu len 36, data_len 12, ss_len 0
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 12 bytes.
     netr_ServerReqChallenge: struct netr_ServerReqChallenge
        out: struct netr_ServerReqChallenge
            return_credentials       : *
                return_credentials: struct netr_Credential
                    data                     : 870f3149f6416fe6
            result                   : NT_STATUS_OK
     netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
        in: struct netr_ServerAuthenticate3
            server_name              : *
                server_name              : '\\dc-master.adt.test'
            account_name             : *
                account_name             : 'OSOZ01-MUC$'
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            computer_name            : *
                computer_name            : 'OSOZ01-MUC'
            credentials              : *
                credentials: struct netr_Credential
                    data                     : 36680235f474df68
            negotiate_flags          : *
                negotiate_flags          : 0x613fffff (1631584255)
                       1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                       1: NETLOGON_NEG_PERSISTENT_SAMREPL
                       1: NETLOGON_NEG_ARCFOUR     
                       1: NETLOGON_NEG_PROMOTION_COUNT
                       1: NETLOGON_NEG_CHANGELOG_BDC
                       1: NETLOGON_NEG_FULL_SYNC_REPL
                       1: NETLOGON_NEG_MULTIPLE_SIDS
                       1: NETLOGON_NEG_REDO        
                       1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                       1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                       1: NETLOGON_NEG_GENERIC_PASSTHROUGH
                       1: NETLOGON_NEG_CONCURRENT_RPC
                       1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                       1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                       1: NETLOGON_NEG_STRONG_KEYS 
                       1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                       1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                       1: NETLOGON_NEG_PASSWORD_SET2
                       1: NETLOGON_NEG_GETDOMAININFO
                       1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                       1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                       1: NETLOGON_NEG_RODC_PASSTHROUGH
                       0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                       1: NETLOGON_NEG_SUPPORTS_AES
                       1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                       1: NETLOGON_NEG_AUTHENTICATED_RPC
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000005 (5)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000090 (144)
            context_id               : 0x0000 (0)
            opnum                    : 0x001a (26)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=168, this_data=168, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 28
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x002c (44)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000005 (5)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000014 (20)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                . 
            stub_and_verifier        : DATA_BLOB length=20
[0000] 00 00 00 00 00 00 00 00   FF FF 3F 61 F8 66 02 00   ........ ..?a.f..
[0010] 22 00 00 C0                                       "... 
Got pdu len 44, data_len 20, ss_len 0
rpc_api_pipe: got frag len of 44 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 20 bytes.
     netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
        out: struct netr_ServerAuthenticate3
            return_credentials       : *
                return_credentials: struct netr_Credential
                    data                     : 0000000000000000
            negotiate_flags          : *
                negotiate_flags          : 0x613fffff (1631584255)
                       1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                       1: NETLOGON_NEG_PERSISTENT_SAMREPL
                       1: NETLOGON_NEG_ARCFOUR     
                       1: NETLOGON_NEG_PROMOTION_COUNT
                       1: NETLOGON_NEG_CHANGELOG_BDC
                       1: NETLOGON_NEG_FULL_SYNC_REPL
                       1: NETLOGON_NEG_MULTIPLE_SIDS
                       1: NETLOGON_NEG_REDO        
                       1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                       1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                       1: NETLOGON_NEG_GENERIC_PASSTHROUGH
                       1: NETLOGON_NEG_CONCURRENT_RPC
                       1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                       1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                       1: NETLOGON_NEG_STRONG_KEYS 
                       1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                       1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                       1: NETLOGON_NEG_PASSWORD_SET2
                       1: NETLOGON_NEG_GETDOMAININFO
                       1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                       1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                       1: NETLOGON_NEG_RODC_PASSTHROUGH
                       0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                       1: NETLOGON_NEG_SUPPORTS_AES
                       1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                       1: NETLOGON_NEG_AUTHENTICATED_RPC
            rid                      : *
                rid                      : 0x000266f8 (157432)
            result                   : NT_STATUS_ACCESS_DENIED
check lock order 2 for /var/db/samba4/g_lock.tdb
lock order:  1:<none> 2:/var/db/samba4/g_lock.tdb 3:<none>
Locking key 434C495B4F534F5A3031
Allocated locked data 0x0x813462060
Unlocking key 434C495B4F534F5A3031
release lock order 2 for /var/db/samba4/g_lock.tdb
lock order:  1:<none> 2:<none> 3:<none>
connect_to_domain_password_server: unable to open the domain client session to machine dc-master.adt.test. Flags[0x00000000] Error was : NT_STATUS_ACCESS_DENIED.
Join to domain 'ADT' is not valid: NT_STATUS_ACCESS_DENIED
return code = -1
Freeing parametrics:

Re: NAS4Free does not join Windows Server 2012 domain?

#26

Post by tps800 »

daoyama wrote: It seems your setting on Access|Active Directory is wrong.
What does this command show?
net rpc -d10 testjoin -S dc-master.adt.test.

Code: Select all

INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
Processing section "[global]"
doing parameter server role = standalone
doing parameter encrypt passwords = yes
doing parameter netbios name = OSOZ01-MUC
doing parameter workgroup = ADT
doing parameter server string = NAS4Free Server
doing parameter security = ads
doing parameter max protocol = SMB2
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter read raw = yes
doing parameter write raw = yes
doing parameter oplocks = yes
doing parameter max xmit = 65535
doing parameter deadtime = 15
doing parameter getwd cache = yes
doing parameter socket options = TCP_NODELAY SO_SNDBUF=128480 SO_RCVBUF=128480
doing parameter password server = is-muc.adt.test
doing parameter wins server = 10.161.18.34
doing parameter unix charset = UTF-8
doing parameter store dos attributes = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter os level = 0
doing parameter time server = no
doing parameter guest account = ftp
doing parameter map to guest = Bad User
doing parameter max log size = 100
doing parameter syslog only = yes
doing parameter syslog = 1
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter log level = 1
doing parameter dos charset = CP850
doing parameter smb passwd file = /var/etc/private/smbpasswd
doing parameter private dir = /var/etc/private
doing parameter passdb backend = tdbsam
doing parameter allow trusted domains = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 10000-39999
doing parameter idmap config ADT : backend = rid
doing parameter idmap config ADT : range = 10000-39999
doing parameter realm = ADT.TEST
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = yes
doing parameter winbind normalize names = yes
doing parameter template homedir = /mnt
doing parameter template shell = /bin/sh
doing parameter aio read size = 1024
doing parameter aio write size = 1024
doing parameter winbind normalize names = no
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="OSOZ01-MUC"
added interface nfe0 ip=10.161.18.213 bcast=10.161.18.255 netmask=255.255.255.0
added interface nfe1 ip=10.161.18.214 bcast=10.161.18.255 netmask=255.255.255.0
added interface bge0 ip=10.161.18.215 bcast=10.161.18.255 netmask=255.255.255.0
added interface bge1 ip=10.161.18.216 bcast=10.161.18.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Opening cache file at /var/db/samba4/gencache.tdb
Opening cache file at /var/db/samba4/gencache_notrans.tdb
sitename_fetch: No stored sitename for adt.test
internal_resolve_name: looking up dc-master.adt.test#20 (sitename (null))
name dc-master.adt.test#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.10.1.33 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=17 destlen=16 - 'DC-MASTER.ADT.TEST'
Connecting to 10.10.1.33 at port 139
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 4
	TCP_KEEPCNT = 0
	TCP_KEEPIDLE = 0
	TCP_KEEPINTVL = 0
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 0
	SO_SNDBUF = 128480
	SO_RCVBUF = 128480
	SO_SNDLOWAT = 2048
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
     negotiate: struct NEGOTIATE_MESSAGE
        Signature                : 'NTLMSSP'
        MessageType              : NtLmNegotiate (1)
        NegotiateFlags           : 0x60088215 (1611170325)
               1: NTLMSSP_NEGOTIATE_UNICODE
               0: NTLMSSP_NEGOTIATE_OEM    
               1: NTLMSSP_REQUEST_TARGET   
               1: NTLMSSP_NEGOTIATE_SIGN   
               0: NTLMSSP_NEGOTIATE_SEAL   
               0: NTLMSSP_NEGOTIATE_DATAGRAM
               0: NTLMSSP_NEGOTIATE_LM_KEY 
               0: NTLMSSP_NEGOTIATE_NETWARE
               1: NTLMSSP_NEGOTIATE_NTLM   
               0: NTLMSSP_NEGOTIATE_NT_ONLY
               0: NTLMSSP_ANONYMOUS        
               0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
               0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
               0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
               1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
               0: NTLMSSP_TARGET_TYPE_DOMAIN
               0: NTLMSSP_TARGET_TYPE_SERVER
               0: NTLMSSP_TARGET_TYPE_SHARE
               1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
               0: NTLMSSP_NEGOTIATE_IDENTIFY
               0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
               0: NTLMSSP_NEGOTIATE_TARGET_INFO
               0: NTLMSSP_NEGOTIATE_VERSION
               1: NTLMSSP_NEGOTIATE_128    
               1: NTLMSSP_NEGOTIATE_KEY_EXCH
               0: NTLMSSP_NEGOTIATE_56     
        DomainNameLen            : 0x0003 (3)
        DomainNameMaxLen         : 0x0003 (3)
        DomainName               : *
            DomainName               : 'ADT'
        WorkstationLen           : 0x000a (10)
        WorkstationMaxLen        : 0x000a (10)
        Workstation              : *
            Workstation              : 'OSOZ01-MUC'
     challenge: struct CHALLENGE_MESSAGE
        Signature                : 'NTLMSSP'
        MessageType              : NtLmChallenge (0x2)
        TargetNameLen            : 0x0006 (6)
        TargetNameMaxLen         : 0x0006 (6)
        TargetName               : *
            TargetName               : 'ADT'
        NegotiateFlags           : 0x60898215 (1619624469)
               1: NTLMSSP_NEGOTIATE_UNICODE
               0: NTLMSSP_NEGOTIATE_OEM    
               1: NTLMSSP_REQUEST_TARGET   
               1: NTLMSSP_NEGOTIATE_SIGN   
               0: NTLMSSP_NEGOTIATE_SEAL   
               0: NTLMSSP_NEGOTIATE_DATAGRAM
               0: NTLMSSP_NEGOTIATE_LM_KEY 
               0: NTLMSSP_NEGOTIATE_NETWARE
               1: NTLMSSP_NEGOTIATE_NTLM   
               0: NTLMSSP_NEGOTIATE_NT_ONLY
               0: NTLMSSP_ANONYMOUS        
               0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
               0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
               0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
               1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
               1: NTLMSSP_TARGET_TYPE_DOMAIN
               0: NTLMSSP_TARGET_TYPE_SERVER
               0: NTLMSSP_TARGET_TYPE_SHARE
               1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
               0: NTLMSSP_NEGOTIATE_IDENTIFY
               0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
               1: NTLMSSP_NEGOTIATE_TARGET_INFO
               0: NTLMSSP_NEGOTIATE_VERSION
               1: NTLMSSP_NEGOTIATE_128    
               1: NTLMSSP_NEGOTIATE_KEY_EXCH
               0: NTLMSSP_NEGOTIATE_56     
        ServerChallenge          : e1ce9df45ead29a3
        Reserved                 : 0000000000000000
        TargetInfoLen            : 0x0058 (88)
        TargetNameInfoMaxLen     : 0x0058 (88)
        TargetInfo               : *
            TargetInfo: struct AV_PAIR_LIST
                count                    : 0x00000005 (5)
                pair: ARRAY(5)
                    pair: struct AV_PAIR
                        AvId                     : MsvAvNbDomainName (0x2)
                        AvLen                    : 0x0006 (6)
                        Value                    : union ntlmssp_AvValue(case 0x2)
                        AvNbDomainName           : 'ADT'
                    pair: struct AV_PAIR
                        AvId                     : MsvAvNbComputerName (0x1)
                        AvLen                    : 0x0012 (18)
                        Value                    : union ntlmssp_AvValue(case 0x1)
                        AvNbComputerName         : 'DC-MASTER'
                    pair: struct AV_PAIR
                        AvId                     : MsvAvDnsDomainName (0x4)
                        AvLen                    : 0x000c (12)
                        Value                    : union ntlmssp_AvValue(case 0x4)
                        AvDnsDomainName          : 'adt.test'
                    pair: struct AV_PAIR
                        AvId                     : MsvAvDnsComputerName (0x3)
                        AvLen                    : 0x0020 (32)
                        Value                    : union ntlmssp_AvValue(case 0x3)
                        AvDnsComputerName        : 'dc-master.adt.test'
                    pair: struct AV_PAIR
                        AvId                     : MsvAvEOL (0x0)
                        AvLen                    : 0x0000 (0)
                        Value                    : union ntlmssp_AvValue(case 0x0)
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
     authenticate: struct AUTHENTICATE_MESSAGE
        Signature                : 'NTLMSSP'
        MessageType              : NtLmAuthenticate (3)
        LmChallengeResponseLen   : 0x0018 (24)
        LmChallengeResponseMaxLen: 0x0018 (24)
        LmChallengeResponse      : *
            LmChallengeResponse      : union ntlmssp_LM_RESPONSE(case 24)
            v1: struct LM_RESPONSE
                Response                 : 9c458178a1400d9fa9d7d891801c0a1e62568cdb3a6159f6
        NtChallengeResponseLen   : 0x0084 (132)
        NtChallengeResponseMaxLen: 0x0084 (132)
        NtChallengeResponse      : *
            NtChallengeResponse      : union ntlmssp_NTLM_RESPONSE(case 132)
            v2: struct NTLMv2_RESPONSE
                Response                 : 367da2c5c513b0ded2b182129128e1b8
                Challenge: struct NTLMv2_CLIENT_CHALLENGE
                    RespType                 : 0x01 (1)
                    HiRespType               : 0x01 (1)
                    Reserved1                : 0x0000 (0)
                    Reserved2                : 0x00000000 (0)
                    TimeStamp                : Fri Oct 16 09:12:29 2015 CEST
                    ChallengeFromClient      : 4a46aa116e369783
                    Reserved3                : 0x00000000 (0)
                    AvPairs: struct AV_PAIR_LIST
                        count                    : 0x00000005 (5)
                        pair: ARRAY(5)
                            pair: struct AV_PAIR
                                AvId                     : MsvAvNbDomainName (0x2)
                                AvLen                    : 0x0006 (6)
                                Value                    : union ntlmssp_AvValue(case 0x2)
                                AvNbDomainName           : 'ADT'
                            pair: struct AV_PAIR
                                AvId                     : MsvAvNbComputerName (0x1)
                                AvLen                    : 0x0012 (18)
                                Value                    : union ntlmssp_AvValue(case 0x1)
                                AvNbComputerName         : 'DC-MASTER'
                            pair: struct AV_PAIR
                                AvId                     : MsvAvDnsDomainName (0x4)
                                AvLen                    : 0x000c (12)
                                Value                    : union ntlmssp_AvValue(case 0x4)
                                AvDnsDomainName          : 'adt.test'
                            pair: struct AV_PAIR
                                AvId                     : MsvAvDnsComputerName (0x3)
                                AvLen                    : 0x0020 (32)
                                Value                    : union ntlmssp_AvValue(case 0x3)
                                AvDnsComputerName        : 'dc-master.adt.test'
                            pair: struct AV_PAIR
                                AvId                     : MsvAvEOL (0x0)
                                AvLen                    : 0x0000 (0)
                                Value                    : union ntlmssp_AvValue(case 0x0)
        DomainNameLen            : 0x0006 (6)
        DomainNameMaxLen         : 0x0006 (6)
        DomainName               : *
            DomainName               : 'ADT'
        UserNameLen              : 0x0016 (22)
        UserNameMaxLen           : 0x0016 (22)
        UserName                 : *
            UserName                 : 'OSOZ01-MUC$'
        WorkstationLen           : 0x0014 (20)
        WorkstationMaxLen        : 0x0014 (20)
        Workstation              : *
            Workstation              : 'OSOZ01-MUC'
        EncryptedRandomSessionKeyLen: 0x0010 (16)
        EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
        EncryptedRandomSessionKey: *
            EncryptedRandomSessionKey: DATA_BLOB length=16
[0000] F9 B7 63 6D 13 7B 0A 41   3A 6A 29 91 60 66 AF 53   ..cm.{.A :j).`f.S
        NegotiateFlags           : 0x60088215 (1611170325)
               1: NTLMSSP_NEGOTIATE_UNICODE
               0: NTLMSSP_NEGOTIATE_OEM    
               1: NTLMSSP_REQUEST_TARGET   
               1: NTLMSSP_NEGOTIATE_SIGN   
               0: NTLMSSP_NEGOTIATE_SEAL   
               0: NTLMSSP_NEGOTIATE_DATAGRAM
               0: NTLMSSP_NEGOTIATE_LM_KEY 
               0: NTLMSSP_NEGOTIATE_NETWARE
               1: NTLMSSP_NEGOTIATE_NTLM   
               0: NTLMSSP_NEGOTIATE_NT_ONLY
               0: NTLMSSP_ANONYMOUS        
               0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
               0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
               0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
               1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
               0: NTLMSSP_TARGET_TYPE_DOMAIN
               0: NTLMSSP_TARGET_TYPE_SERVER
               0: NTLMSSP_TARGET_TYPE_SHARE
               1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
               0: NTLMSSP_NEGOTIATE_IDENTIFY
               0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
               0: NTLMSSP_NEGOTIATE_TARGET_INFO
               0: NTLMSSP_NEGOTIATE_VERSION
               1: NTLMSSP_NEGOTIATE_128    
               1: NTLMSSP_NEGOTIATE_KEY_EXCH
               0: NTLMSSP_NEGOTIATE_56     
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
sitename_fetch: No stored sitename for ADT.TEST
internal_resolve_name: looking up dc-master.adt.test#20 (sitename (null))
name dc-master.adt.test#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.10.1.33 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=17 destlen=16 - 'DC-MASTER.ADT.TEST'
Connecting to 10.10.1.33 at port 139
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 4
	TCP_KEEPCNT = 0
	TCP_KEEPIDLE = 0
	TCP_KEEPINTVL = 0
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 0
	SO_SNDBUF = 128480
	SO_RCVBUF = 128480
	SO_SNDLOWAT = 2048
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
cli_init_creds: user  domain 
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Bind RPC Pipe: host dc-master.adt.test auth_type 0, auth_level 1
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_BIND (11)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0048 (72)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000001 (1)
        u                        : union dcerpc_payload(case 11)
        bind: struct dcerpc_bind
            max_xmit_frag            : 0x10b8 (4280)
            max_recv_frag            : 0x10b8 (4280)
            assoc_group_id           : 0x00000000 (0)
            num_contexts             : 0x01 (1)
            ctx_list: ARRAY(1)
                ctx_list: struct dcerpc_ctx_list
                    context_id               : 0x0000 (0)
                    num_transfer_syntaxes    : 0x01 (1)
                    abstract_syntax: struct ndr_syntax_id
                        uuid                     : 12345678-1234-abcd-ef00-01234567cffb
                        if_version               : 0x00000001 (1)
                    transfer_syntaxes: ARRAY(1)
                        transfer_syntaxes: struct ndr_syntax_id
                            uuid                     : 8a885d04-1ceb-11c9-9fe8-08002b104860
                            if_version               : 0x00000002 (2)
            auth_info                : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=72, this_data=72, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 56
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_BIND_ACK (12)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0048 (72)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000001 (1)
        u                        : union dcerpc_payload(case 12)
        bind_ack: struct dcerpc_bind_ack
            max_xmit_frag            : 0x10b8 (4280)
            max_recv_frag            : 0x2000 (8192)
            assoc_group_id           : 0x0000d7b5 (55221)
            secondary_address_size   : 0x000f (15)
            secondary_address        : '\PIPE\netlogon'
            _pad1                    : DATA_BLOB length=3
[0000] 00 00 00                                          ... 
            num_results              : 0x01 (1)
            ctx_list: ARRAY(1)
                ctx_list: struct dcerpc_ack_ctx
                    result                   : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
                    reason                   : union dcerpc_bind_ack_reason(case 0)
                    value                    : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
                    syntax: struct ndr_syntax_id
                        uuid                     : 8a885d04-1ceb-11c9-9fe8-08002b104860
                        if_version               : 0x00000002 (2)
            auth_info                : DATA_BLOB length=0
rpc_api_pipe: got frag len of 72 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 72 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe netlogon to machine dc-master.adt.test and bound anonymously.
check lock order 2 for /var/db/samba4/g_lock.tdb
lock order:  1:<none> 2:/var/db/samba4/g_lock.tdb 3:<none>
Locking key 434C495B4F534F5A3031
Allocated locked data 0x0x8134b7da0
Unlocking key 434C495B4F534F5A3031
release lock order 2 for /var/db/samba4/g_lock.tdb
lock order:  1:<none> 2:<none> 3:<none>
check lock order 2 for /var/etc/private/netlogon_creds_cli.tdb
lock order:  1:<none> 2:/var/etc/private/netlogon_creds_cli.tdb 3:<none>
Locking key 434C495B4F534F5A3031
Allocated locked data 0x0x8134b7da0
Unlocking key 434C495B4F534F5A3031
release lock order 2 for /var/etc/private/netlogon_creds_cli.tdb
lock order:  1:<none> 2:<none> 3:<none>
     netr_ServerReqChallenge: struct netr_ServerReqChallenge
        in: struct netr_ServerReqChallenge
            server_name              : *
                server_name              : '\\dc-master.adt.test'
            computer_name            : *
                computer_name            : 'OSOZ01-MUC'
            credentials              : *
                credentials: struct netr_Credential
                    data                     : 45321fb501075fe3
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000002 (2)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000062 (98)
            context_id               : 0x0000 (0)
            opnum                    : 0x0004 (4)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=122, this_data=122, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 20
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0024 (36)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000002 (2)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x0000000c (12)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                . 
            stub_and_verifier        : DATA_BLOB length=12
[0000] 73 33 3B 53 F2 7B BB 7D   00 00 00 00              s3;S.{.} ....
Got pdu len 36, data_len 12, ss_len 0
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 12 bytes.
     netr_ServerReqChallenge: struct netr_ServerReqChallenge
        out: struct netr_ServerReqChallenge
            return_credentials       : *
                return_credentials: struct netr_Credential
                    data                     : 73333b53f27bbb7d
            result                   : NT_STATUS_OK
     netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
        in: struct netr_ServerAuthenticate3
            server_name              : *
                server_name              : '\\dc-master.adt.test'
            account_name             : *
                account_name             : 'OSOZ01-MUC$'
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            computer_name            : *
                computer_name            : 'OSOZ01-MUC'
            credentials              : *
                credentials: struct netr_Credential
                    data                     : 9f0a75376e2dea25
            negotiate_flags          : *
                negotiate_flags          : 0x610fffff (1628438527)
                       1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                       1: NETLOGON_NEG_PERSISTENT_SAMREPL
                       1: NETLOGON_NEG_ARCFOUR     
                       1: NETLOGON_NEG_PROMOTION_COUNT
                       1: NETLOGON_NEG_CHANGELOG_BDC
                       1: NETLOGON_NEG_FULL_SYNC_REPL
                       1: NETLOGON_NEG_MULTIPLE_SIDS
                       1: NETLOGON_NEG_REDO        
                       1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                       1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                       1: NETLOGON_NEG_GENERIC_PASSTHROUGH
                       1: NETLOGON_NEG_CONCURRENT_RPC
                       1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                       1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                       1: NETLOGON_NEG_STRONG_KEYS 
                       1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                       1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                       1: NETLOGON_NEG_PASSWORD_SET2
                       1: NETLOGON_NEG_GETDOMAININFO
                       1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                       0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                       0: NETLOGON_NEG_RODC_PASSTHROUGH
                       0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                       1: NETLOGON_NEG_SUPPORTS_AES
                       1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                       1: NETLOGON_NEG_AUTHENTICATED_RPC
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000003 (3)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000090 (144)
            context_id               : 0x0000 (0)
            opnum                    : 0x001a (26)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=168, this_data=168, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 28
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x002c (44)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000003 (3)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000014 (20)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                . 
            stub_and_verifier        : DATA_BLOB length=20
[0000] 00 00 00 00 00 00 00 00   FF FF 3F 61 F8 66 02 00   ........ ..?a.f..
[0010] 22 00 00 C0                                       "... 
Got pdu len 44, data_len 20, ss_len 0
rpc_api_pipe: got frag len of 44 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 20 bytes.
     netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
        out: struct netr_ServerAuthenticate3
            return_credentials       : *
                return_credentials: struct netr_Credential
                    data                     : 0000000000000000
            negotiate_flags          : *
                negotiate_flags          : 0x613fffff (1631584255)
                       1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                       1: NETLOGON_NEG_PERSISTENT_SAMREPL
                       1: NETLOGON_NEG_ARCFOUR     
                       1: NETLOGON_NEG_PROMOTION_COUNT
                       1: NETLOGON_NEG_CHANGELOG_BDC
                       1: NETLOGON_NEG_FULL_SYNC_REPL
                       1: NETLOGON_NEG_MULTIPLE_SIDS
                       1: NETLOGON_NEG_REDO        
                       1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                       1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                       1: NETLOGON_NEG_GENERIC_PASSTHROUGH
                       1: NETLOGON_NEG_CONCURRENT_RPC
                       1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                       1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                       1: NETLOGON_NEG_STRONG_KEYS 
                       1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                       1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                       1: NETLOGON_NEG_PASSWORD_SET2
                       1: NETLOGON_NEG_GETDOMAININFO
                       1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                       1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                       1: NETLOGON_NEG_RODC_PASSTHROUGH
                       0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                       1: NETLOGON_NEG_SUPPORTS_AES
                       1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                       1: NETLOGON_NEG_AUTHENTICATED_RPC
            rid                      : *
                rid                      : 0x000266f8 (157432)
            result                   : NT_STATUS_ACCESS_DENIED
     netr_ServerReqChallenge: struct netr_ServerReqChallenge
        in: struct netr_ServerReqChallenge
            server_name              : *
                server_name              : '\\dc-master.adt.test'
            computer_name            : *
                computer_name            : 'OSOZ01-MUC'
            credentials              : *
                credentials: struct netr_Credential
                    data                     : 8ec953b156c4f709
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000004 (4)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000062 (98)
            context_id               : 0x0000 (0)
            opnum                    : 0x0004 (4)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=122, this_data=122, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 20
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0024 (36)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000004 (4)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x0000000c (12)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                . 
            stub_and_verifier        : DATA_BLOB length=12
[0000] 87 0F 31 49 F6 41 6F E6   00 00 00 00              ..1I.Ao. ....
Got pdu len 36, data_len 12, ss_len 0
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 12 bytes.
     netr_ServerReqChallenge: struct netr_ServerReqChallenge
        out: struct netr_ServerReqChallenge
            return_credentials       : *
                return_credentials: struct netr_Credential
                    data                     : 870f3149f6416fe6
            result                   : NT_STATUS_OK
     netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
        in: struct netr_ServerAuthenticate3
            server_name              : *
                server_name              : '\\dc-master.adt.test'
            account_name             : *
                account_name             : 'OSOZ01-MUC$'
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            computer_name            : *
                computer_name            : 'OSOZ01-MUC'
            credentials              : *
                credentials: struct netr_Credential
                    data                     : 36680235f474df68
            negotiate_flags          : *
                negotiate_flags          : 0x613fffff (1631584255)
                       1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                       1: NETLOGON_NEG_PERSISTENT_SAMREPL
                       1: NETLOGON_NEG_ARCFOUR     
                       1: NETLOGON_NEG_PROMOTION_COUNT
                       1: NETLOGON_NEG_CHANGELOG_BDC
                       1: NETLOGON_NEG_FULL_SYNC_REPL
                       1: NETLOGON_NEG_MULTIPLE_SIDS
                       1: NETLOGON_NEG_REDO        
                       1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                       1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                       1: NETLOGON_NEG_GENERIC_PASSTHROUGH
                       1: NETLOGON_NEG_CONCURRENT_RPC
                       1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                       1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                       1: NETLOGON_NEG_STRONG_KEYS 
                       1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                       1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                       1: NETLOGON_NEG_PASSWORD_SET2
                       1: NETLOGON_NEG_GETDOMAININFO
                       1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                       1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                       1: NETLOGON_NEG_RODC_PASSTHROUGH
                       0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                       1: NETLOGON_NEG_SUPPORTS_AES
                       1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                       1: NETLOGON_NEG_AUTHENTICATED_RPC
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000005 (5)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000090 (144)
            context_id               : 0x0000 (0)
            opnum                    : 0x001a (26)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host dc-master.adt.test
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=168, this_data=168, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 28
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x002c (44)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000005 (5)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000014 (20)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                . 
            stub_and_verifier        : DATA_BLOB length=20
[0000] 00 00 00 00 00 00 00 00   FF FF 3F 61 F8 66 02 00   ........ ..?a.f..
[0010] 22 00 00 C0                                       "... 
Got pdu len 44, data_len 20, ss_len 0
rpc_api_pipe: got frag len of 44 at offset 0: NT_STATUS_OK
rpc_api_pipe: host dc-master.adt.test returned 20 bytes.
     netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
        out: struct netr_ServerAuthenticate3
            return_credentials       : *
                return_credentials: struct netr_Credential
                    data                     : 0000000000000000
            negotiate_flags          : *
                negotiate_flags          : 0x613fffff (1631584255)
                       1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                       1: NETLOGON_NEG_PERSISTENT_SAMREPL
                       1: NETLOGON_NEG_ARCFOUR     
                       1: NETLOGON_NEG_PROMOTION_COUNT
                       1: NETLOGON_NEG_CHANGELOG_BDC
                       1: NETLOGON_NEG_FULL_SYNC_REPL
                       1: NETLOGON_NEG_MULTIPLE_SIDS
                       1: NETLOGON_NEG_REDO        
                       1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                       1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                       1: NETLOGON_NEG_GENERIC_PASSTHROUGH
                       1: NETLOGON_NEG_CONCURRENT_RPC
                       1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                       1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                       1: NETLOGON_NEG_STRONG_KEYS 
                       1: NETLOGON_NEG_TRANSITIVE_TRUSTS
                       1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                       1: NETLOGON_NEG_PASSWORD_SET2
                       1: NETLOGON_NEG_GETDOMAININFO
                       1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                       1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                       1: NETLOGON_NEG_RODC_PASSTHROUGH
                       0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                       1: NETLOGON_NEG_SUPPORTS_AES
                       1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                       1: NETLOGON_NEG_AUTHENTICATED_RPC
            rid                      : *
                rid                      : 0x000266f8 (157432)
            result                   : NT_STATUS_ACCESS_DENIED
check lock order 2 for /var/db/samba4/g_lock.tdb
lock order:  1:<none> 2:/var/db/samba4/g_lock.tdb 3:<none>
Locking key 434C495B4F534F5A3031
Allocated locked data 0x0x813462060
Unlocking key 434C495B4F534F5A3031
release lock order 2 for /var/db/samba4/g_lock.tdb
lock order:  1:<none> 2:<none> 3:<none>
connect_to_domain_password_server: unable to open the domain client session to machine dc-master.adt.test. Flags[0x00000000] Error was : NT_STATUS_ACCESS_DENIED.
Join to domain 'ADT' is not valid: NT_STATUS_ACCESS_DENIED
return code = -1
Freeing parametrics:
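
Added example (not part of the thread and not Samba code): the two response stubs in the trace above can be decoded by hand to confirm that the status the client reports is the one the domain controller put on the wire in its netr_ServerAuthenticate3 reply. The field layout is inferred from the fields the trace prints, the flag table is a subset checked against the trace's own decode of 0x613fffff, and the function and variable names are illustrative.

```python
import re
import struct

# Constructed samples: the two response stubs copied from the trace in this thread.
REQ_CHALLENGE_DUMP = """\
stub_and_verifier        : DATA_BLOB length=12
[0000] 87 0F 31 49 F6 41 6F E6   00 00 00 00              ..1I.Ao. ....
"""
AUTH3_DUMP = """\
stub_and_verifier        : DATA_BLOB length=20
[0000] 00 00 00 00 00 00 00 00   FF FF 3F 61 F8 66 02 00   ........ ..?a.f..
[0010] 22 00 00 C0                                       "...
"""
# NTSTATUS codes seen in this thread and a subset of the NETLOGON negotiate bits.
NTSTATUS = {0x00000000: "NT_STATUS_OK", 0xC0000022: "NT_STATUS_ACCESS_DENIED",
            0xC0000233: "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND"}
NEG_FLAGS = {0x00000004: "NETLOGON_NEG_ARCFOUR",
             0x00004000: "NETLOGON_NEG_STRONG_KEYS",
             0x00400000: "NETLOGON_NEG_SUPPORTS_AES_SHA2",
             0x01000000: "NETLOGON_NEG_SUPPORTS_AES",
             0x20000000: "NETLOGON_NEG_AUTHENTICATED_RPC_LSASS",
             0x40000000: "NETLOGON_NEG_AUTHENTICATED_RPC"}
HEX_LINE = re.compile(r"\[[0-9A-Fa-f]{4}\]((?:\s+[0-9A-Fa-f]{2}(?!\S))+)")

def blob_from_dump(text):
    """Rebuild the bytes of a 'DATA_BLOB length=N' hex listing."""
    declared = int(re.search(r"DATA_BLOB length=(\d+)", text).group(1))
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            data += bytes.fromhex("".join(m.group(1).split()[:16]))
    if len(data) < declared:
        raise ValueError("hex listing is shorter than the declared length")
    return bytes(data[:declared])  # cut any ASCII-column text that parsed as hex

def decode_netlogon_reply(stub):
    """Unpack a ServerReqChallenge (12-byte) or ServerAuthenticate3 (20-byte)
    response stub. drep[0] = 0x10 in the trace means little-endian integers."""
    if len(stub) == 12:
        cred, status = struct.unpack("<8sI", stub)
        flags = rid = None
    elif len(stub) == 20:
        cred, flags, rid, status = struct.unpack("<8sIII", stub)
    else:
        raise ValueError(f"unexpected stub length {len(stub)}")
    names = [n for bit, n in NEG_FLAGS.items() if flags and flags & bit]
    return {"return_credentials": cred.hex(), "negotiate_flags": flags,
            "flags_set": names, "rid": rid,
            "result": NTSTATUS.get(status, f"0x{status:08x}")}
```

Calling `decode_netlogon_reply(blob_from_dump(AUTH3_DUMP))` gives the same fields the trace prints for the failed call: an all-zero return credential, the echoed negotiate flags, the rid, and the status taken from the last four bytes of the stub.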

daoyama
Developer
Posts: 422
Joined: 25 Aug 2012 09:28
Location: Japan

#27

Post by daoyama »

Thank you.
What happens if you clear Password server, WINS server, and Trusted domains on Services|CIFS/SMB|Settings?

tps800
Starter
Posts: 16
Joined: 08 Sep 2015 10:16

#28

Post by tps800 »

I've cleared, as advised, Trusted-Domain, Password-Server, and WINS-Server. It does not seem to change anything:

MS Active Directory informations

Code: Select all

Results for net rpc testjoin:
Environment LOGNAME is not defined. Trying anonymous access.
connect_to_domain_password_server: unable to open the domain client session to machine dc-master. Flags[0x00000000] Error was : NT_STATUS_ACCESS_DENIED.
Join to domain 'BFS' is not valid: NT_STATUS_ACCESS_DENIED
Ping winbindd to see if it is alive:
Ping to winbindd succeeded
Check shared secret:
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
checking the trust secret for domain BFS via RPC calls failed
List of imported users

Code: Select all

[... deleted users-list with more than 1600 Users]
