[OmniOS-discuss] cifs connectivity to DC gets lost
Gordon Ross
gordon.w.ross at gmail.com
Tue May 31 02:24:09 UTC 2016
On Tue, May 24, 2016 at 6:52 PM, Geoff Nordli <geoffn at gnaa.net> wrote:
> On 16-05-24 03:41 PM, Geoff Nordli wrote:
>>
>> I just upgraded a server from OI to OmniOS-r151018.
>>
>> I am having a few issues with the connectivity to AD.
>>
>> I was able to join the domain no problem, but then the domain is getting
>> disconnected and after several hours I need to join the domain again.
>>
>> May 24 15:25:12 stor1 idmap[472]: [ID 849457 daemon.error] >
>> ::ffff:172.16.100.10 rc=0
>> May 24 15:25:12 stor1 idmap[472]: [ID 778215 daemon.error] DC name
>> dc1.domain.ca != 172.16.100.10?
>> May 24 15:25:12 stor1 idmap[472]: [ID 884951 daemon.notice] Configuration
>> changed
>> May 24 15:25:12 stor1 idmap[472]: [ID 452651 daemon.error] adutils:
>> ldap_lookup_init failed
>> May 24 15:25:12 stor1 idmap[472]: [ID 884951 daemon.notice] Configuration
>> changed
>> May 24 15:25:13 stor1 smbd[15085]: [ID 511178 daemon.notice] Failed to
>> establish NETLOGON credential chain with DC: 172.16.100.10 (UNSUCCESSFUL)
>> May 24 15:25:13 stor1 smbd[15085]: [ID 714496 daemon.notice] The machine
>> account information on the domain controller does not match the local
>> storage.
>> May 24 15:25:13 stor1 smbd[15085]: [ID 777225 daemon.notice] To correct
>> this, use 'smbadm join'
>> May 24 15:25:13 stor1 smbd[15085]: [ID 527292 daemon.notice] failed to
>> establish NETLOGON credential chain
>> May 24 15:25:13 stor1 smbd[15085]: [ID 505820 daemon.notice] with server
>> 172.16.100.10 for domain domain.ca (UNSUCCESSFUL)
>>
>> Time is synced between the two machines.
>>
>> When I issue the join, I am able to get things connected again.
>>
>> Any thoughts?
>>
>
> Pulled from the idmap log:
>
> adutils: ldap_lookup_init, host 172.16.100.10
> LDAP: 172.16.100.10:3268: Local error
> 172.16.100.10: Local error
> 172.16.100.10: additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information (Server
> not found in Kerberos database)
> adutils: ldap_lookup_init failed
> unable to discover Domains in the Forest
You figured it out. Kerberos can only authenticate with a named host,
and the log message above says that idmap/libadutils is trying to use
ldap+gssapi+kerberos to authenticate with a DC specified only by IP
address.
That's never going to work...
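
The diagnosis above, as an added example that is not part of the original thread: a Python script that correlates the quoted idmap and smbd messages to flag a GSSAPI bind aimed at a DC given only by IP address. The function names and report keys are assumptions, and the sample lines are rejoined from the logs quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: log lines quoted in the thread, rejoined where the mail wrapped them.
SAMPLE_LOG = """\
May 24 15:25:12 stor1 idmap[472]: [ID 778215 daemon.error] DC name dc1.domain.ca != 172.16.100.10?
May 24 15:25:13 stor1 smbd[15085]: [ID 511178 daemon.notice] Failed to establish NETLOGON credential chain with DC: 172.16.100.10 (UNSUCCESSFUL)
adutils: ldap_lookup_init, host 172.16.100.10
172.16.100.10: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
"""

DC_MISMATCH = re.compile(r"DC name (\S+) != (\S+?)\?")
LDAP_INIT = re.compile(r"ldap_lookup_init, host (\S+)")
NETLOGON_FAIL = re.compile(r"Failed to establish NETLOGON credential chain with DC: (\S+)")
NO_PRINCIPAL = "Server not found in Kerberos database"


def as_ip(host):
    """Return a normalized IP string if host is an IP literal, else None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return str(mapped or addr)


def triage(log_text):
    """Correlate the idmap/smbd messages that point at a DC addressed by IP."""
    report = {"gssapi_to_ip": set(), "dc_name_for_ip": {}, "netlogon_failed": set()}
    last_ldap_host = None
    for line in log_text.splitlines():
        if m := DC_MISMATCH.search(line):
            ip = as_ip(m.group(2))
            if ip:
                report["dc_name_for_ip"][ip] = m.group(1)
        elif m := LDAP_INIT.search(line):
            last_ldap_host = as_ip(m.group(1))  # None when a hostname was used
        elif m := NETLOGON_FAIL.search(line):
            report["netlogon_failed"].add(m.group(1))
        elif NO_PRINCIPAL in line and last_ldap_host:
            # Kerberos had no service principal for the IP-literal target.
            report["gssapi_to_ip"].add(last_ldap_host)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An address in `gssapi_to_ip` that also appears in `dc_name_for_ip` gives the hostname the Kerberos bind should have used.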