Astaro User Bulletin Board
  #1 (permalink)  
Old 12-04-2007, 03:34 PM
Mark_D's Avatar
Member
 
Join Date: Apr 2004
Location: Melb, Australia
Posts: 89
[V7.100] SSO unable to join AD

Hi I've been following the various threads for this problem and have been unable to join my AD.
I have a MS SBS Server with a .local AD.
Below are the settings that are configured.
Under AD authentication: I have Server Host (zmain), port 389, Bind user: CN=administrator,CN=users,DC=ncs,DC=local. Click apply, all OK.
DNS Request Routing from Astaro to SBS (working): zmain.ncs.local has address 172.16.10.1
DNS entry for roxy7 (Astaro) in SBS (working): roxy7.ncs.local has address 172.16.1.1
LAN Manager auth level set to: Send LM & NTLM - use NTLMv2 session security if negotiated
Using an LDAP browser I can navigate the tree.
Using: host -t srv _ldap._tcp.dc._msdcs.ncs.local I receive: _ldap._tcp.dc._msdcs.ncs.local has SRV record 0 100 389 zmain.ncs.local.

Under SSO.
NCS.LOCAL (Which system put there after .100 upgrade) and have manually changed.
Admin User: I have tried every option that I can think of with administrator, i.e. administrator, ncs.local\administrator, NCS.LOCAL\administrator, CN=administrator, CN=administrator,CN=users,DC=ncs,DC=local.
Click Apply and receive a number of "the running request has reached a timeout without finishing, do you want it to be aborted?" Click no, wait another 30 sec. "Then unable to complete backend request".
Note if I change the Domain to NCS I get an instant (15sec) "Joining the domain failed."

Tests completed so far:
1. DNS working.
2. LDAP working.
3. Looking in fallback log I get
2007:12:04-16:59:49 (none) [user:err] net: [2007/12/04 16:59:49, 0] utils/net_ads.c:ads_startup(289)
2007:12:04-16:59:49 (none) [user:err] net: ads_connect: Operations error
2007:12:04-17:00:29 (none) [user:err] net: [2007/12/04 17:00:29, 0] utils/net_ads.c:ads_startup(289)
2007:12:04-17:00:29 (none) [user:err] net: ads_connect: Operations error

Where have I gone wrong or what am I missing?

Thanks for any responses
Help
Mark
__________________
1x ASG v7.500 2.4 Intel 2Gb ram 7 nic
2x ASG v7.500 2.4 Intel 1Gb ram 3 nic

Last edited by Mark_D; 12-04-2007 at 03:57 PM.
  #2 (permalink)  
Old 12-04-2007, 10:02 PM
Simon Shaw's Avatar
Aussie moderator.
 
Join Date: Jun 2001
Location: Perth, Western Australia
Posts: 2,628

I can only get SSO working using short domain name to join the AD.

ie PERTH and not the long name which is company.com.au
__________________
Simon Shaw
Systems Manager
Micromine PL

Intel 2.66GHz Quad Core, 4GB (2 x 2GB) PC-6400 800Mhz 4-4-4-12, WD 300GB 10K RPM VelociRaptor, Intel Pro/1000 Quad Port PCI-X
http://www.sputcorp.com/
  #3 (permalink)  
Old 12-04-2007, 10:15 PM
Senior Member
 
Join Date: Dec 2002
Location: Groves, Texas
Posts: 226

I had to use the full domain name (DOMAIN.ORG) , and it had to be in CAPS. Weird.
__________________
Work - ASL 6.313- Unlimited - P4 3.4 GHz Dual Core - 2 Gigs Ram
Home - ASL 7.180 - 50 User - P4 2.8 Ghz - 1 Gig Ram

Accessing with IE7
(Switch to FireFox is not a valid answer to any problem)
  #4 (permalink)  
Old 12-04-2007, 10:58 PM
Wizard
 
Join Date: Oct 2005
Posts: 2,429

Hey Mark, I had an issue too... after some time with Astaro support, found that the winbindd process was "flipping out." A trip to /var/locks found that the file winbinddd.pid had an old timestamp on it (from yesterday)... manually deleting that file, then stopping and starting the http proxy (which causes winbindd to reinitialize) fixed my problem. It's the only system I've had the problem on, just got done updating a customer's system an hour or so ago and had no problem.

One idea: check for a computer account matching the name of your Astaro in AD; delete it, make sure all your DCs are synced up, then try rejoining.
__________________
Convergent Information Security Solutions, LLC
Astaro Preferred Solution Partner
  #5 (permalink)  
Old 12-04-2007, 11:00 PM
Wizard
 
Join Date: Oct 2005
Posts: 2,429

Mark: Also make sure your timezone setting on the Astaro matches your DC, and that the times are within 5 minutes of each other; Kerberos is quite sensitive about the time.
__________________
Convergent Information Security Solutions, LLC
Astaro Preferred Solution Partner
  #6 (permalink)  
Old 12-04-2007, 11:04 PM
Senior Member
 
Join Date: Dec 2002
Location: Groves, Texas
Posts: 226

Bruce -

Any suggestions on where to start looking if my Basic authentication fails, but AD SSO and AD web auth works?

My network is all Windows 2003 DCs running in 2003 native mode. Mixture of WinXp and Win2k computers. All exhibit the same problem. Auth box pops up, name and password entered, fails auth. The log shows "DENIED" as a reason.

Have tried the domain\user method when entering the username, but it fails always.

I have rejoined the domain since 7.100, same results. Even tried using a different DC to authenticate against. Same thing.

I submitted a ticket, but they are looking at other things right now. Just trying to get an idea where to look.

Thanks,
__________________
Work - ASL 6.313- Unlimited - P4 3.4 GHz Dual Core - 2 Gigs Ram
Home - ASL 7.180 - 50 User - P4 2.8 Ghz - 1 Gig Ram

Accessing with IE7
(Switch to FireFox is not a valid answer to any problem)

Last edited by TXGARobert; 12-04-2007 at 11:07 PM.
  #7 (permalink)  
Old 12-04-2007, 11:42 PM
Wizard
 
Join Date: Oct 2005
Posts: 2,429

Don't know about Basic Authentication... my problem was with AD.
__________________
Convergent Information Security Solutions, LLC
Astaro Preferred Solution Partner
  #8 (permalink)  
Old 12-05-2007, 12:37 AM
Mark_D's Avatar
Member
 
Join Date: Apr 2004
Location: Melb, Australia
Posts: 89

Thanks guys for your response.
I did forget to mention that I checked the time zones and clocks are currently 12 sec out, I also tried adding and deleting computer name for astaro.
Checking /var/locks I found that the file winbinddd.pid did not exist.
I'm about to download a new iso of 7.100 and install on a new box to see what happens.

Any other suggestions out there?

Thanks again
Mark
__________________
1x ASG v7.500 2.4 Intel 2Gb ram 7 nic
2x ASG v7.500 2.4 Intel 1Gb ram 3 nic
  #9 (permalink)  
Old 12-11-2007, 05:21 PM
Junior Member
 
Join Date: Dec 2007
Posts: 10

Hi,

I'm new to Astaro. I'm getting the same problem. Unable to join my AD domain (I was when using v7.011).
When I try to join the domain I get a failed message. A look at the computer accounts shows Astaro's box hostname deactivated.

Fallback log shows:
unable to determine machine account's DNS name in AD (nslookup for DC is ok) and

another one :
no dNSHostName attribute

Maybe it'll help...
  #10 (permalink)  
Old 12-11-2007, 05:30 PM
svens's Avatar
Senior Member
 
Join Date: Nov 2005
Posts: 260

Hi,
Quote:
Originally Posted by apave
unable to determine machine account's DNS name in AD (nslookup for DC is ok)
Do you have the FQDN as hostname configured (means asg.domain.com instead of only 'asg'), and is the ASG in the same DNS domain as the Domain Controller?

Cheers,

Sven.
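
The prerequisites raised in the replies above (an FQDN hostname in the DC's DNS domain, a resolvable DC SRV record, clocks within 5 minutes) can be checked together before retrying a join. This is an added example, not part of the original thread or of Astaro's software; the function names are hypothetical, the sample input is constructed from the names in the first post, and the UTC+11 timezone is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # Kerberos tolerance quoted in the thread
SRV_RE = re.compile(r"^(\S+) has SRV record \d+ \d+ (\d+) (\S+?)\.?$")

def dc_targets(host_output, ad_domain):
    """Parse `host -t srv` output; return (dc_name, port) pairs for the domain."""
    wanted = "_ldap._tcp.dc._msdcs." + ad_domain.lower()
    found = []
    for line in host_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m and m.group(1).lower() == wanted:
            found.append((m.group(3).lower(), int(m.group(2))))
    return found

def preflight(ad_domain, asg_hostname, host_output, asg_now, dc_now):
    """Return a list of problems; an empty list means the prerequisites hold."""
    problems = []
    domain = ad_domain.lower().rstrip(".")
    host = asg_hostname.lower().rstrip(".")
    if "." not in host:
        problems.append("hostname: not an FQDN")
    elif not host.endswith("." + domain):
        problems.append("hostname: outside the AD DNS domain")
    if not dc_targets(host_output, domain):
        problems.append("dns: no _ldap._tcp.dc._msdcs SRV record for " + domain)
    # Aware datetimes are compared in UTC, so a wrong timezone setting shows
    # up as hours of skew even when the wall clocks look identical.
    skew = abs(asg_now - dc_now)
    if skew > MAX_SKEW:
        problems.append("time: skew %ds exceeds %ds"
                        % (skew.total_seconds(), MAX_SKEW.total_seconds()))
    return problems

# Constructed sample input, reusing the names from the first post.
SRV_OUT = "_ldap._tcp.dc._msdcs.ncs.local has SRV record 0 100 389 zmain.ncs.local."
MELB = timezone(timedelta(hours=11))  # assumed DC timezone
DC_NOW = datetime(2007, 12, 4, 16, 59, 49, tzinfo=MELB)

if __name__ == "__main__":
    good_now = DC_NOW - timedelta(seconds=12)
    print("healthy:", preflight("NCS.LOCAL", "roxy7.ncs.local", SRV_OUT, good_now, DC_NOW))
    # Same wall clock but timezone left at UTC, short hostname, no SRV answer.
    bad_now = DC_NOW.replace(tzinfo=timezone.utc)
    print("broken:", preflight("ncs.local", "roxy7", "", bad_now, DC_NOW))
```
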