[Samba] Joining ADS: undocumented error

pablo at compugenic.com pablo at compugenic.com
Mon Nov 24 06:44:49 GMT 2008


On Mon, Nov 24, 2008 at 03:47:52AM +0100, Alessandro Baretta wrote:
> Hi everyone,
>
> I am trying to set up a file server on Linux for Windows XP boxes in a  
> Windows Server 2003 environment. I followed an excellent tutorial on  
> Samba and ADS, which I recommend to all newbies like myself:  
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081.  
> Kerberos authentication seems to succeed, and apparently there is  
> nothing wrong with my smb.conf file, yet when I try to add the server to  
> the ADS I get the following error message: "Failed to join domain:  
> Invalid configuration and configuration modification was not requested".  
> This error seems to be undocumented: I have found nothing either on  
> Google or on the samba.org site.
>
> Here's a transcript of a shell session showing this error.
>
>
> samba:~# kinit
> Password for Administrator at ARM.PRIV: <--- Authentication succeeds
> samba:~# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[fileserver]"
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>    workgroup = ARM.PRIV
>    realm = ARM.PRIV
>    server string = File server avanzato
>    security = ADS
>    log level = 3
>    syslog = 0
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    panic action = /usr/share/samba/panic-action %d
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>
> [homes]
>    comment = Home Directories
>    valid users = %S
>    create mask = 0700
>    directory mask = 0700
>    browseable = No
>
> [fileserver]
>    comment = Cartelle condivise
>    path = /var/samba
>    read only = No
>    create mask = 0700
>
> [printers]
>    comment = All Printers
>    path = /var/spool/samba
>    create mask = 0700
>    printable = Yes
>    browseable = No
>
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
> samba:~# net ads join -U administrator
> Enter administrator's password:
> Failed to join domain: Invalid configuration and configuration  
> modification was not requested
>                        
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> If I mistype the password I get a different error message:
> samba:~# net ads join -U administrator%wrongpassword
> Failed to join domain: failed to lookup DC info for domain 'ARM.PRIV'  
> over rpc: Logon failure
>
>
> Can anyone help me?
>
> -- 
> Alessandro Baretta
>
> World Family of Radio Maria
> http://www.radiomaria.org/
>
> tel. +39 0332 228 150
> fax. +39 0332 222 411
> cel. +39 335 830 3189
> skype alex.baretta
> ekiga alexbaretta at ekiga.net
>

Alessandro,

I was able to reproduce your problem on my virtual machines. By that I
mean that in trying to join a 2003 domain in ADS mode, I get the exact
same error as you.

I was able to solve it as explained below.  Keep in mind that the same
error may be caused by different problems.  

My test domain name is 'DOMAIN', and my realm is 'DOMAIN.COM'.  

Setting either of the 2 following lines caused the error indicated:
workgroup   = DOMAIN.COM
or
realm       = DOMAIN

Setting as follows, I joined the domain no problem.
workgroup   = DOMAIN
realm       = DOMAIN.COM

So it appears the domain name is the leftmost portion of the REALM, and
the REALM must be the entire name.  Anything else will fail.

So try changing your workgroup line setting it as follows:
workgroup = ARM

I believe you will then be able to join samba to the 2003 domain.

Give it a shot and let me know.

--
Pablo
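
A pre-join check for the workgroup/realm mismatch described in the reply above, added here as an example and not part of the original thread or of Samba itself. The function names and the sample file are constructed for illustration; the leftmost-label comparison follows the reply's observation and is reported only as a warning.

```shell
# Added example: sanity-check [global] workgroup/realm before "net ads join".

# Print the last value of a [global] parameter from an smb.conf-style file.
global_param() {  # $1 = file, $2 = parameter name (lowercase, no spaces)
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/ {                             # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global {
            eq = index($0, "="); if (!eq) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }
    ' "$1"
}

# Returns 0 = consistent, 1 = will likely fail the join, 2 = missing, 3 = warning.
check_ads_names() {  # $1 = path to smb.conf
    wg=$(global_param "$1" workgroup | tr '[:lower:]' '[:upper:]')
    realm=$(global_param "$1" realm | tr '[:lower:]' '[:upper:]')
    if [ -z "$wg" ] || [ -z "$realm" ]; then
        echo "MISSING: set both workgroup and realm in [global]"; return 2
    fi
    case $wg in
        *.*) echo "BAD: workgroup '$wg' is a DNS-style name; use the short domain name"; return 1 ;;
    esac
    case $realm in
        *.*) ;;
        *) echo "BAD: realm '$realm' is not the full Kerberos realm"; return 1 ;;
    esac
    # Assumption from the reply: short name equals the realm's leftmost label.
    # A site can assign a different short name, so this is only a warning.
    if [ "$wg" != "${realm%%.*}" ]; then
        echo "WARN: workgroup '$wg' differs from leftmost label of '$realm'"; return 3
    fi
    echo "OK: workgroup=$wg realm=$realm"; return 0
}

# Constructed sample using the values quoted in the thread.
sample=$(mktemp)
printf '[global]\n   workgroup = ARM.PRIV\n   realm = ARM.PRIV\n   security = ADS\n' > "$sample"
check_ads_names "$sample" || true
rm -f "$sample"
```

Run it against the real file with `check_ads_names /etc/samba/smb.conf` before attempting the join.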
