[Samba] Trouble getting past net join ads...

Joel Therrien Joel_Therrien at uml.edu
Thu Jan 28 08:14:09 MST 2010


     I am in the process of getting samba working again with Active
Directory. Recently our IT department upgraded their windows server to 2008.

     I am following the approach described here: 
http://www.surlyjake.com/linux/samba/join-debian-lenny-to-active-directory-using-samba/

     I am able to get kerberos to issue a ticket, but where I am running 
into a wall is with the net join ads part... It appears to work in that
setting the correct dn and using the username given to me by Jim for 
binding to the windows server passes back a message that looks OK:

> nanoelecfs:/home/joel# net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX
> Enter XXXXX's password:
> Got 1 replies

But if I try to test this by issuing the net ads testjoin command, I am 
always asked this (highlighted in red):

> nanoelecfs:/home/joel# net ads testjoin
> Enter NANOELECFS$@FS.UML.EDU's password:
> [2010/01/25 22:36:17,  0] libads/kerberos.c:ads_kinit_password(356)
>   kerberos_kinit_password NANOELECFS$@FS.UML.EDU failed: 
> Preauthentication failed
> Join to domain is not valid: Logon failure

There is no such account, as kerberos is happy to indicate. This is odd
because I do not recall getting this before the upgrade to 2008. NANOELECFS
is the name of the linux box.

     Trying wbinfo -t gives the following:

> nanoelecfs:/home/joel# wbinfo -t
> checking the trust secret via RPC calls failed
> Could not check secret


I am running a Debian Lenny system with kernel version 2.6.26-2-amd64

I am running samba version 2:3.2.5

Thanks in advance!

Joel Therrien

My config files are below:

smb.conf
[global]
    workgroup = ad
    realm = FS.UML.EDU
    preferred master = no
    server string = %h server
    dns proxy = no

#### Debugging/Accounting ####

    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d

####### Authentication #######

    security = ADS
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    invalid users = root
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    guest account = nobody
    map to guest = bad user

########## Printing ##########

    load printers = no
    printing = bsd
    printcap name = /dev/null
    show add printer wizard = no
    disable spoolss = yes

############ Misc ############

   idmap backend = hash
   winbind nss info = hash
   winbind use default domain = yes
   winbind separator = +
   winbind enum groups = no
   winbind enum users = no
   winbind nested groups = yes
   template homedir = /ls/users/%U
   template shell = /bin/bash
   winbind refresh tickets = yes
#  kerberos method = system keytab
   winbind offline logon = yes
#  get quota command = /root/sambaquota.sh

krb5.conf

[libdefaults]
         default_realm = FS.UML.EDU

# The following krb5.conf variables are only for MIT Kerberos.
         krb4_config = /etc/krb.conf
         krb4_realms = /etc/krb.realms
         kdc_timesync = 1
         ccache_type = 4
         forwardable = true
         proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
         v4_instance_resolve = false
         v4_name_convert = {
                 host = {
                         rcmd = host
                         ftp = ftp
                 }
                 plain = {
                         something = something-else
                 }
         }
         fcc-mit-ticketflags = true

[realms]
         FS.UML.EDU = {
                 kdc = FSDC1.FS.UML.EDU
                 kdc = FSDC2.FS.UML.EDU
                 admin_server = FSDC1.FS.UML.EDU
         }
         STUDENT.UML.EDU = {
                 kdc = STDC1.STUDENT.UML.EDU
                 kdc = STDC2.STUDENT.UML.EDU
         }


[domain_realm]
         .umlfs01.fs.uml.edu = FS.UML.EDU
         umlfs01.fs.uml.edu = FS.UML.EDU

[login]
         krb4_convert = true
         krb4_get_tickets = false

-- 
Asst. Prof. Joel M. Therrien
Ph: 978-934-3324
Fax: 978-934-3027
Joel_Therrien at uml.edu
Dept. of Electrical&  Computer Engineering
U. Massachusetts-Lowell
1 University Ave
Lowell, MA 01854