FWIW AD binds do work - I'm currently running a number of OI systems bound to an AD without any special magic.
Then again, I'm also running DNS services with a delegation for the AD subdomain, so that differs from your setup...

- Rich

On Thu, Dec 6, 2012 at 12:28 PM, Peter Tripp <pe...@psych.columbia.edu> wrote:

> Wow, this is certainly not the voodoo type suggestions I was hoping for,
> but maybe it'll point me in the right direction.
>
> It's not a multi-domain or multi-controller environment. Single domain on
> a single domain controller. Time is not out of sync (drift <0.01sec). My
> domain controller does not run its own DNS services. I went to some
> trouble so that I wouldn't have to maintain MS DNS, not excited about
> enabling anytime I need to bind an Illumos host to AD. As far as I can
> tell this is literally the most simplistic Active Directory setup possible.
>
> I guess that leaves setting up a mini DNS server with the records I need
> and then logging the incorrect queries; or even just firing up wireshark
> and logging the DNS on the wire. I'd really like to try and track down the
> bad code and fix it. Making AD binds work would probably benefit quite a
> few downstream illumos distros (OmniOS, etc). Does anyone know of a simple
> dtrace script to log DNS queries or where I could throw a probe to catch
> them from smbadm?
>
> Thanks
> -Peter
>
> On Dec 5, 2012, at 5:08 PM, Lucas Van Tol wrote:
>
> > I think I've seen that one before. I can't quite recall if it was the
> > OI system doing some bad DNS requests, or just due to
> > multi-domain/multi-domain-controller environment not being friendly.
> >
> > A simple fix MAY be:
> > Ensure DNS is working correctly, and set the primary AD domain
> > controller as your only nameserver in /etc/resolv.conf ; and match your
> > date to it via 'ntpdate -u *primary domain server*'.
> >
> > I ended up setting up a small DNS server with only entries for one
> > domain controller, along with entries for some incorrect lookups I saw
> > fairly frequently.
> > (Along the lines of
> > _ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.MY.DOMAIN.EDU ; note the domain
> > showing up twice in a row...)
> > Those systems work fine with standard DNS once they are joined.
> >
> > -Lucas Van Tol
> >
> >> From: pe...@psych.columbia.edu
> >> Date: Wed, 5 Dec 2012 16:36:35 -0500
> >> To: openindiana-discuss@openindiana.org
> >> Subject: [OpenIndiana-discuss] Joining an Active Directory Domain with smbadm
> >>
> >> Hi folks,
> >>
> >> I've been trying to join an active directory domain for use with the
> >> kernel mode CIFS server, but am running into some trouble. Specifically
> >> when I run:
> >> # smbadm join -u administrator my.domain.edu.
> >> here's what I get:
> >> failed to find any domain controllers for MY.DOMAIN.EDU
> >>
> >> Here's output from dmesg
> >> Dec 5 15:55:07 duchamp smbd[970]: [ID 807464 daemon.error] ndr_rpc_bind: smbrdr_ctx_new(S=myadc, D=MY.DOMAIN.EDU, U=administrator), err=61
> >> Dec 5 15:55:07 duchamp last message repeated 3 times
> >> Dec 5 15:55:07 duchamp smbd[970]: [ID 700049 daemon.error] smbd: failed locating domain controller for MY.DOMAIN.EDU
> >>
> >> I've already gotten Kerberos, LDAP and idmapping working with AD and
> >> configured PAM such that ssh logins work, but this one has me stumped.
> >> I've seen plenty of other folks with similar errors, but none with
> >> 'err=61'. For reference I'm running Windows 2008r2, my domain is currently
> >> set to the 2003 compatibility mode.
> >>
> >> Following the instructions here:
> >> http://wiki.illumos.org/display/illumos/CIFS+Service+Troubleshooting
> >> I have left my lmauth_level at the default (4) and have not modified it
> >> with: sharectl set -p lmauth_level=X smb
> >>
> >> Anyone have any suggestions for how to troubleshoot this further? How
> >> can I enable debug logging for smbadm?
> >>
> >> Thanks
> >> -Peter
> >> _______________________________________________
> >> OpenIndiana-discuss mailing list
> >> OpenIndiana-discuss@openindiana.org
> >> http://openindiana.org/mailman/listinfo/openindiana-discuss
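
Added example, not part of the original thread or of illumos code: a sketch of standard stub-resolver search-list expansion, showing how a failed SRV lookup can be retried with the domain appended a second time, and how to spot that pattern in a query capture. It assumes res_search-style rules (ndots, search list) produced the doubled name; the thread does not confirm which resolver path smbd uses, and the helper names and sample capture are constructed.

```python
# Added example: stub-resolver search-list expansion (res_search-style rules).
# Assumption: the doubled name quoted in the thread came from this fallback.

AD_DOMAIN = "MY.DOMAIN.EDU"  # placeholder domain as written in the thread


def candidates(name, search, ndots=1):
    """Return the query names a stub resolver tries, in order."""
    if name.endswith("."):
        return [name]  # fully qualified: the search list is never applied
    absolute = name + "."
    searched = [f"{name}.{s.rstrip('.')}." for s in search]
    # With at least `ndots` dots the name is tried as-is first; the search
    # list is only a fallback after that first query fails.
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]


def doubled_suffix(qname, domain):
    """True when qname ends with the domain twice in a row."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q.endswith(f".{d}.{d}")


def failed_before_fallback(queries, domain):
    """From (qname, rcode) pairs, return names whose failure preceded a doubled retry."""
    missing = []
    for (name, rcode), (nxt, _) in zip(queries, queries[1:]):
        prefix = name.rstrip(".").lower() + "."
        retried = doubled_suffix(nxt, domain) and nxt.lower().startswith(prefix)
        if rcode != "NOERROR" and retried:
            missing.append(name)
    return missing


# Constructed sample of what a capture on the DNS server might show.
SAMPLE = [
    ("_ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.", "NXDOMAIN"),
    ("_ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.MY.DOMAIN.EDU.", "NXDOMAIN"),
    ("myadc.MY.DOMAIN.EDU.", "NOERROR"),
]

if __name__ == "__main__":
    print(candidates("_ldap._tcp.dc._msdcs." + AD_DOMAIN, [AD_DOMAIN]))
    print(failed_before_fallback(SAMPLE, AD_DOMAIN))
```

Under these rules a doubled name in a capture is a symptom rather than the first query sent: the name it was built from is the record the DNS server failed to answer.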