Dominic Marks
2007-May-17 09:15 UTC
[Samba] Failed to set servicePrincipalNames (driving me insane!)
List,
I've searched extensively on this issue and I understand that it is
related to having an incorrectly set hostname. The problem is I have made
the changes and I still cannot get one specific machine to join to AD.
I have successfully used the process on six other hosts with no issues.
Some information:
LON01330# hostname
LON01330.COMPANY.NET
=============================
LON01330# cat /etc/krb5.conf
[libdefaults]
default_realm = COMPANY.NET
[realms]
COMPANY.NET = {
kdc = tcp/dc.company.net
admin_server = tcp/dc.company.net
=============================
Kerberos is working.
LON01330# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: USER@COMPANY.NET
Issued Expires Principal
May 17 09:50:43 May 17 19:50:43 krbtgt/COMPANY.NET@COMPANY.NET
=============================
There is nothing in my hosts file:
LON01330# grep -e '^[^#]' /etc/hosts
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
=============================
LON01330# cat /usr/local/etc/smb.conf
[global]
workgroup = COMPANY
realm = COMPANY.NET
netbios name = LON01330
security = ADS
allow trusted domains = yes
idmap uid = 3000-30000
idmap gid = 3000-30000
template homedir = /home/%D/%U
template shell = /bin/tcsh
winbind cache time = 3600
winbind separator = +
winbind nested groups = yes
client use spnego = yes
domain master = no
password server = dc.company.net
syslog = 1
syslog only = yes
log level = 1
socket options = TCP_NODELAY
=============================
The user account I am using is not a Domain Administrator, but has
sufficient rights to add Computers to AD. I have used the same account for
many other Computer accounts (Windows & UNIX) with no problems. I am
forward-creating the Computer account in the appropriate OU prior to
executing 'net ads join [...]'.
Something *must* be different to the other systems that work, but I cannot
see what it might be. Is there something else I can do which will give
more specific information on the problem?
PS>>
This system was happily connected to 'Domain A' prior to this, and I am
attempting to move it to 'Domain B'. For a while there was a trust
relationship between them and I was logging on to 'Domain B' successfully
although my DC was in 'Domain A'. Now the trust is gone and I can't join
to 'Domain B' at all.
Thanks
Dominic
Hansjörg Maurer
2007-May-17 13:11 UTC
[Samba] Failed to set servicePrincipalNames (driving me insane!)
Hi

I had a similar problem and adding

IP FULLQUALLIFIEDHOSTNAME SHORTHOSTNAME

to /etc/hosts solves the problem in my case

see

https://bugzilla.samba.org/show_bug.cgi?id=4497

regards

Hansjörg

Dominic Marks wrote:
> List,
>
> I've searched extensively on this issue and I understand that it is
> related to having an incorrectly set hostname. The problem is I have made
> the changes and I still cannot get one specific machine to join to AD.
>
> I have successfully used the process on six other hosts with no issues.
>
> Some information:
>
> LON01330# hostname
> LON01330.COMPANY.NET
>
> =============================
>
> LON01330# cat /etc/krb5.conf
> [libdefaults]
> default_realm = COMPANY.NET
>
> [realms]
> COMPANY.NET = {
> kdc = tcp/dc.company.net
> admin_server = tcp/dc.company.net
>
> =============================
>
> Kerberos is working.
>
> LON01330# klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: USER@COMPANY.NET
>
> Issued Expires Principal
> May 17 09:50:43 May 17 19:50:43 krbtgt/COMPANY.NET@COMPANY.NET
>
> =============================
>
> There is nothing in my hosts file:
>
> LON01330# grep -e '^[^#]' /etc/hosts
> ::1 localhost localhost.my.domain
> 127.0.0.1 localhost localhost.my.domain
>
> =============================
>
> LON01330# cat /usr/local/etc/smb.conf
> [global]
> workgroup = COMPANY
> realm = COMPANY.NET
> netbios name = LON01330
> security = ADS
> allow trusted domains = yes
> idmap uid = 3000-30000
> idmap gid = 3000-30000
> template homedir = /home/%D/%U
> template shell = /bin/tcsh
> winbind cache time = 3600
> winbind separator = +
> winbind nested groups = yes
> client use spnego = yes
> domain master = no
> password server = dc.company.net
> syslog = 1
> syslog only = yes
> log level = 1
> socket options = TCP_NODELAY
>
> =============================
>
> The user account I am using is not a Domain Administrator, but has
> sufficient rights to add Computers to AD. I have used the same account for
> many other Computer accounts (Windows & UNIX) with no problems. I am
> forward-creating the Computer account in the appropriate OU prior to
> executing 'net ads join [...]'.
>
> Something *must* be different to the other systems that work, but I cannot
> see what it might be. Is there something else I can do which will give
> more specific information on the problem?
>
> PS>>
>
> This system was happily connected to 'Domain A' prior to this, and I am
> attempting to move it to 'Domain B'. For a while there was a trust
> relationship between them and I was logging on to 'Domain B' successfully
> although my DC was in 'Domain A'. Now the trust is gone and I can't join
> to 'Domain B' at all.
>
> Thanks
> Dominic
>
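[Added example, not part of either poster's message and not Samba project code: a pre-join check that a hosts file carries the "IP FQDN SHORTNAME" line suggested above. The function name hosts_entry_for, the address 192.0.2.10 and the rule that loopback lines do not count are assumptions made for this illustration.]

```shell
#!/bin/sh
# Added example: does a hosts file carry the "IP FQDN SHORTNAME" line?
# Assumption: "IP" means the host's own address, so loopback lines are skipped.

# hosts_entry_for FILE FQDN
# Prints the address of the first line naming both FQDN and short name and
# returns 0; returns 1 when no such non-loopback line exists.
hosts_entry_for() {
    awk -v fqdn="$2" '
        BEGIN {
            fqdn = tolower(fqdn)
            short = fqdn
            sub(/\..*/, "", short)   # lon01330.company.net -> lon01330
            found = 0
        }
        {
            sub(/#.*/, "")           # strip comments, fields are re-split
            if (NF < 2) next
            if ($1 ~ /^127\./ || $1 == "::1") next
            has_fqdn = 0; has_short = 0
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == fqdn) has_fqdn = 1
                if (name == short) has_short = 1
            }
            if (has_fqdn && has_short) { print $1; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input: the loopback-only hosts file shown in the post,
# and the same file with the suggested line added. 192.0.2.10 is a
# documentation address chosen for this example, not a value from the thread.
tmp=$(mktemp -d)
printf '%s\n' '::1 localhost localhost.my.domain' \
    '127.0.0.1 localhost localhost.my.domain' > "$tmp/before"
cp "$tmp/before" "$tmp/after"
echo '192.0.2.10 LON01330.COMPANY.NET LON01330' >> "$tmp/after"

for f in before after; do
    if addr=$(hosts_entry_for "$tmp/$f" LON01330.COMPANY.NET); then
        echo "$f: $addr maps to both the FQDN and the short name"
    else
        echo "$f: no non-loopback entry with FQDN and short name"
    fi
done
rm -rf "$tmp"
```

On a real host the same function can be pointed at /etc/hosts with the output of hostname as the second argument.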
Dominic Marks
2007-May-17 13:15 UTC
[Samba] Failed to set servicePrincipalNames (driving me insane!)
Hansjörg Maurer wrote:
> Hi
>
> I had a similar problem and adding
>
> IP FULLQUALLIFIEDHOSTNAME SHORTHOSTNAME
>
> to /etc/hosts solves the problem in my case
>
> see
>
> https://bugzilla.samba.org/show_bug.cgi?id=4497
>
> regards
>
> Hansjörg
>

Worked a treat! Thank you very much Hansjörg.

Dominic