[Samba] Trouble getting past net join ads...

Michael Wood esiotrot at gmail.com
Thu Jan 28 13:02:29 MST 2010


On 28 January 2010 21:07, Joel Therrien <Joel_Therrien at uml.edu> wrote:
> Thanks. Unfortunately that did not appear to do anything.
>
> What is even stranger is I tried running net ads info and it returned
> information on the LDAP server name, the correct IP address,
> realm, and bindpath. To my uninformed eye, this looks like it is
> connected to the windows server in some manner. Yet wbinfo -t
> still cannot check the trust secret.
>
> One thing I also don't get is why the net ads testjoin command insists
> on asking for a password for an account that does not exist. Even specifying
> a username with the -U command does not work, it is just ignored.

Here's something to try while waiting for a reply from someone who
knows more about this stuff:

The NANOELECFS$ account is a machine account.  As far as I understand
it, this account is supposed to be created automatically when you join
the machine to the domain.  The password is randomly generated and the
client is supposed to change it periodically (every month?)
automatically.

I've heard some people on this list say they had to manually create
the machine account first in order to be able to join the domain, so
perhaps you should try that.  i.e. just create an account (the same
way you create a user account) with NANOELECFS$ as the username.  Why
this might be necessary, I wouldn't know.

Another thing is that things might work better with a later version of
Samba.  e.g. 3.3.10 or 3.4.5.

> Joel
>
> On 1/28/2010 11:06 AM, Dale Schroeder wrote:
>>
>> Joel,
>>
>> When I've received this error, I've been able to resolve by telling it the
>> name of the DC.
>> net ads join -S pdc -U admin_user
>>
>> See if it works for you.
>>
>> Dale
>>
>>
>> On 01/28/2010 9:14 AM, Joel Therrien wrote:
>>>
>>>    I am in the process of getting samba working again with Active
>>> Directory. Recently our IT department
>>> upgraded their windows server to 2008.
>>>
>>>    I am following the approach described here:
>>> http://www.surlyjake.com/linux/samba/join-debian-lenny-to-active-directory-using-samba/
>>>
>>>    I am able to get kerberos to issue a ticket, but where I am running
>>> into a wall is with the net join ads part... It appears to work in that
>>> setting the correct dn and using the username given to me by Jim for
>>> binding to the windows server passes back a message that looks OK:
>>>
>>>> nanoelecfs:/home/joel# net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX
>>>> Enter XXXXX's password:
>>>> Got 1 replies
>>>
>>> But if I try to test this by issuing the net ads testjoin command, I am
>>> always asked this (highlighted in red):
>>>
>>>> nanoelecfs:/home/joel# net ads testjoin
>>>> Enter NANOELECFS$@FS.UML.EDU's password:
>>>> [2010/01/25 22:36:17,  0] libads/kerberos.c:ads_kinit_password(356)
>>>>  kerberos_kinit_password NANOELECFS$@FS.UML.EDU failed:
>>>> Preauthentication failed
>>>> Join to domain is not valid: Logon failure
>>>
>>> There is no such account, as kerberos is happy to indicate. This is odd
>>> because I do not recall getting this
>>> before the upgrade to 2008. NANOELECFS is the name of the linux box.
>>>
>>>    Trying wbinfo -t gives the following:
>>>
>>>> nanoelecfs:/home/joel# wbinfo -t
>>>> checking the trust secret via RPC calls failed
>>>> Could not check secret
>>>
>>>
>>> I am running a Debian Lenny system with kernel version 2.6.26-2-amd64
>>>
>>> I am running samba version 2:3.2.5
>>>
>>> Thanks in advance!

-- 
Michael Wood <esiotrot at gmail.com>
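As an added triage helper (not code from this thread or from the Samba project), the two checks discussed above, `net ads testjoin` and `wbinfo -t`, can be run and their output sorted into the symptoms the thread describes; the label names, the success strings and the fallback to the sample output captured in this thread are assumptions made here.

```sh
#!/bin/sh
# Added triage helper, not from the thread or the Samba project.
# Classifies the output of `net ads testjoin` and `wbinfo -t` into the
# symptoms discussed in the thread, so a join problem can be narrowed
# down before re-running `net ads join`. Label names are assumptions.

# classify_testjoin "<output of net ads testjoin>" -> prints one label
classify_testjoin() {
    case "$1" in
        *"Join is OK"*)
            echo ok ;;
        *"Preauthentication failed"*)
            # Samba prompted for the machine account's password and the KDC
            # rejected it: the locally stored machine secret does not match
            # what the DC holds, or the machine account is missing there.
            echo machine-account-secret-mismatch ;;
        *"Join to domain is not valid"*)
            echo join-invalid ;;
        *)
            echo unknown ;;
    esac
}

# classify_wbinfo "<output of wbinfo -t>" -> prints one label
classify_wbinfo() {
    case "$1" in
        *"via RPC calls succeeded"*) echo ok ;;
        *"Could not check secret"*) echo trust-secret-check-failed ;;
        *) echo unknown ;;
    esac
}

# Constructed samples, copied from the messages in this thread.
SAMPLE_TESTJOIN='Enter NANOELECFS$@FS.UML.EDU'"'"'s password:
[2010/01/25 22:36:17,  0] libads/kerberos.c:ads_kinit_password(356)
 kerberos_kinit_password NANOELECFS$@FS.UML.EDU failed: Preauthentication failed
Join to domain is not valid: Logon failure'
SAMPLE_WBINFO='checking the trust secret via RPC calls failed
Could not check secret'

# run_triage: runs the real tools when present, otherwise uses the samples.
run_triage() {
    if command -v net >/dev/null 2>&1 && command -v wbinfo >/dev/null 2>&1; then
        tj=$(net ads testjoin 2>&1 </dev/null); wb=$(wbinfo -t 2>&1)
    else
        tj=$SAMPLE_TESTJOIN; wb=$SAMPLE_WBINFO
    fi
    echo "testjoin: $(classify_testjoin "$tj")"
    echo "wbinfo:   $(classify_wbinfo "$wb")"
}
```

Call `run_triage` on the affected host; a `machine-account-secret-mismatch` result is the case in which checking for (or pre-creating) the NANOELECFS$ machine account, as suggested above, is worth trying before repeating the join.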

