Ubuntu + AD; Failed to join domain: failed to set machine spn: Constraint violation


Solution 1

I also ran into the same issue: winbindd simply would not start. The entry was already in /etc/hosts, but I needed to change /etc/nsswitch.conf and changed the order so that 'files' came first.

hosts: mdns4_minimal files nis dns mdns4 myhostname

to

hosts: files mdns4_minimal nis dns mdns4 myhostname

Solution 2

I know this post is old, but I just ran into the same problem and here is what I found. If you are trying to add a computer to the domain but are not using a "domain admin" account, the delegated account rights need to include at least the following:

  • This object and all descendants
    • Create Computer objects
    • Delete Computer objects

  • Descendant Computer objects
    • Read all properties
    • Write all properties
    • Change password
    • Reset password
    • Validated write to DNS host name
    • Validated write to service principal

Hope that helps!

Solution 3

Ran into this error during our production Solaris samba upgrade AND moving to a different AD domain at the same time. We had deleted the object in the old domain but had not told samba to leave the old domain. The solution was trying a "net ads leave" even though it said "Failed to leave domain: failed to connect to AD: Cannot contact any KDC for requested realm". However, it must have cleared something up in samba and we were able to then join the new domain.

A couple of items of note, which some may find useful, that we experienced with this upgrade from samba 3 to samba 4:

  • Having winbind in nsswitch for passwd caused some issues changing passwords, with this error: "detected unsupported configuration in /etc/nsswitch.conf"

  • Using local Unix accounts and the samba user map, we did not need winbind in nsswitch for passwd or group (or anywhere). In fact, if we used winbind in nsswitch we had to add "set ngroups_max = " in /etc/system (and reboot) or samba would panic and core dump when it enumerated more than 16 groups. It would also panic if it enumerated more groups than .

  • Using a non-FQDN hostname to access samba shares across domains would fail with NT_STATUS_NO_SUCH_USER. The solution was to add [NOTFOUND=continue] for hosts after files and before dns in nsswitch, i.e. "hosts: files [NOTFOUND=continue] dns"

These are probably rare but thought I'd share what we experienced.
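Solution 1 and Solution 3 both come down to the order and action syntax of the hosts: line in /etc/nsswitch.conf. The following is an added example, not code from any of the answers above: it parses a hosts: line (including bracketed actions such as [NOTFOUND=continue], which bind to the source before them), checks whether files is consulted before the mDNS resolvers, and rewrites the line with files first. The sample lines are constructed from the two answers.

```python
import re

# Constructed sample nsswitch.conf hosts: lines (not taken from a real host):
# the ordering from Solution 1 that broke winbindd, and the cross-domain fix from Solution 3.
SAMPLE_BROKEN = "hosts: mdns4_minimal files nis dns mdns4 myhostname"
SAMPLE_NOTFOUND = "hosts: files [NOTFOUND=continue] dns"

# nsswitch action syntax: [STATUS=action] or [!STATUS=action]
_ACTION = re.compile(r"\[([A-Za-z!]+)=([A-Za-z]+)\]")


def parse_hosts_line(line):
    """Split a 'hosts:' line into (source, {STATUS: action}) pairs.

    An action bracket applies to the source immediately before it, so it is
    attached to that source instead of being returned as a separate token.
    """
    db, sep, rest = line.partition(":")
    if not sep or db.strip() != "hosts":
        raise ValueError("expected an nsswitch hosts: line, got %r" % line)
    entries = []
    for token in rest.split():
        m = _ACTION.fullmatch(token)
        if m:
            if not entries:
                raise ValueError("action %r has no preceding source" % token)
            entries[-1][1][m.group(1).upper()] = m.group(2).lower()
        else:
            entries.append((token, {}))
    return entries


def files_before_mdns(line):
    """True when /etc/hosts is consulted before any mdns4* source (or mDNS is absent)."""
    sources = [src for src, _ in parse_hosts_line(line)]
    if "files" not in sources:
        return False
    mdns = [i for i, src in enumerate(sources) if src.startswith("mdns")]
    return not mdns or sources.index("files") < min(mdns)


def move_files_first(line):
    """Return the hosts: line with 'files' (and its actions) moved to the front."""
    entries = parse_hosts_line(line)
    files = [e for e in entries if e[0] == "files"] or [("files", {})]
    others = [e for e in entries if e[0] != "files"]
    parts = []
    for src, actions in files + others:
        parts.append(src)
        parts.extend("[%s=%s]" % (k, v) for k, v in actions.items())
    return "hosts: " + " ".join(parts)
```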


Author: Jon Skarpeteig

Updated on September 18, 2022

Comments

  • Jon Skarpeteig
    Jon Skarpeteig almost 2 years

    I'm attempting to join an Ubuntu 12.04 server to Active Directory. I installed samba and krb5-user, created a machine account in AD, and did:

    > net ads testjoin
    Join is OK
    

    So far so good. Then I hit a problem:

    > sudo net join -U myuser
    Failed to join domain: failed to set machine spn: Constraint violation
    

    I do not have access to modify anything on the Active Directory server as I'm not admin. Is there any way around this error?

    • growse
      growse about 12 years
      Silly question - does myuser have permissions to join machines to the domain? Also, what Windows version?
    • Jon Skarpeteig
      Jon Skarpeteig about 12 years
      The machine account is already created, and the user is set as owner of the machine account
    • growse
      growse about 12 years
      Every time I've done a winbind Ubuntu AD join, the process creates the machine account in the AD for me. Honestly, I didn't think it'd work if you already have the machine account created, but can't say for sure that this is what's wrong here.
    • Jon Skarpeteig
      Jon Skarpeteig about 12 years
      To create the machine account in AD using winbind requires administrative privileges, which I do not have.
  • sorin
    sorin almost 10 years
    Can you be more explicit: where did you have to create a DNS entry? The default domain of your computer happened to match the one of the AD. What if it doesn't?
  • David Gardner
    David Gardner about 6 years
    This was the correct answer in our case -- the permissions of the non-domain-admin user we use to join computers to our AD domain were insufficient. Presumably this started happening at some point in the past when samba (4?) started requiring more permissions to successfully complete a join, but the "constraint violation" error hadn't caused us any problems until the CentOS 7.5 update bumped samba to 4.7.1.