[Samba] Failed to set servicePrincipalNames
Jeremy Nelson
jeremyrnelson at gmail.com
Thu Mar 6 15:30:06 GMT 2008
When trying to execute "net ads join", I was getting the following message:
"Failed to set servicePrincipalNames. Please ensure that the DNS
domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials."
A couple of tips to troubleshoot this problem:
1. Do a kinit username@KERBEROS.REALM so that you can get a ticket
opened and not have to authenticate each time you try this.
2. Make sure that "hostname --fqdn" returns the same fully-qualified
domain name as the account you're trying to add.
3. For me, I had a second line in /etc/hosts that was messing things
up. 127.0.0.1 had the right samba1.domain.com name, but a secondary
interface just had samba1.
4. Add "-d 10" to the command line to print debugging information. I
found the following line:
name_to_fqdn: lookup for SAMBA1 -> SAMBA1.
INSTEAD OF:
name_to_fqdn: lookup for SAMBA1 -> SAMBA1.domain.com.
Which was my clue that even though hostname --fqdn was returning the
right thing (samba1.domain.com), the name_to_fqdn function was getting
a different fqdn returned.
5. I also had to mess with /etc/nsswitch.conf - I previously had hosts
resolving as "files wins dns", and switching to just "files dns" fixed
the problem.
I'd sure love to find some good documentation on hostnames - it seems
that different functions resolve in different ways. In particular,
/etc/hosts is a real mess since it allows fqdn's and non-fqdn's, and
apparently reads the hostname from various addresses belonging to the
local machine. There seems to be something just not right about
having a line 127.0.0.1 hostname hostname.domain.com and then having
the system just pick one to be its hostname.
Also, I should mention for anyone who doesn't know it (you probably
already figured it out if you got here) that Kerberos is
case-sensitive, and at least Windows expects all CAPS for DOMAIN.COM.
Annoying, but I'm sure there's some reason for it...
Anyway, I hope this info saves somebody else the pain I've been through....
Jeremy
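
The two local checks from tips 3 and 5 above, written as an added example that is not part of the original post: it flags /etc/hosts entries whose first (canonical) name for the host is unqualified, and reports whether "wins" appears in the nsswitch hosts lookup order. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline checks for the two local misconfigurations in the post.

# Print "address name" for hosts entries that mention the host but whose first
# (canonical) name is unqualified. $1 = hosts file, $2 = short hostname.
hosts_unqualified_lines() {
    awk -v h="$2" '
        { sub(/#.*/, "") }                      # strip comments
        NF < 2 { next }
        {
            h = tolower(h)
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == h || index(n, h ".") == 1) {
                    if (index($2, ".") == 0) print $1, $2
                    next
                }
            }
        }' "$1"
}

# Print the lookup sources from the "hosts:" line. $1 = nsswitch.conf file.
nsswitch_hosts_sources() {
    awk '{ sub(/#.*/, "") }
         $1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 1 and describe each finding. $1 = hosts, $2 = nsswitch, $3 = host.
prejoin_check() {
    rc=0
    bad=$(hosts_unqualified_lines "$1" "$3")
    [ -z "$bad" ] || { echo "hosts: unqualified canonical name: $bad"; rc=1; }
    case " $(nsswitch_hosts_sources "$2") " in
        *" wins "*) echo "nsswitch: hosts lookup includes wins"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files reproducing the situation described in the post.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '127.0.0.1 samba1.domain.com samba1' \
                  '192.168.0.10 samba1' > "$d/hosts"
    printf '%s\n' 'passwd: files' 'hosts: files wins dns' > "$d/nsswitch.conf"
    prejoin_check "$d/hosts" "$d/nsswitch.conf" samba1 || echo "fix before joining"
    rm -rf "$d"
}
demo
```

On a real machine the call would be `prejoin_check /etc/hosts /etc/nsswitch.conf "$(hostname -s)"`, run before "net ads join".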