[SOLVED] Re: Problem with joining a Samba3 box as a member to an upgraded Samba4 AD domain

[Andrew Bartlett]

On Sun, 2012-04-15 at 11:29 +1200, Andrew Walters wrote:
> Solved my own problem.
> 
> Posting here in case anyone else encounters something similar. To recap for the sake of search engines:
> 
> I upgraded my samba 3 domain to samba 4 AD using the samba3upgrade HOWTO at http://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO.
> 
> I was then unable to rejoin the old fileserver to the new AD domain using net ads join, this happened:
> 
> # net ads join -U (myusername.with.domain.admin.rights)
> (typed in password)
> [2012/04/14 17:38:32.744193,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
> Failed to join domain: failed to connect to AD: Server not found in Kerberos database
> 
> In the background it was failing with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
> 
> The problem was the SPN records created from the migration for the new AD domain controller were populated with the name of the old Samba3 domain controller - an example being servicePrincipalName = ldap/oldserver.ad.domain.name. I needed to correct all these to point to the new domain controller's correct name. I used LdapAdmin.exe (Sourceforge) to achieve this, by browsing to OU=Domain Controllers, OU=(my domain controller name), and correcting all wrong servicePrincipalName entries found.
> 
> Once done, the domain join from the samba3 server was successful.

When you upgrade, the server name is kept if you specify it in the
smb.conf with 'netbios name ='.

If you upgraded with the wrong server name, and cannot keep using the
'wrong' name, a re-upgrade would be the safest option, if practical (in
terms of post-upgrade changes).  Otherwise, see the
source4/scripting/bin/renamedc script.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org