Good day.
The
problem during connecting Zentyal 5.0.7 (Development Edition) as aditional Domain Controller to Windows 2008 domain - XXX.local.
Other Workstations and Windows Servers connects to Domain without problems.
During connection following errors occures:
Some modules reported error when saving changes . More information on the logs in /var/log/zentyal/
The following modules failed while saving their changes, their state is unknown: samba
In
/var/log/zentyal.log following:
2017/03/19 15:10:13 INFO> Provision.pm:825 EBox::Samba::Provision::checkAddress - Resolving dc.XXX.local to an IP address
2017/03/19 15:10:13 INFO> Provision.pm:845 EBox::Samba::Provision::checkAddress - The DC dc.XXX.local has been resolved to 192.168.10.201
2017/03/19 15:10:13 INFO> Provision.pm:848 EBox::Samba::Provision::checkAddress - Checking reverse DNS resolution of '192.168.10.201'...
2017/03/19 15:10:13 INFO> Provision.pm:872 EBox::Samba::Provision::checkAddress - The IP address 192.168.10.201 does not have associated PTR record
2017/03/19 15:10:13 INFO> Provision.pm:771 EBox::Samba::Provision::checkServerReachable - Checking if AD server '192.168.10.201' is online...
2017/03/19 15:10:13 INFO> Provision.pm:881 EBox::Samba::Provision::checkFunctionalLevels - Checking forest and domain functional levels...
2017/03/19 15:10:13 INFO> Provision.pm:909 EBox::Samba::Provision::checkRfc2307 - Checking RFC2307 compliant schema...
2017/03/19 15:10:13 INFO> Provision.pm:790 EBox::Samba::Provision::checkLocalRealmAndDomain - Checking local domain and realm...
2017/03/19 15:10:13 INFO> Provision.pm:983 EBox::Samba::Provision::checkClockSkew - Checking clock skew with AD server...
2017/03/19 15:10:13 INFO> Provision.pm:1004 EBox::Samba::Provision::checkClockSkew - Clock skew below two minutes, should be enough.
2017/03/19 15:10:13 INFO> Provision.pm:690 EBox::Samba::Provision::checkDnsZonesInMainPartition - Checking for old DNS zones stored in main domain partition...
2017/03/19 15:10:13 INFO> Provision.pm:737 EBox::Samba::Provision::checkForestDomains - Checking number of domains inside forest...
2017/03/19 15:10:13 INFO> Provision.pm:943 EBox::Samba::Provision::checkTrustDomainObjects - Checking for domain trust relationships...
2017/03/19 15:10:13 INFO> Provision.pm:1045 EBox::Samba::Provision::checkADServerSite - Checking the site where the specified server is located
2017/03/19 15:10:13 INFO> Provision.pm:1053 EBox::Samba::Provision::checkADServerSite - The specified server has been located at site named Default-First-Site-Name
2017/03/19 15:10:13 INFO> Provision.pm:1070 EBox::Samba::Provision::checkADNebiosName - Checking domain neXXXos name...
2017/03/19 15:10:13 INFO> Provision.pm:1293 EBox::Samba::Provision::provisionADC - Joining to domain 'XXX.local' as DC
2017/03/19 15:10:14 INFO> Provision.pm:1306 EBox::Samba::Provision::provisionADC - Trying to get a kerberos ticket for principal '
ADMIN@XXX.LOCAL'
2017/03/19 15:10:14 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -e arcfour-hmac-md5 --password-file='/var/lib/zentyal/tmp/KOSxAe' '
ADMIN@XXX.LOCAL' failed.
Error output:
kinit: krb5_get_init_creds: unable to reach any KDC in realm XXX.LOCALCommand output: .
Exit value: 1 at root command kinit -e arcfour-hmac-md5 --password-file='/var/lib/zentyal/tmp/KOSxAe' '
ADMIN@XXX.LOCAL' failed.
Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm XXX.LOCAL
I've checked following is OK:
1. 88 port on AD Controller - 192.168.10.201 open
2. Time on both servers is correct
3. Admin users and passwords to join domain - is correct
Why I can not get a kerberos ticket for principal '
ADMIN@XXX.LOCAL' ?