[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain

ivenhov iwan.daniel at gmail.com
Wed Jun 3 14:29:51 MDT 2015


I reproduced error WERR_DEFAULT_JOIN_REQUIRED in two scenarios:
- user account that is used to join machine to domain is not part of Domain
Admin group.
- OU path for computer (specified in createcomputer) is invalid

In both of those cases I'm getting detailed error messages: 'insufficient
access' and 'invalid path' respectively but on customer site I'm always
getting: 

Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm

instead of a valid error message.

I'm sure krb5.conf is OK because it has exactly the same details as server
with Samba 3.6 (which could join domain).
smb.conf has security = ads and correct realm.

I can resolve DNS name of the KDC and AD. Reverse lookup is also OK.
Time is correct on the server and is synced with NTP server.

But I still cannot join it to domain. Most recent error I get:


saf_store: domain = [MYNAT], server = [BGB48DC1001.mynat.myco.bcu], expire = [1433259373]
Adding cache entry with key=[SAF/DOMAIN/MYNAT] and timeout=[Tue Jun  2 15:36:13 2015 UTC] (900 seconds ahead)
tdb_traverse with wipe_fn on gencache_notrans.tdb failed: Success
saf_store: domain = [mynat.myco.bcu], server = [BGB48DC1001.mynat.myco.bcu], expire = [1433259373]
Adding cache entry with key=[SAF/DOMAIN/MYNAT.MYCO.BCU] and timeout=[Tue Jun  2 15:36:13 2015 UTC] (900 seconds ahead)
tdb_traverse with wipe_fn on gencache_notrans.tdb failed: Success
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
ads_sasl_spnego_krb5_bind failed with:  Miscellaneous failure (see text) : Did not find a plugin for ccache_ops, calling kinit
kerberos_kinit_password: as wal-sa-omtest at MYNAT.MYCO.BCU using [MEMORY:net_ads] as ccache and config [/var/cache/samba/smb_krb5/krb5.conf.MYNAT]


kerberos_kinit_password wal-sa-omtest at MYNAT.MYCO.BCU failed: Cannot contact any KDC for requested realm
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'MYNAT'
            dns_domain_name          : 'mynat.myco.bcu'
            forest_name              : 'myco.bcu'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-73586283-854245398-682003330
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Cannot contact any KDC for requested realm'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
return code = -1

I also get the same error on ubuntu 14.04 with Sernet Samba 4.2.2

Any help appreciated
D.
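
Added example, not part of the original post: the debug log above names the krb5 configuration the failing kinit read (`/var/cache/samba/smb_krb5/krb5.conf.MYNAT`), so this Python script pulls that path from a saved log, lists the file's `kdc =` entries and tests TCP port 88 on each. It assumes standard krb5.conf `kdc = host[:port]` lines; the function names are hypothetical, and Kerberos over UDP is not tested.

```python
import re
import socket
import sys
from pathlib import Path

# The kinit line from the post's debug log (the list archive shows "@" as " at ").
SAMPLE_LOG = """kerberos_kinit_password: as wal-sa-omtest at MYNAT.MYCO.BCU using
[MEMORY:net_ads] as ccache and config
[/var/cache/samba/smb_krb5/krb5.conf.MYNAT]"""
KINIT_RE = re.compile(
    r"kerberos_kinit_password: as (\S+)(?:@|\s+at\s+)(\S+)\s+using\s+"
    r"\[([^\]]+)\]\s+as\s+ccache\s+and\s+config\s+\[([^\]]+)\]")
KDC_RE = re.compile(r"^\s*kdc\s*=\s*(\S+)", re.MULTILINE)

def kinit_attempt(log_text):
    """Return principal, realm, ccache and config path of the kinit, or None."""
    m = KINIT_RE.search(log_text)
    keys = ("principal", "realm", "ccache", "config")
    return dict(zip(keys, m.groups())) if m else None

def kdc_endpoints(krb5_conf_text):
    """Return (host, port) for each `kdc =` line; the port defaults to 88."""
    endpoints = []
    for value in KDC_RE.findall(krb5_conf_text):
        if value.startswith("["):            # [v6addr] or [v6addr]:port
            host, _, rest = value[1:].partition("]")
            port = rest.lstrip(":")
        elif value.count(":") == 1:          # host:port
            host, _, port = value.partition(":")
        else:                                # bare host name or address
            host, port = value, ""
        endpoints.append((host, int(port) if port.isdigit() else 88))
    return endpoints

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    log = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOG
    attempt = kinit_attempt(log)
    print(attempt)
    if attempt and Path(attempt["config"]).is_file():
        for host, port in kdc_endpoints(Path(attempt["config"]).read_text()):
            print(host, port, "open" if tcp_reachable(host, port) else "NOT reachable")
```

Run it on the joining host with the saved debug output as its argument; reading the file under `/var/cache/samba` may require root.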


