samba - Oct 2008 - "Failed to set servicePrincipalNames" join ADS issue.

Hello all,

I am trying to make one of my solaris server member of our w2k3 ads
domain. ldap and kerberos packages are installed.

* when I try to get a ticket granting ticket, no problem ... kinit klist
are all running fine .. below my krb5 config file

# cat /etc/krb5/krb5.conf

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    # admin_server = FILE:/var/log/krb5/kadmind.log
    default = FILE:/var/log/krb5/krb5libs.log

[libdefaults]
    default_realm = XXX.XXX
    default_keytab_name = /etc/krb5/krb5.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true
    ticket_lifetime = 24000

[realms]
    XXX.XXX = {
        kdc = server1.xxx.xxx:88
        kdc = server2.xxx.xxx:88
        default_domain = XXX.XXX
    }

[domain_realm]
.xxx.xxx = XXX.XXX
xxx.xxx = XXX.XXX

[appdefaults]
    kinit = {
        renewable = true
        forwardable= true
    }

* when I try to run an ldap query through the sasl/gssapi api,
everything is also working fine. I get the answer to my ldap query
without giving any password. sasl api takes my kerberos ticket to
authentify myself on the ads. Just after receiving answer to my query, I
see I also no get a ldap service ticket ... below my ldap config file

# cat /etc/ldap/ldap.conf

BASE    dc=xxx, dc=xxx
URI     ldap://server1.xxx.xxx:389 ldap://server2.xxx.xxx:389

so this is okay but ... now comes the time to join my server to this ad.

I become root
kinit myuser
net ads join createcomputer="BE/Server" .. first of all I get a prompt
for password .. why ? I do not know why my kerberos ticket is not used
??

so I try another way to do it net ads join createcomputer="BE/Server"
-U
admin ... and I get this error message

Using short domain name -- XXXXX
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'SERVER' in realm 'XXX.XXX'
Failed to join domain: Type or value exists

this is my samba comfig file ..

[global]
security = ADS
workgroup = XXX
realm = XXX.XXX
winbind separator = +
encrypt passwords = true

I do not really understand the error message. I always get 20 machines
defined in  my ads and uses the same procedure as before. the only
difference is I added option createcomputer. this one did not exist
before ( my previous version was 3.0.20 ).

this is the first time I create an account with this version (3.0.32).
my server is correctly defined in the dns with fqdn
"myserver.srv.domain.tlddomain.". I checked dns A and PTR, everything
is
coherent.

many thanks to help me going further in this job.

thanks
Vincent
-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------

vincent.blondel@ing.be wrote:
> Hello all,
>
> I am trying to make one of my solaris server member of our w2k3 ads
> domain. ldap and kerberos packages are installed.
>
> * when I try to get a ticket granting ticket, no problem ... kinit klist
> are all running fine .. below my krb5 config file
>
> # cat /etc/krb5/krb5.conf
>
> [logging]
>     kdc = FILE:/var/log/krb5/krb5kdc.log
>     # admin_server = FILE:/var/log/krb5/kadmind.log
>     default = FILE:/var/log/krb5/krb5libs.log
>
> [libdefaults]
>     default_realm = XXX.XXX
>     default_keytab_name = /etc/krb5/krb5.keytab
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     forwardable = true
>     ticket_lifetime = 24000
>
> [realms]
>     XXX.XXX = {
>         kdc = server1.xxx.xxx:88
>         kdc = server2.xxx.xxx:88
>         default_domain = XXX.XXX
>     }
>
> [domain_realm]
> .xxx.xxx = XXX.XXX
> xxx.xxx = XXX.XXX
>
> [appdefaults]
>     kinit = {
>         renewable = true
>         forwardable= true
>     }
>
> * when I try to run an ldap query through the sasl/gssapi api,
> everything is also working fine. I get the answer to my ldap query
> without giving any password. sasl api takes my kerberos ticket to
> authentify myself on the ads. Just after receiving answer to my query, I
> see I also no get a ldap service ticket ... below my ldap config file
>
> # cat /etc/ldap/ldap.conf
>
> BASE    dc=xxx, dc=xxx
> URI     ldap://server1.xxx.xxx:389 ldap://server2.xxx.xxx:389
>
> so this is okay but ... now comes the time to join my server to this ad.
>
> I become root
> kinit myuser
> net ads join createcomputer="BE/Server" .. first of all I get a
prompt
> for password .. why ? I do not know why my kerberos ticket is not used
> ??
>
> so I try another way to do it net ads join
createcomputer="BE/Server" -U
> admin ... and I get this error message
>
> Using short domain name -- XXXXX
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Deleted account for 'SERVER' in realm 'XXX.XXX'
> Failed to join domain: Type or value exists
>
> this is my samba comfig file ..
>
> [global]
> security = ADS
> workgroup = XXX
> realm = XXX.XXX
> winbind separator = +
> encrypt passwords = true
>
> I do not really understand the error message. I always get 20 machines
> defined in  my ads and uses the same procedure as before. the only
> difference is I added option createcomputer. this one did not exist
> before ( my previous version was 3.0.20 ).
>
> this is the first time I create an account with this version (3.0.32).
> my server is correctly defined in the dns with fqdn
> "myserver.srv.domain.tlddomain.". I checked dns A and PTR,
everything is
> coherent.
>
> many thanks to help me going further in this job.
>
> thanks
> Vincent
> -----------------------------------------------------------------
> ATTENTION:
> The information in this electronic mail message is private and
> confidential, and only intended for the addressee. Should you
> receive this message by mistake, you are hereby notified that
> any disclosure, reproduction, distribution or use of this
> message is strictly prohibited. Please inform the sender by
> reply transmission and delete the message without copying or
> opening it.
>
> Messages and attachments are scanned for all viruses known.
> If this message contains password-protected attachments, the
> files have NOT been scanned for viruses by the ING mail domain.
> Always scan attachments before opening them.
> -----------------------------------------------------------------
>
>
>   
Usually this error is something to do with hostname or domain name.  
When you do "hostname", what is the output?

Add "-d 10" to net join command see what is failing or post the
output.