[Samba] help for join AD domain failure troubleshooting

rong zhao zhaorbox at gmail.com
Wed Jul 1 07:43:46 UTC 2020 

Hi team,
   I meet problem when join AD domain with Samba failed, want to get
some help from community, please let me put details.

1. Problem
   When run "net ads join -U username" on Linux client to join AD domain,
it failed with error message:

"""
Failed to join domain: Failed to set machine spn: Operations error
Do you have sufficient permissions to create machine accounts?
"""

It worked before, just failed from one day.

2. What my environment is

My AD domain cluster is made up by windows server 2012.
Using winbind on Linux client to do authentication through AD account.

3. What I did for troubleshooting
3.1 debug log
   The debug level 5 log shows some detail information:

"""
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Failed while searching for:
<WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD
USA,dc=mycompany,dc=COM>

libnet_DomainJoin: Failed to pre-create account in OU
cn=Computers,dc=PROD-USA,dc=mycompany,dc=COM: Operations error

signed SMB2 message
"""

It showed failed while searching a wellknownobject, and Samba source code shows:

if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) {
DEBUG(1, ("asprintf failed!\n"));
return NULL;
}

status = ads_search_dn(ads, &res, base, attrs);
if (!ADS_ERR_OK(status)) {
DEBUG(1,("Failed while searching for: %s\n", base));
goto out;
}

It should fail at line: status = ads_search_dn(ads, &res, base, attrs);

However, if I search by ldapsearch command, it works well:

"""
[root at monitor-test-12 ~]# ldapsearch -H ldap://pd11scl-ads-02 -x -W -D
"username at prod-usa.mycompany.com" -b
"<WKGUID=AA312825768811D1ADED00C04FD8D5CD
,dc=PROD-USA,dc=mycompany,dc=COM>" distinguishedName  -z 2

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <<WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD-USA,dc=mycompany,dc=COM>>
with scope subtree

# filter: (objectclass=*)
# requesting: distinguishedName

#
.....  save some lines of computers information .....
"""

3.2 If using "net rpc join -U username", it works
     This means join NT4 domain success, but this is not what I want.


I have requested support from Microsoft to check if there was anything
wrong on Windows server, but no luck.

I am wondering how to get more details from samba, why ads_search_dn
failed? If it can print root cause, that will help a lot.

Thanks.

More information about the samba mailing list