VMware Cloud Community
roelvs
Enthusiast

vcenter appliance - AD authentication

Today I was playing around with the new vCenter5 appliance. While setting up AD authentication, I had to include 'administrator' information. I tried using my own AD credentials with quite some AD permissions, but I'm not a domain admin. (standard security policy)

After trying to save this authentication information, I receive the following error:

Error: Active Directory  global catalog is not accessible
What are the permissions needed for this setup? Why would vcenter require 'administrator' rights?
Thx!
26 Replies
nbarsotti
Contributor

I can't get my vCSA to connect to Active Directory at all. I have tried both domain administrator credentials as well as personal credentials. I keep getting the message "Error: Enabling Active Directory failed." Any ideas?

KKuz
Contributor

Hi,

I had the same error even with Domain Admin rights.

RGrds,

jarek

marcinzaborowsk
Contributor

I have the same issue. I'm also unable to join ESXi to the domain; I suspect it may be a domain issue related to some specific rights or configuration.

I'm now digging through the ESX logs; if I find something I'll post an update.

aladd
Enthusiast

This is kind of weird but I had the same problem.

My domain is a child domain off of a forest root.  When I changed the domain to the root and used my regular unprivileged user AD configured successfully.

After I restarted Virtual center I was able to add users and groups from the root or child domain to VCenter.

The downside is that in my case this is not the desired behavior.  I should be able to add the server to the child domain as I have all my other VCenter servers.  That could especially be a problem for multi-domain implementations or an empty root deployment.

AL

RParker
Immortal

Command line. Log in to vCenter with SSH:

domainjoin-cli join (domain) user (with permissions to join domain)

domainjoin-cli join vmware.com adadmin

I could get it to work via the command line; it worked perfectly! Try it.

Changed spelling: domainjoin_cli isn't correct. Message was edited by: RParker

nbarsotti
Contributor

When I try that command from within an SSH session I get this error:

Error: Lsass Error [code 0x00080047]
0x9D5E - Unknown error
I am using the same username and password that I use to join other Windows computers to my domain.
cutch69
Contributor

I get "command not found". How are you running this?

aladd
Enthusiast

There's a typo in the command; it's domainjoin-cli.

I just ran it and it worked perfectly.

RParker
Immortal

Illiterate poster can't spell...

It should be domainjoin-cli. Were you able to get it to work?

nbarsotti
Contributor

I was able to correct the typo on my own, but I still get the odd error.  I think I should probably open a case with VMware about this one.

aladd
Enthusiast

Just for grins, double check your DNS settings.  It might not be able to find the Domain Controller.

cutch69
Contributor

Well, I was able to get my vCenter to join the domain, along with my vMA; this is what I used. But with my ESXi host it's still a no-go; see my other post. I think it's a bug in 5.

nbarsotti
Contributor

Just for everyone's benefit: I got my problem solved. With the help of VMware support we made two changes and got it fixed. I am running IPv6 on our LAN. First, there was no IPv6 DNS entry for the vCSA, so we set a static IPv6 address and added a DNS entry; we also added entries for my DNS/AD servers in the HOSTS file on the vCSA. It's hard to say which was the fix, since we did both at the same time.

ychsiao
Contributor

I have the same issue.

My AD is Windows 2008 R2.

Pitterling
Contributor

Win2008 R2 AD

I get this error:

Error: Lsass Error [code 0x00080047]

0x3B - Unknown error

Which log file could I check?

thx, P.

Added:

Verbose logging reports this:

20111130134202:INFO:File /tmp/centeristmpUH00UC/etc/krb5.conf modified
20111130134202:INFO:Finishing krb5.conf configuration

Error: Lsass Error [code 0x00080047]

0x3B - Unknown error
20111130134244:ERROR:Lsass Error [CENTERROR_DOMAINJOIN_LSASS_ERROR]

0x3B - Unknown error

Stack Trace:
main.c:921
main.c:465
djmodule.c:323
djauthinfo.c:872
djauthinfo.c:1218

krb5.conf is gone when the program finishes.

Pitterling
Contributor

Hi, I just figured out that the AD service does not support SSL/TLS. Is there a way to run without SSL/TLS?

thx, Peter

cubette
Contributor

From my experience: look in your AD to see whether there is a computer registered with this name already. Delete it first. Then try

using /opt/likewise/bin/domainjoin-cli --loglevel verbose --log . join <domain> <account> <password>

If necessary take a look at

http://www.virtuallyghetto.com/2010/06/how-to-configure-likewise-open-ad.html

Also check your connectivity to AD. The domainjoin script has a parameter --firewall which can help you by checking connectivity to the AD.

good luck others...

Radomil

Jessy5765
Contributor

The cmd to join worked perfectly! Wonder what stops the web interface from working.

gt3ch3ba
Contributor

Let me describe this in detail. There seems to be a "well known behaviour" of the Linux appliance of vCenter 5.0 that's causing trouble.

Once there is a machine in the Active Directory that is out of time sync, it causes the authentication to fail completely for all vCenter 5 appliances.

This can cause problems at the time of joining the domain or after you've successfully joined the domain and you run for some time.

In both of these cases, if any of the Windows domain controllers detects a server with time skew, the integrated authentication of the vCenter stops working.

Symptom: your web interface tells you you've joined the domain, but you can't use it. Once you log in via SSH to the appliance you can use the command

/opt/likewise/bin/lw-get-status

If it tells you "local provider only", you are having issues with the domain. I can't speak for all reasons around the world, but here is my experience:

You have to go through your whole Active Directory. Make sure all your servers are synchronized. The easiest way is to run this command on your domain controller: w32tm /monitor. This should tell you if all servers are in sync.

Also make sure all servers in your trusted zones are synchronized. For this just use w32tm /monitor /domain xxxx.xxx

In some cases this might be a pain. It is not unusual to have 20 trusted domains, and in many cases you don't have privileges to check the time synchronization. Now what can you do?

Deactivate your domain membership in the linux vcenter appliance. Delete your server from windows active directory users and computers.

Login to the vcenter appliance via ssh and make yourself ready for doing the whole join procedure again.

Before you do that you need to start a sniffer in the background to log all activity. Run this command on the vCenter appliance:

tcpdump -s 1514 -i eth0 -w /tmp/join.cap not host <notebook>

Change the address <notebook> to whatever you are logged in from to the appliance.

Keep this program running until you finish the join procedure. Now try to join the Windows domain again. It will produce the same output and it won't work, the same way as before. Once the web server stops and tells you to restart, stop the sniffer tcpdump command with Ctrl-C.

The sniffer produced the file /tmp/join.cap. Now download this file to your PC and open it in Wireshark (free program).

Go through all packets and look for a packet containing the error message krb5krb_ap_err_skew.

Analyze the packets; the server sending this message most likely causes the trouble.

Synchronize this server and try again. You need to repeat this whole procedure until you get it done.

I asked VMware people to fix this. There are multiple ways they could do it: upgrade Likewise, use an option to ignore trusts, etc.

This has been ignored although it is well known.

regards, Radomil in Prague

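The time-sync check that the post above does from the domain-controller side with w32tm can also be done from the appliance side before (re)joining. The following is an added example, not code from this thread, from VMware or from Likewise: it queries each domain controller's clock over SNTP (UDP 123) and flags any whose offset from the local clock exceeds the Kerberos default tolerance of 300 seconds, which is the condition behind the krb5krb_ap_err_skew message. The DC host names are placeholders.

```python
# Added example (not part of the appliance or Likewise): measure the clock
# offset between this host and each domain controller over SNTP before joining.
# Kerberos rejects timestamps that differ from the server clock by more than the
# maximum skew (300 s by default); that is the krb5krb_ap_err_skew case above.
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
MAX_SKEW_SECONDS = 300         # Kerberos default maximum tolerated clock skew

def ntp_transmit_time(packet: bytes) -> float:
    """Return the Transmit Timestamp (bytes 40..47) as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32

def build_ntp_response(unix_time: float) -> bytes:
    """Construct a minimal NTP v4 server reply (used for the offline self-test)."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time % 1) * 2**32)
    # First byte: LI=0, VN=4, Mode=4 (server); other header fields left zero.
    return bytes([0x24]) + b"\x00" * 39 + struct.pack("!II", seconds, fraction)

def classify_skew(offset: float, tolerance: float = MAX_SKEW_SECONDS) -> str:
    """Label an offset (server time minus local time, in seconds)."""
    return "ok" if abs(offset) <= tolerance else "SKEW"

def query_dc_time(host: str, timeout: float = 2.0) -> float:
    """SNTP client request to host:123 (Windows Time service on a DC)."""
    request = bytes([0x23]) + b"\x00" * 47  # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        packet, _ = sock.recvfrom(512)
    return ntp_transmit_time(packet)

def report(hosts):
    """Print offset and verdict per DC; unreachable hosts are reported, not skipped."""
    for host in hosts:
        try:
            offset = query_dc_time(host) - time.time()
            print(f"{host}: {offset:+.1f}s {classify_skew(offset)}")
        except OSError as exc:
            print(f"{host}: unreachable ({exc})")

if __name__ == "__main__":
    report(["dc1.example.com", "dc2.example.com"])  # placeholder DC names
```

Run it on the appliance against every DC in the forest and in trusted domains; any host reported as SKEW is the one to fix before repeating the join.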