Join Active Directory errors

Added by Justa Guy over 3 years ago

I've gone through the process outlined in the User Guide with the exception of the step instructing me to add users to the computer via a tab that doesn't exist in my version of Active Directory.

The first error I got was "Operation completed with error: kinit(v5): Clock skew too great while getting initial credentials.", which turned out to be valid: the time on the DC was off by an hour somehow.

So I fixed that & the next error I have is: "Operation completed with error: Unable to join AD domain: failed to find any domain controllers for domainname.local."

In case that was a syntax error on my part, I tried again without the trailing .local in the "AD Server" field & now the error is: "Operation completed with error: Can't resolve SRV record '_ldap._tcp.dc._msdcs.domainname'. Check DNS server settings."

Please advise.


Replies

RE: Join Active Directory errors - Added by Dmitry Yusupov over 3 years ago

Is this 3.x ? Is the problem resolved?

Is it 2003 or 2008 AD? Which SP ?

Thanks

RE: Join Active Directory errors - Added by Justa Guy over 3 years ago

This was in 2.2.1. I'll see about trying 3.x in the next couple weeks & post what happens.

RE: Join Active Directory errors - Added by Matt Weatherford over 3 years ago

I am seeing this error in 3.0.2 community edition. I have a solid 3x domain controller setup that is working perfectly in production, but the NexentaStor appliance consistently throws:

failed to find any domain controllers

My srv record is good:

dig @128.yyy.zzz.x _ldap._tcp.dc._msdcs.csde.washington.edu SRV +short
0 100 389 CSDE-DC2.csde.washington.edu.
0 100 389 csde-dc3.csde.washington.edu.
0 100 389 csde-dc1.csde.washington.edu.

My DNS entries map forwards and backwards.... what the heck is going on?

OK... spoke too soon - I changed the IP to a different domain controller and changed the username from admin to MYDOMAIN\admin, applied, then changed it back to just admin and it worked.

Weird

-Matt

RE: Join Active Directory errors - Added by Jason Litka over 3 years ago

I'm also having the issue under 3.0.2. I've got two DCs, both of which have valid _ldap._tcp.dc._msdcs.mydomain.local records. I've got no issues joining Windows clients to the domain.

Using "administrator" as the user name results in a long pause, followed by "Unable to join AD domain: failed to find any domain controllers for mydomain.local". Using "MYDOMAIN\administrator" results in an immediate "kinit(v5): Client not found in Kerberos database while getting initial credentials". Using "administrator@mydomain.local" returns "kinit(v5): KDC reply did not match expectations while getting initial credentials".

Can anyone provide guidance?

RE: Join Active Directory errors - Added by Jason Litka over 3 years ago

Ok, figured it out.

option expert_mode=1 -s !bash sharectl set -p lmauth_level=2 smb

Once that was done I could join AD. The manual says that the sharectl command was only required for 2008 Domains but that seems to be inaccurate. It is required when talking to 2008 domain controllers, regardless of the functional level of the domain (which in my case is 2003).

RE: Join Active Directory errors - Added by Jason Litka over 3 years ago

Forum ate the code... Let's try it as an unordered list...

  • option expert_mode=1 -s
  • !bash
  • sharectl set -p lmauth_level=2 smb

RE: Join Active Directory errors - Added by churnd . over 2 years ago

Jason Litka wrote:

Forum ate the code... Let's try it as an unordered list...

  • option expert_mode=1 -s
  • !bash
  • sharectl set -p lmauth_level=2 smb

I'm having the same problem as you guys. I'm trying NexentaStor in a VM environment, have all CIFS stuff turned off, nothing shared out of the VM at all. I have rights to join the appliance to AD, and DNS is set up correctly... DNS and AD are the same server. However, when I try, I get:

May 28 11:38:17 nexenta smbd[460]: [ID 232655 daemon.notice] ldap_modify: Insufficient access
May 28 11:38:17 nexenta smbd[460]: [ID 702911 daemon.notice] Failed to modify the workstation trust account.
May 28 11:38:17 nexenta smbd[460]: [ID 871254 daemon.error] smbd: failed joining DOMAIN.EXAMPLE.COM (UNSUCCESSFUL)

The domain admin insists he pre-created the machine account in AD and gave me rights to join. Right now, I'm just typing my credentials in as "user"... should they be "DOMAIN\user"?

RE: Join Active Directory errors - Added by Dmitry Yusupov over 2 years ago

On 05/28/2010 09:08 AM, NexentaStor.org wrote:

http://www.nexentastor.org/boards/2/topics/52 Christopher Hearn

I'm having the same problem as you guys. I'm trying NexentaStor in a VM environment, have all CIFS stuff turned off, nothing shared out of the VM at all. I have rights to join the appliance to AD, and DNS is set up correctly... DNS and AD are the same server. However, when I try, I get:

May 28 11:38:17 nexenta smbd[460]: [ID 232655 daemon.notice] ldap_modify: Insufficient access
May 28 11:38:17 nexenta smbd[460]: [ID 702911 daemon.notice] Failed to modify the workstation trust account.
May 28 11:38:17 nexenta smbd[460]: [ID 871254 daemon.error] smbd: failed joining DOMAIN.EXAMPLE.COM (UNSUCCESSFUL)

The domain admin insists he pre-created the machine account in AD and gave me rights to join. Right now, I'm just typing my credentials in as "user"... should they be "DOMAIN\user"?

Ensure that computer object permissions are set on AD server side..

RE: Join Active Directory errors - Added by churnd . over 2 years ago

Dmitry Yusupov wrote:

Ensure that computer object permissions are set on AD server side..

Domain admin insists they are. Do I need certain permissions?

RE: Join Active Directory errors - Added by Martin Rasmusson about 1 year ago

I'm having similar problems as you had last year when you started this thread so I thought I'd chime in and see if anyone has more information a year later.

I'm running Nexenta 3.1.1, and our IT department and I have been trying to add the machine to the company AD for a week now without success. It feels like we have tried everything.

First off, we have tried everything found in this thread as well as in these documents:

  • http://www.nexenta.com/cop/nexentastor-faq-table/116
  • http://www.nexenta.com/cop/nexentastor-faq-table/651-how-to-join-nexentastor-to-active-directory-windows-2008-domain
  • http://www.nexenta.com/cop/static/docs-stable/NexentaStor-WindowsAD-Integration.pdf
  • http://www.nexenta.com/static/user-guide-html/NexentaStor-UserGuide.html#9.5.1.Joining%20Active%20Directory|outline

And with the same result every time: "Operation completed with error: Unable to join AD domain: failed to find any domain controllers for domain.com" (I'm using "domain.com" as a placeholder for our own domain just to make this more generic).

I have enabled debug logging and dmesg says the following:

Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.200 name server
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.201 name server
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.202 name server
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 10.85.13.12 in reverse lookup zone...
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: dynamic updates: not supported: 4
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 10.85.13.12 in reverse lookup zone...
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: dynamic updates: not supported: 4
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 10.85.13.12 in reverse lookup zone...
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: dynamic updates: not supported: 4
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.200 name server
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.201 name server
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.202 name server
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 1.2.3.11 in reverse lookup zone...
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: DNS: server is not authoritative for specified zone: 9
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 1.2.3.11 in reverse lookup zone...
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: DNS: server is not authoritative for specified zone: 9
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 1.2.3.11 in reverse lookup zone...
Dec 13 11:15:13 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: DNS: server is not authoritative for specified zone: 9
Dec 13 11:15:14 sa-nas-2 smbd[6835]: [ID 208731 daemon.debug] SA-NAS-2          <20> flags=0x1
Dec 13 11:15:14 sa-nas-2 smbd[6835]: [ID 370951 daemon.debug]   10.85.13.12 ttl=600 flags=0x1 port=35328
Dec 13 11:15:14 sa-nas-2 smbd[6835]: [ID 370951 daemon.debug]   1.2.3.11 ttl=600 flags=0x1 port=35328
Dec 13 11:15:16 sa-nas-2 smbd[6835]: [ID 208731 daemon.debug] SA-NAS-2          <00> flags=0x1
Dec 13 11:15:16 sa-nas-2 smbd[6835]: [ID 370951 daemon.debug]   10.85.13.12 ttl=598 flags=0x1 port=35328
Dec 13 11:15:16 sa-nas-2 smbd[6835]: [ID 370951 daemon.debug]   1.2.3.11 ttl=598 flags=0x1 port=35328
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.200 name server
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.201 name server
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.202 name server
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 499623 daemon.debug] Removing all entries of sa-nas-2.domain.com in forward lookup zone...
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: dynamic updates: not supported: 4
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 499623 daemon.debug] Removing all entries of sa-nas-2.domain.com in forward lookup zone...
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: dynamic updates: not supported: 4
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 499623 daemon.debug] Removing all entries of sa-nas-2.domain.com in forward lookup zone...
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: dynamic updates: not supported: 4
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.200 name server
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.201 name server
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.202 name server
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 10.85.13.12 in reverse lookup zone...
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: dynamic updates: not supported: 4
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 10.85.13.12 in reverse lookup zone...
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: dynamic updates: not supported: 4
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 10.85.13.12 in reverse lookup zone...
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: dynamic updates: not supported: 4
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.200 name server
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.201 name server
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 873867 daemon.debug] Found 10.0.2.202 name server
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 1.2.3.11 in reverse lookup zone...
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: DNS: server is not authoritative for specified zone: 9
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 1.2.3.11 in reverse lookup zone...
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: DNS: server is not authoritative for specified zone: 9
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 408190 daemon.debug] Removing all entries of 1.2.3.11 in reverse lookup zone...
Dec 13 11:15:18 sa-nas-2 smbd[6835]: [ID 380301 daemon.notice] dyndns: DNS: server is not authoritative for specified zone: 9
Dec 13 11:15:46 sa-nas-2 smbd[6835]: [ID 208731 daemon.debug] DOMAIN.COM          <00> flags=0x8000
Dec 13 11:15:46 sa-nas-2 smbd[6835]: [ID 370951 daemon.debug]   10.85.13.12 ttl=600 flags=0x1 port=35328
Dec 13 11:15:47 sa-nas-2 smbd[6835]: [ID 208731 daemon.debug] DOMAIN.COM          <00> flags=0x8000
Dec 13 11:15:47 sa-nas-2 smbd[6835]: [ID 370951 daemon.debug]   1.2.3.11 ttl=600 flags=0x1 port=35328
Dec 13 11:16:45 sa-nas-2 smbd[6835]: [ID 700049 daemon.error] smbd: failed locating domain controller for domain.com

The biggest question is this: All the links above, which show screenshots of the AD Join web GUI, indicate that there is a field between DNS server and AD Domain called "AD Server". It's no longer there in 3.1.1! Isn't it required anymore? If so, does that imply that something else needs to be set up in order to get this information?

In my attempts to find what is wrong I have done a network trace and I can see that Nexenta makes several DNS queries and gets responses for a bunch of them. Various domain controllers, _kerberos._tcp.DOMAIN.COM, _kpasswd._udp.DOMAIN.COM, _kpasswd._tcp.DOMAIN.COM, etc. They all resolve except "one": _kerberos-master._tcp.DOMAIN.COM (and _kerberos-master._udp.DOMAIN.COM). These are not found. (Are these absolutely required?)

It looks like the process continues after this. It makes some kind of Kerberos call to one of the domain controllers, which in Wireshark is called "AS-REQ". The first is over UDP and gets a response "KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG" (which apparently can happen when the returned data is too big for one UDP packet, in which case you are supposed to use TCP instead). So the second call is over TCP, which gets an "AS-REP" back. There is some more traffic going on after this which I really am not qualified to identify, but then nothing happens and about a minute later Nexenta gives up.

Does anybody have a clue as to what could be going on? Is there any way to increase the verbosity of the logs, for instance (other than enabling debug logging)? To me it seems like something suspicious is going on in the last few log lines between 11:15:18 and 11:15:46 (seems very close to 30 seconds, which could be a timeout?) and between 11:15:47 and 11:16:45 (seems very close to 60 seconds, which could also be a timeout)... if only I could tell what is going on there.

Anyone?
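Since both Matt's dig output and Martin's packet trace come down to which SRV records the domain publishes, here is an added example (not NexentaStor code, and not from anyone in this thread) that parses `dig SRV +short` output into a domain-controller try-order and checks a domain's SRV answers against the names a Kerberos/LDAP join relies on. It assumes the MIT Kerberos convention that `_kerberos-master` is optional (Active Directory does not publish it), so its absence is reported as expected rather than as a failure; the dig output and domain name are constructed samples.

```python
"""Added example: offline SRV sanity check for an AD join (not NexentaStor code)."""
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# SRV names a Kerberos/LDAP join consults (assumption: these three are required).
REQUIRED_SRV = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp", "_kpasswd._tcp")
# _kerberos-master is an MIT Kerberos convention for the master KDC; AD does not
# publish it, so a failed lookup is expected and harmless (assumption, see lead-in).
OPTIONAL_SRV = ("_kerberos-master._tcp", "_kerberos-master._udp")


def parse_srv_short(text):
    """Parse `dig SRV +short` lines ("prio weight port target.") into records,
    ordered as a client should try them: lowest priority first, then highest
    weight (real clients pick among equal priorities weighted-randomly).
    Targets are lowercased with the trailing dot removed, so the mixed-case
    hostnames seen in dig output compare equal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or something that is not an SRV answer
        prio, weight, port = (int(p) for p in parts[:3])
        records.append(SrvRecord(prio, weight, port, parts[3].rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def check_join_srv(domain, answers):
    """answers maps a full SRV name to its `dig +short` output ("" if empty).
    Returns (missing_required_names, notes_about_optional_names)."""
    missing, notes = [], []
    for prefix in REQUIRED_SRV:
        name = f"{prefix}.{domain}"
        if not parse_srv_short(answers.get(name, "")):
            missing.append(name)
    for prefix in OPTIONAL_SRV:
        name = f"{prefix}.{domain}"
        if not parse_srv_short(answers.get(name, "")):
            notes.append(f"{name} absent: expected for an AD domain, not an error")
    return missing, notes


# Constructed sample in the layout of the dig output quoted earlier in the thread.
SAMPLE_DIG = "0 100 389 DC2.example.com.\n0 100 389 dc3.example.com.\n10 50 389 dc1.example.com.\n"

if __name__ == "__main__":
    print(parse_srv_short(SAMPLE_DIG))
    answers = {"_ldap._tcp.dc._msdcs.example.com": SAMPLE_DIG,
               "_kerberos._tcp.example.com": "0 100 88 dc2.example.com.\n",
               "_kpasswd._tcp.example.com": "0 100 464 dc2.example.com.\n"}
    print(check_join_srv("example.com", answers))
```

To use it against a real domain, paste each `dig <name> SRV +short` answer into the `answers` dict; an empty required entry is the condition behind the "failed to find any domain controllers" message discussed above, while a missing `_kerberos-master` entry only produces a note.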