vincent.blondel@ing.be
2008-Oct-28  11:45 UTC
[Samba] "Failed to set servicePrincipalNames" join ADS issue.
Hello all,
I am trying to make one of my Solaris servers a member of our W2K3 ADS
domain. LDAP and Kerberos packages are installed.
* when I try to get a ticket granting ticket, no problem ... kinit and klist
are all running fine .. below is my krb5 config file
# cat /etc/krb5/krb5.conf
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    # admin_server = FILE:/var/log/krb5/kadmind.log
    default = FILE:/var/log/krb5/krb5libs.log
[libdefaults]
    default_realm = XXX.XXX
    default_keytab_name = /etc/krb5/krb5.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true
    ticket_lifetime = 24000
[realms]
    XXX.XXX = {
        kdc = server1.xxx.xxx:88
        kdc = server2.xxx.xxx:88
        default_domain = XXX.XXX
    }
[domain_realm]
.xxx.xxx = XXX.XXX
xxx.xxx = XXX.XXX
[appdefaults]
    kinit = {
        renewable = true
        forwardable= true
    }
* when I try to run an LDAP query through the SASL/GSSAPI API,
everything is also working fine. I get the answer to my LDAP query
without giving any password. The SASL API takes my Kerberos ticket to
authenticate myself on the ADS. Just after receiving the answer to my query, I
see I also now get an LDAP service ticket ... below is my LDAP config file
# cat /etc/ldap/ldap.conf
BASE    dc=xxx, dc=xxx
URI     ldap://server1.xxx.xxx:389 ldap://server2.xxx.xxx:389
so this is okay but ... now comes the time to join my server to this AD.
I become root
kinit myuser
net ads join createcomputer="BE/Server"
.. first of all I get a prompt for a password .. why? I do not know why my
Kerberos ticket is not used ??
so I try another way to do it:
net ads join createcomputer="BE/Server" -U admin
... and I get this error message
Using short domain name -- XXXXX
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'SERVER' in realm 'XXX.XXX'
Failed to join domain: Type or value exists
this is my Samba config file ..
[global]
security = ADS
workgroup = XXX
realm = XXX.XXX
winbind separator = +
encrypt passwords = true
I do not really understand the error message. I already have 20 machines
defined in my ADS, and I used the same procedure as before. The only
difference is that I added the option createcomputer. This one did not exist
before (my previous version was 3.0.20).
This is the first time I create an account with this version (3.0.32).
My server is correctly defined in the DNS with FQDN
"myserver.srv.domain.tlddomain.". I checked DNS A and PTR; everything is
coherent.
Many thanks for helping me get further with this job.
thanks
Vincent
Linux Addict
2008-Oct-28  18:27 UTC
[Samba] "Failed to set servicePrincipalNames" join ADS issue.
vincent.blondel@ing.be wrote:
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Deleted account for 'SERVER' in realm 'XXX.XXX'
> Failed to join domain: Type or value exists

Usually this error is something to do with hostname or domain name. When you do "hostname", what is the output? Add "-d 10" to the net join command to see what is failing, or post the output.
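Added example (not from the thread and not Samba's own code): a POSIX sh pre-join check that does by hand what the reply suggests, comparing the DNS domain of the hostname with the realm and listing the HOST/ SPNs a join would register, flagging case-insensitive duplicates, which is what an LDAP "Type or value exists" result indicates. It assumes net ads join registers HOST/<short> and HOST/<fqdn>; the hostnames and realm used in it are constructed sample values.

```shell
#!/bin/sh
# Pre-join sanity check for "net ads join". Assumption: the join registers
# HOST/<shortname> and HOST/<fqdn> on the computer object (example code,
# not Samba's). Run as: check_join_names "$(hostname)" "<realm from smb.conf>".

# Lower-case a string (AD compares SPNs and DNS names case-insensitively).
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# spn_list FQDN [extra SPN...]: the SPNs a join would try to add.
spn_list() {
    fqdn=$(lc "$1"); short=${fqdn%%.*}; shift
    printf 'HOST/%s\n' "$short" "$fqdn"
    for extra in "$@"; do printf '%s\n' "$extra"; done
}

# dns_domain_matches FQDN REALM: succeeds when everything after the first
# label of FQDN equals the realm (the condition the error message names).
dns_domain_matches() {
    fqdn=$(lc "$1"); domain=${fqdn#*.}; realm=$(lc "$2")
    [ "$domain" = "$realm" ]
}

# spn_duplicates FQDN [extra SPN...]: SPNs that would be added twice. A short
# hostname with no domain part yields HOST/name twice, and an LDAP modify
# adding an already-present value fails with "Type or value exists".
spn_duplicates() {
    spn_list "$@" | tr 'A-Z' 'a-z' | sort | uniq -d
}

# check_join_names FQDN REALM: returns 0 when names are consistent,
# otherwise prints each problem found and returns 1.
check_join_names() {
    rc=0
    if ! dns_domain_matches "$1" "$2"; then
        echo "DNS domain of '$1' does not match realm '$2'"; rc=1
    fi
    dups=$(spn_duplicates "$1")
    if [ -n "$dups" ]; then
        echo "duplicate SPN(s) would be registered: $dups"; rc=1
    fi
    return $rc
}
```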