Difference between revisions of "Troubleshooting Samba Domain Members"

m (Updated introduction sentence)
(Added error: Failed to join domain: failed to find DC for domain SAMDOM - Undetermined error)
Line 21: Line 21:
 
== Troubleshooting the Domain Join Procedure ==
 
== Troubleshooting the Domain Join Procedure ==
  
=== Error: No DNS domain configured. Unable to perform DNS Update. ===
+
=== No DNS domain configured. Unable to perform DNS Update. ===
  
 
When joining a host to an Active Directory (AD), the <code>net</code> command fails to update the DNS:
 
When joining a host to an Active Directory (AD), the <code>net</code> command fails to update the DNS:
Line 48: Line 48:
  
  
=== Error: DNS Update failed: ERROR_DNS_UPDATE_FAILED ===
+
=== DNS Update failed: ERROR_DNS_UPDATE_FAILED ===
  
 
When joining a host to an Active Directory (AD), the <code>net</code> fails to update the DNS:
 
When joining a host to an Active Directory (AD), the <code>net</code> fails to update the DNS:
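Review bot: the context sentence under the renamed heading reads "the <code>net</code> fails to update the DNS", which drops the word "command" that the parallel sentence in the first section has ("the <code>net</code> command fails to update the DNS"). Since this edit already touches the section, fix the sentence in the same revision so both sections read the same.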
Line 99: Line 99:
  
 
For further details, see [[Time_Synchronisation|Time Synchronisation]].
 
For further details, see [[Time_Synchronisation|Time Synchronisation]].
 +
 +
 +
 +
=== Failed to join domain: failed to find DC for domain SAMDOM - Undetermined error ===
 +
 +
When joining a host to an Active Directory (AD), the <code>net</code> command fails to locate the domain controller (DC):
 +
 +
# net ads join -U administrator
 +
Enter administrator's password:
 +
Failed to join domain: failed to find DC for domain SAMDOM - Undetermined error
 +
 +
Samba uses DNS requests and broadcasts to locate DCs when joining a domain. If both methods fail, the <code>failed to find DC for domain SAMDOM - Undetermined error</code> error is displayed.
 +
 +
For a short term solution, you can pass the "-S" parameter and the name of a DC to the command. For example:
 +
 +
# net ads join -U administrator -S DC1.samdom.example.com
 +
 +
However, a correct DNS configuration is important in an AD. To avoid future problems based on an incorrect DNS configuration, set up your DNS resolver configuration correctly. For details, see [[Linux_and_Unix_DNS_Configuration|Linux and Unix DNS Configuration]].
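Review bot: in the added explanation, "the <code>failed to find DC for domain SAMDOM - Undetermined error</code> error is displayed" reads as "error error" once rendered; rephrase it, for example "the following error is displayed", or put the noun before the quoted message. The workaround paragraph also writes the option as "-S" in plain quotes, while the rest of the page marks commands with <code>; use <code>-S</code> for consistency.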
  
  

Revision as of 09:55, 3 December 2016

Introduction

This documentation helps you to troubleshoot problems users can encounter when running Samba as a member in an Active Directory (AD) forest or NT4 domain.



General

Setting the Samba Log Level

For details, see Setting the Samba Log Level.



Domain Members in an Active Directory Forest

Troubleshooting the Domain Join Procedure

No DNS domain configured. Unable to perform DNS Update.

When joining a host to an Active Directory (AD), the net command fails to update the DNS:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SAMDOM
Joined 'AD-Member' to dns domain 'samdom.example.com'
No DNS domain configured for AD-Member. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

Note that the join was successful and only the DNS update failed.

After the client has joined the domain, the net command looks up the fully qualified domain name (FQDN) using the name service switch (NSS) libraries. If the FQDN cannot be resolved, for example using DNS or the /etc/hosts file, the DNS update fails.

To solve the problem:

  • Add the IP address and FQDN to the /etc/hosts file. For example:
10.99.0.5     AD-Member.samdom.example.com     AD-Member
  • Run the net ads join command again.

If dynamic DNS updates still fail, verify on the AD DNS server that dynamic updates are working.


DNS Update failed: ERROR_DNS_UPDATE_FAILED

When joining a host to an Active Directory (AD), the net command fails to update the DNS:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SAMDOM
Joined 'M1' to dns domain 'samdom.example.com'
DNS Update for m1.samdom.example.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

Note that the join was successful and only the DNS update failed.

To solve the problem:

  • Run the net ads join command again.


DNS Update failed: ERROR_DNS_GSS_ERROR

When using the BIND9_DLZ back end, dynamic DNS updates can fail because of an incorrect Kerberos setup on the AD domain controller (DC) running the DNS server:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SAMDOM
Joined 'AD-Member' to dns domain 'samdom.example.com'
DNS Update for AD-Member.samdom.example.com failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

To solve the problem, see Reconfiguring the BIND9_DLZ Back End.


gss_init_sec_context failed with: Miscellaneous failure: Clock skew too great

When joining a host to an AD, the net command fails with the following error:

# net ads join -U administrator 
Enter administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Failed to join domain: failed to connect to AD: An internal error occurred.

Kerberos requires synchronised time to prevent replay attacks. The local time must not differ by more than 5 minutes from the time on the DC.

To fix the problem, set the correct time and run the net ads join command again.

For further details, see Time Synchronisation.


Failed to join domain: failed to find DC for domain SAMDOM - Undetermined error

When joining a host to an Active Directory (AD), the net command fails to locate the domain controller (DC):

# net ads join -U administrator
Enter administrator's password:
Failed to join domain: failed to find DC for domain SAMDOM - Undetermined error

Samba uses DNS requests and broadcasts to locate DCs when joining a domain. If both methods fail, the error "failed to find DC for domain SAMDOM - Undetermined error" is displayed.

As a short-term solution, you can pass the "-S" parameter and the name of a DC to the command. For example:

# net ads join -U administrator -S DC1.samdom.example.com

However, a correct DNS configuration is important in an AD. To avoid future problems based on an incorrect DNS configuration, set up your DNS resolver configuration correctly. For details, see Linux and Unix DNS Configuration.
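
The causes behind the join errors above (FQDN not resolvable, clock skew, DC not locatable through DNS) can be checked before running net ads join. The following script is an added example and not part of the Samba documentation; the function names, the --run invocation and the use of dig are assumptions, and the SRV name is the standard record AD publishes for its DCs.

```shell
#!/bin/sh
# Added example: pre-join checks for the failure causes described on this page.

# hosts_fqdn_for FILE SHORTNAME: print the canonical (first) name of the
# hosts-file entry that is SHORTNAME plus a domain; fail if there is none.
hosts_fqdn_for() {
    awk -v short="$2" '
        { sub(/#.*/, "") }                          # ignore comments
        NF >= 2 && index(tolower($2), tolower(short) ".") == 1 {
            print $2; found = 1; exit
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# skew_ok LOCAL_EPOCH DC_EPOCH [LIMIT]: succeed if the clocks differ by at most
# LIMIT seconds (default 300, the 5-minute limit stated above).
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -ge 0 ] || diff=$(( 0 - diff ))
    [ "$diff" -le "${3:-300}" ]
}

# dc_srv_name DOMAIN: the SRV record AD publishes for its domain controllers.
dc_srv_name() { printf '_ldap._tcp.dc._msdcs.%s\n' "$1"; }

# Live mode (assumed invocation): sh prejoin.sh --run samdom.example.com [DC_EPOCH]
# DC_EPOCH is the DC's current time in seconds, obtained by the administrator.
if [ "${1:-}" = "--run" ]; then
    domain=$2; short=$(hostname -s); rc=0
    hosts_fqdn_for /etc/hosts "$short" >/dev/null ||
        getent hosts "$short.$domain" >/dev/null ||
        { echo "FQDN for $short not resolvable: DNS update will fail"; rc=1; }
    [ -n "$(dig +short -t SRV "$(dc_srv_name "$domain")")" ] ||
        { echo "no DC SRV records for $domain: join cannot locate a DC"; rc=1; }
    [ -z "${3:-}" ] || skew_ok "$(date +%s)" "$3" ||
        { echo "clock differs from DC by more than 5 minutes"; rc=1; }
    exit "$rc"
fi
```

A hosts file that maps only the short name (for example a line `127.0.1.1 AD-Member`) fails the first check, which matches the "No DNS domain configured" case above.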



Domain Members in an NT4 Domain

Currently, we do not have content here.