[Samba] help for join AD domain failure troubleshooting

Rowland penny rpenny at samba.org
Wed Jul 1 07:45:39 UTC 2020


On 01/07/2020 08:43, rong zhao via samba wrote:
> Hi team,
>     I met a problem when joining an AD domain with Samba; it failed. I want to get
> some help from the community, so please let me give the details.
>
> 1. Problem
>     When running "net ads join -U username" on a Linux client to join the AD domain,
> it failed with the error message:
>
> """
> Failed to join domain: Failed to set machine spn: Operations error
> Do you have sufficient permissions to create machine accounts?
> """
>
> It worked before; it just started failing one day.
>
> 2. What my environment is
>
> My AD domain cluster is made up of Windows Server 2012.
> I am using winbind on the Linux client to do authentication through AD accounts.
>
> 3. What I did for troubleshooting
> 3.1 debug log
>     The debug level 5 log shows some detailed information:
>
> """
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> Failed while searching for:
> <WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD
> USA,dc=mycompany,dc=COM>
>
> libnet_DomainJoin: Failed to pre-create account in OU
> cn=Computers,dc=PROD-USA,dc=mycompany,dc=COM: Operations error
>
> signed SMB2 message
> """
>
> It showed a failure while searching for a well-known object, and the Samba source code shows:
>
> if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path) == -1) {
>     DEBUG(1, ("asprintf failed!\n"));
>     return NULL;
> }
>
> status = ads_search_dn(ads, &res, base, attrs);
> if (!ADS_ERR_OK(status)) {
>     DEBUG(1, ("Failed while searching for: %s\n", base));
>     goto out;
> }
>
> It should be failing at the line: status = ads_search_dn(ads, &res, base, attrs);
>
> However, if I search with the ldapsearch command, it works well:
>
> """
> [root@monitor-test-12 ~]# ldapsearch -H ldap://pd11scl-ads-02 -x -W -D \
>   "username@prod-usa.mycompany.com" -b \
>   "<WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD-USA,dc=mycompany,dc=COM>" \
>   distinguishedName -z 2
>
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <<WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD-USA,dc=mycompany,dc=COM>> with scope subtree
>
> # filter: (objectclass=*)
> # requesting: distinguishedName
>
> #
> .....  some lines of computer information omitted .....
> """
>
> 3.2 If I use "net rpc join -U username", it works
>       This means the NT4-style domain join succeeds, but this is not what I want.
>
>
> I have requested support from Microsoft to check if there was anything
> wrong on the Windows server, but no luck.
>
> I am wondering how to get more details from Samba about why ads_search_dn
> failed. If it can print the root cause, that will help a lot.
>
> Thanks.
>
Has your user hit the limit for joining computers?

Is your smb.conf set up correctly?

What OS is this?

Do you have the correct packages installed?

Rowland
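Added example (not Samba code and not from either poster): a small Python triage helper for the kind of debug output quoted above. It pulls the well-known-object (WKGUID) lookup that libnet_DomainJoin performs before pre-creating the computer account out of the level-5 log, names the container the GUID stands for, records which GENSEC submechanism the bind used (gse_krb5 here, as opposed to the simple bind ldapsearch -x performs), and rebuilds the equivalent base-scope ldapsearch so the same lookup can be repeated by hand. It also catches the case visible in the post, where mail wrapping mangled the DN in the log (dc=PROD / USA) so that it no longer matches the pre-create OU. Assumptions: the log format is the excerpt from the post; the GUID table only lists the Computers and Users containers (the well-known object GUIDs Microsoft publishes); SAMPLE_LOG is reconstructed from the post, and the host name and bind identity in the usage call are the post's, standing in for real ones.

```python
"""Triage helper for a failing "net ads join" (added example, not Samba code)."""
import re
import shlex

# Well-known object GUIDs (MS-ADTS "well-known objects") that matter for a join.
WELL_KNOWN_GUIDS = {
    "AA312825768811D1ADED00C04FD8D5CD": "Computers container",
    "A9D1CA15768811D1ADED00C04FD8D5CD": "Users container",
}

WKGUID_RE = re.compile(r"<WKGUID=(?P<guid>[0-9A-Fa-f]{32})\s*,\s*(?P<base>[^>]*)>")
PRECREATE_RE = re.compile(
    r"pre-create account in OU\s+(?P<dn>(?:cn|ou|dc)=[^:]+?)\s*:\s*(?P<err>.+)$",
    re.IGNORECASE,
)
GENSEC_RE = re.compile(r"Starting GENSEC submechanism (?P<mech>\S+)")

# Constructed sample: the level-5 excerpt from the post, wrapped as the mail shows it.
SAMPLE_LOG = """\
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Failed while searching for:
<WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD
USA,dc=mycompany,dc=COM>

libnet_DomainJoin: Failed to pre-create account in OU
cn=Computers,dc=PROD-USA,dc=mycompany,dc=COM: Operations error

signed SMB2 message
"""


def _collect(lines, start, done):
    """Join lines[start:] with spaces until done(joined) holds; re-joins wrapped DNs."""
    buf = lines[start]
    j = start + 1
    while not done(buf) and j < len(lines):
        buf += " " + lines[j]
        j += 1
    return buf


def parse_join_log(text):
    """Extract the WKGUID lookup failure and the pre-create error from net debug output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    out = {"bind_mech": None, "wkguid": None, "container": None, "search_base": None,
           "precreate_dn": None, "error": None, "wrapped_dn": False}
    for i, line in enumerate(lines):
        m = GENSEC_RE.search(line)
        if m:
            out["bind_mech"] = m.group("mech")
        elif "Failed while searching for:" in line:
            m = WKGUID_RE.search(_collect(lines, i, lambda s: ">" in s))
            if m:
                out["wkguid"] = m.group("guid").upper()
                out["container"] = WELL_KNOWN_GUIDS.get(out["wkguid"], "unknown well-known object")
                out["search_base"] = m.group("base")
        elif "pre-create account in OU" in line:
            m = PRECREATE_RE.search(_collect(lines, i, lambda s: PRECREATE_RE.search(s) is not None))
            if m:
                out["precreate_dn"] = m.group("dn")
                out["error"] = m.group("err")
    # The search base and the pre-create OU must share the domain suffix. When the
    # base as printed does not, the debug output was wrapped (as happens in mail)
    # and must not be copied verbatim into a manual query.
    if out["search_base"] and out["precreate_dn"]:
        suffix = out["precreate_dn"].split(",", 1)[1]
        out["wrapped_dn"] = out["search_base"].replace(" ", "").lower() != suffix.lower()
    return out


def ldapsearch_command(result, host, bind_dn):
    """Argv for the same lookup as a base-scope simple bind (what the poster ran by hand)."""
    suffix = (result["precreate_dn"].split(",", 1)[1] if result["precreate_dn"]
              else result["search_base"].replace(" ", ""))
    return ["ldapsearch", "-H", f"ldap://{host}", "-x", "-W", "-D", bind_dn, "-s", "base",
            "-b", f"<WKGUID={result['wkguid']},{suffix}>", "distinguishedName"]


def summarize(result):
    """Human-readable findings for the admin, one per line."""
    findings = []
    if result["wkguid"]:
        findings.append(f"SASL bind via {result['bind_mech'] or 'unknown mechanism'} could not read "
                        f"the {result['container']} (WKGUID={result['wkguid']}).")
    if result["precreate_dn"]:
        findings.append(f"Pre-creating the computer account in {result['precreate_dn']} "
                        f"failed: {result['error']}.")
    if result["wrapped_dn"]:
        findings.append("Search base in the debug output is line-wrapped; use the suffix "
                        "from the pre-create OU instead.")
    return findings


if __name__ == "__main__":
    r = parse_join_log(SAMPLE_LOG)
    for finding in summarize(r):
        print(finding)
    # Host and bind identity are the post's; substitute your own DC and joining user.
    cmd = ldapsearch_command(r, "pd11scl-ads-02", "username@prod-usa.mycompany.com")
    print("Repeat the lookup by hand:", shlex.join(cmd))
```

The point of repeating the lookup with -x is the one the post already makes: the same base DN resolves under a simple bind as the joining user, while Samba's SASL/Kerberos bind gets "Operations error", so the two binds (or the identities behind them) are what to compare next, alongside the machine-account quota Rowland asks about.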
