[Samba] samba on solaris 11 can no longer join Windows AD domain
Gaeseric Vandal
gaiseric.vandal at gmail.com
Tue Sep 19 02:45:04 UTC 2017
I would like to move my Samba file server (Samba 4.4.14 on Solaris 11) from
a classic domain into an Active Directory domain. The active directory
domain has one Win 2008 directory server / domain controller, and one Win
2012 R2 DS. E-mail, among other things, depends on a Microsoft AD
backend.
A few months ago I was able to join a test server to the AD domain. Today
I tried joining a second one, but without success.
testmachine1# net ads join -U Administrator at mydomain.com
Enter Administrator at mydomain.com's password:
Failed to join domain: Failed to set machine spn: Time limit exceeded
Do you have sufficient permissions to create machine accounts?
I thought I might not have replicated the configuration properly, so I
tried it on the first test server and got the same error.
The event log on the AD DS shows
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 9/18/2017 10:01:27 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DS1.mydomain.com
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 2:1:27.0000 9/19/2017 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: MYDOMAIN.COM
Server Name: DS1.mydomain.com
Target Name: DS1.mydomain.com@MYDOMAIN.COM
I have applied patches to the Windows servers over the last few months,
but I can't think of any significant changes on the Windows side.
I have copied and pasted partial output of `testparm -v` below.
root at testmachine1:~# testparm -v
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
bind interfaces only = No
config backend = file
dos charset = CP850
enable core files = Yes
interfaces =
multicast dns register = Yes
netbios aliases =
netbios name = ZION
netbios scope =
realm = SSCI.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, dns
server string = Samba Server Version %v
share backend = classic
unix charset = UTF-8
workgroup = SSCI
browse list = Yes
domain master = No
enhanced browsing = Yes
lm announce = Auto
lm interval = 60
local master = Yes
os level = 20
preferred master = Auto
allow dns updates = secure only
dns forwarder =
dns update command = /usr/lib/samba/sbin/samba_dnsupdate
machine password timeout = 604800
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
spn update command = /usr/lib/samba/sbin/samba_spnupdate
mangle prefix = 1
mangling method = hash2
max stat cache size = 256
stat cache = Yes
client ldap sasl wrapping = plain
.
cldap port = 389
client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = CORE
client use spnego = Yes
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
defer sharing violations = Yes
dgram port = 138
disable netbios = No
enable asu support = No
eventlog list =
large readwrite = Yes
max mux = 50
max ttl = 259200
max wins ttl = 518400
max xmit = 16644
min receivefile size = 0
min wins ttl = 21600
name resolve order = lmhosts wins host bcast
nbt port = 137
nt pipe support = Yes
nt status support = Yes
read raw = Yes
rpc big endian = No
server max protocol = SMB3
server min protocol = LANMAN1
server multi channel support = No
.
name resolve order = lmhosts wins host bcast
nbt port = 137
nt pipe support = Yes
nt status support = Yes
read raw = Yes
rpc big endian = No
server max protocol = SMB3
server min protocol = LANMAN1
server multi channel support = No
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smb ports = 445 139
svcctl list =
time server = No
unicode = Yes
unix extensions = Yes
use spnego = Yes
web port = 901
write raw = Yes
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow trusted domains = Yes
auth methods =
check password script =
client ipc signing = default
client lanman auth = No
client NTLMv2 auth = Yes
client plaintext auth = No
client schannel = Auto
client signing = default
client use spnego principal = No
dedicated keytab file =
encrypt passwords = Yes
guest account = nobody
kerberos method = default
kpasswd port = 464
krb5 port = 88
lanman auth = No
log nt token command =
map to guest = Never
map untrusted to domain = No
ntlm auth = Yes
ntp signd socket directory = /var/samba/lib/ntp_signd
null passwords = No
obey pam restrictions = No
old password allowed period = 60
pam password change = No
passdb backend = tdbsam
passdb expand explicit = No
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
passwd program =
password server = *
preload modules =
private dir = /etc/samba/private
raw NTLMv2 auth = No
rename user script =
restrict anonymous = 0
root directory =
samba kcc command = /usr/lib/samba/sbin/samba_kcc
security = ADS
server role = auto
server schannel = Auto
server signing = default
smb passwd file = /etc/samba/private/smbpasswd
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile =
tls dh params file =
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
unix password sync = No
username level = 0
username map =
username map cache time = 0
username map script =
aio max threads = 100
deadtime = 0
getwd cache = Yes
hostname lookups = No
keepalive = 300
max disk size = 0
max open files = 16384
max smbd processes = 0
name cache timeout = 660
socket options = TCP_NODELAY
use mmap = Yes
get quota command =
host msdfs = Yes
set quota command =
create krb5 conf = No
idmap backend = tdb
idmap cache time = 604800
idmap gid =
idmap negative cache time = 120
idmap uid =
include system krb5 conf = Yes
neutralize nt4 emulation = No
reject md5 servers = No
require strong key = Yes
template homedir = /home/%D/%U
template shell = /bin/false
winbind cache time = 300
winbindd privileged socket directory =
/var/samba/lib/winbindd_privileged
winbindd socket directory = /var/samba/run/winbindd
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = rfc2307
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = No
winbind request timeout = 60
winbind rpc only = No
winbind sealed pipes = Yes
winbind separator = \
winbind trusted domains only = No
winbind use default domain = No
dns proxy = Yes
wins hook =
wins proxy = No
wins server = 192.x.x.x
wins support = No
...
I would appreciate any advice.
Thanks