Solaris 11 AD Integration - cannot find domain controller

Status
Not open for further replies.

artfulbodger

I am working an interesting problem here - hopefully someone can help.

I cannot get my Solaris 11 host to join an AD domain. Here is what I have thus far:

First, I am using the following as reference as I try to do this:
Oracle.com
Solaris 11: Join AD Domain for Samba

Next, in my troubleshooting, I am getting an error message of smbrdr_exchange[115]: failed (INVALID_PARAMETER)

Thing is, I don't know what parameter is invalid and don't know where to go from here....


Here is my /etc/krb5/krb5.conf:
Code:
[libdefaults]
#        default_realm = ___default_realm___
default_realm = PATRIOTS.DDS.NET

[realms]
#        ___default_realm___ = {
#                kdc = ___master_kdc___
#                kdc = ___slave_kdc1___
#                kdc = ___slave_kdc2___
#                kdc = ___slave_kdcN___
#                admin_server = ___master_kdc___
#        }
PATRIOTS.DDS.NET = {

kdc = washington.patriots.dds.net
admin_server = washington.patriots.dds.net
kpasswd_server = washington.patriots.dds.net
kpasswd_protocol = SET_CHANGE
}

[domain_realm]
#       ___domainname___ = ___default_realm___
.patriots.dds.net = PATRIOTS.DDS.NET

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

                period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }


My /etc/resolv.conf
Code:
domain  patriots.dds.net
nameserver  10.14.1.10

My /etc/nsswitch.conf
Code:
hosts:      files dns mdns
ipnodes:   files dns mdns

Then, I do the following

Code:
svcadm enable -r smb/server
smbadm join -u areed patriots.dds.net

After joining patriots.dds.net the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining patriots.dds.net ... this may take a minute ...
failed to find any domain controllers for patriots.dds.net

tail /var/adm/messages

Code:
May  5 11:55:27 robotics smbd[1215]: [ID 702911 daemon.notice] service shutting down
May  5 11:55:27 robotics smbd[1215]: [ID 702911 daemon.notice] service terminated
May  5 11:55:46 robotics smbd[1246]: [ID 702911 daemon.notice] service initialized
May  5 11:56:38 robotics smbd[1246]: [ID 702911 daemon.error] smbrdr_exchange[115]: failed (INVALID_PARAMETER)
May  5 11:56:38 robotics last message repeated 3 times
May  5 11:56:38 robotics smbd[1246]: [ID 702911 daemon.error] cannot locate domain controller for patriots.dds.net


I am at a loss here...can anyone shed some light on this?





-----

Allan D. Reed
 
Nobody replied, but I was able to make some progress and I am going to post it here in case someone out there runs into the same issue.

The issue stems from Server 2008 and NTLMv2. By default, the domain policy is to only use NTLMv2. Solaris 11 is still only using NTLM (a bit obsolete, wouldn't you say?) so you have to set your domain controller to accept both NTLM and NTLMv2. You can find that under the GPO for "Default Domain Controller Policy" in the network security settings.

Also, you want to set the LAN Manager authentication level to two to allow it to bind properly. Here is the command:

Code:
# sharectl set -p lmauth_level=2 smb


There is a great deal more info on this website: Joining a Windows 2008 Domain

Now, to just get it to work for logins..... getting closer!

-----

Allan D. Reed
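
The log excerpt from the first post, parsed as an added example (not code from the thread or from Oracle): it ties each "cannot locate domain controller" event to the smbrdr_exchange failures the same smbd process logged before it, including syslog "last message repeated" lines, which is the combination the poster traced to the LAN Manager authentication level. The function name and result fields are assumptions made for this example.

```python
import re

# Constructed input: the /var/adm/messages excerpt quoted in the first post.
SAMPLE_LOG = """\
May  5 11:55:27 robotics smbd[1215]: [ID 702911 daemon.notice] service shutting down
May  5 11:55:27 robotics smbd[1215]: [ID 702911 daemon.notice] service terminated
May  5 11:55:46 robotics smbd[1246]: [ID 702911 daemon.notice] service initialized
May  5 11:56:38 robotics smbd[1246]: [ID 702911 daemon.error] smbrdr_exchange[115]: failed (INVALID_PARAMETER)
May  5 11:56:38 robotics last message repeated 3 times
May  5 11:56:38 robotics smbd[1246]: [ID 702911 daemon.error] cannot locate domain controller for patriots.dds.net
"""

# Syslog line: timestamp, host, optional "smbd[pid]: [ID n facility.level]" tag, message.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (?:smbd\[(\d+)\]: \[ID \d+ [\w.]+\] )?(.*)$")
EXCHANGE_FAIL = re.compile(r"smbrdr_exchange\[\d+\]: failed \((\w+)\)")
REPEATED = re.compile(r"last message repeated (\d+) times?")
NO_DC = re.compile(r"cannot locate domain controller for (\S+)")

def failed_joins(log_text):
    """Return one dict per 'cannot locate domain controller' event, with the
    smbrdr_exchange failures the same smbd process logged before it."""
    findings = []
    fails = {}        # smbd pid -> {"status": str, "count": int}
    prev_fail = None  # entry touched by the previous line, so repeat markers can add to it
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, pid, msg = m.groups()
        rep, exch, no_dc = REPEATED.search(msg), EXCHANGE_FAIL.search(msg), NO_DC.search(msg)
        if pid is None:  # untagged line: only a repeat marker right after a failure counts
            if rep and prev_fail:
                prev_fail["count"] += int(rep.group(1))
            prev_fail = None
            continue
        prev_fail = None
        if exch:
            prev_fail = fails.setdefault(pid, {"status": None, "count": 0})
            prev_fail["status"] = exch.group(1)
            prev_fail["count"] += 1
        elif no_dc:
            seen = fails.pop(pid, {"status": None, "count": 0})
            findings.append({"time": ts, "host": host, "pid": int(pid), "domain": no_dc.group(1),
                             "exchange_status": seen["status"], "exchange_failures": seen["count"]})
    return findings

if __name__ == "__main__":
    print(failed_joins(SAMPLE_LOG))
```
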
 
Might want to post your smb.conf file too. Suspect you don't have "password server = " defined, and "use kerberos = yes"
 
Hi Chris,

Thanks for the reply. In Solaris 11 Express, CIFS is now a kernel mode driver meaning no Samba and thus no smb.conf.

Using the fix I described above, I was able to join the box to the AD domain. Now, I am working on authenticating users who log into the Solaris 11 box against the same AD server.



-----

Allan D. Reed
 