I recently tried to (re)join an OI machine to my company's AD. I had it joined previously, but my AD integration broke when the AD admins turned on LDAPS. OI does not have the required libraries to join an AD environment that has LDAPS enabled.
You can troubleshoot this further if you issue the join command yourself and run it in debug mode at the same time:

    net ads join -U username -d5

If the domain you are trying to join does have LDAPS enabled, you should see this line, "StartTLS not supported by LDAP client libraries!", a few lines from the bottom when the join completes, unless you have other errors that first need fixing. Eventually, however, once you have them all sorted out, you will get this error.

-----Original Message-----
From: Andrew Martin [mailto:amar...@xes-inc.com]
Sent: 08 October 2014 20:56
To: Discussion list for OpenIndiana
Subject: [OpenIndiana-discuss] Join to AD Domain with HA kpasswd server

Hello,

I am attempting to join an OpenIndiana server to an Active Directory domain for authenticating smb/server following this guide:
http://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredomainmodetask/index.html

However, I do not want to specify just a single domain controller in the kdc, admin_server, and kpasswd_server fields since that would be a single point of failure. I have a pair of forwarding servers that host a VIP (ad.example.com) and NAT traffic to any of the available DCs, so I'd prefer to put the hostname of this VIP in these fields instead:

    [libdefaults]
    default_realm = EXAMPLE.COM

    [realms]
    EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
        kpasswd_server = ad.example.com
        kpasswd_protocol = SET_CHANGE
    }

    [domain_realm]
    .example.com = EXAMPLE.COM

However, this doesn't work when I run "smbadm join":

    Tree Connection SUCCEEDED (0)
    Authentication SUCCEEDED (0) for administra...@example.com by dc0
    Using ad.example.com (dc0) as DC for domain example.com (example)
    Tree Connection SUCCEEDED (0)
    Authentication SUCCEEDED (0) for administra...@example.com by dc0
    getting initial credentials (Incorrect net address)
    getting initial credentials (Incorrect net address)
    Joining domain to alter computer account FAILED (1) using administra...@example.com credentials.
    Failed to connect to an Active Directory server.
    Joining domain failed (c0000001)

I think this "Incorrect net address" error is occurring because the address list provided to Kerberos contains the IP addresses of the OpenIndiana server, not the NAT server (ad.example.com). According to the manpage, I should be able to add no_addresses to the [appdefaults] section to request an address-less ticket:

    [libdefaults]
    default_realm = EXAMPLE.COM

    [realms]
    EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
        kpasswd_server = ad.example.com
        kpasswd_protocol = SET_CHANGE
    }

    [domain_realm]
    .example.com = EXAMPLE.COM

    [appdefaults]
    kinit = {
        renewable = true
        forwardable = true
        no_addresses = true
    }

However, doing this does not improve the situation when running "smbadm join". This DOES work when running "kinit" manually. Changing the kdc, admin_server, and kpasswd_server to use one of the DCs directly, e.g. dc0.example.com, makes "smbadm join" work successfully.

What can I do to successfully join the domain using this NAT server for HA?

Thanks,

Andrew Martin

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
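Added example, not from the list thread and not OpenIndiana or Solaris code: a small Python parser for the krb5.conf layout quoted above (section headers, "key = value" lines, and the "name = { ... }" sub-blocks used under [realms] and [appdefaults]) that reports, for the default realm, whether kdc, admin_server and kpasswd_server each name only one host, and whether address-less tickets are requested. The sample configuration embedded in it is constructed after the fragment in the thread. The check goes slightly beyond the thread: it also handles a realm that lists several kdc lines, which krb5.conf allows as an alternative to a single VIP, and it recognises the [libdefaults] noaddresses setting used by MIT Kerberos alongside the [appdefaults] kinit no_addresses flag the thread quotes.

```python
"""Parse a krb5.conf-style file and flag single-host KDC settings (added example)."""
import re

# Constructed sample, modelled on the krb5.conf fragment quoted in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
        kpasswd_server = ad.example.com
        kpasswd_protocol = SET_CHANGE
    }

[domain_realm]
    .example.com = EXAMPLE.COM

[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
        no_addresses = true
    }
"""


def _store(block, key, value):
    """Keep repeated keys (e.g. several kdc lines) as a list, in file order."""
    if key in block:
        if not isinstance(block[key], list):
            block[key] = [block[key]]
        block[key].append(value)
    else:
        block[key] = value


def parse_krb5_conf(text):
    """Return {section: {key: value | sub-dict | [values]}}.

    Understands [section] headers, 'key = value' lines and the
    'name = { ... }' sub-blocks used under [realms] and [appdefaults].
    Blank lines and full-line '#' / ';' comments are ignored.
    """
    sections = {}
    stack = []  # innermost open block is stack[-1]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'^\[([\w.-]+)\]$', line)
        if m:  # new top-level section; closes any open sub-blocks
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError('line %d: value outside any section' % lineno)
        if line == '}':
            if len(stack) == 1:
                raise ValueError('line %d: unbalanced }' % lineno)
            stack.pop()
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*(.*)$', line)
        if not m:
            raise ValueError('line %d: cannot parse %r' % (lineno, raw))
        key, value = m.group(1), m.group(2).strip()
        if value == '{':  # open a sub-block such as a realm entry
            block = {}
            _store(stack[-1], key, block)
            stack.append(block)
        else:
            _store(stack[-1], key, value)
    if len(stack) > 1:
        raise ValueError('unterminated { block at end of file')
    return sections


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def realm_endpoints(conf, realm=None):
    """For kdc/admin_server/kpasswd_server, list the hosts named and whether
    the setting depends on one host (a single point of failure unless that
    host is itself a VIP, as in the thread)."""
    realm = realm or conf.get('libdefaults', {}).get('default_realm')
    settings = conf.get('realms', {}).get(realm, {})
    report = {}
    for key in ('kdc', 'admin_server', 'kpasswd_server'):
        hosts = _as_list(settings.get(key))
        report[key] = {'hosts': hosts, 'single_host': len(set(hosts)) == 1}
    return report


def addressless_requested(conf):
    """True if address-less tickets are requested via [appdefaults] kinit
    no_addresses (as quoted in the thread) or [libdefaults] noaddresses."""
    kinit = conf.get('appdefaults', {}).get('kinit', {})
    flags = (kinit.get('no_addresses') if isinstance(kinit, dict) else None,
             conf.get('libdefaults', {}).get('noaddresses'))
    return any(str(f).lower() in ('true', 'yes', '1') for f in flags)


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for key, info in realm_endpoints(conf).items():
        print('%-15s %-30s %s' % (key, ','.join(info['hosts']) or '(unset)',
                                  'SINGLE HOST' if info['single_host'] else 'ok'))
    print('address-less tickets requested:', addressless_requested(conf))
```

Run against the sample it prints one line per endpoint, all marked SINGLE HOST because every field names the VIP; pointing the parser at a realm with several kdc lines instead marks kdc as ok while still flagging admin_server and kpasswd_server, which is the asymmetry the thread is really about.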