samba 3.0.28 on 7.0-RELEASE with base heimdal

Stephanie Bridges sbridges at iastate.edu
Wed Apr 9 21:23:58 UTC 2008


Hello,

I've been trying to get samba installed and connecting to a Win2k03 AD 
using RFC2307 and having problems getting it to join the domain.  I've 
got a 6.2 machine which is working with nearly the same configuration (I 
think the only differences are the idmap backends).

I installed from the port after enabling the ADS support (and 
EXP_MODULES as I want the idmap backends provided there).  I installed 
the openldap23-sasl-client as that is what I installed on the 6.2 
machine (somewhere I read that was needed for things to work correctly).

I copied a working krb5.conf file from my 6.2 machine and verified that 
I could successfully do kinit (this works great, I get a ticket for myself).

However, when I try to do the net ads join command (after I kinit as the 
user who has permission to add the computer account to AD), I get 
prompted for my password, and then get the "Response too big for UDP, 
retry with TCP" error and am unable to join the domain.  I *thought* 
that I didn't get prompted for my password with the 6.2 machine, but it 
has been since last summer that I set it up.

I see that net ads join creates its own krb5.conf file in 
/var/db/samba/smb_krb5/krb5.conf.IASTATE which doesn't have the tcp/ 
service flag preceding the IP addresses.

I ran the command with debug level at 10, and after a whole bunch of 
query stuff after it asked for my password, I got this:

------------
[2008/04/09 15:42:44, 4] libads/ldap.c:ads_current_time(2414)
   time offset is 0 seconds
[2008/04/09 15:42:44, 4] libads/sasl.c:ads_sasl_bind(521)
   Found SASL mechanism GSS-SPNEGO
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
   ads_sasl_spnego_bind: got server principal name = windc1$@IASTATE.EDU
[2008/04/09 15:42:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2008/04/09 15:42:44, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
   ads_sasl_spnego_krb5_bind failed with: No such file or directory, 
calling kinit
[2008/04/09 15:42:44, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
   kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config 
[/var/db/samba/smb_krb5/krb5.conf.IASTATE]
[2008/04/09 15:42:44, 0] libads/kerberos.c:ads_kinit_password(228)
   kerberos_kinit_password sbridges at IASTATE.EDU failed: Response too big 
for UDP, retry with TCP
[2008/04/09 15:42:44, 1] utils/net_ads.c:net_ads_join(1470)
   error on ads_startup: Response too big for UDP, retry with TCP
Failed to join domain: NT_STATUS_PROTOCOL_UNREACHABLE
[2008/04/09 15:42:44, 2] utils/net.c:main(1036)
   return code = -1
-------------------

Does any of this mean anything to anybody?  I thought from reading the 
samba docs that it would automatically retry with TCP when it got this 
error.  I can't find a whole lot on the net -- what I did find, people 
weren't able to successfully kinit at the command prompt either, but 
that works for me.

-- 
Stephanie Bridges
Department of Economics
Iowa State University
sbridges at iastate.edu

"A positive attitude may not solve all your problems, but it will
annoy enough people to make it worth the effort." --Herm Albright
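As an added check (my own example, not code from this post or from Samba), a small Python script that parses a Heimdal-style krb5.conf such as the one net ads join writes under /var/db/samba/smb_krb5/ and reports kdc entries with no tcp/ service prefix, plus a rewrite that forces tcp/ so the result can be compared. It assumes Heimdal's documented kdc = [service/]host[:port] syntax; the sample config is constructed, with placeholder realm names and RFC 5737 documentation addresses.

```python
import re

# Constructed sample of a Heimdal-style krb5.conf: placeholder realm names and
# RFC 5737 documentation addresses, not the poster's real values.
SAMPLE_KRB5_CONF = """\
[realms]
        EXAMPLE.EDU = {
                kdc = 192.0.2.10         # bare host: Heimdal tries UDP first
                kdc = tcp/192.0.2.11     # explicit tcp/ service prefix
                admin_server = 192.0.2.10
        }
        OTHER.EXAMPLE = {
                kdc = tcp/kdc1.other.example:88
        }
"""

def parse_realm_kdcs(text):
    """Return {realm: [kdc entries]} from the [realms] section; handles the
    brace-delimited realm blocks of Heimdal/MIT and skips comments (# or ;)."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, current = line[1:-1].lower(), None
        elif section != 'realms':
            continue
        elif re.match(r'^\S+\s*=\s*\{$', line):      # REALM = {
            current = line.split('=', 1)[0].strip()
            realms.setdefault(current, [])
        elif line == '}':
            current = None
        elif current is not None:
            key, _, value = line.partition('=')
            if key.strip().lower() == 'kdc':
                realms[current].append(value.strip())
    return realms

def udp_only_kdcs(text):
    """Return {realm: [kdc]} for entries lacking a tcp/ prefix: the ones that
    hit 'Response too big for UDP, retry with TCP' on an oversized AS-REP."""
    flagged = {r: [k for k in kdcs if not k.lower().startswith('tcp/')]
               for r, kdcs in parse_realm_kdcs(text).items()}
    return {r: bad for r, bad in flagged.items() if bad}

# Rewrite bare and udp/ entries to tcp/; existing tcp/ or http/ entries are left alone.
KDC_LINE = re.compile(r'^(\s*kdc\s*=\s*)(?:udp/)?(?!(?:tcp|http)/)(\S.*)$', re.I | re.M)

def force_tcp(text):
    return KDC_LINE.sub(r'\1tcp/\2', text)
```

The rewrite is meant for a hand-maintained /etc/krb5.conf; the post does not establish whether the copy net ads join generates can be overridden, so treat the flagged entries in that file as a diagnosis rather than something to patch in place.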