[Samba] Solaris 11 can't join Active Directory Domain


İhsan Doğan
Jan 30, 2013, 4:00:02 PM

Hi,

I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to
join a Solaris 11 machine to this domain:

# smbadm join -u Administrator DOMAIN
After joining DOMAIN the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Locating DC in DOMAIN ... this may take a minute ...
Joining DOMAIN ... this may take a minute ...
failed to join DOMAIN: UNSUCCESSFUL
Please refer to the system log for more information.

In /var/adm/messages:
Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify:
Insufficient access
Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation
trust account update failed

Windows 7 clients are able to join, but Solaris 11 fails.

Kerberos seems to be fine:
# kinit oskar
Password for os...@DOMAIN.COM:
Warning: Your password will expire in 41 days on Wed Mar 13 19:44:52 2013

But if I run it for Administrator:
# kinit Administrator
Password for Admini...@DOMAIN.COM:
Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
kinit: no ktkt_warnd warning possible

Any idea what is going wrong here?



Ihsan
--
ih...@dogan.ch http://blog.dogan.ch/

Jake Carroll
Jan 30, 2013, 5:00:01 PM
Hi.

I can probably help there, because I have been through similar problems.

1. Remember that smbadm has nothing to do with samba at all. It's
primarily concerned with Solaris 11's CIFS service (in kernel
windows-appropriate file serving from Oracle).

2. I am pretty sure you'll find your /etc/krb5/krb5.conf needs to be solid
and in place before smbadm works. That was the case for me.

3. I needed to create the object in my active directory forest first,
before anything worked.

That's what got it working for me.

You probably won't get any help from this list for this kind of thing, as
it's very much a Samba focused list. Samba != Oracle's CIFS.

Hope me spotting this helped you, though.

--JC

Ong Yu-Phing
Jan 30, 2013, 9:50:01 PM
I can help (I run various openindiana storage servers in my company),
basically you need to check 3 things

1) /etc/krb/krb5.conf
make sure you have your [realms], [domain_realm] configs correct, e.g.
if you have a domain called DOMAIN.LOCAL, and a DC server hostname
dc.domain.local (make sure that hostname resolves via DNS or /etc/hosts
file):

[libdefaults]
default_realm = DOMAIN.LOCAL

[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
kpasswd_server = dc.domain.local
kpasswd_protocol = SET_CHANGE
admin_server = dc.domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL

2) time
make sure you ntpdate with your DC to ensure your time is in sync

3) LMauth level

sharectl set -p lmauth_level=4 smb

depending on your AD forest version, you may need to do either level=2 or 4

Hope this helps.
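As an added illustration of the first check above (this is not code from the thread or from Solaris), here is a small Python validator for the krb5.conf layout shown, run over a constructed sample: it parses the file and reports a missing default_realm, a lower-case realm name, a realm block without a kdc, or a [domain_realm] entry that does not map the domain to the realm.

```python
# Constructed sample, mirroring the krb5.conf layout from the post above
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.LOCAL

[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, with each
    realm block nested as {realm: {key: value}} under 'realms'."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith('{'):              # start of a "REALM = {" block
            block = line[:-1].split('=')[0].strip()
            conf[section][block] = {}
        elif line == '}':
            block = None
        elif '=' in line and section:
            key, value = (s.strip() for s in line.split('=', 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def check_krb5_conf(text):
    """Return the problems that would make smbadm or kclient fail."""
    conf = parse_krb5_conf(text)
    realm = conf.get('libdefaults', {}).get('default_realm')
    if not realm:
        return ['no default_realm in [libdefaults]']
    problems = [] if realm == realm.upper() else ['realm must be upper-case']
    rconf = conf.get('realms', {}).get(realm)
    if not isinstance(rconf, dict):
        problems.append('no [realms] block for ' + realm)
    elif 'kdc' not in rconf:
        problems.append('realm %s has no kdc entry' % realm)
    if conf.get('domain_realm', {}).get('.' + realm.lower()) != realm:
        problems.append('[domain_realm] must map .%s to %s' % (realm.lower(), realm))
    return problems
```

Feeding it the real /etc/krb5/krb5.conf (read with open()) gives an empty list when the three sections agree; the DNS check for the kdc hostname and the ntpdate time check from the post still have to be done separately.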

İhsan Doğan
Jan 31, 2013, 3:10:01 AM
Hi,

On 01/31/2013 03:43 AM, Ong Yu-Phing wrote:

> 1) /etc/krb/krb5.conf
> make sure you have your [realms], [domain_realm] configs correct, e.g.
> if you have a domain called DOMAIN.LOCAL, and a DC server hostname
> dc.domain.local (make sure that hostname resolves via DNS or /etc/hosts
> file):

I've verified the krb5.conf and it looks exactly like yours.

> 2) time
> make sure you ntpdate with your DC to ensure your time is in sync

Verified. All in sync.

> 3) LMauth level
>
> sharectl set -p lmauth_level=4 smb
>
> depending on your AD forest version, you may need to do either level=2 or 4

Which would be the appropriate version for an AD forest running on Samba
4.0.1?

I've set the lmauth version now to 4:
# sharectl set -p server_lmauth_level=4 smb
# sharectl set -p client_lmauth_level=4 smb

Created the krb5.conf and registered the machine in the AD forest:
# kclient

Starting client setup

---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: y
Which type of KDC is the server:
ms_ad: Microsoft Active Directory
mit: MIT KDC server
heimdal: Heimdal KDC server
shishi: Shishi KDC server
Enter required KDC type: ms_ad

Setting up /etc/krb5/krb5.conf.

Attempting to join 'HOST' to the 'DOMAIN.LOCAL' domain.

Password for Admini...@DOMAIN.LOCAL:
Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
kinit: no ktkt_warnd warning possible

Forest name found: domain.local

Site name not found. Local DCs/GCs will not be discovered.

Creating the machine account in AD via LDAP.

Warning: won't create DNS records for client.
ddns_enable property not set to 'true' through sharectl(1M).
---------------------------------------------------
Setup COMPLETE.

So far it looks good. After that, I've tried again to run smbadm:

# smbadm join -u Administrator DOMAIN
After joining DOMAIN the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Locating DC in DOMAIN ... this may take a minute ...
Joining DOMAIN ... this may take a minute ...
Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)
failed to join DOMAIN: UNSUCCESSFUL
Please refer to the system log for more information.

Still no luck, but looks like I've made a step forward.

İhsan Doğan
Jan 31, 2013, 8:50:01 AM
Hi,

On 01/31/2013 09:03 AM, İhsan Doğan wrote:

> # smbadm join -u Administrator DOMAIN
> After joining DOMAIN the smb service will be restarted automatically.
> Would you like to continue? [no]: yes
> Enter domain password:
> Locating DC in DOMAIN ... this may take a minute ...
> Joining DOMAIN ... this may take a minute ...
> Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)
> failed to join DOMAIN: UNSUCCESSFUL
> Please refer to the system log for more information.

I've started samba in debug mode and saw this:

auth_check_password_send: Checking password for unmapped user []\[]@[(null)]

Not sure how to understand the meaning of this. Can it be, that Solaris
is sending something weird to the Samba server?

İhsan Doğan
Feb 3, 2013, 3:50:02 PM
On 31.01.2013 14:46, İhsan Doğan wrote:

>> # smbadm join -u Administrator DOMAIN
>> After joining DOMAIN the smb service will be restarted automatically.
>> Would you like to continue? [no]: yes
>> Enter domain password:
>> Locating DC in DOMAIN ... this may take a minute ...
>> Joining DOMAIN ... this may take a minute ...
>> Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)
>> failed to join DOMAIN: UNSUCCESSFUL
>> Please refer to the system log for more information.

[...]

> auth_check_password_send: Checking password for unmapped user []\[]@[(null)]

Looks like I'm hitting this bug:
https://bugzilla.samba.org/show_bug.cgi?id=8805

Jake Carroll
Feb 3, 2013, 9:40:02 PM
Do you have an Oracle support contract for OS/integration?

I'd log it in MOS if I were you, and see what they say. Approach this from
two angles ;).

--JC

Andrew Bartlett
Feb 6, 2013, 5:50:01 AM

Does this work against a freshly provisioned Samba 4.0.3 domain?

We fixed a lot of ACL related things with that release.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

İhsan Doğan
Feb 8, 2013, 5:50:02 AM
On 02/04/2013 03:31 AM, Jake Carroll wrote:

> Do you have an Oracle support contract for OS/integration?
>
> I'd log it in MOS if I were you, and see what they say. Approach this from
> two angles ;).

I've contacted Oracle in the first place. According to them, it's not a
Solaris issue.

İhsan Doğan
Feb 8, 2013, 6:10:02 AM
Hi,
Haven't tried. I'm running the AD now on a 2008R2 server.

Nico Kadel-Garcia
Feb 16, 2013, 11:10:02 PM
On Fri, Feb 8, 2013 at 5:40 AM, İhsan Doğan <ih...@dogan.ch> wrote:
> On 02/04/2013 03:31 AM, Jake Carroll wrote:
>
>> Do you have an Oracle support contract for OS/integration?
>>
>> I'd log it in MOS if I were you, and see what they say. Approach this from
>> two angles ;).
>
> I've contacted Oracle in the first place. According to them, it's not a
> Solaris issue.
>
>
>
> Ihsan

Solaris really has to be considered EOL, even though the support
promises for Solaris are nominally until 2024. Sun is gone, they're
not *making* Sun hardware anymore, and Oracle is urging their
customers with Solaris to switch to so-called "Unbreakable Linux",
which is a repackaging of RHEL with customizations for Oracle
database support. (And Red Hat is *really angry*, as they should be,
because they've customized the kernel and kept their changes closed
source.)

Do you have Linux servers you can test from?

Jake Carroll
Feb 17, 2013, 7:10:01 AM
Hi.


On 17/02/13 2:01 PM, "Nico Kadel-Garcia" <nka...@gmail.com> wrote:

>On Fri, Feb 8, 2013 at 5:40 AM, İhsan Doğan <ih...@dogan.ch> wrote:
>> On 02/04/2013 03:31 AM, Jake Carroll wrote:
>>
>>> Do you have an Oracle support contract for OS/integration?
>>>
>>> I'd log it in MOS if I were you, and see what they say. Approach this from
>>> two angles ;).
>>
>> I've contacted Oracle in the first place. According to them, it's not a
>> Solaris issue.
>>
>>
>>
>> Ihsan
>
>Solaris really has to be considered EOL, even though the support
>promises for Solaris are nominally until 2024. Sun is gone, they're
>not *making* Sun hardware anymore, and Oracle is urging their
>customers with Solaris to switch to so-called "Unbreakable Linux",
>which is a repackaging of RHEL with customizations for Oracle
>database support. (And Red Hat is *really angry*, as they should be,
>because they've customized the kernel and kept their changes closed
>source.)

Well, without starting a small war (not the point of these lists at all),
I guess one of the problems some of us face is that, it's not just about
Samba. It's also about the file system technologies that Oracle owns that
don't really work on Linux platforms, and only currently work on Solaris
based systems. I guess there is a little bit of complication to it, in
that. Not sure if this is the case for Ihsan, but for my own purposes, I
actually *can't* use linux for the kinds of things I do, the file system
functions I need, and the technology problems I need to solve.

Not *yet* anyway ;). Maybe in time.

--JC

dave.st...@durham.ac.uk
Aug 5, 2015, 11:40:04 AM
Old thread, but still an ongoing problem from time to time I think, and the Oracle
docs didn't help.

I was seeing similar problems with Solaris11 (July2015) joining 2008R2
forest/domain
client/server_lmauth_level=4, idmap identity mapping setup for "idmu"

smbadm join -u Administrator <DOMAIN>

Apparent problem with Kerberos (password exchange problem)
dmesg:
smbns_kpasswd: KPASSWD protocol exchange failed () (Cannot contact any KDC
for requested realm)

Try joining the domain with a different account that has UNIX attributes and
has the delegated right to join machines to the domain and has write
permission to the container holding the machine account.
smbadm join -u AnotherUser <DOMAIN>

Worked first time.
Tried with Administrator again - failed - suggests that there may be an
issue with mapping? Also noted that Solaris11 "knows" well known account
names in idmap-ing and may manipulate them differently.


