[OpenIndiana-discuss] Joining an Active Directory Domain with smbadm

Rich rercola at acm.jhu.edu
Thu Dec 6 18:07:49 UTC 2012


FWIW AD binds do work - I'm currently running a number of OI systems bound
to an AD without any special magic.

Then again, I'm also running DNS services with a delegation for the AD
subdomain, so that differs from your setup...

- Rich


On Thu, Dec 6, 2012 at 12:28 PM, Peter Tripp <peter at psych.columbia.edu> wrote:

> Wow, this is certainly not the voodoo type suggestions I was hoping for,
> but maybe it'll point me in the right direction.
>
> It's not a multi-domain or multi-controller environment. Single domain on
> a single domain controller.  Time is not out of sync (drift <0.01sec).  My
> domain controller does not run its own DNS services. I went to some
> trouble so that I wouldn't have to maintain MS DNS, not excited about
> enabling it anytime I need to bind an Illumos host to AD.  As far as I can
> tell this is literally the most simplistic Active Directory setup possible.
>
> I guess that leaves setting up a mini DNS server with the records I need
> and then logging the incorrect queries; or even just firing up wireshark
> and logging the DNS on the wire.  I'd really like to try and track down the
> bad code and fix it.  Making AD binds work would probably benefit quite a
> few downstream illumos distros (OmniOS, etc).  Does anyone know of a simple
> dtrace script to log DNS queries or where I could throw a probe to catch
> them from smbadm?
>
> Thanks
> -Peter
>
> On Dec 5, 2012, at 5:08 PM, Lucas Van Tol wrote:
>
> >
> > I think I've seen that one before.  I can't quite recall if it was the
> > OI system doing some bad DNS requests, or just due to
> > multi-domain/multi-domain-controller environment not being friendly.
> >
> > A simple fix MAY be:
> > Ensure DNS is working correctly, and set the primary AD domain
> > controller as your only nameserver in /etc/resolv.conf ; and match your
> > date to it via 'ntpdate -u *primary domain server*'.
> >
> >
> > I ended up setting up a small DNS server with only entries for one
> > domain controller, along with entries for some incorrect lookups I saw
> > fairly frequently. (Along the lines of
> > _ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.MY.DOMAIN.EDU ; note the domain
> > showing up twice in a row...)
> > Those systems work fine with standard DNS once they are joined.
> >
> > -Lucas Van Tol
> >
> >
> >> From: peter at psych.columbia.edu
> >> Date: Wed, 5 Dec 2012 16:36:35 -0500
> >> To: openindiana-discuss at openindiana.org
> >> Subject: [OpenIndiana-discuss] Joining an Active Directory Domain with smbadm
> >>
> >> Hi folks,
> >>
> >> I've been trying to join an active directory domain for use with the
> >> kernel mode CIFS server, but am running into some trouble.  Specifically
> >> when I run:
> >> # smbadm join -u administrator my.domain.edu.
> >> here's what I get:
> >> failed to find any domain controllers for MY.DOMAIN.EDU
> >>
> >> Here's output from dmesg
> >> Dec  5 15:55:07 duchamp smbd[970]: [ID 807464 daemon.error] ndr_rpc_bind: smbrdr_ctx_new(S=myadc, D=MY.DOMAIN.EDU, U=administrator), err=61
> >> Dec  5 15:55:07 duchamp last message repeated 3 times
> >> Dec  5 15:55:07 duchamp smbd[970]: [ID 700049 daemon.error] smbd: failed locating domain controller for MY.DOMAIN.EDU
> >>
> >> I've already gotten Kerberos, LDAP and idmapping working with AD and
> >> configured PAM such that ssh logins work, but this one has me stumped.
> >> I've seen plenty of other folks with similar errors, but none with
> >> 'err=61'.  For reference I'm running Windows 2008r2, my domain is currently
> >> set to the 2003 compatibility mode.
> >>
> >> Following the instructions here:
> >> http://wiki.illumos.org/display/illumos/CIFS+Service+Troubleshooting
> >> I have left my lmauth_level at the default (4) and have not modified it
> >> with: sharectl set -p lmauth_level=X smb
> >>
> >> Anyone have any suggestions for how to troubleshoot this further? How
> >> can I enable debug logging for smbadm?
> >>
> >> Thanks
> >> -Peter
> >> _______________________________________________
> >> OpenIndiana-discuss mailing list
> >> OpenIndiana-discuss at openindiana.org
> >> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
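
Added example, not part of the thread and not illumos code: a small Python filter for DNS query names collected from a server log or packet capture. It flags lookups where the AD domain appears twice in a row, as in the name quoted above, and counts which intended names they correspond to. The function names and the sample query list are constructed for illustration.

```python
"""Flag logged DNS query names in which the AD domain suffix is repeated."""
from collections import Counter


def labels(name):
    # DNS names are case-insensitive; drop the trailing root dot if present.
    return [part for part in name.lower().rstrip(".").split(".") if part]


def doubled_suffix(qname, domain):
    """Return the name with the repeated domain collapsed, or None if not doubled."""
    q, d = labels(qname), labels(domain)
    n = len(d)
    if n == 0 or len(q) < 2 * n:
        return None
    # The last n labels and the n labels before them must both equal the domain.
    if q[-n:] == d and q[-2 * n:-n] == d:
        return ".".join(q[:-n])
    return None


def triage(qnames, domain):
    """Return (names that look normal, Counter of intended names seen doubled)."""
    ok, doubled = [], Counter()
    for name in qnames:
        intended = doubled_suffix(name, domain)
        if intended is None:
            ok.append(name)
        else:
            doubled[intended] += 1
    return ok, doubled


# Constructed sample: query names as they might appear in a DNS query log.
# The host name myadc.my.domain.edu is an assumption built from S=myadc.
SAMPLE = [
    "_ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.MY.DOMAIN.EDU.",
    "_ldap._tcp.dc._msdcs.my.domain.edu.my.domain.edu",
    "_ldap._tcp.dc._msdcs.my.domain.edu.",
    "myadc.my.domain.edu.my.domain.edu.",
    "myadc.my.domain.edu.",
]

if __name__ == "__main__":
    ok, doubled = triage(SAMPLE, "my.domain.edu")
    for intended, count in doubled.most_common():
        print(f"{count:3d} doubled lookups, intended name: {intended}")
    print(f"{len(ok)} lookups with a single domain suffix")
```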

