[Samba] Member Server in Active Directory

Daniel Ramaley daniel.ramaley at DRAKE.EDU
Tue Jun 15 14:31:26 GMT 2004

I have a very similar problem. I just joined the list yesterday with the 
intent of asking about it, after failure to find a solution via Google. 
Here's the info on the problem:

I have Samba 3.0.4 compiled from source running on OpenBSD 3.5. 
Cowles-Admin is the name of a user that has administrative access to an 
OU. I do not have administrator access to the entire Active Directory 
tree. I created a computer account in Active Directory called 
cowl-backup that the Samba server should use.

For now i've been working with a fairly simple smb.conf:
    workgroup = DRAKE
    realm = DRAKE.EDU
    netbios name = cowl-backup
    security = ads
    password server = *
    encrypt passwords = yes
    private dir = /etc/samba/private

I believe i have Kerberos set up correctly since the command
    # /usr/local/kerberos/bin/kinit Cowles-Admin@DRAKE.EDU
runs just fine and after running it i can use smbclient to browse shares 
without being prompted for a password. For example, this command to 
connect to Cowles-Admin's profile share works correctly:
    # /usr/local/samba/bin/smbclient '\\Cowles-Library\Cowles-Admin' \
      -U Cowles-Admin -k

I've created an account for the computer (cowl-backup) in AD. When i try 
to join i get an error. Here's what happens:
    # /usr/local/samba/bin/net ads join -U Cowles-Admin    
    Cowles-Admin's password: 
    [2004/06/14 09:56:02, 0] libads/ldap.c:ads_add_machine_acct(1006)
      Host account for cowl-backup already exists - modifying old
    [2004/06/14 09:56:02, 0] libads/ldap.c:ads_join_realm(1336)
      ads_add_machine_acct: No such object
    ads_join_realm: No such object
Using Google i was able to find a few others who had this problem, but 
no solution. If anyone here knows how to fix this, i would appreciate 
knowing about it. Thanks in advance.

On Monday 14 June 2004 05:50 pm, M Maki wrote:
>I'm trying to join a Samba 3.0.4 (compiled from source on Debian) to
> an Active Directory as a member server. I believe Kerberos is
> configured correctly as kinit creates a ticket for the realm.
> Executables appear to have support for Kerberos and LDAP (smbd -b |
> grep KRB and grep LDAP) return OK.
>When I try to join the AD with
>   net ads join -U myadminusername
>I'm prompted for my password but then get:
>   libads/ldap.c:ads_add_machine_acct(1006)
>   Host account for inpsamo-debian already exists - modifying old account
>   libads/ldap.c:ads_join_realm(1336)
>   ads_add_machine_acct: No such object
>   ads_join_realm: No such object
>I only have admin rights for an ou of the Active Directory. Here is a
> Windows LDP search of my ou:
>ldap_search_s(ld, "DC=pwr,DC=int,DC=edited,DC=com", 2, "(ou=SAMO)", attrList, 0, &msg)
>Result <0>: (null)
>Matched DNs:
>Getting 1 entries:
>>> Dn: OU=SAMO,OU=Mediterranean Coast
>	2> objectClass: top; organizationalUnit;
>	1> ou: SAMO;
>	1> description: SAMO;
>	1> distinguishedName: OU=SAMO,OU=Mediterranean Coast
>	1> name: SAMO;
>	1> canonicalName: pwr.int.edited.com/PWR/Mediterranean Coast Network/SAMO;
>I guess my question is could it be how my realm is configured
>(PWR.INT.EDITED.COM) or what else could keep me from joining the
> directory?
>Current smb.conf:
>   unix charset = LOCALE
>   workgroup = PWR
>   realm = PWR.INT.EDITED.COM
>   server string = Samba 3.0.2
>   security = ADS
>   username map = /etc/samba/smbusers
>   log level = 1
>   syslog = 0
>   log file = /var/log/samba/%m
>   max log size = 50
>   printcap name = CUPS
>   ldap ssl = no
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   template primary group = "Domain Users"
>   template shell = /bin/bash
>   winbind separator = +
>   printing = cups
>   comment = Home Directories
>   valid users = %S
>   read only = No
>   browseable = No
>Thanks for any ideas...

Dan Ramaley
Digital Media Library Specialist
(515) 271-1934
Cowles Library 140, Drake University
