[Samba] samba on solaris 11 can not longer join Windows AD domain

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Sep 19 12:26:02 UTC 2017


On 09/19/17 05:30, Rowland Penny via samba wrote:
> On Mon, 18 Sep 2017 22:45:04 -0400
> Gaeseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> I would like to move my Samba file server (Samba 4.4.14 on Solaris
>> 11) from a classic domain  into an Active Directory domain.    The
>> active directory domain has one Win 2008 directory server / domain
>> controller, and one Win 2012 R2 DS.    E-mail, among other things,
>> depends on a Microsoft AD backend.
>>
>> A few months ago I was able to join a test server to the AD
>> domain.    Today I tried joining a 2nd one, but without success.
>>
>> testmachine1# net ads join -U Administrator at mydomain.com
>> Enter Administrator at mydomain.com's password:
>> Failed to join domain: Failed to set machine spn: Time limit exceeded
>> Do you have sufficient permissions to create machine accounts?
>>
>> I thought that I may  have not properly replicated the configuration,
>> so I tried it on the first test server, with the same error.
>>
>> The event log on the AD DS shows
>>
>> Log Name:      System
>> Source:        Microsoft-Windows-Security-Kerberos
>> Date:          9/18/2017 10:01:27 PM
>> Event ID:      3
>> Task Category: None
>> Level:         Error
>> Keywords:      Classic
>> User:          N/A
>> Computer:      DS1.mydomain.com
>> Description:
>> A Kerberos Error Message was received:
>> on logon session
>>   Client Time:
>>   Server Time: 2:1:27.0000 9/19/2017 Z
>> Error Code: 0xd KDC_ERR_BADOPTION
>> Extended Error: 0xc00000bb KLIN(0)
>> Client Realm:
>>   Client Name:
>>   Server Realm: MYDOMAIN.COM
>> Server Name: DS1.mydomain.com
>> Target Name:  DS1.mydomain.com at MYDOMAIN.COM
>>
>> I have applied patches over the last few months to the Windows
>> servers. Can't think of any significant changes on the windows side.
>>
>> I have copied and pasted the partial output of testparm -v.
>>
>> root at testmachine1:~# testparm -v
>>
> Please don't ever do that again, never send the verbose output from
> testparm, just send the output of 'cat'
>
> Before going any further, can I ask how you how (once you have joined
> the domain) you propose to make your Windows users known to the Unix
> system ? There is a distinct lack of 'idmap config' lines.
>
> Does the /etc/resolv.conf point to a DC as a nameserver ?
> Does the proposed Unix domain member get its IP via DHCP ?
> What is in /etc/hosts ?
> What is in /etc/krb5.conf ?
>
> Rowland
>


Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice.

The problem with showing just the config file is that options not explicitly set may have different defaults depending on version. I have attached part of cat smb.conf below.

/etc/hosts does not include the AD Domain controllers.
/etc/resolv.conf shows secondary DNS servers, which in turn sync data from the AD Domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers.

/etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via ldap) and kerberos authentication. I did find that Solaris "native" kerberos and Samba expect krb5.keytab files in different locations, which I resolved with a symlink between /etc/krb5.keytab and /etc/krb5/krb5.keytab.

All member servers use static IP.


Thanks





  ________________________________________________________________________________________________________________

# cat /etc/samba/smb.conf
...

#======================= Global Settings =====================================

[global]

        private dir = /etc/samba/private
        smb passwd file = /etc/samba/private/smbpasswd

        syslog = 3
        log level = 10
        client ldap sasl wrapping = plain
        ldap server require strong auth = no
        create krb5 conf = no

...
# max protocol = used to define the supported protocol. The default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
        workgroup = MYDOMAIN
        server string = Samba Server Version %v
        netbios name = MYSERVER
;       max protocol = SMB2

        passdb backend = tdbsam
        security = ads
        realm = MYDOMAIN.COM

        idmap config *:backend = tdb
        idmap config *:range = 2000-2999

        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 100-1999

        # Use settings from AD for login shell and home directory
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        domain master = no
        domain logons = no
_______________________________________________________________________________________________________________
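One way to review the 'idmap config' lines Rowland asks about before attempting the join, as an added example that is not part of this thread: a small Python checker that parses the idmap settings out of an smb.conf and reports a missing '*' default domain, missing backends or ranges, overlapping ranges, and ranges that start below an assumed floor for local Unix account ids (the 1000 default is an assumption; Solaris and other platforms may use a different floor). The sample input is the idmap block from the smb.conf above.

```python
import re
from typing import Dict, List, Tuple

# Matches 'idmap config DOMAIN:key = value'; smb.conf keys are case-insensitive.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {key: value}} for every idmap config line in smb_conf."""
    out: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and not line.lstrip().startswith(("#", ";")):   # skip comments
            out.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return out

def check_idmap(cfg: Dict[str, Dict[str, str]], min_id: int = 1000) -> List[str]:
    """List problems: no '*' default domain, missing backend/range, malformed or
    overlapping ranges, and ranges starting below min_id (an assumed floor for
    where local Unix accounts end; adjust it for the platform)."""
    problems: List[str] = []
    ranges: List[Tuple[str, int, int]] = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain")
    for dom, keys in cfg.items():
        if "backend" not in keys:
            problems.append(f"{dom}: no backend")
        rng = keys.get("range", "")
        m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", rng)
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{dom}: missing or malformed range {rng!r}")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo < min_id:
            problems.append(f"{dom}: range starts below {min_id}, may collide with local ids")
        ranges.append((dom, lo, hi))
    ranges.sort(key=lambda r: r[1])          # compare neighbours by low end
    for (d1, _, hi1), (d2, lo2, _) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} ends at {hi1}, {d2} starts at {lo2}")
    return problems

# Constructed sample: the idmap lines from the smb.conf posted above.
SAMPLE = """
   idmap config *:backend = tdb
   idmap config *:range = 2000-2999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 100-1999
"""
```

Run `check_idmap(parse_idmap(open("/etc/samba/smb.conf").read()))` against a real file; an empty list means the ranges are disjoint and every domain has a backend and a range.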