4 Replies Latest reply: May 11, 2012 6:05 PM by user13479189

    Solaris 11 - can't join AD domain

    899667
      I've upgraded to Solaris 11 from 11 Express and am trying to join the system to an Active Directory domain. I first joined workgroup, then tried to rejoin the domain, at which time I get the following (names changed to protect the anonymous):

      myuser@ganesh:~# smbadm join -u "DomainAdmin" lothlorien.domain.com
      After joining lothlorien.domain.com the smb service will be restarted automatically.
      Would you like to continue? [no]: yes
      Enter domain password:
      Locating DC in lothlorien.domain.com ... this may take a minute ...
      Joining lothlorien.domain.com ... this may take a minute ...
      failed to join lothlorien.domain.com: UNSUCCESSFUL
      Please refer to the system log for more information.

      /var/adm/messages shows this:

      Nov 11 00:46:17 ganesh smbd[641]: [ID 270243 daemon.error] smb_ads_update_dsattr: ldap_sasl_interactive_bind_s Local error
      Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.error] smbns_kpasswd: KPASSWD protocol exchange failed (Cannot contact any KDC for requested realm)
      Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.notice] Machine password update failed
      Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.error] unable to join lothlorien.domain.com (UNSUCCESSFUL)


      I know for sure the system is locating the DC and trying to register itself - I can see the events in the Windows event log. Having deleted the previous computer account, if I watch the Computers node of the AD Users & Computers MMC snap-in, I can see the Solaris system appear briefly as disabled, then disappear a few seconds later (with corresponding events in the DC's Security event log).

      I can't find any documentation specific to S11 (as opposed to SE11) that addresses what might be different (if anything) in the smb join protocols. I know by now that S11 can autogenerate your /etc/krb5/krb5.conf, so the fact that I can delete/rename that file and it will reappear with valid information validates the fact that it does locate and connect to the (K)DC and get relevant config info; not to mention that I can type garbage for my domain password and the behavior is different, so it can do kerberos authentication.

      I think the key error here is the "ldap_sasl_interactive_bind_s Local error" but it's not enough information for me to determine causality. I've already gone through Google searches and implemented changes related to the NTLM levels and so forth, but unlike with SE11 which I did have working, these did not solve the issue.

      I'm still trying to go through the S11 documentation including the End of Feature Notices for what's changed but I didn't see anything revelatory in the Interop guide. I know this could also be something that's in my AD/GP configuration on the Windows side (e.g. I've implemented a PKI and strengthened system authentication among certain domain members). Has anyone run into anything similar? Do you have S11 (as opposed to SE11) joined to your domain?
        • 1. Re: Solaris 11 - can't join AD domain
          899667
          Just to follow up on my own message... something's definitely different in the inner workings of S11's smb code than SE11.

          I used VMWare to create a quick barebones SE11 machine and did the following:
          svcadm disable nwam
          svcadm enable network/physical:default
          ipadm create-if e1000g0
          ipadm create-addr -T static -a 192.168.1.82/24 e1000g0/v4
          route -p add default 192.168.1.1

          Edit /etc/krb5/krb5.conf for my domain/realm

          svcadm disable smb/server; svcadm enable -r smb/server

          Edit /etc/nsswitch.conf for dns

          ntpdate dc.lothlorien.domain.com
          sharectl set -p lmauth_level=2 smb
          smbadm join -u "DomainAdmin" lothlorien.domain.com

          Enter domain admin password and boom, joins the domain right away. I can see that the smb service on S11 doesn't have the lmauth_level setting; it has server_lmauth_level and client_lmauth_level, but setting both to 2 and retrying didn't help.

          Unfortunately, I haven't seen anything in the S11 docs to address what the difference is.
          • 2. Re: Solaris 11 - can't join AD domain
            user9062184
            Hi.

            Well - I can't help you in totality, but I do know the smbadm interface is now deprecated, and the replacement interface/manipulation mechanism is kclient.

            Try something like using kclient -a AdminUserNameonDomain -T ms_ad

            ...and go from there.

            It certainly helped me in my test scenarios. From there, after that smbadm can be used to manipulate CIFS.

            z
            • 3. Re: Solaris 11 - can't join AD domain
              hartparr
              Did you ever get this figured out? I'm having the same exact problem.
              • 4. Re: Solaris 11 - can't join AD domain
                user13479189
                I finally got this figured out. It's a problem with client_lmauth_level on the smb service. The script snippet below configures Solaris 11 to join an AD domain on Windows 2008 R2:

                #!/bin/sh
                # TIMESERVER, DOMAIN and DOMAINADMIN must be set for your environment before running.
                echo "*** Installing SMB system"
                pkg install system/file-system/smb
                echo "*** Installing SMB service"
                pkg install service/file-system/smb

                # Point ntp at the domain time source (Kerberos needs the clocks in sync)
                echo "server $TIMESERVER" > /etc/inet/ntp.conf
                svcadm enable ntp

                echo "*** Joining domain: $DOMAIN"
                # Lower the client LM auth level so the join negotiation succeeds
                svccfg -s smb setprop smb/client_lmauth_level=2
                svcadm enable -r smb/server
                smbadm join -u "$DOMAIN/$DOMAINADMIN"

                Obviously, you should set the various variables for your local environment, and it is probably a good idea to sync the clock explicitly instead of assuming ntpd will do it for you.

                In addition, I had to set the auth level on the Windows 2008 domain:
                Start -> Admin Tools -> Local Security Policy: Security Settings -> Local Policies -> Security Options:
                Network Security: LAN Manager authentication level = Send LM & NTLM - Use NTLMv2 session security if negotiated
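As an added example that is not part of the thread, the following script triages a failed smbadm join from /var/adm/messages lines like the ones quoted in the question, mapping each smbd message to the prerequisite to check first (realm/KDC reachability and clock sync, the client_lmauth_level setting named in the fix above, and the machine password update). The sample log is constructed from the question's lines; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify smbd join failures from
# /var/adm/messages lines (patterns are those quoted in the question).
# Reads log lines on stdin, prints one finding per matched line,
# returns 0 if any known pattern matched, 1 otherwise.
triage_smb_join() {
  matched=1
  while IFS= read -r line; do
    case "$line" in
      *smbd*"Cannot contact any KDC"*)
        echo "KDC: realm/KDC lookup failed; check the realm in /etc/krb5/krb5.conf, DNS for the DC, and clock sync (ntp)"
        matched=0 ;;
      *smbd*"ldap_sasl_interactive_bind_s"*"Local error"*)
        echo "LDAP: SASL (Kerberos) bind to the DC failed on the client side; check client_lmauth_level on the smb service"
        matched=0 ;;
      *smbd*"Machine password update failed"*)
        echo "KPASSWD: machine account password could not be set; usually a consequence of the KDC error"
        matched=0 ;;
      *smbd*"unable to join"*)
        echo "JOIN: join aborted; fix the earlier findings and retry smbadm join"
        matched=0 ;;
    esac
  done
  return $matched
}

# Constructed sample log, modelled on the lines quoted in the question.
SAMPLE_LOG='Nov 11 00:46:17 ganesh smbd[641]: [ID 270243 daemon.error] smb_ads_update_dsattr: ldap_sasl_interactive_bind_s Local error
Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.error] smbns_kpasswd: KPASSWD protocol exchange failed (Cannot contact any KDC for requested realm)
Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.notice] Machine password update failed
Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.error] unable to join lothlorien.domain.com (UNSUCCESSFUL)'

# Number of findings produced for a log passed as a single string.
count_findings() {
  printf '%s\n' "$1" | triage_smb_join | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage_smb_join
```

On a real system, feed it with `grep smbd /var/adm/messages | triage_smb_join` after a failed join attempt.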