[Samba] Unable to join ADS domain

Joe Howell jhowell_tsm at yahoo.com
Fri Feb 13 14:35:03 GMT 2004


I tried "net ads join" and was prompted for root's
password; other than that I got the same blank stare
that I get trying it any other way.  I thought about
the keytab trick but being the stubborn, hardheaded
type I would prefer to figure out what it is that I've
got misconfigured.  My next step is to whip out the
trusty sniffer and see exactly what the two machines
are discussing behind my back....I'm starting to
suspect that (this being a test LAN) the DC may not be
working exactly the way I think it should be.  I am
probably going to rebuild it in the next couple of
weeks as part of a DR practice run, so we'll see what
happens after that.

Thanks for your help.  

--- TBrown at neurology.ahsc.arizona.edu wrote:
> 
> 
> 
> 
> 
> Windows 200x will use RC4-HMAC for itself and other Windows (200x)
> clients. However, it is compatible with des-cbc-crc and des-cbc-md5.
> My experience has been that setting the enctypes to anything other
> than des-cbc-crc gives the same behavior as what you're seeing. I am
> curious as to what your "net ads join" command returns when you only
> issue "net ads join" without any arguments after "kinit Administrator".
> 
> The only other thing I can think of off the top of
> my head is that I have
> an Administrator account on my Linux machine with
> the same password as the
> Windows Administrator account. I suspect that this
> doesn't much matter.
> 
> Post the output to "net ads join" (no arguments) -
> if all else fails, we
> can create a keytab file in windows and move it over
> to Linux.
> 
>  Cheers,
> 
> Tracy Steven Brown
> University of Arizona
> Dept. Neurology
> (520) 626-4660
> 
> 
> 
> Joe Howell <jhowell_tsm at yahoo.com>
> Sent by: samba-bounces+tsb=u.arizona.edu at lists.samba.org
> 02/12/2004 07:11 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to join ADS domain
> 
> 
> 
> 
> Nope.
> 
> Something odd here?  I'm not getting any messages
> out
> of Kerberos - I've set the logging to STDERR or
> CONSOLE and don't see anything at all.  Also, when I
> run "klist tickets" on the KDC I notice that what
> tickets are listed use rc4-hmac encryption; I added
> that to the list of enctypes but it didn't seem to
> make any difference.  Yet I still see a ticket on my
> Linux system when I run klist.
> 
> --- TBrown at neurology.ahsc.arizona.edu wrote:
> >
> >
> >
> >
> > okay, try this:
> >
> > Linux:
> > $> kdestroy
> > $> kinit Administrator
> >
> > Windows:
> > (1) C:/where/ever/klist purge -- [default place is
> > c:/program
> > files/resource kit/klist.exe]
> > (You'll need to download this from microsoft:
> >
> > http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/klist-o.asp )
> >
> > (2) Clear the NetBIOS cache again (I'm
> > superstitious): nbtstat -R
> >
> > --
> >
> > Linux:
> >
> > $> vi /etc/hosts -> add: xxx.xxx.xxx.xxx
> > host.domain.name  netbios_name
> > [of your ADS/KDC server]
> > $> net join ads
> >    - if you get "Administrator password" you're good to go.
> >    - if you get "root password" your encryption settings are wrong
> >      (or at least that was my problem).
> >
> >
> > Let's see what we get.
> >
> >
> > Tracy Steven Brown
> > University of Arizona
> > Dept. Neurology
> > (520) 626-4660
> >
> >
> >
> >
> >
> > Joe Howell <jhowell_tsm at yahoo.com>
> > 02/11/2004 01:04 PM
> > To: TBrown at neurology.ahsc.arizona.edu
> > Subject: Re: [Samba] Unable to join ADS domain
> > No bueno.  I changed the enctypes and took the
> > "encrypt passwords=yes" out,
> > but still no reply and no computer account.....
> >
> > TBrown at neurology.ahsc.arizona.edu wrote:
> >
> >
> >
> >
> >
> >  [libdefaults]
> >  default_realm =MYDOMAIN.COM
> >  clockskew = 300
> >  default_tkt_enctypes = des-cbc-crc
> >  default_tgs_enctypes = des-cbc-crc
> >
> >
> >  Change the enctypes to: des-cbc-crc as shown above. Also, if you do a
> >  testparm I'll bet that the encrypt passwords = yes entry is going to give
> >  you grief. Besides kerberos is encrypted anyway. Another thing to consider
> >  is flushing the NetBIOS cache on your wins and kdc server - don't know if
> >  this does anything, but it makes me feel better (nbtstat -R).
> >
> >  Tracy Steven Brown
> >  University of Arizona
> >  Dept. Neurology
> >  (520) 626-4660
> >
> >
> >
> >
> >  Joe Howell <jhowell_tsm at yahoo.com>
> >  Sent by: samba-bounces+tsb=u.arizona.edu at lists.samba.org
> >  02/11/2004 12:05 PM
> >  To: samba at lists.samba.org
> >  Subject: [Samba] Unable to join ADS domain
> >  I've installed Samba 3.0.2 (from the source) on a SuSE 8.2 system with
> >  MIT Kerberos 1.3.1 (I uninstalled the Heimdal code) and the OpenLDAP
> >  2.1.27 development libraries installed on it. I want to make this system
> >  a domain member of a Win2K native-mode ADS domain but can't get "net ads
> >  join" to work. I've run "kinit myid at MYDOMAIN.COM" and I get a ticket,
> >  but when I do "net ads join -Umyid%mypswd" I get no output from the
> >  command and I don't get a machine account in the domain.
> >
> >  My /etc/krb5.conf looks like:
> >  [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> >  [libdefaults]
> >  default_realm =MYDOMAIN.COM
> >  clockskew = 300
> >  default_tkt_enctypes = des-cbc-crc des-cbc-md5
> >  default_tgs_enctypes = des-cbc-crc des-cbc-md5
> >
> >  [realms]
> >  MYDOMAIN.COM = {
> >  kdc = DCSRV1.MYDOMAIN.COM:88
> >  admin_server = dcsrv1.mydomain.com:749
> >  default_domain = mydomain.com
> >  }
> >  [domain_realm]
> >  .mydomain.com = MYDOMAIN.COM
> >  mydomain.com = MYDOMAIN.COM
> >
> >
> >  My /usr/local/samba/lib/smb.conf looks like:
> >
> >  [global]
> >  realm = MYDOMAIN.COM
> >  security = ads
> >  password server = 10.4.1.13
> >  workgroup = MYDOMAIN
> >  netbios name = susesrv
> >  server string = SAMBA SERVER
> >  encrypt passwords = yes
> >
> >  printcap name = /etc/printcap
> >  load printers = yes
> >  printing = cups
> >
> >  log file = /var/log/samba/%m.log
> >  max log size = 10000
> >
> >  socket options = TCP_NODELAY SO_RCVBUF=8192
> >  SO_SNDBUF=8192
> >
> >  local master = no
> >  domain master = no
> >  preferred master = no
> >  wins server = 10.4.1.60
> >  dns proxy = no
> >
> >  #===============SHARE
> >  DEFINITIONS=======================
> >
> >  [public]
> >  path = /usr/public
> >  browseable = yes
> >  writeable = yes
> >  guest ok = no
> >
> >  [printers]
> >  path = /var/spool/samba
> >  browseable = yes
> >  writeable = no
> >  guest ok = yes
> >  printable = yes
> >
> >  .COM
> >  security = ads
> >  password server = 10.4.1.13
> >  workgroup = COLUMBIA
> >  netbios name = susesrv
> >  server string = IBM Aptiva in Joe's cube
> >  encrypt passwords = yes
> >
> >  printcap name = /etc/printcap
> >  load printers = yes
> >  printing = cups
> >
> >  log file = /var/log/samba/%m.log
> >  max log size = 10000
> >
> >  socket options = TCP_NODELAY SO_RCVBUF=8192
> >  SO_SNDBUF=8192
> >
> >  local master = no
> >  domain master = no
> >  preferred master = no
> >  wins server = 10.4.1.60
> >  dns proxy = no
> >
> >  #===============SHARE
> >  DEFINITIONS=======================
> >
> >  [public]
> >  path = /usr/public
> >  browseable = yes
> >  writeable = yes
> >  guest ok = no
> >
> >  [printers]
> >  path = /var/spool/samba
> >  browseable = yes
> >  writeable = no
> >  guest ok = yes
> >  printable = yes
> >
> >
> >
> >  =====
> >  Joe Howell
> >  Shelter Insurance Companies
> >  Columbia, MO
> >
> >  __________________________________
> >  Do you Yahoo!?
> >  Yahoo! Finance: Get your refund fast by filing
> > online.
> >  http://taxes.yahoo.com/filing.html
> >  --
> >  To unsubscribe from this list go to the following
> > URL and read the
> >  instructions:
> > http://lists.samba.org/mailman/listinfo/samba
> >
> >
> >
> > Joe Howell
> > Shelter Insurance Companies
> > Columbia, MO
> >
> >
> >
> >
> >
> 
> =====
> Joe Howell
> Shelter Insurance Companies
> Columbia, MO
> 

=====
Joe Howell
Shelter Insurance Companies
Columbia, MO

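The thread's krb5.conf, linted. This is an added example written for this page, not Samba's, MIT Kerberos's or either poster's code. The section and key names are the real krb5.conf ones; the sample config is constructed from the one posted above (MYDOMAIN.COM is the thread's own placeholder), and the enctype classes reflect current practice rather than 2004: the single-DES pinning the thread recommends is flagged as broken, and the corrected copy lists AES types instead. The smb.conf `realm =` value is passed in as a string rather than parsed.

```python
"""Added example (not Samba's, MIT's or either poster's code): lint the
krb5.conf settings a 'net ads join' depends on before trying the join."""
import re

# Single DES (56-bit key) is broken and Windows Server 2008 R2+ DCs disable it
# by default; AES is what AD and Samba negotiate today.
BROKEN_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}
STRONG_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "aes256-cts",
                   "aes128-cts", "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; a 'NAME = { ... }' group
    (as in [realms]) becomes a nested dict and a repeated key (several 'kdc ='
    lines) collects into a list.  Returns (conf, syntax_errors)."""
    conf, errors, section, group = {}, [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[([A-Za-z_]+)\]", line)
        if m:
            section, group = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:  # a header that lost its '[' lands here
            errors.append(f"line {lineno}: {line!r} is outside any [section]")
            continue
        if line == "}":
            group = None
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            errors.append(f"line {lineno}: {line!r} is not 'key = value'")
            continue
        if value == "{":
            group = section.setdefault(key, {})
            continue
        target = group if group is not None else section
        if key in target:
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    return conf, errors


def lint(krb5_text, smb_realm):
    """(severity, message) findings for krb5.conf checked against smb.conf's
    'realm ='; [] means consistent and no broken enctype pinned."""
    conf, errors = parse_krb5_conf(krb5_text)
    findings = [("error", e) for e in errors]
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        return findings + [("error", "[libdefaults] has no default_realm")]
    if realm != realm.upper():
        findings.append(("error", f"default_realm {realm!r} must be upper case for AD"))
    if smb_realm.upper() != realm:
        findings.append(("error", f"smb.conf realm {smb_realm!r} != default_realm {realm!r}"))
    for key in ENCTYPE_KEYS:
        if key in lib:
            ets = str(lib[key]).lower().split()
            broken = [e for e in ets if e in BROKEN_ENCTYPES]
            if broken:
                findings.append(("error", f"{key} pins broken single DES: {' '.join(broken)}"))
            if not any(e in STRONG_ENCTYPES for e in ets):
                findings.append(("warn", f"{key} permits no AES type; an AES-only DC issues no ticket"))
    stanza = conf.get("realms", {}).get(realm)
    if not isinstance(stanza, dict) or "kdc" not in stanza:
        findings.append(("error", f"[realms] has no kdc entry for {realm}"))
    dr = conf.get("domain_realm", {})
    for name in (realm.lower(), "." + realm.lower()):
        if dr.get(name) != realm:
            findings.append(("error", f"[domain_realm] lacks '{name} = {realm}'"))
    return findings


# Constructed samples: the thread's krb5.conf (MYDOMAIN.COM is its placeholder)
# with the DES pinning it recommends, and the same file corrected to AES.
KRB5_THREAD = """
[libdefaults]
 default_realm = MYDOMAIN.COM
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
[realms]
 MYDOMAIN.COM = {
  kdc = DCSRV1.MYDOMAIN.COM:88
 }
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
"""
KRB5_FIXED = KRB5_THREAD.replace("des-cbc-crc des-cbc-md5",
                                 "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")

if __name__ == "__main__":
    for sev, msg in lint(KRB5_THREAD, "MYDOMAIN.COM"):
        print(f"{sev}: {msg}")
```

Run as a script it prints two errors and two warnings for the thread's config and nothing for the AES copy. The point worth keeping from the thread is the mechanism behind the silent failure: the client only requests the enctypes it is configured for, so pinning `default_tkt_enctypes` to something the DC will not issue yields no usable ticket and no visible error from `net ads join`. The same mismatch now cuts the other way, since Windows Server 2008 R2 and later DCs refuse DES by default, which is why the checker treats DES as an error rather than the cure.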