Discussion:
[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
Raj Pagaku
19 years ago
Hello,

We recently upgraded to the latest Samba3 version v3.0.23c. If the Samba
system and the AD belong to the same domain, I am able to perform a 'net
ads join' by supplying either a 'Domain Admins' or a 'Domain Users'
credential.

However, if the Samba system and the AD belong to different domains, I can
perform the 'net ads join' by supplying a 'Domain Admins' credential but
not a user belonging to 'Domain Users'. If the user belongs only to
'Domain Users', I get the 'Failed to set servicePrincipalNames' error.

Samba System domain = WGA
AD Server domain = CHILD1.AD.WGA

wsa29:] winbindd -V
Version 3.0.23c

wsa29:] hostname
wsa29.wga

wsa29:] klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ***@CHILD1.AD.WGA

Issued Expires Principal
Nov 7 14:31:19 Nov 8 00:31:19 krbtgt/***@CHILD1.AD.WGA
Nov 7 14:32:07 Nov 8 00:31:19 child1-server$@CHILD1.AD.WGA

wsa29:] cat smb.conf
[global]
workgroup = CHILD1
server string = Samba Server
load printers = yes
log file = /var/log/samba.log.%m
lock directory = /var/run/locks
pid directory = /var/run/locks
max log size = 100
security = ads
password server = child1-server.child1.ad.wga
realm = CHILD1.AD.WGA
encrypt passwords = yes
smb passwd file = /usr/local/samba/lib/smbpasswd
socket options = TCP_NODELAY
dns proxy = no
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

wsa29:] net ads join -s /etc/samba/smb.conf -Uadministrator
administrator's password:
Using short domain name -- CHILD1
Joined 'WSA29' to realm 'CHILD1.AD.WGA'

wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
olympus's password:
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'

Here the user 'administrator' belongs to 'Domain Admins' and the user
'olympus' belongs to 'Domain Users'.

Shouldn't I be able to use a 'Domain Users' account to perform the 'net
ads join' operation in 3.0.23c? Or is this restricted to both Samba
system and AD server being on the same domain?

Thanks in advance

-Raj
Jean-Vincent BAYARRI
19 years ago
Hi,

I also run FreeBSD 6.1 (and also experience a lot of trouble with
version 3.0.23c...)

For your problem you should check your /etc/hosts.
It must have the "CHILD1.AD.WGA" as fqdn for your IP like this:

xxx.xxx.xxx.xxx CHILD1.AD.WGA CHILD1 alias1 alias2 ... aliasN
...
--
***************************************************************************
* Jean-Vincent BAYARRI Systems & network engineer *
* IT Department, Laboratoire Central des Ponts et Chaussées *
* 58, boulevard Lefebvre 75732 PARIS CEDEX 15 *
* Tel 01 40 43 51 70 Fax 01 56 56 16 99 *
***************************************************************************
Raj Pagaku
19 years ago
I tried the suggested solution and I still run into the same issue (further searching in the Samba list led me to another thread where the same solution was proposed; I don't know whether that worked for the thread originator).

wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
olympus's password:
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'

After I execute the above command, I see that my system is listed in the AD server 'Computer' list but has a red 'x' symbol to indicate that it is disabled.

However if I execute the command 'net ads status -s /etc/samba/smb.conf -Uolympus' after the 'net ads join' command, I am able to retrieve status information properly.

-Raj
...
Gerald (Jerry) Carter
19 years ago
Post by Raj Pagaku
wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'
Either (a) the fqdn of the local machine (the one you are joining to
the domain) is not set correctly or (b) is set to a domain
outside the AD domain name and you are not a domain admin.

cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Raj Pagaku
19 years ago
Thanks Jerry for your response. It is case (b). The fqdn of the local
machine is set to a domain outside the AD domain name, and the user
credentials being used are 'Domain User' and not 'Domain Admin'.

Do we need 'Domain Admin' if the local machine domain is outside the AD
domain name? Is this a restriction that will be addressed in the near
future?

Thanks
Raj
...
Gerald (Jerry) Carter
19 years ago
Post by Raj Pagaku
Thanks Jerry for your response. It is case (b). The fqdn of the local
machine is set to a domain outside the AD domain name and the user
credentials being used is 'Domain User' and not a 'Domain Admin'.
Do we need 'Domain Admin' if the local machine domain is outside the AD
domain name? Is this a restriction that will be addressed in the near
future?
This is an AD restriction on the default security assigned
to a computer object. When a non-admin is given the right
to join a specific machine to the domain, that user is only
granted validated write access to the DnsHostName and
servicePrincipalName attributes. A Windows XP box would fail
to join the domain in the same way.

This doc explains it:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Raj Pagaku
19 years ago
Thanks Jerry for your response as well as the useful link to the
reference article.

Once I delegated the following permissions for the specific 'Domain
User' on the 'Computer Objects' on my AD server, I was able to join the
Samba system to the domain.

Permissions Delegated via the 'Delegation Control Wizard':
1> Allow 'Write DNS Host Name Attributes' property
2> Allow 'Write Service Principal Name' property

I am sharing the steps I performed on my Windows 2003 AD server for the
benefit of others:

* Invoke the 'Delegate Control Wizard' for the 'Computers'
* Add the specific 'Domain User' to the 'Selected users and groups'.
* Create a custom task to delegate.
* Select the 'Computer Objects'
* Select the 'Property-Specific'. Then select the 'Write dNSHostName'
and the 'Write servicePrincipalName'
* Finish your task

If there are any known side-effects of delegating these permissions,
please let me know.

Thanks
Raj Pagaku
-----Original Message-----
Sent: Friday, November 10, 2006 11:16 AM
To: Raj Pagaku
Subject: Re: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set
servicePrincipalNames
...
Gerald (Jerry) Carter
19 years ago
Post by Raj Pagaku
Thanks Jerry for your response as well as the useful link to the
reference article.
Once I delegated the following Permissions' for the specific 'Domain
User' on the 'Computer Objects' on my AD server, I was able to join the
Samba system to the domain.
1> Allow 'Write DNS Host Name Attributes' property
2> Allow 'Write Service Principal Name' property
You only need #1 I think. The validated write to SPN helps
to ensure that it matches the dNSHostName value.

jerry
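As an added example (not code from the thread, from Samba, or from Microsoft), the delegation Raj did in the wizard expressed in PowerShell, scoped to descendant computer objects only, with Jerry's point that the dNSHostName validated write is the essential one reflected in an optional switch. It assumes a DC with the ActiveDirectory module (the AD: drive), a caller allowed to edit the container's ACL, and the account and container names are placeholders derived from the thread's CHILD1.AD.WGA domain.

```powershell
# Added example (not from the thread): grant a non-admin account the validated
# writes the join needs instead of handing it Domain Admin credentials.
# Assumptions: the ActiveDirectory module (AD: drive) is available, the caller may
# edit the container's ACL, and the account/container values are placeholders
# built from the thread (CHILD1\olympus, CN=Computers under CHILD1.AD.WGA).
Import-Module ActiveDirectory

# Well-known schema and control-access-right GUIDs (identical in every forest).
$ComputerClassGuid    = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer class
$ValidatedDnsHostName = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$ValidatedSpn         = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to SPN

function Grant-ComputerValidatedWrite {
    param(
        [Parameter(Mandatory)] [string] $ContainerDN,  # e.g. 'CN=Computers,DC=child1,DC=ad,DC=wga'
        [Parameter(Mandatory)] [string] $Account,      # e.g. 'CHILD1\olympus'
        [switch] $IncludeSpn                            # the thread's last reply: dNSHostName alone suffices
    )
    $identity = New-Object System.Security.Principal.NTAccount($Account)
    $rights = @($ValidatedDnsHostName)
    if ($IncludeSpn) { $rights += $ValidatedSpn }

    $acl = Get-Acl -Path "AD:\$ContainerDN"
    foreach ($guid in $rights) {
        # ActiveDirectoryRights::Self is the "validated write" right. Inherit only onto
        # descendant computer objects, never onto the container itself or other classes.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $identity,
            [System.DirectoryServices.ActiveDirectoryRights]::Self,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $ComputerClassGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl
}

function Get-ComputerValidatedWriteAces {
    # Audit helper: who holds either validated write on this container (including inherited ACEs).
    param([Parameter(Mandatory)] [string] $ContainerDN)
    (Get-Acl -Path "AD:\$ContainerDN").Access |
        Where-Object { $_.ObjectType -eq $ValidatedDnsHostName -or $_.ObjectType -eq $ValidatedSpn } |
        Select-Object IdentityReference, AccessControlType, ObjectType, InheritedObjectType, IsInherited
}

Grant-ComputerValidatedWrite -ContainerDN 'CN=Computers,DC=child1,DC=ad,DC=wga' -Account 'CHILD1\olympus'
Get-ComputerValidatedWriteAces -ContainerDN 'CN=Computers,DC=child1,DC=ad,DC=wga' | Format-Table -AutoSize
```

Running the audit function before and after the grant shows exactly which principals can set those two attributes, which is the check to repeat whenever a join delegation is widened.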
