Re: [Samba] samba on solaris 11 can no longer join Windows AD domain

On 09/19/17 05:30, Rowland Penny via samba wrote:
> On Mon, 18 Sep 2017 22:45:04 -0400
> Gaeseric Vandal via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> I would like to move my Samba file server (Samba 4.4.14 on Solaris
>> 11) from a classic domain into an Active Directory domain. The
>> active directory domain has one Win 2008 directory server / domain
>> controller, and one Win 2012 R2 DS. E-mail, among other things,
>> depends on a Microsoft AD backend.
>>
>> A few months ago I was able to join a test server to the AD
>> domain. Today I tried joining a 2nd one, but without success.
>>
>> testmachine1# net ads join -U Administrator@xxxxxxxxxxxx
>> Enter Administrator@xxxxxxxxxxxx's password:
>> Failed to join domain: Failed to set machine spn: Time limit exceeded
>> Do you have sufficient permissions to create machine accounts?
>>
>> I thought that I may have not properly replicated the configuration,
>> so I tried it on the first test server, with the same error.
>>
>> The event log on the AD DS shows
>>
>> Log Name:      System
>> Source:        Microsoft-Windows-Security-Kerberos
>> Date:          9/18/2017 10:01:27 PM
>> Event ID:      3
>> Task Category: None
>> Level:         Error
>> Keywords:      Classic
>> User:          N/A
>> Computer:      DS1.mydomain.com
>>
>> A Kerberos Error Message was received:
>> on logon session
>>   Client Time:
>>   Server Time: 2:1:27.0000 9/19/2017 Z
>> Extended Error: 0xc00000bb KLIN(0)
>> Client Realm:
>>   Client Name:
>>   Server Realm: MYDOMAIN.COM
>> Server Name: DS1.mydomain.com
>> Target Name:  DS1.mydomain.com@xxxxxxxxxxxx
>>
>> I have applied patches over the last few months to the Windows
>> servers. Can't think of any significant changes on the windows side.
>>
>> I have copied and pasted the partial output of testparm -v.
>>
>> root@testmachine1:~# testparm -v
>
> Please don't ever do that again, never send the verbose output from
> testparm, just send the output of 'cat'
>
> Before going any further, can I ask you how (once you have joined
> the domain) you propose to make your Windows users known to the Unix
> system? There is a distinct lack of 'idmap config' lines.
>
> Does the /etc/resolv.conf point to a DC as a nameserver?
> Does the proposed Unix domain member get its IP via DHCP?
> What is in /etc/hosts?
> What is in /etc/krb5.conf?


Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice.

The problem with showing just the config file is that options not explicitly set may have different defaults depending on version. I have attached part of cat smb.conf below.

/etc/hosts does not include the AD Domain controllers.
/etc/resolv.conf shows secondary DNS servers, which in turn sync data from the AD Domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers.

/etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via ldap) and kerberos authentication. I did find that Solaris "native" kerberos and Samba expect krb5.keytab files in different locations, which I resolved with a symlink between /etc/krb5.keytab and /etc/krb5/krb5.keytab.

All member servers use static IP.



# cat /etc/samba/smb.conf

#======================= Global Settings =====================================

        private dir = /etc/samba/private
        smb passwd file = /etc/samba/private/smbpasswd

        syslog = 3
        log level = 10
        client ldap sasl wrapping = plain
        ldap server require strong auth = no
        create krb5 conf = no

        # max protocol = used to define the supported protocol. The default is NT1. You
        # can set it to SMB2 if you want experimental SMB2 support.
        workgroup = MYDOMAIN
        server string = Samba Server Version %v
        netbios name = MYSERVER
;       max protocol = SMB2

        passdb backend = tdbsam
        security = ads
        realm = MYDOMAIN.COM

        idmap config *:backend = tdb
        idmap config *:range = 2000-2999

        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 100-1999

        # Use settings from AD for login shell and home directory
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        domain master = no
        domain logons = no
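The 'idmap config' lines Rowland asked about are the part of this file most worth sanity-checking before a join, since the ranges of different idmap domains must not overlap and each domain needs both a backend and a range. The checker below is an added example, not code from this thread or from Samba; it parses the idmap config lines of an smb.conf (here a constructed sample modelled on the one above) and reports a missing default domain, a domain without backend or range, and ranges that overlap.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the idmap lines of the smb.conf posted above.
SAMPLE_SMB_CONF = """
[global]
        workgroup = MYDOMAIN
        idmap config *:backend = tdb
        idmap config *:range = 2000-2999
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 100-1999
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_idmap(text: str) -> Tuple[str, Dict[str, Dict[str, str]]]:
    """Return (workgroup, {domain: {option: value}}); '#' and ';' lines are comments."""
    workgroup, domains = "", {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        if m := IDMAP_RE.match(line):
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif w := WORKGROUP_RE.match(line):
            workgroup = w.group(1).upper()
    return workgroup, domains

def check_idmap(text: str) -> List[str]:
    """List idmap problems; an empty list means the configuration is consistent."""
    workgroup, domains = parse_idmap(text)
    problems, ranges = [], []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain")
    if workgroup and workgroup not in domains:
        problems.append(f"no idmap config for workgroup {workgroup}")
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: missing backend")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"{dom}: missing or malformed range {opts.get('range')!r}")
            continue
        ranges.append((dom, int(m.group(1)), int(m.group(2))))
    # Ranges must be pairwise disjoint, or two domains would map onto the same UIDs/GIDs.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"{d1} range {lo1}-{hi1} overlaps {d2} range {lo2}-{hi2}")
    return problems
```

Run `check_idmap(open("/etc/samba/smb.conf").read())` on a real file; the sample above passes cleanly, while shifting the `*` range to `1500-2999` is reported as an overlap with MYDOMAIN.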


