
Unable to join to AD - no errors in AD server - please help

jonathonz
Aspirant

Hello Everyone,

I'm unable to join our ReadyNAS NV= 4.17 firmware device to our 2003 AD domain.

The NAS returns the unable to join a domain message, which is rather generic.

I've verified NTP and DNS works and specified them explicitly.
I've tried precreating computer accounts matching the host name, which didn't work.
I've verified the hostname matches the domain name in format: ex: MY-NAS.MYDOMAIN.CA
I've looked at the logs in the domain controller, and the only messages related to its join attempt are successful anonymous logons from the IP of the NAS, though this wasn't always the case. At first it gave this message: "0x19 - KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required". I solved this problem by following the instructions at the end of this post (see APPENDIX A).

But for now I'm still stuck. Any tips?

I'm posting logs to help.

Thank you.


winbind.log
[2011/07/20 17:03:15, 1] nsswitch/winbindd.c:main(1019)
winbindd version 3.0.37 started.
Copyright Andrew Tridgell and the Samba Team 1992-2009
[2011/07/20 17:03:16, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2229)
initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2011/07/20 17:03:16, 0] nsswitch/winbindd_util.c:init_domain_list(506)
Could not fetch our SID - did we join?
[2011/07/20 17:03:16, 0] nsswitch/winbindd.c:main(1120)
unable to initalize domain list

domain_join.log
[2011/07/20 17:03:09, 2] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2011/07/20 17:03:12, 2] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/frontview/samba/smb.conf.UNKNOWN"
[2011/07/20 17:03:12, 2] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/frontview/samba/Shares.conf"
[2011/07/20 17:03:12, 2] param/loadparm.c:handle_include(3244)
Can't find include file /etc/frontview/samba/Shares.conf.
[2011/07/20 17:03:12, 2] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/frontview/samba/addons/addons.conf"
[2011/07/20 17:03:12, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.106.3 bcast=192.168.106.255 nmask=255.255.255.0
[2011/07/20 17:03:15, 0] libsmb/cliconnect.c:cli_session_setup_spnego(879)
Kinit failed: KDC reply did not match expectations
[2011/07/20 17:03:15, 1] libsmb/cliconnect.c:cli_full_connection(1680)
failed session setup with NT_STATUS_UNSUCCESSFUL
[2011/07/20 17:03:15, 1] utils/net.c:connect_to_ipc_krb5(299)
Cannot connect to server using kerberos. Error was NT_STATUS_UNSUCCESSFUL
[2011/07/20 17:03:15, 1] utils/net_ads.c:net_ads_join(1548)
call of net_join_domain failed: Undetermined error
[2011/07/20 17:03:15, 2] utils/net.c:main(1079)
return code = -1
Failed to join domain: Undetermined error


Windows event logs:
Successful Network Logon:
User Name: backupadmin
Domain: MYDOMAIN.CA
Logon ID: (0x0,0x14AA6874)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {105e92d3-d5e8-4af4-2c45-1bf26ffc9d6f}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.106.3
Source Port: 3107

APPENDIX A:
The error event 675 with 0X19 error code indicates:

0x19 - KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required

In domain environment, Kerberos is the default authentication protocol. In
Kerberos Authentication protocol implemented in Windows, Pre-authentication
is required by default. However, sometimes, clients may not include the
pre-authentication data in first communication with KDC (the AS_REQ). As a
result, KDC returns an error to inform client that Pre-Authentication
is required, and then an event ID 675 with the error 0x19 is recorded on
KDC.


Meanwhile, please set the flag "Do not require pre-authentication" for the
problematic account EXC$, to configure the system to not require
pre-authentication. For user accounts, we can enable this flag in User
Properties. For computer account, we should modify the attribute
UserAccountControl via the following steps:

1. On the domain controller, click Start, click Run, type in "adsiedit.msc"
(without the quotation marks) and press ENTER to launch ADSI Edit tool.
This tool is included with the Windows 2003 Support Tools. To install the
Support Tools, run Suptools.msi from the Support\Tools folder on the
Windows 2003 Server CD-ROM.
2. Locate the computer accounts DOMAIN\EXC$ under the Domain partition.
3. Right-click on "DOMAIN\EXC$", click Properties.
4. Then locate the attribute "UserAccountControl" in the Attributes list.
Click Edit.
5. Modify the value to original value plus 4194304. For example, if the
original value is 512, the new value should be 512+4194304=4194816
6. Click OK, click Apply, and click OK.
7. Quit ADSI Edit. Then you can check if the event 675 stops for these
accounts.
Message 1 of 3
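Added example, not part of the original post: the 4194304 added in Appendix A is the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl, and an account left with it set answers Kerberos AS requests without proof of the password, so the change is worth auditing and reverting once troubleshooting is done. The sketch below decodes the attribute and lists accounts that still carry the bit, together with the value to restore; the LDIF export, the DC01$ entry and the function names are constructed for illustration.

```python
# Added example: decode userAccountControl and find accounts with pre-auth disabled.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",             # 512, the value used in Appendix A
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",  # ordinary computer account
    0x00002000: "SERVER_TRUST_ACCOUNT",       # domain controller
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00400000: "DONT_REQ_PREAUTH",           # 4194304, the value added in Appendix A
}
DONT_REQ_PREAUTH = 0x00400000

# Constructed LDIF-style export (sample data, not taken from the thread's domain).
SAMPLE_LDIF = """\
dn: CN=MY-NAS,CN=Computers,DC=mydomain,DC=ca
sAMAccountName: MY-NAS$
userAccountControl: 4198400

dn: CN=backupadmin,CN=Users,DC=mydomain,DC=ca
sAMAccountName: backupadmin
userAccountControl: 4194816

dn: CN=DC01,OU=Domain Controllers,DC=mydomain,DC=ca
sAMAccountName: DC01$
userAccountControl: 532480
"""

def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits this table does not name
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names

def audit_preauth(ldif_text):
    """Return (account, current value, value with pre-auth required again)."""
    findings = []
    for block in ldif_text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        uac = int(attrs["userAccountControl"])
        if uac & DONT_REQ_PREAUTH:
            findings.append((attrs["sAMAccountName"], uac, uac & ~DONT_REQ_PREAUTH))
    return findings

if __name__ == "__main__":
    for name, current, restored in audit_preauth(SAMPLE_LDIF):
        print(f"{name}: {current} {decode_uac(current)} -> restore to {restored}")
```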
btaroli
Prodigy

Re: Unable to join to AD - no errors in AD server - please h

Silly question... did you try joining the domain using login with domain admin privilege? I can tell you from past Samba headaches that there are times where getting the damn thing in just requires admin.
Message 2 of 3
jonathonz
Aspirant

Re: Unable to join to AD - no errors in AD server - please h

I tried both the domain admin account and a copy of it renamed as backupadmin. I tried in both domain\account and account@domain forms.
Message 3 of 3