[Samba] Samba 4 KVNO mismatch - Failure to join AD domain (Windows & Freenas)

Andrew Bartlett abartlet at samba.org
Wed Apr 4 04:22:10 MDT 2012


On Fri, 2012-03-30 at 00:02 +0300, George Diamantopoulos wrote:
> Hello all,
> 
> I've run into the issue described here:
> http://lists.samba.org/archive/samba-technical/2010-September/073075.html
> 
> To sum it up, I installed samba4 from git on a Debian wheezy system.
> Initially, I was able to join Windows 7 clients to the AD controller.
> However, trying to get FreeNAS 8 to join has been failing. In the end,
> trying to get it to work I changed administrator's password (via
> dsa.msc) which broke AD joining for Windows clients too. KVNO in
> secrets.keytab file has always been "1". Could this mismatch be the
> cause of the failures?
> 
> I rebooted all clients (to get rid of stale tickets) to no avail. The
> only way to fix this was to run the provision script again, but now
> Samba is not very stable (I managed to join the AD domain, but upon
> login I get "The security database on the server does not have a
> computer account for this workstation trust relationship").
> 
> I really don't know where to start. Do you think using Samba from
> Debian SID would be wiser than building from git? Are there any other
> errors in the log I didn't spot? Is KVNO mismatch the reason joining
> fails, or are there more errors?

Samba is best installed from git.  

As to the KVNO mismatch, have you somehow installed a client with the
same name as the server (ADPDC), or attempted to 'join' the server to
itself? That can cause this kind of thing.

Changing the administrator password won't be the issue, but anything
(a join, or a reset with any tool) that changes the machine account
password certainly could update sam.ldb but not the local
secrets.ldb/secrets.keytab.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



