0

I'm trying to join Active Directory in Xubuntu 16.04 in an enterprise business environment, so I'll replace the name of my realm with MY.EXAMPLE.CORP. My issue is: when I run

net ads join -U Administrator

it appears:

Failed to join domain: failed to join domain 'MY.EXAMPLE.CORP' over rpc: Insufficient quota exists to complete the operation.

I tried the kinit and klist commands and the result is:

Tickect cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MY.EXAMPLE.CORP

Valid starting      Expires         Service principal
24/11/16 10:18:49   24/11/16 20:18:49   krbgt/MY.EXAMPLE.CORP@MY.EXAMPLE.CORP
    renew until   25/11/16 10:18:25

It means that Kerberos is working well; it seems to be a Samba problem, but I don't know what is wrong with my smb.conf file or whether I'm missing something else. I've tried everything that I've read, but it's still not working.

These are the changes that I've made in each file: krb5.conf, smb.conf, nsswitch.conf

krb5.conf

[libdefaults]
    default_realm = MY.DOMAIN.CORP

....

[realms]
DOMAIN = {
        kdc = SERVER01.MY.DOMAIN.CORP
        kdc = SERVER02.MY.DOMAIN.CORP
        admin_server = SERVER01.MY.DOMAIN.CORP SERVER.MY.DOMAIN.CORP
        default_domain = MY.DOMAIN.CORP
    }

....


[domain_realm]
    SERVER01.MY.DOMAIN.CORP = MY.DOMAIN.CORP
    SERVER02.MY.DOMAIN.CORP = MY.DOMAIN.CORP
    .MY.DOMAIN.CORP = MY.DOMAIN.CORP
    MY.DOMAIN.CORP = MY.DOMAIN.CORP

smb.conf

[global]
    workgroup = MYWORKGROUP
    realm = MY.DOMAIN.CORP
    security = ADS
    encrypt passwords = yes
    password server = SERVER01.MY.DOMAIN.CORP SERVER02.MYDOMAIN.CORP
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = true
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = yes
    restrict anonymous = 2
    winbind offline logon = yes

nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat

And this is what I have in my .log file:

[2016/11/29 08:13:22.207182,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine SERVER01.MY.DOMAIN.CORP. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2016/11/29 08:13:22.211148,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine SERVER01.MY.DOMAIN.CORP. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2016/11/29 08:13:22.215292,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine SERVER01.MY.DOMAIN.CORP. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2016/11/29 08:13:22.215350,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.
Ruben
  • 11
  • 1
  • 4
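
A consistency check over the krb5.conf and smb.conf excerpts posted in the question, added here as an example (it is not part of the original post or of any answer). The function names are hypothetical, the sample text is reconstructed from the posted files with the elided parts omitted, and the hostname-suffix test is a heuristic that assumes the domain controllers sit under the realm's DNS domain.

```python
import re
# Constructed sample: excerpts of the two files as posted in the question.
KRB5_CONF = """[libdefaults]
    default_realm = MY.DOMAIN.CORP
[realms]
DOMAIN = {
        kdc = SERVER01.MY.DOMAIN.CORP
        kdc = SERVER02.MY.DOMAIN.CORP
    }
"""
SMB_CONF = """[global]
    realm = MY.DOMAIN.CORP
    password server = SERVER01.MY.DOMAIN.CORP SERVER02.MYDOMAIN.CORP
"""

def parse_krb5(text):
    """Return (default_realm, {realm stanza name: [kdc hosts]})."""
    default, realms, section, current = None, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, current = m.group(1), None
        elif section == "libdefaults":
            if m := re.fullmatch(r"default_realm\s*=\s*(\S+)", line):
                default = m.group(1)
        elif section == "realms":
            if m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
                current = m.group(1)
                realms[current] = []
            elif line == "}":
                current = None
            elif current and (m := re.fullmatch(r"kdc\s*=\s*(\S+)", line)):
                realms[current].append(m.group(1))
    return default, realms

def parse_smb(text):
    """Return the key = value options of smb.conf, keys lower-cased."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint(krb5_text, smb_text):
    """List mismatches between the Kerberos realm and the Samba settings."""
    default, realms = parse_krb5(krb5_text)
    smb, findings = parse_smb(smb_text), []
    if smb.get("realm", "").upper() != (default or "").upper():
        findings.append("smb.conf realm differs from krb5.conf default_realm")
    if default not in realms:  # [realms] stanzas are keyed by realm name
        findings.append(f"no [realms] stanza for {default}; found {sorted(realms)}")
    for host in smb.get("password server", "").split():  # heuristic check
        if not host.lower().endswith("." + (default or "").lower()):
            findings.append(f"password server {host} is not under {default}")
    return findings
```

Calling `lint(KRB5_CONF, SMB_CONF)` on the excerpts returns two findings: the `[realms]` stanza is named `DOMAIN` rather than the default realm, and `SERVER02.MYDOMAIN.CORP` does not sit under `MY.DOMAIN.CORP`.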

3 Answers

0

In my case, the user had reached the default maximum of 10 computers it could join; see https://support.microsoft.com/en-gb/help/243327/default-limit-to-number-of-workstations-a-user-can-join-to-the-domain

jjj
  • 101
0

I had a very similar issue with CentOS 7 joining a Windows 2012 R2 domain.

  • The time on one of the AD servers was not correct, so I fixed that by correcting the time zone and syncing the time from an NTP server.
  • Also, the account I was using to join the machine to the domain had expired.
user2398069
  • 103
  • 1
  • 3
0

In my case, it was because the OU wasn't specified and the account didn't have appropriate rights elsewhere, explained here: http://atherbeg.com/2017/02/23/error-insufficient-quota-exists-to-complete-the-operation/

Guest
  • 1