
I'm attempting to join an Ubuntu 12.04 server to Active Directory. I installed samba and krb5-user, created a machine account in AD, and did:

> net ads testjoin
Join is OK

So far so good. Then I hit a problem:

> sudo net join -U myuser
Failed to join domain: failed to set machine spn: Constraint violation

I do not have access to modify anything on the Active Directory server as I'm not admin. Is there any way around this error?

Jon Skarpeteig
  • Silly question - does `myuser` have permissions to join machines to the domain? Also, what Windows version? – growse May 16 '12 at 09:55
  • The machine account is already created, and the user is set as owner of the machine account – Jon Skarpeteig May 16 '12 at 10:07
  • Every time I've done a winbind Ubuntu AD join, the process creates the machine account in the AD for me. Honestly, I didn't think it'd work if you already have the machine account created, but can't say for sure that this is what's wrong here. – growse May 16 '12 at 10:59
  • To create the machine account in AD using winbind requires administrative privileges, which I do not have. – Jon Skarpeteig May 16 '12 at 11:32

7 Answers


I know this post is old, but I just ran into the same problem and here is what I found. If you are trying to add a computer to the domain but are not using a "domain admin" account, the delegated account rights need to include at least the following:

- This object and all descendants:
  • Create Computer objects
  • Delete Computer objects

- Descendant Computer objects:
  • Read all properties
  • Write all properties
  • Change password
  • Reset password
  • Validated write to DNS host name
  • Validated write to service principal

Hope that helps!

Tom Sahaida
  • This was the correct answer in our case -- the permissions of the non-domain-admin user we use to join computers to our AD domain were insufficient. Presumably this started happening at some point in the past when samba (4?) started requiring more permissions to successfully complete a join, but the "constraint violation" error hadn't caused us any problems until the CentOS 7.5 update bumped samba to 4.7.1. – David Gardner May 22 '18 at 14:08
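The rights listed in the answer above are what an AD administrator has to delegate before a non-admin account can complete `net ads join`. The script below is an added example, not part of the original answer or of Samba's own documentation: it expresses those rights as SDDL ACEs scoped to one OU and applies them with `samba-tool dsacl set`. The OU DN, trustee group SID, DC name and admin account are placeholders; the schema GUIDs are the standard ones for the Computer object class, the two validated writes and the two password extended rights. The same ACEs can equally be granted from the Delegation of Control wizard in Active Directory Users and Computers or with dsacls on a Windows host.

```shell
#!/bin/sh
# Added example: build the ACEs that grant a non-admin group the rights listed
# in the answer above, then apply them to an OU with samba-tool.
# OU, group SID, DC and admin account below are assumptions for illustration.

# Schema GUIDs (standard AD values):
COMPUTER_CLASS="bf967a86-0de6-11d0-a285-00aa003049e2"   # Computer object class
DNS_HOST_NAME="72e39547-7b18-11d1-adef-00c04fd8d5cd"    # Validated write to DNS host name
VALIDATED_SPN="f3a64788-5306-11d1-a9c5-0000f80367c1"    # Validated write to service principal name
CHANGE_PASSWORD="ab721a53-1e2f-11d0-9819-00aa0040529b"  # User-Change-Password extended right
RESET_PASSWORD="00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password extended right

# Print the SDDL ACEs for the delegation, for trustee SID $1.
# ACE layout: (type;flags;rights;object_guid;inherited_object_guid;trustee)
build_join_delegation_sddl() {
    sid="$1"
    # "This object and all descendants": CI = container inherit.
    printf '(OA;CI;CC;%s;;%s)' "$COMPUTER_CLASS" "$sid"   # Create Computer objects
    printf '(OA;CI;DC;%s;;%s)' "$COMPUTER_CLASS" "$sid"   # Delete Computer objects
    # "Descendant Computer objects": IO = inherit only, last GUID = inherited object type.
    printf '(OA;CIIO;RPWP;;%s;%s)' "$COMPUTER_CLASS" "$sid"                  # Read/Write all properties
    printf '(OA;CIIO;CR;%s;%s;%s)' "$CHANGE_PASSWORD" "$COMPUTER_CLASS" "$sid" # Change password
    printf '(OA;CIIO;CR;%s;%s;%s)' "$RESET_PASSWORD"  "$COMPUTER_CLASS" "$sid" # Reset password
    printf '(OA;CIIO;SW;%s;%s;%s)' "$DNS_HOST_NAME"   "$COMPUTER_CLASS" "$sid" # Validated write to DNS host name
    printf '(OA;CIIO;SW;%s;%s;%s)' "$VALIDATED_SPN"   "$COMPUTER_CLASS" "$sid" # Validated write to SPN
}

# Number of ACEs in an SDDL fragment (one opening parenthesis per ACE); sanity check.
count_aces() {
    printf '%s' "$1" | tr -cd '(' | wc -c | tr -d ' '
}

# Add the ACEs to the OU's nTSecurityDescriptor. Prompts for the admin password.
apply_join_delegation() {
    ou_dn="$1"; sid="$2"; dc="$3"; admin="$4"
    sddl="$(build_join_delegation_sddl "$sid")"
    samba-tool dsacl set --objectdn="$ou_dn" --sddl="$sddl" -H "ldap://$dc" -U "$admin"
}

if [ "${1:-}" = "--apply" ]; then
    # Assumed OU, group SID and DC; replace with your own before running.
    apply_join_delegation "OU=LinuxHosts,DC=example,DC=com" \
        "S-1-5-21-1111111111-2222222222-3333333333-1105" dc1.example.com Administrator
fi
```

Run with `--apply` against a DC once the placeholders are replaced; without it the script only defines the functions, so the ACE string can be inspected with `build_join_delegation_sddl <SID>` before anything is written to the directory.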

I also ran into the same issue: winbindd simply would not start. The entry was already in /etc/hosts, but I needed to change /etc/nsswitch.conf and change the order so that 'files' came first.

hosts: mdns4_minimal files nis dns mdns4 myhostname

to

hosts: files mdns4_minimal nis dns mdns4 myhostname


Ran into this error during our production Solaris samba upgrade, while also moving to a different AD domain at the same time. We had deleted the object in the old domain but had not told samba to leave the old domain. The solution was to try a "net ads leave", even though it said "Failed to leave domain: failed to connect to AD: Cannot contact any KDC for requested realm". It must have cleared something up in samba, and we were then able to join the new domain.

A couple of items of note from this upgrade from samba 3 to samba 4 that some may find useful:

  • Having winbind in nsswitch for passwd caused some issues changing passwords, with this error: "detected unsupported configuration in /etc/nsswitch.conf"

  • Using local Unix accounts and the samba user map, we did not need winbind in nsswitch for passwd or group (or anywhere). In fact, if we used winbind in nsswitch we had to add "set ngroups_max = " in /etc/system (and reboot) or samba would panic and core dump when it enumerated more than 16 groups. It would also panic if it enumerated more groups than .

  • Using a non-FQDN hostname to access samba shares across domains would fail with NT_STATUS_NO_SUCH_USER. The solution was to add [NOTFOUND=continue] for hosts after files and before dns in nsswitch, i.e. "hosts: files [NOTFOUND=continue] dns".

These are probably rare but thought I'd share what we experienced.

Ike

I ran into the same error even though the joining user had domain-level full permissions on the AD side. The solution was to uncheck "Do not require Kerberos preauthentication" in the AD user attributes of the joining user.


I was able to solve this by adding a DNS entry for the host prior to attempting to join.

Jon Skarpeteig
  • Can you be more explicit: where did you have to create a DNS entry? The default domain of your computer happened to match the one of the AD. What if it doesn't? – sorin Jul 29 '14 at 10:09

Ran into the same issue... Needed to add an entry into /etc/hosts.

So the first entry needs to be the IP, the 2nd must be the fully qualified domain name for the domain you are joining, and the rest can be in any order.
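The nsswitch.conf, DNS and /etc/hosts answers above all come down to the same requirement: before `net ads join`, the machine's own fully qualified name must resolve locally, and resolve first, to a name inside the realm being joined. The script below is an added example, not from any of the answers, that checks those three conditions and runs them against constructed sample files so the broken and fixed configurations can be compared. File paths, the hostname `ubuntu.example.com`, the realm `EXAMPLE.COM` and the address 192.0.2.10 are illustrative assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the name-resolution requirements the
# /etc/hosts, nsswitch.conf and DNS answers above describe. File paths and the
# hostname are parameters so the checks can run against copies; the files
# written by demo_constructed are constructed for illustration.

# 1. nsswitch.conf: 'files' must be the first source on the hosts: line, or
#    mdns4_minimal/dns get to answer before /etc/hosts is consulted.
check_nsswitch_hosts_order() {
    first_src="$(awk '$1 == "hosts:" { print $2; exit }' "$1")"
    [ "$first_src" = "files" ]
}

# 2. /etc/hosts: on the line carrying our address the FQDN must be the first
#    name after the IP. Prints ok, bad (FQDN present but not first) or missing.
check_hosts_fqdn_first() {
    awk -v fqdn="$2" '
        $1 !~ /^#/ && NF >= 2 {
            for (i = 2; i <= NF; i++) if ($i == fqdn) {
                if ($2 == fqdn) print "ok"; else print "bad"
                found = 1; exit
            }
        }
        END { if (!found) print "missing" }' "$1"
}

# 3. The FQDN must sit inside the DNS domain of the realm being joined
#    (realm lower-cased); otherwise the dNSHostName/SPN values will not match.
check_fqdn_in_realm() {
    domain="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    case "$1" in
        *".$domain") return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks and report; returns non-zero if any fails.
run_preflight() {
    nss="$1"; hosts="$2"; fqdn="$3"; realm="$4"; status=0
    check_nsswitch_hosts_order "$nss" \
        || { echo "nsswitch.conf: 'files' is not first on the hosts: line"; status=1; }
    h="$(check_hosts_fqdn_first "$hosts" "$fqdn")"
    [ "$h" = "ok" ] \
        || { echo "/etc/hosts: entry for $fqdn is $h (FQDN must be the first name after the IP)"; status=1; }
    check_fqdn_in_realm "$fqdn" "$realm" \
        || { echo "hostname $fqdn is not inside realm $realm"; status=1; }
    return $status
}

# Constructed sample files: the broken order from the answers above, then the fix.
demo_constructed() {
    d="$(mktemp -d)"
    printf 'hosts: mdns4_minimal files nis dns mdns4 myhostname\n' > "$d/nsswitch.bad"
    printf 'hosts: files mdns4_minimal nis dns mdns4 myhostname\n' > "$d/nsswitch.good"
    printf '127.0.0.1 localhost\n192.0.2.10 ubuntu ubuntu.example.com\n' > "$d/hosts.bad"
    printf '127.0.0.1 localhost\n192.0.2.10 ubuntu.example.com ubuntu\n' > "$d/hosts.good"
    echo "--- broken configuration"
    run_preflight "$d/nsswitch.bad" "$d/hosts.bad" ubuntu.example.com EXAMPLE.COM || true
    echo "--- fixed configuration"
    run_preflight "$d/nsswitch.good" "$d/hosts.good" ubuntu.example.com EXAMPLE.COM \
        && echo "ready for: sudo net ads join -U myuser"
    rm -rf "$d"
}

# With a realm argument, check the live system; otherwise run the constructed demo.
if [ -n "${1:-}" ]; then
    run_preflight /etc/nsswitch.conf /etc/hosts "$(hostname -f)" "$1"
else
    demo_constructed
fi
```

On a real host, `sh preflight.sh EXAMPLE.COM` reads the live /etc/nsswitch.conf and /etc/hosts and the output of `hostname -f`; a clean run is a reasonable precondition before retrying the join, though it does not replace checking the delegated rights on the AD side.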


I ran into this problem while trying to set up a machine with sssd authentication. For the life of me, I couldn't get it to work. I was using the credentials of a Domain Administrator, and I was using a script I'd written that had worked on perhaps a dozen hosts already.

So I logged into my domain server, and perused the hierarchy looking for instances of my machine name. I deleted them (some entries were rather unusual looking, like "host-N55A1B", and I deleted those too), then went back to Linux and retried the kinit.

Worked.

Mike S