[OpenIndiana-discuss] Joining an Active Directory Domain with smbadm

Peter Tripp peter at psych.columbia.edu
Thu Dec 6 17:28:40 UTC 2012


Wow, this is certainly not the voodoo type suggestions I was hoping for, but maybe it'll point me in the right direction.

It's not a multi-domain or multi-controller environment. Single domain on a single domain controller.  Time is not out of sync (drift <0.01sec).  My domain controller does not run its own DNS services. I went to some trouble so that I wouldn't have to maintain MS DNS, not excited about enabling it anytime I need to bind an Illumos host to AD.  As far as I can tell this is literally the most simplistic Active Directory setup possible.

I guess that leaves setting up a mini DNS server with the records I need and then logging the incorrect queries; or even just firing up wireshark and logging the DNS on the wire.  I'd really like to try and track down the bad code and fix it.  Making AD binds work would probably benefit quite a few downstream illumos distros (OmniOS, etc).  Does anyone know of a simple dtrace script to log DNS queries or where I could throw a probe to catch them from smbadm?

Thanks
-Peter

On Dec 5, 2012, at 5:08 PM, Lucas Van Tol wrote:

> 
> I think I've seen that one before.  I can't quite recall if it was the OI system doing some bad DNS requests, or just due to multi-domain/multi-domain-controller environment not being friendly. 
> 
> A simple fix MAY be:
> Ensure DNS is working correctly, and set the primary AD domain controller as your only nameserver in /etc/resolv.conf ; and match your date to it via 'ntpdate -u *primary domain server*'.
> 
> 
> I ended up setting up a small DNS server with only entries for one domain controller, along with entries for some incorrect lookups I saw fairly frequently. (Along the lines of   
> _ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.MY.DOMAIN.EDU ; note the domain showing up twice in a row...) 
> Those systems work fine with standard DNS once they are joined.
> 
> -Lucas Van Tol
> 
> 
>> From: peter at psych.columbia.edu
>> Date: Wed, 5 Dec 2012 16:36:35 -0500
>> To: openindiana-discuss at openindiana.org
>> Subject: [OpenIndiana-discuss] Joining an Active Directory Domain with smbadm
>> 
>> Hi folks,
>> 
>> I've been trying to join an active directory domain for use with the kernel mode CIFS server, but am running into some trouble.  Specifically when I run:
>> # smbadm join -u administrator my.domain.edu.
>> here's what I get:
>> failed to find any domain controllers for MY.DOMAIN.EDU
>> 
>> Here's output from dmesg
>> Dec  5 15:55:07 duchamp smbd[970]: [ID 807464 daemon.error] ndr_rpc_bind: smbrdr_ctx_new(S=myadc, D=MY.DOMAIN.EDU, U=administrator), err=61
>> Dec  5 15:55:07 duchamp last message repeated 3 times
>> Dec  5 15:55:07 duchamp smbd[970]: [ID 700049 daemon.error] smbd: failed locating domain controller for MY.DOMAIN.EDU
>> 
>> I've already gotten Kerberos, LDAP and idmapping working with AD and configured PAM such that ssh logins work, but this one has me stumped.  I've seen plenty of other folks with similar errors, but none with 'err=61'.  For reference I'm running Windows 2008r2, my domain is currently set to the 2003 compatibility mode.
>> 
>> Following the instructions here:
>> http://wiki.illumos.org/display/illumos/CIFS+Service+Troubleshooting
>> I have left my lmauth_level at the default (4) and have not modified it with: sharectl set -p lmauth_level=X smb
>> 
>> Anyone have any suggestions for how to troubleshoot this further? How can I enable debug logging for smbadm?
>> 
>> Thanks
>> -Peter
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss at openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss

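An added example, not part of the original thread or of illumos: one way to do the "log the incorrect queries" step discussed above. It decodes the question name from raw DNS query payloads (RFC 1035 wire format) and flags lookups where the AD domain is appended twice, as in `_ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.MY.DOMAIN.EDU`. The function names are hypothetical and the sample packets are constructed; in practice the payloads would come from a packet capture or a logging DNS server.

```python
import struct

def build_query(name, qtype=33, txid=0x1234):
    """Constructed sample input: a minimal DNS query; QTYPE 33 is SRV."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype) for the first question in a DNS query payload."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    if struct.unpack(">H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:                      # root label ends the name
            break
        if length & 0xC0:                    # pointers do not belong in a query name
            raise ValueError("unexpected compression pointer")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    return ".".join(labels), struct.unpack(">H", packet[pos:pos + 2])[0]

def repeated_suffix(qname, domain):
    """True when the domain shows up twice in a row at the end of qname."""
    d = domain.strip(".").lower()
    return ("." + qname.strip(".").lower()).endswith("." + d + "." + d)

def audit(packets, domain):
    """List (qname, qtype, doubled) for each query payload."""
    results = []
    for packet in packets:
        name, qtype = parse_question(packet)
        results.append((name, qtype, repeated_suffix(name, domain)))
    return results

# Constructed samples: one well-formed SRV lookup and one with the doubled suffix.
SAMPLES = [build_query("_ldap._tcp.dc._msdcs.MY.DOMAIN.EDU"),
           build_query("_ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.MY.DOMAIN.EDU")]

if __name__ == "__main__":
    for name, qtype, doubled in audit(SAMPLES, "my.domain.edu."):
        print("DOUBLED" if doubled else "ok     ", qtype, name)
```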