samba - Apr 2016 - net join fail

I am trying to reconfigure a samba server to use authentication from the
University domain.

* smbd seems to start OK
* net ads testjoin is fine
* net ads join -U xxUSERNAME createcomputer="xxCOMPUTER" fails with:
Failed to join domain: failed to set machine spn: Constraint violation

(where xxTEXT indicates redaction - sorry I'm not sure what's
confidential and what isn't)

xxUSERNAME and xxCOMPUTER are valid (changing either changes the error
message).


 smb.conf starts:

       security = ads
        realm = xxDOMAIN
        workgroup = xxWORKGROUP
        idmap config * : range = 16667216-33554431
        idmap config * : backend = tdb
        encrypt passwords = yes


The diagnostics are:

net -d 1 ads join -U xxUSERNAME createcomputer="xxCOMPUTER" 
Enter xxUSERNAME's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'xxHOST'
            domain_name              : *
                domain_name              : 'xxMYDOMAIN'
            account_ou               : 'xxCOMPUTER'
            admin_account            : 'xxUSERNAME'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
The machine account already exists in the specified OU.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'xxNAME'
            dns_domain_name          : 'xxNAME'
            forest_name              : 'xxFORREST'
            dn                       :
'CN=xxHOST,OU=Servers,OU=xxCOMPUTER,OU=Resources,DC=xxFIRSTNAME,DC=xxROOT,DC=ex,DC=ac,DC=uk'
            domain_sid               : *
                domain_sid               :
S-1-2-34-5678901234-567890123-4567890123 
            modified_config          : 0x00 (0)
            error_string             : 'failed to set machine spn:
Constraint violation'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to set machine spn: Constraint violation


Any help would be greatly appreciated.

Thanks

John

On 12/04/16 12:09, John Rowe wrote:
> I am trying to reconfigure a samba server to use authentication from the
University domain.
>
> * smbd seems to start OK
> * net ads testjoin is fine
> * net ads join -U xxUSERNAME createcomputer="xxCOMPUTER" fails
with:
> Failed to join domain: failed to set machine spn: Constraint violation
>
> (where xxTEXT indicates redaction - sorry I'm not sure what's
> confidential and what isn't)
>
> xxUSERNAME and xxCOMPUTER are valid (changing either changes the error
> message).
>
>
>   smb.conf starts:
>
>         security = ads
>          realm = xxDOMAIN
>          workgroup = xxWORKGROUP
>          idmap config * : range = 16667216-33554431
>          idmap config * : backend = tdb
>          encrypt passwords = yes
>
>
> The diagnostics are:
>
> net -d 1 ads join -U xxUSERNAME createcomputer="xxCOMPUTER"
> Enter xxUSERNAME's password:
> libnet_Join:
>      libnet_JoinCtx: struct libnet_JoinCtx
>          in: struct libnet_JoinCtx
>              dc_name                  : NULL
>              machine_name             : 'xxHOST'
>              domain_name              : *
>                  domain_name              : 'xxMYDOMAIN'
>              account_ou               : 'xxCOMPUTER'
>              admin_account            : 'xxUSERNAME'
>              machine_password         : NULL
>              join_flags               : 0x00000023 (35)
>                     0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>              os_version               : NULL
>              os_name                  : NULL
>              create_upn               : 0x00 (0)
>              upn                      : NULL
>              modify_config            : 0x00 (0)
>              ads                      : NULL
>              debug                    : 0x01 (1)
>              use_kerberos             : 0x00 (0)
>              secure_channel_type      : SEC_CHAN_WKSTA (2)
> The machine account already exists in the specified OU.
> libnet_Join:
>      libnet_JoinCtx: struct libnet_JoinCtx
>          out: struct libnet_JoinCtx
>              account_name             : NULL
>              netbios_domain_name      : 'xxNAME'
>              dns_domain_name          : 'xxNAME'
>              forest_name              : 'xxFORREST'
>              dn                       :
>
'CN=xxHOST,OU=Servers,OU=xxCOMPUTER,OU=Resources,DC=xxFIRSTNAME,DC=xxROOT,DC=ex,DC=ac,DC=uk'
>              domain_sid               : *
>                  domain_sid               :
> S-1-2-34-5678901234-567890123-4567890123
>              modified_config          : 0x00 (0)
>              error_string             : 'failed to set machine spn:
> Constraint violation'
>              domain_is_ad             : 0x01 (1)
>              result                   : WERR_GENERAL_FAILURE
> Failed to join domain: failed to set machine spn: Constraint violation
>
>
> Any help would be greatly appreciated.
>
> Thanks
>
> John
>
>
>
>
>
Try again without the 'createcomputer="xxCOMPUTER"', your
computer seems
to already exist:

The machine account already exists in the specified OU.

Rowland

Thanks for the reply Rowland:

On Tue, 2016-04-12 at 12:21 +0100, Rowland penny wrote:
> 
> Try again without the 'createcomputer="xxCOMPUTER"', your
computer
> seems 
> to already exist:
> 
> The machine account already exists in the specified OU. 
I am told this is in fact a necessary feature: xxCOMPUTER is a class of
computers we are allowed to be one.

John