Solaris 11 AD Integration - cannot find domain controller
(OP)
I am working an interesting problem here - hopefully someone can help.
I cannot get my Solaris 11 host to join an AD domain. Here is what I have thus far:
First, I am using the following as reference as I try to do this:
Oracle.com
Solaris 11: Join AD Domain for Samba
Next, in my troubleshooting, I am getting an error message of smbrdr_exchange[115]: failed (INVALID_PARAMETER)
Thing is, I don't know what parameter is invalid and don't know where to go from here....
Here is my /etc/krb5/krb5.conf:
CODE
[libdefaults]
# default_realm = ___default_realm___
default_realm = PATRIOTS.DDS.NET
[realms]
# ___default_realm___ = {
# kdc = ___master_kdc___
# kdc = ___slave_kdc1___
# kdc = ___slave_kdc2___
# kdc = ___slave_kdcN___
# admin_server = ___master_kdc___
# }
PATRIOTS.DDS.NET = {
kdc = washington.patriots.dds.net
admin_server = washington.patriots.dds.net
kpasswd_server = washington.patriots.dds.net
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
# ___domainname___ = ___default_realm___
.patriots.dds.net = PATRIOTS.DDS.NET
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
My /etc/resolv.conf
CODE
domain patriots.dds.net
nameserver 10.14.1.10
My /etc/nsswitch.conf
CODE
hosts: files dns mdns
ipnodes: files dns mdns
Then, I do the following
svcadm enable -r smb/server
smbadm join -u areed patriots.dds.net
After joining patriots.dds.net the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining patriots.dds.net ... this may take a minute ...
failed to find any domain controllers for patriots.dds.net
tail /var/adm/messages
CODE
May 5 11:55:27 robotics smbd[1215]: [ID 702911 daemon.notice] service shutting down
May 5 11:55:27 robotics smbd[1215]: [ID 702911 daemon.notice] service terminated
May 5 11:55:46 robotics smbd[1246]: [ID 702911 daemon.notice] service initialized
May 5 11:56:38 robotics smbd[1246]: [ID 702911 daemon.error] smbrdr_exchange[115]: failed (INVALID_PARAMETER)
May 5 11:56:38 robotics last message repeated 3 times
May 5 11:56:38 robotics smbd[1246]: [ID 702911 daemon.error] cannot locate domain controller for patriots.dds.net
I am at a loss here...can anyone shed some light on this?
-----
Allan D. Reed
http://www.linkedin.com/in/adreed
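Before chasing the smbd error itself, the first thing to rule out with a "failed to find any domain controllers" message is the client-side configuration the DC lookup depends on: the realm in krb5.conf, the mapping of the DNS domain to that realm, a KDC inside the domain, and a hosts lookup order that actually consults DNS, since the DC is located through SRV records. The script below is an added example (not code from the poster or from Oracle's documentation). It embeds a trimmed copy of the krb5.conf, resolv.conf and nsswitch.conf shown above as constructed sample input, parses them, reports any of those mismatches, and lists the SRV names the join has to resolve. It uses no network access; the DNS queries themselves are left to nslookup/dig on the host.

```python
"""Pre-flight checks for a Solaris 11 `smbadm join` against an AD domain.

Added example, not from the original thread. Parses krb5.conf, resolv.conf
and nsswitch.conf text and reports the configuration mismatches that
typically surface as "failed to find any domain controllers".
"""
import re

# Constructed sample input: the files from the post above, trimmed to the
# parts that matter for the join. Replace with open(...).read() on a host.
KRB5_CONF = """
[libdefaults]
default_realm = PATRIOTS.DDS.NET
[realms]
PATRIOTS.DDS.NET = {
kdc = washington.patriots.dds.net
admin_server = washington.patriots.dds.net
kpasswd_server = washington.patriots.dds.net
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
.patriots.dds.net = PATRIOTS.DDS.NET
[logging]
default = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
"""
RESOLV_CONF = "domain patriots.dds.net\nnameserver 10.14.1.10\n"
NSSWITCH_CONF = "hosts: files dns mdns\nipnodes: files dns mdns\n"


def parse_krb5(text):
    """Parse krb5.conf into {section: {key: [values] or nested dict}}.
    Repeated keys (several `kdc =` lines) accumulate into a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue  # key outside any section: ignore
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":  # start of a nested block such as REALM = {
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def srv_names(domain):
    """SRV records a client resolves to locate a domain controller and KDC."""
    return [
        "_ldap._tcp.dc._msdcs." + domain,
        "_ldap._tcp." + domain,
        "_kerberos._tcp." + domain,
        "_kerberos._udp." + domain,
    ]


def preflight(krb5_text=KRB5_CONF, resolv_text=RESOLV_CONF,
              nsswitch_text=NSSWITCH_CONF):
    """Return realm, domain, the SRV names that must resolve, and findings."""
    conf = parse_krb5(krb5_text)
    findings = []

    resolv = {}
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            resolv.setdefault(parts[0], []).append(parts[1])
    domain = (resolv.get("domain") or resolv.get("search") or [""])[0].lower()
    if not domain:
        findings.append("resolv.conf has no domain/search entry")

    realm = (conf.get("libdefaults", {}).get("default_realm") or [""])[0]
    if not realm:
        findings.append("krb5.conf has no default_realm")
    elif realm != domain.upper():
        findings.append(f"default_realm {realm} is not the upper-cased DNS domain {domain}")

    realm_block = conf.get("realms", {}).get(realm, {})
    if not isinstance(realm_block, dict) or not realm_block.get("kdc"):
        findings.append(f"no kdc defined for realm {realm}")
    else:
        for kdc in realm_block["kdc"]:
            host = kdc.split(":")[0].lower()
            if not host.endswith("." + domain):
                findings.append(f"kdc {host} is outside DNS domain {domain}")

    mapping = conf.get("domain_realm", {})
    mapped = (mapping.get("." + domain) or mapping.get(domain) or [""])[0]
    if mapped != realm:
        findings.append(f"domain_realm does not map .{domain} to {realm}")

    hosts_sources = []
    for line in nsswitch_text.splitlines():
        if line.startswith("hosts:"):
            hosts_sources = line.split(":", 1)[1].split()
    if "dns" not in hosts_sources:
        findings.append("nsswitch.conf hosts line does not consult dns; SRV lookups will fail")

    return {"realm": realm, "domain": domain,
            "srv_records": srv_names(domain), "findings": findings}


if __name__ == "__main__":
    result = preflight()
    for name in result["srv_records"]:
        print("must resolve:", name)
    for finding in result["findings"] or ["no configuration findings"]:
        print("finding:", finding)
```

On the configuration in the post the script reports no findings, which is consistent with the follow-up in this thread: the failure was not the client's DNS or Kerberos setup but the authentication level negotiated with the 2008 domain controller. The check is still worth keeping as the first step, because the same smbd message is produced when the `_ldap._tcp.dc._msdcs` record cannot be resolved.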
RE: Solaris 11 AD Integration - cannot find domain controller
The issue stems from Server 2008 and NTLMv2. By default, the domain policy is to only use NTLMv2. Solaris 11 is still only using NTLM (a bit obsolete, wouldn't you say?) so you have to set your domain controller to accept both NTLM and NTLMv2. You can find that under the GPO for "Default Domain Controller Policy" in the network security settings.
Also, you want to set the LAN Manager authentication level to two to allow it to bind properly. Here is the command:
CODE
There is a great deal more info on this website: Joining a Windows 2008 Domain
Now, to just get it to work for logins..... getting closer!
-----
Allan D. Reed
http://www.linkedin.com/in/adreed
RE: Solaris 11 AD Integration - cannot find domain controller
Thanks for the reply. In Solaris 11 Express, CIFS is now a kernel mode driver meaning no Samba and thus no smb.conf
Using the fix I described above, I was able to join the box to the AD domain. Now, I am working on authenticating users who log into the Solaris 11 box against the same AD server.
-----
Allan D. Reed
http://www.linkedin.com/in/adreed