Isilon: Failed to join domain: LW_ERROR_LDAP_INVALID_DN_SYNTAX

Two questions:

1) what was the exact "isi auth ads create" command you entered?

2) regarding:

OU is:

OU=Hadoop,OU=Groups,OU=ZD,DC=ads,DC=domain,DC=de

Is this is the verbatim output as part of the error message, or did you gather

it from elsewhere to provide some context?

Note that the error code is about the "DN syntax".

A DN (distingiushed name) would usually start with two "CN" (common names), e.g:

CN=Hadoop,CN=Groups,OU=...DC=...

And that would be still a group, not a user as required (Example from CLI Admin manual):

isi auth ads create --name=adserver.company.com --user=administrator --groupnet=groupnet3 

Cheers

-- Peter

Hi Peter,

i used the OneFS GUI and put the string 'OU=Hadoop,OU=Groups,OU=ZD,DC=ads,DC=domain,DC=de'into the "Organizational unit field"

regards
Timo

Timo, have you seen that Organizational Unit is optional -- does it work when you leave it out?

There is also a minor quirk: this field doesn't require LDAP syntax, but a plain style:

Unitname or Unitname/subunitname

Still not quite sure what you want to achieve with specifying the

Hadoop (account-)group as Organizational Unit  though.

-- Peter

You need to specify the string in a different format like "OU_Name/OU_Subname" (valid for Isilon GUI/CLI)

For exampe if your structure looks like

ou=hadoop,ou=groups,ou=zd,dc=ads,dc=domain,dc=de => "zd/groups/hadoop"

or for

ou=Computers,ou=EMC Celerra     =>     "emc celerra/computers"

I've seen this error before when isilon try to join new authentication provider and it was due to user account limited privileges, the user account should have a privilege to create OU in domain controller forest. likely using a DA account to join the DC will help.