domainjoin-cli: Failed to join domain

Bug #555525 reported by Jerome Haltom
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
likewise-open (Ubuntu) | Incomplete | Undecided | Gerald Carter |

Bug Description

Binary package hint: likewise-open

This is after an upgrade to Lucid. I used to have similar errors on Karmic, but --notimesync fixed them. It no longer fixes them on Lucid.

root@station-1:~# domainjoin-cli --loglevel info --log . join ad.isillc.com jhaltom
20100405001255:INFO:Domainjoin invoked with the join command (remaining arguments will be printed later):
20100405001255:INFO: [domainjoin-cli]
20100405001255:INFO: [--loglevel]
20100405001255:INFO: [info]
20100405001255:INFO: [--log]
20100405001255:INFO: [.]
20100405001255:INFO: [join]
20100405001255:INFO:Checking status of daemon [/etc/init.d/lwsmd]
20100405001255:INFO:Daemon [/etc/init.d/lwsmd]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/lwsmd]
20100405001255:INFO:Daemon [/etc/init.d/lwsmd]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/lwregd]
20100405001255:INFO:Daemon [/etc/init.d/lwregd]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/lwregd]
20100405001255:INFO:Daemon [/etc/init.d/lwregd]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/netlogond]
20100405001255:INFO:Daemon [/etc/init.d/netlogond]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/netlogond]
20100405001255:INFO:Daemon [/etc/init.d/netlogond]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/lwiod]
20100405001255:INFO:Daemon [/etc/init.d/lwiod]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/lwiod]
20100405001255:INFO:Daemon [/etc/init.d/lwiod]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/dcerpcd]
20100405001255:INFO:Daemon [/etc/init.d/dcerpcd]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/dcerpcd]
20100405001255:INFO:Daemon [/etc/init.d/dcerpcd]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/eventlogd]
20100405001255:INFO:Daemon [/etc/init.d/eventlogd]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/eventlogd]
20100405001255:INFO:Daemon [/etc/init.d/eventlogd]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/lsassd]
20100405001255:INFO:Daemon [/etc/init.d/lsassd]: status [0]
20100405001255:INFO:Checking status of daemon [/etc/init.d/lsassd]
20100405001255:INFO:Daemon [/etc/init.d/lsassd]: status [0]
20100405001255:INFO:Domainjoin invoked with 2 arg(s) to the join command:
20100405001255:INFO: [ad.isillc.com]
20100405001255:INFO: [jhaltom]
20100405001255:INFO:Adding station-1 (fqdn station-1.ad.isillc.com) to /etc/hosts ip 127.0.1.1, removing station-1, station-1.ad.isillc.com, station-1, station-1.ad.isillc.com
20100405001255:INFO:Reading krb5 file /tmp/centeristmpug4zy3/etc/krb5.conf
20100405001255:INFO:Reading krb5 file /tmp/centeristmpI7NxO6/etc/krb5.conf
20100405001255:INFO:Reading nsswitch file /etc/nsswitch.conf
20100405001255:INFO:Found config file /etc/ssh/sshd_config
20100405001255:INFO:Found binary /usr/sbin/sshd
20100405001255:INFO:Reading ssh file /etc/ssh/sshd_config
20100405001255:INFO:Found open sshd version 5.1.-1p1
20100405001255:INFO:Testing option ChallengeResponseAuthentication
20100405001255:INFO:Testing option UsePAM
20100405001255:INFO:Testing option PAMAuthenticationViaKBDInt
20100405001255:INFO:Option PAMAuthenticationViaKBDInt not supported
20100405001255:INFO:Testing option KbdInteractiveAuthentication
20100405001255:INFO:Testing option GSSAPIAuthentication
20100405001255:INFO:Option GSSAPIAuthentication supported
20100405001255:INFO:Testing option GSSAPICleanupCredentials
20100405001255:INFO:Found config file /etc/ssh/ssh_config
20100405001255:INFO:Found binary /usr/bin/ssh
20100405001255:INFO:Reading ssh file /etc/ssh/ssh_config
20100405001255:INFO:Testing option GSSAPIAuthentication
20100405001255:INFO:Option GSSAPIAuthentication supported
20100405001255:INFO:Testing option GSSAPIDelegateCredentials
Joining to AD Domain: ad.isillc.com
With Computer DNS Name: station-1.ad.isillc.com

<email address hidden>'s password:
20100405001258:INFO:Running module join
20100405001258:INFO:Starting krb5.conf configuration (enabling)
20100405001258:INFO:Reading krb5 file /tmp/centeristmpRLHjig/etc/krb5.conf
20100405001258:WARNING:Short domain name not specified. Defaulting to 'ad'
20100405001258:INFO:Failed to run lwinet ads trusts. This is expected if not yet joined to the domain
20100405001258:INFO:Failed to run lwiinfo --details -m. This is expected if the auth daemon is not running
20100405001258:INFO:Writing krb5 file /tmp/centeristmpRLHjig/etc/krb5.conf
20100405001258:INFO:File /tmp/centeristmpRLHjig/etc/krb5.conf modified
20100405001258:INFO:Finishing krb5.conf configuration

Error: Lsass Error [code 0x00080047]

0x9D5E - Unknown error
20100405001258:ERROR:Lsass Error [CENTERROR_DOMAINJOIN_LSASS_ERROR]

0x9D5E - Unknown error

Stack Trace:
main.c:931
main.c:476
djmodule.c:319
djauthinfo.c:859
djauthinfo.c:1203
root@station-1:~#

Gerald Carter (coffeedude.jerry) wrote :

Could you check that your packages aren't in an incomplete state? The domainjoin-cli output is fishy to me. If necessary, on Lucid purge all existing likewise-open and likewise-open5 packages, reinstall likewise-open and rejoin the domain.

Changed in likewise-open (Ubuntu):
assignee: nobody → Gerald Carter (coffeedude.jerry)
Jerome Haltom (wasabi) wrote :

I have. A few times now.

I have some more logging info for you:

Apr 5 12:13:00 station-1 lsassd[7679]: 0x7f21ab733710:[AD_JoinDomain() provider-main.c:1303] Affinitized to DC 'tarot.ad.isillc.com' for join request to domain 'ad.isillc.com'
Apr 5 12:13:00 station-1 netlogond[2123]: [LWNetSrvGetDCTimeFromDC() dcinfo.c:555] Failed ldap search on tarot.ad.isillc.com error=40286
Apr 5 12:13:00 station-1 netlogond[2123]: [LWNetSrvGetDCTimeFromDC() dcinfo.c:555] Failed ldap search on domino.ad.isillc.com error=40286
Apr 5 12:13:00 station-1 lsassd[7679]: 0x7f21ab733710:[LsaSyncTimeToDC() join.c:454] Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)
Apr 5 12:13:00 station-1 lsassd[7679]: 0x7f21ab733710:[LsaNetJoinDomain() join.c:97] Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)
Apr 5 12:13:00 station-1 lsassd[7679]: 0x7f21ab733710:[AD_JoinDomain() provider-main.c:1322] Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)
Apr 5 12:13:00 station-1 lsassd[7679]: 0x7f21ab733710:[AD_ProviderIoControl() provider-main.c:3006] Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)
Apr 5 12:13:00 station-1 lsassd[7679]: 0x7f21ab733710:[LsaSrvProviderIoControl() provider.c:86] Error code: 40286 (symbol: LW_ERROR_LDAP_SERVER_DOWN)
Apr 5 12:13:00 station-1 lsassd[7679]: 0x7f21ab733710:[LsaSrvProviderIoControl() provider.c:112] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 40286, symbol = LW_ERROR_LDAP_SERVER_DOWN, client pid = 24922
Apr 5 12:13:00 station-1 lsassd[7679]: [IPC] (assoc:0xefb270 >> 0) CALL RES LSA_R_PROVIDER_IO_CONTROL_FAILURE: <LSA_IPC_ERROR>#012{#012 .dwError = 40286#012 .pszErrorMessage = <null>#012}
Apr 5 12:13:00 station-1 lsassd[7679]: [IPC] (assoc:0xefb270) Dropping: Connection closed by peer

It looks like it's failing on trying to CLDAP query the DCs. But I don't know why. Both site DCs are reachable, and Windows boxes are working fine. Also, downgrading back to 5 fixes it.

Gerald Carter (coffeedude.jerry) wrote :

Jerome, could you verify that 'lw-net-dc-name ad.isillc.com' works (or fails)? And that the output from "iptables -n -L" is not blocking traffic on things like port 389, 88, 445, 53, or 3268?

summary: - domainjoin-cli crashes (5.4)
+ domainjoin-cli: Failed to join domain
Changed in likewise-open (Ubuntu):
status: New → Incomplete
Jerome Haltom (wasabi) wrote :

ISI\jhaltom@station-1:/home/ISI/jhaltom$ lw-get-dc-name ad.isillc.com
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 23
dwFlags = 12796
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = domino.ad.isillc.com
pszDomainControllerAddress = 10.0.6.3
pucDomainGUID(hex) = 07 6A C4 27 2C 80 B6 49 96 B7 56 83 48 CB AE CD
pszNetBIOSDomainName = ISI
pszFullyQualifiedDomainName = ad.isillc.com
pszDnsForestName = ad.isillc.com
pszDCSiteName = HQ
pszClientSiteName = HQ
pszNetBIOSHostName = DOMINO
pszUserName = <EMPTY>

Seems to work okay.

Casey Jones (alpergurel) wrote :

I've got the same error, like:

Error: Lsass Error [code 0x00080047]

40286 (0x9D5E) LW_ERROR_LDAP_SERVER_DOWN - Unknown error

lw-get-dc-name dnsname.local works and gets the domain name.

Any suggestions for resolving that problem?

Gerald Carter (coffeedude.jerry) wrote :

Honestly, I'm a little stumped. I have no local repro for the failure. If your domain name is really "dnsname.local", you could try removing any mdns references from /etc/nsswitch.conf.

jaimie@onsitepcs.net (jaimie) wrote :

I ran into this same problem and I created a host entry for the DC on the Linux box and the join worked. DNS looks to be set up correctly on the Windows server and everything resolves both forward and reverse, but the Linux server would not join without the host entry.

Joan Villalta (joan-villalta) wrote :

I have the same issue:
Error: Lsass Error [code 0x00080047]
40286 (0x9D5E) LW_ERROR_LDAP_SERVER_DOWN - Unknown error
Any suggestion?
Thx

Jure Sah (dustwolfy) wrote :

Adding the DC record in /etc/hosts worked for me as well and note that DNS resolution worked just fine beforehand.

Paul Webster (pwebster) wrote :

Jaimie-
What exactly would the host entry on the Linux box look like? My /etc/hosts file looks like this. Do I put in the IP address of the DC?

127.0.0.1 localhost.localdomain localhost
127.0.1.1 pweb-lap
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Jerome Haltom (wasabi) wrote :

I have a funny feeling this is related to IPv6 being enabled on my network, but I have no way to verify it. All of my servers have AAAA records.

Gerald, does this seem like a reasonable line of investigation?
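
To test the two theories raised so far in this thread (a firewall blocking port 389, 88, 445, 53 or 3268, and IPv6/AAAA records), the sketch below connects to each of those TCP ports on every address the resolver returns for a DC and gives one verdict per address family. It is an added example, not part of any comment here or of likewise-open; the names `probe_dc` and `summarize` are made up for it, and it tests TCP only, so the CLDAP query on UDP 389 is not covered.

```python
import socket
import sys

# TCP ports named in the thread: LDAP, Kerberos, SMB, DNS, Global Catalog.
# CLDAP (UDP 389) is not covered by a TCP connect test.
DC_PORTS = (389, 88, 445, 53, 3268)
FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def probe_dc(host, ports=DC_PORTS, timeout=3.0,
             resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Connect to every port on every address the resolver returns for host.

    Returns {address: {"family": "IPv4" or "IPv6", "failed": [ports]}}.
    resolve/connect are injectable so the logic can be exercised offline.
    """
    results = {}
    for family, _, _, _, sockaddr in resolve(host, None, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if family not in FAMILIES or addr in results:
            continue
        failed = []
        for port in ports:
            try:
                connect((addr, port), timeout=timeout).close()
            except OSError:  # refused, timed out, no route, ...
                failed.append(port)
        results[addr] = {"family": FAMILIES[family], "failed": failed}
    return results


def summarize(results):
    """One verdict per family: "ok" only if every address of it passed."""
    ok = {}
    for entry in results.values():
        fam = entry["family"]
        ok[fam] = ok.get(fam, True) and not entry["failed"]
    return {fam: ("ok" if good else "failed") for fam, good in ok.items()}


if __name__ == "__main__":
    for dc in sys.argv[1:]:  # e.g. the pszDomainControllerName value
        try:
            res = probe_dc(dc)
        except socket.gaierror as exc:
            print(dc, "does not resolve:", exc)
            continue
        for addr, entry in res.items():
            print(dc, addr, entry["family"], "failed:", entry["failed"] or "none")
        print(dc, summarize(res))
```

A result of `{'IPv4': 'ok', 'IPv6': 'failed'}` for a DC would be consistent with the IPv6 suspicion; `ok` for both families points away from both theories.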

Paul Webster (pwebster) wrote :

I changed my /etc/hosts to the following but it still won't leave the domain (that it really never finished joining)

127.0.0.1 localhost.localdomain localhost
127.0.1.1 pweb-lap
10.1.67.51 SERVER-DC1.mydomain.domain SERVER-DC1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

There is a second DC server but it isn't referenced when I run
lw-get-dc-name mydomain.domain

I get:
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 23
dwFlags = 13309
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = SERVER-DC1.mydomain.domain
pszDomainControllerAddress = 10.1.67.51
pucDomainGUID(hex) = D2 32 2B 75 EA 46 E0 41 A2 9B 0D 39 E3 06 BA 92
pszNetBIOSDomainName = MYDOMAIN
pszFullyQualifiedDomainName = mydomain.domain
pszDnsForestName = mydomain.domain
pszDCSiteName = Default-First-Site-Name
pszClientSiteName = Default-First-Site-Name
pszNetBIOSHostName = SERVER-DC1
pszUserName = <EMPTY>

Do you see anything fishy here? It looks good to me.

The error I get when trying to leave or join is:
Lsass Error
1225 (0x4C9) ERROR_CONNECTION_REFUSED - Unkown error

Details:
Error code: CENTERROR_DOMAINJOIN_LSASS_ERROR (0x00080047)
Backtrace:
main.c:368
djmodule.c:323
djauthinfo.c:925
djauthinfo.c:1238

One more clue. My likewise-open-gui currently shows that I am joined even though I got this error. It gives me the error again if I try to unjoin. If I try to log in with my domain credentials it gives me the following:
MYDOMAIN\username -> correct password (No User Account)
MYDOMAIN\username -> wrong password (Authentication Error)

This is really peculiar. I can tell it is talking to someone out there and getting something back.

Any help would be really appreciated.

Paul Webster (pwebster) wrote :

After wrestling with this for a while I did the following, per Gerald's suggestion here or in another thread:
sudo apt-get remove likewise-open
sudo dpkg --purge likewise-open
rebooted
sudo apt-get install likewise-open

I don't know whether it matters or not but I did use the domainjoin-cli instead of the gui this time. It worked. I got joined. I don't think it was the gui. I think there was an underlying setting that didn't get updated in likewise-open until I completely removed it and started over.

I can authenticate now on my domain BUT I cannot get into GDM. It gives me an error with two things, maybe related to ownership.
"Could not update ICEauthority file /home/likewise-open/MYDOMAIN/username/.ICEauthority"
also
"Problem configuring server (/usr/lib/libgconf2-4/gconf-sanity-check-2 exited with status 256)"

Based on googling I think it is an ownership issue for these files. I have tried changing ownership. None of the posts I have seen are dealing with domain users, so that extra level of the domain in the username makes it a bit more complicated.

Any brilliant ideas?

Tim Rush (rusht) wrote :

I got past this by editing the HOSTS file and adding my servers.
Also verify your resolv.conf points to the correct DNS. The default may not be correct for your system.

Carlos Barbet (cabz-list) wrote :

I'm just another person confirming that modifying the /etc/hosts with the IP address and name of the DCs seems to be correcting this.

Is it because our PTR records are misconfigured (saying Windows is providing name resolution)? Just checked; nope. Curious, but fixed. Thanks.

Ryan Tam (ryanch-tam) wrote :

After I removed and reinstalled it again, it works!! Thank you very much Paul!!
