Since you aren't using your AD system for DNS, you may be missing some entries 
specific to an AD environment.
It may be easiest to enable DNS there, but only use it on your storage server.  
(Maybe also firewall it off so nobody else tries to use it...)

These are the records I have in my workaround DNS named.domain (identifying 
information sed'ed away...). 
It also has workarounds for some other software that didn't like complicated 
domains, but I can't recall which entries fix which problems.  


domain.edu.     NS      smb.domain.edu.
smb.domain.edu.      A       192.168.1.23
my   A       192.168.1.68
dc1     A       192.168.1.68
dc1.my.domain.edu.      A       192.168.1.68
dc1.my.domain.edu.domain.edu.   A       192.168.1.68
_ldap._tcp.dc._msdcs.my.domain.edu.  SRV 0 0 389 dc1.my.domain.edu.
_kerberos._tcp.my.domain.edu.           SRV     0 0 88  dc1.my.domain.edu.
_ldap._tcp.my.domain.edu.       SRV     0 0 389 dc1.my.domain.edu.
_kerberos._tcp.dc._msdcs.my.domain.edu.         SRV 0 0 389 dc1.my.domain.edu.
_ldap._tcp.dc._msdcs.  SRV 0 0 389 dc1.my.domain.edu.
_kerberos._tcp.         SRV     0 0 88  dc1.my.domain.edu.
_ldap._tcp.     SRV     0 0 389 dc1.my.domain.edu.
_kerberos._tcp.dc._msdcs.       SRV 0 0 389 dc1.my.domain.edu.
_kerberos-master._tcp.MY.DOMAIN.EDU. SRV 0 0 88 dc1.my.domain.edu
_kerberos-master._tcp.my.domain.edu. SRV 0 0 88 dc1.my.domain.edu
_kerberos-master._udp.MY.DOMAIN.EDU. SRV 0 0 88 dc1.my.domain.edu
_kerberos-master._udp.my.domain.edu. SRV 0 0 88 dc1.my.domain.edu
_ldap._tcp.gc._msdcs.domain.edu.  SRV 0 0 3268 dc1.my.domain.edu
_ldap._tcp.gc._msdcs.DOMAIN.EDU. SRV 0 0 3268 dc1.my.domain.edu
_ldap._tcp.dc._msdcs.my.domain.edu.domain.edu.  SRV 0 0 389 dc1.my.domain.edu.
_kerberos._tcp.my.domain.edu.domain.edu.                SRV     0 0 88  dc1.my.domain.edu.
_ldap._tcp.my.domain.edu.domain.edu.    SRV     0 0 389 dc1.my.domain.edu.
_kerberos._tcp.dc._msdcs.my.domain.edu.domain.edu.      SRV 0 0 389 dc1.my.domain.edu.
_ldap._tcp.dc._msdcs.  SRV 0 0 389 dc1.my.domain.edu.
_kerberos._tcp.         SRV     0 0 88  dc1.my.domain.edu.
_ldap._tcp.     SRV     0 0 389 dc1.my.domain.edu.
_kerberos._tcp.dc._msdcs.       SRV 0 0 389 dc1.my.domain.edu.
_kerberos-master._tcp.MY.DOMAIN.EDU.DOMAIN.EDU. SRV 0 0 88 dc1.my.domain.edu
_kerberos-master._tcp.my.domain.edu.domain.edu. SRV 0 0 88 dc1.my.domain.edu
_kerberos-master._udp.MY.DOMAIN.EDU.DOMAIN.EDU. SRV 0 0 88 dc1.my.domain.edu
_kerberos-master._udp.my.domain.edu.domain.edu. SRV 0 0 88 dc1.my.domain.edu
_ldap._tcp.gc._msdcs.domain.edu.domain.edu.  SRV 0 0 3268 dc1.my.domain.edu
_ldap._tcp.gc._msdcs.DOMAIN.EDU.DOMAIN.EDU. SRV 0 0 3268 dc1.my.domain.edu 



-Lucas Van Tol
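
Added example (not part of the original post, and not illumos or smbadm code): a small Python lint for a zone fragment like the one above. It expands relative names against the zone origin, which shows how a target written without a trailing dot becomes dc1.my.domain.edu.domain.edu., and it checks SRV ports and targets. The required-record list and the standard ports (88, 389, 3268) are assumptions of this example; the sample zone is constructed from a subset of the posted records.

```python
ORIGIN = "domain.edu."        # zone origin (from the NS line in the post)
AD_DOMAIN = "my.domain.edu."  # AD DNS domain being joined

# Constructed sample: a subset of the posted records, one SRV left out.
ZONE = """\
dc1.my.domain.edu.                      A   192.168.1.68
dc1.my.domain.edu.domain.edu.           A   192.168.1.68
_ldap._tcp.dc._msdcs.my.domain.edu.     SRV 0 0 389 dc1.my.domain.edu.
_kerberos._tcp.my.domain.edu.           SRV 0 0 88  dc1.my.domain.edu.
_kerberos._tcp.dc._msdcs.my.domain.edu. SRV 0 0 389 dc1.my.domain.edu.
_ldap._tcp.gc._msdcs.domain.edu.        SRV 0 0 3268 dc1.my.domain.edu
"""

# Assumption of this example: standard service ports and a minimal SRV set.
PORTS = {"_kerberos": 88, "_kerberos-master": 88, "_ldap": 389}
REQUIRED = ("_ldap._tcp.dc._msdcs.", "_ldap._tcp.", "_kerberos._tcp.")

def fqdn(name, origin=ORIGIN):
    """A name without a trailing dot is relative: the origin is appended."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(zone):
    """Return (set of A owner names, list of (owner, port, target)) for SRV."""
    a_names, srv = set(), []
    for line in zone.splitlines():
        f = line.split(";")[0].split()      # drop comments, split fields
        if len(f) == 3 and f[1] == "A":
            a_names.add(fqdn(f[0]))
        elif len(f) == 6 and f[1] == "SRV":
            srv.append((fqdn(f[0]), int(f[4]), fqdn(f[5])))
    return a_names, srv

def lint(zone, ad_domain=AD_DOMAIN):
    a_names, srv = parse(zone)
    owners = {owner for owner, _, _ in srv}
    issues = [f"missing SRV {p}{ad_domain}" for p in REQUIRED
              if p + ad_domain not in owners]
    for owner, port, target in srv:
        want = 3268 if ".gc._msdcs." in owner else PORTS.get(owner.split(".")[0])
        if want and port != want:
            issues.append(f"{owner} port {port}, expected {want}")
        if target not in a_names:
            issues.append(f"{owner} target {target} has no A record")
    return issues

if __name__ == "__main__":
    for issue in lint(ZONE):
        print(issue)
```

The parser only understands the bare "name TYPE rdata" layout used in the post (no TTL or class fields).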


> From: pe...@psych.columbia.edu
> Date: Thu, 6 Dec 2012 12:28:40 -0500
> To: openindiana-discuss@openindiana.org
> Subject: Re: [OpenIndiana-discuss] Joining an Active Directory Domain with    
> smbadm
> 
> Wow, this is certainly not the voodoo type suggestions I was hoping for, but 
> maybe it'll point me in the right direction.
> 
> It's not a multi-domain or multi-controller environment. Single domain on a 
> single domain controller.  Time is not out of sync (drift <0.01sec).  My 
> domain controller does not run its own DNS services. I went to some trouble 
> so that I wouldn't have to maintain MS DNS, not excited about enabling 
> anytime I need to bind an Illumos host to AD.  As far as I can tell this is 
> literally the most simplistic Active Directory setup possible.
> 
> I guess that leaves setting up a mini DNS server with the records I need and 
> then logging the incorrect queries; or even just firing up wireshark and 
> logging the DNS on the wire.  I'd really like to try and track down the bad 
> code and fix it.  Making AD binds work would probably benefit quite a few 
> downstream illumos distros (OmniOS, etc).  Does anyone know of a simple 
> dtrace script to log DNS queries or where I could throw a probe to catch them 
> from smbadm?
> 
> Thanks
> -Peter
> 
> On Dec 5, 2012, at 5:08 PM, Lucas Van Tol wrote:
> 
> > 
> > I think I've seen that one before.  I can't quite recall if it was the OI 
> > system doing some bad DNS requests, or just due to 
> > multi-domain/multi-domain-controller environment not being friendly. 
> > 
> > A simple fix MAY be:
> > Ensure DNS is working correctly, and set the primary AD domain controller 
> > as your only nameserver in /etc/resolv.conf ; and match your date to it via 
> > 'ntpdate -u *primary domain server*'.
> > 
> > 
> > I ended up setting up a small DNS server with only entries for one domain 
> > controller, along with entries for some incorrect lookups I saw fairly 
> > frequently. (Along the lines of   
> > _ldap._tcp.dc._msdcs.MY.DOMAIN.EDU.MY.DOMAIN.EDU ; note the domain showing 
> > up twice in a row...) 
> > Those systems work fine with standard DNS once they are joined.
> > 
> > -Lucas Van Tol
> > 
> > 
> >> From: pe...@psych.columbia.edu
> >> Date: Wed, 5 Dec 2012 16:36:35 -0500
> >> To: openindiana-discuss@openindiana.org
> >> Subject: [OpenIndiana-discuss] Joining an Active Directory Domain with 
> >> smbadm
> >> 
> >> Hi folks,
> >> 
> >> I've been trying to join an active directory domain for use with the 
> >> kernel mode CIFS server, but am running into some trouble.  Specifically 
> >> when I run:
> >> # smbadm join -u administrator my.domain.edu.
> >> here's what I get:
> >> failed to find any domain controllers for MY.DOMAIN.EDU
> >> 
> >> Here's output from dmesg
> >> Dec  5 15:55:07 duchamp smbd[970]: [ID 807464 daemon.error] ndr_rpc_bind: 
> >> smbrdr_ctx_new(S=myadc, D=MY.DOMAIN.EDU, U=administrator), err=61
> >> Dec  5 15:55:07 duchamp last message repeated 3 times
> >> Dec  5 15:55:07 duchamp smbd[970]: [ID 700049 daemon.error] smbd: failed 
> >> locating domain controller for MY.DOMAIN.EDU
> >> 
> >> I've already gotten Kerberos, LDAP and idmapping working with AD and 
> >> configured PAM such that ssh logins work, but this one has me stumped.  
> >> I've seen plenty of other folks with similar errors, but none with 
> >> 'err=61'.  For reference I'm running Windows 2008r2, my domain is 
> >> currently set to the 2003 compatibility mode.
> >> 
> >> Following the instructions here:
> >> http://wiki.illumos.org/display/illumos/CIFS+Service+Troubleshooting
> >> I have left my lmauth_level at the default (4) and have not modified it 
> >> with: sharectl set -p lmauth_level=X smb
> >> 
> >> Anyone have any suggestions for how to troubleshoot this further? How can 
> >> I enable debug logging for smbadm?
> >> 
> >> Thanks
> >> -Peter
> >> _______________________________________________
> >> OpenIndiana-discuss mailing list
> >> OpenIndiana-discuss@openindiana.org
> >> http://openindiana.org/mailman/listinfo/openindiana-discuss