[OpenIndiana-discuss] Join to AD Domain with HA kpasswd server

The Outsider openindiana at out-side.nl
Wed Oct 8 22:29:34 UTC 2014


I think "Joining domain failed (c0000001)" might give you a clue.
When the NAT translates your computer's IP address to a new local one, no DNS 
reference will exist for that IP.

At least that is what came up in Google.


On 8 October 2014 21:00:00 Andrew Martin <amartin at xes-inc.com> wrote:

> Hello,
>
> I am attempting to join an OpenIndiana server to an Active Directory domain for
> authenticating smb/server following this guide:
> http://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredomainmodetask/index.html
>
> However, I do not want to specify just a single domain controller in the kdc,
> admin_server, and kpasswd_server fields since that would be a single point of
> failure. I have a pair of forwarding servers that host a VIP (ad.example.com)
> and NAT traffic to any of the available DCs, so I'd prefer to put the hostname
> of this VIP in these fields instead:
>
> [libdefaults]
>    default_realm = EXAMPLE.COM
>
> [realms]
>    EXAMPLE.COM = {
>        kdc = ad.example.com
>        admin_server = ad.example.com
>        kpasswd_server = ad.example.com
>        kpasswd_protocol = SET_CHANGE
>    }
>
> [domain_realm]
>    .example.com = EXAMPLE.COM
>
> However, this doesn't work when I run "smbadm join":
> Tree Connection SUCCEEDED (0)
> Authentication SUCCEEDED (0) for Administrator at EXAMPLE.COM by dc0
> Using ad.example.com (dc0) as DC for domain example.com (example)
> Tree Connection SUCCEEDED (0)
> Authentication SUCCEEDED (0) for Administrator at example.com by dc0
> getting initial credentials (Incorrect net address)
> getting initial credentials (Incorrect net address)
> Joining domain to alter computer account FAILED (1) using 
> Administrator at example.com credentials.
> Failed to connect to an Active Directory server.
> Joining domain failed (c0000001)
>
> I think this "Incorrect net address" error is occurring because the address
> list provided to Kerberos contains the IP addresses of the OpenIndiana server,
> not the NAT server (ad.example.com). According to the manpage, I should be able
> to add no_addresses to the [appdefaults] section to request an address-less
> ticket:
>
>
> [libdefaults]
>    default_realm = EXAMPLE.COM
>
> [realms]
>    EXAMPLE.COM = {
>        kdc = ad.example.com
>        admin_server = ad.example.com
>        kpasswd_server = ad.example.com
>        kpasswd_protocol = SET_CHANGE
>    }
>
> [domain_realm]
>    .example.com = EXAMPLE.COM
>
> [appdefaults]
>         kinit = {
>                 renewable = true
>                 forwardable = true
>                 no_addresses = true
>         }
>
> However, doing this does not improve the situation when running "smbadm join".
> This DOES work when running "kinit" manually. Changing the kdc, admin_server,
> and kpasswd_server to use one of the DCs directly, e.g. dc0.example.com, makes
> "smbadm join" work successfully. What can I do to successfully join the domain
> using this NAT server for HA?
>
> Thanks,
>
> Andrew Martin
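
An added example, not part of the original messages: a simplified parser for the krb5.conf quoted above that reports for which application names an `[appdefaults]` option such as `no_addresses` resolves. It assumes MIT-style scoping (the application's own subsection first, then a bare option directly under `[appdefaults]`); the function names and the use of "smbadm" as an application name are hypothetical, and the page does not say whether smbadm reads `[appdefaults]` at all.

```python
import re

# Constructed sample: the [appdefaults] stanza from the quoted krb5.conf.
SAMPLE = """
[libdefaults]
   default_realm = EXAMPLE.COM

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
                no_addresses = true
        }
"""

def parse_krb5_conf(text):
    """Parse [sections], 'key = value' relations and nested '{ }' subsections."""
    root = {}
    stack = [root]              # stack[-1] is the dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                   # new top-level section resets nesting
            stack = [root, root.setdefault(m.group(1), {})]
        elif line == "}":       # close the innermost subsection
            if len(stack) > 2:
                stack.pop()
        elif "=" in line and len(stack) > 1:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":    # open a subsection
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def appdefault(conf, app, option):
    """Simplified lookup: app subsection first, then a bare option under
    [appdefaults]. Realm-scoped forms are omitted (assumption of this example)."""
    section = conf.get("appdefaults", {})
    scoped = section.get(app)
    if isinstance(scoped, dict) and option in scoped:
        return scoped[option]
    value = section.get(option)
    return value if isinstance(value, str) else None

def apps_covered(conf, option, apps):
    """Return the application names for which the option resolves to 'true'."""
    return [a for a in apps if appdefault(conf, a, option) == "true"]
```

Run against the quoted configuration, `apps_covered(parse_krb5_conf(SAMPLE), "no_addresses", ["kinit", "smbadm"])` lists only `kinit`, because the option sits inside the `kinit = { }` subsection.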