Hi,

I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to
join a Solaris 11 machine to this domain:

# smbadm join -u Administrator DOMAIN
After joining DOMAIN the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Locating DC in DOMAIN ... this may take a minute ...
Joining DOMAIN ... this may take a minute ...
failed to join DOMAIN: UNSUCCESSFUL
Please refer to the system log for more information.

In /var/adm/messages:
Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify: Insufficient access
Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation trust account update failed

Windows 7 clients are able to join, but Solaris 11 fails.

Kerberos seems to be fine:
# kinit oskar
Password for oskar at DOMAIN.COM:
Warning: Your password will expire in 41 days on Wed Mar 13 19:44:52 2013

But if I run it for Administrator:
# kinit Administrator
Password for Administrator at DOMAIN.COM:
Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
kinit: no ktkt_warnd warning possible

Any idea what is going wrong here?

Ihsan
--
ihsan at dogan.ch http://blog.dogan.ch/
Hi.

I can probably help there, because I have been through similar problems.

1. Remember that smbadm has nothing to do with Samba at all. It's primarily concerned with Solaris 11's CIFS service (in kernel windows-appropriate file serving from Oracle).

2. I am pretty sure you'll find your /etc/krb5/krb5.conf needs to be solid and in place before smbadm works. That was the case for me.

3. I needed to create the object in my Active Directory forest first, before anything worked. That's what got it working for me.

You probably won't get any help from this list for this kind of thing, as it's very much a Samba-focused list. Samba != Oracle's CIFS.

Hope me spotting this helped you, though.

--JC

On 31/01/13 6:49 AM, "İhsan Doğan" <ihsan at dogan.ch> wrote:
>
>Hi,
>
>I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to
>join a Solaris 11 machine to this domain:
>
># smbadm join -u Administrator DOMAIN
>After joining DOMAIN the smb service will be restarted automatically.
>Would you like to continue? [no]: yes
>Enter domain password:
>Locating DC in DOMAIN ... this may take a minute ...
>Joining DOMAIN ... this may take a minute ...
>failed to join DOMAIN: UNSUCCESSFUL
>Please refer to the system log for more information.
>
>In /var/adm/messages:
>Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify:
>Insufficient access
>Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation
>trust account update failed
>
>Windows 7 clients are able to join, but Solaris 11 fails.
>
>Kerberos seems to be fine:
># kinit oskar
>Password for oskar at DOMAIN.COM:
>Warning: Your password will expire in 41 days on Wed Mar 13 19:44:52 2013
>
>But if I run it for Administrator:
># kinit Administrator
>Password for Administrator at DOMAIN.COM:
>Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
>kinit: no ktkt_warnd warning possible
>
>Any idea what is going wrong here?
>
>Ihsan
>--
>ihsan at dogan.ch http://blog.dogan.ch/

I can help (I run various openindiana storage servers in my company). Basically you need to check 3 things:

1) /etc/krb/krb5.conf

Make sure you have your [realms] and [domain_realm] configs correct, e.g. if you have a domain called DOMAIN.LOCAL and a DC server hostname dc.domain.local (make sure that hostname resolves via DNS or the /etc/hosts file):

[libdefaults]
    default_realm = DOMAIN.LOCAL

[realms]
    DOMAIN.LOCAL = {
        kdc = dc.domain.local
        kpasswd_server = dc.domain.local
        kpasswd_protocol = SET_CHANGE
        admin_server = dc.domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL

2) time

Make sure you ntpdate with your DC to ensure your time is in sync.

3) LMauth level

sharectl set -p lmauth_level=4 smb

Depending on your AD forest version, you may need to do either level=2 or 4.

Hope this helps.

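
The krb5.conf check in item 1 can be done mechanically before running smbadm join. This is an added example, not part of the original thread: the function names check_krb5_conf and sample_conf are made up here, the sample file is constructed from the placeholder names in the post, and only the file's internal consistency is checked (not DNS resolution or clock skew).

```shell
#!/bin/sh
# Added example: consistency check for krb5.conf before attempting a domain join.
# Reads the file named as $1, or stdin when no argument is given.
# Assumes one setting per line (multi-line realm stanzas, as in the post above).
check_krb5_conf() {
    awk '
    function trim(s)  { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function key(l)   { sub(/=.*$/, "", l); return trim(l) }
    function value(l) { sub(/^[^=]*=/, "", l); return trim(l) }
    function bad(msg) { print "PROBLEM: " msg; problems++ }

    /^[ \t]*([#;]|$)/ { next }                  # comments and blank lines
    /^[ \t]*\[/ {                               # section header, e.g. [realms]
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section); next
    }
    section == "libdefaults" && key($0) == "default_realm" { dflt = value($0); next }
    section == "realms" && /=[ \t]*[{]/ { realm = key($0); stanza[realm] = 1; next }
    section == "realms" && /[}]/        { realm = ""; next }
    section == "realms" && realm != "" && key($0) == "kdc" { kdc[realm] = 1; next }
    section == "domain_realm" && /=/    { maps[value($0)] = key($0); next }

    END {
        if (dflt == "") {
            bad("no default_realm in [libdefaults]")
        } else {
            # Kerberos realm names are case sensitive; AD realms are upper case.
            if (dflt != toupper(dflt)) bad("default_realm " dflt " is not upper case")
            if (!(dflt in stanza))     bad("no [realms] stanza for " dflt)
            else if (!(dflt in kdc))   bad("realm " dflt " has no kdc entry")
        }
        for (r in maps)
            if (!(r in stanza)) bad("[domain_realm] maps " maps[r] " to undefined realm " r)
        exit (problems > 0)
    }' "$@"
}

# Constructed sample: the configuration from the post, with its placeholder names.
sample_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = DOMAIN.LOCAL
[realms]
    DOMAIN.LOCAL = {
        kdc = dc.domain.local
        admin_server = dc.domain.local
    }
[domain_realm]
    .domain.local = DOMAIN.LOCAL
EOF
}

sample_conf | check_krb5_conf && echo "krb5.conf is consistent"
```

The function exits non-zero and prints one PROBLEM line per finding, so it can gate a join script.
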
Andrew Bartlett
2013-Feb-06 10:46 UTC
[Samba] Solaris 11 can't join Active Directory Domain
On Wed, 2013-01-30 at 21:49 +0100, İhsan Doğan wrote:
> Hi,
>
> I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to
> join a Solaris 11 machine to this domain:
>
> # smbadm join -u Administrator DOMAIN
> After joining DOMAIN the smb service will be restarted automatically.
> Would you like to continue? [no]: yes
> Enter domain password:
> Locating DC in DOMAIN ... this may take a minute ...
> Joining DOMAIN ... this may take a minute ...
> failed to join DOMAIN: UNSUCCESSFUL
> Please refer to the system log for more information.
>
> In /var/adm/messages:
> Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify:
> Insufficient access
> Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation
> trust account update failed
>
> Windows 7 clients are able to join, but Solaris 11 fails.
>
> Kerberos seems to be fine:
> # kinit oskar
> Password for oskar at DOMAIN.COM:
> Warning: Your password will expire in 41 days on Wed Mar 13 19:44:52 2013
>
> But if I run it for Administrator:
> # kinit Administrator
> Password for Administrator at DOMAIN.COM:
> Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
> kinit: no ktkt_warnd warning possible
>
> Any idea what is going wrong here?

Does this work against a freshly provisioned Samba 4.0.3 domain? We fixed a lot of ACL related things with that release.

Andrew Bartlett

--
Andrew Bartlett                          http://samba.org/~abartlet/
Authentication Developer, Samba Team     http://samba.org