[Samba] Unable to join ADS domain

Joe Howell jhowell_tsm at yahoo.com
Thu Feb 12 14:11:32 GMT 2004


Nope.

Something odd here?  I'm not getting any messages out
of Kerberos - I've set the logging to STDERR or
CONSOLE and don't see anything at all.  Also, when I
run "klist tickets" on the KDC I notice that what
tickets are listed use rc4-hmac encryption; I added
that to the list of enctypes but it didn't seem to
make any difference.  Yet I still see a ticket on my
Linux system when I run klist.

--- TBrown at neurology.ahsc.arizona.edu wrote:
>
> okay, try this:
> 
> Linux:
> $> kdestroy
> $> kinit Administrator
> 
> Windows:
> (1) C:/where/ever/klist purge -- [default place is c:/program files/resource kit/klist.exe]
> (You'll need to download this from microsoft: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/klist-o.asp)
> 
> (2) Clear the NetBIOS cache again (I'm
> superstitious): nbtstat -R
> 
> --
> 
> Linux:
> 
> $> vi /etc/hosts -> add: xxx.xxx.xxx.xxx host.domain.name netbios_name [of your ADS/KDC server]
> $> net join ads
>    - if you get "Administrator password" you're good to go.
>    - if you get "root password" your encryption settings are wrong (or at
>      least that was my problem).
> 
> 
> Let's see what we get.
> 
> 
> Tracy Steven Brown
> University of Arizona
> Dept. Neurology
> (520) 626-4660
> 
> 
> 
> Joe Howell <jhowell_tsm at yahoo.com>
> 02/11/2004 01:04 PM
> To: TBrown at neurology.ahsc.arizona.edu
> Subject: Re: [Samba] Unable to join ADS domain
> 
> 
> 
> 
> No bueno.  I changed the enctypes and took the
> "encrypt passwords=yes" out,
> but still no reply and no computer account.....
> 
> TBrown at neurology.ahsc.arizona.edu wrote:
> 
> 
> 
> 
> 
>  [libdefaults]
>  default_realm =MYDOMAIN.COM
>  clockskew = 300
>  default_tkt_enctypes = des-cbc-crc
>  default_tgs_enctypes = des-cbc-crc
> 
> 
>  Change the enctypes to: des-cbc-crc as shown above. Also, if you do a
>  testparm I'll bet that the encrypt passwords = yes entry is going to give
>  you grief. Besides, kerberos is encrypted anyway. Another thing to consider
>  is flushing the NetBIOS cache on your wins and kdc server - don't know if
>  this does anything, but it makes me feel better (nbtstat -R).
> 
>  Tracy Steven Brown
>  University of Arizona
>  Dept. Neurology
>  (520) 626-4660
> 
> 
> 
> 
>  Joe Howell <jhowell_tsm at yahoo.com>
>  Sent by: samba-bounces+tsb=u.arizona.edu at lists.samba.org
>  02/11/2004 12:05 PM
>  To: samba at lists.samba.org
>  Subject: [Samba] Unable to join ADS domain
> 
> 
> 
> 
> 
> 
> 
>  I've installed Samba 3.0.2 (from the source) on a SuSE
>  8.2 system with MIT Kerberos 1.3.1 (I uninstalled the
>  Heimdal code) and the OpenLDAP 2.1.27 development
>  libraries installed on it. I want to make this system
>  a domain member of a Win2K native-mode ADS domain but
>  can't get "net ads join" to work. I've run "kinit
>  myid at MYDOMAIN.COM" and I get a ticket, but when I do
>  "net ads join -Umyid%mypswd" I get no output from the
>  command and I don't get a machine account in the
>  domain.
> 
>  My /etc/krb5.conf looks like:
>  [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
>  [libdefaults]
>  default_realm =MYDOMAIN.COM
>  clockskew = 300
>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
> 
>  [realms]
>  MYDOMAIN.COM = {
>  kdc = DCSRV1.MYDOMAIN.COM:88
>  admin_server = dcsrv1.mydomain.com:749
>  default_domain = mydomain.com
>  }
>  [domain_realm]
>  .mydomain.com = MYDOMAIN.COM
>  mydomain.com = MYDOMAIN.COM
> 
> 
>  My /usr/local/samba/lib/smb.conf looks like:
> 
>  [global]
>  realm = MYDOMAIN.COM
>  security = ads
>  password server = 10.4.1.13
>  workgroup = MYDOMAIN
>  netbios name = susesrv
>  server string = SAMBA SERVER
>  encrypt passwords = yes
> 
>  printcap name = /etc/printcap
>  load printers = yes
>  printing = cups
> 
>  log file = /var/log/samba/%m.log
>  max log size = 10000
> 
>  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
>  local master = no
>  domain master = no
>  preferred master = no
>  wins server = 10.4.1.60
>  dns proxy = no
> 
>  #===============SHARE DEFINITIONS=======================
> 
>  [public]
>  path = /usr/public
>  browseable = yes
>  writeable = yes
>  guest ok = no
> 
>  [printers]
>  path = /var/spool/samba
>  browseable = yes
>  writeable = no
>  guest ok = yes
>  printable = yes
> 
>  .COM
>  security = ads
>  password server = 10.4.1.13
>  workgroup = COLUMBIA
>  netbios name = susesrv
>  server string = IBM Aptiva in Joe's cube
>  encrypt passwords = yes
> 
>  printcap name = /etc/printcap
>  load printers = yes
>  printing = cups
> 
>  log file = /var/log/samba/%m.log
>  max log size = 10000
> 
>  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
>  local master = no
>  domain master = no
>  preferred master = no
>  wins server = 10.4.1.60
>  dns proxy = no
> 
>  #===============SHARE DEFINITIONS=======================
> 
>  [public]
>  path = /usr/public
>  browseable = yes
>  writeable = yes
>  guest ok = no
> 
>  [printers]
>  path = /var/spool/samba
>  browseable = yes
>  writeable = no
>  guest ok = yes
>  printable = yes
> 
> 
> 
>  =====
>  Joe Howell
>  Shelter Insurance Companies
>  Columbia, MO
> 
> 
> 
> 
> Joe Howell
> Shelter Insurance Companies
> Columbia, MO
> 
> 
> 
> 
> 

=====
Joe Howell
Shelter Insurance Companies
Columbia, MO
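
Added example (not part of the original messages, and not Samba or MIT Kerberos code): a Python check for the situation described above, where klist on the KDC shows rc4-hmac tickets while krb5.conf pins DES enctypes. The function names and the sample text are constructed for illustration; the check reports pinned lists that omit the observed enctype and lists that contain single-DES types.

```python
import re

# Single-DES enctypes, deprecated by RFC 6649.
WEAK_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
# MIT Kerberos accepts these spellings for the same RC4 enctype.
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac"}
KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of a krb5.conf."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = value
    return out

def enctypes(value):
    """Split an enctype list (spaces or commas) and normalise aliases."""
    names = [n.lower() for n in re.split(r"[\s,]+", value.strip()) if n]
    return [ALIASES.get(n, n) for n in names]

def audit(text, observed):
    """Compare pinned enctypes with the enctype seen on issued tickets."""
    observed = ALIASES.get(observed.lower(), observed.lower())
    conf, findings = parse_libdefaults(text), []
    for key in KEYS:
        # A missing key means nothing is pinned and library defaults apply.
        configured = enctypes(conf.get(key, ""))
        weak = [e for e in configured if e in WEAK_DES]
        if configured and observed not in configured:
            findings.append((key, "mismatch", observed))
        if weak:
            findings.append((key, "weak", " ".join(weak)))
    return findings

# Constructed sample: the [libdefaults] enctype lines quoted in the thread.
SAMPLE = """\
[libdefaults]
 default_realm = MYDOMAIN.COM
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "rc4-hmac"))
```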


