Paul Smith
2012-Feb-09 16:14 UTC
[Samba] Unable to create principle and join domain with solaris / samba 3.5.8
Has anyone had any success using net ads join to create a new service principal and join Active Directory using samba 3.5.8? This works fine in 3.0.35 but I'm not able to get a working create/join with 3.5.8.

In samba 3.0.35 (on a host which is already allowing kerberised logins via AD), the following works:

net ads join createupn='CIFS/host.domain.com' \
    createcomputer='path/to/principal/' -U myadlogin

After upgrading and restarting, samba works fine but deleting the AD service principal and samba/private files to reconfigure, the net join fails:

# net ads join createupn='CIFS/smbtest.uk.domain.com' createcomputer='MITKerberos/Services' -U myadlogin
Enter myadlogin's password:
Failed to join domain: failed to precreate account in ou MITKerberos/Services: Invalid DN syntax

The OU exists in AD (and works for earlier samba versions). Looking at net ads join output with -d 99, it looks like the net command isn't passing the netbios name through?

[2012/02/09 15:45:29.014700, 1] libnet/libnet_join.c:1978()
  libnet_Join:
  libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
      account_name : NULL
      netbios_domain_name : 'AAA'
      dns_domain_name : 'aaa.ads.domain.com'
      forest_name : 'ADS.DOMAIN.COM'
      dn : NULL
      domain_sid : *
        domain_sid : S-1-5-21-1606980848-1965331169-1417001333
      modified_config : 0x00 (0)
      error_string : 'failed to precreate account in ou MITKerberos/Services: Invalid DN syntax'
      domain_is_ad : 0x01 (1)
      result : WERR_DEFAULT_JOIN_REQUIRED
[2012/02/09 15:45:29.014909, 10] intl/lang_tdb.c:138()
  lang_tdb_init: /usr/lib/samba/en_GB.UTF-8.msg: No such file or directory
Failed to join domain: failed to precreate account in ou MITKerberos/Services: Invalid DN syntax
[2012/02/09 15:45:29.015245, 2] utils/net.c:916()
  return code = -1

The smb.conf for this is as follows:

[global]
    server string = SMBTEST Samba Server
    security = ADS
    realm = AAA.ADS.DOMAIN.COM
    netbios name = SMBTEST
    workgroup = AAA
    interfaces = SMBTEST.uk.domain.com
    bind interfaces only = Yes
    log level = 3
    log file = /var/samba/log/log.%m
    max log size = 128
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE
    nis homedir = No
    hide dot files = Yes
    wide links = No
    local master = No
    domain master = No
    preferred master = No
    os level = 0

[homes]
    comment = Home Directories
    browseable = yes
    public = no
    writable = yes

Anyone have any pointers on how to create principals and join AD using 3.5.8 or any ideas of relevant changes between 3.0.35 and 3.5.8 that might explain this?

Regards

Paul
Paul Smith
2012-Feb-16 15:27 UTC
[Samba] Unable to create principle and join domain with solaris / samba 3.5.8
Oracle are suggesting this is a known bug (oracle ID 7105257) with the createcomputer argument of net ads join.

Has anyone come across this issue or have working examples of Samba >3.5.8 joining AD without requiring Administrator privileges?

Regards

Paul

On 9 Feb 2012, at 16:14, Paul Smith <paul.bb.smith at gmail.com> wrote:

> Has anyone had any success using net ads join to create a new service
> principal and join Active Directory using samba 3.5.8? This works fine
> in 3.0.35 but I'm not able to get a working create/join with 3.5.8.
>
> In samba 3.0.35 (on a host which is already allowing kerberised
> logins via AD), the following works:
>
> net ads join createupn='CIFS/host.domain.com' \
> createcomputer='path/to/principal/' -U myadlogin
>
> After upgrading and restarting, samba works fine but deleting the AD
> service principal and samba/private files to reconfigure, the net join
> fails:
>
> # net ads join createupn='CIFS/smbtest.uk.domain.com'
> createcomputer='MITKerberos/Services' -U myadlogin
> Enter myadlogin's password:
> Failed to join domain: failed to precreate account in ou
> MITKerberos/Services: Invalid DN syntax
>
> The OU exists in AD (and works for earlier samba versions). Looking at
> net ads join output with -d 99, it looks like the net command isn't
> passing the netbios name through?
>
> [2012/02/09 15:45:29.014700, 1] libnet/libnet_join.c:1978()
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'AAA'
> dns_domain_name : 'aaa.ads.domain.com'
> forest_name : 'ADS.DOMAIN.COM'
> dn : NULL
> domain_sid : *
> domain_sid : S-1-5-21-1606980848-1965331169-1417001333
> modified_config : 0x00 (0)
> error_string : 'failed to precreate account in ou
> MITKerberos/Services: Invalid DN syntax'
> domain_is_ad : 0x01 (1)
> result : WERR_DEFAULT_JOIN_REQUIRED
> [2012/02/09 15:45:29.014909, 10] intl/lang_tdb.c:138()
> lang_tdb_init: /usr/lib/samba/en_GB.UTF-8.msg: No such file or directory
> Failed to join domain: failed to precreate account in ou
> MITKerberos/Services: Invalid DN syntax
> [2012/02/09 15:45:29.015245, 2] utils/net.c:916()
> return code = -1
>
> The smb.conf for this is as follows:
>
> [global]
> server string = SMBTEST Samba Server
> security = ADS
> realm = AAA.ADS.DOMAIN.COM
> netbios name = SMBTEST
> workgroup = AAA
> interfaces = SMBTEST.uk.domain.com
> bind interfaces only = Yes
> log level = 3
> log file = /var/samba/log/log.%m
> max log size = 128
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536
> SO_SNDBUF=65536 SO_KEEPALIVE
> nis homedir = No
> hide dot files = Yes
> wide links = No
> local master = No
> domain master = No
> preferred master = No
> os level = 0
>
> [homes]
> comment = Home Directories
> browseable = yes
> public = no
> writable = yes
>
> Anyone have any pointers on how to create principals and join AD using
> 3.5.8 or any ideas of relevant changes between 3.0.35 and 3.5.8 that
> might explain this?
>
> Regards
>
> Paul