[Samba] Trouble getting past net join ads...

Dale Schroeder dale at BriannasSaladDressing.com
Thu Jan 28 09:06:36 MST 2010


Joel,

When I've received this error, I've been able to resolve by telling it 
the name of the DC.
net ads join -S pdc -U admin_user

See if it works for you.

Dale


On 01/28/2010 9:14 AM, Joel Therrien wrote:
>     I am in the process of getting samba working again with Active 
> Directory. Recently our IT department
> upgraded their windows server to 2008.
>
>     I am following the approach described here: 
> http://www.surlyjake.com/linux/samba/join-debian-lenny-to-active-directory-using-samba/ 
>
>
>     I am able to get kerberos to issue a ticket, but where I am 
> running into a wall is with the net join ads part... It appears to 
> work in that
> setting the correct dn and using the username given to me by Jim for 
> binding to the windows server passes back a message that looks OK:
>
>> nanoelecfs:/home/joel# net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX
>> Enter XXXXX's password:
>> Got 1 replies
>
> But if I try to test this by issuing the net ads testjoin command, I 
> am always asked this (highlighted in red):
>
>> nanoelecfs:/home/joel# net ads testjoin
>> Enter NANOELECFS$@FS.UML.EDU's password:
>> [2010/01/25 22:36:17,  0] libads/kerberos.c:ads_kinit_password(356)
>>   kerberos_kinit_password NANOELECFS$@FS.UML.EDU failed: 
>> Preauthentication failed
>> Join to domain is not valid: Logon failure
>
> There is no such account, as kerberos is happy to indicate. This is 
> odd because I do not recall getting this
> before the upgrade to 2008. NANOELECFS is the name of the linux box.
>
>     Trying wbinfo -t gives the following:
>
>> nanoelecfs:/home/joel# wbinfo -t
>> checking the trust secret via RPC calls failed
>> Could not check secret
>
>
> I am running a Debian Lenny system with kernel version 2.6.26-2-amd64
>
> I am running samba version 2:3.2.5
>
> Thanks in advance!
>
> Joel Therrien
>
> My config files are below:
>
> smb.conf
> [global]
>    workgroup = ad
>    realm = FS.UML.EDU
>    preferred master = no
>    server string = %h server
>    dns proxy = no
>
> #### Debugging/Accounting ####
>
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>
> ####### Authentication #######
>
>    security = ADS
>    encrypt passwords = true
>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    invalid users = root
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = yes
>    guest account = nobody
>    map to guest = bad user
>
> ########## Printing ##########
>
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    show add printer wizard = no
>    disable spoolss = yes
>
> ############ Misc ############
>
>   idmap backend = hash
>   winbind nss info = hash
>   winbind use default domain = yes
>   winbind separator = +
>   winbind enum groups = no
>   winbind enum users = no
>   winbind nested groups = yes
>   template homedir = /ls/users/%U
>   template shell = /bin/bash
>   winbind refresh tickets = yes
> #  kerberos method = system keytab
>   winbind offline logon = yes
> #  get quota command = /root/sambaquota.sh
>
> krb5.conf
>
> [libdefaults]
>         default_realm = FS.UML.EDU
>
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented.  In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
>
> #       default_tgs_enctypes = des3-hmac-sha1
> #       default_tkt_enctypes = des3-hmac-sha1
> #       permitted_enctypes = des3-hmac-sha1
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true
>
> [realms]
>         FS.UML.EDU = {
>                 kdc = FSDC1.FS.UML.EDU
>                 kdc = FSDC2.FS.UML.EDU
>                 admin_server = FSDC1.FS.UML.EDU
>         }
>         STUDENT.UML.EDU = {
>                 kdc = STDC1.STUDENT.UML.EDU
>                 kdc = STDC2.STUDENT.UML.EDU
>         }
>
>
> [domain_realm]
>         .umlfs01.fs.uml.edu = FS.UML.EDU
>         umlfs01.fs.uml.edu = FS.UML.EDU
>
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
>
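As an added example that is not part of the thread or of Samba's own tooling: the offline checks below read the posted smb.conf and krb5.conf, report the settings `net ads join` depends on, derive the `-S` DC argument Dale suggests from the realm's `kdc` entries, and classify the `net ads testjoin` error Joel saw. Function names and the abridged sample inputs are constructed for this example.

```python
# Added example, not from the thread: offline checks on the posted smb.conf /
# krb5.conf pair and `net ads testjoin` output; runs no `net`, contacts no DC.
import re
# Constructed, abridged copies of the posted files and error output.
SMB_CONF = "[global]\n   realm = FS.UML.EDU\n   security = ADS\n   workgroup = ad\n"
KRB5_CONF = """[libdefaults]
        default_realm = FS.UML.EDU
[realms]
        FS.UML.EDU = {
                kdc = FSDC1.FS.UML.EDU
                kdc = FSDC2.FS.UML.EDU
        }
"""
TESTJOIN = "kerberos_kinit_password NANOELECFS$@FS.UML.EDU failed: Preauthentication failed"
def smb_global(text):
    """Parse the [global] section of a Samba-style smb.conf into a dict."""
    out, in_global = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and line[0] not in "#;":
            key, val = line.split("=", 1)
            out[key.strip().lower()] = val.strip()
    return out

def kdcs_for_realm(krb5_text, realm):
    """Return the kdc hosts listed under `REALM = { ... }` in [realms]."""
    m = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", krb5_text, re.S)
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", m.group(1), re.M) if m else []

def check_join_config(smb_text, krb5_text):
    """Return (findings, join command naming an explicit DC with -S)."""
    g, findings = smb_global(smb_text), []
    realm = g.get("realm", "").upper()
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    if g.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for net ads join")
    if not m or realm != m.group(1).upper():
        findings.append(f"smb.conf realm {realm!r} != krb5.conf default_realm")
    kdcs = kdcs_for_realm(krb5_text, realm)
    if not kdcs:
        findings.append(f"no kdc entries for {realm} in krb5.conf [realms]")
    return findings, f"net ads join -S {kdcs[0] if kdcs else '<dc>'} -U <admin_user>"

def diagnose_testjoin(output):
    """'Preauthentication failed' = the KDC rejected the machine key: the password
    Samba stored at join time does not match the computer account; re-join."""
    if "Preauthentication failed" in output:
        return "stale-machine-password"
    return "ok" if "Join is OK" in output else "unknown"
```

A missing computer account would instead produce "Client not found in Kerberos database", which is why the preauthentication error points at a stale machine password rather than at a non-existent account.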

