[Samba] net ads join fails
Penny Willisson
Penny.Willisson at Ellisonslegal.com
Tue Apr 12 08:31:06 GMT 2005
No, neither /var/kerberos/krb5kdc/ nor /var/log/krb5/ exist. Is this part of the problem?
For Craig White and anyone new to the problem, here are the outputs of some files.
>cat /etc/resolv.conf
search ellisonslegal.com
domain ellisonslegal.com
nameserver 10.0.0.31
>cat /etc/krb5.conf
[libdefaults]
default_realm = ELLISONSLEGAL.COM
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true
[domain_realm]
ellisonslegal.com = ELLISONSLEGAL.COM
.ellisonslegal.com = ELLISONSLEGAL.COM
[realms]
ELLISONSLEGAL.COM = {
kdc = 10.0.0.31
default_domain = ELLNET
admin_server = 10.0.0.31
}
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}
>kinit Administrator
>and/or
>kinit Administrator at ellingsonlegal.com
I do not have the kinit command
I am running Samba 3.0.13 on Suse Linux 9.0
Thank you for your help
Penny
-----Original Message-----
From: Radu.STANUC at cec.eu.int [mailto:Radu.STANUC at cec.eu.int]
Sent: 11 April 2005 16:57
To: Penny Willisson
Subject: RE: [Samba] net ads join fails
Try that, it is working for me
[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log
[libdefaults]
ticket_lifetime = 24000
default_realm = BLABLA.COM
forwardable = true
proxiable = true
[realms]
BLABLA.COM = {
kdc = ip_address_of_kdc
default_domain = blabla.com
}
[domain_realm]
.blabla.com = BLABLA.COM
blabla.com = BLABLA.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
Check if /var/kerberos/krb5kdc/ and /var/log/krb5/ exist, also replace
BLABLA.COM and blabla.com with the right value
Radu STANUC
-----Original Message-----
From: samba-bounces+radu.stanuc=cec.eu.int at lists.samba.org
[mailto:samba-bounces+radu.stanuc=cec.eu.int at lists.samba.org] On Behalf Of
Penny Willisson
Sent: Monday, April 11, 2005 3:43 PM
To: Gordon Hopper; ernesto.pereirinha at atminformatica.pt
Cc: samba at lists.samba.org
Subject: RE: [Samba] net ads join fails
I have recreated my dns pointers without success and I think my krb5.conf
file is configured correctly. First I left this to Yast to set up but that
didn't work and then I tried to modify it from an article I found.
I have pasted it in below
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300
[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
#default_domain = ELLNET
#kpasswd_server = apps.ellisonslegal.com
}
#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}
#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}
[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
Dimitri would you be able to repost that link for the HOW-TO please? I
tried it but it seems like it is broken, do you have the updated link?
Thanks for your continued help.
Penny
-----Original Message-----
From: Gordon Hopper [mailto:g.hopper at computer.org]
Sent: 09 April 2005 00:23
To: Penny Willisson
Subject: RE: [Samba] net ads join fails
You might need to add some entries to your krb5.conf file. For example:
[realms]
ellisonslegal.com = {
kdc = domain.controller.ellisonslegal.com:88
}
Where kdc points to a domain controller. Doesn't need to be the primary
domain controller, choose one close by for best performance. (You
shouldn't need to do this if your DNS for the domain resolves to a domain
controller.)
Gordon
On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:
Thanks
When I run 'kinit administrator' I get the following error
kinit: krb5_get_init_creds: unable to reach any KDC in realm
ellisonslegal.com
any ideas???
-----Original Message-----
From: samba-bounces+pw=ellisonslegal.com at lists.samba.org
[mailto: samba-bounces+pw=ellisonslegal.com at lists.samba.org]On Behalf Of
Dimitri Yioulos
Sent: 08 April 2005 13:30
To: samba at lists.samba.org
Subject: Re: [Samba] net ads join fails
On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
> Hi
>
> I have created the machine account on the AD server and did this logged in
> as Administrator so that should mean that the Administrator account has the
> correct permissions.
>
> I have executed the following command as suggested
>
> net ads join Administrator at apps.ellisonslegal.com -d 2
>
> The following was output to the screen:
>
> [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
>
> added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
>
> [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
>
> kerberos_kinit_password Administrator at APPS.ELLISONSLEGAL.COM failed:
> Unknown code krb5 156
>
> [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
>
> ads_connect: Unknown code krb5 156
>
> [2005/04/08 13:33:41, 2] utils/net.c:main(897)
>
> return code = -1
>
> Thanks
>
> Penny
>
> -----Original Message-----
> From: Gordon Hopper [mailto: g.hopper at computer.org]
> Sent: 06 April 2005 05:28
> To: Penny Willisson
> Subject: Re: [Samba] net ads join fails
>
>
>
> [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
>
> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
> directory)
>
> [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
>
> kerberos_kinit_password Administrator at ELLISONSLEGAL.COM failed: Unknown code krb5 156
>
> [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
>
> ads_connect: Unknown code krb5 156
>
>
>
>
> I suggest you post the output of the command you are running to join the
> domain (including the command), for example, "net ads join -U
> username at ds.domain.com -d 2".
>
> Also, note that the credentials you use to join the domain are not
> necessarily the domain Administrator, but they need to be a user who has
> write privileges to the ads folder where the machine account will be
> created. (It worked better for me when the machine account was already
> created in server manager, but according to the docs, that shouldn't be
> necessary.)
>
> It almost looks like the password failed. Or perhaps the folder you
> specified for the machine account does not exist.
>
> Regards,
>
> Gordon Hopper
Try the command "kinit Administrator" (or "Administrator at yourdomain.com"). You
should be prompted for a password. If, after entering the password, you're
returned to a prompt with no further output then, in theory at least, your
Kerberos setup is OK. If you get errors, well ... Run that first, then try
"net ads join -U Administrator at yourdomain.com".
A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.
HTH.
Dimitri
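Added example, not part of any message in this thread: a small krb5.conf check for the conditions the thread keeps running into (no default_realm, a realm without a kdc line, a join principal whose realm is not configured). The function names `parse_krb5` and `lint` are hypothetical, the sample is trimmed from the krb5.conf pasted on 11 April, and the principal is written with `@` where the archive shows " at ".

```python
import re

# Trimmed from the krb5.conf pasted in the 11 April message of this thread.
SAMPLE = """\
[libdefaults]
#default_realm = ellisonslegal.com
[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
}
[domain_realm]
.ellisonslegal.com = ELLISONSLEGAL.COM
"""

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None                  # end of a realm or appdefaults block
        elif section is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def lint(conf, principal=None):
    """Hypothetical checks for the join failures discussed in the thread."""
    out, lib, realms = [], conf.get("libdefaults", {}), conf.get("realms", {})
    default = lib.get("default_realm")
    if default is None:
        out.append("no default_realm in [libdefaults]")
    elif default != default.upper():
        out.append(f"default_realm {default!r} is not upper case")
    for name, body in realms.items():
        if not (isinstance(body, dict) and body.get("kdc")):
            out.append(f"realm {name!r} has no kdc entry")
    realm = principal.rsplit("@", 1)[1] if principal and "@" in principal else None
    if realm and realm not in realms:
        out.append(f"principal realm {realm!r} has no [realms] entry; KDC must come from DNS")
    return out
```

Calling `lint(parse_krb5(SAMPLE), "Administrator@APPS.ELLISONSLEGAL.COM")` reports the commented-out default_realm and the fact that the principal from the 8 April join attempt names a realm the file does not define.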