# samba34 vs Win 2008R2 AD



## alecv (Dec 29, 2010)

Hi!

Did anyone succeed with samba34 and Windows Server 2008R2?

I'm trying to connect to the 2008R2 domain using ADS on samba34. It worked before our Windows admins updated the Windows server to 2008R2 a month ago. As far as I understand, R2 introduced new AD features, and they also deployed a dedicated Windows CA (PKI).

As a result, *wbinfo -g* and *-u* do not work anymore and winbind can't connect to the AD/LDAP.

I've installed the CA certificate; Kerberos and LDAP/SASL SPNEGO work on my system with the 2008R2 DC. *ldapsearch -ZZ* works too. The only problem is an 'ldap' timeout _inside_ my winbindd.


```
7.3-STABLE FreeBSD 7.3-STABLE #0: Fri Jul 16 09:50:27 MSD 2010    GENERIC  amd64
standard system Kerberos (not from ports)
cyrus-sasl-2.1.23_1
openldap-sasl-client-2.4.23
samba34-3.4.9
```

I have to use *client ldap sasl wrapping = sign* since 2008R2 requires strong authentication.


```
[2010/12/29 18:04:54,  4] libsmb/namequery_dc.c:143(ads_dc_name)
  ads_dc_name: using server='DOCON.OFFICE' IP=192.168.0.120
[2010/12/29 18:04:54,  5] libads/ldap.c:203(ads_try_connect)
  ads_try_connect: sending CLDAP request to DOCON.OFFICE (realm: office)
[2010/12/29 18:04:54,  3] libads/ldap.c:621(ads_connect)
  Successfully contacted LDAP server 192.168.0.120
[2010/12/29 18:04:54,  3] libads/ldap.c:675(ads_connect)
  Connected to LDAP server DOCON.office
[2010/12/29 18:04:54,  4] libads/ldap.c:2851(ads_current_time)
  time offset is 0 seconds
[2010/12/29 18:04:54,  4] libads/sasl.c:1112(ads_sasl_bind)
  Found SASL mechanism GSS-SPNEGO
[2010/12/29 18:04:54,  3] libads/sasl.c:780(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2010/12/29 18:04:54,  3] libads/sasl.c:780(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2010/12/29 18:04:54,  3] libads/sasl.c:780(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2010/12/29 18:04:54,  3] libads/sasl.c:780(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2010/12/29 18:04:54,  3] libads/sasl.c:780(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2010/12/29 18:04:54,  3] libads/sasl.c:789(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
[2010/12/29 18:04:54,  3] libads/ldap.c:995(ads_do_paged_search_args)
  ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> Time limit exceeded
[2010/12/29 18:04:54,  1] libads/ldap_utils.c:111(ads_do_search_retry_internal)
  ads reopen failed after error Time limit exceeded
```

Tried *ldap timeout = 20000*, no changes.

Any suggestions?


----------



## SirDice (Dec 29, 2010)

You're probably running into this issue: http://support.microsoft.com/kb/942564
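Added example, not part of either post: a small POSIX shell check that reads the `[global]` section of an smb.conf and reports whether it carries the settings this thread turns on (`security = ads`, a `realm`, and `client ldap sasl wrapping` set to `sign` or `seal` rather than the default `plain`), since a DC that requires LDAP signing (the KB 942564 behaviour above) will not accept unsigned SASL binds, and the `ldap timeout` value only delays the same failure. The two config files it writes are constructed samples; the paths, the realm `OFFICE` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check an smb.conf for the LDAP settings a
# 2008R2 DC that enforces LDAP signing expects. Sample files below are constructed.

# Print the value of a [global] parameter from an smb.conf-style file.
# Usage: smb_param FILE PARAMETER   (parameter matching is case-insensitive)
smb_param() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                       # skip comment lines
        /^[[:space:]]*\[/ { s = tolower($0); gsub(/[^a-z0-9_-]/, "", s); next }
        s == "global" && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/[[:space:]]+/, " ", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Return 0 when FILE has what a signing-enforcing DC needs, 1 otherwise.
# Prints one line per finding so the output can be read like a lint report.
check_ads_conf() {
    rc=0
    sec=$(smb_param "$1" "security" | tr 'A-Z' 'a-z')
    realm=$(smb_param "$1" "realm")
    wrap=$(smb_param "$1" "client ldap sasl wrapping" | tr 'A-Z' 'a-z')
    tmo=$(smb_param "$1" "ldap timeout")
    [ "$sec" = "ads" ] || { echo "security must be 'ads' (got '${sec:-unset}')"; rc=1; }
    [ -n "$realm" ] || { echo "realm is not set"; rc=1; }
    case "$wrap" in
        sign|seal) ;;
        *) echo "client ldap sasl wrapping is '${wrap:-plain}' (Samba default): a DC that" \
                "requires LDAP signing (KB 942564) will not accept an unsigned bind"; rc=1 ;;
    esac
    if [ -n "$tmo" ]; then
        echo "note: ldap timeout = $tmo only changes how long an unsigned bind waits"
    fi
    return $rc
}

# Constructed sample configs: the weak one binds unsigned, the fixed one signs.
WORK=$(mktemp -d)
cat > "$WORK/weak.conf" <<'EOF'
[global]
   workgroup = OFFICE
   realm = OFFICE
   security = ads
   # unsigned LDAP: a signing-enforcing DC does not accept this bind
   client ldap sasl wrapping = plain
EOF
cat > "$WORK/fixed.conf" <<'EOF'
[global]
   workgroup = OFFICE
   realm = OFFICE
   security = ads
   client ldap sasl wrapping = sign
   ldap timeout = 20000
EOF

for f in weak fixed; do
    echo "== $f.conf"
    if check_ads_conf "$WORK/$f.conf"; then echo "OK"; else echo "needs changes"; fi
done
```

Run it as-is to see the weak file flagged and the fixed file pass; point `check_ads_conf` at a real `/usr/local/etc/smb.conf` to lint an actual FreeBSD install. The parser only looks at `[global]`, which is where all of the options discussed here live.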


----------

