[Samba] "Failed to set servicePrincipalNames" join ADS issue.

vincent.blondel at ing.be vincent.blondel at ing.be
Tue Oct 28 11:44:56 GMT 2008

Hello all,

I am trying to make one of my solaris server member of our w2k3 ads
domain. ldap and kerberos packages are installed.

* when I try to get a ticket granting ticket, no problem ... kinit klist
are all running fine .. below my krb5 config file

# cat /etc/krb5/krb5.conf

    kdc = FILE:/var/log/krb5/krb5kdc.log
    # admin_server = FILE:/var/log/krb5/kadmind.log
    default = FILE:/var/log/krb5/krb5libs.log

    default_realm = XXX.XXX
    default_keytab_name = /etc/krb5/krb5.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true
    ticket_lifetime = 24000

    XXX.XXX = {
        kdc = server1.xxx.xxx:88
        kdc = server2.xxx.xxx:88
        default_domain = XXX.XXX

.xxx.xxx = XXX.XXX
xxx.xxx = XXX.XXX

    kinit = {
        renewable = true
        forwardable= true

* when I try to run an ldap query through the sasl/gssapi api,
everything is also working fine. I get the answer to my ldap query
without giving any password. sasl api takes my kerberos ticket to
authentify myself on the ads. Just after receiving answer to my query, I
see I also no get a ldap service ticket ... below my ldap config file

# cat /etc/ldap/ldap.conf

BASE    dc=xxx, dc=xxx
URI     ldap://server1.xxx.xxx:389 ldap://server2.xxx.xxx:389

so this is okay but ... now comes the time to join my server to this ad.

I become root
kinit myuser
net ads join createcomputer="BE/Server" .. first of all I get a prompt
for password .. why ? I do not know why my kerberos ticket is not used

so I try another way to do it net ads join createcomputer="BE/Server" -U
admin ... and I get this error message

Using short domain name -- XXXXX
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'SERVER' in realm 'XXX.XXX'
Failed to join domain: Type or value exists

this is my samba comfig file ..

security = ADS
workgroup = XXX
realm = XXX.XXX
winbind separator = +
encrypt passwords = true

I do not really understand the error message. I always get 20 machines
defined in  my ads and uses the same procedure as before. the only
difference is I added option createcomputer. this one did not exist
before ( my previous version was 3.0.20 ).

this is the first time I create an account with this version (3.0.32).
my server is correctly defined in the dns with fqdn
"myserver.srv.domain.tlddomain.". I checked dns A and PTR, everything is

many thanks to help me going further in this job.

The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.

More information about the samba mailing list