From: Stephanie Bridges
Date: Wed, 09 Apr 2008 16:04:50 -0500
To: freebsd-questions@freebsd.org
Subject: samba 3.0.28 on 7.0-RELEASE with base heimdal
Message-ID: <47FD2F72.1080801@iastate.edu>

Hello,

I've been trying to get samba installed and connecting to a Win2k03 AD using RFC2307 and having problems getting it to join the domain. I've got a 6.2 machine which is working with nearly the same configuration (I think the only differences are the idmap backends).

I installed from the port after enabling the ADS support (and EXP_MODULES as I want the idmap backends provided there). I installed the openldap23-sasl-client as that is what I installed on the 6.2 machine (somewhere I read that was needed for things to work correctly).

I copied a working krb5.conf file from my 6.2 machine and verified that I could successfully do kinit (this works great, I get a ticket for myself). However, when I try to do the net ads join command (after I kinit as the user who has permission to add the computer account to AD), I get prompted for my password, and then get the "Response too big for UDP, retry with TCP" error and am unable to join the domain. I *thought* that I didn't get prompted for my password with the 6.2 machine, but it has been since last summer that I set it up.

I see that net ads join creates its own krb5.conf file in /var/db/samba/smb_krb5/krb5.conf.IASTATE which doesn't have the tcp/ service flag preceding the IP addresses.

I ran the command with debug level at 10, and after a whole bunch of query stuff after it asked for my password, I got this:

------------
[2008/04/09 15:42:44, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2008/04/09 15:42:44, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = windc1$@IASTATE.EDU
[2008/04/09 15:42:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2008/04/09 15:42:44, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
  ads_sasl_spnego_krb5_bind failed with: No such file or directory, calling kinit
[2008/04/09 15:42:44, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/db/samba/smb_krb5/krb5.conf.IASTATE]
[2008/04/09 15:42:44, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password sbridges@IASTATE.EDU failed: Response too big for UDP, retry with TCP
[2008/04/09 15:42:44, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Response too big for UDP, retry with TCP
Failed to join domain: NT_STATUS_PROTOCOL_UNREACHABLE
[2008/04/09 15:42:44, 2] utils/net.c:main(1036)
  return code = -1
-------------------

Does any of this mean anything to anybody? I thought from reading the samba docs that it would automatically retry with TCP when it got this error.
I can't find a whole lot on the net -- what I did find, people weren't able to successfully kinit at the command prompt either, but that works for me.

-- 
Stephanie Bridges
Department of Economics
Iowa State University
sbridges@iastate.edu

"A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort." --Herm Albright
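
The message above observes that the krb5.conf written by net ads join lacks the tcp/ prefix on its KDC addresses. As an added example (not part of the original message), this shell sketch lists the transport of every kdc entry in a krb5.conf so the hand-maintained file and the generated one can be compared. The sample files, the realm EXAMPLE.ORG and the 192.0.2.x addresses are constructed; the `[service/]host` form of a kdc entry is Heimdal's krb5.conf syntax.

```shell
# List each kdc entry in [realms] as "REALM TRANSPORT HOST".
# TRANSPORT is the optional Heimdal service prefix (tcp, udp, http);
# "default" means the entry has no prefix.
kdc_transports() {
    awk '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        !in_realms || /^[ \t]*#/ { next }
        /^[ \t]*[^ \t=]+[ \t]*=[ \t]*\{/ {   # "REALM = {" opens a block
            realm = $0
            sub(/^[ \t]*/, "", realm); sub(/[ \t]*=.*/, "", realm); next
        }
        /\}/ { realm = ""; next }
        realm != "" && /^[ \t]*kdc[ \t]*=/ {
            val = $0
            sub(/^[ \t]*kdc[ \t]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            transport = "default"
            if (match(val, /^(tcp|udp|http)\//)) {
                transport = substr(val, 1, RLENGTH - 1)
                val = substr(val, RLENGTH + 1)
            }
            print realm, transport, val
        }
    ' "$1"
}

# Succeeds only if the file has kdc entries and all of them use tcp/.
all_kdcs_tcp() {
    out=$(kdc_transports "$1")
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | awk '$2 != "tcp" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample files; realm and addresses are placeholders.
tmp=$(mktemp -d)
printf '%s\n' '[realms]' '    EXAMPLE.ORG = {' \
    '        kdc = tcp/192.0.2.10' '        kdc = tcp/192.0.2.11' '    }' \
    > "$tmp/handwritten.conf"
printf '%s\n' '[libdefaults]' '    default_realm = EXAMPLE.ORG' '[realms]' \
    '    EXAMPLE.ORG = {' '        kdc = 192.0.2.10' '    }' > "$tmp/generated.conf"
for f in "$tmp/handwritten.conf" "$tmp/generated.conf"; do
    echo "== $f"; kdc_transports "$f"
    all_kdcs_tcp "$f" && echo "all kdc entries use tcp/" || echo "kdc entries without tcp/"
done
```

On a real system the function would be pointed at /etc/krb5.conf and at the generated file under /var/db/samba/smb_krb5/ named in the debug output.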