Eric Diven
2008-Nov-04 23:12 UTC
[Samba] Problems joining a domain with a large number of DCs
I'm having issues joining samba to a domain with a large number of domain controllers. The domain is a mixed windows 2003/windows 2008 domain. The samba server is Solaris 10 update 5 running on SPARC.

I have a custom samba build of samba 3.0.28 on the server because we need Tobi Oetiker's samfs patch. Because of the issue that version has with passwords longer than eight characters on Solaris, I've also built samba 3.0.24 for using net to join the domain.

Using net from 3.0.24, I'm able to join the domain in the customary net ads join -U user@DOMAIN.COM way. A windows admin confirms that the account is created in active directory, and that it's enabled. When I net ads testjoin, however, it fails with the following error:

[2008/11/04 15:39:50, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2008/11/04 15:39:50, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password HOUSSFSFL002P$@CORP.DVN.COM failed: Preauthentication failed
Join to domain is not valid: Logon failure

Some googling around suggested that this might be caused by inconsistencies in the information in the DCs on a large domain, so I followed the suggestion to remove the machine account completely, create it by hand, manually synch the DCs, and then try. Various invocations of net ads join caused account disablement and the same error as above.

Digging further into the kerberos error, I can kinit a user on the domain without difficulty, and when I subsequently klist, I see some tickets. I can kdestroy and kinit, and tickets reappear.

Could anybody suggest what else I should look at? Is this a kerberos issue, a samba issue with caching the credentials, or something else?
Thanks,
~Eric

Here's the stuff net pulls from the config file when it runs:

[2008/11/04 15:39:29, 3] param/loadparm.c:do_section(3778)
  Processing section "[global]"
  doing parameter aio read size = 1
  doing parameter aio write size = 1
  doing parameter workgroup = FOO
  doing parameter server string = MSR Server
  doing parameter security = ADS
  doing parameter log file = /var/samba/log/log.%m
  doing parameter max log size = 50
  doing parameter password server = server1 server2 server3
  doing parameter realm = FOO.DOMAIN.COM
  doing parameter passdb backend = smbpasswd
  doing parameter preferred master = no
  doing parameter dns proxy = no
  doing parameter encrypt passwords = yes
  doing parameter winbind separator = +
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = no
  doing parameter winbind enum groups = no
  doing parameter idmap uid = 10000-20000
  doing parameter idmap gid = 10000-20000

I'll post logs if people want to see 'em.
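Added example, not part of the thread or of Samba itself: a POSIX sh helper that reads the "password server" list from an smb.conf text and runs net ads testjoin against each listed DC separately, so a machine account that only some DCs have replicated (or whose password differs between DCs) shows up as per-server failures rather than one "Logon failure". The smb.conf fragment and server names below are constructed placeholders; NET is overridable so the loop can be exercised without a domain.

```shell
#!/bin/sh
# Constructed smb.conf fragment (placeholder hosts, not the poster's real DCs).
SMB_CONF_SAMPLE='[global]
   workgroup = FOO
   security = ADS
   password server = server1 server2 server3
   realm = FOO.DOMAIN.COM'

# Print the DCs named on the "password server" line, one per line.
password_servers() {
    line=$(printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*password server[[:space:]]*=[[:space:]]*//p')
    for s in $line; do printf '%s\n' "$s"; done
}

# Run "net ads testjoin" (net's global -S selects the server) against each
# DC in turn and report which accept the machine account and which reject it.
# A split between OK and FAIL points at replication lag between DCs rather
# than a bad join as such. NET defaults to the real net binary.
NET=${NET:-net}
testjoin_per_dc() {
    ok=""; bad=""
    for dc in $(password_servers "$1"); do
        if "$NET" ads testjoin -S "$dc" >/dev/null 2>&1; then
            ok="$ok $dc"
        else
            bad="$bad $dc"
        fi
    done
    printf 'OK:%s\nFAIL:%s\n' "$ok" "$bad"
}
```

Run it as `testjoin_per_dc "$(cat /etc/samba/smb.conf)"` on the Samba host; a DC that appears under FAIL is the one to compare the machine account on.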
Volker Lendecke
2008-Nov-05 10:24 UTC
[Samba] Problems joining a domain with a large number of DCs
On Tue, Nov 04, 2008 at 05:59:25PM -0500, Eric Diven wrote:
> I'm having issues joining samba to a domain with a large number of
> domain controllers. The domain is a mixed windows 2003/windows 2008
> domain. The samba server is Solaris 10 update 5 running on SPARC.
>
> I have a custom samba build of samba 3.0.28 on the server because we
> need Tobi Oetiker's samfs patch. Because of the issue that version has
> with passwords longer than eight characters on Solaris, I've also built
> samba 3.0.24 for using net to join the domain.

You might want to use the latest git checkout of 3-0-test, for example available via

http://repo.or.cz/w/Samba.git?a=snapshot;h=af33c8b3521564c;sf=tgz

as there have been fixes for the server affinity cache during join.

Volker