FW: [Samba] net ads join fails

Dimitri Yioulos dyioulos at firstbhph.com
Mon Apr 11 15:43:57 GMT 2005


OK, this is closer.

Change [realms] kpasswd_server to admin_server.

I also believe that [domain realm] should read: 
ellisonlegal.com = ELLISONLEGAL.COM
.ellisonlegal.com = ELLISONLEGAL.COM

I would add to [libdefaults]:
dns_lookup_realm = true
dns_lookup_kdc = true

Try this and report back (like a good IT soldier :-) )

Dimitri

On Monday 11 April 2005 10:58 am, you wrote:
> OK, I deleted the incorrect conf file and set it up using Yast again; here is
> the amended file.  I tried using the IP address of the server this time but
> I'm still getting the same errors as before.
>
> [libdefaults]
> default_realm = ELLISONSLEGAL.COM
> clockskew = 300
>
> [domain_realm]
> .ELLNET = ELLISONSLEGAL.COM
>
> [realms]
> ELLISONSLEGAL.COM = {
>   kdc = 10.0.0.31
>   default_domain = ELLNET
>   kpasswd_server = 10.0.0.31
> }
>
> [appdefaults]
> pam = {
>   ticket_lifetime = 1d
>   renew_lifetime = 1d
>   forwardable = true
>   proxiable = false
>   retain_after_close = false
>   minimum_uid = 0
> }
>
>
>
> Thanks
>
> -----Original Message-----
> From: Penny Willisson
> Sent: 11 April 2005 14:43
> To: 'Gordon Hopper'; 'ernesto.pereirinha at atminformatica.pt'
> Cc: Dimitri Yioulos; samba at lists.samba.org
> Subject: RE: [Samba] net ads join fails
>
>
> I have recreated my dns pointers without success and I think my krb5.conf
> file is configured correctly.  First I left this to Yast to set up but that
> didn't work and then I tried to modify it from an article I found.
>
> I have pasted it in below.
> [libdefaults]
> #default_realm = ellisonslegal.com
> clockskew = 300
>
> [realms]
> ELLISONSLEGAL.COM = {
>   kdc = apps.ellisonslegal.com
>   #default_domain = ELLNET
>   #kpasswd_server = apps.ellisonslegal.com
> }
>
> #ELLISONSLEGAL.COM = {
> # kdc = APPS.ELLISONSLEGAL.COM
> # admin_server = APPS.ELLISONSLEGAL.COM
> # kpasswd_server = APPS.ELLISONSLEGAL.COM
> #}
>
> #OTHER.REALM = {
> # kdc = OTHER.COMPUTER
> #}
>
> [domain_realm]
> # .my.domain = MY.REALM
> .ellisonslegal.com = ELLISONSLEGAL.COM
>
> [logging]
> default = SYSLOG:NOTICE:DAEMON
> kdc = FILE:/var/log/kdc.log
> kadmind = FILE:/var/log/kadmind.log
>
> [appdefaults]
> pam = {
>   ticket_lifetime = 1d
>   renew_lifetime = 1d
>   forwardable = true
>   proxiable = false
>   retain_after_close = false
>   minimum_uid = 0
>   debug = false
> }
>
>
> Dimitri, would you be able to repost that link for the HOW-TO please?  I
> tried it but it seems like it is broken; do you have the updated link?
>
> Thanks for your continued help.
>
> Penny
>
> -----Original Message-----
> From: Gordon Hopper [mailto:g.hopper at computer.org]
> Sent: 09 April 2005 00:23
> To: Penny Willisson
> Subject: RE: [Samba] net ads join fails
>
>
> You might need to add some entries to your krb5.conf file.  For example:
>
> [realms]
> ellisonslegal.com = {
>   kdc = domain.controller.ellisonslegal.com:88
> }
>
>
> Where kdc points to a domain controller.  Doesn't need to be the primary
> domain controller, choose one close by for best performance.   (You
> shouldn't need to do this if your DNS for the domain resolves to a domain
> controller.)
>
> Gordon
>
>
>
> On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:
>
> Thanks
>
> When I run 'kinit administrator' I get the following error
>
> kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com
>
> any ideas???
>
> -----Original Message-----
> From:  samba-bounces+pw=ellisonslegal.com at lists.samba.org
> [mailto: samba-bounces+pw=ellisonslegal.com at lists.samba.org]On Behalf Of
> Dimitri Yioulos
> Sent: 08 April 2005 13:30
> To:  samba at lists.samba.org
> Subject: Re: [Samba] net ads join fails
>
>
> On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
> > Hi
> >
> > I have created the machine account on the AD server and did this logged in
> > as Administrator so that should mean that the Administrator account has the
> > correct permissions.
> >
> > I have executed the following command as suggested
> >
> > net ads join  Administrator at apps.ellisonslegal.com -d 2
> >
> > The following was output to the screen:
> >
> > [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
> > added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
> > [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
> > kerberos_kinit_password  Administrator at APPS.ELLISONSLEGAL.COM failed: Unknown code krb5 156
> > [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
> > ads_connect: Unknown code krb5 156
> > [2005/04/08 13:33:41, 2] utils/net.c:main(897)
> > return code = -1
> >
> > Thanks
> >
> > Penny
> >
> > -----Original Message-----
> > From: Gordon Hopper [mailto: g.hopper at computer.org]
> > Sent: 06 April 2005 05:28
> > To: Penny Willisson
> > Subject: Re: [Samba] net ads join fails
> >
> > [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
> >   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> > [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
> >   kerberos_kinit_password   Administrator at ELLISONSLEGAL.COM failed: Unknown code krb5 156
> > [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
> >   ads_connect: Unknown code krb5 156
> >
> > I suggest you post the output of the command you are running to join the
> > domain (including the command), for example, "net ads join -U
> > username at ds.domain.com -d 2".
> >
> > Also, note that the credentials you use to join the domain are not
> > necessarily the domain Administrator, but they need to be a user who has
> > write privileges to the ads folder where the machine account will be
> > created.  (It worked better for me when the machine account was already
> > created in server manager, but according to the docs, that shouldn't be
> > necessary.)
> >
> > It almost looks like the password failed.  Or perhaps the folder you
> > specified for the machine account does not exist.
> >
> > Regards,
> >
> > Gordon Hopper
>
> Try the command "kinit Administrator" (or "Administrator at yourdomain.com").
> You should be prompted for a password.  If, after entering the password, you're
> returned to a prompt with no further output then, in theory at least, your
> Kerberos setup is OK. If you get errors, well ...  Run that first, then try
> "net ads join -U  Administrator at yourdomain.com".
>
> A good how-to can be found at:
> http://www.ulug.org.nz/ActiveDirectorySamba.
>
> HTH.
>
> Dimitri
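
A small lint for the krb5.conf points raised in this thread (default_realm set, a kdc or DNS lookup for the realm, admin_server, and [domain_realm] entries for the DNS domain), added here as an example and not code from Samba or from any poster. The function names and the choice of checks are assumptions; the sample is the second file posted in the thread, and the DNS domain is taken as ellisonslegal.com, the spelling used in the poster's files.

```python
import re

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                          # blank line or comment
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()                       # end of a "name = {" block
        elif "=" in line and stack:
            key, val = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = {} if val == "{" else val   # last value wins
            if val == "{":
                stack.append(stack[-1][key])
    return conf

def lint(text, dns_domain):
    """Return findings for the points raised in the thread; [] means none."""
    conf = parse_krb5(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if realm is None:
        return ["libdefaults: default_realm missing or commented out"]
    block = conf.get("realms", {}).get(realm, {})
    found = []
    if "kdc" not in block and lib.get("dns_lookup_kdc") != "true":
        found.append(f"realms: no kdc for {realm} and dns_lookup_kdc is not true")
    if "admin_server" not in block:
        found.append(f"realms: admin_server not set for {realm}")
    for name in (dns_domain, "." + dns_domain):
        if conf.get("domain_realm", {}).get(name) != realm:
            found.append(f"domain_realm: {name} not mapped to {realm}")
    return found

# Second krb5.conf posted in the thread, condensed to the lines the checks read.
POSTED = """[libdefaults]
default_realm = ELLISONSLEGAL.COM
[domain_realm]
.ELLNET = ELLISONSLEGAL.COM
[realms]
ELLISONSLEGAL.COM = {
kdc = 10.0.0.31
kpasswd_server = 10.0.0.31
}
"""
```

Calling `lint(POSTED, "ellisonslegal.com")` reports the missing admin_server and the two missing [domain_realm] entries; the `.ELLNET` mapping uses the NetBIOS name, so it matches no DNS host name.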

