Re: [Samba] samba on solaris 11 can not longer join Windows AD domain
- Date: Tue, 19 Sep 2017 08:26:02 -0400
- From: Gaiseric Vandal via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] samba on solaris 11 can not longer join Windows AD domain
On 09/19/17 05:30, Rowland Penny via samba wrote:
On Mon, 18 Sep 2017 22:45:04 -0400
Gaeseric Vandal via samba <samba@xxxxxxxxxxxxxxx> wrote:
I would like to move my Samba file server (Samba 4.4.14 on Solaris
11) from a classic domain into an Active Directory domain. The
active directory domain has one Win 2008 directory server / domain
controller, and one Win 2012 R2 DS. E-mail, among other things,
depends on a Microsoft AD backend.
A few months ago I was able to join a test server to the AD
domain. Today I tried joining a 2nd one, but without success.
testmachine1# net ads join -U Administrator@xxxxxxxxxxxx
Enter Administrator@xxxxxxxxxxxx's password:
Failed to join domain: Failed to set machine spn: Time limit exceeded
Do you have sufficient permissions to create machine accounts?
I thought that I may have not properly replicated the configuration,
so I tried it on the first test server, with the same error.
The event log on the AD DS shows
Log Name: System
Date: 9/18/2017 10:01:27 PM
Event ID: 3
Task Category: None
A Kerberos Error Message was received:
on logon session
Server Time: 2:1:27.0000 9/19/2017 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Server Realm: MYDOMAIN.COM
Server Name: DS1.mydomain.com
Target Name: DS1.mydomain.com@xxxxxxxxxxxx
I have applied patches over the last few months to the Windows
servers. Can't think of any significant changes on the windows side.
I have copied and pasted the partial output of testparm -v.
root@testmachine1:~# testparm -v
Please don't ever do that again, never send the verbose output from
testparm, just send the output of 'cat'
Before going any further, can I ask how (once you have joined
the domain) you propose to make your Windows users known to the Unix
system? There is a distinct lack of 'idmap config' lines.
Does the /etc/resolv.conf point to a DC as a nameserver?
Does the proposed Unix domain member get its IP via DHCP?
What is in /etc/hosts?
What is in /etc/krb5.conf?
Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice.
The problem with showing just the config file is that options not explicitly set may have different defaults depending on version. I have attached part of cat smb.conf below.
/etc/hosts does not include the AD Domain controllers.
/etc/resolv.conf shows secondary DNS servers, which in turn sync data from the AD Domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers.
/etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via ldap) and kerberos authentication. I did find that Solaris "native" kerberos and Samba expect krb5.keytab files in different locations, which I resolved with a symlink between /etc/krb5.keytab and /etc/krb5/krb5.keytab.
All member servers use static IP.
#======================= Global Settings =====================================
private dir = /etc/samba/private
smb passwd file = /etc/samba/private/smbpasswd
syslog = 3
log level = 10
client ldap sasl wrapping = plain
ldap server require strong auth = no
create krb5 conf = no
# max protocol = used to define the supported protocol. The default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
workgroup = MYDOMAIN
server string = Samba Server Version %v
netbios name = MYSERVER
; max protocol = SMB2
passdb backend = tdbsam
security = ads
realm = MYDOMAIN.COM
idmap config *:backend = tdb
idmap config *:range = 2000-2999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
domain master = no
domain logons = no
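Rowland's question about the missing 'idmap config' lines, and the two LDAP settings in the posted fragment, are the kind of thing worth checking mechanically before a join. The script below is an added example, not code from this thread or from the Samba project: it parses a domain-member smb.conf fragment, checks that every idmap domain has a backend and a sane, non-overlapping range, and flags 'client ldap sasl wrapping = plain' (LDAP traffic to the DC neither signed nor sealed) and 'ldap server require strong auth', which is an AD DC parameter with no effect on a member server. SMB_CONF is constructed from the fragment posted above with comments dropped; the assumed default of 'sign' for the wrapping parameter follows smb.conf(5).

```python
"""Lint a Samba domain-member smb.conf fragment for idmap sanity and LDAP
protection. Added example; not code from the mailing-list thread or Samba."""
import re

# Constructed from the smb.conf fragment posted in the thread (comments dropped).
SMB_CONF = """\
[global]
workgroup = MYDOMAIN
security = ads
realm = MYDOMAIN.COM
client ldap sasl wrapping = plain
ldap server require strong auth = no
idmap config *:backend = tdb
idmap config *:range = 2000-2999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999
winbind nss info = rfc2307
"""

# 'idmap config <domain> : <option> = <value>'; '*' is the default domain.
IDMAP_RE = re.compile(r"^idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)


def parse_smb_conf(text):
    """Return (params, idmap): params maps lower-cased global parameter -> value,
    idmap maps domain name -> {option: value}. Section headers and
    '#' / ';' comment lines are skipped."""
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3).strip()
            idmap.setdefault(dom, {})[opt] = val
        elif "=" in line:
            key, val = line.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params, idmap


def parse_range(val):
    """'100-1999' -> (100, 1999); raises ValueError on malformed input."""
    lo, hi = val.replace(" ", "").split("-")
    return int(lo), int(hi)


def check_idmap(idmap):
    """Findings about missing, empty or overlapping idmap ranges."""
    findings = []
    if "*" not in idmap:
        findings.append("no 'idmap config *' default domain: SIDs from other "
                        "domains (and BUILTIN) cannot be mapped")
    ranges = []
    for dom, opts in idmap.items():
        if "backend" not in opts:
            findings.append(f"idmap {dom}: no backend set")
        if "range" not in opts:
            findings.append(f"idmap {dom}: no range set")
            continue
        try:
            lo, hi = parse_range(opts["range"])
        except ValueError:
            findings.append(f"idmap {dom}: malformed range {opts['range']!r}")
            continue
        if lo >= hi:
            findings.append(f"idmap {dom}: empty range {lo}-{hi}")
        ranges.append((dom, lo, hi))
    # Ranges of different domains must be disjoint, otherwise one Unix ID can
    # be claimed by two different SIDs.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges overlap: {d1} {lo1}-{hi1} "
                                f"vs {d2} {lo2}-{hi2}")
    return findings


def check_ldap_protection(params):
    """Findings about LDAP hardening parameters on a 'security = ads' member."""
    findings = []
    # Assumed default 'sign' per smb.conf(5); 'plain' turns integrity/privacy off.
    wrapping = params.get("client ldap sasl wrapping", "sign").lower()
    if wrapping == "plain":
        findings.append("client ldap sasl wrapping = plain: LDAP traffic to the DC "
                        "is neither signed nor sealed; use 'sign' or 'seal'")
    if "ldap server require strong auth" in params:
        findings.append("ldap server require strong auth: AD DC parameter, "
                        "no effect on a domain member")
    return findings


def lint(text):
    """Run all checks on an smb.conf text and return the list of findings."""
    params, idmap = parse_smb_conf(text)
    findings = []
    if params.get("security", "").lower() == "ads" and not idmap:
        findings.append("security = ads but no 'idmap config' lines at all")
    findings += check_idmap(idmap)
    findings += check_ldap_protection(params)
    return findings


if __name__ == "__main__":
    for finding in lint(SMB_CONF):
        print("-", finding)
```

Run against the posted fragment, the idmap part comes back clean (the two ranges 100-1999 and 2000-2999 do not overlap) and only the two LDAP findings are reported; the test also feeds it a variant with overlapping ranges and a member config with no idmap lines at all to show the other paths.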