[Samba] RE: Problem getting Solaris 8 server to join an AD Domain
Cowan, Christopher O SRA GARRISON-FSHTX
Christopher.Cowan at samhouston.army.mil
Mon May 16 18:23:24 GMT 2005
A little more time using Google, and I found the following:
On Thu, 21 Oct 2004 12:47:17 -0400, Jeremy Naylor <jnaylor at gmail.com
<http://lists.samba.org/mailman/listinfo/samba-technical> > wrote:
> Hello!
>
> In trying to get a linux machine to join a Win2k3 AD domain, I kept
> getting this error message when I ran "net join -U admin":
>
> [2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
> ads_connect: Strong(er) authentication required
>
> After much googling and experimentation, I discovered that this was
> caused by having this set in the Security Policy on the DC:
>
> Domain Controller: LDAP server signing requirements = Require Signing
>
> Changing this to "None" got it working. I assume this is because the
> openldap code doesn't support signing? I couldn't find anything about
> that.
>
> I've attached a patch that enables TLS in the libads code. The
> "Require Signing" setting allows for SSL/TLS instead of signing..
> There needs to be a certificate installed on the domain controller for
> TLS to work, but that's better than signing anyway. You also need the
> CA certificate to verify the server cert, adding "TLS_CACERT
> /etc/samba/testca.cer" to /etc/openldap/ldap.conf (after exporting the
> CA cert and saving it in testca.cer) got that working.
>
> I've only tested this on Fedora Core 2 with a DC that has "Require
> Signing" set and has a certificate installed, but setting "ldap ssl =
> off" should disable it.
>
> Can someone let me know if there's anything else I need to do to get
> this feature integrated in the trunk?
>
> Thanks!
>
> -Jeremy
>
>
>
Unfortunately, I will not be able to have the LDAP signing disabled and most
likely will not be able to have a cert installed on our KDC.
Is there a technique for manually creating a machine account on both ends
(using the same password) and then generating a keytab file?
Otherwise, it appears that I am S.O.L.
_____
From: Cowan, Christopher O SRA GARRISON-FSHTX
Sent: Friday, May 06, 2005 4:30 PM
To: 'samba at lists.samba.org'
Subject: Problem getting Solaris 8 server to join an AD Domain
I went out and compiled the latest MIT krb5-1.4, openldap-2.2.23, and Samba
3.0.14a. I am able to authenticate fine using kinit, and use smbclient -k
with no problems.
I can not get the server to join the domain with net ads join -U xxxxx. I
am getting the error
ads_connect: Strong(er) authentication required
The AD server is running Win2003, and we do not have administrative access
to the domain. Some of my coworkers have admin access limited to specific
OUs. I am wondering whether this message may be related to the fact that
we are running with NTLMCompatibility Mode 3.
I used AFS and DCE/DFS for years, so I know my way around Kerb4 and 5. Not
being a Windows AD guru, I'm not sure if the NTLMCompat setting applies to
Kerberos (I thought this basically shutoff the older, non-Kerberized
authentication methods). I also saw some blurbs in the list archive about
having to reset user passwords at least once on Win2003 AD servers in order
to get the password encoded correctly. Perhaps the machine principal needs
to manually set in a similar fashion. We also tried enabling delegation,
but discovered that top-level policy prevents use from enabling it.
My question is, will I be able to get this server to join the domain?
More information about the samba
mailing list