[Samba] Unable to join ADS domain

TBrown at neurology.ahsc.arizona.edu TBrown at neurology.ahsc.arizona.edu
Wed Feb 11 21:49:56 GMT 2004





okay, try this:

Linux:
$> kdestroy
$> kinit Administrator

Windows:
(1) C:/where/ever/klist purge -- [default place is c:/program
files/resource kit/klist.exe]
(You'll need to download this from microsoft:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/klist-o.asp)

(2) Clear the NetBIOS cache again (I'm superstitious): nbtstat -R

--

Linux:

$> vi /etc/hosts -> add: xxx.xxx.xxx.xxx  host.domain.name  netbios_name
[of your ADS/KDC server]
$> net join ads
   - if you get "Administrator password" you're good to go.
   - if you get "root password" your encryption settings are wrong (or at
least that was my problem).


Let's see what we get.


Tracy Steven Brown
University of Arizona
Dept. Neurology
(520) 626-4660



                                                                           
Joe Howell <jhowell_tsm at yahoo.com>
02/11/2004 01:04 PM

To: TBrown at neurology.ahsc.arizona.edu
cc:
Subject: Re: [Samba] Unable to join ADS domain




No bueno.  I changed the enctypes and took the "encrypt passwords=yes" out,
but still no reply and no computer account.....

TBrown at neurology.ahsc.arizona.edu wrote:





 [libdefaults]
 default_realm =MYDOMAIN.COM
 clockskew = 300
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc


 Change the enctypes to: des-cbc-crc as shown above. Also, if you do a
 testparm I'll bet that the encrypt passwords = yes entry is going to give
 you grief. Besides, Kerberos is encrypted anyway. Another thing to consider
 is flushing the NetBIOS cache on your WINS and KDC server - don't know if
 this does anything, but it makes me feel better (nbtstat -R).

 Tracy Steven Brown
 University of Arizona
 Dept. Neurology
 (520) 626-4660




 Joe Howell <jhowell_tsm at yahoo.com>
 Sent by: samba-bounces+tsb=u.arizona.edu at lists.samba.org
 02/11/2004 12:05 PM

 To: samba at lists.samba.org
 cc:
 Subject: [Samba] Unable to join ADS domain







 I've installed Samba 3.0.2 (from the source) on a SuSE
 8.2 system with MIT Kerberos 1.3.1 (I uninstalled the
 Heimdal code) and the OpenLDAP 2.1.27 development
 libraries installed on it. I want to make this system
 a domain member of a Win2K native-mode ADS domain but
 can't get "net ads join" to work. I've run "kinit
 myid at MYDOMAIN.COM" and I get a ticket, but when I do
 "net ads join -Umyid%mypswd" I get no output from the
 command and I don't get a machine account in the
 domain.

 My /etc/krb5.conf looks like:
 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
 default_realm =MYDOMAIN.COM
 clockskew = 300
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5

 [realms]
 MYDOMAIN.COM = {
 kdc = DCSRV1.MYDOMAIN.COM:88
 admin_server = dcsrv1.mydomain.com:749
 default_domain = mydomain.com
 }
 [domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM


 My /usr/local/samba/lib/smb.conf looks like:

 [global]
 realm = MYDOMAIN.COM
 security = ads
 password server = 10.4.1.13
 workgroup = MYDOMAIN
 netbios name = susesrv
 server string = SAMBA SERVER
 encrypt passwords = yes

 printcap name = /etc/printcap
 load printers = yes
 printing = cups

 log file = /var/log/samba/%m.log
 max log size = 10000

 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

 local master = no
 domain master = no
 preferred master = no
 wins server = 10.4.1.60
 dns proxy = no

 #===============SHARE DEFINITIONS=======================

 [public]
 path = /usr/public
 browseable = yes
 writeable = yes
 guest ok = no

 [printers]
 path = /var/spool/samba
 browseable = yes
 writeable = no
 guest ok = yes
 printable = yes

 .COM
 security = ads
 password server = 10.4.1.13
 workgroup = COLUMBIA
 netbios name = susesrv
 server string = IBM Aptiva in Joe's cube
 encrypt passwords = yes

 printcap name = /etc/printcap
 load printers = yes
 printing = cups

 log file = /var/log/samba/%m.log
 max log size = 10000

 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

 local master = no
 domain master = no
 preferred master = no
 wins server = 10.4.1.60
 dns proxy = no

 #===============SHARE DEFINITIONS=======================

 [public]
 path = /usr/public
 browseable = yes
 writeable = yes
 guest ok = no

 [printers]
 path = /var/spool/samba
 browseable = yes
 writeable = no
 guest ok = yes
 printable = yes



 =====
 Joe Howell
 Shelter Insurance Companies
 Columbia, MO




Joe Howell
Shelter Insurance Companies
Columbia, MO
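
Added example (not part of the original thread, and not Samba or MIT Kerberos code): a small Python lint for the krb5.conf quoted above. It reports a section header that has lost a bracket and lists the single-DES enctypes the config relies on, which RFC 6649 deprecates; the function names and the SAMPLE text are constructed for illustration.

```python
import re

# Constructed sample: excerpt of the krb5.conf quoted in the thread, including
# a "logging]" header that has lost its opening bracket.
SAMPLE = """\
logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
default_realm =MYDOMAIN.COM
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
[realms]
MYDOMAIN.COM = {
kdc = DCSRV1.MYDOMAIN.COM:88
}
"""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # deprecated by RFC 6649

def parse(text):
    """Return (sections, problems); nested realm blocks are flattened."""
    sections, problems, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        if re.fullmatch(r"\[[^\[\]]+\]", line):
            current = sections.setdefault(line[1:-1], {})
        elif "=" not in line and ("[" in line or "]" in line):
            problems.append(f"line {n}: malformed section header {line!r}")
            current = None  # following keys belong to no valid section
        elif current is None:
            problems.append(f"line {n}: {line!r} is outside any section")
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections, problems

def lint(text):
    # Syntax findings first, then enctype and realm consistency checks.
    sections, problems = parse(text)
    lib = sections.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e in SINGLE_DES]
        if weak:
            problems.append(f"{key}: single-DES enctypes {weak}")
    realm = lib.get("default_realm")
    if realm and realm not in sections.get("realms", {}):
        problems.append(f"default_realm {realm} has no [realms] entry")
    return problems
```

Calling lint(SAMPLE) returns the findings as a list of strings, one per problem.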






