From: Alex Green on 12 Dec 2008 05:20

Anyone?.... any ideas?

-----Original Message-----
From: samba-bounces+alex.green=db.com(a)lists.samba.org [mailto:samba-bounces+alex.green=db.com(a)lists.samba.org] On Behalf Of Alex Green
Sent: 11 December 2008 17:09
To: samba(a)lists.samba.org
Subject: [Samba] Failed to join domain: failed to set machine spn: Constraint violation

Hi,

I'm seeing this error on 3.0.24, 3.0.28, 3.0.32 and 3.2.6:

Failed to join domain: failed to set machine spn: Constraint violation

[Sanitised]

First Run:

net ads join createupn=HOST/FQDN@DOM.REALM.DOMAIN.COM createcomputer="OU/OU/OU/Services" -U username -d1
Enter username's password:
[2008/12/11 17:02:32, 1] libnet/libnet_join.c:libnet_Join(1770)
  libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
      in: struct libnet_JoinCtx
          dc_name : NULL
          machine_name : 'HOSTNAME'
          domain_name : *
              domain_name : 'DOM.REALM.DOMAIN.COM'
          account_ou : 'OU/OU/OU/Services'
          admin_account : 'username'
          admin_password : *
          machine_password : NULL
          join_flags : 0x00000023 (35)
                 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
          os_version : NULL
          os_name : NULL
          create_upn : 0x01 (1)
          upn : 'HOST/FQDN@DOM.REALM.DOMAIN.COM'
          modify_config : 0x00 (0)
          ads : NULL
          debug : 0x01 (1)
          secure_channel_type : SEC_CHAN_WKSTA (2)
[2008/12/11 17:02:33, 1] libnet/libnet_join.c:libnet_join_precreate_machine_acct(235)
  machine account creation created
[2008/12/11 17:02:33, 1] libnet/libnet_join.c:libnet_Join(1801)
  libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
      out: struct libnet_JoinCtx
          account_name : NULL
          netbios_domain_name : 'DOM'
          dns_domain_name : 'DOM.REALM.DOMAIN.COM'
          dn : 'CN=HOSTNAME,OU=Services,OU=OU,OU=OU,OU=OU,DC=DOM,DC=REALM,DC=DOMAIN,DC=com'
          domain_sid : *
              domain_sid : S-1-5-21-1606980848-1965331169-1417001333
          modified_config : 0x00 (0)
          error_string : 'failed to set machine spn: Constraint violation'
          domain_is_ad : 0x01 (1)
          result : WERR_GENERAL_FAILURE
Failed to join domain: failed to set machine spn: Constraint violation

SPN Created - but errors!!!

Second Run:

net ads join createupn=HOST/FQDN@DOM.REALM.DOMAIN.COM createcomputer="OU/OU/OU/Services" -U username -d1
Enter username's password:
[2008/12/11 16:54:40, 1] libnet/libnet_join.c:libnet_Join(1770)
  libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
      in: struct libnet_JoinCtx
          dc_name : NULL
          machine_name : 'HOSTNAME'
          domain_name : *
              domain_name : 'DOM.REALM.DOMAIN.COM'
          account_ou : 'OU/OU/OU/Services'
          admin_account : 'username'
          admin_password : *
          machine_password : NULL
          join_flags : 0x00000023 (35)
                 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
          os_version : NULL
          os_name : NULL
          create_upn : 0x01 (1)
          upn : 'HOST/FQDN@DOM.REALM.DOMAIN.COM'
          modify_config : 0x00 (0)
          ads : NULL
          debug : 0x01 (1)
          secure_channel_type : SEC_CHAN_WKSTA (2)
[2008/12/11 16:54:41, 1] libnet/libnet_join.c:libnet_join_precreate_machine_acct(258)
  The machine account already exists in the specified OU.
[2008/12/11 16:54:41, 1] libnet/libnet_join.c:libnet_Join(1801)
  libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
      out: struct libnet_JoinCtx
          account_name : NULL
          netbios_domain_name : 'DOM'
          dns_domain_name : 'DOM.REALM.DOMAIN.COM'
          dn : 'CN=HOSTNAME,OU=Services,OU=OU,OU=OU,OU=OU,DC=DOM,DC=REALM,DC=DOMAIN,DC=com'
          domain_sid : *
              domain_sid : S-1-5-21-1606980848-1965331169-1417001333
          modified_config : 0x00 (0)
          error_string : 'failed to set machine spn: Constraint violation'
          domain_is_ad : 0x01 (1)
          result : WERR_GENERAL_FAILURE
Failed to join domain: failed to set machine spn: Constraint violation

Is this a bug?

Thanks,
Alex

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

From: Alex Green on 12 Dec 2008 06:40

Sure, however the trace will take a bit to sanitise.

-----Original Message-----
From: Guenther Deschner [mailto:gd(a)samba.org]
Sent: 12 December 2008 10:25
To: Alex Green
Cc: samba(a)lists.samba.org
Subject: Re: [Samba] Failed to join domain: failed to set machine spn: Constraint violation

Alex Green wrote:
> Anyone?.... any ideas?

Can you open a bug on this and upload a network trace as well?

Thanks,
Guenther

--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner(a)redhat.com
Samba Team gd(a)samba.org

From: Alex Green on 12 Dec 2008 09:50

Found the issue:

Validate Write for DNS and SPN were not set.

However it now fails on DNS Update; I'm presuming this is because we're not using AD Integrated DNS (MS-DNS). Could this not be an option flag to disable DNS updates in this scenario?

-----Original Message-----
From: samba-bounces+alex.green=db.com(a)lists.samba.org [mailto:samba-bounces+alex.green=db.com(a)lists.samba.org] On Behalf Of Alex Green
Sent: 12 December 2008 11:37
To: Guenther Deschner
Cc: samba(a)lists.samba.org
Subject: RE: [Samba] Failed to join domain: failed to set machine spn: Constraint violation

Sure, however the trace will take a bit to sanitise.

From: Alex Green on 15 Dec 2008 12:50

Hey Jerry,

I'm aware of that. Due to the restrictions placed within our AD environment, even users who have access to create computer objects don't have access to update the SPN or the host DNS name (AD record).

Additionally, my point was more; would it be possible to turn off the DNS update process by means of flag, rather than compile time option.

Regards,
Alex

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry(a)samba.org]
Sent: 15 December 2008 16:50
To: Alex Green
Cc: Guenther Deschner; samba(a)lists.samba.org
Subject: Re: [Samba] Failed to join domain: failed to set machine spn: Constraint violation

Alex Green wrote:
> Found the issue:
>
> Validate Write for DNS and SPN were not set.
>
> However it now fails on DNS Update; I'm presuming
> this is because we're not using AD Integrated DNS (MS-DNS).
> Could this not be an option flag to disable DNS updates
> in this scenario?

Those attributes and perms have nothing to do with DNS. You need full access rights to the computer object to join a machine with a DNS name outside of the AD realm name. That's what the "validated write" means.

cheers, jerry

--
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian

From: Alex Green on 15 Dec 2008 13:40

:)... it's this non-fatal error that our users are getting confused about and it's this that I was asking for the cli option for...

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry(a)samba.org]
Sent: 15 December 2008 18:16
To: Alex Green
Cc: samba(a)lists.samba.org
Subject: Re: [Samba] Failed to join domain: failed to set machine spn: Constraint violation

Alex Green wrote:
> Hey Jerry,
>
> I'm aware of that. Due the restrictions placed within our AD
> environment, even users who have access to create computer
> objects don't have access to update the SPN or the
> host DNS name (AD record).
>
> Additionally, my point was more; would it be possible to turn
> off the DNS update process by means of flag, rather than
> compile time option.

You confused me by saying "DNS update". Assuming now you mean just updating the dNSHostName and SPN attributes. This is always required in order to support Krb5 authentication. This is exactly what Windows XP does.

The DDNS update you are asking about (i.e. the --with-dnsupdate option) has nothing to do with setting the attributes. If the DDNS update fails, it is not fatal. You only get a warning.

cheers, jerry
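
The "validated write" constraint discussed in this thread, as an added example that is not part of the original messages and is not Samba code: a simplified Python model of when an account holding only the validated-write rights can set dNSHostName and servicePrincipalName on a computer object. The host and domain names are constructed, `allowed_suffixes` stands in for the domain's msDS-AllowedDNSSuffixes values, and three-part SPNs are not modelled.

```python
# Added example: simplified model of the AD validated-write checks on a
# computer object. All host and domain names used with it are constructed.

def host_label(sam_account_name):
    """Computer name as AD compares it: sAMAccountName without the trailing '$'."""
    return sam_account_name.rstrip("$").lower()

def dns_host_name_ok(sam_account_name, dns_host_name, domain_dns, allowed_suffixes=()):
    """True if dNSHostName is <computer name>.<domain DNS name or allowed suffix>."""
    label, _, suffix = dns_host_name.lower().rstrip(".").partition(".")
    suffixes = {domain_dns.lower()} | {s.lower() for s in allowed_suffixes}
    return label == host_label(sam_account_name) and suffix in suffixes

def spn_ok(sam_account_name, dns_host_name, spn):
    """True if a two-part SPN (service/instance[:port]) names this computer."""
    parts = spn.split("/")
    if len(parts) != 2 or not all(parts):
        return False  # three-part SPNs have extra rules that are not modelled
    instance = parts[1].split(":")[0].lower()
    own_names = (host_label(sam_account_name), dns_host_name.lower().rstrip("."))
    return instance in own_names

def join_precheck(sam_account_name, dns_host_name, domain_dns, spns, allowed_suffixes=()):
    """List the attribute values a validated-write-only account could not set.

    An empty list means validated write is enough; anything listed needs
    ordinary write access to that attribute on the computer object.
    """
    problems = []
    if not dns_host_name_ok(sam_account_name, dns_host_name, domain_dns, allowed_suffixes):
        problems.append("dNSHostName=" + dns_host_name)
    for spn in spns:
        if not spn_ok(sam_account_name, dns_host_name, spn):
            problems.append("servicePrincipalName=" + spn)
    return problems

if __name__ == "__main__":
    # Constructed case: host FQDN lives outside the AD domain's DNS name.
    fqdn = "filesrv01.unix.example.com"
    spns = ["HOST/FILESRV01", "HOST/" + fqdn]
    print(join_precheck("FILESRV01$", fqdn, "ad.example.com", spns))
```

Running the pre-check before `net ads join` shows whether the joining account needs more than the validated-write rights for the chosen host name.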