Ubuntu + AD; Failed to join domain: failed to set machine spn: Constraint violation
Solution 1
I also ran into the same issue; winbindd simply would not start. The entry was already in /etc/hosts, but I needed to change /etc/nsswitch.conf and changed the order so that 'files' came first.
hosts: mdns4_minimal files nis dns mdns4 myhostname
to
hosts: files mdns4_minimal nis dns mdns4 myhostname
Solution 2
I know this post is old, but I just ran into the same problem and here is what I found. If you are trying to add a computer to the domain but are not using a "domain admin" account, the delegated account rights need to include at least the following:
- This object and all descendants
  • Create Computer objects
  • Delete Computer objects
- Descendant Computer objects
  • Read all properties
  • Write all properties
  • Change password
  • Reset password
  • Validated write to DNS host name
  • Validated write to service principal
Hope that helps!
Solution 3
Ran into this error during our production Solaris samba upgrade AND moving to a different AD domain at the same time. We had deleted the object in the old domain but had not told samba to leave the old domain. The solution was trying a "net ads leave" even though it said "Failed to leave domain: failed to connect to AD: Cannot contact any KDC for requested realm". However, it must have cleared something up in samba and we were able to then join the new domain.
A couple of items of note that some may find useful, which we experienced with this upgrade from samba 3 to samba 4:
Having winbind in nsswitch for passwd caused some issues changing passwords with this error "detected unsupported configuration in /etc/nsswitch.conf"
Using local Unix accounts and the samba user map we did not need winbind in nsswitch for passwd or group (or anywhere). In fact if we used winbind in nsswitch we had to add "set ngroups_max = " in /etc/system (and reboot) or samba would panic and core dump when it enumerated more than 16 groups. It would also panic if it enumerated more groups than .
Using a non-fqdn hostname to access samba shares across domains would fail with NT_STATUS_NO_SUCH_USER. The solution was to add [NOTFOUND=continue] for hosts after files and before dns in nsswitch. i.e. "hosts: files [NOTFOUND=continue] dns"
These are probably rare but thought I'd share what we experienced.
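The `hosts:` ordering that Solutions 1 and 3 changed in nsswitch.conf can be checked with a short script. This is an added example, not code from any of the answers; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# hosts_sources FILE: print the lookup sources on the "hosts:" line in order,
# ignoring comments and [STATUS=action] items.
hosts_sources() {
    awk '{ sub(/#.*/, "") }
         $1 == "hosts:" {
             gsub(/\[[^]]*\]/, " ")
             for (i = 2; i <= NF; i++) print $i
             exit
         }' "$1"
}

# action_after_files FILE: print the [STATUS=action] item that directly
# follows "files" (as in Solution 3), or nothing when there is none.
action_after_files() {
    awk '{ sub(/#.*/, "") }
         $1 == "hosts:" {
             if (match($0, /[ \t]files[ \t]*\[[^]]*\]/)) {
                 s = substr($0, RSTART, RLENGTH)
                 sub(/^[ \t]files[ \t]*/, "", s)
                 print s
             }
             exit
         }' "$1"
}

# check_hosts_order FILE: succeed only when "files" (/etc/hosts) is the first source.
check_hosts_order() {
    first=$(hosts_sources "$1" | head -n 1)
    action=$(action_after_files "$1")
    if [ "$first" = "files" ]; then
        echo "OK    files is first${action:+, followed by $action}"
    else
        echo "CHECK '${first:-none}' is consulted before files"
        return 1
    fi
}

# Constructed sample files holding the "hosts:" lines quoted in Solutions 1 and 3.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed sample' 'passwd: files' \
    'hosts: mdns4_minimal files nis dns mdns4 myhostname' > "$tmp/before.conf"
printf '%s\n' 'hosts: files mdns4_minimal nis dns mdns4 myhostname' > "$tmp/after.conf"
printf '%s\n' 'hosts: files [NOTFOUND=continue] dns  # trailing comment' > "$tmp/solaris.conf"
for f in before after solaris; do
    printf '%-8s ' "$f"
    check_hosts_order "$tmp/$f.conf" || true
done
```

To check a real host, call `check_hosts_order /etc/nsswitch.conf` before attempting the join.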
Jon Skarpeteig
Updated on September 18, 2022
Comments
-
Jon Skarpeteig almost 2 years
I'm attempting to join a Ubuntu 12.04 server to Active Directory. I installed samba, and krb5-user, created a machine account in AD, and did:
> net ads testjoin
Join is OK
So far so good. Then I hit a problem:
> sudo net join -U myuser
Failed to join domain: failed to set machine spn: Constraint violation
I do not have access to modify anything on the Active Directory server as I'm not admin. Is there any way around this error?
-
growse about 12 years
Silly question - does myuser have permissions to join machines to the domain? Also, what Windows version?
-
Jon Skarpeteig about 12 years
The machine account is already created, and the user is set as owner of the machine account
-
growse about 12 years
Every time I've done a winbind Ubuntu AD join, the process creates the machine account in the AD for me. Honestly, I didn't think it'd work if you already have the machine account created, but can't say for sure that this is what's wrong here.
-
Jon Skarpeteig about 12 years
To create the machine account in AD using winbind requires administrative privileges, which I do not have.
-
sorin almost 10 years
Can you be more explicit: where did you have to create a DNS entry? The default domain of your computer happened to match the one of the AD. What if it doesn't?
-
David Gardner about 6 years
This was the correct answer in our case -- permissions which the non-domain-admin user we use to join computers to our AD domain with were insufficient. Presumably this started happening at some point in the past when samba (4?) started requiring more permissions to successfully complete a join, but the "constraint violation" error hadn't caused us any problems until the CentOS 7.5 update bumped samba to 4.7.1.