Problem with joining a Samba3 box as a member to an upgraded Samba4 AD domain

Andrew Bartlett abartlet at samba.org
Thu Apr 19 17:32:26 MDT 2012 

On Sat, 2012-04-14 at 17:58 +1200, Andrew Walters wrote:
> > From: "Ricky Nance" <ricky.nance at weaubleau.k12.mo.us>
> 
> > "My next challenge is to migrate over a Samba 3 + LDAP domain to AD
> > at another school." Check out this wiki
> > http://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO ,
> > hopefully it has everything you need to get that done, if its
> > missing something, or you just need help, let us (the list) know.
> > You will likely need alpha 17 (possibly 18) as the samba3upgrade
> > command wasn't added before that.
> 
> 
> Well, I've hit a snag I can't get past and I need help!
> 
> I've made it through several other snags to do with migration (a duplicate SID, missing account flags, changing group names where they match user names, some fun with DNS) but this one's got me.
> 
> I have Samba4 tucked in /srv/adsrv which is fine, and it is configured to listen on a specific IP address. I have reconfigured Samba3 to listen on a different IP (it's to provide file and print sharing, keeping nice things like %U in the home share name etc).
> 
> The Samba4 server name is dc.ad.domain.name (as in Domain Controller) and the Samba3 server is fs.ad.domain.name (as in File Server.
> 
> When it comes to joining the Samba3 service to the AD domain it fails with:
> 
> # net ads join -U (myusername)
> (typed in password)
> [2012/04/14 17:38:32.744193,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
> Failed to join domain: failed to connect to AD: Server not found in Kerberos database
> 
> My username has inherited Domain Admin membership from the old domain and can successfully be used to join a test Windows XP box. This test Windows XP workstation joins without any complaints, and I can log in with my domain account and browse/change the directory with dsa.msc on it fine.
> 
> Using Wireshark I've found that the Samba4 server comes back to the Samba3 "net ads join..." with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for the principal ldap/dc.ad.domain.name.

When you upgraded, what netbios name were you using?  This could happen
if what you have have set the netbios name in the smb.conf at upgrade
time doesn't match what you put into your zone file manually.  Find out
what Samba4 thinks it's full DNS name is, and ensure that is in your DNS
etc.

Or, try the upgrade against with BIND 9.8 or 9.8 and bind_dlz, as that
is what we require these days (until we get the internal dns server
finished, when that will be another option).

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list