Hi everyone,

I am trying to set up a file server on Linux for Windows XP boxes in a
Windows Server 2003 environment. I followed an excellent tutorial on
Samba and ADS, which I recommend to all newbies like myself:
http://www.enterprisenetworkingplanet.com/netos/article.php/3487081.
Kerberos authentication seems to succeed, and apparently there is
nothing wrong with my smb.conf file, yet when I try to add the server to
the ADS I get the following error message: "Failed to join domain:
Invalid configuration and configuration modification was not requested".
This error seems to be undocumented: I have found nothing either on
Google or on the samba.org site.

Here's a transcript of a shell session showing this error.


samba:~# kinit
Password for Administrator@ARM.PRIV: <--- Authentication succeeds
samba:~# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[fileserver]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
    workgroup = ARM.PRIV
    realm = ARM.PRIV
    server string = File server avanzato
    security = ADS
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 10000-20000
    idmap gid = 10000-20000

[homes]
    comment = Home Directories
    valid users = %S
    create mask = 0700
    directory mask = 0700
    browseable = No

[fileserver]
    comment = Cartelle condivise
    path = /var/samba
    read only = No
    create mask = 0700

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
samba:~# net ads join -U administrator
Enter administrator's password:
Failed to join domain: Invalid configuration and configuration modification was not requested
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If I mistype the password I get a different error message:
samba:~# net ads join -U administrator%wrongpassword
Failed to join domain: failed to lookup DC info for domain 'ARM.PRIV' over rpc: Logon failure


Can anyone help me?

--
Alessandro Baretta

World Family of Radio Maria
http://www.radiomaria.org/

tel. +39 0332 228 150
fax. +39 0332 222 411
cel. +39 335 830 3189
skype alex.baretta
ekiga alexbaretta@ekiga.net

On Mon, Nov 24, 2008 at 03:47:52AM +0100, Alessandro Baretta wrote:
> Hi everyone,
>
> I am trying to set up a file server on Linux for Windows XP boxes in a
> Windows Server 2003 environment. I followed an excellent tutorial on
> Samba and ADS, which I recommend to all newbies like myself:
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081.
> Kerberos authentication seems to succeed, and apparently there is
> nothing wrong with my smb.conf file, yet when I try to add the server to
> the ADS I get the following error message: "Failed to join domain:
> Invalid configuration and configuration modification was not requested".
> This error seems to be undocumented: I have found nothing either on
> Google or on the samba.org site.
>
> Here's a transcript of a shell session showing this error.
>
>
> samba:~# kinit
> Password for Administrator@ARM.PRIV: <--- Authentication succeeds
> samba:~# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[fileserver]"
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>     workgroup = ARM.PRIV
>     realm = ARM.PRIV
>     server string = File server avanzato
>     security = ADS
>     log level = 3
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     panic action = /usr/share/samba/panic-action %d
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>
> [homes]
>     comment = Home Directories
>     valid users = %S
>     create mask = 0700
>     directory mask = 0700
>     browseable = No
>
> [fileserver]
>     comment = Cartelle condivise
>     path = /var/samba
>     read only = No
>     create mask = 0700
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     create mask = 0700
>     printable = Yes
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
> samba:~# net ads join -U administrator
> Enter administrator's password:
> Failed to join domain: Invalid configuration and configuration
> modification was not requested
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> If I mistype the password I get a different error message:
> samba:~# net ads join -U administrator%wrongpassword
> Failed to join domain: failed to lookup DC info for domain 'ARM.PRIV'
> over rpc: Logon failure
>
>
> Can anyone help me?
>
> --
> Alessandro Baretta
>

A couple of things to try.

1. Try the 'net join' command by getting rid of the space after the -U
   and type the username in caps, as follows:

   net ads join -UADMINISTRATOR

   * Mine failed to join with a similar error as yours, then without
   * changing any configuration, I did what I suggested above and the join
   * succeeded.

2. If that didn't work, try changing 'workgroup = ARM.PRIV' to
   'workgroup = ARM' in smb.conf. Then try joining again via
   'net ads join ...'.

On Mon, Nov 24, 2008 at 03:47:52AM +0100, Alessandro Baretta wrote:
> Hi everyone,
>
> I am trying to set up a file server on Linux for Windows XP boxes in a
> Windows Server 2003 environment. I followed an excellent tutorial on
> Samba and ADS, which I recommend to all newbies like myself:
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081.
> Kerberos authentication seems to succeed, and apparently there is
> nothing wrong with my smb.conf file, yet when I try to add the server to
> the ADS I get the following error message: "Failed to join domain:
> Invalid configuration and configuration modification was not requested".
> This error seems to be undocumented: I have found nothing either on
> Google or on the samba.org site.
>
> Here's a transcript of a shell session showing this error.
>
>
> samba:~# kinit
> Password for Administrator@ARM.PRIV: <--- Authentication succeeds
> samba:~# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[fileserver]"
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>     workgroup = ARM.PRIV
>     realm = ARM.PRIV
>     server string = File server avanzato
>     security = ADS
>     log level = 3
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     panic action = /usr/share/samba/panic-action %d
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>
> [homes]
>     comment = Home Directories
>     valid users = %S
>     create mask = 0700
>     directory mask = 0700
>     browseable = No
>
> [fileserver]
>     comment = Cartelle condivise
>     path = /var/samba
>     read only = No
>     create mask = 0700
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     create mask = 0700
>     printable = Yes
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
> samba:~# net ads join -U administrator
> Enter administrator's password:
> Failed to join domain: Invalid configuration and configuration
> modification was not requested
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> If I mistype the password I get a different error message:
> samba:~# net ads join -U administrator%wrongpassword
> Failed to join domain: failed to lookup DC info for domain 'ARM.PRIV'
> over rpc: Logon failure
>
>
> Can anyone help me?
>
> --
> Alessandro Baretta
>
> World Family of Radio Maria
> http://www.radiomaria.org/
>
> tel. +39 0332 228 150
> fax. +39 0332 222 411
> cel. +39 335 830 3189
> skype alex.baretta
> ekiga alexbaretta@ekiga.net
>

Alessandro,

I was able to reproduce your problem on my virtual machines. By that I
mean that in trying to join a 2003 domain in ADS mode, I get the exact
same error as you. I was able to solve it as explained below. Keep in
mind that the same error may be caused by different problems.

My test domain name is 'DOMAIN', and my realm is 'DOMAIN.COM'. Setting
either of the 2 following lines caused the error indicated:

    workgroup = DOMAIN.COM

or

    realm = DOMAIN

Setting as follows, I joined the domain no problem.

    workgroup = DOMAIN
    realm = DOMAIN.COM

So it appears the domain name is the leftmost portion of the REALM, and
the REALM must be the entire name. Anything else will fail.

So try changing your workgroup line setting it as follows:

    workgroup = ARM

I believe you will then be able to join samba to the 2003 domain. Give
it a shot and let me know.

--
Pablo
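
Added example, not part of the original thread: a pre-join check of the workgroup/realm pairing described in Pablo's reply, run against constructed smb.conf samples that use the names from the thread. The function names are hypothetical, and the first-label comparison is only the heuristic stated in the reply, so it is reported as a note rather than a failure.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample configs are constructed.

# Print the last value of a [global] parameter from an smb.conf-style file.
global_param() {
    awk -v want="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^\[/ { in_global = (tolower(line) ~ /^\[global\]/); next }
        !in_global || line ~ /^[#;]/ { next }
        {
            eq = index(line, "="); if (!eq) next
            key = tolower(substr(line, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr(line, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }' "$1"
}

# Return 0 when workgroup is a short name and realm a dotted DNS name, else 1.
check_ads_names() {
    wg=$(global_param "$1" workgroup | tr '[:lower:]' '[:upper:]')
    realm=$(global_param "$1" realm | tr '[:lower:]' '[:upper:]')
    rc=0
    case "$wg" in
        "")  echo "workgroup is not set"; rc=1 ;;
        *.*) echo "workgroup '$wg' is a dotted name; use the short domain name"; rc=1 ;;
    esac
    case "$realm" in
        "")  echo "realm is not set"; rc=1 ;;
        *.*) ;;
        *)   echo "realm '$realm' is not the full DNS-style name"; rc=1 ;;
    esac
    # Heuristic from the reply, not a rule: short name == first label of realm.
    if [ "$rc" -eq 0 ] && [ "$wg" != "${realm%%.*}" ]; then
        echo "note: workgroup '$wg' is not the first label of realm '$realm'"
    fi
    return "$rc"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '[global]\n  workgroup = ARM.PRIV\n  realm = ARM.PRIV\n' > "$tmp/before.conf"
printf '[global]\n  workgroup = ARM\n  realm = ARM.PRIV\n' > "$tmp/after.conf"
check_ads_names "$tmp/before.conf" || echo "before.conf: fix before 'net ads join'"
check_ads_names "$tmp/after.conf" && echo "after.conf: names look consistent"
```

Pointing `check_ads_names` at the real /etc/samba/smb.conf before running `net ads join` catches both failing combinations from the reply (dotted workgroup, undotted realm).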