[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames

Jean-Vincent BAYARRI bayarri at lcpc.fr
Wed Nov 8 08:21:51 GMT 2006


Hi,

I also run FreeBSD 6.1 (and also experience a lot of trouble with
version 3.0.23c...)

For your problem you should check your /etc/hosts.
It must have the "CHILD1.AD.WGA" as fqdn for your IP like this:

xxx.xxx.xxx.xxx	CHILD1.AD.WGA	CHILD1 alias1 alias2 ... aliasN

On Tue, Nov 07, 2006 at 02:56:29PM -0800, Raj Pagaku wrote:
> Hello,
> 
> We recently upgraded to the latest Samba3 version v3.0.23c. If the Samba
> system and the AD belong to the same domain, I am able to perform a 'net
> ads join' by supplying either a 'Domain Admins' or a 'Domain Users'
> credential.
> 
> However if the Samba system and the AD belong to different domain, I can
> perform the 'net ads join' by supplying a 'Domain Admins' credential but
> not a user belonging to 'Domain Users'.  If the user belongs only to the
> 'Domain Users', I get the 'Failed to set servicePrincipalNames' error.
> 
> Samba System domain = WGA
> AD Server domain = CHILD1.AD.WGA
> 
> wsa29:] winbindd -V
> Version 3.0.23c
> 
> wsa29:] hostname
> wsa29.wga
> 
> wsa29:] klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: olympus@CHILD1.AD.WGA
> 
>   Issued           Expires          Principal
> Nov  7 14:31:19  Nov  8 00:31:19  krbtgt/CHILD1.AD.WGA@CHILD1.AD.WGA
> Nov  7 14:32:07  Nov  8 00:31:19  child1-server$@CHILD1.AD.WGA
> 
> wsa29:] cat smb.conf
> [global]
>    workgroup = CHILD1
>    server string = Samba Server
>    load printers = yes
>    log file = /var/log/samba.log.%m
>    lock directory = /var/run/locks
>    pid directory = /var/run/locks
>    max log size = 100
>    security = ads
>    password server = child1-server.child1.ad.wga
>    realm = CHILD1.AD.WGA
>    encrypt passwords = yes
>    smb passwd file = /usr/local/samba/lib/smbpasswd
>    socket options = TCP_NODELAY
>    dns proxy = no
>    winbind uid = 10000-20000
>    winbind gid = 10000-20000
>    winbind enum users = yes
>    winbind enum groups = yes
> 
> wsa29:] net ads join -s /etc/samba/smb.conf -Uadministrator
> administrator's password:
> Using short domain name -- CHILD1
> Joined 'WSA29' to realm 'CHILD1.AD.WGA'
> 
> wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
> olympus's password:
> Using short domain name -- CHILD1
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'
> 
> Here the user 'administrator' belongs to 'Domain Admins' and the user
> 'olympus' belongs to 'Domain Users'.
> 
> Shouldn't I be able to use a 'Domain Users' account to perform the 'net
> ads join' operation in 3.0.23c? Or is this restricted to both Samba
> system and AD server being on the same domain?
> 
> Thanks in advance
> 
> -Raj

-- 
***************************************************************************
* Jean-Vincent BAYARRI                         Systems & Network Engineer *
* Service Informatique         Laboratoire Central des Ponts et Chaussées *
* 58, boulevard Lefebvre                             75732 PARIS CEDEX 15 *
* Tel 01 40 43 51 70                                   Fax 01 56 56 16 99 *
***************************************************************************
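
The /etc/hosts check suggested in this reply can be scripted before attempting the join. The following is an added example, not part of the original message or of Samba: it assumes the requirement is the one the quoted error text states (the server's DNS domain must match the AD realm), and the name `wsa29.child1.ad.wga`, the address 192.0.2.10 and the function `check_spn_domain` are constructed for illustration.

```shell
#!/bin/sh
# check_spn_domain HOSTS_FILE SHORT_NAME REALM
# Prints the canonical (first) name the hosts file gives for SHORT_NAME.
# Returns 0 when that name's DNS domain equals REALM (case-insensitive),
# 1 when it differs, 2 when the host has no entry at all.
check_spn_domain() {
    hosts_file=$1 short=$2 realm=$3
    awk -v short="$short" -v realm="$realm" '
        BEGIN { short = tolower(short); realm = tolower(realm); rc = 2 }
        {
            sub(/#.*/, "")           # drop comments
            if (NF < 2) next         # need an address and at least one name
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                # match the bare host name or any name beginning "short."
                if (name == short || index(name, short ".") == 1) {
                    canon = tolower($2)   # first name on the line is canonical
                    dot = index(canon, ".")
                    domain = dot ? substr(canon, dot + 1) : ""
                    print canon
                    rc = (domain == realm) ? 0 : 1
                    exit
                }
            }
        }
        END { exit rc }
    ' "$hosts_file"
}

# Constructed sample: the host from the thread, resolving only in the WGA domain.
sample=$(mktemp)
printf '192.0.2.10\twsa29.wga\twsa29\n' > "$sample"
check_spn_domain "$sample" wsa29 CHILD1.AD.WGA ||
    echo "DNS domain of this host does not match realm CHILD1.AD.WGA"

# Same host after the canonical name is moved into the realm's DNS domain.
printf '192.0.2.10\twsa29.child1.ad.wga\twsa29\n' > "$sample"
check_spn_domain "$sample" wsa29 CHILD1.AD.WGA && echo "hosts entry matches realm"
rm -f "$sample"
```

On a real system, pass `/etc/hosts`, the output of `hostname -s` and the `realm` value from smb.conf.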