[Samba] net ads join / kinit /.conf syntax

kaze kaze at voicenet.com
Sat Feb 21 17:00:22 GMT 2004

--> Behalf Of Michael Brown
--> Sent: Friday, February 20, 2004 1:37 AM
--> > The path I got was /root/krb5-1.3.1/src/configure, but no
--> > mater. In order to
--> Sorry, I should have said ->
--> # cd krb5-1.3.1/src
--> # configure --prefix=/usr
--> # make & make install
--> # ls /usr/bin/kinit
--> kinit

Ran the "configure --prefix=/usr" again (as I'd removed and reinstalled all
the Samba packages) just to make sure and it worked fine.

The "make & make install" worked much better with this syntax.

Still no kinit though! And the "net ads join" still fails the same way,
although I tried many variations on it. At one point a new domain showed up
in the Windows Network Neighborhood, but with no computers in it, a
tweak/correction of "/etc/smb.conf" fixed that. "testparm" doesn't seem to
find any errors with "/etc/smb.conf". I tried with the default 'example'
"/etc/krb5.conf" and also with one with my specific settings. Based on the
error message it would seem that my Kerberos client is not working, right?

[root at ImediaArchive root]# ls /usr/bin/kinit
ls: /usr/bin/kinit: No such file or directory
[root at ImediaArchive root]# cd /usr/bin
[root at ImediaArchive bin]# ls k*
kban  kbdrate  kermit  kill  killall  krb524init  ktest
[root at ImediaArchive bin]# locate kinit
[root at ImediaArchive bin]# cd
[root at ImediaArchive root]# net ads join -U adminzas
adminzas password:
[2004/02/21 11:21:45, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password adminzas at IMEDIA.EXAMPLE.COM failed: Cannot find
KDC for requested realm
[root at ImediaArchive root]#
[root at ImediaArchive root]# ping imediamsft
PING imediamsft.imedia.example.com ( 56(84) bytes of data.
64 bytes from imediamsft.imedia.example.com ( icmp_seq=0 ttl=128
time=0.162 ms
64 bytes from imediamsft.imedia.example.com ( icmp_seq=1 ttl=128
time=0.200 ms
64 bytes from imediamsft.imedia.example.com ( icmp_seq=2 ttl=128
time=0.199 ms

--- imediamsft.imedia.example.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.162/0.187/0.200/0.017 ms, pipe 2
[root at ImediaArchive root]#

"/etc/krb5.conf" specifies imediamsft.imedia.example.com as the KDC, and
this machine can see it, and actually has for it's DNS1 and DNS2 the two AD
integrated LAN DNS servers.

The machine ImediaArchive shows up in the Windows Network Neighborhood as a
domain/workgroup member (due to the "/etc/smb.conf" file?) but when clicked
on gets an error I guess is due to it not having a machine account in AD.

Why doesn't the kerberos-workstation rpm work?

Do I need a "/etc/krb5.conf" if using the MIT Kerberos client? I do have
valid looking DNS records for the Microsoft Kerberos servers.

Do I need to compile of 'make' something in the
"/root/krb5-1.3.1/src/clients/kinit" directory to get the "kinit" command?

--> It would be prudent to then install a recent version of
--> cyrus-sasl to insure an
--> gss-api layer for auth when trying against ms-ad.

Hopefully I will move forward enough to get to this stuff later...

--> Hope this helps.
--> Michael Brown

More information about the samba mailing list