[Samba] Problems joining a domain with a large number of DCs

Eric Diven eric.diven at edsiohio.com
Tue Nov 4 22:59:25 GMT 2008

I'm having issues joining Samba to a domain with a large number of
domain controllers.  The domain is a mixed Windows 2003/Windows 2008
domain.  The Samba server is Solaris 10 update 5 running on SPARC.

I have a custom Samba build of Samba 3.0.28 on the server because we
need Tobi Oetiker's samfs patch.  Because of the issue that version has
with passwords longer than eight characters on Solaris, I've also built
Samba 3.0.24 for using net to join the domain.

Using net from 3.0.24, I'm able to join the domain in the customary net
ads join -U user@DOMAIN.COM way.  A Windows admin confirms that the
account is created in Active Directory, and that it's enabled.  When I
net ads testjoin, however, it fails with the following error:

[2008/11/04 15:39:50, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
[2008/11/04 15:39:50, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password HOUSSFSFL002P$@CORP.DVN.COM failed:
Preauthentication failed
Join to domain is not valid: Logon failure

Some googling around suggested that this might be caused by
inconsistencies in the information in the DCs on a large domain, so I
followed the suggestion to remove the machine account completely, create
it by hand, manually synch the DCs, and then try.  Various invocations
of net ads join caused account disablement and the same error as above.

Digging further into the Kerberos error, I can kinit a user on the
domain without difficulty, and when I subsequently klist, I see some
tickets.  I can kdestroy and kinit, and tickets reappear.

Could anybody suggest what else I should look at?  Is this a Kerberos
issue, a Samba issue with caching the credentials, or something else?



Here's the stuff net pulls from the config file when it runs:

[2008/11/04 15:39:29, 3] param/loadparm.c:do_section(3778)
  Processing section "[global]"
  doing parameter aio read size = 1
  doing parameter aio write size = 1
  doing parameter workgroup = FOO
  doing parameter server string = MSR Server
  doing parameter security = ADS
  doing parameter log file = /var/samba/log/log.%m
  doing parameter max log size = 50
  doing parameter password server = server1 server2 server3
  doing parameter realm = FOO.DOMAIN.COM
  doing parameter passdb backend = smbpasswd
  doing parameter preferred master = no
  doing parameter dns proxy = no
  doing parameter encrypt passwords = yes
  doing parameter winbind separator = +
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = no
  doing parameter winbind enum groups = no
  doing parameter idmap uid = 10000-20000
  doing parameter idmap gid = 10000-20000

I'll post logs if people want to see 'em.
