[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
Raj Pagaku
rpagaku at ironport.com
Tue Nov 7 22:56:29 GMT 2006

Hello,

We recently upgraded to the latest Samba3 version, v3.0.23c. If the Samba
system and the AD belong to the same domain, I am able to perform a 'net
ads join' by supplying either a 'Domain Admins' or a 'Domain Users'
credential.

However, if the Samba system and the AD belong to different domains, I can
perform the 'net ads join' by supplying a 'Domain Admins' credential but
not a user belonging to 'Domain Users'. If the user belongs only to the
'Domain Users', I get the 'Failed to set servicePrincipalNames' error.

Samba System domain = WGA
AD Server domain = CHILD1.AD.WGA

wsa29:] winbindd -V
Version 3.0.23c

wsa29:] hostname
wsa29.wga

wsa29:] klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: olympus@CHILD1.AD.WGA
Issued           Expires          Principal
Nov 7 14:31:19   Nov 8 00:31:19   krbtgt/CHILD1.AD.WGA@CHILD1.AD.WGA
Nov 7 14:32:07   Nov 8 00:31:19   child1-server$@CHILD1.AD.WGA

wsa29:] cat smb.conf
[global]
   workgroup = CHILD1
   server string = Samba Server
   load printers = yes
   log file = /var/log/samba.log.%m
   lock directory = /var/run/locks
   pid directory = /var/run/locks
   max log size = 100
   security = ads
   password server = child1-server.child1.ad.wga
   realm = CHILD1.AD.WGA
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/lib/smbpasswd
   socket options = TCP_NODELAY
   dns proxy = no
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes

wsa29:] net ads join -s /etc/samba/smb.conf -Uadministrator
administrator's password:
Using short domain name -- CHILD1
Joined 'WSA29' to realm 'CHILD1.AD.WGA'

wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
olympus's password:
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'

Here the user 'administrator' belongs to 'Domain Admins' and the user
'olympus' belongs to 'Domain Users'.

Shouldn't I be able to use a 'Domain Users' account to perform the 'net
ads join' operation in 3.0.23c? Or is this restricted to both Samba
system and AD server being on the same domain?

Thanks in advance
-Raj
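
Added example, not part of the original post and not Samba code: a pre-join check for the condition the error message names, comparing the host's DNS domain with the `realm` set in the [global] section of smb.conf. The function names are hypothetical, and the hostname wsa29.child1.ad.wga in the demo is constructed for contrast with the post's wsa29.wga.

```shell
# Added example (not Samba code): function names are hypothetical and the
# sample smb.conf at the bottom is constructed from the values in the post.

# realm_from_conf FILE: print the 'realm' value from the [global] section.
# Parameter names are matched case-insensitively; '#' and ';' start comments.
realm_from_conf() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t\r]/, "", s); in_global = (s == "[global]"); next }
        in_global {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            if (key != "realm") next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            print val; exit
        }
    ' "$1"
}

# dns_domain_matches_realm FQDN REALM: return 0 when the part of FQDN after
# the first dot equals REALM (case-insensitive), 1 otherwise.
dns_domain_matches_realm() {
    host=${1%.}                       # tolerate a trailing root dot
    case "$host" in
        *.*) dom=${host#*.} ;;
        *)   return 1 ;;              # unqualified name: nothing to compare
    esac
    [ "$(printf '%s' "$dom" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# prejoin_check CONF FQDN: return 0 on match, 1 on mismatch, 2 if no realm set.
prejoin_check() {
    realm=$(realm_from_conf "$1")
    [ -n "$realm" ] || { echo "no realm in [global] of $1"; return 2; }
    if dns_domain_matches_realm "$2" "$realm"; then
        echo "OK: $2 is in the DNS domain of realm $realm"
    else
        echo "MISMATCH: DNS domain of $2 differs from realm $realm"
        return 1
    fi
}

# Demo on constructed input mirroring the post's realm and hostname.
demo_conf=$(mktemp)
printf '[global]\n  workgroup = CHILD1\n  realm = CHILD1.AD.WGA\n' > "$demo_conf"
prejoin_check "$demo_conf" wsa29.wga || true            # MISMATCH
prejoin_check "$demo_conf" wsa29.child1.ad.wga || true  # OK
rm -f "$demo_conf"
```

On a live host the second argument would be the machine's fully qualified name, for example the output of `hostname` as shown in the post.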