[OpenIndiana-discuss] Problems joining an AD domain

Ryan John john.ryan at bsse.ethz.ch
Sat Aug 25 12:55:38 UTC 2012


Hi,

I’m trying to join an AD domain, but can’t.
This used to work with snv_134, and I’m using the same config.
I’m not a top level domain admin, just an OU admin.

In snv_134, I had to set lmauthlevel to 2, but that apparently doesn’t work anymore.

If I set lmauthlevel=2, I simply get:

~# smbadm join -u john domain.example.com
After joining domain.example.com the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining domain.example.com... this may take a minute ...
failed to join domain.example.com: LOGON_FAILURE
Please refer to the system log for more information.

If I set lmauthlevel=4, I get:
~# smbadm join -u john domain.example.com
After joining domain.example.com the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining domain.example.com ... this may take a minute ...
failed to join domain.example.com: UNSUCCESSFUL
Please refer to the system log for more information.

And in the log, I see:
smbd[12965]: [ID 972153 daemon.error] smbns_ksetpwd: KPASSWD protocol exchange failed (Cannot contact any KDC for requested realm)
smbd[12965]: [ID 702911 daemon.notice] Failed to set machine password.
smbd[12965]: [ID 871254 daemon.error] smbd: failed joining domain.example.com (UNSUCCESSFUL)

My krb5.conf looks like:
[libdefaults]
        default_realm = DOMAIN.EXAMPLE.COM

[realms]
        DOMAIN.EXAMPLE.COM = {
                kdc = curare.domain.example.com
                admin_server = curare.domain.example.com
                kpasswd_server = curare.domain.example.com
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .domain.example.com = DOMAIN.EXAMPLE.COM
        domain.example.com = DOMAIN.EXAMPLE.COM
        .example.com = DOMAIN.EXAMPLE.COM
        example.com = DOMAIN.EXAMPLE.COM

Anyone any idea what the problem might be?

Cheers
John
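
The log above shows the join failing in the KPASSWD exchange, which depends on the hosts named in the [realms] block of krb5.conf. As an added example (not part of the original post and not OpenIndiana code), this lists the KDC and kpasswd host/port pairs a realm's entries resolve to, so each can be checked for DNS resolution and reachability from the joining host. The function names, the LAB.EXAMPLE.COM realm and the admin_server fallback are assumptions of the example.

```python
# Constructed sample shaped like the krb5.conf in the post; LAB realm is invented.
SAMPLE = """\
[libdefaults]
        default_realm = DOMAIN.EXAMPLE.COM
[realms]
        DOMAIN.EXAMPLE.COM = {
                kdc = curare.domain.example.com
                admin_server = curare.domain.example.com
                kpasswd_server = curare.domain.example.com
                kpasswd_protocol = SET_CHANGE
        }
        LAB.EXAMPLE.COM = {
                kdc = dc1.lab.example.com:88
                admin_server = dc1.lab.example.com:749
        }
"""

DEFAULT_PORT = {"kdc": 88, "kpasswd_server": 464}

def parse_realms(text):
    """Return (default_realm, {realm: [(key, value), ...]}) from krb5.conf text."""
    section, realm, default, realms = None, None, None, {}
    for raw in text.splitlines():
        key, _, value = (p.strip() for p in raw.split("#", 1)[0].partition("="))
        if key.startswith("["):
            section, realm = key.strip("[] "), None
        elif key == "}":
            realm = None
        elif section == "libdefaults" and key == "default_realm":
            default = value
        elif section == "realms" and value == "{":
            realm = key
        elif section == "realms" and realm and value:
            realms.setdefault(realm, []).append((key, value))
    return default, realms

def endpoints(text, realm=None):
    """List (role, host, port) for the KDC and kpasswd servers of a realm."""
    default, realms = parse_realms(text)
    entries = realms.get(realm or default, [])
    # Assumption (MIT krb5 docs): no kpasswd_server means admin_server host, port 464.
    if not any(k == "kpasswd_server" for k, _ in entries):
        entries = entries + [("kpasswd_server", v.partition(":")[0])
                             for k, v in entries if k == "admin_server"]
    out = []
    for key, value in entries:
        if key in DEFAULT_PORT:
            host, _, port = value.partition(":")
            out.append((key, host, int(port) if port.isdigit() else DEFAULT_PORT[key]))
    return out
```

Calling `endpoints(SAMPLE)` uses the default realm; pass a realm name as the second argument to inspect another block.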


