[Samba] Samba 4 KVNO mismatch - Failure to join AD domain (Windows & Freenas)

George Diamantopoulos georgediam at gmail.com
Thu Apr 5 16:08:30 MDT 2012

On Wed, Apr 4, 2012 at 1:22 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2012-03-30 at 00:02 +0300, George Diamantopoulos wrote:
>> Hello all,
>> I've run into the issue described here:
>> http://lists.samba.org/archive/samba-technical/2010-September/073075.html
>> To sum it up, I installed samba4 from git on a debian wheezy system.
>> Initially, I was able to join Windows 7 clients to the AD controller.
>> However, trying to get freenas 8 to join has been failing. In the end,
>> trying to get it to work I changed administrator's password (via
>> dsa.msc) which broke AD joining for windows clients too. KVNO in
>> secrets.keytab file has always been "1". Could this mismatch be the
>> cause of the failures?
>> I rebooted all clients (to get rid of stale tickets) to no avail. The
>> only way to fix this was to run the provision script again, but now
>> samba is not very stable (I managed to join the AD domain, but upon
>> login I get The security database on the server does not have a
>> computer account for this workstation trust relationship).
>> I really don't know where to start. Do you think using samba from
>> debian SID would be wiser than building from git? Are there any other
>> errors in the log I didn't spot? Is KVNO mismatch the reason joining
>> fails, or are there more errors?
> Samba is best installed from git.
> As to the KVNO mismatch, have you somehow installed a client with the
> same name as the server (ADPDC), or attempted to 'join' the server to
> itself? That can cause this kind of thing.
> Changing the administrator password won't be the issue, but if anything
> (a join, or reset with any tool) of the machine account password
> certainly could update sam.ldb but not the local
> secrets.ldb/secrets.keytab.
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

Thanks for the reply.

That might have been the case, after all. FreeNAS AD Web Config has a
non-intuitive field called "Host Name (NetBIOS-Name)" where I put
ADPDC in at first, then changed it to freenas. I've reinstalled
everything on clean VMs now and it seems to be working.

User authentication on computers I had previously joined to the domain
however is a little tricky now (for example, I need to explicitly set
NT style domain in the username field such as SYNDOM\Administrator in
order for login to work), but I've been changing so many settings I
might have caused this. I guess I'll have to reinstall Windows on
them. When FreeNAS authenticates, I get "Selected protocol [8][NT
LANMAN 1.0]" on the samba4 console, and freenas logs print "freenas
freenas: Using short domain name -- SYNDOM".

On a side note, isn't the samba4 server supposed to join itself to the
AD domain when running the provision script? At least that's what I
get on STDOUT after running provision...

It now seems I've run into this bug, though:
http://support.freenas.org/ticket/1135 (which has a won't fix status
from FreeNAS devs). It's a pity because samba4 and FreeNAS integration
can prove very useful in some situations.
There are not many references to this online, however. I think I
spotted a discussion somewhere between a samba developer (I can't
remember who it was) and a user (not sure either) where it was
mentioned that it's most probably a samba 3/4 incompatibility issue
and that it wouldn't be too hard to fix. Unfortunately I have been
unable to find more information on this matter, and whether this .


More information about the samba mailing list