[Samba] Samba AD member
Bratukhin Vladimir
bravp at swbet.com
Tue May 31 09:29:27 GMT 2005
Hello,
I have the following problems with my Samba 3.0.12 on FreeBSD 5.4.
We have an Active Directory here, and a domain.
root at freeway# testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section "[public]"
Processing section "[private]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = Samba Server
security = ADS
log file = /var/log/samba/log.%m
max log size = 1024
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
domain master = No
idmap uid = 20000-30000
idmap gid = 20000-30000
template shell = /usr/sbin/nologin
winbind use default domain = Yes
winbind nested groups = Yes
hosts allow = 192.168.0., 127.
include = /usr/local/etc/smb-shares.conf
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
SWBET.COM = {
kdc = pdc.domain.com
kdc = bdc.domain.com
admin_server = pdc.domain.com
default_domain = domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
root at freeway# kinit sysadmin
sysadmin at SWBET.COM's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
This appears in the Win2k event log when I'm entering the right password:
event code 675
Pre-authentication failed:
User Name: sysadmin
User ID: DOMAIN\sysadmin
Service Name: krbtgt/DOMAIN.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.168.0.1
According to the micro$oft KB, a preauth failure can be fixed if you set the
account flag "Do not require kerberos preauthentication". User root is set
with this flag.
root at freeway# kinit
root at DOMAIN.COM's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
^^ here there is no error in the MS event log
So kinit goes through with no error.
Now, joining the domain using root:
root at freeway# net ads join -U root
root's password:
[2005/05/31 12:28:19, 0] libads/ldap.c:ads_join_realm(1763)
ads_join_realm: ads_add_machine_acct failed (freeway): Insufficient access
ads_join_realm: Insufficient access
That's because of this flag.
Joining the domain using sysadmin of course fails because of the
preauthentication failure.
What have I done wrong?
Thanks for any help.
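
Added example, not part of the original post: a small Python check that cross-references the realm names in a krb5.conf, run here on the [libdefaults], [realms] and [domain_realm] sections as posted above. The names parse_krb5 and lint_realms are hypothetical, and since the poster's prompts show both DOMAIN.COM and SWBET.COM, the mismatch it reports may only reflect partial anonymisation of the post.

```python
import re

# [libdefaults], [realms] and [domain_realm] as posted in the message above
POSTED_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
SWBET.COM = {
kdc = pdc.domain.com
kdc = bdc.domain.com
admin_server = pdc.domain.com
default_domain = domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
"""

def parse_krb5(text):
    """Return {section: {key: [values]}}; a '{ ... }' stanza becomes key -> [dict]."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, stanza = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            stanza = None  # end of the current realm stanza
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                stanza = {}
                section.setdefault(key, []).append(stanza)
            else:
                (stanza if stanza is not None else section).setdefault(key, []).append(value)
    return conf

def lint_realms(conf):
    """Report realms referenced without a [realms] stanza, and stanzas never referenced."""
    lib, defined = conf.get("libdefaults", {}), set(conf.get("realms", {}))
    dns = lib.get("dns_lookup_kdc", ["unset"])[-1]
    refs = [("default_realm", r) for r in lib.get("default_realm", [])]
    refs += [(f"domain_realm {h}", r) for h, rs in conf.get("domain_realm", {}).items() for r in rs]
    out = [f"{src} -> {r}: no [realms] stanza; KDC discovery relies on DNS (dns_lookup_kdc = {dns})"
           for src, r in refs if r not in defined]
    out += [f"[realms] {r}: defined but never referenced" for r in sorted(defined - {r for _, r in refs})]
    return out

if __name__ == "__main__":
    print("\n".join(lint_realms(parse_krb5(POSTED_KRB5_CONF))))
```

On the posted file this reports DOMAIN.COM three times as lacking a stanza and SWBET.COM as an unreferenced stanza, so the listed kdc and admin_server entries are not the ones consulted for the default realm.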