[Samba] Trouble getting past net join ads...
Joel Therrien
Joel_Therrien at uml.edu
Thu Jan 28 08:14:09 MST 2010
I am in the process of getting samba working again with Active Directory. Recently our IT department upgraded their windows server to 2008.
I am following the approach described here:
http://www.surlyjake.com/linux/samba/join-debian-lenny-to-active-directory-using-samba/
I am able to get kerberos to issue a ticket, but where I am running
into a wall is with the net join ads part... It appears to work in that
setting the correct dn and using the username given to me by Jim for
binding to the windows server passes back a message that looks OK:
> nanoelecfs:/home/joel# net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX
> Enter XXXXX's password:
> Got 1 replies
But if I try to test this by issuing the net ads testjoin command, I am
always asked this (highlighted in red):
> nanoelecfs:/home/joel# net ads testjoin
> Enter NANOELECFS$@FS.UML.EDU's password:
> [2010/01/25 22:36:17, 0] libads/kerberos.c:ads_kinit_password(356)
> kerberos_kinit_password NANOELECFS$@FS.UML.EDU failed:
> Preauthentication failed
> Join to domain is not valid: Logon failure
There is no such account, as kerberos is happy to indicate. This is odd because I do not recall getting this before the upgrade to 2008. NANOELECFS is the name of the linux box.
Trying wbinfo -t gives the following:
> nanoelecfs:/home/joel# wbinfo -t
> checking the trust secret via RPC calls failed
> Could not check secret
I am running a Debian Lenny system with kernel version 2.6.26-2-amd64
I am running samba version 2:3.2.5
Thanks in advance!
Joel Therrien
My config files are below:
smb.conf
[global]
workgroup = ad
realm = FS.UML.EDU
preferred master = no
server string = %h server
dns proxy = no
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
security = ADS
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
guest account = nobody
map to guest = bad user
########## Printing ##########
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
############ Misc ############
idmap backend = hash
winbind nss info = hash
winbind use default domain = yes
winbind separator = +
winbind enum groups = no
winbind enum users = no
winbind nested groups = yes
template homedir = /ls/users/%U
template shell = /bin/bash
winbind refresh tickets = yes
# kerberos method = system keytab
winbind offline logon = yes
# get quota command = /root/sambaquota.sh
krb5.conf
[libdefaults]
default_realm = FS.UML.EDU
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true
[realms]
FS.UML.EDU = {
    kdc = FSDC1.FS.UML.EDU
    kdc = FSDC2.FS.UML.EDU
    admin_server = FSDC1.FS.UML.EDU
}
STUDENT.UML.EDU = {
    kdc = STDC1.STUDENT.UML.EDU
    kdc = STDC2.STUDENT.UML.EDU
}
[domain_realm]
.umlfs01.fs.uml.edu = FS.UML.EDU
umlfs01.fs.uml.edu = FS.UML.EDU
[login]
krb4_convert = true
krb4_get_tickets = false
--
Asst. Prof. Joel M. Therrien
Ph: 978-934-3324
Fax: 978-934-3027
Joel_Therrien at uml.edu
Dept. of Electrical & Computer Engineering
U. Massachusetts-Lowell
1 University Ave
Lowell, MA 01854