
[Samba] samba on solaris 11 can not longer join Windows AD domain




I would like to move my Samba file server (Samba 4.4.14 on Solaris 11) from
a classic domain into an Active Directory domain. The Active Directory
domain has one Windows 2008 domain controller and one Windows 2012 R2
domain controller. E-mail, among other things, depends on the Microsoft AD
backend.


A few months ago I was able to join a test server to the AD domain. Today
I tried joining a second server, but without success:

 

testmachine1# net ads join -U Administrator@xxxxxxxxxxxx

Enter Administrator@xxxxxxxxxxxx's password:

Failed to join domain: Failed to set machine spn: Time limit exceeded

Do you have sufficient permissions to create machine accounts?

 

 

I thought I might not have replicated the configuration correctly, so I
tried the join again on the first test server and got the same error.

 

The event log on the AD domain controller shows the following at the time of the failed join:

 

 

 

Log Name:      System

Source:        Microsoft-Windows-Security-Kerberos

Date:          9/18/2017 10:01:27 PM

Event ID:      3

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      DS1.mydomain.com

Description:

A Kerberos Error Message was received:

on logon session 

 Client Time: 

 Server Time: 2:1:27.0000 9/19/2017 Z

Error Code: 0xd KDC_ERR_BADOPTION

Extended Error: 0xc00000bb KLIN(0)

Client Realm: 

 Client Name: 

 Server Realm: MYDOMAIN.COM

Server Name: DS1.mydomain.com

Target Name:  DS1.mydomain.com@xxxxxxxxxxxx

 

 

 

I have applied patches to the Windows servers over the last few months, but
I can't think of any other significant changes on the Windows side.

 

Below is partial output of testparm -v from the server that fails to join:

 

root@testmachine1:~# testparm -v

Load smb config files from /etc/samba/smb.conf

rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)

WARNING: The "syslog" option is deprecated

.

WARNING: You have some share names that are longer than 12 characters.

These may not be accessible to some older clients.

(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)

Server role: ROLE_DOMAIN_MEMBER

 

Press enter to see a dump of your service definitions

 

# Global parameters

[global]

        bind interfaces only = No

        config backend = file

        dos charset = CP850

        enable core files = Yes

        interfaces =

        multicast dns register = Yes

        netbios aliases =

        netbios name = ZION

        netbios scope =

        realm = SSCI.COM

        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, dns

        server string = Samba Server Version %v

        share backend = classic

        unix charset = UTF-8

        workgroup = SSCI

        browse list = Yes

        domain master = No

        enhanced browsing = Yes

        lm announce = Auto

        lm interval = 60

        local master = Yes

        os level = 20

        preferred master = Auto

        allow dns updates = secure only

        dns forwarder =

        dns update command = /usr/lib/samba/sbin/samba_dnsupdate

        machine password timeout = 604800

        nsupdate command = /usr/bin/nsupdate -g

        rndc command = /usr/sbin/rndc

        spn update command = /usr/lib/samba/sbin/samba_spnupdate

        mangle prefix = 1

        mangling method = hash2

        max stat cache size = 256

        stat cache = Yes

        client ldap sasl wrapping = plain 

.

        cldap port = 389

        client ipc max protocol = default

        client ipc min protocol = default

        client max protocol = default

        client min protocol = CORE

        client use spnego = Yes

        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

        defer sharing violations = Yes

        dgram port = 138

        disable netbios = No

        enable asu support = No

        eventlog list =

        large readwrite = Yes

        max mux = 50

        max ttl = 259200

        max wins ttl = 518400

        max xmit = 16644

        min receivefile size = 0

        min wins ttl = 21600

        name resolve order = lmhosts wins host bcast

        nbt port = 137

        nt pipe support = Yes

        nt status support = Yes

        read raw = Yes

        rpc big endian = No

        server max protocol = SMB3

        server min protocol = LANMAN1

        server multi channel support = No 

 

.

        name resolve order = lmhosts wins host bcast

        nbt port = 137

        nt pipe support = Yes

        nt status support = Yes

        read raw = Yes

        rpc big endian = No

        server max protocol = SMB3

        server min protocol = LANMAN1

        server multi channel support = No

        smb2 max credits = 8192

        smb2 max read = 8388608

        smb2 max trans = 8388608

        smb2 max write = 8388608

        smb ports = 445 139

        svcctl list =

        time server = No

        unicode = Yes

        unix extensions = Yes

        use spnego = Yes

        web port = 901

        write raw = Yes

        algorithmic rid base = 1000

        allow dcerpc auth level connect = No

        allow trusted domains = Yes

        auth methods =

        check password script =

        client ipc signing = default

        client lanman auth = No

        client NTLMv2 auth = Yes

        client plaintext auth = No

        client schannel = Auto

        client signing = default

        client use spnego principal = No

        dedicated keytab file =

        encrypt passwords = Yes

        guest account = nobody

        kerberos method = default

        kpasswd port = 464

        krb5 port = 88

        lanman auth = No

        log nt token command =

        map to guest = Never

        map untrusted to domain = No

        ntlm auth = Yes

        ntp signd socket directory = /var/samba/lib/ntp_signd

        null passwords = No

        obey pam restrictions = No

        old password allowed period = 60

        pam password change = No

        passdb backend = tdbsam

        passdb expand explicit = No

        passwd chat = *new*password* %n\n *new*password* %n\n *changed*

        passwd chat debug = No

        passwd chat timeout = 2

        passwd program =

        password server = *

        preload modules =

        private dir = /etc/samba/private

        raw NTLMv2 auth = No

        rename user script =

        restrict anonymous = 0

        root directory =

       samba kcc command = /usr/lib/samba/sbin/samba_kcc

        security = ADS

        server role = auto

        server schannel = Auto

        server signing = default

        smb passwd file = /etc/samba/private/smbpasswd

        tls cafile = tls/ca.pem

        tls certfile = tls/cert.pem

        tls crlfile =

        tls dh params file =

        tls enabled = Yes

        tls keyfile = tls/key.pem

        tls priority = NORMAL:-VERS-SSL3.0

        tls verify peer = as_strict_as_possible

        unix password sync = No

        username level = 0

        username map =

        username map cache time = 0

        username map script =

        aio max threads = 100

        deadtime = 0

        getwd cache = Yes

        hostname lookups = No

       keepalive = 300

        max disk size = 0

        max open files = 16384

        max smbd processes = 0

        name cache timeout = 660

        socket options = TCP_NODELAY

        use mmap = Yes

        get quota command =

        host msdfs = Yes

        set quota command =

        create krb5 conf = No

        idmap backend = tdb

        idmap cache time = 604800

        idmap gid =

        idmap negative cache time = 120

        idmap uid =

        include system krb5 conf = Yes

        neutralize nt4 emulation = No

        reject md5 servers = No

        require strong key = Yes

        template homedir = /home/%D/%U

        template shell = /bin/false

        winbind cache time = 300

        winbindd privileged socket directory =
/var/samba/lib/winbindd_privileged

        winbindd socket directory = /var/samba/run/winbindd

        winbind enum groups = Yes

        winbind enum users = Yes

        winbind expand groups = 0

        winbind max clients = 200

        winbind max domain connections = 1

        winbind nested groups = Yes

        winbind normalize names = No

        winbind nss info = rfc2307

        winbind offline logon = No

        winbind reconnect delay = 30

        winbind refresh tickets = No

        winbind request timeout = 60

        winbind rpc only = No

        winbind sealed pipes = Yes

        winbind separator = \

        winbind trusted domains only = No

        winbind use default domain = No

        dns proxy = Yes

        wins hook =

        wins proxy = No

        wins server = 192.x.x.x

        wins support = No

...

 

 

 

 

 

I would appreciate any advice.

 

Thanks

 

 

  

 

 

 
