Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-02-17 Thread Jake Carroll
Hi.


On 17/02/13 2:01 PM, Nico Kadel-Garcia nka...@gmail.com wrote:

On Fri, Feb 8, 2013 at 5:40 AM, İhsan Doğan ih...@dogan.ch wrote:
 On 02/04/2013 03:31 AM, Jake Carroll wrote:

 Do you have an Oracle support contract for OS/integration?

 I'd log it in MOS if I were you, and see what they say. Approach this from
 two angles ;).

 I've contacted Oracle in the first place. According to them, it's not a
 Solaris issue.



 Ihsan

Solaris really has to be considered EOL, even though the support
promises for Solaris are nominally until 2024.  Sun is gone, they're
not *making* Sun hardware anymore, and Oracle is urging their
customers with Solaris to switch to so-called Unbreakable Linux,
which is a repackaging of RHEL with customizations for Oracle
database support. (And Red Hat is *really angry*, as they should be,
because they've customized the kernel and kept their changes closed
source.)

Well, without starting a small war (not the point of these lists at all),
I guess one of the problems some of us face is that, it's not just about
Samba. It's also about the file system technologies that Oracle owns that
don't really work on Linux platforms, and only currently work on Solaris
based systems. I guess there is a little bit of complication to it, in
that. Not sure if this is the case for Ihsan, but for my own purposes, I
actually *can't* use linux for the kinds of things I do, the file system
functions I need, and the technology problems I need to solve.

Not *yet* anyway ;). Maybe in time.

--JC


Do you have Linux servers you can test from?

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-02-16 Thread Nico Kadel-Garcia
On Fri, Feb 8, 2013 at 5:40 AM, İhsan Doğan ih...@dogan.ch wrote:
 On 02/04/2013 03:31 AM, Jake Carroll wrote:

 Do you have an Oracle support contract for OS/integration?

 I'd log it in MOS if I were you, and see what they say. Approach this from
 two angles ;).

 I've contacted Oracle in the first place. According to them, it's not a
 Solaris issue.



 Ihsan

Solaris really has to be considered EOL, even though the support
promises for Solaris are nominally until 2024.  Sun is gone, they're
not *making* Sun hardware anymore, and Oracle is urging their
customers with Solaris to switch to so-called Unbreakable Linux,
which is a repackaging of RHEL with customizations for Oracle
database support. (And Red Hat is *really angry*, as they should be,
because they've customized the kernel and kept their changes closed
source.)

Do you have Linux servers you can test from?

Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-02-08 Thread İhsan Doğan
On 02/04/2013 03:31 AM, Jake Carroll wrote:

 Do you have an Oracle support contract for OS/integration?
 
 I'd log it in MOS if I were you, and see what they say. Approach this from
 two angles ;).

I've contacted Oracle in the first place. According to them, it's not a
Solaris issue.



Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/


Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-02-08 Thread İhsan Doğan
Hi,

On 02/06/2013 11:46 AM, Andrew Bartlett wrote:

 I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to
 join a Solaris 11 machine to this domain:

 # smbadm join -u Administrator DOMAIN
 After joining DOMAIN the smb service will be restarted automatically.
 Would you like to continue? [no]: yes
 Enter domain password:
 Locating DC in DOMAIN ... this may take a minute ...
 Joining DOMAIN ... this may take a minute ...
 failed to join DOMAIN: UNSUCCESSFUL
 Please refer to the system log for more information.

 In /var/adm/messages:
 Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify: Insufficient access
 Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation trust account update failed

 Windows 7 clients are able to join, but Solaris 11 fails.

 Kerberos seems to be fine:
 # kinit oskar
 Password for os...@domain.com:
 Warning: Your password will expire in 41 days on Wed Mar 13 19:44:52 2013

 But if I run it for Administrator:
 # kinit Administrator
 Password for administra...@domain.com:
 Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
 kinit:  no ktkt_warnd warning possible

 Any idea what is going wrong here?
 
 Does this work against a freshly provisioned Samba 4.0.3 domain?
 
 We fixed a lot of ACL related things with that release.

Haven't tried. I'm running the AD now on a 2008R2 server.



Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/


Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-02-06 Thread Andrew Bartlett
On Wed, 2013-01-30 at 21:49 +0100, İhsan Doğan wrote:
 Hi,
 
 I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to
 join a Solaris 11 machine to this domain:
 
 # smbadm join -u Administrator DOMAIN
 After joining DOMAIN the smb service will be restarted automatically.
 Would you like to continue? [no]: yes
 Enter domain password:
 Locating DC in DOMAIN ... this may take a minute ...
 Joining DOMAIN ... this may take a minute ...
 failed to join DOMAIN: UNSUCCESSFUL
 Please refer to the system log for more information.
 
 In /var/adm/messages:
 Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify: Insufficient access
 Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation trust account update failed
 
 Windows 7 clients are able to join, but Solaris 11 fails.
 
 Kerberos seems to be fine:
 # kinit oskar
 Password for os...@domain.com:
 Warning: Your password will expire in 41 days on Wed Mar 13 19:44:52 2013
 
 But if I run it for Administrator:
 # kinit Administrator
 Password for administra...@domain.com:
 Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
 kinit:  no ktkt_warnd warning possible
 
 Any idea what is going wrong here?

Does this work against a freshly provisioned Samba 4.0.3 domain?

We fixed a lot of ACL related things with that release.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-02-03 Thread İhsan Doğan
On 31.01.2013 14:46, İhsan Doğan wrote:

 # smbadm join -u Administrator DOMAIN
 After joining DOMAIN the smb service will be restarted automatically.
 Would you like to continue? [no]: yes
 Enter domain password:
 Locating DC in DOMAIN ... this may take a minute ...
 Joining DOMAIN ... this may take a minute ...
 Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)
 failed to join DOMAIN: UNSUCCESSFUL
 Please refer to the system log for more information.

[...]

 auth_check_password_send: Checking password for unmapped user []\[]@[(null)]

Looks like I'm hitting this bug:
https://bugzilla.samba.org/show_bug.cgi?id=8805




Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/

Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-02-03 Thread Jake Carroll
Do you have an Oracle support contract for OS/integration?

I'd log it in MOS if I were you, and see what they say. Approach this from
two angles ;).

--JC




On 4/02/13 6:49 AM, İhsan Doğan ih...@dogan.ch wrote:

On 31.01.2013 14:46, İhsan Doğan wrote:

 # smbadm join -u Administrator DOMAIN
 After joining DOMAIN the smb service will be restarted automatically.
 Would you like to continue? [no]: yes
 Enter domain password:
 Locating DC in DOMAIN ... this may take a minute ...
 Joining DOMAIN ... this may take a minute ...
 Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)
 failed to join DOMAIN: UNSUCCESSFUL
 Please refer to the system log for more information.

[...]

 auth_check_password_send: Checking password for unmapped user []\[]@[(null)]

Looks like I'm hitting this bug:
https://bugzilla.samba.org/show_bug.cgi?id=8805




Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/

Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-01-31 Thread İhsan Doğan
Hi,

On 01/31/2013 03:43 AM, Ong Yu-Phing wrote:

 1) /etc/krb/krb5.conf
 make sure you have your [realms], [domain_realm] configs correct, e.g.
 if you have a domain called DOMAIN.LOCAL, and a DC server hostname
 dc.domain.local (make sure that hostname resolves via DNS or /etc/hosts
 file):

I've verified the krb5.conf and it looks exactly like yours.

 2) time
 make sure you ntpdate with your DC to ensure your time is in sync

Verified. All in sync.

 3) LMauth level
 
 sharectl set -p lmauth_level=4 smb
 
 depending on your AD forest version, you may need to do either level=2 or 4

Which would be the appropriate version for an AD forest running on Samba
4.0.1?

I've set the lmauth version now to 4:
# sharectl set -p server_lmauth_level=4 smb
# sharectl set -p client_lmauth_level=4 smb

Created the krb5.conf and registered the machine in the AD forest:
# kclient

Starting client setup

---
Is this a client of a non-Solaris KDC ? [y/n]: y
Which type of KDC is the server:
ms_ad: Microsoft Active Directory
mit: MIT KDC server
heimdal: Heimdal KDC server
shishi: Shishi KDC server
Enter required KDC type: ms_ad

Setting up /etc/krb5/krb5.conf.

Attempting to join 'HOST' to the 'DOMAIN.LOCAL' domain.

Password for Administrator@DOMAIN.LOCAL:
Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
kinit:  no ktkt_warnd warning possible

Forest name found: domain.local

Site name not found.  Local DCs/GCs will not be discovered.

Creating the machine account in AD via LDAP.

Warning: won't create DNS records for client.
ddns_enable property not set to 'true' through sharectl(1M).
---
Setup COMPLETE.

So far it looks good. After that, I've tried again to run smbadm:

# smbadm join -u Administrator DOMAIN
After joining DOMAIN the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Locating DC in DOMAIN ... this may take a minute ...
Joining DOMAIN ... this may take a minute ...
Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)
failed to join DOMAIN: UNSUCCESSFUL
Please refer to the system log for more information.

Still no luck, but looks like I've made a step forward.




Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/


Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-01-31 Thread İhsan Doğan
Hi,

On 01/31/2013 09:03 AM, İhsan Doğan wrote:

 # smbadm join -u Administrator DOMAIN
 After joining DOMAIN the smb service will be restarted automatically.
 Would you like to continue? [no]: yes
 Enter domain password:
 Locating DC in DOMAIN ... this may take a minute ...
 Joining DOMAIN ... this may take a minute ...
 Computer account exists (CN=HOST,CN=Computers,DC=domain,DC=local)
 failed to join DOMAIN: UNSUCCESSFUL
 Please refer to the system log for more information.

I've started samba in debug mode and saw this:

auth_check_password_send: Checking password for unmapped user []\[]@[(null)]

Not sure how to understand the meaning of this. Can it be, that Solaris
is sending something weird to the Samba server?




Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/

[Samba] Solaris 11 can't join Active Directory Domain

2013-01-30 Thread İhsan Doğan

Hi,

I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to
join a Solaris 11 machine to this domain:

# smbadm join -u Administrator DOMAIN
After joining DOMAIN the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Locating DC in DOMAIN ... this may take a minute ...
Joining DOMAIN ... this may take a minute ...
failed to join DOMAIN: UNSUCCESSFUL
Please refer to the system log for more information.

In /var/adm/messages:
Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify: Insufficient access
Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation trust account update failed

Windows 7 clients are able to join, but Solaris 11 fails.

Kerberos seems to be fine:
# kinit oskar
Password for os...@domain.com:
Warning: Your password will expire in 41 days on Wed Mar 13 19:44:52 2013

But if I run it for Administrator:
# kinit Administrator
Password for administra...@domain.com:
Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
kinit:  no ktkt_warnd warning possible

Any idea what is going wrong here?



Ihsan
-- 
ih...@dogan.ch  http://blog.dogan.ch/


Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-01-30 Thread Jake Carroll
Hi.

I can probably help there, because I have been through similar problems.

1. Remember that smbadm has nothing to do with samba at all. It's
primarily concerned with Solaris 11's CIFS service (in kernel
windows-appropriate file serving from Oracle).

2. I am pretty sure you'll find your /etc/krb5/krb5.conf needs to be solid
and in place before smbadm works. That was the case for me.

3. I needed to create the object in my active directory forest first,
before anything worked.

That's what got it working for me.

You probably won't get any help from this list for this kind of thing, as
it's very much a Samba focused list. Samba != Oracle's CIFS.

Hope me spotting this helped you, though.

--JC




On 31/01/13 6:49 AM, İhsan Doğan ih...@dogan.ch wrote:


Hi,

I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to
join a Solaris 11 machine to this domain:

# smbadm join -u Administrator DOMAIN
After joining DOMAIN the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Locating DC in DOMAIN ... this may take a minute ...
Joining DOMAIN ... this may take a minute ...
failed to join DOMAIN: UNSUCCESSFUL
Please refer to the system log for more information.

In /var/adm/messages:
Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify: Insufficient access
Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation trust account update failed

Windows 7 clients are able to join, but Solaris 11 fails.

Kerberos seems to be fine:
# kinit oskar
Password for os...@domain.com:
Warning: Your password will expire in 41 days on Wed Mar 13 19:44:52 2013

But if I run it for Administrator:
# kinit Administrator
Password for administra...@domain.com:
Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
kinit:  no ktkt_warnd warning possible

Any idea what is going wrong here?



Ihsan
-- 
ih...@dogan.ch  http://blog.dogan.ch/

Re: [Samba] Solaris 11 can't join Active Directory Domain

2013-01-30 Thread Ong Yu-Phing
I can help (I run various openindiana storage servers in my company), 
basically you need to check 3 things


1) /etc/krb/krb5.conf
make sure you have your [realms], [domain_realm] configs correct, e.g. 
if you have a domain called DOMAIN.LOCAL, and a DC server hostname 
dc.domain.local (make sure that hostname resolves via DNS or /etc/hosts 
file):


[libdefaults]
default_realm = DOMAIN.LOCAL

[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
kpasswd_server = dc.domain.local
kpasswd_protocol = SET_CHANGE
admin_server = dc.domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL

2) time
make sure you ntpdate with your DC to ensure your time is in sync

3) LMauth level

sharectl set -p lmauth_level=4 smb

depending on your AD forest version, you may need to do either level=2 or 4

Hope this helps.
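
The krb5.conf check from step 1 of the message above, as an added example (not part of the original message, and not Samba or Solaris code): a shell function that verifies default_realm, its [realms] stanza and the [domain_realm] map agree with each other. The function name check_krb5 and the sample input are constructed for illustration.

```shell
#!/bin/sh
# check_krb5 [FILE]: read a krb5.conf (FILE or stdin) and report whether
# default_realm, its [realms] stanza and the [domain_realm] map agree.
# Exit status 0 = consistent, 1 = at least one finding.
check_krb5() {
  awk '
    { gsub(/^[ \t]+|[ \t]+$/, "") }                 # trim whitespace
    $0 == "" || /^[#;]/ { next }                    # blank line or comment
    /^\[/ { sec = $0; next }                        # section header
    { n = index($0, "="); key = ""; val = ""
      if (n) { key = substr($0, 1, n - 1); val = substr($0, n + 1)
               gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) } }
    sec == "[libdefaults]" && key == "default_realm" { realm = val }
    sec == "[realms]" && val == "{"   { cur = key; stanza[cur] = 1 }
    sec == "[realms]" && key == "kdc" { kdc[cur] = val }
    sec == "[domain_realm]" && n      { mapped[val] = 1 }
    END {
      if (realm == "") { print "FAIL: no default_realm in [libdefaults]"; bad = 1 }
      else {
        # Realm names are case-sensitive; AD realms are upper case.
        if (realm != toupper(realm)) { print "FAIL: realm " realm " is not upper case"; bad = 1 }
        if (!(realm in stanza))   { print "FAIL: no [realms] stanza for " realm; bad = 1 }
        else if (!(realm in kdc)) { print "FAIL: no kdc in stanza " realm; bad = 1 }
        if (!(realm in mapped))   { print "FAIL: no [domain_realm] entry maps to " realm; bad = 1 }
      }
      if (!bad) print "OK: realm " realm ", kdc " kdc[realm]
      exit bad + 0
    }' "$@"
}

# Constructed sample: the realm stanza and the mapping are lower case,
# so neither matches default_realm and two findings are printed.
check_krb5 <<'EOF' || true
[libdefaults]
default_realm = DOMAIN.LOCAL

[realms]
domain.local = {
kdc = dc.domain.local
}

[domain_realm]
.domain.local = domain.local
EOF
```

On a real host, pass the file as an argument, for example the /etc/krb5/krb5.conf that kclient writes. The check is purely syntactic and does not test DNS resolution of the KDC or clock skew.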