VMware Modern Apps Community
6C756B61
Contributor

Photon OS joining domain - Error: LW_ERROR_UNKNOWN [code 0x00009cfc]

Hello all, 

I'm having problems with joining Photon OS (only a Photon OS appliance, not a vCenter) to an AD domain.

The machine is running Photon OS 4.0 with all updates installed. The likewise-open and lightwave-client packages are installed.

NAME="VMware Photon OS"
VERSION="4.0"
ID=photon
VERSION_ID=4.0
PRETTY_NAME="VMware Photon OS/Linux"
ANSI_COLOR="1;34"
HOME_URL="https://vmware.github.io/photon/"
BUG_REPORT_URL="https://github.com/vmware/photon/issues"

I tried multiple work instructions, always ending with the same result:

root@pht-01 [ ~ ]# /opt/likewise/bin/domainjoin-cli setname PHT-01 && /opt/likewise/bin/domainjoin-cli join --enable hostname DOMENA.LOCAL luka
Joining to AD Domain: DOMENA.LOCAL
With Computer DNS Name: pht-01.DOMENA.LOCAL

luka@DOMENA.LOCAL's password:

Error: LW_ERROR_UNKNOWN [code 0x00009cfc]


I've tried increasing the logging level, and there is no error at all. The tail of the log is the following:

20220329124045:INFO:Writing krb5 file /tmp/likewisetmpTA1Y6E/etc/krb5.conf
20220329124045:INFO:File /tmp/likewisetmpTA1Y6E/etc/krb5.conf modified
20220329124045:INFO:Finishing krb5.conf configuration
20220329124046:ERROR:LW_ERROR_UNKNOWN [LW_ERROR_UNKNOWN]

No luck with joindomain.sh either.

Just to summarize all the steps, settings:

  • The account I'm using (tried couple of different accounts) is a domain admin
  • Password is correct (when I put the wrong one - I get the "wrong password" error message, so the authentication works fine)
  • DNS works correctly - nslookup domena.local gives correct results. The same with checking ldap records etc.
  • During the testing I turned off iptables
  • Routes are set correctly; it is the same setup as on Red Hat on the same network. I see on the FW (the next hop) that the traffic is going through the correct interface and is not blocked
  • NTP is working fine
  • I've tried to create the computer account in the domain, I've tried to join the domain without the computer account.... no difference
  • I've tried to create the DNS record in advance - no difference...
  • I've tried to manually populate /etc/krb5.conf before running domainjoin-cli - no difference
  • I've tried different setups of /etc/hosts (pointing the hostname and FQDN to 127.0.0.1 or to the NIC IP, keeping it clear...) - no difference

Any suggestion is very much appreciated.


Thank you

Luka

6 Replies
DCasota
Expert

Try this

modify /etc/hosts with your network setup
192.168.0.99 dc.domain.local domain
192.168.0.118 photon.domain.local photon
127.0.0.1 localhost

modify /etc/resolv.conf with your network setup. The example assumes an installed DNS server on your MS domain controller.
domain domain.local
search domain.local
nameserver 192.168.0.99

add the domain controller FQDN as default_realm in /etc/likewise/likewise-krb5-ad.conf
[libdefaults]
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
dns_lookup_kdc = true
default_realm = dc.domain.local


check if ldapsearch works:
ldapsearch -x -LLL -H ldap://192.168.0.99 -b "dc=domain,dc=local" -D "cn=administrator,cn=users,dc=domain,dc=local" -w "<password>"

Afterwards this should work, too.
/opt/likewise/bin/domainjoin-cli join --assumeDefaultDomain --userDomainPrefix domain dc.domain.local administrator

Setup environment:
- MS Windows Server 2016 with domain controller and DNS server role
- Photon OS 4.0 rev2 aarch64 on rpi4
  tdnf update -y
  tdnf install likewise-open -y

Hope this helps.
-Daniel

6C756B61
Contributor

Hi Daniel, 

I tried updating the hosts, resolv.conf and likewise-krb5-ad.conf files like you suggested, but I'm still getting the same error:

Error: LW_ERROR_UNKNOWN [code 0x00009cfc]

I tried to replicate the same problem in my lab (a simple setup with one AD and one Photon OS VM), and everything works fine there.

I would like to blame the AD infrastructure, but I'm completely blind and have no idea where to start, with the error not saying anything:

Error: LW_ERROR_UNKNOWN [code 0x00009cfc]

and in the log: 20220405152637:ERROR:LW_ERROR_UNKNOWN [LW_ERROR_UNKNOWN]

So far I've tested everything I could imagine, and everything works fine:

  • DNS resolution
  • NTP settings
  • all ports needed to communicate with domain are open
  • all routing is correct
  • credentials used

Thank you for your help

Luka

DCasota
Expert

Hi Luka,

The recipe with configuring default_realm in /etc/likewise/likewise-krb5-ad.conf and using --assumeDefaultDomain is a workaround, as domainjoin-cli join on a specific OU doesn't seem to work. Hence, yes, it works in a lab setup.
So far I haven't found a working set of options when specifying an OU.
Afaik, the likewise open source package in Photon OS is similar to github.com/BeyondTrust/pbis-open, and that source doesn't receive further updates. The Photon OS source is here.
The vendor there www.beyondtrust.com/docs/release-notes/ad-bridge/index.htm describes enhancements in their product, and from a release notes perspective there were some domainjoin-cli bugfixes, too.

Nevertheless gathering more information in your use case might help.

Getting the domain controller(s) information should work:
/opt/likewise/bin/lw-get-dc-list <fqdn>

NTP comparison of domain time and local time should be fine:
/opt/likewise/bin/lw-get-dc-time <fqdn> && timedatectl

The ldapsearch from above should work.

Display all supported SASL options. A user account with join-domain privileges should be sufficient:
ldapsearch -x -LLL supportedSASLMechanisms -H ldap://<ip/dns domain controller> -s base -D "cn=joindomuser,cn=users,dc=domain,dc=local" -w <password>

Gather information from the domainjoin-cli log:
/opt/likewise/bin/domainjoin-cli --loglevel verbose --logfile /var/log/domain.log join --assumeDefaultDomain --userDomainPrefix <domainshort> <fqdn domain> <username>

Parse kernel messages, e.g.
dmesg |grep lsassd

Imho it has nothing to do with SMB. Nevertheless you could check the settings
  /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1
  /opt/likewise/bin/lwsm restart lwio

and on the domain controller (SMB1=false, SMB2=true):
  Get-SmbServerConfiguration | Select EnableSMB1Protocol
  Get-SmbServerConfiguration | Select EnableSMB2Protocol

Some additional and helpful findings would be nice.
edited:
With a predefined default_realm, specifying an OU in /opt/likewise/bin/domainjoin-cli setname photon && /opt/likewise/bin/domainjoin-cli join --enable hostname --ou "CN=Computers,DC=domain,DC=local" domain.local joindom@domain.local seems to work, though, also for non-built-in OUs.
btw. do you use one AD or two (MS AD + Lightwave server)?

Regards,
Daniel


6C756B61
Contributor

Thanks a lot, Daniel, for your help - I knew that I should not blame Photon OS 😉

With your hint I was able to find a mismatch between the DC list that the domain controllers have and the list of DCs propagated to DNS.

With a fully populated /etc/hosts file with correct records I was able to join the VM to the domain.
Now it's time to fix the AD, but that's not something for me or for this forum.


Once again - thank you very much for your help! You saved me with your ideas.
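The root cause in this thread was a mismatch between the DCs the directory hands out and the DCs advertised in DNS, and the workaround was to pin every DC in /etc/hosts. The following script is an added example (written for this page; it is not code from the thread, from Photon OS or from the Likewise/PBIS project) that makes that cross-check repeatable: it normalizes the DNS view (SRV output) and the directory view (a DC name list) to comparable FQDN sets, reports names present in only one side, and emits the /etc/hosts lines that pin the DCs. Assumptions: the DNS view comes from `dig +short SRV _ldap._tcp.dc._msdcs.<domain>` in its usual "priority weight port target." format, and the directory view (for instance the output of `/opt/likewise/bin/lw-get-dc-list <domain>` mentioned by Daniel) has been normalized to one DC name per line, which is an assumption about that tool's output. The sample data at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: cross-check DNS-advertised DCs against the directory's DC list,
# then print /etc/hosts lines to pin the DCs as a workaround until DNS is fixed.
#
# Real inputs (assumed formats, not verified against this thread):
#   dig +short SRV _ldap._tcp.dc._msdcs.domena.local   -> "prio weight port target."
#   /opt/likewise/bin/lw-get-dc-list domena.local       -> assumed one DC name per line
# The sample data below is constructed for a stand-alone run.

# Turn `dig +short SRV` output into sorted, unique, lowercase FQDNs without the trailing dot.
srv_targets() {
    awk 'NF >= 4 { t = tolower($4); sub(/\.$/, "", t); print t }' | sort -u
}

# Normalize any plain name list (first field per line, any case, optional trailing dot) the same way.
dc_names() {
    awk 'NF > 0 { t = tolower($1); sub(/\.$/, "", t); print t }' | sort -u
}

# Compare both views. Prints one line per discrepancy and returns 1 if any was found.
#   $1 = raw SRV output (DNS view), $2 = raw DC name list (directory view)
dc_mismatch() {
    dns_tmp=$(mktemp); dir_tmp=$(mktemp)
    printf '%s\n' "$1" | srv_targets > "$dns_tmp"
    printf '%s\n' "$2" | dc_names    > "$dir_tmp"
    rc=0
    # DCs the directory knows but DNS never advertises: a client referred to one
    # of these (e.g. during Kerberos/LDAP referral) cannot resolve it.
    for h in $(comm -13 "$dns_tmp" "$dir_tmp"); do
        echo "MISSING_IN_DNS $h"; rc=1
    done
    # Stale SRV records pointing at DCs the directory no longer lists.
    for h in $(comm -23 "$dns_tmp" "$dir_tmp"); do
        echo "STALE_IN_DNS $h"; rc=1
    done
    rm -f "$dns_tmp" "$dir_tmp"
    return $rc
}

# Build /etc/hosts lines ("ip fqdn shortname") from "fqdn ip" pairs, one pair per line.
hosts_lines() {
    awk 'NF == 2 { split($1, p, "."); printf "%s %s %s\n", $2, $1, p[1] }'
}

# --- constructed sample data: two DCs advertised in DNS, three known to the directory ---
SRV_SAMPLE='0 100 389 dc1.domena.local.
0 100 389 dc2.domena.local.'
DIRECTORY_SAMPLE='DC1.domena.local
dc2.domena.local
dc3.domena.local'

if dc_mismatch "$SRV_SAMPLE" "$DIRECTORY_SAMPLE"; then
    echo "DNS and directory agree"
else
    echo "fix DNS, or pin the DCs in /etc/hosts as a workaround:"
    # IPs are constructed documentation addresses (RFC 5737).
    printf '%s\n' "dc1.domena.local 192.0.2.10" \
                  "dc2.domena.local 192.0.2.11" \
                  "dc3.domena.local 192.0.2.12" | hosts_lines
fi
```

With the constructed data the script reports `MISSING_IN_DNS dc3.domena.local` and prints three hosts-file lines. Pinning DCs in /etc/hosts, as Luka did, only masks the inconsistency: a DC that is later replaced keeps its stale pin on the client, so the durable fix is to repair the SRV and A records on the AD-integrated DNS so that both views agree and the script returns 0.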

anilspp
Enthusiast

Thanks for sharing.

BigMike23
Enthusiast

Thanks for sharing