11.3-U1 Failed to join AD

SerialMonkey

Cadet
Joined
Mar 4, 2020
Messages
3
I am attempting to join our Windows AD with fresh install of 11.3-U1.

I am getting the following error:
Failed to validate bind credentials: [EFAULT] [Errno 8] hostname nor servname provided, or not known

If I intentionally enter a bad password, I get the following error:
Failed to validate bind credentials: [EFAULT] kinit for domain [DOMAIN.COM] with password failed: kinit: Password incorrect

Which indicates it's able to find, connect to the domain DC and validate the credentials provided.

I manually enabled Samba and ran the following from the CLI:

# net -k -d 5 ads join

Output:
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
return code = -1

Updated the /usr/local/etc/smb4.conf as follows:
server role = member

Restarted samba_server:
# service samba_server restart

Reran:
# net -k -d 5 ads join

Output:
realm must be set in in /usr/local/etc/smb4.conf for ADS join to succeed.
Invalid configuration. Exiting....
Failed to join domain: The parameter is incorrect.
return code = -1

Once again updated /usr/local/etc/smb4.conf
realm = domain.com

Restarted samba_service and ran ads join:
# service samba_server restart
# net -k -d 5 ads join

This time, the AD join completed successfully. However, the AD join via the Web GUI continues to fail.

Why am I able to join the domain using Samba, but the AD module fails?
Fresh install with 11.2-U8 joins the domain without issue.

Curtis
 

SerialMonkey

Updating should anyone else run into this issue

I was able to identify some stale SRV _ldap and _kerberos records in the _msdcs zone in the AD DNS for some old DCs that were not properly decommed by my predecessor. I cleaned up these records and am now able to properly join the AD domain.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
There was a bug related to timeouts on trying to connect to DCs based on SRV records in U1 that made it more susceptible to these sorts of domain issues. Should be fixed in U2 when it's released.
 

SerialMonkey

Yeah, I read through and was watching those threads. In this case, the error was being reported immediately, which indicated to me it wasn't a timeout issue. The error text "hostname nor servname provided, or not known" is a bit vague, as the domain name was specified. It wasn't until I tailed the logs as I attempted to join the domain and noticed it was attempting to connect to a DC in another datacenter that I realized something was up with our AD environment specifically. This was further confirmed when I was able to join a second domain in our environment without issue. I then began to systematically go through all of the AD services (Sites and Services, Users and Computers, DNS, etc.) and discovered the DNS issue.
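
An added example, not part of any post in this thread and not FreeNAS code: a small audit of the DC locator SRV records discussed above that flags targets which no longer resolve. It assumes a stale record is one whose target host name has no address and that the input is `dig +short SRV` output; the sample records, host names and `constructed_resolver` are made up so it runs offline.

```python
import socket
import sys

# Constructed sample of `dig +short SRV _ldap._tcp.dc._msdcs.domain.com` output
# (priority weight port target); the host names are made up.
SAMPLE_SRV = """\
0 100 389 dc01.domain.com.
0 100 389 dc02.domain.com.
0 100 389 olddc.domain.com.
"""

def parse_srv(text):
    """Return (priority, weight, port, target) tuples from dig +short output."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue  # skip blanks, comments and anything that is not an SRV row
        records.append((*map(int, parts[:3]), parts[3].rstrip(".").lower()))
    return records

def system_resolver(host, port):
    """Resolve with the system resolver; raises socket.gaierror on failure."""
    return [i[4][0] for i in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]

def constructed_resolver(host, port):
    """Offline stand-in: pretends olddc was removed without DNS cleanup."""
    if host == "olddc.domain.com":
        raise socket.gaierror(8, "hostname nor servname provided, or not known")
    return ["192.0.2.10"]

def audit_srv(text, resolver=system_resolver):
    """Split SRV targets into resolvable ones and stale (unresolvable) ones."""
    live, stale = {}, {}
    for _prio, _weight, port, target in parse_srv(text):
        try:
            live[target] = sorted(set(resolver(target, port)))
        except socket.gaierror as exc:
            stale[target] = str(exc)
    return live, stale

if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    live, stale = audit_srv(sys.stdin.read() if piped else SAMPLE_SRV,
                            system_resolver if piped else constructed_resolver)
    for host, addrs in live.items():
        print(f"ok     {host} -> {', '.join(addrs)}")
    for host, err in stale.items():
        print(f"STALE  {host}: {err}")
```

Pipe real `dig +short SRV` output for the `_ldap` or `_kerberos` names on stdin to audit a live zone; run it with no input to see the offline demo.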
 