Created attachment 82638
When trying to join a domain on my Windows 2003 test DC, I'm getting the following error:
! Couldn't set encryption types on computer account: CN=FORNOST,CN=Computers,DC=bigon,DC=be: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece
! Couldn't set service principals on computer account CN=FORNOST,CN=Computers,DC=bigon,DC=be: 00002083: AtrErr: DSID-031510B7, #1:
0: 00002083: DSID-031510B7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
Interesting. Are you able to do a bit of debugging on this?
I'm interested in two things:
a) Does commenting out the AES encryption types in
adcli_enroll_get_keytab_enctypes() solve the first warning? Attaching patch
which does this. Could you try it out?
b) What servicePrincipalName attributes are set on the new computer account?
You should be able to use commands like this:
$ kinit Administrator@BIGON.DE
$ ldapsearch -Y GSSAPI -H ldap://bigon-e80ef7e8e.bigon.be/ \
-b CN=FORNOST,CN=Computers,DC=bigon,DC=be -s base
Created attachment 82677
Test disabling AES
Patch to try out
Created attachment 82702
Created attachment 82703
This is with the patch, looks the same
Do you know what the exact version of your DC is, and what the compatibility level of your domain is?
Is this a test domain? Am I able to temporarily authenticate against it in order to try to solve this problem?
It's a Windows Server 2003 SP2 Standard Edition.
Well, it's a VM running on my machine just for testing purposes.
Created attachment 82861
Don't try to set encryption types on Windows 2003 and earlier
Could you try out this patch?
Created attachment 83522
Log with patch
Please find here the output of adcli with the patch from comment #7.
The first warning about the encryption type is now gone.
But the second one about the "service principals" is still present (but I guess this was expected).
Attachment 82861 pushed as 2de8982 - Don't try to set encryption types on Windows 2003 and earlier
Are you still waiting for a confirmation that the issue with 2003 is gone, or can this ticket be closed?
Yup, I had originally thought to wait on confirmation, but do you think we should just go ahead and merge this? If so, would you have a chance to review?
It is already committed as 2de89825f40352ffdebd1e62ddcd4b74e89596e1 :-)
Nevertheless the patch looks good. I would have used bool as a return value for adcli_conn_server_has_capability() but I guess this is a personal preference :-)
The evaluation is in agreement with https://msdn.microsoft.com/en-us/library/cc223359.aspx and I guess it can be expected that LDAP_CAP_ACTIVE_DIRECTORY_V60_OID will be set in all upcoming Windows versions as well. So ACK to the patch.
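The capability check the patch relies on, as an added illustration that is not adcli's own code: parse the rootDSE as `ldapsearch -s base` prints it (LDIF, with folded and base64 values) and only decide to set encryption types when LDAP_CAP_ACTIVE_DIRECTORY_V60_OID is advertised. The OID value is taken from MS-ADTS; the two rootDSE excerpts are constructed samples, not captured from the reporter's DC.

```python
import base64
from typing import Dict, List

# OID for LDAP_CAP_ACTIVE_DIRECTORY_V60_OID as listed in MS-ADTS (Windows 2008+).
LDAP_CAP_ACTIVE_DIRECTORY_V60_OID = "1.2.840.113556.1.4.1935"

# Constructed sample: a 2003-era DC that advertises V51 but not V60.
ROOTDSE_2003 = """\
dn:
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
domainControllerFunctionality: 2
"""

# Constructed sample: a newer DC; one value is folded, one is base64-encoded,
# both of which ldapsearch output may contain.
ROOTDSE_2008 = """\
dn:
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.
 1935
dnsHostName:: ZGMxLmV4YW1wbGUudGVzdA==
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into a lowercase attribute -> values map."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def server_has_capability(rootdse: Dict[str, List[str]], oid: str) -> bool:
    return oid in rootdse.get("supportedcapabilities", [])


def should_set_enctypes(rootdse_text: str) -> bool:
    """Skip msDS-SupportedEncryptionTypes on DCs without the V60 capability."""
    entry = parse_ldif_entry(rootdse_text)
    return server_has_capability(entry, LDAP_CAP_ACTIVE_DIRECTORY_V60_OID)
```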
> It is already committed as 2de89825f40352ffdebd1e62ddcd4b74e89596e1 :-)
Oh good. Then let's close this.