Date: Wed, 09 Apr 2008 16:04:50 -0500
From: Stephanie Bridges <sbridges@iastate.edu>
To: freebsd-questions@freebsd.org
Subject: samba 3.0.28 on 7.0-RELEASE with base heimdal
Message-ID: <47FD2F72.1080801@iastate.edu>

Hello,

I've been trying to get samba installed and connecting to a Win2k03 AD using RFC2307 and having problems getting it to join the domain. I've got a 6.2 machine which is working with nearly the same configuration (I think the only differences are the idmap backends).

I installed from the port after enabling the ADS support (and EXP_MODULES as I want the idmap backends provided there). I installed the openldap23-sasl-client as that is what I installed on the 6.2 machine (somewhere I read that was needed for things to work correctly). I copied a working krb5.conf file from my 6.2 machine and verified that I could successfully do kinit (this works great, I get a ticket for myself).

However, when I try to do the net ads join command (after I kinit as the user who has permission to add the computer account to AD), I get prompted for my password, and then get the "Response too big for UDP, retry with TCP" error and am unable to join the domain. I *thought* that I didn't get prompted for my password with the 6.2 machine, but it has been since last summer that I set it up.

I see that net ads join creates its own krb5.conf file in /var/db/samba/smb_krb5/krb5.conf.IASTATE which doesn't have the tcp/ service flag preceding the IP addresses.

I ran the command with debug level at 10, and after a whole bunch of query stuff after it asked for my password, I got this:

------------
[2008/04/09 15:42:44, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2008/04/09 15:42:44, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = windc1$@IASTATE.EDU
[2008/04/09 15:42:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2008/04/09 15:42:44, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
  ads_sasl_spnego_krb5_bind failed with: No such file or directory, calling kinit
[2008/04/09 15:42:44, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/db/samba/smb_krb5/krb5.conf.IASTATE]
[2008/04/09 15:42:44, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password sbridges@IASTATE.EDU failed: Response too big for UDP, retry with TCP
[2008/04/09 15:42:44, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Response too big for UDP, retry with TCP
Failed to join domain: NT_STATUS_PROTOCOL_UNREACHABLE
[2008/04/09 15:42:44, 2] utils/net.c:main(1036)
  return code = -1
-------------------

Does any of this mean anything to anybody? I thought from reading the samba docs that it would automatically retry with TCP when it got this error.

I can't find a whole lot on the net -- what I did find, people weren't able to successfully kinit at the command prompt either, but that works for me.

--
Stephanie Bridges
Department of Economics
Iowa State University
sbridges@iastate.edu

"A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort." --Herm Albright
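The check described in the message (which krb5.conf did net actually use, and do its kdc lines carry the tcp/ prefix), as an added example that is not part of the original post. The sample log follows the shape of the quoted output; the krb5.conf layout, the 192.0.2.x addresses and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: two debug entries in the shape quoted in the message.
SAMPLE_LOG = """\
[2008/04/09 15:42:44, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/db/samba/smb_krb5/krb5.conf.IASTATE]
[2008/04/09 15:42:44, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password sbridges@IASTATE.EDU failed: Response too big for UDP, retry with TCP
"""

# Constructed sample of a generated krb5.conf; layout and addresses are assumptions.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = IASTATE.EDU
[realms]
    IASTATE.EDU = {
        kdc = 192.0.2.10
        kdc = tcp/192.0.2.11
    }
"""

def config_used(log):
    """Path of the krb5.conf that net reported using, or None."""
    m = re.search(r"as ccache and config \[([^\]]+)\]", log)
    return m.group(1) if m else None

def kinit_failures(log):  # (principal, reason) for each failed kinit
    return re.findall(r"kerberos_kinit_password (\S+) failed: (.+)", log)

def kdc_entries(conf):  # (realm, transport, host) per kdc line under [realms]
    out, section, realm = [], None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
        elif line == "}":
            realm = None
        elif realm and re.match(r"kdc\s*=", line):
            value = line.split("=", 1)[1].strip()
            m = re.match(r"(tcp|udp|http)/(.+)", value)
            out.append((realm, m.group(1), m.group(2)) if m else (realm, None, value))
    return out

def kdcs_without_tcp(conf):  # kdc entries that lack the tcp/ prefix
    return [(r, h) for r, t, h in kdc_entries(conf) if t != "tcp"]
```

To compare a working and a failing host, run `kdcs_without_tcp` on the file named by `config_used` rather than on /etc/krb5.conf, since the log shows net reading its own generated copy.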