samba - Nov 2006 - can't join samba to win2k3 domain - please help

Hello, I've managed to join four other samba servers to win2k3 domains 
in the past but I am stuck doing so with samba-3.0.23c_2,1. I've 
verified hosts / domain forward and reverse lookups succeed. Below are 
my configurations. I'm running FreeBSD 6.1-stable cvsupped as of Nov 17. 
I've built Samba with the following options...

WITH_LDAP=true
WITH_ADS=true
WITHOUT_CUPS=true
WITH_WINBIND=true
WITHOUT_ACL_SUPPORT=true
WITHOUT_AIO_SUPPORT=true
WITHOUT_FAM_SUPPORT=true
WITHOUT_SYSLOG=true
WITHOUT_QUOTAS=true
WITH_UTMP=true
WITHOUT_MSDFS=true
WITHOUT_SMBSH=true
WITHOUT_PAM_SMBPASS=true
WITHOUT_EXP_MODULES=true
WITH_POPT=true

Below are other relavent configs.

----- BEGIN /etc/krb5.conf -----
[realms]
TEST.K12.IN.US = {
        kdc = tcp/10.0.15.205
}

----- END /etc/krb5.conf -----

----- BEGIN /usr/local/etc/smb.conf -----
[global]
workgroup = TEST
realm = TEST.K12.IN.US
netbios name = FIREWALL
winbind separator = +
winbind cache time = 10
winbind nested groups = Yes
winbind use default domain = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
security = ADS
password server = 10.0.15.205
allow trusted domains = No
use spnego = Yes

interfaces = 172.30.1.2/32 127.0.0.1/32

----- END /usr/local/etc/smb.conf -----

----- BEGIN /etc/nsswitch.conf -----
group: files winbind
group_compat: nis
hosts: files dns winbind
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
----- END /etc/nsswitch.conf -----

Now, when I try and join the domain, I get the following...

<root@firewall:namedb>net ads join -U administrator
administrators's password:
Using short domain name -- TEST
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'FIREWALL' in realm 'TEST.K12.IN.US'


Can someone please help me get around this? I'm using the same 
configuration templates I used on the other four machines that I had no 
problems with. One of those four samba boxes is on the same domain and 
working just fine. The only difference is that it's samba version 
samba-3.0.21b,1.

Hello
> Hello, I've managed to join four other samba servers to win2k3 domains 
> in the past but I am stuck doing so with samba-3.0.23c_2,1. I've 
> verified hosts / domain forward and reverse lookups succeed. 
...

I've got this type of error, when domain and samba machines were in
/etc/hosts but I've forgot to put newline after the string with samba
credenitals (it was the last string in file).

=Dmitry Panoff
Network administrator
Donetsk, Ukraine

Thanks to Senthil Kumar Ramamurthy I was able to get my joining of the 
samba server to Win2k3 domain fixed. He worked with me via email off the 
list and it turned out my problem was the order in which I had entries 
in the /etc/hosts file. The freebsd hosts file by default uses the 
format of 'xxx.xxx.xxx.xxx   alias    FQDN' which DOES NOT WORK with 
samba when joining to a win2k3 domain. Samba requires host entries which 
are relevant to the KDC etc to be in the format 'xxx.xxx.xxx.xxx   
FQDN    alias'. So, I hope this helps some others out there.

Again, a big thanks to Senthil Kumar Ramamurthy for his help and patience!

Elvar wrote:
> Hello, I've managed to join four other samba servers to win2k3 domains 
> in the past but I am stuck doing so with samba-3.0.23c_2,1. I've 
> verified hosts / domain forward and reverse lookups succeed. Below are 
> my configurations. I'm running FreeBSD 6.1-stable cvsupped as of Nov 
> 17. I've built Samba with the following options...
>
> WITH_LDAP=true
> WITH_ADS=true
> WITHOUT_CUPS=true
> WITH_WINBIND=true
> WITHOUT_ACL_SUPPORT=true
> WITHOUT_AIO_SUPPORT=true
> WITHOUT_FAM_SUPPORT=true
> WITHOUT_SYSLOG=true
> WITHOUT_QUOTAS=true
> WITH_UTMP=true
> WITHOUT_MSDFS=true
> WITHOUT_SMBSH=true
> WITHOUT_PAM_SMBPASS=true
> WITHOUT_EXP_MODULES=true
> WITH_POPT=true
>
> Below are other relavent configs.
>
> ----- BEGIN /etc/krb5.conf -----
> [realms]
> TEST.K12.IN.US = {
>        kdc = tcp/10.0.15.205
> }
>
> ----- END /etc/krb5.conf -----
>
> ----- BEGIN /usr/local/etc/smb.conf -----
> [global]
> workgroup = TEST
> realm = TEST.K12.IN.US
> netbios name = FIREWALL
> winbind separator = +
> winbind cache time = 10
> winbind nested groups = Yes
> winbind use default domain = Yes
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> security = ADS
> password server = 10.0.15.205
> allow trusted domains = No
> use spnego = Yes
>
> interfaces = 172.30.1.2/32 127.0.0.1/32
>
> ----- END /usr/local/etc/smb.conf -----
>
> ----- BEGIN /etc/nsswitch.conf -----
> group: files winbind
> group_compat: nis
> hosts: files dns winbind
> networks: files
> passwd: files winbind
> passwd_compat: nis
> shells: files
> ----- END /etc/nsswitch.conf -----
>
> Now, when I try and join the domain, I get the following...
>
> <root@firewall:namedb>net ads join -U administrator
> administrators's password:
> Using short domain name -- TEST
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Disabled account for 'FIREWALL' in realm 'TEST.K12.IN.US'
>
>
> Can someone please help me get around this? I'm using the same 
> configuration templates I used on the other four machines that I had 
> no problems with. One of those four samba boxes is on the same domain 
> and working just fine. The only difference is that it's samba version 
> samba-3.0.21b,1.
>
>