Re: [cifs-discuss] Change default idmap domain
Thanks, that was the problem. We opened tcp/464, not udp. Opening that port fixed it. Thanks!
Re: [cifs-discuss] Change default idmap domain
Your domain controller doesn't respond to our KPASSWD request. Please configure your firewall as specified below:

http://wiki.genunix.org/wiki/index.php/CIFS_Service_Troubleshooting#Ensuring_the_Firewall_Software_Does_Not_Filter_Out_Needed_Ports

Natalie

keegam wrote:

It is attached. Thanks!
Re: [cifs-discuss] Change default idmap domain
Run:

snoop -o kpasswd_trace.cap

Please send me the kpasswd_trace.cap.

Regards,
Natalie
Re: [cifs-discuss] Change default idmap domain
The Kerberos hotfix hadn't been applied. It has now, but I'm still getting errors. Below is the syslog output. I'm not sure how to get a network trace, is there any documentation explaining the steps?

Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 702911 daemon.debug] msdcsLookupADS: de-entdc1.de-ent.com [10.93.208.65]
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 327665 daemon.debug] smbrdr_exchange[116]: failed (-3)
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 752420 daemon.debug] smbrdr_logoffx: solarisuser: UNEXPECTED_NETWORK_ERROR
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 135458 daemon.debug] smbrdr: trying port 445
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 508689 daemon.debug] smbrdr: connected on port 445
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 434374 daemon.debug] smbrdr: connected port 445
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 895027 daemon.debug] smbrdr: DE-ENTDC1: signing required
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 395423 daemon.debug] smbrdr_ntcreatex: 14 \srvsvc
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 528497 daemon.debug] SmbRdrNtCreate: fid=16399
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 395423 daemon.debug] smbrdr_ntcreatex: 14 \lsarpc
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 528497 daemon.debug] SmbRdrNtCreate: fid=32768
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 395423 daemon.debug] smbrdr_ntcreatex: 14 \lsarpc
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 528497 daemon.debug] SmbRdrNtCreate: fid=32769
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 135458 daemon.debug] smbrdr: trying port 445
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 508689 daemon.debug] smbrdr: connected on port 445
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 434374 daemon.debug] smbrdr: connected port 445
Jul 15 13:08:40 dsshare01 smbd[6269]: [ID 895027 daemon.debug] smbrdr: DE-ENTDC1: signing required
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 706612 daemon.info] LDAP SASL bind to norddc2.tamtse.com:389 failed (Can't connect to the LDAP server)
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 405957 daemon.debug] unable to discover Forest Name for the trusted domain TAMTSE.COM
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 979816 daemon.debug] Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'de-ent.com'
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.dc._msdcs.de-ent.com 600 IN SRV [0][100] de-entdc2.de-ent.com:389
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.dc._msdcs.de-ent.com 600 IN SRV [0][100] de-entdc1.de-ent.com:389
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 979816 daemon.debug] Querying DNS for SRV RRs named '_ldap._tcp.gc._msdcs' for 'de-ent.com'
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.gc._msdcs.de-ent.com 600 IN SRV [0][100] de-entdc2.de-ent.com:3268
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.gc._msdcs.de-ent.com 600 IN SRV [0][100] de-entdc1.de-ent.com:3268
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 341341 daemon.debug] Looking for domains in forest...
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 632961 daemon.debug] found de-ent.com
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 979816 daemon.debug] Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'de-internal.com'
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.dc._msdcs.de-internal.com 600 IN SRV [0][100] nordcoredc2.de-internal.com:389
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.dc._msdcs.de-internal.com 600 IN SRV [0][100] nordcoredc3.de-internal.com:389
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.dc._msdcs.de-internal.com 600 IN SRV [0][100] nordcoredc1.de-internal.com:389
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 979816 daemon.debug] Querying DNS for SRV RRs named '_ldap._tcp.Default-First-Site._sites.gc._msdcs' for 'de-internal.com'
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.Default-First-Site._sites.gc._msdcs.de-internal.com 600 IN SRV [0][100] nordcoredc1.de-internal.com:3268
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.Default-First-Site._sites.gc._msdcs.de-internal.com 600 IN SRV [0][100] nordcoredc2.de-internal.com:3268
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 979816 daemon.debug] Querying DNS for SRV RRs named '_ldap._tcp.gc._msdcs' for 'de-internal.com'
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.gc._msdcs.de-internal.com 600 IN SRV [0][100] nordcoredc2.de-internal.com:3268
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.gc._msdcs.de-internal.com 600 IN SRV [0][100] nordcoredc1.de-internal.com:3268
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 341341 daemon.debug] Looking for domains in forest...
Jul 15 13:08:42 dsshare01 idmapd[6170]: [ID 632961 daemon.debug] found de-int
Re: [cifs-discuss] Change default idmap domain
keegam wrote:

If that is the one mentioned in the wiki article, then yes, that hot fix has been applied.

There are multiple hot fixes for Windows 2008 (NTLM and Kerberos). If you're sure that you have applied the Kerberos hot fix KB951191 on both your DCs, then please send me a network trace that captures the traffic between the Solaris CIFS server and de-entdc1.de-ent.com. I need to verify whether or not you've tripped over the Microsoft KPASSWD issue as described here:

http://support.microsoft.com/kb/968140

Regards,
Natalie
Re: [cifs-discuss] Change default idmap domain
If that is the one mentioned in the wiki article, then yes, that hot fix has been applied.
Re: [cifs-discuss] Change default idmap domain
keegam wrote:

Server 2008.

Do you have the following hot fix installed on your Windows 2008 DC?

* Windows Server 2008 SP1 with Microsoft Kerberos hot fix KB951191: http://support.microsoft.com/default.aspx/kb/951191/

Natalie
Re: [cifs-discuss] Change default idmap domain
Server 2008.
Re: [cifs-discuss] Change default idmap domain
Which Windows OS version is running on de-entdc1.de-ent.com?

Regards,
Natalie

keegam wrote:

I have upgraded to the latest development build. It looks like progress is being made. The smbadm join command no longer hangs. Here is a snippet of the /var/adm/messages output

Jul 14 13:48:23 dsshare01 idmapd[6170]: [ID 341341 daemon.debug] Looking for domains in forest...
Jul 14 13:48:24 dsshare01 idmapd[6170]: [ID 632961 daemon.debug] found de-internal.com
Jul 14 13:48:24 dsshare01 idmapd[6170]: [ID 979816 daemon.debug] Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'TAMTSE.COM'
Jul 14 13:48:24 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.dc._msdcs.TAMTSE.COM 600 IN SRV [0][100] norddc2.tamtse.com:389
Jul 14 13:48:24 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.dc._msdcs.TAMTSE.COM 600 IN SRV [0][100] carddc1.tamtse.com:389
Jul 14 13:48:24 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.dc._msdcs.TAMTSE.COM 600 IN SRV [0][100] norddc1.tamtse.com:389
Jul 14 13:48:24 dsshare01 idmapd[6170]: [ID 537588 daemon.debug] Found _ldap._tcp.dc._msdcs.TAMTSE.COM 600 IN SRV [0][100] carddc2.tamtse.com:389
Jul 14 13:48:24 dsshare01 smbd[6269]: [ID 395423 daemon.debug] smbrdr_ntcreatex: 14 \srvsvc
Jul 14 13:48:24 dsshare01 smbd[6269]: [ID 528497 daemon.debug] SmbRdrNtCreate: fid=16384
Jul 14 13:48:24 dsshare01 smbd[6269]: [ID 702911 daemon.debug] RemoteTime from de-entdc1: Wed Jul 14 13:48:25 2010
Jul 14 13:48:24 dsshare01 smbd[6269]: [ID 702911 daemon.debug] NetRemoteTOD from de-entdc1: NetRemoteTOD: 07/14/10 17:48:25
Jul 14 13:48:25 dsshare01 smbd[6269]: [ID 213798 daemon.error] smb_krb5_setpwd: Result: (-39676682)
Jul 14 13:48:25 dsshare01 smbd[6269]: [ID 702911 daemon.notice] Failed to set machine password.
Jul 14 13:48:25 dsshare01 smbd[6269]: [ID 871254 daemon.error] smbd: failed joining de-ent.com (UNSUCCESSFUL)
Jul 14 13:48:26 dsshare01 smbd[6269]: [ID 208731 daemon.debug] TA_MEDIA <1B> flags=0x0
Jul 14 13:48:26 dsshare01 smbd[6269]: [ID 370951 daemon.debug] 10.93.7.73 ttl=300 flags=0x0 port=35328
Jul 14 13:48:26 dsshare01 smbd[6269]: [ID 208731 daemon.debug] TA_MEDIA <1D> flags=0x0
Jul 14 13:48:26 dsshare01 smbd[6269]: [ID 370951 daemon.debug] 10.93.7.73 ttl=300 flags=0x0 port=35328
Jul 14 13:48:29 dsshare01 idmapd[6170]: [ID 706612 daemon.info] LDAP SASL bind to norddc2.tamtse.com:389 failed (Can't connect to the LDAP server)
Jul 14 13:48:34 dsshare01 idmapd[6170]: [ID 706612 daemon.info] LDAP SASL bind to carddc1.tamtse.com:389 failed (Can't connect to the LDAP server)
Jul 14 13:48:39 dsshare01 idmapd[6170]: [ID 706612 daemon.info] LDAP SASL bind to norddc1.tamtse.com:389 failed (Can't connect to the LDAP server)
Jul 14 13:48:44 dsshare01 idmapd[6170]: [ID 706612 daemon.info] LDAP SASL bind to carddc2.tamtse.com:389 failed (Can't connect to the LDAP server)
Jul 14 13:48:44 dsshare01 idmapd[6170]: [ID 405957 daemon.debug] unable to discover Forest Name for the trusted domain TAMTSE.COM
Jul 14 13:51:39 dsshare01 idmapd[6170]: [ID 558711 daemon.debug] Using server nor01.uamho.com:3268

There is a trust between the domain I want to join (de-ent) and the others mentioned here. I've requested the network team open ldap ports to the server it complains about but I'm not sure why it can't just authenticate off the de-ent.com domain.

I've also attached an updated output from cifs-gendiag. Thanks.
Re: [cifs-discuss] Change default idmap domain
+==
| 1) OS and Hardware
+==
SunOS dsshare01 5.11 snv_111b i86pc i386 i86pc Solaris

As far as CIFS service is concerned, snv_111b is unstable. You should upgrade to the latest available build.

Regards,
Natalie

keegam wrote:

Thanks for the reply. Adding debug output to syslog yielded no new output.

r...@dsshare01:/tmp# svcs smb/server
STATE STIME FMRI
online Jul_07 svc:/network/smb/server:default

cifs-gendiag Hangs on section 8 (the sharemgr show -vp command) so I have commented that out. It also hangs under 8.3, at the command 'smbadm list'. It shows the following, then sits there

[*] [TA_MEDIA]
[*] [UAMHO.COM]

Attached is a text file with the output from the rest of the script. Again, any domains like uamho or tamtse are old configurations. The new domain I need to join is de-ent.com.
Re: [cifs-discuss] Change default idmap domain
As for the idmap default domain, rejoining the domain with smbadm join should be necessary and sufficient to change idmap's settings.
Re: [cifs-discuss] Change default idmap domain
What's the output from the following command:

svcs smb/server

Please enable debug-level log by replacing 'daemon.notice' with 'daemon.debug' in /etc/syslog.conf. Then, run `svcadm refresh system/system-log`. Please try again and report any messages in /var/adm/messages that are associated with the domain join.

cifs-gendiag script: http://hub.opensolaris.org/bin/view/Project+cifs%2Dserver/files?viewer=attachments&language=en

An output from cifs-gendiag would help us understand your system setup.

Regards,
Natalie
Re: [cifs-discuss] Change default idmap domain
Hi, thanks for the response. The user I was using to join was not a domain admin. I've promoted it to that role, and now when running the join command, it just sits there. I've let it run for a few minutes a few times, and nothing happens. Here's some truss output (that was edited slightly)

Enter domain password: write(3, " E n t e r d o m a i n".., 23) = 23
read(3, 0xFEF825E4, 1) (sleeping...)
(password entered)
write(3, "\n", 1) = 1
ioctl(3, TCSETAW, 0x08047890) = 0
sigaction(SIGINT, 0x080477C0, 0x) = 0
sigaction(SIGTSTP, 0x080477C0, 0x) = 0
close(3) = 0
Joining de-ent.com ... this may take a minute ...
write(1, " J o i n i n g d e - e".., 50) = 50
open("/var/run/smbd_door", O_RDONLY) = 3
fstat64(3, 0x08047700) = 0
door_call(3, 0x08047850) (sleeping...)

And that's it. No loops, no more output whatsoever.
Re: [cifs-discuss] Change default idmap domain
r...@dsshare01:~# smbadm join -u solarisuser de-ent.com

Is "solarisuser" an AD user? If not, please try using a domain administrator account to perform the domain join.

When joining a Windows 2008 domain, please refer to the following troubleshooting guide:

http://wiki.genunix.org/wiki/index.php/CIFS_Service_Troubleshooting#Joining_a_Windows_2008_Domain

Regards,
Natalie

keegam wrote:

I'm trying to get an opensolaris server to authenticate off a Windows 2008 AD server. I initially set up everything as one domain, and it didn't work, now I'm trying to set up on a new domain. However, it seems like there are some old entries somewhere I can't find, pointing to the old domain. Here's some output from /var/adm/messages when I start idmap:

Jul 7 10:25:51 dsshare01 idmap[1492]: [ID 452674 daemon.info] change machine_sid=S-1-5-21-3983517302-1461505347-313232
Jul 7 10:25:51 dsshare01 idmap[1492]: [ID 452674 daemon.info] change default_domain=UAMHO.COM
Jul 7 10:25:51 dsshare01 idmap[1492]: [ID 452674 daemon.info] change domain_name=UAMHO.COM
Jul 7 10:25:51 dsshare01 idmap[1492]: [ID 673650 daemon.debug] Initial configuration loaded
Jul 7 10:25:51 dsshare01 idmap[1492]: [ID 979816 daemon.debug] Querying DNS for SRV RRs named '_ldap._tcp.dc._msdcs' for 'UAMHO.COM'

uamho.com is the old domain. Where do I specify the new one? I've set it up in my resolv.conf, as well as krb5.conf. I think this is causing my authentication issues, but it might be unrelated. The front problem I have is, when I try to join a domain, I get the following error:

r...@dsshare01:~# smbadm join -u solarisuser de-ent.com
After joining de-ent.com the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining de-ent.com ... this may take a minute ...
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 775558 daemon.debug] smb_door_srv_func: execute server routine(opcode=7)
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 702911 daemon.debug] msdcsLookupADS: de-entdc1.de-ent.com [10.93.208.65]
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 135458 daemon.debug] smbrdr: trying port 445
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 508689 daemon.debug] smbrdr: connected on port 445
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 434374 daemon.debug] smbrdr: connected port 445
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 895027 daemon.debug] smbrdr: DE-ENTDC1: signing required
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 395423 daemon.debug] smbrdr_ntcreatex: 14 \lsarpc
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 528497 daemon.debug] SmbRdrNtCreate: fid=6
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 395423 daemon.debug] smbrdr_ntcreatex: 14 \lsarpc
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 528497 daemon.debug] SmbRdrNtCreate: fid=32772
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 395423 daemon.debug] smbrdr_ntcreatex: 14 \lsarpc
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 528497 daemon.debug] SmbRdrNtCreate: fid=11
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 395423 daemon.debug] smbrdr_ntcreatex: 14 \lsarpc
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 528497 daemon.debug] SmbRdrNtCreate: fid=15
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 395604 daemon.debug] Authenticated with Kerberos v5
failed to join de-ent.com: UNSUCCESSFUL
Please refer to the system log for more information.
r...@dsshare01:~#
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 504979 daemon.notice] ldap_add: Insufficient access
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 702911 daemon.notice] Failed to create the workstation trust account.
Jul 7 10:31:22 dsshare01 smbd[432]: [ID 871254 daemon.error] smbd: failed joining de-ent.com (UNSUCCESSFUL)
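
The failure signatures that appear in this thread's logs (insufficient access when creating the trust account, the failed machine-password set, unreachable LDAP servers) can be picked out of /var/adm/messages with a short triage script. This is an added example, not part of the original posts: the cause labels, hints and function names are its own, and the sample input is a few lines copied from the logs quoted in the thread.

```python
import re

# Start of one syslog entry, e.g. "Jul 14 13:48:25 dsshare01 smbd[6269]:".
# Requiring host and daemon[pid] keeps a date inside a message from splitting it.
ENTRY_START = re.compile(
    r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+\w+\[\d+\]:")
ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"(?P<daemon>\w+)\[\d+\]:\s+\[ID \d+ (?P<prio>[\w.]+)\]\s+(?P<msg>.*)",
    re.S)

# (cause, pattern, hint). Cause labels are hypothetical names chosen for this
# example; the hints restate advice given in the thread.
RULES = [
    ("join_account_lacks_rights",
     re.compile(r"ldap_add: Insufficient access"),
     "join with a domain administrator account"),
    ("machine_password_not_set",
     re.compile(r"smb_krb5_setpwd: Result: \((-?\d+)\)"),
     "check the DC's Kerberos hot fix and that port 464 is open for udp and tcp"),
    ("ldap_server_unreachable",
     re.compile(r"LDAP SASL bind to (\S+:\d+) failed \(Can't connect"),
     "the LDAP port on this DC is filtered or the host is down"),
    ("join_failed",
     re.compile(r"failed joining (\S+)"),
     "overall result of the join attempt"),
]

def split_entries(blob):
    """Split log text into entries, even when they have been run together."""
    starts = [m.start() for m in ENTRY_START.finditer(blob)]
    return [blob[a:b].strip() for a, b in zip(starts, starts[1:] + [len(blob)])]

def triage(blob):
    """Return {cause: [details]} in order of first appearance, without repeats."""
    findings = {}
    for entry in split_entries(blob):
        m = ENTRY.match(entry)
        if m is None:
            continue
        for cause, pattern, _hint in RULES:
            hit = pattern.search(m["msg"])
            if hit:
                detail = hit.group(1) if pattern.groups else hit.group(0)
                seen = findings.setdefault(cause, [])
                if detail not in seen:
                    seen.append(detail)
    return findings

def report(blob):
    """One line per cause: the details found and the hint for it."""
    hints = {cause: hint for cause, _pattern, hint in RULES}
    return [f"{c}: {', '.join(d)} -> {hints[c]}" for c, d in triage(blob).items()]

# Sample input: lines copied from the logs posted in this thread, joined on
# one line the way the list archive shows them.
SAMPLE = " ".join([
    "Jul 14 13:48:24 dsshare01 smbd[6269]: [ID 702911 daemon.debug] RemoteTime from de-entdc1: Wed Jul 14 13:48:25 2010",
    "Jul 14 13:48:25 dsshare01 smbd[6269]: [ID 213798 daemon.error] smb_krb5_setpwd: Result: (-39676682)",
    "Jul 14 13:48:25 dsshare01 smbd[6269]: [ID 702911 daemon.notice] Failed to set machine password.",
    "Jul 14 13:48:25 dsshare01 smbd[6269]: [ID 871254 daemon.error] smbd: failed joining de-ent.com (UNSUCCESSFUL)",
    "Jul 14 13:48:29 dsshare01 idmapd[6170]: [ID 706612 daemon.info] LDAP SASL bind to norddc2.tamtse.com:389 failed (Can't connect to the LDAP server)",
    "Jul 14 13:48:34 dsshare01 idmapd[6170]: [ID 706612 daemon.info] LDAP SASL bind to carddc1.tamtse.com:389 failed (Can't connect to the LDAP server)",
])

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```
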