We had the following situation (RHEL3 and 3.0.25 pre1):

REALM and AD-DNS name: NTROBOTIC.ROBOTIC.DLR.DE

FQDN of the samba-server:

    [root@rmvbs02 root]# hostname -f
    rmvbs02.cluster.robotic.dlr.de

krb config (RHEL3) seems to work (User Admin has full Domain Admin privileges in the AD):

    [root@rmvbs02 root]# kinit Admin
    Password for Admin@NTROBOTIC.ROBOTIC.DLR.DE:
    [root@rmvbs02 root]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Admin@NTROBOTIC.ROBOTIC.DLR.DE

    Valid starting     Expires            Service principal
    03/20/07 07:52:01  03/20/07 17:52:01  krbtgt/NTROBOTIC.FOO.DE@NTROBOTIC.ROBOTIC.DLR.DE

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

When I try to join the domain, it does not work:

    net ads join createcomputer="RM Rechner/RM andere" -U Admin
    Admin's password:
    Using short domain name -- NTROBOTIC
    Failed to set servicePrincipalNames. Please ensure that
    the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Deleted account for 'RMVBS02' in realm 'NTROBOTIC.ROBOTIC.DLR.DE'
    Failed to join domain: Type or value exists

The problem seems to occur for the first time with 3.0.23. With 3.0.24 the computer account is created in the right OU, but dNSHostName and ServicePrincipalName are not populated. With older versions of Samba, the FQDN of the host was put in dNSHostName, and entries like

    CIFS/rmvbs02
    CIFS/rmvbs02.cluster.robotic.dlr.de
    CIFS/rmvbs02.ntrobotic.robotic.dlr.de
    HOST/rmvbs02
    HOST/rmvbs02.cluster.robotic.dlr.de
    HOST/rmvbs02.ntrobotic.robotic.dlr.de

were put in ServicePrincipalName.

Starting with 3.0.25 the object is automatically deleted in the container when the join fails. With 3.0.24 it was just disabled. I tried to set the values of ServicePrincipalName and dNSHostName by hand with adsiedit and activated the account, but a net ads testjoin fails.

I have checked that user Admin has the rights to change the settings of ServicePrincipalName and dNSHostName (Security dialog in adsiedit, effective rights ...), but the join fails.

It is possible to join with

    net rpc join createcomputer="RM Rechner/RM andere" -U Admin

but then the computer is placed in the Computers OU.

I have searched the archives and did not find any hint apart from setting the right permissions for the user who performs the join. But this does not seem to help in this case. I am not sure if this is a bug or if this is by design. But the error message "Or rejoin with using Domain Admin credentials" does not solve the problem in our case.

Regards,
Hansjörg
Is your NetBIOS name different than the hostname of the machine?
    grep netbios /etc/samba/smb.conf
    netbios name = RMVBS02
    [root@rmvbs02 root]# hostname
    rmvbs02.cluster.robotic.dlr.de

But when I change the netbios name to the hostname:

    [root@rmvbs02 root]# net ads join
    Our netbios name can be at most 15 chars long, "RMVBS02.CLUSTER.ROBOTIC.DLR.DE" is 30 chars long
    Invalid configuration. Exiting....
    Failed to join domain: NT_STATUS_NAME_TOO_LONG

Here is part of smb.conf:

    security = ADS
    utmp = yes
    workgroup = NTROBOTIC
    realm = NTROBOTIC.ROBOTIC.DLR.DE
    encrypt passwords = yes
    netbios name = RMVBS02

    net ads join -U Admin
    Admin's password:
    Using short domain name -- NTROBOTIC
    Failed to set servicePrincipalNames. Please ensure that
    the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Deleted account for 'RMVBS02' in realm 'NTROBOTIC.ROBOTIC.DLR.DE'

If I set workgroup = NTROBOTIC.ROBOTIC.DLR.DE:

    [root@rmvbs02 root]# net ads join -U Admin
    Admin's password:
    The workgroup in /etc/samba/smb.conf does not match the short
    domain name obtained from the server.
    Using the name [NTROBOTIC] from the server.
    You should set "workgroup = NTROBOTIC" in /etc/samba/smb.conf.
    Using short domain name -- NTROBOTIC
    Failed to set servicePrincipalNames. Please ensure that
    the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Deleted account for 'RMVBS02' in realm 'NTROBOTIC.ROBOTIC.DLR.DE'
    Failed to join domain: Type or value exists
According to an email from Martin Zielinski (Failed to verify incoming ticket! When clients use netbios names only!), I added the shortname rmvbs02 to /etc/hosts

    192.168.4.192 rmvbs02.cluster.robotic.dlr.de

therefore I changed it to

    192.168.4.192 rmvbs02.cluster.robotic.dlr.de rmvbs02

and the join succeeds

    [root@rmvbs02 root]# net ads join createcomputer="RM Rechner/RM andere" -U Admin
    Admin's password:
    Using short domain name -- NTROBOTIC
    Joined 'RMVBS02' to realm 'NTROBOTIC.ROBOTIC.DLR.DE'

Removing it leads to the error again.

    [root@rmvbs02 root]# net ads join createcomputer="RM Rechner/RM andere" -U Admin
    Admin's password:
    Using short domain name -- NTROBOTIC
    Failed to set servicePrincipalNames. Please ensure that
    the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Deleted account for 'RMVBS02' in realm 'NTROBOTIC.ROBOTIC.DLR.DE'
    Failed to join domain: Type or value exists

Maybe this would be a good point for inclusion in the Howto collection in Domain-Join Errors (if it is not a bug).
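A pre-join check for the two conditions that surfaced in this thread (the hosts line carrying both the FQDN and the short name, and the 15-character NetBIOS limit), as an added example that is not part of the original report and is not Samba code. The function names and the sample hosts files are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run before "net ads join". Function names are hypothetical.

# hosts_has_short_alias FILE FQDN
# 0 if one non-comment line of FILE names both FQDN and its short name
# (FQDN up to the first dot); 2 if FQDN has no dot; 1 otherwise.
hosts_has_short_alias() {
    case $2 in *.*) ;; *) return 2 ;; esac
    awk -v fqdn="$2" -v short="${2%%.*}" '
        { sub(/#.*/, "") }              # drop trailing comments
        NF < 2 { next }                 # need an address plus at least one name
        {
            f = 0; s = 0
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == tolower(fqdn))  f = 1
                if (n == tolower(short)) s = 1
            }
            if (f && s) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# netbios_name_ok NAME: 0 if NAME is 1 to 15 characters long.
netbios_name_ok() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 15 ]
}

# prejoin_check FILE FQDN NETBIOS_NAME: run both checks, report on stderr.
prejoin_check() {
    rc=0
    hosts_has_short_alias "$1" "$2" ||
        { echo "no hosts line with both $2 and ${2%%.*}" >&2; rc=1; }
    netbios_name_ok "$3" ||
        { echo "netbios name '$3' is not 1-15 chars" >&2; rc=1; }
    return $rc
}

# Constructed sample data: the two /etc/hosts variants described in the thread.
tmp=$(mktemp -d)
printf '127.0.0.1 localhost\n192.168.4.192 rmvbs02.cluster.robotic.dlr.de\n' > "$tmp/hosts.before"
printf '127.0.0.1 localhost\n192.168.4.192 rmvbs02.cluster.robotic.dlr.de rmvbs02\n' > "$tmp/hosts.after"

for f in "$tmp/hosts.before" "$tmp/hosts.after"; do
    if prejoin_check "$f" rmvbs02.cluster.robotic.dlr.de RMVBS02; then
        echo "$f: ok"
    else
        echo "$f: fix before running net ads join"
    fi
done
```

On a real host, pass `/etc/hosts`, the output of `hostname -f`, and the `netbios name` value from smb.conf.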
Finally fixed in master as 4de250611201834b228ce253cd7a282835b9b3f3 for Samba 4.21.

Sorry for the delay in addressing this issue.