[Samba] net ads leave / join desperation

sbl soundbastlerlive at gmx.at
Wed Mar 16 02:47:31 GMT 2005

hi everyone! 

i'm desperate. all i was supposed to do was leave the current ADS (w2k DC), in which samba has been working flawlessly (except for the excel sharing bug and permission problems) for 1,5 years, and integrate it into the new w2k3 DC.

now for versions and misc data: 
gds-2.6.11-r3 SMP 
samba-3.0.11 something (latest ~x86 as of Mar14) 
mit-krb5 (latest ~x86 as of Mar14) 
old domain: ABC.com 
new domain: DEF.local 
(well not ABC and DEF but you get the point) 
old DC (w2k) 
new DC (w2k3) 
local IP 

unfortunately i forgot the net ads leave command and edited all files like smb.conf, krb5.conf, resolv.conf.
anyways i couldn't join, because it somehow remembered the old domain name, and it still does.

see 3

1) what files to clean??? i removed all .tdb files (/etc/samba/private and /var/lib/samba/private) and removed all /var/cache/samba/files and somehow it remembers ABC.com - that was driving me crazy.

2) because i couldn't join, i undid all config stuff and tried leaving the old domain, didn't work either.
the problem was that i always was asked for the machine account password (fileserver$)?! nobody can know this one, as it's random garbage i thought (stored somewhere in some
options like -U are ignored for the leave command and i have never seen it ask for the machine account password, doesn't make any sense to my simple mind at least...

3) i tried harder cleaning up and joining the new domain, but to no avail.
i rebooted enough times and times were always checked to be within <60s of each other (because of krb5).

now this is as far as i can get 

fileserver # net ads join -UAdministrator@DEF%desperation
[2005/03/15 01:07:40, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password Administrator@DEF failed: KDC reply did not match expectations
[2005/03/15 01:07:40, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: KDC reply did not match expectations

before that i had pre-auth errors or other stuff.
IF i use the wrong pass i get a pre-auth error, so at least SOMETHING must be
if i leave out the @DEF it appends @ABC.COM, driving me crazy because i already did a "grep ABC -iR *" in /etc a zillion times, but there's no trace left, must be some binary storage somewhere.

i tried resetting the machine account in the old domain, i deleted it, i created one in the new domain in advance (and set it to allow older stuff, i think this means older protocols) etc. etc.
kdestroy, etc.

please cc to soundbastlerlive {blah at- blah} gmx [d o t] at if you reply!
(no typo, not s.blaster)

many thanks, 
regards from austria 

p.s.: also during winbind startup i get "Could not fetch sid for our domain DEF" in the logfile. do i need winbind anyway?
i thought i did when i set up this server ~1,5 years ago and never bothered again, as it was working.
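A realm-consistency check for the "KDC reply did not match expectations" failure quoted in the post, as an added example that is not part of the original message: it verifies that smb.conf, krb5.conf and the principal given to net ads join all name the same fully qualified, upper-case realm. The sample config files and their paths under $TMPDIR are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not code from the Samba list post. Kerberos realm names are
# case-sensitive, and "KDC reply did not match expectations" is a common symptom
# of the realm being spelled differently in smb.conf, krb5.conf and the
# principal given to "net ads join" (e.g. DEF vs DEF.LOCAL vs a stale ABC.COM).

# conf_value FILE KEY -> value of the first "KEY = value" line in FILE, trimmed
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# principal_realm USER@REALM -> realm part; empty when no @REALM was given
principal_realm() {
    case "$1" in *@*) printf '%s\n' "${1#*@}" ;; *) printf '\n' ;; esac
}

# realm_wellformed REALM -> 0 if fully qualified (contains a dot) and upper-case
realm_wellformed() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# check_join_realms SMBCONF KRB5CONF PRINCIPAL -> 0 when all three agree on one
# well-formed realm, 1 (with the reason on stdout) otherwise
check_join_realms() {
    smb=$(conf_value "$1" realm)
    krb=$(conf_value "$2" default_realm)
    prn=$(principal_realm "$3")
    [ -n "$prn" ] || prn=$smb   # with no @REALM, net appends the smb.conf realm (as the post observed)
    realm_wellformed "$smb" || { echo "smb.conf realm '$smb' must be an upper-case FQDN"; return 1; }
    [ "$smb" = "$krb" ] || { echo "smb.conf realm '$smb' != krb5.conf default_realm '$krb'"; return 1; }
    [ "$smb" = "$prn" ] || { echo "join principal realm '$prn' != configured realm '$smb'"; return 1; }
    echo "realm '$smb' is consistent across smb.conf, krb5.conf and the join principal"
}

# Constructed sample files (assumed paths under $TMPDIR) for the post's new domain DEF.local
tmp=${TMPDIR:-/tmp}/adsdiag.$$
mkdir -p "$tmp"
printf '[global]\n   workgroup = DEF\n   realm = DEF.LOCAL\n   security = ads\n' > "$tmp/smb.conf"
printf '[libdefaults]\n   default_realm = DEF.LOCAL\n' > "$tmp/krb5.conf"
printf '[libdefaults]\n   default_realm = ABC.COM\n' > "$tmp/krb5-stale.conf"

check_join_realms "$tmp/smb.conf" "$tmp/krb5.conf" 'Administrator@DEF.LOCAL'        # consistent
check_join_realms "$tmp/smb.conf" "$tmp/krb5.conf" 'Administrator@DEF' || true      # short realm, as in the post
check_join_realms "$tmp/smb.conf" "$tmp/krb5-stale.conf" 'Administrator' || true    # leftover old realm
```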

