I have been trying a similar solution for a couple of weeks and I can't get it resolved either.
The details of my environment are:
I have 2 Windows Server 2003 R2 Enterprise Edition machines, both acting as redundant domain controllers with AD-integrated DNS, also redundant. I want to add a Zentyal server as an additional controller as well, to gain redundancy and to migrate little by little to a solution based solely on Zentyal. In Users and Groups I can enable the option to read the Windows AD and it looks perfect (at least in Zentyal 3.2), but that mode is read-only.
I have tried Zentyal 3.2 and 3.0, getting errors in both with the Additional Domain Controller mode of File Sharing. In my opinion, it seems that the DNS is not propagated correctly to the Zentyal and therefore the File Sharing service is not activated.
From Zentyal and Windows I can ping and they see each other correctly; the DNS is apparently OK. According to the log, the start of authentication of the Zentyal machine in Windows seems to go OK (the Zentyal is even listed in the Domain Controllers in Windows), but when the DNS is restarted the error appears. See below the output from Zentyal 3.2 in /var/log/zentyal/zentyal.log:
2013/11/20 12:50:17 INFO> Service.pm:986 EBox::Module::Service::restartService - Restarting service for module: samba
2013/11/20 12:50:17 INFO> Provision.pm:818 EBox::Samba::Provision::checkAddress - Resolving server1.control.com to an IP address
2013/11/20 12:50:17 INFO> Provision.pm:838 EBox::Samba::Provision::checkAddress - The DC server1.control.com has been resolved to 10.10.0.1
2013/11/20 12:50:17 INFO> Provision.pm:841 EBox::Samba::Provision::checkAddress - Checking reverse DNS resolution of '10.10.0.1'...
2013/11/20 12:50:17 INFO> Provision.pm:862 EBox::Samba::Provision::checkAddress - The IP address 10.10.0.1 has been resolved to server1.control.com
2013/11/20 12:50:17 INFO> Provision.pm:764 EBox::Samba::Provision::checkServerReachable - Checking if AD server '10.10.0.1' is online...
2013/11/20 12:50:17 INFO> Provision.pm:874 EBox::Samba::Provision::checkFunctionalLevels - Checking forest and domain functional levels...
2013/11/20 12:50:17 INFO> Provision.pm:783 EBox::Samba::Provision::checkLocalRealmAndDomain - Checking local domain and realm...
2013/11/20 12:50:17 INFO> Provision.pm:942 EBox::Samba::Provision::__ANON__ - Checking clock skew with AD server...
2013/11/20 12:50:17 INFO> Provision.pm:963 EBox::Samba::Provision::checkClockSkew - Clock skew below two minutes, should be enought.
2013/11/20 12:50:17 INFO> Provision.pm:683 EBox::Samba::Provision::checkDnsZonesInMainPartition - Checking for old DNS zones stored in main domain partition
...
2013/11/20 12:50:17 INFO> Provision.pm:730 EBox::Samba::Provision::checkForestDomains - Checking number of domains inside forest...
2013/11/20 12:50:17 INFO> Provision.pm:902 EBox::Samba::Provision::checkTrustDomainObjects - Checking for domain trust relationships...
2013/11/20 12:50:17 INFO> Provision.pm:1004 EBox::Samba::Provision::checkADServerSite - Checking the site where the specified server is located
2013/11/20 12:50:17 INFO> Provision.pm:1012 EBox::Samba::Provision::checkADServerSite - The specified server has been located at site named Default-First-Site-Name
2013/11/20 12:50:17 INFO> Provision.pm:1029 EBox::Samba::Provision::checkADNebiosName - Checking domain netbios name...
2013/11/20 12:50:17 INFO> Provision.pm:1252 EBox::Samba::Provision::__ANON__ - Joining to domain 'control.com' as DC
2013/11/20 12:50:18 INFO> Provision.pm:1265 EBox::Samba::Provision::__ANON__ - Trying to get a kerberos ticket for principal 'admin@control.com'
2013/11/20 12:50:18 INFO> Provision.pm:1274 EBox::Samba::Provision::__ANON__ - Executing domain join
2013/11/20 12:50:56 INFO> Provision.pm:283 EBox::Samba::Provision::setupDNS - Setting up DNS
2013/11/20 12:50:56 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: dns
2013/11/20 12:51:00 ERROR> Sudo.pm:231 EBox::Sudo::_rootError - root command /etc/init.d/bind9 restart failed. Error output:
Command output: * Stopping domain name service... bind9
waiting for pid 17191 to die
...done.
* Starting domain name service... bind9
...fail!
.
Exit value: 1 at /usr/share/perl5/Error.pm line 182
Error::throw('EBox::Exceptions::Sudo::Command', 'cmd', '/etc/init.d/bind9 restart', 'output', 'ARRAY(0xba251a88)', 'error', 'ARRAY(0xba25e0f0)', 'exitValue', 1, ...) called at /usr/share/perl5/EBox/Sudo.pm line 231
EBox::Sudo::_rootError('/usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/WrIfCxWorh.cmd 2>...', '/etc/init.d/bind9 restart', 256, 'ARRAY(0xba251a88)', 'ARRAY(0xba25e0f0)') called at /usr/share/perl5/EBox/Sudo.pm line 201
EBox::Sudo::_root(1, '/etc/init.d/bind9 restart') called at /usr/share/perl5/EBox/Sudo.pm line 152
EBox::Sudo::root('/etc/init.d/bind9 restart') called at /usr/share/perl5/EBox/Module/Service.pm line 757
EBox::Module::Service::_startDaemon('EBox::DNS=HASH(0xba866a80)', 'HASH(0xba216638)') called at /usr/share/perl5/EBox/Module/Service.pm line 796
EBox::Module::Service::_manageService('EBox::DNS=HASH(0xba866a80)', 'start') called at /usr/share/perl5/EBox/Module/Service.pm line 821
EBox::Module::Service::_startService('EBox::DNS=HASH(0xba866a80)') called at /usr/share/perl5/EBox/Module/Service.pm line 1017
EBox::Module::Service::_enforceServiceState('EBox::DNS=HASH(0xba866a80)') called at /usr/share/perl5/EBox/Module/Service.pm line 968
EBox::Module::Service::_regenConfig('EBox::DNS=HASH(0xba866a80)') called at /usr/share/perl5/EBox/Module/Base.pm line 232
EBox::Module::Base::save('EBox::DNS=HASH(0xba866a80)') called at /usr/share/perl5/EBox/Samba/Provision.pm line 296
EBox::Samba::Provision::setupDNS('EBox::Samba::Provision=HASH(0xba1977ec)') called at /usr/share/perl5/EBox/Samba/Provision.pm line 1296
EBox::Samba::Provision::provisionADC('EBox::Samba::Provision=HASH(0xba1977ec)') called at /usr/share/perl5/EBox/Samba/Provision.pm line 340
EBox::Samba::Provision::provision('EBox::Samba::Provision=HASH(0xba1977ec)') called at /usr/share/perl5/EBox/Samba.pm line 1051
EBox::Samba::_setConf('EBox::Samba=HASH(0xba0e6b9c)', 'restart', 1) called at /usr/share/perl5/EBox/Module/Base.pm line 977
EBox::Module::Base::_regenConfig('EBox::Samba=HASH(0xba0e6b9c)', 'restart', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 961
EBox::Module::Service::_regenConfig('EBox::Samba=HASH(0xba0e6b9c)', 'restart', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 988
EBox::Module::Service::restartService('EBox::Samba=HASH(0xba0e6b9c)') called at /usr/share/perl5/EBox/SysInfo/CGI/RestartService.pm line 55
EBox::SysInfo::CGI::RestartService::_process('EBox::SysInfo::CGI::RestartService=HASH(0xba252a14)') called at /usr/share/perl5/EBox/CGI/Base.pm line 279
EBox::CGI::Base::run('EBox::SysInfo::CGI::RestartService=HASH(0xba252a14)') called at /usr/share/perl5/EBox/CGI/Run.pm line 85
EBox::CGI::Run::run('EBox::CGI::Run', 'SysInfo/RestartService') called at /usr/share/zentyal/cgi/ebox.cgi line 36
ModPerl::ROOT::ModPerl::Registry::usr_share_zentyal_cgi_ebox_2ecgi::handler('Apache2::RequestRec=SCALAR(0xba25bb10)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
eval {...} called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
ModPerl::RegistryCooker::run('ModPerl::Registry=HASH(0xba257e7c)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 170
ModPerl::RegistryCooker::default_handler('ModPerl::Registry=HASH(0xba257e7c)') called at /usr/lib/perl5/ModPerl/Registry.pm line 31
ModPerl::Registry::handler('ModPerl::Registry', 'Apache2::RequestRec=SCALAR(0xba25bb10)') called at -e line 0
eval {...} called at -e line 0
2013/11/20 12:51:00 INFO> Provision.pm:283 EBox::Samba::Provision::setupDNS - Setting up DNS
2013/11/20 12:51:00 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: dns
2013/11/20 12:51:04 ERROR> Service.pm:991 EBox::Module::Service::__ANON__ - Error restarting service: root command /etc/init.d/bind9 restart failed.
Error output:
Command output: * Stopping domain name service... bind9
waiting for pid 17191 to die
...done.
* Starting domain name service... bind9
...fail!
.
Exit value: 1
2013/11/20 12:51:04 ERROR> RestartService.pm:67 EBox::SysInfo::CGI::RestartService::__ANON__ - Restart of File Sharing from dashboard failed: root command /etc/init.d/bind9 restart failed.
Error output:
Command output: * Stopping domain name service... bind9
waiting for pid 17191 to die
...done.
* Starting domain name service... bind9
...fail!
.
Exit value: 1
In Zentyal 3.0 the log says:
Error joining to domain:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Using binding ncacn_ip_tcp:10.10.0.1[,seal]
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 > <>
  File "/opt/samba4/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/opt/samba4/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 1169, in join_DC
    ctx.do_join()
  File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 1072, in do_join
    ctx.join_add_objects()
  File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 616, in join_add_objects
    ctx.samdb.add(msg)
On Windows I enabled zone transfers to the servers declared as name servers; this did not change anything.
Kind regards