Hello,
I recently updated to TrueNAS-13.0-U6.1 from 11.3-U5 (I know, long time, big upgrade) a few weeks ago. All seemed well. Then today, for the first time, I tried copying some files from my Windows box to an SMB share, and I am getting a permissions error no matter where I try to copy the file to or from. I can browse, read, and even delete files just fine, but I cannot write anything. From previous forum posts (Unable to connect to domain after upgrade from 11.2.7 to 11.3 | TrueNAS Community) it looks like my AD connection may be the issue, but I cannot seem to figure out what is wrong. I have posted the output of my domain status queries (domain obfuscated with DOMAIN). Does anyone have any ideas what I can do to be able to write files from my Windows clients again? Thanks.
Samba4 Log output
[2024/04/03 14:40:00.091629, 2] …/…/source3/lib/interface.c:346(add_interface)
added interface em1 ip=192.168.200.153 bcast=192.168.200.255 netmask=255.255.255.0
[2024/04/03 14:40:00.091649, 2] …/…/source3/lib/interface.c:346(add_interface)
added interface vmx0 ip=192.168.200.160 bcast=192.168.200.255 netmask=255.255.255.0
[2024/04/03 14:40:00.091657, 2] …/…/source3/lib/interface.c:346(add_interface)
added interface em0 ip=192.168.200.170 bcast=192.168.200.255 netmask=255.255.255.0
[2024/04/03 14:40:00.093559, 1] …/…/source3/librpc/crypto/gse_krb5.c:418(fill_mem_keytab_from_system_keytab)
…/…/source3/librpc/crypto/gse_krb5.c:417: krb5_kt_start_seq_get failed (No such file or directory)
[2024/04/03 14:40:00.094222, 1] …/…/source3/librpc/crypto/gse_krb5.c:418(fill_mem_keytab_from_system_keytab)
…/…/source3/librpc/crypto/gse_krb5.c:417: krb5_kt_start_seq_get failed (No such file or directory)
[2024/04/03 14:40:00.095588, 1] …/…/source3/librpc/crypto/gse_krb5.c:418(fill_mem_keytab_from_system_keytab)
…/…/source3/librpc/crypto/gse_krb5.c:417: krb5_kt_start_seq_get failed (No such file or directory)
[2024/04/03 14:40:00.101189, 2] …/…/source3/param/loadparm.c:2889(lp_do_section)
Processing section “[nas]”
[2024/04/03 14:40:00.102299, 2] …/…/source3/smbd/service.c:958(make_connection_snum)
192.168.200.175 (ipv4:192.168.200.175:63067) connect to service nas initially as user DOMAINNET\lidarr (uid=21653, gid=21648) (pid 2725)
[2024/04/03 14:40:11.164071, 2] …/…/source3/smbd/service.c:1239(close_cnum)
192.168.200.175 (ipv4:192.168.200.175:63067) closed connection to service nas
[2024/04/03 14:50:54.434366, 2] …/…/source3/lib/tallocmsg.c:84(register_msg_pool_usage)
Registered MSG_REQ_POOL_USAGE
[2024/04/03 14:50:54.438539, 2] …/…/source3/smbd/server.c:816(remove_child_pid)
Could not find child 2882 – ignoring
[2024/04/03 15:00:30.621979, 2] …/…/source3/smbd/open.c:1686(open_file)
DOMAINNET\USER opened file Unsorted/1.png read=Yes write=Yes (numopen=6)
[2024/04/03 15:00:30.628610, 2] …/…/source3/smbd/open.c:1686(open_file)
DOMAINNET\USER opened file Unsorted/1.png read=No write=No (numopen=7)
[2024/04/03 15:00:30.639846, 2] …/…/source3/smbd/open.c:1686(open_file)
DOMAINNET\USER opened file Unsorted/1.png:Zone.Identifier read=Yes write=Yes (numopen=8)
[2024/04/03 15:00:30.642257, 1] …/…/source3/smbd/trans2.c:6633(smb_set_file_dosmode)
smb_set_file_dosmode: file_set_dosmode of Unsorted/1.png failed: Operation not permitted
[2024/04/03 15:00:30.643544, 2] …/…/source3/smbd/close.c:837(close_normal_file)
DOMAINNET\USER closed file Unsorted/1.png:Zone.Identifier (numopen=6) NT_STATUS_OK
[2024/04/03 15:00:30.643579, 2] …/…/source3/smbd/close.c:837(close_normal_file)
DOMAINNET\USER closed file Unsorted/1.png (numopen=5) NT_STATUS_OK
[2024/04/03 15:00:30.644869, 2] …/…/source3/smbd/close.c:837(close_normal_file)
DOMAINNET\USER closed file Unsorted/1.png (numopen=4) NT_STATUS_OK
[2024/04/03 15:00:36.749294, 2] …/…/source3/smbd/open.c:1686(open_file)
DOMAINNET\USER opened file Unsorted/1.png read=Yes write=Yes (numopen=6)
[2024/04/03 15:00:36.758247, 2] …/…/source3/smbd/open.c:1686(open_file)
DOMAINNET\USER opened file Unsorted/1.png read=No write=No (numopen=7)
[2024/04/03 15:00:36.758447, 2] …/…/source3/smbd/open.c:1686(open_file)
DOMAINNET\USER opened file Unsorted/1.png:Zone.Identifier read=Yes write=Yes (numopen=8)
[2024/04/03 15:00:36.765999, 1] …/…/source3/smbd/trans2.c:6633(smb_set_file_dosmode)
smb_set_file_dosmode: file_set_dosmode of Unsorted/1.png failed: Operation not permitted
[2024/04/03 15:00:36.767257, 2] …/…/source3/smbd/close.c:837(close_normal_file)
DOMAINNET\USER closed file Unsorted/1.png:Zone.Identifier (numopen=6) NT_STATUS_OK
[2024/04/03 15:00:36.767296, 2] …/…/source3/smbd/close.c:837(close_normal_file)
DOMAINNET\USER closed file Unsorted/1.png (numopen=5) NT_STATUS_OK
[2024/04/03 15:00:36.768817, 2] …/…/source3/smbd/close.c:837(close_normal_file)
DOMAINNET\USER closed file Unsorted/1.png (numopen=4) NT_STATUS_OK
AD status Log Output
root@nas:~ # net -k -d 5 ads status
WARNING: The option -k|--kerberos is deprecated!
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
Processing section “[global]”
doing parameter dns proxy = No
doing parameter aio max threads = 2
doing parameter max log size = 5120
doing parameter load printers = No
doing parameter printing = bsd
doing parameter disable spoolss = Yes
doing parameter dos filemode = Yes
doing parameter kernel change notify = No
doing parameter directory name cache size = 0
doing parameter server multi channel support = No
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter unix charset = UTF-8
doing parameter log level = 2 auth_json_audit:3@/var/log/samba4/auth_audit.log
doing parameter obey pam restrictions = False
doing parameter rpc_daemon:mdssd = disabled
doing parameter rpc_server:mdssvc = disabled
doing parameter enable web service discovery = True
doing parameter logging = file
doing parameter server min protocol = SMB2_02
doing parameter unix extensions = No
doing parameter restrict anonymous = 2
doing parameter server string = Andrew’s Storage Server
doing parameter bind interfaces only = Yes
doing parameter netbios name = nas
doing parameter netbios aliases =
doing parameter server role = member server
doing parameter kerberos method = secrets and keytab
doing parameter workgroup = DOMAINNET
doing parameter realm = DOMAIN.NET
doing parameter security = ADS
doing parameter local master = No
doing parameter domain master = No
doing parameter preferred master = No
doing parameter winbind cache time = 7200
doing parameter winbind max domain connections = 10
doing parameter client ldap sasl wrapping = seal
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter ads dns update = Yes
doing parameter allow trusted domains = Yes
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter winbind use default domain = Yes
doing parameter idmap config DOMAINNET: backend = rid
doing parameter idmap config DOMAINNET: range = 20000-90000000
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter ea support = no
doing parameter store dos attributes = no
doing parameter map archive = no
doing parameter map hidden = no
doing parameter map readonly = no
doing parameter map system = no
doing parameter registry shares = yes
doing parameter include = registry
doing parameter registry shares = yes
process_registry_service: service name global
pm_process() returned Yes
added interface em1 ip=192.168.200.153 bcast=192.168.200.255 netmask=255.255.255.0
added interface vmx0 ip=192.168.200.160 bcast=192.168.200.255 netmask=255.255.255.0
added interface em0 ip=192.168.200.170 bcast=192.168.200.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Registering messaging pointer for type 51 - private_data=0x0
added interface em1 ip=192.168.200.153 bcast=192.168.200.255 netmask=255.255.255.0
added interface vmx0 ip=192.168.200.160 bcast=192.168.200.255 netmask=255.255.255.0
added interface em0 ip=192.168.200.170 bcast=192.168.200.255 netmask=255.255.255.0
Opening cache file at /var/run/samba4/gencache.tdb
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
ads_dc_name: domain=DOMAINNET
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
get_sorted_dc_list: attempting lookup for name DOMAIN.NET (sitename Default-First-Site-Name)
saf_fetch: Returning “DOMAINserver.DOMAIN.net” for “DOMAIN.NET” domain
get_dc_list: preferred server list: “DOMAINserver.DOMAIN.net, *”
namecache_fetch: name DOMAIN.NET#1C found.
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
namecache_fetch: name DOMAINserver.DOMAIN.net#20 found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.200.250 192.168.200.252
ads_try_connect: sending CLDAP request to 192.168.200.250 (realm: DOMAIN.NET)
Successfully contacted LDAP server 192.168.200.250
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
saf_fetch: Returning “DOMAINserver.DOMAIN.net” for “DOMAIN.NET” domain
get_dc_list: preferred server list: “DOMAINserver.DOMAIN.net, *”
resolve_ads: Attempting to resolve KDCs for DOMAIN.NET using DNS
dns_rr_srv_fill_done: async DNS AAAA lookup for DOMAINserver.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS AAAA lookup for DOMAINserver.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for DOMAINserver.DOMAIN.net [0] got DOMAINserver.DOMAIN.net → 192.168.200.250
dns_rr_srv_fill_done: async DNS A lookup for DOMAINserver.DOMAIN.net [0] got DOMAINserver.DOMAIN.net → 192.168.200.250
dns_rr_srv_fill_done: async DNS AAAA lookup for wvm2016-01.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for wvm2016-01.DOMAIN.net [0] got wvm2016-01.DOMAIN.net → 192.168.200.252
dns_rr_srv_fill_done: async DNS A lookup for WVM2016-01.DOMAIN.net [0] got wvm2016-01.DOMAIN.net → 192.168.200.252
dns_rr_srv_fill_done: async DNS AAAA lookup for WVM2016-01.DOMAIN.net returned 0 addresses.
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
namecache_fetch: name DOMAINserver.DOMAIN.net#20 found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.200.250 192.168.200.252
saf_fetch: Returning “DOMAINserver.DOMAIN.net” for “DOMAIN.NET” domain
get_dc_list: preferred server list: “DOMAINserver.DOMAIN.net, *”
resolve_ads: Attempting to resolve KDCs for DOMAIN.NET using DNS
dns_rr_srv_fill_done: async DNS A lookup for wvm2016-01.DOMAIN.net [0] got wvm2016-01.DOMAIN.net → 192.168.200.252
dns_rr_srv_fill_done: async DNS AAAA lookup for wvm2016-01.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for WVM2016-01.DOMAIN.net [0] got WVM2016-01.DOMAIN.net → 192.168.200.252
dns_rr_srv_fill_done: async DNS AAAA lookup for WVM2016-01.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for DOMAINserver.DOMAIN.net [0] got DOMAINserver.DOMAIN.net → 192.168.200.250
dns_rr_srv_fill_done: async DNS AAAA lookup for DOMAINserver.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for DOMAINserver.DOMAIN.net [0] got DOMAINserver.DOMAIN.net → 192.168.200.250
dns_rr_srv_fill_done: async DNS AAAA lookup for DOMAINserver.DOMAIN.net returned 0 addresses.
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
namecache_fetch: name DOMAINserver.DOMAIN.net#20 found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.200.250 192.168.200.252
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf.DOMAINNET with realm DOMAIN.NET KDC list:
kdc = 192.168.200.250
kdc = 192.168.200.252
ads_dc_name: using server=‘DOMAINSERVER.DOMAIN.NET’ IP=192.168.200.250
ads_try_connect: sending CLDAP request to 192.168.200.250 (realm: DOMAIN.NET)
Successfully contacted LDAP server 192.168.200.250
Connecting to 192.168.200.250 at port 389
Connected to LDAP server DOMAINserver.DOMAIN.net
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend ‘gssapi_spnego’ registered
GENSEC backend ‘gssapi_krb5’ registered
GENSEC backend ‘gssapi_krb5_sasl’ registered
GENSEC backend ‘spnego’ registered
GENSEC backend ‘schannel’ registered
GENSEC backend ‘naclrpc_as_system’ registered
GENSEC backend ‘sasl-EXTERNAL’ registered
GENSEC backend ‘ntlmssp’ registered
GENSEC backend ‘ntlmssp_resume_ccache’ registered
GENSEC backend ‘http_basic’ registered
GENSEC backend ‘http_ntlm’ registered
GENSEC backend ‘http_negotiate’ registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
gensec_update_done: spnego[0x8108cb960]: NT_STATUS_INVALID_PARAMETER
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/DOMAINserver.DOMAIN.net with user[root] realm=[DOMAIN.NET]: Cannot read password
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
ads_dc_name: domain=DOMAINNET
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
get_sorted_dc_list: attempting lookup for name DOMAIN.NET (sitename Default-First-Site-Name)
saf_fetch: Returning “DOMAINserver.DOMAIN.net” for “DOMAIN.NET” domain
get_dc_list: preferred server list: “DOMAINserver.DOMAIN.net, *”
namecache_fetch: name DOMAIN.NET#1C found.
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
namecache_fetch: name DOMAINserver.DOMAIN.net#20 found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.200.250 192.168.200.252
ads_try_connect: sending CLDAP request to 192.168.200.250 (realm: DOMAIN.NET)
Successfully contacted LDAP server 192.168.200.250
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
saf_fetch: Returning “DOMAINserver.DOMAIN.net” for “DOMAIN.NET” domain
get_dc_list: preferred server list: “DOMAINserver.DOMAIN.net, *”
resolve_ads: Attempting to resolve KDCs for DOMAIN.NET using DNS
dns_rr_srv_fill_done: async DNS A lookup for WVM2016-01.DOMAIN.net [0] got WVM2016-01.DOMAIN.net → 192.168.200.252
dns_rr_srv_fill_done: async DNS AAAA lookup for WVM2016-01.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for DOMAINserver.DOMAIN.net [0] got DOMAINserver.DOMAIN.net → 192.168.200.250
dns_rr_srv_fill_done: async DNS AAAA lookup for DOMAINserver.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for DOMAINserver.DOMAIN.net [0] got DOMAINserver.DOMAIN.net → 192.168.200.250
dns_rr_srv_fill_done: async DNS AAAA lookup for DOMAINserver.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for wvm2016-01.DOMAIN.net [0] got wvm2016-01.DOMAIN.net → 192.168.200.252
dns_rr_srv_fill_done: async DNS AAAA lookup for wvm2016-01.DOMAIN.net returned 0 addresses.
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
namecache_fetch: name DOMAINserver.DOMAIN.net#20 found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.200.250 192.168.200.252
saf_fetch: Returning “DOMAINserver.DOMAIN.net” for “DOMAIN.NET” domain
get_dc_list: preferred server list: “DOMAINserver.DOMAIN.net, *”
resolve_ads: Attempting to resolve KDCs for DOMAIN.NET using DNS
dns_rr_srv_fill_done: async DNS A lookup for DOMAINserver.DOMAIN.net [0] got DOMAINserver.DOMAIN.net → 192.168.200.250
dns_rr_srv_fill_done: async DNS AAAA lookup for DOMAINserver.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for wvm2016-01.DOMAIN.net [0] got wvm2016-01.DOMAIN.net → 192.168.200.252
dns_rr_srv_fill_done: async DNS AAAA lookup for wvm2016-01.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for WVM2016-01.DOMAIN.net [0] got WVM2016-01.DOMAIN.net → 192.168.200.252
dns_rr_srv_fill_done: async DNS AAAA lookup for WVM2016-01.DOMAIN.net returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for DOMAINserver.DOMAIN.net [0] got DOMAINserver.DOMAIN.net → 192.168.200.250
dns_rr_srv_fill_done: async DNS AAAA lookup for DOMAINserver.DOMAIN.net returned 0 addresses.
sitename_fetch: Returning sitename for realm ‘DOMAIN.NET’: “Default-First-Site-Name”
namecache_fetch: name DOMAINserver.DOMAIN.net#20 found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.200.250 192.168.200.252
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf.DOMAINNET with realm DOMAIN.NET KDC list:
kdc = 192.168.200.250
kdc = 192.168.200.252
ads_dc_name: using server=‘DOMAINSERVER.DOMAIN.NET’ IP=192.168.200.250
ads_try_connect: sending CLDAP request to 192.168.200.250 (realm: DOMAIN.NET)
Successfully contacted LDAP server 192.168.200.250
Connecting to 192.168.200.250 at port 389
Connected to LDAP server DOMAINserver.DOMAIN.net
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
gensec_update_done: spnego[0x8108cb360]: NT_STATUS_INVALID_PARAMETER
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/DOMAINserver.DOMAIN.net with user[root] realm=[DOMAIN.NET]: Cannot read password
return code = -1
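
An added example, not part of the original post: a small parser for the smbd record format in the Samba4 log above (a bracketed header line followed by message lines). It keeps only records at debug level 1 or lower and counts repeats, so the few failure lines stand out from the level-2 trace. The sample lines are constructed from the post's log, and the function names are this example's own.

```python
import re
from collections import Counter

# Header line of an smbd log record: [timestamp, level] source.c:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

# Constructed sample, modelled on lines from the smbd log in the post.
SAMPLE_LOG = r"""
[2024/04/03 14:40:00.093559, 1] ../../source3/librpc/crypto/gse_krb5.c:418(fill_mem_keytab_from_system_keytab)
../../source3/librpc/crypto/gse_krb5.c:417: krb5_kt_start_seq_get failed (No such file or directory)
[2024/04/03 14:40:00.094222, 1] ../../source3/librpc/crypto/gse_krb5.c:418(fill_mem_keytab_from_system_keytab)
../../source3/librpc/crypto/gse_krb5.c:417: krb5_kt_start_seq_get failed (No such file or directory)
[2024/04/03 15:00:30.621979, 2] ../../source3/smbd/open.c:1686(open_file)
DOMAINNET\USER opened file Unsorted/1.png read=Yes write=Yes (numopen=6)
[2024/04/03 15:00:30.642257, 1] ../../source3/smbd/trans2.c:6633(smb_set_file_dosmode)
smb_set_file_dosmode: file_set_dosmode of Unsorted/1.png failed: Operation not permitted
[2024/04/03 15:00:30.643579, 2] ../../source3/smbd/close.c:837(close_normal_file)
DOMAINNET\USER closed file Unsorted/1.png (numopen=5) NT_STATUS_OK
"""


def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # message lines may or may not be indented
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "src": m["src"], "func": m["func"], "msg": []}
            records.append(current)
        elif current is not None:
            current["msg"].append(line)  # continuation of the current record
    for rec in records:
        rec["msg"] = " ".join(rec["msg"])
    return records


def summarize_errors(records, max_level=1):
    """Return (function, message, count, first_seen) for records at or below max_level."""
    counts, first_seen = Counter(), {}
    for rec in records:
        if rec["level"] <= max_level:
            key = (rec["func"], rec["msg"])
            counts[key] += 1
            first_seen.setdefault(key, rec["ts"])
    return [(f, msg, n, first_seen[(f, msg)]) for (f, msg), n in counts.most_common()]


if __name__ == "__main__":
    for func, msg, n, ts in summarize_errors(parse_records(SAMPLE_LOG)):
        print(f"{n:3d}x first at {ts}  {func}: {msg}")
```
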