[Samba] Trouble Joining Windows 2008R2 Domain with Error 'failed to lookup DC info for domain 'FULLY.QUALIFIED.DOMAIN' over rpc: Access denied'

J. Alexander Jacocks jjacocks at gmail.com
Wed Mar 5 17:15:57 MST 2014


On Wed, Mar 5, 2014 at 7:05 PM, steve <steve at steve-ss.com> wrote:

> On Wed, 2014-03-05 at 18:54 -0500, J. Alexander Jacocks wrote:
> > On Wed, Mar 5, 2014 at 6:45 PM, steve <steve at steve-ss.com> wrote:
> >         On Wed, 2014-03-05 at 18:29 -0500, J. Alexander Jacocks wrote:
> >
> >         For the join, try simply:
> >         krb5.conf:
> >         [libdefaults]
> >                 default_realm = FULLY.QUALIFIED.DOMAIN
> >                 dns_lookup_realm = false
> >                 dns_lookup_kdc = true
> >
> >         with smb.conf:
> >         [global]
> >            workgroup = FULLY
> >            realm = FULLY.QUALIFIED.DOMAIN
> >            security = ads
> >            kerberos method = system keytab
> >
> >         Put the frilly stuff back later.
> >         HTH
> >         Steve
> >
> >         > # cat /etc/krb5.conf
> >
> >         >
> >         > [libdefaults]
> >         >  default_realm = FULLY.QUALIFIED.DOMAIN
> >         >  dns_lookup_realm = false
> >         >  dns_lookup_kdc = false
> >         >  ticket_lifetime = 24h
> >         >  renew_lifetime = 7d
> >         >  forwardable = true
> >
> >
> > Steve,
> >
> > Indeed, I had tried that, but thanks for the suggestion.  I did this,
> > again, just for good measure, and I got the same error:
> >
> >  error_string             : 'failed to lookup DC info for domain 'FULLY.QUALIFIED.DOMAIN' over rpc: Access denied'
> >
> >
> > Does anyone have a clue what Windows 2008 setting might cause that
> > error?  I've searched for almost a whole day, to no avail.
> >
> >
> > Thanks!
> > - Alex
> >
> Phew. Dunno. Firewall, 135 open? Does AD get the fqdn of the centos box?
> Is the fqdn included on the localhost line in /etc/hosts?
>
> Please post to the list, otherwise only I see it.
> HTH
> Steve
>
>
>
Whoops, sorry about that...meant to reply-to-list.

Anyway, I checked all those, as well, and I don't see anything:

# telnet dc1 135
Trying 172.16.50.2...
Connected to dc1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
# nslookup
> server dc1.fully.qualified.domain
Default server: dc1.fully.qualified.domain
Address: 172.16.50.2#53
> dc1.fully.qualified.domain
Server:         dc1.fully.qualified.domain
Address:        172.16.50.2#53

Name:   dc1.fully.qualified.domain
Address: 172.16.50.2
> 172.16.50.2
Server:         dc1.fully.qualified.domain
Address:        172.16.50.2#53

2.50.16.172.in-addr.arpa        name = dc1.fully.qualified.domain.
> scm2.fully.qualified.domain
Server:         dc1.fully.qualified.domain
Address:        172.16.50.2#53

Name:   scm2.fully.qualified.domain
Address: 172.16.50.21
> 172.16.50.21
Server:         dc1.fully.qualified.domain
Address:        172.16.50.2#53

21.50.16.172.in-addr.arpa       name = scm2.fully.qualified.domain.
# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.50.21 scm2.fully.qualified.domain scm2

I've been through the DNS, especially, with a fine-toothed comb, since the
error seems to point at that, but I can't find anything.

Many thanks!
- Alex

