SOLVED - Joining Domain failed - napp-it


Bronko

Member
May 13, 2016
OS: OmniOS 5.11 omnios-r151018-ae3141d April 2016
Napp-it: 16.07 PRO

Isn't entirely napp-it related, but let's summarize:

When I try to join my fresh Windows 2012R2 domain via Services -> SMB -> Active Directory it fails with:
Code:
Joining home.lan ... this may take a minute ...
failed to join domain home.lan
using AD server: ads.home.lan
Failed to set machine password.
Please refer to the service log for more information.
# tail -f /var/adm/messages (note the time stamps between log entries #1 and #2)
Code:
Jul 17 19:04:11 tanker idmap[458]: [ID 452651 daemon.error] adutils: ldap_lookup_init failed
Jul 17 19:04:30 tanker smbd[604]: [ID 972153 daemon.error] smbns_ksetpwd: KPASSWD protocol exchange failed (Cannot contact any KDC for requested realm)
Jul 17 19:04:30 tanker smbd[604]: [ID 871254 daemon.error] smbd: failed joining home.lan (UNSUCCESSFUL)
It doesn't matter which LM authentication level is set.

Log message #2
Code:
KPASSWD protocol exchange failed (Cannot contact any KDC for requested realm)
Common error messages for the Kerberos commands:
http://docs.oracle.com/cd/E19253-01/816-4557/trouble-6/index.html
Cannot contact any KDC for requested realm

Cause:
No KDC responded in the requested realm.

Solution:
Make sure that at least one KDC (either the master or a slave) is reachable or that the krb5kdc daemon is running on the KDCs. Check the /etc/krb5/krb5.conf file for the list of configured KDCs (kdc = kdc-name).
@gea napp-it consequently uses the IP address in the [realms] declaration of /etc/krb5/krb5.conf.
Exchanging the IP for the FQDN of the domain server and running smbadm join -u admin home.lan on the CLI didn't solve the problem.

Nevertheless, after the first try to join, Kerberos seems to work:
# klist
Code:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HOME.LAN

Valid starting               Expires               Service principal
17/07/2016 20:41  18/07/2016 06:41  krbtgt/HOME.LAN@HOME.LAN
        renew until 24/07/2016 20:41
# kinit -V administrator
Code:
Password for administrator@HOME.LAN:
Authenticated to Kerberos v5
LDAP Wireshark packet analysis: bindRequest -> bindResponse -> success
But all following LDAP packets are malformed? This is what Wireshark said:
Code:
Lightweight Directory Access Protocol
    SASL Buffer Length: 67
    SASL Buffer
        GSS-API Generic Security Service Application Program Interface
            krb5_blob: 050406ff000000000000000029518538caecf3a1aeeab8ad...
                krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)
                krb5_cfx_flags: 0x06, AcceptorSubkey, Sealed
                    .... .1.. = AcceptorSubkey: Set
                    .... ..1. = Sealed: Set
                    .... ...0 = SendByAcceptor: Not set
                krb5_filler: ff
                krb5_cfx_ec: 0
                krb5_cfx_rrc: 0
                krb5_cfx_seq: 693208376
                krb5_sgn_cksum: caecf3a1aeeab8ad8272ac722ac802b33b11e005815b181c...
        GSS-API payload (60 bytes)
            LDAPMessage
                BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected
                    [Expert Info (Warn/Malformed): BER Error: Sequence expected]
                        [BER Error: Sequence expected]
                        [Severity level: Warn]
                        [Group: Malformed]
Finally, there is no computer object created for the napp-it server on the domain controller.

Any hints for me?

Bronko

Member
May 13, 2016
SOLVED
Since my management interface is created as a VNIC of ixgbe1 (10Gbit/s), the MTU=9000 was inherited.
Finally I found this hint (one of the first Google results ;-):
Join AD fails with "Failed to set machine password" in logs | Syneto US

Now I changed to MTU=1500 for management VNIC and the setup joined my domain instantly.
I think the malformed LDAP packets could be understood as a hint of packet fragmentation, couldn't they?
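As an added check that is not part of the thread: a small POSIX sh script that flags links whose MTU exceeds 1500 from dladm-style output (the sample is constructed, modelled on the ixgbe1 VNIC case above), plus a helper that probes the path to the DC with the don't-fragment bit set, so an inherited jumbo MTU is caught before the join is attempted. The dladm output format and the illumos ping flag syntax (-D for don't fragment, -s with data_size after the host) are assumptions.

```shell
#!/bin/sh
# Added example, not napp-it code. Detect VNICs that inherited a jumbo MTU
# from their parent NIC, which is what broke the AD join in the thread.

# Constructed sample, shaped like `dladm show-linkprop -p mtu -c -o LINK,VALUE`
# (colon-separated, assumed): the management VNIC inherited 9000 from ixgbe1.
SAMPLE_LINKPROP='ixgbe0:1500
ixgbe1:9000
mgmt0:9000
vnic_smb:9000'

# Print "LINK MTU" for every link in $1 whose MTU is above $2 (default 1500).
jumbo_links() {
    limit=${2:-1500}
    printf '%s\n' "$1" | while IFS=: read -r link mtu; do
        [ -n "$link" ] || continue
        if [ "$mtu" -gt "$limit" ]; then
            printf '%s %s\n' "$link" "$mtu"
        fi
    done
}

# Largest ICMP echo payload that fits in one IPv4 packet of MTU $1:
# MTU minus 20 bytes IPv4 header minus 8 bytes ICMP header.
max_unfragmented_payload() {
    echo $(( $1 - 28 ))
}

# Live probe (not run here): send one don't-fragment echo sized to the link MTU.
# If this fails toward the DC while a 1472-byte probe succeeds, the path does not
# carry jumbo frames and the VNIC MTU should be set to 1500 before joining.
# Assumed illumos ping syntax: ping -D -s host data_size npackets.
probe_path_mtu() {
    dc_host=$1
    link_mtu=$2
    ping -D -s "$dc_host" "$(max_unfragmented_payload "$link_mtu")" 1 >/dev/null 2>&1
}
```

Run `jumbo_links "$(dladm show-linkprop -p mtu -c -o LINK,VALUE)"` on the host and `probe_path_mtu ads.home.lan 9000` against the DC to reproduce the check on a live system.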

BullCreek

New Member
Jan 5, 2016
Thank you so much for posting this - I just ran into this same problem - you saved me much frustration and wiresharking!

Bronko

Member
May 13, 2016
You are welcome...

(The Wayback Machine doesn't have any snapshot of my former Google hint.)