[OmniOS-discuss] cifs connectivity to DC gets lost

Geoff Nordli geoffn at gnaa.net
Tue May 31 23:54:10 UTC 2016


On 16-05-30 07:24 PM, Gordon Ross wrote:
> On Tue, May 24, 2016 at 6:52 PM, Geoff Nordli <geoffn at gnaa.net> wrote:
>> On 16-05-24 03:41 PM, Geoff Nordli wrote:
>>> I just upgraded a server from OI to OmniOS-r151018.
>>>
>>> I am having a few issues with the connectivity to AD.
>>>
>>> I was able to join the domain no problem, but then the domain is getting
>>> disconnected and after several hours I need to join the domain again.
>>>
>>> May 24 15:25:12 stor1 idmap[472]: [ID 849457 daemon.error]   >
>>> ::ffff:172.16.100.10 rc=0
>>> May 24 15:25:12 stor1 idmap[472]: [ID 778215 daemon.error] DC name
>>> dc1.domain.ca != 172.16.100.10?
>>> May 24 15:25:12 stor1 idmap[472]: [ID 884951 daemon.notice] Configuration
>>> changed
>>> May 24 15:25:12 stor1 idmap[472]: [ID 452651 daemon.error] adutils:
>>> ldap_lookup_init failed
>>> May 24 15:25:12 stor1 idmap[472]: [ID 884951 daemon.notice] Configuration
>>> changed
>>> May 24 15:25:13 stor1 smbd[15085]: [ID 511178 daemon.notice] Failed to
>>> establish NETLOGON credential chain with DC: 172.16.100.10 (UNSUCCESSFUL)
>>> May 24 15:25:13 stor1 smbd[15085]: [ID 714496 daemon.notice] The machine
>>> account information on the domain controller does not match the local
>>> storage.
>>> May 24 15:25:13 stor1 smbd[15085]: [ID 777225 daemon.notice] To correct
>>> this, use 'smbadm join'
>>> May 24 15:25:13 stor1 smbd[15085]: [ID 527292 daemon.notice] failed to
>>> establish NETLOGON credential chain
>>> May 24 15:25:13 stor1 smbd[15085]: [ID 505820 daemon.notice]  with server
>>> 172.16.100.10 for domain domain.ca (UNSUCCESSFUL)
>>>
>>> time is synced between the two machines.
>>>
>>> When I issue the join, I am able to get things connected again.
>>>
>>> any thoughts?
>>>
>> Pulled from the idmap log:
>>
>> adutils: ldap_lookup_init, host 172.16.100.10
>> LDAP: 172.16.100.10:3268: Local error
>> 172.16.100.10: Local error
>> 172.16.100.10: additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information (Server
>> not found in Kerberos database)
>> adutils: ldap_lookup_init failed
>> unable to discover Domains in the Forest
> You figured it out.  Kerberos can only authenticate with a named host,
> and the log message above says that idmap/libadutils is trying to use
> ldap+gssapi+kerberos to authenticate with a DC specified only by IP
> address.
> That's never going to work...

Good to know.  That must have gotten set somewhere when I was trying 
different things.

Right now the:

kpasswd_server is set to a host name.
pdc is set to an IP address.

This configuration seems to be working OK.

thanks,

Geoff
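
A log check for the failure discussed in this thread, as an added example that is not part of the original messages: it flags `ldap_lookup_init` attempts whose host is an IP literal and records whether the Kerberos "Server not found" error follows. The sample log is constructed from the idmap lines quoted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, modelled on the idmap log lines quoted in this thread.
SAMPLE_LOG = """\
adutils: ldap_lookup_init, host 172.16.100.10
LDAP: 172.16.100.10:3268: Local error
172.16.100.10: additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Server
not found in Kerberos database)
adutils: ldap_lookup_init failed
adutils: ldap_lookup_init, host dc1.domain.ca
"""

HOST_RE = re.compile(r"ldap_lookup_init, host (\S+)")
KRB_ERR = "Server not found in Kerberos database"


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_ip_dc_lookups(log_text):
    """Return one finding per lookup attempt made against an IP literal."""
    matches = list(HOST_RE.finditer(log_text))
    findings = []
    for i, m in enumerate(matches):
        host = m.group(1)
        if not is_ip_literal(host):
            continue  # a named DC can be matched to a Kerberos principal
        # Text up to the next lookup attempt belongs to this attempt.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(log_text)
        # The log wraps long lines, so collapse whitespace before matching.
        body = " ".join(log_text[m.end():end].split())
        findings.append({"host": host, "kerberos_spn_failure": KRB_ERR in body})
    return findings


if __name__ == "__main__":
    for f in find_ip_dc_lookups(SAMPLE_LOG):
        print(f"DC given by IP: {f['host']} "
              f"(Kerberos lookup failed: {f['kerberos_spn_failure']})")
```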





