6 Replies. Latest reply: Feb 4, 2013 7:39 PM by 988169

    Can't join Active Directory Domain

    988169
      Hi,

      I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to join a Solaris 11 machine to the domain:

      # smbadm join -u Administrator DOMAIN
      After joining DOMAIN the smb service will be restarted automatically.
      Would you like to continue? [no]: yes
      Enter domain password:
      Locating DC in DOMAIN ... this may take a minute ...
      Joining DOMAIN ... this may take a minute ...
      failed to join DOMAIN: UNSUCCESSFUL
      Please refer to the system log for more information.

      In /var/adm/messages:
      Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify: Insufficient access
      Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation trust account update failed

      Windows 7 clients are able to join, but Solaris 11 fails.

      Any idea what is going wrong here?
        • 1. Re: Can't join Active Directory Domain
          bobthesungeek76036
          Has the AD administrator added a computer account for your Solaris 11 system?
          • 2. Re: Can't join Active Directory Domain
            988169
            No, a computer account doesn't exist yet.
            • 3. Re: Can't join Active Directory Domain
              988169
              Hi,

              I've set the lmauth version now to 4:
              # sharectl set -p server_lmauth_level=4 smb
              # sharectl set -p client_lmauth_level=4 smb

              Created the krb5.conf and registered the machine in the AD forest:
              # kclient

              Starting client setup

              ---------------------------------------------------
              Is this a client of a non-Solaris KDC ? [y/n]: y
              Which type of KDC is the server:
              ms_ad: Microsoft Active Directory
              mit: MIT KDC server
              heimdal: Heimdal KDC server
              shishi: Shishi KDC server
              Enter required KDC type: ms_ad

              Setting up /etc/krb5/krb5.conf.

              Attempting to join 'HOST' to the 'DOMAIN.LOCAL' domain.

              Password for Administrator@DOMAIN.LOCAL:
              Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
              kinit: no ktkt_warnd warning possible

              Forest name found: domain.local

              Site name not found. Local DCs/GCs will not be discovered.

              Creating the machine account in AD via LDAP.

              Warning: won't create DNS records for client.
              ddns_enable property not set to 'true' through sharectl(1M).
              ---------------------------------------------------
              Setup COMPLETE.

              So far it looks good. I would say there are no authentication or permission problems.
              Now, I've tried again to run smbadm:

              # smbadm join -u Administrator DOMAIN
              After joining DOMAIN the smb service will be restarted automatically.
              Would you like to continue? [no]: yes
              Enter domain password:
              Locating DC in DOMAIN ... this may take a minute ...
              Joining DOMAIN ... this may take a minute ...
              Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)
              failed to join DOMAIN: UNSUCCESSFUL
              Please refer to the system log for more information.

              Still no luck. :-(
              • 4. Re: Can't join Active Directory Domain
                988169
                On the Samba side, I've seen this:

                auth_check_password_send: Checking password for unmapped user []\[]@[(null)]

                This is sent by smbadm and I don't think that this is right.
                • 5. Re: Can't join Active Directory Domain
                  bandit84
                  I might be wrong, but once you run the kclient command, the Solaris computer should now show up in your domain computers list. This is why you're getting this error:

                  "Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)"

                  because it sees that there's already an entry for the Solaris computer.

                  But your original attempt should have worked.

                  What's in the following files?

                  /etc/nsswitch.conf
                  /etc/resolv.conf
                  /etc/krb5/krb5.conf
                  • 6. Re: Can't join Active Directory Domain
                    988169
                    Looks like I'm hitting this bug:
                    https://bugzilla.samba.org/show_bug.cgi?id=8805

                    Definitely not a Solaris issue.
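
Added example (not part of the thread or of any poster's code): a small triage script for the `/var/adm/messages` lines quoted in the original post, which pairs each smbd "Workstation trust account update failed" message with an LDAP write denial logged just before it by the same process. The field names, the `cause` labels and the last two sample lines are assumptions made for this example.

```python
import re

# Solaris syslog with message-ID tag: "Mon DD HH:MM:SS host proc[pid]: [ID n fac.level] text"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s"
    r"\[ID\s(?P<msgid>\d+)\s(?P<prio>[\w.]+)\]\s(?P<text>.*)$"
)
# Message strings as quoted in the thread; the "cause" labels below are this example's own.
LDAP_DENIED = "ldap_modify: Insufficient access"
TRUST_FAILED = "Workstation trust account update failed"

def parse(line):
    """Split one log line into its fields, or return None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_join_failures(lines):
    """Report each smbd trust-account failure and whether the same smbd
    process logged an LDAP write denial immediately before it."""
    last_text = {}   # (host, pid) -> previous smbd message from that process
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proc"] != "smbd":
            continue
        key = (rec["host"], rec["pid"])
        if TRUST_FAILED in rec["text"]:
            denied = LDAP_DENIED in last_text.get(key, "")
            findings.append({
                "time": rec["ts"], "host": rec["host"], "pid": int(rec["pid"]),
                "cause": "ldap-write-denied" if denied else "no-ldap-error-logged",
            })
        last_text[key] = rec["text"]
    return findings

SAMPLE = [
    # The two lines quoted in the original post:
    "Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify: Insufficient access",
    "Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation trust account update failed",
    # Constructed lines (IDs and text made up) to exercise the other branches:
    "Jan 30 21:40:02 host sshd[1201]: [ID 800047 auth.info] Accepted publickey for admin",
    "Jan 30 21:41:10 host smbd[903]: [ID 702911 daemon.notice] Workstation trust account update failed",
]

if __name__ == "__main__":
    for f in find_join_failures(SAMPLE):
        print(f)
```

A `ldap-write-denied` finding points at directory-side permissions on the computer object rather than at the Solaris host's SMB settings, which narrows where to look next.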