[Samba] Unable to join ADS domain
Joe Howell
jhowell_tsm at yahoo.com
Thu Feb 12 14:11:32 GMT 2004
Nope.
Something odd here? I'm not getting any messages out
of Kerberos - I've set the logging to STDERR or
CONSOLE and don't see anything at all. Also, when I
run "klist tickets" on the KDC I notice that what
tickets are listed use rc4-hmac encryption; I added
that to the list of enctypes but it didn't seem to
make any difference. Yet I still see a ticket on my
Linux system when I run klist.
--- TBrown at neurology.ahsc.arizona.edu wrote:
>
> okay, try this:
>
> Linux:
> $> kdestroy
> $> kinit Administrator
>
> Windows:
> (1) C:/where/ever/klist purge -- [default place is c:/program files/resource kit/klist.exe]
> (You'll need to download this from microsoft:
> http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/klist-o.asp)
>
> (2) Clear the NetBIOS cache again (I'm superstitious): nbtstat -R
>
> --
>
> Linux:
>
> $> vi /etc/hosts -> add: xxx.xxx.xxx.xxx host.domain.name netbios_name [of your ADS/KDC server]
> $> net join ads
> - if you get "Administrator password" you're good to go.
> - if you get "root password" your encryption settings are wrong (or at
> least that was my problem).
>
>
> Let's see what we get.
>
>
> Tracy Steven Brown
> University of Arizona
> Dept. Neurology
> (520) 626-4660
>
> Joe Howell <jhowell_tsm at yahoo.com>
> 02/11/2004 01:04 PM
> To: TBrown at neurology.ahsc.arizona.edu
> cc:
> Subject: Re: [Samba] Unable to join ADS domain
>
> No bueno. I changed the enctypes and took the
> "encrypt passwords=yes" out,
> but still no reply and no computer account.....
>
> TBrown at neurology.ahsc.arizona.edu wrote:
>
> [libdefaults]
> default_realm =MYDOMAIN.COM
> clockskew = 300
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
>
>
> Change the enctypes to: des-cbc-crc as shown above. Also, if you do a
> testparm I'll bet that the encrypt passwords = yes entry is going to give
> you grief. Besides, Kerberos is encrypted anyway. Another thing to consider
> is flushing the NetBIOS cache on your WINS and KDC server - don't know if
> this does anything, but it makes me feel better (nbtstat -R).
>
> Tracy Steven Brown
> University of Arizona
> Dept. Neurology
> (520) 626-4660
>
> Joe Howell <jhowell_tsm at yahoo.com>
> Sent by: samba-bounces+tsb=u.arizona.edu at lists.samba.org
> 02/11/2004 12:05 PM
> To: samba at lists.samba.org
> cc:
> Subject: [Samba] Unable to join ADS domain
>
> I've installed Samba 3.0.2 (from the source) on a SuSE 8.2 system with MIT
> Kerberos 1.3.1 (I uninstalled the Heimdal code) and the OpenLDAP 2.1.27
> development libraries installed on it. I want to make this system a domain
> member of a Win2K native-mode ADS domain but can't get "net ads join" to
> work. I've run "kinit myid at MYDOMAIN.COM" and I get a ticket, but when I do
> "net ads join -Umyid%mypswd" I get no output from the command and I don't
> get a machine account in the domain.
>
> My /etc/krb5.conf looks like:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm =MYDOMAIN.COM
> clockskew = 300
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
> default_tgs_enctypes = des-cbc-crc des-cbc-md5
>
> [realms]
> MYDOMAIN.COM = {
> kdc = DCSRV1.MYDOMAIN.COM:88
> admin_server = dcsrv1.mydomain.com:749
> default_domain = mydomain.com
> }
> [domain_realm]
> .mydomain.com = MYDOMAIN.COM
> mydomain.com = MYDOMAIN.COM
>
>
> My /usr/local/samba/lib/smb.conf looks like:
>
> [global]
> realm = MYDOMAIN.COM
> security = ads
> password server = 10.4.1.13
> workgroup = MYDOMAIN
> netbios name = susesrv
> server string = SAMBA SERVER
> encrypt passwords = yes
>
> printcap name = /etc/printcap
> load printers = yes
> printing = cups
>
> log file = /var/log/samba/%m.log
> max log size = 10000
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> local master = no
> domain master = no
> preferred master = no
> wins server = 10.4.1.60
> dns proxy = no
>
> #===============SHARE DEFINITIONS=======================
>
> [public]
> path = /usr/public
> browseable = yes
> writeable = yes
> guest ok = no
>
> [printers]
> path = /var/spool/samba
> browseable = yes
> writeable = no
> guest ok = yes
> printable = yes
>
> .COM
> security = ads
> password server = 10.4.1.13
> workgroup = COLUMBIA
> netbios name = susesrv
> server string = IBM Aptiva in Joe's cube
> encrypt passwords = yes
>
> printcap name = /etc/printcap
> load printers = yes
> printing = cups
>
> log file = /var/log/samba/%m.log
> max log size = 10000
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> local master = no
> domain master = no
> preferred master = no
> wins server = 10.4.1.60
> dns proxy = no
>
> #===============SHARE DEFINITIONS=======================
>
> [public]
> path = /usr/public
> browseable = yes
> writeable = yes
> guest ok = no
>
> [printers]
> path = /var/spool/samba
> browseable = yes
> writeable = no
> guest ok = yes
> printable = yes
>
>
>
> =====
> Joe Howell
> Shelter Insurance Companies
> Columbia, MO
>
=====
Joe Howell
Shelter Insurance Companies
Columbia, MO
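
Added example, not part of the original thread: a small Python audit of the krb5.conf enctype lists discussed above. It reports weak (single-DES, RC4) enctypes, lists that omit the enctype the KDC actually issued (rc4-hmac in this thread), and section headers with a missing bracket. The sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the enctype lines quoted in the thread.
SAMPLE = """\
logging]
[libdefaults]
 default_realm = EXAMPLE.COM
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
"""

# Single DES (deprecated by RFC 6649) and RC4 (deprecated by RFC 8429).
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "rc4-hmac"}
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_libdefaults(text):
    """Return ([libdefaults] settings, list of structural problems)."""
    section, settings, problems = None, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif re.fullmatch(r"\[?\w+\]?", line):
            problems.append(f"line {n}: malformed section header {line!r}")
            section = None
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings, problems

def audit_enctypes(text, kdc_enctype):
    """Flag weak enctypes and lists that omit the enctype the KDC issued."""
    settings, findings = parse_libdefaults(text)
    wanted = ALIASES.get(kdc_enctype, kdc_enctype)
    for key in ENCTYPE_KEYS:
        if key not in settings:
            continue
        listed = [ALIASES.get(n, n) for n in re.split(r"[,\s]+", settings[key].lower()) if n]
        weak = [n for n in listed if n in WEAK]
        if weak:
            findings.append(f"{key}: weak enctypes {weak}")
        if wanted not in listed:
            findings.append(f"{key}: missing {wanted}, the enctype seen on the KDC")
    return findings
```

Calling audit_enctypes(SAMPLE, "rc4-hmac") returns one finding for the damaged header plus a weak-enctype and a missing-enctype finding for each of the two lists.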