[Samba] Problem joining a domain using ads

Jochen Kaechelin manikawa at gissmoh.de
Sat Jun 11 09:24:17 GMT 2005


server:		ms 2003 with ads
client:		debian 3.1/samba 3.0.14

smb.conf:

..
[global]
workgroup = SP-GRUPPE
password server = 10.85.117.150
realm = SP-GRUPPE.DE
encrypt passwords = no
server string = %h server (Samba %v)
obey pam restrictions = yes
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
server signing = Auto
printcap name = cups
preferred master = no
domain master = no
dns proxy = no
ldap ssl = No
panic action = /usr/share/samba/panic-action %d
invalid users = root
printing = cups
print command =
lpq command =
lprm command =
security = ads
restrict anonymous = no
local master = no
template shell = /bin/bash
winbind uid = 10000-20000
winbind gid = 10000-20000
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/ads/%U
max protocol = NT
use spnego = yes
.
.
.

krb5.conf:
[libdefaults]
        default_realm = SP-GRUPPE.DE

[realms]
SP-GRUPPE.DE = {
         kdc = 10.85.117.150
         admin_server = 10.85.117.150
         default_domain = SP-GRUPPE.DE
         kpasswd_server = 10.85.117.150
}

"kinit jkt@SP-GRUPPE.DE" works with no error messages.

"smbd -b | grep KRB" shows:

   HAVE_KRB5_H
   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
   HAVE_KRB5
   HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
   HAVE_KRB5_C_ENCTYPE_COMPARE
   HAVE_KRB5_ENCRYPT_BLOCK
   HAVE_KRB5_ENCRYPT_DATA
   HAVE_KRB5_FREE_DATA_CONTENTS
   HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS
   HAVE_KRB5_FREE_KTYPES
   HAVE_KRB5_FREE_UNPARSED_NAME
   HAVE_KRB5_GET_PERMITTED_ENCTYPES
   HAVE_KRB5_KEYBLOCK_IN_CREDS
   HAVE_KRB5_KEYTAB_ENTRY_KEY
   HAVE_KRB5_KT_FREE_ENTRY
   HAVE_KRB5_LOCATE_KDC
   HAVE_KRB5_MK_REQ_EXTENDED
   HAVE_KRB5_PRINCIPAL2SALT
   HAVE_KRB5_PRINC_COMPONENT
   HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
   HAVE_KRB5_SET_REAL_TIME
   HAVE_KRB5_STRING_TO_KEY
   HAVE_KRB5_TKT_ENC_PART2
   HAVE_KRB5_USE_ENCTYPE
   HAVE_LIBGSSAPI_KRB5
   HAVE_LIBKRB5

"net ads info" shows:

LDAP server: 10.85.117.150
LDAP server name: sp-ad01
Realm: SP-GRUPPE.DE
Bind Path: dc=SP-GRUPPE,dc=DE
LDAP port: 389
Server time: Sat, 11 Jun 2005 11:22:45 GMT
KDC server: 10.85.117.150
Server time offset: 22

"net ads status -Ujkt" shows:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: laptopjkt
distinguishedName: CN=laptopjkt,CN=Computers,DC=SP-GRUPPE,DC=DE
instanceType: 4
whenCreated: 20050611063806.0Z
whenChanged: 20050611085635.0Z
uSNCreated: 2705148
uSNChanged: 2705928
name: laptopjkt
objectGUID: 0fbb166e-29a2-4458-928f-e9fa32c2d6b8
userAccountControl: 4096
badPwdCount: 5
codePage: 0
countryCode: 0
badPasswordTime: 127629552317795000
lastLogoff: 0
lastLogon: 127629537953576250
localPolicyFlags: 0
pwdLastSet: 0
primaryGroupID: 515
objectSid: S-1-5-21-854245398-287218729-1801674531-2647
accountExpires: 9223372036854775807
logonCount: 33
sAMAccountName: laptopjkt$
sAMAccountType: 805306369
objectCategory: 
CN=Computer,CN=Schema,CN=Configuration,DC=SP-GRUPPE,DC=DE
isCriticalSystemObject: FALSE
mS-DS-CreatorSID:



"net ads join -U jkt" shows:

[2005/06/11 11:04:44, 0] libads/ldap.c:ads_add_machine_acct(1405)
  ads_add_machine_acct: Host account for laptopjkt already exists - 
modifying old account
[2005/06/11 11:04:44, 0] libads/ldap.c:ads_join_realm(1763)
  ads_join_realm: ads_add_machine_acct failed (laptopjkt): 
Insufficient access
ads_join_realm: Insufficient access


What's wrong?

-- 
       _                         _          _      
  __ _(_)___ ___ _ __ ___   ___ | |__    __| | ___ 
 / _` | / __/ __| '_ ` _ \ / _ \| '_ \  / _` |/ _ \
| (_| | \__ \__ \ | | | | | (_) | | | || (_| |  __/
 \__, |_|___/___/_| |_| |_|\___/|_| |_(_)__,_|\___|
 |___/                                             


