[Samba] Trouble getting past net join ads...

Joel Therrien Joel_Therrien at uml.edu
Thu Jan 28 12:07:08 MST 2010


Thanks. Unfortunately that did not appear to do anything.

What is even stranger is I tried running net ads info and it returned
information on the LDAP server name, the correct IP address,
realm, and bindpath. To my uninformed eye, this looks like it is
connected to the windows server in some manner. Yet wbinfo -t
still cannot check the trust secret.

One thing I also don't get is why the net ads testjoin command insists
on asking for a password for an account that does not exist. Even specifying
a username with the -U command does not work; it is just ignored.

Joel

On 1/28/2010 11:06 AM, Dale Schroeder wrote:
> Joel,
>
> When I've received this error, I've been able to resolve by telling it 
> the name of the DC.
> net ads join -S pdc -U admin_user
>
> See if it works for you.
>
> Dale
>
>
> On 01/28/2010 9:14 AM, Joel Therrien wrote:
>>     I am in the process of getting samba working again with Active 
>> Directory. Recently our IT department
>> upgraded their windows server to 2008.
>>
>>     I am following the approach described here: 
>> http://www.surlyjake.com/linux/samba/join-debian-lenny-to-active-directory-using-samba/ 
>>
>>
>>     I am able to get kerberos to issue a ticket, but where I am 
>> running into a wall is with the net join ads part... It appears to 
>> work in that
>> setting the correct dn and using the username given to me by Jim for 
>> binding to the windows server passes back a message that looks OK:
>>
>>> nanoelecfs:/home/joel# net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX
>>> Enter XXXXX's password:
>>> Got 1 replies
>>
>> But if I try to test this by issuing the net ads testjoin command, I 
>> am always asked this (highlighted in red):
>>
>>> nanoelecfs:/home/joel# net ads testjoin
>>> Enter NANOELECFS$@FS.UML.EDU's password:
>>> [2010/01/25 22:36:17,  0] libads/kerberos.c:ads_kinit_password(356)
>>>   kerberos_kinit_password NANOELECFS$@FS.UML.EDU failed: 
>>> Preauthentication failed
>>> Join to domain is not valid: Logon failure
>>
>> There is no such account, as kerberos is happy to indicate. This is 
>> odd because I do not recall getting this
>> before the upgrade to 2008. NANOELECFS is the name of the linux box.
>>
>>     Trying wbinfo -t gives the following:
>>
>>> nanoelecfs:/home/joel# wbinfo -t
>>> checking the trust secret via RPC calls failed
>>> Could not check secret
>>
>>
>> I am running a Debian Lenny system with kernel version 2.6.26-2-amd64
>>
>> I am running samba version 2:3.2.5
>>
>> Thanks in advance!
>>
>> Joel Therrien
>>
>> My config files are below:
>>
>> smb.conf
>> [global]
>>    workgroup = ad
>>    realm = FS.UML.EDU
>>    preferred master = no
>>    server string = %h server
>>    dns proxy = no
>>
>> #### Debugging/Accounting ####
>>
>>    log file = /var/log/samba/log.%m
>>    max log size = 1000
>>    syslog = 0
>>    panic action = /usr/share/samba/panic-action %d
>>
>> ####### Authentication #######
>>
>>    security = ADS
>>    encrypt passwords = true
>>    passdb backend = tdbsam
>>    obey pam restrictions = yes
>>    invalid users = root
>>    unix password sync = yes
>>    passwd program = /usr/bin/passwd %u
>>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>    pam password change = yes
>>    guest account = nobody
>>    map to guest = bad user
>>
>> ########## Printing ##########
>>
>>    load printers = no
>>    printing = bsd
>>    printcap name = /dev/null
>>    show add printer wizard = no
>>    disable spoolss = yes
>>
>> ############ Misc ############
>>
>>   idmap backend = hash
>>   winbind nss info = hash
>>   winbind use default domain = yes
>>   winbind separator = +
>>   winbind enum groups = no
>>   winbind enum users = no
>>   winbind nested groups = yes
>>   template homedir = /ls/users/%U
>>   template shell = /bin/bash
>>   winbind refresh tickets = yes
>> #  kerberos method = system keytab
>>   winbind offline logon = yes
>> #  get quota command = /root/sambaquota.sh
>>
>> krb5.conf
>>
>> [libdefaults]
>>         default_realm = FS.UML.EDU
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>>         krb4_config = /etc/krb.conf
>>         krb4_realms = /etc/krb.realms
>>         kdc_timesync = 1
>>         ccache_type = 4
>>         forwardable = true
>>         proxiable = true
>>
>> # The following encryption type specification will be used by MIT Kerberos
>> # if uncommented.  In general, the defaults in the MIT Kerberos code are
>> # correct and overriding these specifications only serves to disable new
>> # encryption types as they are added, creating interoperability problems.
>> #
>> # The only time when you might need to uncomment these lines and change
>> # the enctypes is if you have local software that will break on ticket
>> # caches containing ticket encryption types it doesn't know about (such as
>> # old versions of Sun Java).
>>
>> #       default_tgs_enctypes = des3-hmac-sha1
>> #       default_tkt_enctypes = des3-hmac-sha1
>> #       permitted_enctypes = des3-hmac-sha1
>>
>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>         v4_instance_resolve = false
>>         v4_name_convert = {
>>                 host = {
>>                         rcmd = host
>>                         ftp = ftp
>>                 }
>>                 plain = {
>>                         something = something-else
>>                 }
>>         }
>>         fcc-mit-ticketflags = true
>>
>> [realms]
>>         FS.UML.EDU = {
>>                 kdc = FSDC1.FS.UML.EDU
>>                 kdc = FSDC2.FS.UML.EDU
>>                 admin_server = FSDC1.FS.UML.EDU
>>         }
>>         STUDENT.UML.EDU = {
>>                 kdc = STDC1.STUDENT.UML.EDU
>>                 kdc = STDC2.STUDENT.UML.EDU
>>         }
>>
>>
>> [domain_realm]
>>         .umlfs01.fs.uml.edu = FS.UML.EDU
>>         umlfs01.fs.uml.edu = FS.UML.EDU
>>
>> [login]
>>         krb4_convert = true
>>         krb4_get_tickets = false
>>

-- 
Asst. Prof. Joel M. Therrien
Ph: 978-934-3324
Fax: 978-934-3027
Joel_Therrien at uml.edu
Dept. of Electrical & Computer Engineering
U. Massachusetts-Lowell
1 University Ave
Lowell, MA 01854


