Endian Bugtracker
View Issue Details

ID: 0002333
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2009-10-30 12:29
Last Update: 2010-11-22 13:06
Reporter: zael
Assigned To: simon-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.3
Target Version: 2.3.1
Fixed in Version: 2.3.1
Summary: 0002333: Can't AD join
Description:

Since Endian 2.3-rc1 I can't join my W2K domain (2.2 could join successfully) and apply NTLM authentication in Squid. All requirements needed in EFW 2.2 were tried with no luck in 2.3-rc1 and now in 2.3:

- Add PDC and BDC hostnames in Network -> Edit Hosts
- Add Domain name and PDC IP in Proxy -> DNS -> DNS Routing
- Add Domain name in Authentication Realm and PDC/BDC hostnames/IPs in Proxy -> HTTP -> Authentication

Then, after clicking in "Join Domain" button and inserting my domain admin user/pass, all I get is "Failed to join domain".

In /var/log/messages there's only a notification about restarting samba:

Oct 28 09:54:06 efw-1256721870 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/restartsamba.py --winbind-only

Running restartsamba.py manually returns:

# ./restartsamba.py --winbind-only
Traceback (most recent call last):
 File "./restartsamba.py", line 348, in ?
   restartWinbind()
 File "./restartsamba.py", line 273, in restartWinbind
   write_winbind_config(proxy_conf)
 File "./restartsamba.py", line 144, in write_winbind_config
   write_config(WINBIND_TPL,WINBIND_CONF,proxy_conf)
 File "./restartsamba.py", line 134, in write_config
   content = t.respond()
 File "_etc_samba_winbind_conf_tmpl.py", line 96, in respond
AttributeError: 'str' object has no attribute 'VFFSL'

And there aren't any smb/winbind related processes running.

Luca suggested reading this bug report (http://bugs.endian.it/view.php?id=2202) in efw-users mailing list, but krb5.conf.tmpl is already set correctly, and smb.conf.tmpl doesn't have any reference like the one in krb5.conf.tmpl. Instead, winbind.conf.tmpl has this line:

password server = $NTLM_PDC.$NTLM_DOMAIN #if $NTLM_BDC != '' then $NTLM_BDC.$NTLM_DOMAIN else ""#

Correcting it as suggested in bug report doesn't change a thing, as I keep getting "Failed to join domain" error.
Additional Information: Endian 2.3 is installed in a VirtualBox VM, using a SATA HD and Intel PRO/1000 T Server NICs.
Tags: No tags attached.
Attached Files:
- winbind.conf (585 bytes) 2009-11-03 21:49
- winbind.conf.tmpl (766 bytes) 2009-11-07 14:51

Relationships
duplicate of 0002204 (closed, simon-endian): joining a w2k domain fails
related to 0002202 (closed, simon-endian): ntlm auth does not work when using a BDC because of an error in krb5.conf.tmpl and smb.conf.tmpl

Notes
(0003191)
simon-endian (developer)
2009-10-30 12:42

At the moment there is a problem with joining w2k domains (see 0002204)

- with 2.3 it is not required anymore to create host and dns entries manually because they are autogenerated
- quick workaround for the moment is to use ldap with w2k domains
- for joining and winbind, /etc/samba/winbind.conf.tmpl is used.
- smb and nmbd are not required to run anymore and winbind will only start/run if the join was successful.

can you post the output of:

net ads join -U <ad admin user>
(0003192)
zael (reporter)
2009-10-30 12:49

simon, here's the output:

# net ads join -U a_idjjunior
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: WERR_INVALID_DOMAIN_ROLE
(0003194)
luca-endian (developer)
2009-10-30 14:21

> Correcting it as suggested in bug report doesn't change a thing, as I keep
> getting "Failed to join domain" error.

But you still get this error?
AttributeError: 'str' object has no attribute 'VFFSL'
(0003196)
zael (reporter)
2009-10-30 14:30

After removing BDC from HTTP Proxy config /usr/local/bin/restartsamba.py --winbindonly says Winbind services were started. No AttributeError is given.
(0003199)
nathan_peterson (reporter)
2009-10-30 22:09

Removed BDC from error log however winbind still crashed.
Still could not join domain. From command line ran:

net ads join -U{user} that failed.

Found that /etc/smb.conf is not getting created from template.
Copied smb.conf from previous version and ran net ads join again with success.

workgroup = <Workgroup Name>
password server = <Domain Server1> <Domain Server2>
security = ADS
realm = <Full Domain Name>
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = Yes
local master = no
winbind separator = +
unix charset = UTF8
hosts allow = localhost
interfaces = br0 br2
bind interfaces only = yes
preferred master = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
(0003227)
zael (reporter)
2009-11-03 18:32

Following nathan_peterson's suggestion, net ads join runs successfully:

# net ads join -U <admin_user>
Enter <admin_user>'s password:
Using short domain name -- <SHORT_DOMAIN>
Joined 'EFW-SEDE' to realm '<domain_name>'
(0003228)
simon-endian (developer)
2009-11-03 21:39

the gui uses the command net ads join -U <admin_user> -s /etc/samba/winbind.conf
winbind.conf is generated by restartsamba.py --winbindonly

can you please test if the generated winbind.conf is correct by running

net ads join -U <admin_user> -s /etc/samba/winbind.conf -d 5

and then post the output if it fails and maybe also the /etc/samba/winbind.conf to see the difference between winbind.conf and the posted smb.conf

winbind.conf is used because only winbind (not smb and nmbd) is required to run in order to be able to join, read user/groups from ad and to authenticate a user. smb.conf is not used, to keep the possibility to use it to create smb shares with samba.

regards simon
(0003229)
nathan_peterson (reporter)
2009-11-03 21:49

when running restartsamba.py i get the following:

root@thomas:~ # restartsamba.py --winbindonly
usage: restartsamba.py <options>

restartsamba.py: error: no such option: --winbindonly

That said the net ads join fails:

root@thomas:/etc/samba # net ads join -U npp -s /etc/samba/winbind.conf -d 5
[2009/11/03 14:45:21, 5] lib/debug.c:debug_dump_status(407) INFO: Current debug levels:
    all: True/5
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2009/11/03 14:45:21, 3] param/loadparm.c:lp_load_ex(8753) lp_load_ex: refreshing parameters
[2009/11/03 14:45:21, 3] param/loadparm.c:init_globals(4597) Initialising global parameters
[2009/11/03 14:45:21, 3] param/params.c:pm_process(569) params.c:pm_process() - Processing configuration file "/etc/samba/winbind.conf"
[2009/11/03 14:45:21, 3] param/loadparm.c:do_section(7416) Processing section "[global]"
  doing parameter security = ADS
  doing parameter password server = <Domain Controller>
  doing parameter realm = <Domain>
  doing parameter syslog only = Yes
Enter npp's password:
Failed to join domain: Invalid configuration and configuration modification was not requested
(0003231)
nathan_peterson (reporter)
2009-11-03 23:15

winbind does use the samba smb.conf configuration file. The net ads join command defaults to /etc/samba/smb.conf if the configuration file is not specified.

I reset my configuration with restartsamba.py, removed the smb.conf file from my workaround, and started working line by line through the winbind.conf file. It appears that the workgroup parameter is set incorrectly. In the configuration, workgroup is set to the short domain name (constco) instead of the full domain name (constco.com). Once this was updated, I was able to join my domain.
(0003234)
zael (reporter)
2009-11-04 11:26

simon, net ads join fails here too:

# net ads join -U <admin_user> -s winbind.conf -d 5
[2009/11/04 04:24:49, 5] lib/debug.c:debug_dump_status(407) INFO: Current debug levels:
    all: True/5
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2009/11/04 04:24:49, 3] param/loadparm.c:lp_load_ex(8753) lp_load_ex: refreshing parameters
[2009/11/04 04:24:49, 3] param/loadparm.c:init_globals(4597) Initialising global parameters
[2009/11/04 04:24:49, 3] param/params.c:pm_process(569) params.c:pm_process() - Processing configuration file "winbind.conf"
[2009/11/04 04:24:49, 3] param/loadparm.c:do_section(7416) Processing section "[global]"
  doing parameter security = ADS
  doing parameter password server = <dc_hostname>
  doing parameter realm = <FULL_DOMAIN_NAME>
  doing parameter syslog only = Yes
Enter <admin_user>'s password:
Failed to join domain: Invalid configuration and configuration modification was not requested
(0003264)
bodo olschewski (reporter)
2009-11-07 14:47
edited on: 2009-11-07 14:52

Hello,

the problem can be fixed by editing the /etc/samba/winbind.conf.tmpl file.

The line "workgroup = ${AUTH_REALM.split(".")[0].upper()}" has to be changed.

For me it was ok to change it to
"workgroup = ${NTLM_DOMAIN.upper()}"

(changed file is uploaded ...)

(0003278)
nathan_peterson (reporter)
2009-11-09 23:02

Just noticed that if smb.conf is missing, the Authentication groups under access policy -> Authentication -> Group Based does not populate. When you return the smb.conf as a copy of winbind.conf it will populate.
(0003303)
zael (reporter)
2009-11-16 11:19

Following bodo olschewski's suggestion didn't work for me. I got this error on Endian web interface:

Failed to join domain: Invalid configuration and configuration modification was not requested
(0003323)
zael (reporter)
2009-11-19 19:46

Any suggestion, guys?
(0003529)
GianniCorona (reporter)
2009-12-09 11:40

Hi
I modified winbind.conf.tmpl
      # password server = $NTLM_PDC.$NTLM_DOMAIN #if $NTLM_BDC != '' then $NTLM_BDC.$NTLM_DOMAIN else ""#
      password server = $NTLM_PDC.${AUTH_REALM.upper()}

I then redid the authentication process and joined the domain.

The Group Based list is populated correctly now.
(0003682)
luca-endian (developer)
2010-01-21 15:14

As soon as I removed the BDC configuration this error disappeared..
(0003683)
luca-endian (developer)
2010-01-21 16:32

This is the fix for this issue.
Basically the one-line if on the third line doesn't work. I know it's a bit ugly but it works.

root@kenny:/etc/samba # cat winbind.conf.tmpl
[global]
security = ADS
password server = $NTLM_PDC.$NTLM_DOMAIN #slurp
#if $NTLM_BDC != ''
$NTLM_BDC.$NTLM_DOMAIN
#else

#end if
realm = $AUTH_REALM.upper()
# handle logging
syslog only = Yes
log level = 0 winbind:2
syslog = 1
max log size = 1000
(0003707)
luca-endian (developer)
2010-01-27 10:43

Ok the fix is the one already applied to the files krb5.conf.tmpl and smb.conf.tmpl. Also the file winbind.conf.tmpl must be patched.
This is the bug report: http://bugs.endian.it/view.php?id=2202

Forget the fix above; it's unclean compared to the following.
You have to replace the third line with this:

password server = ${NTLM_PDC}.${NTLM_DOMAIN} #if $NTLM_BDC != '' then "%s.%s" % ($NTLM_BDC, $NTLM_DOMAIN) else ""#
(0003731)
zael (reporter)
2010-02-01 19:09

Alright, lucagiove, let's go. These are the steps I've done:

1. Installed Endian 2.3, configured everything except HTTP Proxy;
2. Changed "password server" line on winbind.conf.tmpl as suggested. krb5.conf.tmpl didn't need any changes (was already as suggested on the other bug report). smb.conf.tmpl didn't need changes;
3. Tried to join AD through web interface, but didn't work;
4. Run 'net ads join -U<username> -s /etc/samba/winbind.conf' and it worked;
5. Removed computer account in AD;
6. Tried to join AD through web interface, and it worked.

Don't know what went wrong, but it finally worked. Groups and Users are populated.
(0003732)
luca-endian (developer)
2010-02-01 19:17

You always have to avoid the common pitfalls:
http://kb.endian.com/entry/49/
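
Added example, not part of the original thread and not Endian's code: a small Python check for a rendered winbind.conf before it is handed to net ads join -s, covering the two failure modes discussed in the notes above (template directive text left inside password server, and a missing or unexpected workgroup). The expected parameter list is taken from the smb.conf in note 0003199; the function names, the sample files and the example.local names are constructed for illustration.

```python
import re

# Parameters present in the smb.conf that joined successfully in note 0003199
# (assumption: treated here as the minimum a rendered winbind.conf should carry).
EXPECTED = ("workgroup", "security", "realm", "password server")
# Unexpanded Cheetah placeholders ($NAME, ${...}) or directives left inside a value.
RESIDUE = re.compile(r"\$\{?[A-Za-z_]|#\s*(?:if|else|end|slurp)\b")

def parse_global(text):
    """Return {parameter: value} for [global]. Samba only ignores lines that
    *start* with '#' or ';', so a trailing '#if ...' stays part of the value."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_winbind_conf(text, expected_workgroup=None):
    """List problems that would make the file unsuitable for 'net ads join -s'."""
    params = parse_global(text)
    findings = ["missing parameter: " + k for k in EXPECTED if not params.get(k)]
    findings += ["unrendered template text in: " + k
                 for k, v in params.items() if RESIDUE.search(v)]
    if params.get("security", "ADS").upper() != "ADS":
        findings.append("security is not ADS")
    wg = params.get("workgroup")
    if expected_workgroup and wg and wg.upper() != expected_workgroup.upper():
        findings.append("workgroup is %s, expected %s" % (wg, expected_workgroup))
    return findings

# Constructed samples (placeholder names, not taken from the attached files).
BROKEN = """[global]
security = ADS
password server = dc1.example.local #if $NTLM_BDC != '' then $NTLM_BDC.$NTLM_DOMAIN else ""#
realm = EXAMPLE.LOCAL
syslog only = Yes
"""
RENDERED = """[global]
workgroup = EXAMPLE
security = ADS
password server = dc1.example.local dc2.example.local
realm = EXAMPLE.LOCAL
"""

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("RENDERED", RENDERED)):
        print(name, lint_winbind_conf(conf) or "ok")
```

The notes disagree on which name workgroup should carry, so the check takes the expected value as a parameter instead of deriving it from the realm.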

Issue History
Date Modified Username Field Change
2009-10-30 12:29 zael New Issue
2009-10-30 12:33 simon-endian Relationship added duplicate of 0002204
2009-10-30 12:42 simon-endian Note Added: 0003191
2009-10-30 12:49 zael Note Added: 0003192
2009-10-30 14:19 luca-endian Note Added: 0003193
2009-10-30 14:20 luca-endian Note Deleted: 0003193
2009-10-30 14:21 luca-endian Note Added: 0003194
2009-10-30 14:30 zael Note Added: 0003196
2009-10-30 22:09 nathan_peterson Note Added: 0003199
2009-11-03 18:32 zael Note Added: 0003227
2009-11-03 21:39 simon-endian Note Added: 0003228
2009-11-03 21:49 nathan_peterson Note Added: 0003229
2009-11-03 21:49 nathan_peterson File Added: winbind.conf
2009-11-03 23:15 nathan_peterson Note Added: 0003231
2009-11-04 11:26 zael Note Added: 0003234
2009-11-07 14:47 bodo olschewski Note Added: 0003264
2009-11-07 14:51 bodo olschewski File Added: winbind.conf.tmpl
2009-11-07 14:52 bodo olschewski Note Edited: 0003264
2009-11-09 23:02 nathan_peterson Note Added: 0003278
2009-11-16 11:19 zael Note Added: 0003303
2009-11-19 19:46 zael Note Added: 0003323
2009-11-25 11:13 christian-endian Assigned To => simon-endian
2009-11-25 11:13 christian-endian Status new => acknowledged
2009-11-25 18:36 peter-endian Target Version => 2.3.1
2009-12-09 11:40 GianniCorona Note Added: 0003529
2009-12-10 00:48 simon-endian Status acknowledged => resolved
2009-12-10 00:48 simon-endian Fixed in Version => 2.3.1
2009-12-10 00:48 simon-endian Resolution open => unable to reproduce
2010-01-21 15:14 luca-endian Note Added: 0003682
2010-01-21 15:14 luca-endian Status resolved => confirmed
2010-01-21 16:32 luca-endian Note Added: 0003683
2010-01-27 10:43 luca-endian Note Added: 0003707
2010-01-27 10:44 luca-endian Relationship added parent of 0002202
2010-01-27 11:05 luca-endian Relationship replaced child of 0002202
2010-01-27 17:54 luca-endian Relationship deleted child of 0002202
2010-01-28 12:27 Anonymous Note Added: 0003712
2010-01-28 12:27 Anonymous Status confirmed => feedback
2010-01-28 12:28 Anonymous Note Edited: 0003712
2010-01-28 13:06 Anonymous Note Deleted: 0003712
2010-01-28 17:14 zael Note Added: 0003714
2010-01-29 11:37 luca-endian Relationship added related to 0002202
2010-02-01 19:02 zael Note Deleted: 0003714
2010-02-01 19:09 zael Note Added: 0003731
2010-02-01 19:17 luca-endian Note Added: 0003732
2010-02-01 19:18 luca-endian Status feedback => resolved
2010-02-01 19:18 luca-endian Resolution unable to reproduce => fixed
2010-11-22 13:06 peter-endian Status resolved => closed
