[Samba] samba on solaris 11 can no longer join Windows AD domain
Rowland Penny
rpenny at samba.org
Tue Sep 19 09:30:58 UTC 2017
On Mon, 18 Sep 2017 22:45:04 -0400
Gaeseric Vandal via samba <samba at lists.samba.org> wrote:
> I would like to move my Samba file server (Samba 4.4.14 on Solaris
> 11) from a classic domain into an Active Directory domain. The
> active directory domain has one Win 2008 directory server / domain
> controller, and one Win 2012 R2 DS. E-mail, among other things,
> depends on a Microsoft AD backend.
>
> A few months ago I was able to join a test server to the AD
> domain. Today I tried joining a 2nd one, but without success.
>
> testmachine1# net ads join -U Administrator at mydomain.com
> Enter Administrator at mydomain.com's password:
> Failed to join domain: Failed to set machine spn: Time limit exceeded
> Do you have sufficient permissions to create machine accounts?
>
> I thought that I may have not properly replicated the configuration,
> so I tried it on the first test server, with the same error.
>
> The event log on the AD DS shows
>
> Log Name: System
> Source: Microsoft-Windows-Security-Kerberos
> Date: 9/18/2017 10:01:27 PM
> Event ID: 3
> Task Category: None
> Level: Error
> Keywords: Classic
> User: N/A
> Computer: DS1.mydomain.com
> Description:
> A Kerberos Error Message was received:
> on logon session
> Client Time:
> Server Time: 2:1:27.0000 9/19/2017 Z
> Error Code: 0xd KDC_ERR_BADOPTION
> Extended Error: 0xc00000bb KLIN(0)
> Client Realm:
> Client Name:
> Server Realm: MYDOMAIN.COM
> Server Name: DS1.mydomain.com
> Target Name: DS1.mydomain.com at MYDOMAIN.COM
>
> I have applied patches over the last few months to the Windows
> servers. Can't think of any significant changes on the windows side.
>
> I have copied and pasted the partial output of testparm -v.
>
> root at testmachine1:~# testparm -v
Please don't ever do that again: never send the verbose output from
testparm, just send the output of 'cat'.

I believe your smb.conf on disk will look like this:

[global]
netbios name = ZION
realm = SSCI.COM
server string = Samba Server Version %v
workgroup = SSCI
domain master = No
client ldap sasl wrapping = plain
ntlm auth = Yes
private dir = /etc/samba/private
security = ADS
smb passwd file = /etc/samba/private/smbpasswd
create krb5 conf = No
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
wins server = 192.x.x.x

Before going any further, can I ask how (once you have joined the
domain) you propose to make your Windows users known to the Unix
system? There is a distinct lack of 'idmap config' lines.

Does the /etc/resolv.conf point to a DC as a nameserver?
Does the proposed Unix domain member get its IP via DHCP?
What is in /etc/hosts?
What is in /etc/krb5.conf?

Rowland
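One way to turn the observation about the missing 'idmap config' lines into a check, as an added example that is not part of this thread: the sample configs below are constructed (POSTED is modelled on the smb.conf quoted above, FIXED adds one common domain-member layout with a tdb default domain and the 'ad' backend using rfc2307 attributes), and the range values are assumptions, not the poster's real configuration.

```python
import re

# Matches lines like:  idmap config SSCI : range = 10000-999999
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(smb_conf: str) -> dict:
    """Collect every 'idmap config' line as {DOMAIN: {option: value}}."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def check_idmap(smb_conf: str) -> list:
    """Return a list of problems; an empty list means the idmap setup looks sane."""
    problems, ranges = [], []
    domains = parse_idmap(smb_conf)
    if not domains:
        return ["no 'idmap config' lines at all"]
    if "*" not in domains:
        problems.append("no 'idmap config * : ...' default domain")
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))   # "low-high"
        ranges.append((lo, hi, dom))
    ranges.sort()
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:   # overlapping ranges make uid/gid mapping ambiguous
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems

# Constructed sample modelled on the posted smb.conf: no idmap lines at all ...
POSTED = "[global]\nworkgroup = SSCI\nrealm = SSCI.COM\nsecurity = ADS\nwinbind nss info = rfc2307\n"
# ... and a corrected version: tdb default domain plus the 'ad' backend for SSCI
# (the ranges are assumed values chosen for this example)
FIXED = POSTED + (
    "idmap config * : backend = tdb\n"
    "idmap config * : range = 3000-7999\n"
    "idmap config SSCI : backend = ad\n"
    "idmap config SSCI : schema_mode = rfc2307\n"
    "idmap config SSCI : range = 10000-999999\n"
)

if __name__ == "__main__":
    print("posted:", check_idmap(POSTED))   # ["no 'idmap config' lines at all"]
    print("fixed :", check_idmap(FIXED))    # []
```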