[SOLVED] Re: Problem with joining a Samba3 box as a member to an upgraded Samba4 AD domain

Andrew Walters aw-sambalists at silverstream.net.nz
Sat Apr 14 17:29:33 MDT 2012


Solved my own problem.

Posting here in case anyone else encounters something similar. To recap for the sake of search engines:

I upgraded my samba 3 domain to samba 4 AD using the samba3upgrade HOWTO at http://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO.

I was then unable to rejoin the old fileserver to the new AD domain using net ads join; this happened:

# net ads join -U (myusername.with.domain.admin.rights)
(typed in password)
[2012/04/14 17:38:32.744193,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database

In the background it was failing with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

The problem was the SPN records created from the migration for the new AD domain controller were populated with the name of the old Samba3 domain controller - an example being servicePrincipalName = ldap/oldserver.ad.domain.name. I needed to correct all these to point to the new domain controller's correct name. I used LdapAdmin.exe (Sourceforge) to achieve this, by browsing to OU=Domain Controllers, OU=(my domain controller name), and correcting all wrong servicePrincipalName entries found.

Once done, the domain join from the samba3 server was successful.

Cheers,

Andrew
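The check and fix described above, as an added example that is not part of the original post or of the Samba project's own code. It audits an LDIF dump of the domain controller's computer object for servicePrincipalName values that still name the old Samba3 PDC, rewrites them to the new DC's name, and emits an LDIF modify record. The host names oldserver.ad.domain.name and newdc.ad.domain.name are assumptions, the sample LDIF is constructed, and the sam.ldb path mentioned below assumes a default source build. In practice you would produce the dump with ldbsearch -H /usr/local/samba/private/sam.ldb '(servicePrincipalName=*)' servicePrincipalName against the DC object, apply the generated record with ldbmodify -H /usr/local/samba/private/sam.ldb, or edit the same values with samba-tool spn list/add/delete.

```python
"""Audit and rewrite stale servicePrincipalName values on a DC object.

Added example for this post, not code from the message author or from
Samba. Works offline on an LDIF dump; SAMPLE_LDIF is constructed and the
host names are assumptions.
"""
import base64
import re

OLD_FQDN = "oldserver.ad.domain.name"  # assumed name of the old Samba3 PDC
NEW_FQDN = "newdc.ad.domain.name"      # assumed name of the new Samba4 DC

# Constructed sample modelled on the post: the computer object already has
# the new name, but its SPNs still carry the old host name.
SAMPLE_LDIF = """\
dn: CN=NEWDC,OU=Domain Controllers,DC=ad,DC=domain,DC=name
dNSHostName: newdc.ad.domain.name
servicePrincipalName: HOST/OLDSERVER
servicePrincipalName: HOST/oldserver.ad.domain.name
servicePrincipalName: ldap/oldserver.ad.domain.name
servicePrincipalName: ldap/oldserver.ad.domain.name/ad.domain.name
servicePrincipalName: GC/oldserver.ad.domain.name/ad.domain.name
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/11111111-2222-3333-4444-555555555555/ad.domain.name
"""

# service/host[:port][/name] -- the host component is what must be renamed
SPN_RE = re.compile(r"^(?P<service>[^/]+)/(?P<host>[^/:]+)(?P<rest>.*)$")


def parse_ldif_entry(text):
    """Minimal parser for one LDIF entry: unfolds continuation lines and
    decodes '::' base64 values. Returns (dn, {attribute: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def names_host(spn, fqdn):
    """True if the SPN's host component is this machine, by FQDN or short name."""
    m = SPN_RE.match(spn)
    if not m:
        return False
    return m.group("host").lower() in (fqdn.lower(), fqdn.split(".")[0].lower())


def fix_spn(spn, old_fqdn, new_fqdn):
    """Rewrite one SPN from the old host to the new one, keeping the service
    class, any port and any trailing /realm component intact."""
    m = SPN_RE.match(spn)
    if not m or not names_host(spn, old_fqdn):
        return spn
    host = m.group("host")
    if host.lower() == old_fqdn.lower():
        new_host = new_fqdn
    else:                                      # short NetBIOS-style name
        new_short = new_fqdn.split(".")[0]
        new_host = new_short.upper() if host.isupper() else new_short
    return f"{m.group('service')}/{new_host}{m.group('rest')}"


def audit(ldif_text, old_fqdn, new_fqdn):
    """Return (dn, stale SPNs naming the old host, corrected full SPN list)."""
    dn, attrs = parse_ldif_entry(ldif_text)
    spns = attrs.get("servicePrincipalName", [])
    stale = [s for s in spns if names_host(s, old_fqdn)]
    fixed = []
    for s in spns:
        f = fix_spn(s, old_fqdn, new_fqdn)
        if f not in fixed:                     # SPNs must stay unique
            fixed.append(f)
    return dn, stale, fixed


def missing_join_spn(spns, dc_fqdn):
    """net ads join binds to LDAP with GSSAPI, so the KDC must know
    ldap/<dc fqdn>; its absence gives KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN."""
    want = f"ldap/{dc_fqdn}".lower()
    return not any(s.lower() == want for s in spns)


def modify_ldif(dn, spns):
    """LDIF 'replace' record suitable for ldbmodify or ldapmodify."""
    out = [f"dn: {dn}", "changetype: modify", "replace: servicePrincipalName"]
    out += [f"servicePrincipalName: {s}" for s in spns]
    out.append("-")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    dn, stale, fixed = audit(SAMPLE_LDIF, OLD_FQDN, NEW_FQDN)
    print(f"{len(stale)} stale SPN(s) on {dn}")
    for s in stale:
        print("  ", s)
    if missing_join_spn(fixed, NEW_FQDN):
        print(f"WARNING: ldap/{NEW_FQDN} still missing after rewrite")
    print(modify_ldif(dn, fixed))
```

The replace record rewrites the whole attribute rather than deleting and adding values one at a time, so a half-applied change cannot leave the DC with both names; the dedup step matters because AD rejects duplicate SPNs, and the DRS replication SPN (the E3514235-... value) carries no host name and is left alone.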

