[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames

Raj Pagaku rpagaku at ironport.com
Thu Nov 9 00:25:12 GMT 2006


I tried the suggested solution and I still run into the same issue. (Further searching in the Samba list led me to another thread where the same solution was proposed; I don't know whether that worked for the thread originator.)

wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
olympus's password:
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'

After I execute the above command, I see that my system is listed in the AD server 'Computer' list but has a red 'x' symbol to indicate that it is disabled.

However if I execute the command 'net ads status -s /etc/samba/smb.conf -Uolympus' after the 'net ads join' command, I am able to retrieve status information properly.

-Raj

> -----Original Message-----
> From: Jean-Vincent BAYARRI [mailto:bayarri at lcpc.fr]
> Sent: Wednesday, November 08, 2006 12:22 AM
> To: Raj Pagaku
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set
> servicePrincipalNames
> 
> Hi,
> 
> I also run FreeBSD 6.1 (and also experience a lot of trouble with
> version 3.0.23c...)
> 
> For your problem you should check your /etc/hosts.
> It must have the "CHILD1.AD.WGA" as fqdn for your IP like this:
> 
> xxx.xxx.xxx.xxx	CHILD1.AD.WGA	CHILD1 alias1 alias2 ... aliasN
> 
> On Tue, Nov 07, 2006 at 02:56:29PM -0800, Raj Pagaku wrote:
> > Hello,
> >
> > We recently upgraded to the latest Samba3 version v3.0.23c. If the Samba
> > system and the AD belong to the same domain, I am able to perform a 'net
> > ads join' by supplying either a 'Domain Admins' or a 'Domain Users'
> > credential.
> >
> > However, if the Samba system and the AD belong to different domains, I can
> > perform the 'net ads join' by supplying a 'Domain Admins' credential but
> > not a user belonging to 'Domain Users'.  If the user belongs only to the
> > 'Domain Users', I get the 'Failed to set servicePrincipalNames' error.
> >
> > Samba System domain = WGA
> > AD Server domain = CHILD1.AD.WGA
> >
> > wsa29:] winbindd -V
> > Version 3.0.23c
> >
> > wsa29:] hostname
> > wsa29.wga
> >
> > wsa29:] klist
> > Credentials cache: FILE:/tmp/krb5cc_0
> >         Principal: olympus at CHILD1.AD.WGA
> >
> >   Issued           Expires          Principal
> > Nov  7 14:31:19  Nov  8 00:31:19  krbtgt/CHILD1.AD.WGA at CHILD1.AD.WGA
> > Nov  7 14:32:07  Nov  8 00:31:19  child1-server$@CHILD1.AD.WGA
> >
> > wsa29:] cat smb.conf
> > [global]
> >    workgroup = CHILD1
> >    server string = Samba Server
> >    load printers = yes
> >    log file = /var/log/samba.log.%m
> >    lock directory = /var/run/locks
> >    pid directory = /var/run/locks
> >    max log size = 100
> >    security = ads
> >    password server = child1-server.child1.ad.wga
> >    realm = CHILD1.AD.WGA
> >    encrypt passwords = yes
> >    smb passwd file = /usr/local/samba/lib/smbpasswd
> >    socket options = TCP_NODELAY
> >    dns proxy = no
> >    winbind uid = 10000-20000
> >    winbind gid = 10000-20000
> >    winbind enum users = yes
> >    winbind enum groups = yes
> >
> > wsa29:] net ads join -s /etc/samba/smb.conf -Uadministrator
> > administrator's password:
> > Using short domain name -- CHILD1
> > Joined 'WSA29' to realm 'CHILD1.AD.WGA'
> >
> > wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
> > olympus's password:
> > Using short domain name -- CHILD1
> > Failed to set servicePrincipalNames. Please ensure that
> > the DNS domain of this server matches the AD domain,
> > Or rejoin with using Domain Admin credentials.
> > Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'
> >
> > Here the user 'administrator' belongs to 'Domain Admins' and the user
> > 'olympus' belongs to 'Domain Users'.
> >
> > Shouldn't I be able to use a 'Domain Users' account to perform the 'net
> > ads join' operation in 3.0.23c? Or is this restricted to both Samba
> > system and AD server being on the same domain?
> >
> > Thanks in advance
> >
> > -Raj
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
> --
> **************************************************************************
> *
> * Jean-Vincent BAYARRI                         Systems & network engineer
> *
> * Service Informatique         Laboratoire Central des Ponts et Chaussées
> *
> * 58, boulevard Lefebvre                             75732 PARIS CEDEX 15
> *
> * Tel 01 40 43 51 70                                   Fax 01 56 56 16 99
> *
> **************************************************************************
> *
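
The join error quoted in this thread asks that the server's DNS domain match the AD domain. A pre-join check of that condition follows as an added example; it is not part of the original posts or of Samba. The function names are hypothetical, and the check compares only the two strings (the domain part of the host name and the `realm` value in smb.conf); it does not reproduce Samba's internal logic.

```shell
#!/bin/sh
# Added example: pre-join check of the condition named in the error text,
# "the DNS domain of this server matches the AD domain".
# Function names are hypothetical; they are not part of Samba.

# Print the "realm" value from the [global] section of an smb.conf file.
smbconf_realm() {
    awk '
        /^[ \t]*\[/ {                        # section header line
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && /^[ \t]*realm[ \t]*=/ { # realm = VALUE
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            print; exit
        }
    ' "$1"
}

# Return 0 if the DNS domain of FQDN equals the realm (case-insensitive),
# 1 on mismatch, 2 if the FQDN has no domain part or no realm is configured.
dns_domain_matches_realm() {
    fqdn=$1
    conf=$2
    realm=$(smbconf_realm "$conf" | tr '[:upper:]' '[:lower:]')
    case $fqdn in
        *.*) domain=$(printf '%s' "${fqdn#*.}" | tr '[:upper:]' '[:lower:]') ;;
        *)   domain= ;;
    esac
    domain=${domain%.}                       # tolerate a trailing root dot
    [ -n "$realm" ] && [ -n "$domain" ] || return 2
    [ "$domain" = "$realm" ]
}
```

Run as `dns_domain_matches_realm "$(hostname)" /etc/samba/smb.conf` before `net ads join`. With the values posted in the thread (host `wsa29.wga`, realm `CHILD1.AD.WGA`) it returns 1, the mismatch the error message refers to.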

