mtu

Domain join and ‘Sasl protocol violation’

Recently I had an issue with EMC VNX. I have a cifs_server on Data Mover and when I tried to add the NetBIOS Name to the Domain I was facing the issue:

Brief Description:  DomainJoin::connect:: Unable to connect to the LDAP service on Domain Controller ‘domain_controller.mydomain.net’ (@IP) for compname ‘compname’. Result code is ‘Sasl protocol violation’. Error message is Sasl protocol violation.
Full Description:  DomainJoin::connect:: Unable to connect to the LDAP service on Domain Controller ‘domain_controller.mydomain.nett’ (@IP) for compname ‘compname’. Result code is ‘Sasl protocol violation’. Error message is Sasl protocol violation.
Recommended Action:  Refer to your Customer Service Knowledgebase. Contact your Customer Service.
Message ID:  13157007706 

That was a message shown in EMC Unisphere. My first idea was: go to CLI i try from command line

[nasadmin@VNX ~]$ server_cifs vdm-name -Join compname=vnxname,domain=mydomain.net,admin=useradmin
vdm-name : Enter Password:************

Error 13157007706: vdm-name : DomainJoin::connect:: Unable to connect to the LDAP service on Domain Controller ‘dc.mydomain.net’ (@IP) for compname ‘vnxname’.
Result code is ‘Sasl protocol violation’. Error message is Sasl protocol violation.

OK, let’s try the logs:

[nasadmin@VNX ~]$ server_log vdm-name
2013-11-07 19:26:35: KERBEROS: 4:[vdm-name] WARNING: no response from KDC ip1
2013-11-07 19:26:40: KERBEROS: 4:[vdm-name] WARNING: no response from KDC ip1
2013-11-07 19:26:45: KERBEROS: 4:[vdm-name] WARNING: no response from KDC ip3
2013-11-07 19:26:50: KERBEROS: 4:[vdm-name] WARNING: no response from KDC ip4
2013-11-07 19:26:55: KERBEROS: 4:[vdm-name] WARNING: no response from KDC ip5
2013-11-07 19:26:55: LDAP: 3:[vdm-name] LDAP authentication: GSS initate security context for target: ldap/dc.mydomain.net@mydomain.net – principal: useradmin@mydomain.net failed                    – GSS-API major error: Miscellaneous failure
2013-11-07 19:26:55: LDAP: 3:[vdm-name] LDAP authentication: GSS initate security context for target: ldap/dc.mydomain.net@mydomain.net – principal: useradmin@mydomain.net failed                    – GSS-API minor error: Cannot contact any KDC for requested realm
2013-11-07 19:26:55: LDAP: 3:[vdm-name] LdapClient::connect: error message: Sasl protocol violation, (error code 99)
2013-11-07 19:26:55: SMB: 3:[vdm-name] DomainJoin::connect:: Unable to connect to the LDAP service on Domain Controller ‘dc.mydomain.net’ (@ip1) for compname ‘vnxname’. Result code is ‘Sasl protocol violation’. Error message is Sasl protocol violation.
2013-11-07 19:26:55: SMB: 3:[vdm-name] DomainJoin compname=vnxname domain=mydomain.net DC=dc.mydomain.net IP=ip1 failed
2013-11-07 19:26:55: ADMIN: 3:[vdm-name] Command failed:  :2 domjoin compname=vnxname domain=mydomain.net admin=useradmin password=************************ init

No idea. I tried google it, I checked the timezones, all domain controllers were pingable from the data_mover.. And what was the issue?

The issue was the MTU of the network interface. For some reason MTU=1500 caused the issue, and when I changed it to MTU=900 I was again able to add and/or delete the cifs_server from the domain.