[Samba] Re: Authentication against AD?

Dimitri Yioulos dyioulos at firstbhph.com
Thu Sep 15 21:33:28 GMT 2005


On Thursday 15 September 2005 4:17 pm, you wrote:
> Dimitri Yioulos wrote:
> >On Thursday 15 September 2005 3:32 pm, you wrote:
> >></snip>
> >>
> >>Ok I think I have found my problem.  I need to find a way to map Samba
> >>to an active directory common name:
> >>
> >>%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"  (example,
> >>I know the syntax is incorrect)
> >>
> >>As far as I can tell it is hard coded in the net ads join routine to
> >>tack on the ou=users vs. cn=users, anyone shed some light on this?
> >
> >Uh, I must be missing something here. This is a pretty straightforward
> > set-up, right?  You want to join this Samba box to a Win2k3 server for
> > file- or print-serving purposes?  I've always felt that you get a basic
> > set-up working first, then start to get fancy.
> >
> >AFAIK:
> >
> >1. kinit Administrator@MYDOMAIN.COM
> >(You'll be prompted for a password.  My systems simply return me to a
> > prompt if I'm successful.)
> >2. net ads join -U Administrator@MYDOMAIN.COM
> >(Again, you'll be prompted for a password. Info about the machine joining
> > the AD is returned)
> >
> >Beyond this, someone else will have to help out.
> >
> >Best,
> >
> >Dimitri
>
> Yeah this works, I can get my krb creds:
>
> jason@odin-newb:~> kinit Admin@DOMAIN.COM
> Password for Admin@DOMAIN.COM:
> jason@odin-newb:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Admin@DOMAIN.COM
>
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/DOMAIN.COM@DOMAIN.COM
>         renew until 09/16/05 14:12:30
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> And this works as well:
>
> Admin@DOMAIN.COM's password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
>   ads_add_machine_acct: Host account for odin-newb already exists -
> modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>
> But when testing, using wbinfo -u or getent I am getting only the local
> passwd accounts.
>
> jason@odin-newb:~> wbinfo -u
> Error looking up domain users
>
> And here is where my accounts need to be authenticated from
>
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
>
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I can
> get more info on this.

So, you're not authenticating against ADS?  If you are, are you sure the 
winbind daemon is running?

Dimitri
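The thread shows two observations side by side: a healthy `klist` (a valid krbtgt for the realm) and a failing `wbinfo -u`. The triage helper below is an added example, not code from the thread or from Samba; it parses the MIT `klist` output format as quoted above (the list archive rendered `@` as ` at `, which is undone here) and the `wbinfo -u` error text, and reports which layer to look at first. The sample strings are constructed from the quoted output; `ts()`, `triage()` and the other names are this example's own.

```python
"""Triage helper for a Samba AD join: read `klist` and `wbinfo -u` output."""
import re
from datetime import datetime

# Constructed sample, modelled on the klist output quoted in the thread
# (assumption: the two-digit-year MM/DD/YY HH:MM:SS format shown there).
KLIST_SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Admin@DOMAIN.COM

Valid starting     Expires            Service principal
09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 09/16/05 14:12:30
"""

# Constructed sample of the failing wbinfo call quoted in the thread.
WBINFO_SAMPLE = "Error looking up domain users\n"

TS_FORMAT = "%m/%d/%y %H:%M:%S"
# A ticket line starts with two timestamps followed by the service principal;
# the indented "renew until" line and the column header do not match.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$",
    re.M)
PRINCIPAL_RE = re.compile(r"^Default principal:\s*(\S+)", re.M)


def ts(text):
    """Parse a klist-style timestamp into a datetime."""
    return datetime.strptime(text, TS_FORMAT)


def parse_klist(text):
    """Return (default_principal, [(service, valid_from, expires), ...])."""
    match = PRINCIPAL_RE.search(text)
    principal = match.group(1) if match else None
    tickets = [(svc, ts(start), ts(end)) for start, end, svc in TICKET_RE.findall(text)]
    return principal, tickets


def tgt_for_realm(tickets, realm, now):
    """Return the krbtgt ticket for `realm` that is valid at `now`, or None."""
    wanted = "krbtgt/%s@%s" % (realm, realm)
    for svc, start, end in tickets:
        if svc == wanted and start <= now < end:
            return (svc, start, end)
    return None


def triage(klist_text, wbinfo_text, realm, now):
    """Turn the two observations into an ordered list of findings."""
    findings = []
    principal, tickets = parse_klist(klist_text)
    if principal is None or not principal.upper().endswith("@" + realm.upper()):
        findings.append("no Kerberos principal in realm %s; run kinit first" % realm)
    if tgt_for_realm(tickets, realm, now) is None:
        findings.append("no valid TGT for %s at %s" % (realm, now))
    if "Error looking up domain users" in wbinfo_text:
        # Kerberos is fine but winbind cannot enumerate users: look at winbindd
        # and the machine account (wbinfo -t) before the CN/OU layout question.
        findings.append("wbinfo -u failed: check that winbindd is running and that "
                        "wbinfo -t succeeds before looking at DN layout")
    if not findings:
        findings.append("Kerberos and winbind look healthy")
    return findings


if __name__ == "__main__":
    for line in triage(KLIST_SAMPLE, WBINFO_SAMPLE, "DOMAIN.COM", ts("09/15/05 14:13:00")):
        print(line)
```

Run against the thread's own output, the helper reports only the winbind finding, which matches the reply's suggestion: the Kerberos side is proven by the valid TGT, so the next check is whether winbindd is up and trusts the machine account, not the CN=Users versus OU=Users question.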

