[SOLVED!] Joining AD domain fails: "Failed to set servicePrincipalNames. [...] Type or value exists"

Kurt Pfeifle kurt.pfeifle at infotec.com
Sat Jun 23 00:21:26 GMT 2007 

Kurt Pfeifle now responds once more to himself; earlier he wrote:
> Kurt Pfeifle now responds to himself; earlier he wrote:
>> Guenther Deschner wrote:
>>> Hi Kurt,
>>>
>>> Kurt Pfeifle wrote:
>>>> Hi, list,
>>>> I'm having a problem to join a current Debian Sid/unstable system
>>>> (running Samba 3.0.25a) to an AD domain (where the DC is a Windows
>>>> 2003 Server with SP2):
> 
> [....]
> 
>>> Can you run your join with debug level 10 set and see if that is the
>>> case ?
>> Indeed, I see the following lines in the output now:
>>
>> -------------------------------------------------------------------
>> [2007/06/22 22:33:58, 10] lib/util.c:name_to_fqdn(3013)
>>   name_to_fqdn: lookup for PDFMAKER failed.
>> Failed to set servicePrincipalNames. Please ensure that
>> the DNS domain of this server matches the AD domain,
>> -------------------------------------------------------------------
>>
>>> pdfserver and pdfserver.infotecsys.de probably need to resolve to
>>> an ip-address.
>> Which they don't:
>>
>> -------------------------------------------------------------------
>> root at pdfserver:~# nslookup pdfserver.infotecsys.de
>>    Server:         10.162.2.3
>>    Address:        10.162.2.3#53
>>
>>    ** server can't find pdfserver.infotecsys.de: NXDOMAIN
>>
>> root at pdfserver:~# host pdfserver.infotecsys.de
>>    pdfserver.infotecsys.de does not exist (Authoritative answer)
>> -------------------------------------------------------------------
> 
> [...]
> 
>> (I'm still
>> trying to figure out how to teach the ADS DC's DNS service what IP
>> address the pdfserver uses  ...).
> 
> 
> OK, meanwhile I managed to insert the IP<->hostname mapping into the
> DNS of the ADS DC:
> 
> -------------------------------------------------------------------
> root at pdfserver:~# nslookup pdfserver
>    Server:         10.162.2.3
>    Address:        10.162.2.3#53
> 
>    Name:   pdfserver.infotecsys.de
>    Address: 10.162.7.11
> 
> root at pdfserver:~# host pdfserver
>    pdfserver.infotecsys.de A       10.162.7.11
> -------------------------------------------------------------------
> 
> However, the result of my attempt to join the pdfserver to the domain
> is still exactly the same failure as before:
> 
> 
> -------------------------------------------------------------------
> root at pdfserver:~# net ads join -W infotecsys.de -S dc -U Administrator
>    Administrator's password:
>    Using short domain name -- INFOTECSYS
>    Failed to set servicePrincipalNames. Please ensure that
>    the DNS domain of this server matches the AD domain,
>    Or rejoin with using Domain Admin credentials.
>    Deleted account for 'PDFMAKER' in realm 'INFOTECSYS.DE'
>    Failed to join domain: Type or value exists
> -------------------------------------------------------------------
> 
> 
> Interestingly, now the debug level 10 output is a little bit different:
> 
> -------------------------------------------------------------------
> root at pdfserver:~# net ads join -W infotecsys.de -S dc -U Administrator -d 10
>    [2007/06/23 00:53:47, 10] lib/util.c:name_to_fqdn(3009)
>      name_to_fqdn: lookup for PDFMAKER -> PDFMAKER.
>    Failed to set servicePrincipalNames. Please ensure that
>    the DNS domain of this server matches the AD domain,
> -------------------------------------------------------------------
> 
> 
> So, first there was no successful resolution of the pdfserver name to
> an IP address, and debug level 10 showed:
> 
>   "name_to_fqdn: lookup for PDFMAKER failed."
> 
> Now that the pdfserver name is resolved to an IP address, debug level
> 10 shows:
> 
>   "name_to_fqdn: lookup for PDFMAKER -> PDFMAKER."

Oh, my!

It's there, in plain sight: while I had meant to configure everything
to use pdf*server*, in smb.conf a line "netbios name = pdf*maker*"
had slipped in. What a stupid mistake!

Removal of that line then did the magic. Now it's all cool again:

-------------------------------------------------------------------
root at pdfserver:~# net ads join -W infotecsys.de -S dc -U Administrator
   Administrator's password:
   Using short domain name -- INFOTECSYS
   Joined 'PDFSERVER' to realm 'INFOTECSYS.DE'
-------------------------------------------------------------------


Sorry if I wasted everyone's time. (May Google now help other people
to find *that* cause for the error message of "Failed to set
servicePrincipalNames. [...] Type or value exists"  as well... People
remember to never set a different/wrong "netbios name" in smb.conf
when you want to become part of an ADS...)

Cheers & Thanks!
Kurt 
---
Infotec Deutschland GmbH
Hedelfingerstrasse 58
D-70327 Stuttgart
Telefon +49 711 4017-0, Fax +49 711 4017-5752
www.infotec.com
Geschaeftsfuehrer: Elmar Karl Josef Wanderer, Frank Grosch, Heinz-Josef Jansen
Sitz der Gesellschaft: Stuttgart, Handelsregister HRB Stuttgart 20398

Der Inhalt dieser E-Mail ist vertraulich und ist nur für den Empfänger bestimmt. Falls Sie nicht der angegebene Empfänger sind oder falls diese E-Mail irrtümlich an Sie adressiert wurde, verständigen Sie bitte den Absender sofort und löschen Sie die E-Mail sodann. Das unerlaubte Veröffentlichen, Kopieren sowie die unbefugte Übermittlung komplett oder in Teilen sind nicht gestattet.Private Ansichten und Meinungen sind, wenn nicht ausdrücklich erklärt, die des Autors und nicht die der Infotec Deutschland GmbH oder deren verantwortliche Direktoren und Angestellte. Eine Haftung für Schäden oder Verlust von Daten durch den Gebrauch dieser Email oder deren Anhänge wird ausgeschlossen.
Weitere Informationen erhalten Sie im Internet unter www.infotec.com oder in jeder Infotec Niederlassung.
This E-Mail is for the exclusive use of the recipient and may contain information which is confidential. Any disclosure, distribution or copying of this communication, in whole or in part, is not permitted. Any views or opinions presented are those of the author and (unless otherwise specifically stated) do not represent those of Infotec Deutschland GmbH or their directors or officers; none of whom are responsible for any reliance placed on the information contained herein. Although reasonable precautions have been taken to ensure that no viruses are present, all liability is excluded for any loss or damage arising from the use of this email or attachments.
For further information please see our website at www.infotec.com or refer to any Infotec office.

More information about the samba-technical mailing list