I am trying to add a (CentOS4.4) Samba-3.0.23d server to an AD Win2K3 domain and the following error occurs

# /usr/kerberos/bin/kinit administrator@SUBDOM.DOMAIN
# net join
Using short domain name -- SUBDOM
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'SAMBA-4BCA' in realm 'SUBDOM.DOMAIN'
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Unable to find a suitable server

/etc/resolv.conf contains "domain subdom.domain", /etc/krb5.conf is configured for SUBDOM.DOMAIN, and yet that fails. Also "ping subdom.domain" returns tonnes of domain controllers - so I can't understand how it can't find a "suitable server".

If I add the admin username to the command line, and point it explicitly at a DC I get:

# net join -Uadministrator%password -Wsubdom -S dc.subdom.domain
kerberos_kinit_password administrator@SUBDOM.DOMAIN failed: Preauthentication failed
[2006/12/06 03:43:33, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Preauthentication failed
ADS join did not work, falling back to RPC...
Joined domain SUBDOM.

...but it didn't work. MMC Users and Computers shows the hostname in the Computers container - but it either has 8bit garbage after the name (i.e. it's corrupt), or it's marked as Disabled.

Any ideas what's wrong?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

On Wednesday 06 December 2006 09:53, Jason Haar wrote:
> I am trying to add a (CentOS4.4) Samba-3.0.23d server to an AD Win2K3
> domain and the following error occurs
>
> # /usr/kerberos/bin/kinit administrator@SUBDOM.DOMAIN
> # net join
> Using short domain name -- SUBDOM
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Disabled account for 'SAMBA-4BCA' in realm 'SUBDOM.DOMAIN'
> ADS join did not work, falling back to RPC...
> Unable to find a suitable server
> Unable to find a suitable server

I had this ugly trap some days ago. As a workaround you can join in DCE-RPC mode:

net rpc join -U administrator -w DOMAIN

(here DOMAIN is the Pre-Windows 2000 domain name!) and then testjoin:

net ads testjoin

Join is OK :-)

Probably your hostname is not equal to your AD full name (i.e. box.hostname.com but the AD is named hostname.org). Today I'll put a big pile of debug messages in the source to trace the problem (it is net_ads.c in utils) and try to reach a 'natural' solution...

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Web: http://www.askd.ru/~shelton
OOO "ACK" telecommunications administrator, e-mail: achilov-rn [at] askd.ru
PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A

On Wednesday 06 December 2006 09:53, Jason Haar wrote:
> I am trying to add a (CentOS4.4) Samba-3.0.23d server to an AD Win2K3
> domain and the following error occurs
>
> # /usr/kerberos/bin/kinit administrator@SUBDOM.DOMAIN
> # net join
> Using short domain name -- SUBDOM
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Disabled account for 'SAMBA-4BCA' in realm 'SUBDOM.DOMAIN'
> ADS join did not work, falling back to RPC...
> Unable to find a suitable server
> Unable to find a suitable server

Some days ago I had this bug. And I traced how 'net ads' works. This error is thrown when 'net' tries to set the principals HOST/hostname and HOST/hostname.domain.tld. First, it takes the machine name and creates HOST/hostname. Second, it calls my_fqdn() to convert the machine name to an FQDN, BUT (!!) it uses only /etc/hosts here! No nsswitch, no gethostbyname(). So, check your /etc/hosts - probably there is a wrong record there.

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Web: http://www.askd.ru/~shelton
OOO "ACK" telecommunications administrator, e-mail: achilov-rn [at] askd.ru
PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A
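
The /etc/hosts check suggested in the last reply, as an added example that is not part of the thread and not Samba's own code. It assumes the hosts lookup returns the canonical (first) name on the line that lists the machine, as hosts(5) defines it; the function names, addresses and sample files are constructed, while SAMBA-4BCA and SUBDOM.DOMAIN are the names from the original post.

```shell
#!/bin/sh
# Pre-join check: does the hosts file give this machine an FQDN inside the
# AD DNS domain? Function names and sample data are constructed.

# Print the canonical name (first name after the address) of the first
# hosts-file line that lists HOST among its names, case-insensitively.
hosts_canonical() {   # usage: hosts_canonical FILE HOST
    awk -v h="$2" '
        BEGIN { h = tolower(h) }
        { sub(/#.*/, "") }                  # drop trailing comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == h) { print tolower($2); exit }
        }' "$1"
}

# Compare the DNS domain of that canonical name with the AD realm.
check_join_fqdn() {   # usage: check_join_fqdn FILE HOST REALM
    realm=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    fqdn=$(hosts_canonical "$1" "$2")
    case "$fqdn" in
        "")  echo "missing: no hosts entry lists $2" ;;
        *.*) if [ "${fqdn#*.}" = "$realm" ]; then
                 echo "ok: $fqdn"
             else
                 echo "mismatch: $fqdn is not in $realm"
             fi ;;
        *)   echo "short: canonical name $fqdn has no domain part" ;;
    esac
}

# Constructed sample hosts files, one per outcome.
demo_dir=$(mktemp -d)
printf '127.0.0.1 localhost\n192.0.2.10 samba-4bca samba-4bca.subdom.domain\n' > "$demo_dir/short"
printf '127.0.0.1 localhost\n192.0.2.10 samba-4bca.other.example samba-4bca\n' > "$demo_dir/wrong"
printf '127.0.0.1 localhost\n192.0.2.10 samba-4bca.subdom.domain samba-4bca # ok\n' > "$demo_dir/good"
for f in short wrong good; do
    check_join_fqdn "$demo_dir/$f" samba-4bca SUBDOM.DOMAIN
done
```

On a real host, call `check_join_fqdn /etc/hosts "$(hostname -s)" SUBDOM.DOMAIN` before attempting the join.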