[Samba] Samba AD member join failure - internal error

shash.chatterjee at aol.com shash.chatterjee at aol.com
Mon Aug 1 16:47:13 UTC 2016


I have set up a Samba AD Domain Controller on a fresh Ubuntu 16.04 installation, and at face value it looks to be working. The member joins from two clients are not working: one is another fresh Ubuntu 16.04 install, the other a Mac. The Mac used to join my old server install (which I had done a long time back with Centrify) just fine, but following the same steps it does not join the new server. I have a feeling my issue is on the server side, where I am missing something fundamental, but I need help figuring it out.

Server side setup: http://pastebin.com/hnfZdn7i
Client side setup:  http://pastebin.com/sbPZUAEQ

On the server side, I had to manually create and initialize the Kerberos domain. The only thing unusual is I had to add Kerberos principals manually for "administrator" and "admin/admin".  I did not add a principal for Administrator (with capital "a"), I notice Samba adds that user internally.

On the Ubuntu client/AD Member side, I can kinit and receive principals correctly. However, the "net ads join" fails, as below.
On the Mac client, I get a failure complaining about NTP time sync, but I have ensured that all three machines are syncing off the Ubuntu NTP servers (including the Mac).

When I used to use Unix auth with Samba (prior to Centrify/AD), I used to have to add "machine$" using "useradd -m". I tried adding Samba users with "samba-tool", it didn't help. I wonder if I need to do something similar with Kerberos as well? I tried adding principals to Kerberos, but it didn't help, and I am not sure what the exact format of the principal would be anyway.

Any and all help would be most appreciated!  Please let me know if I can provide more specific logs.


Failure from net join as "Administrator":  http://pastebin.com/KX4u5NLc
Failure from net join as "administrator":  http://pastebin.com/8yrhd735
