[Samba] net join fails (No such Object ?)

McNally, Ian Ian.McNally at racq.com.au
Wed Apr 21 03:23:42 GMT 2004

Hi, I am trying to configure winbind on redhat 9, using samba 3.
I would like to join a machine that already has an existing Active Directory account to our Domain.
Unfortunately, the command "net join -U(our Administrator account) fails. 
Text in brackets () has been replaced to hide specific information.
Here is the output of "net join -U (Administrator account)

	[2004/04/21 13:11:55, 0] libads/ldap.c:ads_add_machine_acct(1006)
	  Host account for id010393 already exists - modifying old account
	[2004/04/21 13:11:55, 0] libads/ldap.c:ads_join_realm(1342)
	  ads_add_machine_acct: No such object
	ads_join_realm: No such object
	ADS join did not work, falling back to RPC...
	[2004/04/21 13:11:56, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(286)
	  error setting trust account password: NT_STATUS_ACCESS_DENIED
	Unable to join domain (DOMAIN).
Has anyone experience this before ? I will be happy to document a solution if anyone has one.
	Ian McNally

System Configuration:

I have installed 


I have configured Kerebos such that kinit (Adminstrator account)@(DOMAIN) succeeds.
Klist returns this output :

	Ticket cache: FILE:/tmp/krb5cc_0
	Default principal: (Adminuser)@(DOMAIN)
	Valid starting     Expires            Service principal
	04/21/04 12:36:45  04/21/04 22:36:45  krbtgt/(Domain)@(Domain)

	Kerberos 4 ticket cache: /tmp/tkt0
	klist: You have no tickets cached

Contents of /etc/samba/smb.conf

 workgroup = (DOMAIN)
 encrypt passwords = yes
 smb passwd file = /etc/samba/smbpasswd
 security = ADS
 winbind separator = +
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 winbind enum users = yes
 winbind enum groups = yes
 realm = (DOMAIN)
 password server = (KDC).(DOMAIN)

Contents of /etc/krb5.conf

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 ticket_lifetime = 24000
 default_realm = (DOMAIN)
 dns_lookup_realm = yes 
 dns_lookup_kdc = yes
 default_etypes = des-cbc-crc des-cbc-md5
 default_etypes_des = des-cbc=crc des-cbc-md5 

 (DOMAIN) = {
  kdc = (KDC)
  default_domain = (domain)

 .(domain) = (DOMAIN)
 (domain) = (DOMAIN)

 profile = /var/kerberos/krb5kdc/kdc.conf

 default = FILE:/var/log/krb5.log

 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

Please Note:

This communication has been sent on behalf of The Royal Automobile Club of
Queensland Limited (RACQ).  The information contained in this communication
may be privileged and confidential.  If you are not the intended recipient,
any use, disclosure or copying of this communication is expressly
prohibited.  If you have received this communication in error, please delete
it immediately.  RACQ and its associated entities do not warrant or
represent that this communication (including any enclosed files) is free
from electronic viruses, faults or defects.

If this is a commercial electronic message within the meaning of the Spam 
Act(2003), you may indicate that you do not wish to receive any further 
commercial electronic messages from RACQ by sending an e-mail to 
unsubscribe at racq.com.au with your details or by contacting RACQ on 131905

More information about the samba mailing list