[Samba] "Failed to set servicePrincipalNames" join ADS issue.

Linux Addict linuxaddict7 at gmail.com
Tue Oct 28 18:18:03 GMT 2008


vincent.blondel at ing.be wrote:
> Hello all,
>
> I am trying to make one of my solaris server member of our w2k3 ads
> domain. ldap and kerberos packages are installed.
>
> * when I try to get a ticket granting ticket, no problem ... kinit klist
> are all running fine .. below my krb5 config file
>
> # cat /etc/krb5/krb5.conf
>
> [logging]
>     kdc = FILE:/var/log/krb5/krb5kdc.log
>     # admin_server = FILE:/var/log/krb5/kadmind.log
>     default = FILE:/var/log/krb5/krb5libs.log
>
> [libdefaults]
>     default_realm = XXX.XXX
>     default_keytab_name = /etc/krb5/krb5.keytab
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     forwardable = true
>     ticket_lifetime = 24000
>
> [realms]
>     XXX.XXX = {
>         kdc = server1.xxx.xxx:88
>         kdc = server2.xxx.xxx:88
>         default_domain = XXX.XXX
>     }
>
> [domain_realm]
> .xxx.xxx = XXX.XXX
> xxx.xxx = XXX.XXX
>
> [appdefaults]
>     kinit = {
>         renewable = true
>         forwardable= true
>     }
>
> * when I try to run an ldap query through the sasl/gssapi api,
> everything is also working fine. I get the answer to my ldap query
> without giving any password. sasl api takes my kerberos ticket to
> authenticate myself on the ads. Just after receiving the answer to my query, I
> see I also now get an ldap service ticket ... below my ldap config file
>
> # cat /etc/ldap/ldap.conf
>
> BASE    dc=xxx, dc=xxx
> URI     ldap://server1.xxx.xxx:389 ldap://server2.xxx.xxx:389
>
> so this is okay but ... now comes the time to join my server to this ad.
>
> I become root
> kinit myuser
> net ads join createcomputer="BE/Server" .. first of all I get a prompt
> for password .. why ? I do not know why my kerberos ticket is not used
> ??
>
> so I try another way to do it net ads join createcomputer="BE/Server" -U
> admin ... and I get this error message
>
> Using short domain name -- XXXXX
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Deleted account for 'SERVER' in realm 'XXX.XXX'
> Failed to join domain: Type or value exists
>
> this is my samba config file ..
>
> [global]
> security = ADS
> workgroup = XXX
> realm = XXX.XXX
> winbind separator = +
> encrypt passwords = true
>
> I do not really understand the error message. I already have 20 machines
> defined in my ads and used the same procedure as before. the only
> difference is I added the option createcomputer. this one did not exist
> before ( my previous version was 3.0.20 ).
>
> this is the first time I create an account with this version (3.0.32).
> my server is correctly defined in the dns with fqdn
> "myserver.srv.domain.tlddomain.". I checked dns A and PTR, everything is
> coherent.
>
> many thanks to help me going further in this job.
>
> thanks
> Vincent
Usually this error is something to do with the hostname or domain name.
When you do "hostname", what is the output?

Add "-d 10" to the net join command to see what is failing, or post the output.
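The error text itself says what to verify: the DNS domain of the joining host must match the AD realm in smb.conf, otherwise setting the servicePrincipalNames needs Domain Admin rights. The script below is an added example, not code from this thread or from Samba; it implements that comparison as a pre-flight check to run before `net ads join` (or before re-running it with `-d 10`). The hostnames, realm and smb.conf content used in it are constructed placeholders, and it assumes `getent hosts` is available for resolving the host's FQDN (it is on Solaris and Linux; `hostname -f` is deliberately avoided because older Solaris `hostname` treats any argument as a name to set).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or Samba): check that the
# DNS domain of this host's FQDN matches the Kerberos/AD realm in smb.conf,
# which is the condition "Failed to set servicePrincipalNames" asks you to verify.

# Lower-case a string (POSIX tr, no bashisms).
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Domain part of an FQDN with any trailing dot stripped; empty if no dot.
#   fqdn_domain myserver.srv.example.test.  ->  srv.example.test
fqdn_domain() {
    _h=$(printf '%s' "$1" | sed 's/\.$//')
    case "$_h" in
        *.*) printf '%s' "${_h#*.}" ;;
        *)   printf '' ;;
    esac
}

# Return 0 when the FQDN's domain equals the realm (case-insensitive,
# trailing dots ignored), 1 otherwise. A short hostname never matches.
dns_domain_matches_realm() {
    _d=$(lc "$(fqdn_domain "$1")")
    _r=$(lc "$(printf '%s' "$2" | sed 's/\.$//')")
    [ -n "$_d" ] && [ "$_d" = "$_r" ]
}

# Extract the value of "realm = ..." from smb.conf text read on stdin.
# smb.conf keys are case-insensitive, so match REALM/realm/Realm.
realm_from_smbconf() {
    sed -n 's/^[[:space:]]*[Rr][Ee][Aa][Ll][Mm][[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr -d '[:space:]'
}

# Live check for the current host.
#   $1: path to smb.conf (default /etc/samba/smb.conf)
#   $2: FQDN override; when empty it is resolved via getent hosts <hostname>
check_this_host() {
    _conf=${1:-/etc/samba/smb.conf}
    _short=$(hostname)
    _fqdn=${2:-$(getent hosts "$_short" 2>/dev/null | awk '{print $2; exit}')}
    [ -n "$_fqdn" ] || _fqdn=$_short
    _realm=$(realm_from_smbconf < "$_conf")
    printf 'hostname: %s\nfqdn:     %s\nrealm:    %s\n' "$_short" "$_fqdn" "$_realm"
    if dns_domain_matches_realm "$_fqdn" "$_realm"; then
        echo "OK: DNS domain of this host matches the AD realm"
        return 0
    fi
    echo "MISMATCH: DNS domain '$(fqdn_domain "$_fqdn")' != realm '$_realm'"
    echo "net ads join will fail to set the SPN unless run with Domain Admin credentials;"
    echo "fix the host's DNS name/resolv.conf or the realm in smb.conf first."
    return 1
}

# Self-check on constructed sample data (placeholders, not real hosts).
selfcheck() {
    dns_domain_matches_realm 'myserver.srv.example.test' 'SRV.EXAMPLE.TEST' || return 1
    dns_domain_matches_realm 'myserver.srv.example.test' 'EXAMPLE.TEST' && return 1
    dns_domain_matches_realm 'myserver' 'EXAMPLE.TEST' && return 1
    return 0
}

# Run the live check only when explicitly asked, e.g.: sh spncheck.sh --live
if [ "${1:-}" = "--live" ]; then
    check_this_host "${2:-/etc/samba/smb.conf}" "${3:-}"
fi
```

If the script reports a mismatch, the short hostname and FQDN it prints are exactly the values the reply above asks about, and `net ads join -d 10` will show which principal Samba tried to register.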