On Wed, Apr 4, 2012 at 1:22 PM, Andrew Bartlett <[email protected]> wrote:
> On Fri, 2012-03-30 at 00:02 +0300, George Diamantopoulos wrote:
>> Hello all,
>>
>> I've run into the issue described here:
>> http://lists.samba.org/archive/samba-technical/2010-September/073075.html
>>
>> To sum it up, I installed samba4 from git on a debian wheezy system.
>> Initially, I was able to join Windows 7 clients to the AD controller.
>> However, trying to get freenas 8 to join has been failing. In the end,
>> trying to get it to work I changed administrator's password (via
>> dsa.msc) which broke AD joining for windows clients too. KVNO in
>> secrets.keytab file has always been "1". Could this mismatch be the
>> cause of the failures?
>>
>> I rebooted all clients (to get rid of stale tickets) to no avail. The
>> only way to fix this was to run the provision script again, but now
>> samba is not very stable (I managed to join the AD domain, but upon
>> login I get "The security database on the server does not have a
>> computer account for this workstation trust relationship").
>>
>> I really don't know where to start. Do you think using samba from
>> debian SID would be wiser than building from git? Are there any other
>> errors in the log I didn't spot? Is KVNO mismatch the reason joining
>> fails, or are there more errors?
>
> Samba is best installed from git.
>
> As to the KVNO mismatch, have you somehow installed a client with the
> same name as the server (ADPDC), or attempted to 'join' the server to
> itself? That can cause this kind of thing.
>
> Changing the administrator password won't be the issue, but any change
> (a join, or a reset with any tool) of the machine account password
> certainly could update sam.ldb but not the local
> secrets.ldb/secrets.keytab.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
Thanks for the reply. That might have been the case, after all. FreeNAS AD Web Config has a non-intuitive field called "Host Name (NetBIOS-Name)" where I put ADPDC in at first, then changed it to freenas.

I've reinstalled everything on clean VMs now and it seems to be working. User authentication on computers I had previously joined to the domain, however, is a little tricky now (for example, I need to explicitly set an NT-style domain in the username field, such as SYNDOM\Administrator, in order for login to work), but I've been changing so many settings I might have caused this. I guess I'll have to reinstall Windows on them.

When FreeNAS authenticates, I get "Selected protocol [8][NT LANMAN 1.0]" on the samba4 console, and freenas logs print "freenas freenas: Using short domain name -- SYNDOM".

On a side note, isn't the samba4 server supposed to join itself to the AD domain when running the provision script? At least that's what I get on STDOUT after running provision...

It now seems I've run into this bug, though: http://support.freenas.org/ticket/1135 (which has a "won't fix" status from FreeNAS devs). It's a pity because samba4 and FreeNAS integration can prove very useful in some situations. There are not many references to this online, however. I think I spotted a discussion somewhere between a samba developer (I can't remember who it was) and a user (not sure either) where it was mentioned that it's most probably a samba 3/4 incompatibility issue and that it wouldn't be too hard to fix. Unfortunately I have been unable to find more information on this matter, and whether this .

George

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
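Andrew's point above, that a machine-account password change can advance the key version in sam.ldb without touching secrets.keytab, suggests a check worth running before re-provisioning a DC. The script below is an added example, not code from the thread or from Samba: it compares the KVNO in `klist -k` output with msDS-KeyVersionNumber from `ldbsearch` output, here fed with constructed sample text (the realm SYNDOM.EXAMPLE and the file paths are assumptions).

```shell
#!/bin/sh
# Added example: detect a KVNO mismatch between a Samba DC's secrets.keytab
# and the DC's own machine account in sam.ldb. Inputs are the text of
# `klist -k /usr/local/samba/private/secrets.keytab` and of
# `ldbsearch -H /usr/local/samba/private/sam.ldb '(sAMAccountName=ADPDC$)' msDS-KeyVersionNumber`
# (paths assumed), so the check can be exercised offline on captured output.

# Highest KVNO in a klist -k listing for principals of the given account.
keytab_kvno() {
    # $1 = klist -k output, $2 = account name such as 'ADPDC$'
    printf '%s\n' "$1" | awk -v acct="$2" '
        $1 ~ /^[0-9]+$/ && index($NF, acct "@") == 1 { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# msDS-KeyVersionNumber from an ldbsearch record (first occurrence).
ldb_kvno() {
    printf '%s\n' "$1" | awk '$1 == "msDS-KeyVersionNumber:" { print $2 + 0; exit }'
}

# Returns 0 when the keytab is current, 1 when AD has moved past it.
kvno_matches() {
    kt=$(keytab_kvno "$1" "$3")
    ad=$(ldb_kvno "$2")
    [ -n "$kt" ] && [ -n "$ad" ] && [ "$kt" -eq "$ad" ]
}

# Constructed sample output modelled on the thread: the keytab still says 1,
# while the account in sam.ldb has been reset twice since.
SAMPLE_KLIST='Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ADPDC$@SYNDOM.EXAMPLE
   1 host/adpdc.syndom.example@SYNDOM.EXAMPLE'
SAMPLE_LDB='# record 1
dn: CN=ADPDC,OU=Domain Controllers,DC=syndom,DC=example
msDS-KeyVersionNumber: 3

# returned 1 records'

if kvno_matches "$SAMPLE_KLIST" "$SAMPLE_LDB" 'ADPDC$'; then
    echo "secrets.keytab is current"
else
    echo "KVNO mismatch: keytab $(keytab_kvno "$SAMPLE_KLIST" 'ADPDC$'), sam.ldb $(ldb_kvno "$SAMPLE_LDB")"
fi
```

On a live DC, replace the two sample strings with the real command output; a mismatch explains failed joins and "no computer account" errors without re-provisioning, and the affected account is what needs its secrets refreshed.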
