samba - Jan 2009 - [Solaris 9][ads] net ads testjoin error

Hello folks,

I have been able to successfully compile (MIT) kerberos (1.5.4) and
samba (3.0.28a) on a Solaris 9 (Kernel version: SunOS 5.9 Generic
122300-31 Aug 2008) host.
I was able to successfully join this host to a DEVDOMAIN

This is the smb.conf file that I used:
  [global]
  # If there are no settings here, Samba uses the default values for all
global settings
  security          = ads
  realm             = DEVDOMAIN.CA
  workgroup         = DEVDOMAIN
  encrypt passwords = yes
  server string     = %h Samba %v
  smb ports = 445
  disable netbios = yes
  name resolve order = hosts
  log file          = /var/log/samba/samba_log.%m
  log level         = 2
  # This include statement will grab the share configuration information
from an external file
  include           = /usr/local/samba/lib/smb.conf.%h

Tested, and everything worked as expected. Shares listed in
/usr/local/samba/lib/smb.conf.hostname were available, and all was good.
Next step, was to join the host to the production domain...

I changed all mention of DEVDOMAIN to DOMAIN in smb.conf. 

However, when I run "net ads testjoin", I'm getting the following
error...

bash-2.05# net ads testjoin
[2009/01/07 09:27:34, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password TSTSMB09$@DOMAIN.CA failed: Cannot resolve
network address for KDC in requested realm
[2009/01/07 09:27:34, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password TSTSMB09$@DOMAIN.CA failed: Cannot resolve
network address for KDC in requested realm
Join to domain is not valid: Undetermined error


Is this related to the host having belonged to a different domain to
begin with? Or am I missing something bigger?

Avron,

In addition to below, try restarting Smb + Winbind after you obtain new
Kerberos ticket via kinit.

-Kums

On Wed, Jan 7, 2009 at 5:28 PM, Kums <kumaran.rajaram@gmail.com> wrote:
> Avron,
>
> Did you update your "/etc/krb5.conf"  to include the new domain +
KDC info
> and "kinit" before joining to the new Domain via "net ads
join"?
>
> -Kums
>
>
> On Wed, Jan 7, 2009 at 9:39 AM, Avron Gray <agray@aeso.ca> wrote:
>
>> Hello folks,
>>
>> I have been able to successfully compile (MIT) kerberos (1.5.4) and
>> samba (3.0.28a) on a Solaris 9 (Kernel version: SunOS 5.9 Generic
>> 122300-31 Aug 2008) host.
>> I was able to successfully join this host to a DEVDOMAIN
>>
>> This is the smb.conf file that I used:
>>  [global]
>>  # If there are no settings here, Samba uses the default values for all
>> global settings
>>  security          = ads
>>  realm             = DEVDOMAIN.CA
>>  workgroup         = DEVDOMAIN
>>  encrypt passwords = yes
>>  server string     = %h Samba %v
>>  smb ports = 445
>>  disable netbios = yes
>>  name resolve order = hosts
>>  log file          = /var/log/samba/samba_log.%m
>>  log level         = 2
>>  # This include statement will grab the share configuration information
>> from an external file
>>  include           = /usr/local/samba/lib/smb.conf.%h
>>
>> Tested, and everything worked as expected. Shares listed in
>> /usr/local/samba/lib/smb.conf.hostname were available, and all was
good.
>> Next step, was to join the host to the production domain...
>>
>> I changed all mention of DEVDOMAIN to DOMAIN in smb.conf.
>>
>> However, when I run "net ads testjoin", I'm getting the
following
>> error...
>>
>> bash-2.05# net ads testjoin
>> [2009/01/07 09:27:34, 0] libads/kerberos.c:ads_kinit_password(228)
>>  kerberos_kinit_password TSTSMB09$@DOMAIN.CA failed: Cannot resolve
>> network address for KDC in requested realm
>> [2009/01/07 09:27:34, 0] libads/kerberos.c:ads_kinit_password(228)
>>  kerberos_kinit_password TSTSMB09$@DOMAIN.CA failed: Cannot resolve
>> network address for KDC in requested realm
>> Join to domain is not valid: Undetermined error
>>
>>
>> Is this related to the host having belonged to a different domain to
>> begin with? Or am I missing something bigger?
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>
>
>