[Samba] Problem getting Solaris 8 server to join an AD Domain

Cowan, Christopher O SRA GARRISON-FSHTX Christopher.Cowan at samhouston.army.mil
Fri May 6 21:30:27 GMT 2005

I went out and compiled the latest MIT krb5-1.4, openldap-2.2.23, and Samba
3.0.14a. I am able to authenticate fine using kinit, and use smbclient -k
with no problems.


I cannot get the server to join the domain with net ads join -U xxxxx. I
am getting the error:


ads_connect: Strong(er) authentication required


The AD server is running Win2003, and we do not have administrative access
to the domain. Some of my coworkers have admin access limited to specific
OUs. I am wondering whether this message may be related to the fact that
we are running with NTLMCompatibility Mode 3.


I used AFS and DCE/DFS for years, so I know my way around Kerb4 and 5. Not
being a Windows AD guru, I'm not sure if the NTLMCompat setting applies to
Kerberos (I thought this basically shut off the older, non-Kerberized
authentication methods). I also saw some blurbs in the list archive about
having to reset user passwords at least once on Win2003 AD servers in order
to get the password encoded correctly. Perhaps the machine principal needs
to be manually set in a similar fashion. We also tried enabling delegation,
but discovered that top-level policy prevents us from enabling it.


My question is, will I be able to get this server to join the domain?




