[Samba] Samba 4 KVNO mismatch - Failure to join AD domain (Windows & Freenas)

Andrew Bartlett abartlet at samba.org
Wed Apr 4 04:22:10 MDT 2012

On Fri, 2012-03-30 at 00:02 +0300, George Diamantopoulos wrote:
> Hello all,
> I've run into the issue described here:
> http://lists.samba.org/archive/samba-technical/2010-September/073075.html
> To sum it up, I installed samba4 from git on a debian wheezy system.
> Initially, I was able to join Windows 7 clients to the AD controller.
> However, trying to get freenas 8 to join has been failing. In the end,
> trying to get it to work I changed administrator's password (via
> dsa.msc) which broke AD joining for windows clients too. KVNO in
> secrets.keytab file has always been "1". Could this mismatch be the
> cause of the failures?
> I rebooted all clients (to get rid of stale tickets) to no avail. The
> only way to fix this was to run the provision script again, but now
> samba is not very stable (I managed to join the AD domain, but upon
> login I get The security database on the server does not have a
> computer account for this workstation trust relationship).
> I really don't know where to start. Do you think using samba from
> debian SID would be wiser than building from git? Are there any other
> errors in the log I didn't spot? Is KVNO mismatch the reason joining
> fails, or are there more errors?

Samba is best installed from git.  

As to the KVNO mismatch, have you somehow installed a client with the
same name as the server (ADPDC), or attempted to 'join' the server to
itself? That can cause this kind of thing.

Changing the administrator password won't be the issue, but if anything
(a join, or reset with any tool) of the machine account password
certainly could update sam.ldb but not the local

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list