Problem with joining a Samba3 box as a member to an upgraded Samba4 AD domain

Andrew Walters aw-sambalists at
Fri Apr 13 23:58:04 MDT 2012

> From: "Ricky Nance" <ricky.nance at>

> "My next challenge is to migrate over a Samba 3 + LDAP domain to AD
> at another school." Check out this wiki
> ,
> hopefully it has everything you need to get that done, if its
> missing something, or you just need help, let us (the list) know.
> You will likely need alpha 17 (possibly 18) as the samba3upgrade
> command wasn't added before that.

Well, I've hit a snag I can't get past and I need help!

I've made it through several other snags to do with migration (a duplicate SID, missing account flags, changing group names where they match user names, some fun with DNS) but this one's got me.

I have Samba4 tucked in /srv/adsrv which is fine, and it is configured to listen on a specific IP address. I have reconfigured Samba3 to listen on a different IP (it's to provide file and print sharing, keeping nice things like %U in the home share name etc).

The Samba4 server name is (as in Domain Controller) and the Samba3 server is (as in File Server.

When it comes to joining the Samba3 service to the AD domain it fails with:

# net ads join -U (myusername)
(typed in password)
[2012/04/14 17:38:32.744193,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database

My username has inherited Domain Admin membership from the old domain and can successfully be used to join a test Windows XP box. This test Windows XP workstation joins without any complaints, and I can log in with my domain account and browse/change the directory with dsa.msc on it fine.

Using Wireshark I've found that the Samba4 server comes back to the Samba3 "net ads join..." with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for the principal ldap/

Any ideas how this would have come about? The last site I set up like this was a newly provisioned AD domain where I didn't have this problem. This site however is a samba3upgrade. Other differences is the last site was set up using alpha17, this site with alpha19. I'm stuck with BIND 9.7.3 so instead of sam.ldb I've grabbed the zonefile from the other site and changed it to match this site. This seems to work as the abovementioned Windows XP box joins and works on the AD domain fine.

Any suggestions? I'm not well versed in security principals or how they work (this seems to be my introduction-by-fire to them!), and am not sure what should be present in the Samba4 Kerberos database nor how to correctly query or add it with samba-tool spn for a server rather than a user? Am I even on the right track?

Any help appreciated :)

Thanks heaps

Andrew W

More information about the samba-technical mailing list