OpenSolaris

Bug ID 6850508
Synopsis Unable to join Windows 2008 domain (SP2 or later)
State 10-Fix Delivered (Fix available in build)
Category:Subcategory utility:cifs
Keywords bopmail-exception
Responsible Engineer Natalie Li
Reported Against
Duplicate Of
Introduced In solaris_nevada
Commit to Fix snv_119
Fixed In snv_119
Release Fixed solaris_nevada(snv_119)
Related Bugs 6287615 , 6685931 , 6855867 , 2179531 , 6862941 , 6874552
Submit Date 11-June-2009
Last Update Date 19-January-2010
Description
Unable to join CIFS server to W2K8 R2 domain
Same domain join failure has been observed when testing against a Windows Server 2008 with Service Pack 2.
System log
===========
Jun 18 14:45:14 tc022 smbd[104484]: [ID 702911 daemon.debug] NETR[0x0f]: error: ACCESS_DENIED (0xc0000022)
Jun 18 14:45:14 tc022 smbd[104484]: [ID 526780 daemon.notice] Failed to establish NETLOGON credential chain
Jun 18 14:45:14 tc022 smbd[104484]: [ID 871254 daemon.error] smbd: failed joining w2k8ads.com (UNSUCCESSFUL)
For more information on the impact of this bug fix, please read the following flag day email:

-------- Original Message --------
Subject: 	Flag Day: Joining a Windows 2008 domain
Date: 	Fri, 07 Aug 2009 13:27:26 -0700
You can safely ignore this message if you are not a consumer of the
Solaris CIFS service.

The push for 6850508 is a flag day for the use of kclient or smbadm
to join a Windows 2008 domain:

   6850508 Unable to join Windows 2008 domain (SP2 or later)

Prior to snv_119, the Solaris CIFS services contained a workaround for
the Windows 2008 SP1 problem described in KB951191.

   http://support.microsoft.com/default.aspx/kb/951191

If you upgrade to snv_119 or later and your Windows 2008 domain controller
is running Windows Server 2008 SP2 or R2, no action is required.

If you upgrade to snv_119 or later and your Windows 2008 domain controller
is running Windows Server 2008 SP1, you must apply the hotfix described
in KB951191 or install Windows 2008 SP2.

Otherwise you will see the following error messages when attempting to
join a Windows 2008 domain:

smbd[100938]: [ID 702911 daemon.debug] NETR[0x0f]: error: ACCESS_DENIED (0xc0000022)
idmap[100512]: [ID 706612 daemon.debug] LDAP SASL bind to w2k8dc.w2k8ads.com:389 failed (Local error)
smbd[100938]: [ID 526780 daemon.notice] Failed to establish NETLOGON credential chain
smbd[100938]: [ID 871254 daemon.error] smbd: failed joining w2k8ads.com (UNSUCCESSFUL)

NOTE:  Installing Windows 2008 SP2 or the Microsoft Kerberos hotfix
KB951191 or Windows Server 2008 R2 without upgrading to snv_119 will
break idmapd and other Solaris applications using Kerberos.  If you make
any of these changes on Windows 2008, you must upgrade to snv_119 (or
later) and rejoin the domain.

Regards,

Natalie
Work Around
The work around for Windows 2008 server is to uninstall SP2.
Comments
Have sent (w2k8 SP1, SP2, R2) Time Travel Tracing outputs and network traces to a Microsoft engineer for investigation.
Natalie Li wrote:
> Hongwei,
>
> Thanks for the investigation.
> Yes, we've been using the correct UPN format when joining a pre-Windows 2008 domain and the incorrect one (i.e. without @REALM) when joining a Windows 2008 SP1 domain.  Our Kerberos team has stumbled over the problem as described in KB951191 and had thought that the UPN format has changed starting from Windows Server 2008.  Hence, our domain join utility has been coded up to determine which UPN format to use based on the domain controller functional level.  I've made the necessary changes and we are now capable of joining both Windows 2008 SP2 and R2 domains.  Thank you so much!
>
> We weren't aware that the Kerberos hotfix for Windows Server 2008 SP1 had been made available since late February.  Thanks for the pointer to KB951191.
>
> Regards,
>
> Natalie
>
> Hongwei Sun wrote:
>>
>> Natalie,
>>
>> The information and the traces you provided are very helpful.
>>
>> After debugging, we believe that we found the root cause of the issue.  This issue is not related to the Netlogon service itself.  The problem is the format of the UserPrincipalName attribute of the computer account created during your domain join process, which currently has the value of host/tc22.w2k8ads.com.  The correct format of a UPN should have the form of X@<DomainName> (host/xxxxx@xxxxx.COM) (see MS-ADTS 5.1.1.1.1).  The DC failed to look up the computer account.  That is why NetrServerAuthenticate3() failed to calculate a matching ClientCredential.
>>
>> We understand that your current implementation works with Windows 2008 SP1, but it is not the way expected and just works around the problem that we fixed for Windows 2008 SP1 in KB951191 (http://support.microsoft.com/default.aspx/kb/951191).  Windows Server 2008 SP2 and Windows 2008 R2 already have the change for looking up using the correct UPN.  This is the reason why your current implementation fails on both versions.
>>
>> The following is the suggestion of the changes for you to make so your implementation works with various versions of Windows servers:
>>
>> · Change the UserPrincipalName attribute to the form of X@<DomainName>.  (This will ensure domain join works for Windows 2003, Windows 2008 SP2 and R2.)
>>
>> · Apply KB951191 on Windows 2008 SP1.  (This will ensure domain join works for Windows 2008 SP1.)
>>
>> Please let us know how it works out.
>>
>> Thanks!
>>
>> Hongwei
>>
>>
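The root cause above is a UPN format mismatch. As an added illustration (not code from the Solaris CIFS service or from the bug's fix), this Python sketch builds a machine-account UPN in the host/<fqdn>@<REALM> form Hongwei describes, reproduces the pre-snv_119 functional-level-based choice that dropped the @REALM suffix, validates a UPN, and scans the syslog lines quoted in this report for the failure signature. Function names and the regular expression are assumptions; the host and domain values come from the report.

```python
import re

def computer_upn(hostname: str, domain: str) -> str:
    """Machine-account UPN in the form the DC expects (MS-ADTS 5.1.1.1.1):
    X@<DomainName> with X = host/<fqdn>, e.g. host/tc22.w2k8ads.com@W2K8ADS.COM."""
    fqdn = f"{hostname.lower()}.{domain.lower()}"
    return f"host/{fqdn}@{domain.upper()}"

def legacy_computer_upn(hostname: str, domain: str, dc_is_w2k8: bool) -> str:
    """Pre-snv_119 behaviour as described in the comments (reconstructed here, not
    the original code): the @REALM suffix was dropped whenever the DC functional
    level was Windows 2008, as a workaround for the SP1 problem in KB951191."""
    upn = computer_upn(hostname, domain)
    return upn.split("@", 1)[0] if dc_is_w2k8 else upn

# Assumed validation rule: a host/<fqdn> prefix, exactly one '@', then a realm.
_UPN_RE = re.compile(r"^host/[A-Za-z0-9][A-Za-z0-9.-]*@[A-Za-z0-9][A-Za-z0-9.-]*$")

def upn_is_well_formed(upn: str) -> bool:
    """True only for host/<fqdn>@<REALM>; the bare host/<fqdn> form is rejected."""
    return _UPN_RE.match(upn) is not None

# Signatures of this failure mode, taken from the system log quoted in the report.
_JOIN_FAILURE_SIGNATURES = (
    "NETR[0x0f]: error: ACCESS_DENIED (0xc0000022)",
    "Failed to establish NETLOGON credential chain",
    "smbd: failed joining",
)

def join_failure_signatures(log_text: str) -> list:
    """Return the signatures present in syslog text, in the order first seen."""
    hits = []
    for line in log_text.splitlines():
        for sig in _JOIN_FAILURE_SIGNATURES:
            if sig in line and sig not in hits:
                hits.append(sig)
    return hits

# Constructed sample input: the three smbd lines from the report's system log.
SAMPLE_LOG = """\
Jun 18 14:45:14 tc022 smbd[104484]: [ID 702911 daemon.debug] NETR[0x0f]: error: ACCESS_DENIED (0xc0000022)
Jun 18 14:45:14 tc022 smbd[104484]: [ID 526780 daemon.notice] Failed to establish NETLOGON credential chain
Jun 18 14:45:14 tc022 smbd[104484]: [ID 871254 daemon.error] smbd: failed joining w2k8ads.com (UNSUCCESSFUL)
"""

if __name__ == "__main__":
    print(computer_upn("tc22", "w2k8ads.com"))
    print(legacy_computer_upn("tc22", "w2k8ads.com", dc_is_w2k8=True))
    print(join_failure_signatures(SAMPLE_LOG))
```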