Raj Pagaku
2006-Nov-07  23:06 UTC
[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
Hello,
We recently upgraded to the latest Samba3 version v3.0.23c. If the Samba
system and the AD belong to the same domain, I am able to perform a 'net
ads join' by supplying either a 'Domain Admins' or a 'Domain Users'
credential.

However if the Samba system and the AD belong to different domains, I can
perform the 'net ads join' by supplying a 'Domain Admins' credential but
not a user belonging to 'Domain Users'.  If the user belongs only to the
'Domain Users', I get the 'Failed to set servicePrincipalNames' error.
Samba System domain = WGA
AD Server domain = CHILD1.AD.WGA
wsa29:] winbindd -V
Version 3.0.23c
wsa29:] hostname
wsa29.wga
wsa29:] klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: olympus@CHILD1.AD.WGA
  Issued           Expires          Principal
Nov  7 14:31:19  Nov  8 00:31:19  krbtgt/CHILD1.AD.WGA@CHILD1.AD.WGA
Nov  7 14:32:07  Nov  8 00:31:19  child1-server$@CHILD1.AD.WGA
wsa29:] cat smb.conf
[global]
   workgroup = CHILD1
   server string = Samba Server
   load printers = yes
   log file = /var/log/samba.log.%m
   lock directory = /var/run/locks
   pid directory = /var/run/locks
   max log size = 100
   security = ads
   password server = child1-server.child1.ad.wga
   realm = CHILD1.AD.WGA
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/lib/smbpasswd
   socket options = TCP_NODELAY
   dns proxy = no
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
wsa29:] net ads join -s /etc/samba/smb.conf -Uadministrator
administrator's password:
Using short domain name -- CHILD1
Joined 'WSA29' to realm 'CHILD1.AD.WGA'
wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
olympus's password:
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'
Here the user 'administrator' belongs to 'Domain Admins' and the user
'olympus' belongs to 'Domain Users'.

Shouldn't I be able to use a 'Domain Users' account to perform the 'net
ads join' operation in 3.0.23c? Or is this restricted to both Samba
system and AD server being on the same domain?
Thanks in advance
-Raj
Jean-Vincent BAYARRI
2006-Nov-08  08:21 UTC
[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
Hi,

I also run FreeBSD 6.1 (and also experience a lot of trouble with version 3.0.23c...)

For your problem you should check your /etc/hosts. It must have the "CHILD1.AD.WGA" as fqdn for your IP like this:

xxx.xxx.xxx.xxx CHILD1.AD.WGA CHILD1 alias1 alias2 ... aliasN

-- 
Jean-Vincent BAYARRI, System & network engineer
Service Informatique, Laboratoire Central des Ponts et Chaussées
58, boulevard Lefebvre 75732 PARIS CEDEX 15
Tel 01 40 43 51 70  Fax 01 56 56 16 99
Raj Pagaku
2006-Nov-09  00:35 UTC
[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
I tried the suggested solution and I still run into the same issue (further searching in the Samba list led me to another thread where the same solution was proposed; I don't know whether that worked for the thread originator).

wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
olympus's password:
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'

After I execute the above command, I see that my system is listed in the AD server 'Computer' list but has a red 'x' symbol to indicate that it is disabled. However if I execute the command 'net ads status -s /etc/samba/smb.conf -Uolympus' after the 'net ads join' command, I am able to retrieve status information properly.

-Raj
Raj Pagaku
2006-Nov-10  19:01 UTC
[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
Thanks Jerry for your response. It is case (b). The fqdn of the local machine is set to a domain outside the AD domain name and the user credentials being used are 'Domain User' and not 'Domain Admin'.

Do we need 'Domain Admin' if the local machine domain is outside the AD domain name? Is this a restriction that will be addressed in the near future?

Thanks
Raj

> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> Sent: Friday, November 10, 2006 10:21 AM
> To: Raj Pagaku
> Cc: Jean-Vincent BAYARRI; samba@lists.samba.org
> Subject: Re: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
>
> Raj Pagaku wrote:
>
> >>> wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
> >>> olympus's password:
> >>> Using short domain name -- CHILD1
> >>> Failed to set servicePrincipalNames. Please ensure that
> >>> the DNS domain of this server matches the AD domain,
> >>> Or rejoin with using Domain Admin credentials.
> >>> Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'
>
> Either (a) the fqdn of the local machine (the one you are joining to
> the domain) is not set correctly or (b) is set to a domain
> outside the AD domain name and you are not a domain admin.
>
> cheers, jerry
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Centeris                         ----------- http://www.centeris.com
> "What man is a man who does not make the world better?"      --Balian
Raj Pagaku
2006-Nov-10  21:25 UTC
[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
Thanks Jerry for your response as well as the useful link to the reference article. Once I delegated the following permissions for the specific 'Domain User' on the 'Computer Objects' on my AD server, I was able to join the Samba system to the domain.

Permissions delegated via the 'Delegation Control Wizard':
1> Allow 'Write DNS Host Name Attributes' property
2> Allow 'Write Service Principal Name' property

I am sharing the steps I performed on my Windows 2003 AD server for the benefit of others:
* Invoke the 'Delegate Control Wizard' for the 'Computers'
* Add the specific 'Domain User' to the 'Selected users and groups'.
* Create a custom task to delegate.
* Select the 'Computer Objects'
* Select the 'Property-Specific'. Then select the 'Write dNSHostName' and the 'Write servicePrincipalName'
* Finish your task

If there are any known side-effects of delegating these permissions, please let me know.

Thanks
Raj Pagaku

> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> Sent: Friday, November 10, 2006 11:16 AM
> To: Raj Pagaku
> Cc: Jean-Vincent BAYARRI; samba@lists.samba.org
> Subject: Re: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
>
> Raj Pagaku wrote:
> > Thanks Jerry for your response. It is case (b). The fqdn of the local
> > machine is set to a domain outside the AD domain name and the user
> > credentials being used are 'Domain User' and not 'Domain Admin'.
> >
> > Do we need 'Domain Admin' if the local machine domain is outside the AD
> > domain name? Is this a restriction that will be addressed in the near
> > future?
>
> This is an AD restriction on the default security assigned
> to a computer object. When a non-admin is given the right
> to join a specific machine to the domain, that user is only
> granted validated write access to the DnsHostName and
> servicePrincipalName attributes. A Windows XP box would fail
> to join the domain in the same way.
>
> This doc explains it:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp
>
> cheers, jerry
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Centeris                         ----------- http://www.centeris.com
> "What man is a man who does not make the world better?"      --Balian
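Editor's added example, not code from the thread or from the Samba project: the delegation Raj performed in the wizard, done from PowerShell, together with the rule behind the "validated write" Jerry describes. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or an RSAT host; it did not exist on the Windows 2003 server in the thread) and Domain Admin credentials in child1.ad.wga. The principal CHILD1\olympus, the Computers container and the computer account WSA29$ are taken from the thread; the function names, the `-Validated` switch and the `Test-ValidatedDnsHostName` check are the editor's.

```powershell
# Added example (editor's, not from the thread or from Samba). Delegates on
# computer objects the two attributes 'olympus' could not write, as Raj did
# through the wizard, and shows the rule behind the 'validated write' that
# rejected wsa29.wga. Assumes the ActiveDirectory module (2008 R2+ / RSAT)
# and Domain Admin credentials in child1.ad.wga.
Import-Module ActiveDirectory

$domain   = Get-ADDomain -Identity 'child1.ad.wga'
$target   = $domain.ComputersContainer              # CN=Computers,DC=child1,DC=ad,DC=wga
$delegate = New-Object System.Security.Principal.NTAccount('CHILD1', 'olympus')
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUIDs from the schema rather than hard-coding them. For
# dNSHostName and servicePrincipalName the attribute GUID doubles as the
# rightsGuid of the matching 'Validated write to ...' control access right.
function Get-SchemaGuid([string] $ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    [guid] $obj.schemaIDGUID
}
$computerClass = Get-SchemaGuid 'computer'
$attrGuids     = @((Get-SchemaGuid 'dNSHostName'), (Get-SchemaGuid 'servicePrincipalName'))

# -Validated grants Self (the 'validated write' a joining non-admin normally
# holds). Without it, WriteProperty: the unvalidated 'Write dNSHostName' /
# 'Write servicePrincipalName' Raj ticked in the wizard.
function Add-ComputerAttributeDelegation([switch] $Validated) {
    $rights = if ($Validated) { [System.DirectoryServices.ActiveDirectoryRights]::Self }
              else            { [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty }
    $acl = Get-Acl -Path "AD:\$target"
    foreach ($attrGuid in $attrGuids) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $delegate, $rights,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $attrGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $computerClass)                         # computer objects below $target only
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$target" -AclObject $acl
}

# The constraint AD enforces on a validated write of dNSHostName (MS-ADTS,
# 'dNSHostName Value Constraints'): <sAMAccountName minus '$'>.<domain DNS
# name>, or one of the suffixes listed in msDS-AllowedDNSSuffixes on the
# domain object. A Domain Admin has unvalidated write and skips this check.
function Test-ValidatedDnsHostName([string] $samAccountName, [string] $dnsHostName,
                                   [string] $domainDns, [string[]] $allowedSuffixes = @()) {
    $short = $samAccountName.TrimEnd('$')
    foreach ($suffix in @($domainDns) + $allowedSuffixes) {
        if ($dnsHostName -ieq "$short.$suffix") { return $true }
    }
    return $false
}

Test-ValidatedDnsHostName 'WSA29$' 'wsa29.wga'           'child1.ad.wga'           # Raj's case (b)
Test-ValidatedDnsHostName 'WSA29$' 'wsa29.child1.ad.wga' 'child1.ad.wga'           # hostname inside the domain
Test-ValidatedDnsHostName 'WSA29$' 'wsa29.wga'           'child1.ad.wga' @('wga')  # 'wga' in msDS-AllowedDNSSuffixes

Add-ComputerAttributeDelegation          # what Raj did: unvalidated WriteProperty
```

The `WriteProperty` ACEs Raj granted bypass the validated-write check, so the delegate can set any dNSHostName or servicePrincipalName on every computer object under the container, including SPNs that name other hosts; that is the side effect to weigh before granting them to a plain user. If the Samba host can be named inside the AD DNS domain (wsa29.child1.ad.wga), or `wga` can be added to `msDS-AllowedDNSSuffixes` on the domain object, the validated write Jerry describes is sufficient and no extra delegation is needed.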