Can't join S300v to domain

keithsauer507
Level 5

We noticed that our hostname for this new S300v was ironport.example.com (shown in the web GUI upper right, or in the SSH session at the prompt). So we used the sethostname command to set it to wsa.domain.com (where domain is our company name).

People were getting authentication prompts now, but we instructed them to use their Windows sign-in credentials and that worked.

So I thought about trying to test the domain. It failed, so I went to rejoin the domain and I got this:

Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials. The workgroup in /tmp/smbMBzVcw.conf does not match the short domain name obtained from the server.

You should set "workgroup = DOMAIN" in /tmp/smbMBzVcw.conf.

How can I edit /tmp/smbMBzVcw.conf? I am SSHed in and I tried vi and it's not a recognized command. I also tried more to see if I could view it and that does not work either. Why are they telling me to modify an operating system file that I do not have access to?

Help is very much appreciated!

2 Replies

Are you using 1 interface for management and proxying (M1), or 2, one for management (M1) and one for proxying (P1)?

Set the hostname to whatever is appropriate to your internal AD DNS name.

E.g. if you use company.local, set it to wsa.company.local.

Create a DNS entry for that name with the IP on M1.

Go to Network/Authentication, at the bottom click on Edit Global Settings and set the “Redirect hostname” based on whether you’re using 1 interface or 2.

    • If you use one interface for both management and proxy, then set it to “wsa” (without the domain name)
    • If you use the M1 interface for management and P1 for proxying, set it to something like “wsaproxy” and create a DNS entry for wsaproxy.company.local with the IP that you put on P1

Make sure time on the WSA matches time on AD.

NOW join it to the domain.
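The checks above (hostname's DNS domain matching the AD domain, a DNS entry on M1, a resolvable redirect hostname, and clock agreement with AD) can be encoded as a pre-join checklist. This is an added example, not Cisco's code and not from this thread; the names, IPs, DNS table and the 300-second Kerberos skew tolerance are assumptions, and the DNS table stands in for a real lookup.

```python
"""Pre-flight checks before joining a WSA to Active Directory (added example)."""
from dataclasses import dataclass

MAX_CLOCK_SKEW_SECONDS = 300  # Kerberos default clock-skew tolerance (assumed here)


@dataclass
class JoinContext:
    hostname: str            # FQDN set with sethostname, e.g. wsa.company.local
    ad_domain: str           # AD DNS domain, e.g. company.local
    redirect_hostname: str   # Network > Authentication > Redirect hostname
    dns_a_records: dict      # constructed name -> IP table standing in for DNS
    m1_ip: str               # IP on the management interface
    clock_skew_seconds: float  # WSA time minus DC time


def expected_workgroup(ad_domain: str) -> str:
    """Short domain name the join expects as 'workgroup': first label, upper-cased."""
    return ad_domain.split(".")[0].upper()


def prejoin_findings(ctx: JoinContext) -> list:
    """Return the problems found; an empty list means the join can proceed."""
    findings = []
    # 1. The hostname's DNS domain must match the AD domain.
    host_domain = ctx.hostname.partition(".")[2].lower()
    if host_domain != ctx.ad_domain.lower():
        findings.append(f"hostname domain '{host_domain}' != AD domain '{ctx.ad_domain}'")
    # 2. The hostname needs an A record pointing at M1.
    if ctx.dns_a_records.get(ctx.hostname.lower()) != ctx.m1_ip:
        findings.append(f"no A record for {ctx.hostname} pointing at M1 ({ctx.m1_ip})")
    # 3. The redirect hostname (short or FQDN) must resolve.
    redirect_fqdn = ctx.redirect_hostname.lower()
    if "." not in redirect_fqdn:
        redirect_fqdn = f"{redirect_fqdn}.{ctx.ad_domain.lower()}"
    if redirect_fqdn not in ctx.dns_a_records:
        findings.append(f"redirect hostname {redirect_fqdn} has no DNS entry")
    # 4. Time must agree with AD within Kerberos tolerance.
    if abs(ctx.clock_skew_seconds) > MAX_CLOCK_SKEW_SECONDS:
        findings.append(f"clock skew {ctx.clock_skew_seconds}s exceeds {MAX_CLOCK_SKEW_SECONDS}s")
    return findings


if __name__ == "__main__":
    # Constructed single-interface setup matching the reply above.
    ctx = JoinContext("wsa.company.local", "company.local", "wsa",
                      {"wsa.company.local": "10.0.0.5"}, "10.0.0.5", 12)
    print(expected_workgroup(ctx.ad_domain), prejoin_findings(ctx))
```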

I was just on with Cisco TAC for 2 hours and 27 minutes.

It just will not join the domain if the hostname is wsa.domain.com. We had to run the sethostname command and change it back to ironport.example.com. It joins the domain fine then. Then we had loads of trouble with the proxy service transparently identifying users. After 4 restarts it was still not working. He added in the access logs a field to determine if SSO TUI (transparent user identification) was being used, along with a human-readable timestamp. When this was completed it asked for a proxy restart and that was completed. Now for some reason people are authenticating properly.

Oh, to alter emails coming from ironport.example.com, we found where to set the alert emails from address (which is a command line only option), and the report emails from address (which can be done in the GUI). So the weekly support config file names are still ironport.example.com, but at least the email comes from wsa.domain.com now.

All in all it's a band-aid. The hostname is truly ironport.example.com, although everywhere in its GUI and in DNS, it's wsa. The only way for it to join AD is if it joins as AD computer account ironport$, which is seen in the XML config in the <prox_config_auth_realm_ad_username> property. This is strange because on our S170 this property is webfilter$ and in Active Directory under Computers the computer account WEBFILTER exists (as well as IRONPORT now).

So what I'm seeing is, if we set the hostname to wsa.domain.com and try to join the domain, it does create the AD account, sets the computer account password, modifies it, but then it deletes the account (we have AD logging email us ANY change to AD).

To summarize, we're back up and running; the hostname is ironport.example.com, but everything appears to be working.

To answer your question, it's just one interface that sits at 10.1.0.71, and our ASA firewall pair uses WCCP and it's run as a transparent proxy.