[OpenIndiana-discuss] Joining an Active Directory Domain with smbadm

Peter Tripp peter at psych.columbia.edu
Thu Jan 3 16:13:08 UTC 2013 

This is just to follow up, I finally busted out Wireshark to catch the DNS request it was making and it became abundantly clear what was causing my 'err=61' condition, it was an nsswitch.conf issue. smbadm was looking for ad1.univ.edu instead of ad1.dept.univ.edu.

nsswitch domain: dept.univ.edu
nsswitch search domain: univ.edu
ad domain: dept.univ.edu
ad controller: ad1.dept.univ.edu

The following DNS query would fail: ad1.univ.edu

Although it would properly look up the domain controller based on my DNS records, it would truncate to the domain component (ad1) and the add that to my search domain (univ.edu) instead of just using the SRV record unmolested (ad1.dept.univ.edu). So if you run into err 61 when using smbadm, check and make sure both your domain and your search domain match the AD domain you're trying to join.

Thanks Lucas and everyone else for your help.  It turns out (as is often the case) actually capturing traffic on the wire lets you know what has happened rather than just what you assume has happened.

-Pete

On Dec 6, 2012, at 1:21 PM, Lucas Van Tol wrote:

> 
> Since you aren't using your AD system for DNS; you may be missing some entries specific to an AD environment.
> It may be easiest to enable dns there; but only use it on your storage server.  (maybe also firewall it off so nobody else tries to use it...)
> 
> These are the records I have in my workaround DNS named.domain (identifying information sed'ed away...). 
> It also has workarounds for some other software that didn't like complicated domains; but I can't recall which entries fix which problems.  
> 
> 
> domain.edu.     NS      smb.domain.edu.
> smb.domain.edu.      A       192.168.1.23
> my   A       192.168.1.68
> dc1     A       192.168.1.68
> dc1.my.domain.edu.      A       192.168.1.68
> dc1.my.domain.edu.domain.edu.   A       192.168.1.68
> _ldap._tcp.dc._msdcs.my.domain.edu.  SRV 0 0 389 dc1.my.domain.edu.
> _kerberos._tcp.my.domain.edu.           SRV     0 0 88  dc1.my.domain.edu.
> _ldap._tcp.my.domain.edu.       SRV     0 0 389 dc1.my.domain.edu.
> _kerberos._tcp.dc._msdcs.my.domain.edu.         SRV 0 0 389 dc1.my.domain.edu.
> _ldap._tcp.dc._msdcs.  SRV 0 0 389 dc1.my.domain.edu.
> _kerberos._tcp.         SRV     0 0 88  dc1.my.domain.edu.
> _ldap._tcp.     SRV     0 0 389 dc1.my.domain.edu.
> _kerberos._tcp.dc._msdcs.       SRV 0 0 389 dc1.my.domain.edu.
> _kerberos-master._tcp.MY.DOMAIN.EDU. SRV 0 0 88 dc1.my.domain.edu
> _kerberos-master._tcp.my.domain.edu. SRV 0 0 88 dc1.my.domain.edu
> _kerberobomaster._udp.MY.DOMAIN.EDU. SRV 0 0 88 dc1.my.domain.edu
> _kerberos-master._udp.my.domain.edu. SRV 0 0 88 dc1.my.domain.edu
> _ldap._tcp.gc._msdcs.domain.edu.  SRV 0 0 3268 dc1.my.domain.edu
> _ldap._tcp.gc._msdcs.DOMAIN.EDU. SRV 0 0 3268 dc1.my.domain.edu
> _ldap._tcp.dc._msdcs.my.domain.edu.domain.edu.  SRV 0 0 389 dc1.my.domain.edu.
> _kerberos._tcp.my.domain.edu.domain.edu.                SRV     0 0 88  dc1.my.domain.edu.
> _ldap._tcp.my.domain.edu.domain.edu.    SRV     0 0 389 dc1.my.domain.edu.
> _kerberos._tcp.dc._msdcs.my.domain.edu.domain.edu.      SRV 0 0 389 dc1.my.domain.edu.
> _ldap._tcp.dc._msdcs.  SRV 0 0 389 dc1.my.domain.edu.
> _kerberos._tcp.         SRV     0 0 88  dc1.my.domain.edu.
> _ldap._tcp.     SRV     0 0 389 dc1.my.domain.edu.
> _kerberos._tcp.dc._msdcs.       SRV 0 0 389 dc1.my.domain.edu.
> _kerberos-master._tcp.MY.DOMAIN.EDU.DOMAIN.EDU. SRV 0 0 88 dc1.my.domain.edu
> _kerberos-master._tcp.my.domain.edu.domain.edu. SRV 0 0 88 dc1.my.domain.edu
> _kerberobomaster._udp.MY.DOMAIN.EDU.DOMAIN.EDU. SRV 0 0 88 dc1.my.domain.edu
> _kerberos-master._udp.my.domain.edu.domain.edu. SRV 0 0 88 dc1.my.domain.edu
> _ldap._tcp.gc._msdcs.domain.edu.domain.edu.  SRV 0 0 3268 dc1.my.domain.edu
> _ldap._tcp.gc._msdcs.DOMAIN.EDU.DOMAIN.EDU. SRV 0 0 3268 dc1.my.domain.edu 
> 
> 
> 
> -Lucas Van Tol
> 
> 
>> From: peter at psych.columbia.edu
>> Date: Thu, 6 Dec 2012 12:28:40 -0500
>> To: openindiana-discuss at openindiana.org
>> Subject: Re: [OpenIndiana-discuss] Joining an Active Directory Domain with	smbadm
>> 
>> Wow, this is certainly not the voodoo type suggestions I was hoping for, but maybe it'll point me in the right direction.
>> 
>> It's not a multi-domain or multi-controller environment. Single domain on a single domain controller.  Time is not out of sync (drift <0.01sec).  My domain controller does not run it's own DNS services. I went to some trouble so that I wouldn't have to maintain MS DNS, not excited about enabling anytime I need to bind an Illumos host to AD.  As far as I can tell this is literally the most simplistic Active Directory setup possible.
>> 
>> I guess that leaves setting up a mini DNS server with the records I need and then logging the incorrect queries; or even just firing up wireshark and logging the DNS on the wire.  I'd really like to try and track down the bad code and fix it.  Making AD binds work would probably benefit quite a few downstream illumos distros (OmniOS, etc).  Does anyone know of a simple dtrace script to log DNS queries or where I could throw a probe to catch them from smbadm?
>> 
>> Thanks
>> -Peter
>> 
>> On Dec 5, 2012, at 5:08 PM, Lucas Van Tol wrote:
>> 
>>> 
>>> I think I've seen that one before.  I can't quite recall if it was the OI system doing some bad DNS requests, or just due to multi-domain/multi-domain-controller environment not being friendly. 
>>> 
>>> A simple fix MAY be:
>>> Ensure DNS is working correctly, and set the primary AD domain controller as your only nameserver in /etc/resolv.conf ; and match your date to it via 'ntpdate -u *primary domain server*'.
>>> 
>>> 
>>> I ended up setting up a small DNS server with only entries for one domain controller, along with entries for some incorrect lookups I saw fairly frequently. (Along the lines of   
>>> _ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.MY.DOMAIN.EDU ; note the domain showing up twice in a row...) 
>>> Those systems work fine with standard DNS once they are joined.
>>> 
>>> -Lucas Van Tol
>>> 
>>> 
>>>> From: peter at psych.columbia.edu
>>>> Date: Wed, 5 Dec 2012 16:36:35 -0500
>>>> To: openindiana-discuss at openindiana.org
>>>> Subject: [OpenIndiana-discuss] Joining an Active Directory Domain with smbadm
>>>> 
>>>> Hi folks,
>>>> 
>>>> I've been trying to join an active directory domain for use with the kernel mode CIFS server, but am running into some trouble.  Specifically when I run:
>>>> # smbadm join -u administrator my.domain.edu.
>>>> here's what I get:
>>>> failed to find any domain controllers for MY.DOMAIN.EDU
>>>> 
>>>> Here's output form dmesg
>>>> Dec  5 15:55:07 duchamp smbd[970]: [ID 807464 daemon.error] ndr_rpc_bind: smbrdr_ctx_new(S=myadc, D=MY.DOMAIN.EDU, U=administrator), err=61
>>>> Dec  5 15:55:07 duchamp last message repeated 3 times
>>>> Dec  5 15:55:07 duchamp smbd[970]: [ID 700049 daemon.error] smbd: failed locating domain controller for MY.DOMAIN.EDU
>>>> 
>>>> I've already gotten Kerberos, LDAP and idmapping working with AD and configured PAM such that ssh logins work, but this one has me stumped.  I've seen plenty of other folks with similar errors, but none with 'err=61'.  For reference I'm running Windows 2008r2, my domain is currently set to the 2003 compatibility mode.
>>>> 
>>>> Following the instructions here:
>>>> http://wiki.illumos.org/display/illumos/CIFS+Service+Troubleshooting
>>>> I have left my lmauth_level at the default (4) and have not modified it with: sharectl set -p lmauth_level=X smb
>>>> 
>>>> Anyone have any suggestions for how to troubleshoot this further? How can I enable debug logging for smbadm?
>>>> 
>>>> Thanks
>>>> -Peter
>>>> _______________________________________________
>>>> OpenIndiana-discuss mailing list
>>>> OpenIndiana-discuss at openindiana.org
>>>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>>> 		 	   		  
>>> _______________________________________________
>>> OpenIndiana-discuss mailing list
>>> OpenIndiana-discuss at openindiana.org
>>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>> 
>> 
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss at openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss
> 		 	   		  
> _______________________________________________
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss

More information about the OpenIndiana-discuss mailing list