[Samba] samba on solaris 11 can not longer join Windows AD domain

Tue Sep 19 09:30:58 UTC 2017

On Mon, 18 Sep 2017 22:45:04 -0400
Gaeseric Vandal via samba <samba at lists.samba.org> wrote:

> I would like to move my Samba file server (Samba 4.4.14 on Solaris
> 11) from a classic domain  into an Active Directory domain.    The
> active directory domain has one Win 2008 directory server / domain
> controller, and one Win 2012 R2 DS.    E-mail, among other things,
> depends on a Microsoft AD backend.
> 
> 
> A few months ago I was able to join a test server to the AD
> domain.    Today I tried joining a 2nd one, but without success.
> 
>  
> 
> testmachine1# net ads join -U Administrator at mydomain.com
> 
> Enter Administrator at mydomain.com's password:
> 
> Failed to join domain: Failed to set machine spn: Time limit exceeded
> 
> Do you have sufficient permissions to create machine accounts?
> 
>  
> 
>  
> 
> I thought that I may  have not properly replicated the configuration,
> so I tried it on the first test server, with the same error.
> 
>  
> 
> The event log on the AD DS shows
> 
>  
> 
>  
> 
>  
> 
> Log Name:      System
> 
> Source:        Microsoft-Windows-Security-Kerberos
> 
> Date:          9/18/2017 10:01:27 PM
> 
> Event ID:      3
> 
> Task Category: None
> 
> Level:         Error
> 
> Keywords:      Classic
> 
> User:          N/A
> 
> Computer:      DS1.mydomain.com
> 
> Description:
> 
> A Kerberos Error Message was received:
> 
> on logon session 
> 
>  Client Time: 
> 
>  Server Time: 2:1:27.0000 9/19/2017 Z
> 
> Error Code: 0xd KDC_ERR_BADOPTION
> 
> Extended Error: 0xc00000bb KLIN(0)
> 
> Client Realm: 
> 
>  Client Name: 
> 
>  Server Realm: MYDOMAIN.COM
> 
> Server Name: DS1.mydomain.com
> 
> Target Name:  DS1.mydomain.com at MYDOMAIN.COM
> <mailto:DS1.mydomain.com at MYDOMAIN.COM> 
> 
>  
> 
>  
> 
>  
> 
> I have applied patches over the last few months to the Windows
> servers. Can't think of any significant changes on the windows side.
> 
>  
> 
> I have copied and pasted the partial output of testparm -v.
> 
>  
> 
> root at testmachine1:~# testparm -v
> 

Please don't ever do that again, never send the verbose output from
testparm, just send the output of 'cat'

I believe your smb.conf on disk will look like this:

 [global]
        netbios name = ZION
        realm = SSCI.COM
        server string = Samba Server Version %v
        workgroup = SSCI
        domain master = No
        client ldap sasl wrapping = plain 
        ntlm auth = Yes
        private dir = /etc/samba/private
        security = ADS
        smb passwd file = /etc/samba/private/smbpasswd
        create krb5 conf = No
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        wins server = 192.x.x.x

Before going any further, can I ask how you how (once you have joined
the domain) you propose to make your Windows users known to the Unix
system ? There is a distinct lack of 'idmap config' lines.

Does the /etc/resolv.conf point to a DC as a nameserver ?
Does the proposed Unix domain member get its IP via DHCP ?
What is in /etc/hosts ?
What is in /etc/krb5.conf ?

Rowland