[Samba] Managed to make some progress, stuck again.

Simon Renshaw simon at castortech.com
Tue Apr 18 19:14:02 GMT 2006


An update on my work to integrate my Linux server (CentOS 4.3) into AD.

Sorry about the long post :)

Found this page and followed the instructions on it.

First, I made sure that the Samba installation supports Kerberos,
LDAP, AD and Winbind. That was OK.

I made sure that /etc/hosts contains the name of the AD server.

Then I edited /etc/krb5.conf to include the following:

    default_realm = CASTORTECH.COM

    kdc = castor-srvr1.castortech.com

    .kerberos.server = CASTORTECH.COM

I got the default realm name when I ran ksetup on the AD server.

I then tried to connect using kinit administrator@CASTORTECH.COM. It
asks for a password and it returns an error (krb_error 14 KDC has no
support for encryption type). If I use another user (simon, my account
with domain admin rights), it connects and creates a new ticket. To be
sure, I tested with a user that doesn't exist and got a "krb_error 24
Pre-authentication information was invalid". Any idea why administrator
won't connect?

I modified /etc/samba/smb.conf with the info in chapter 13 on the Samba

The pre-Windows 2000 name of the domain is MONTREAL.

[global]
        workgroup = MONTREAL
        realm = CASTORTECH.COM
        preferred master = no
        security = ADS
        template shell = /bin/bash
        idmap uid = 500-10000000
        idmap gid = 500-10000000
        winbind use default domain = yes
        winbind nested groups = yes
        encrypt passwords = yes
        log level = 3
        server string = Linux
        wins server =
        dns proxy = no
        password server = None
        username map = /etc/samba/smbusers

[homes]
        comment = Home Directories
        browseable = no
        writeable = yes

[root]
        path = /
        writeable = yes
        guest ok = yes

Password server was at none by default. Do I need to put the AD server

Not sure if the workgroup needs to be the NetBIOS name of the domain
(MONTREAL) or the AD server name.

[root] is the share I created on my Linux box. Missing anything for

If I run testparm with that config:

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[root]"
Loaded services file OK.

To join the domain, the site says to run net ads join -U Administrator.
Of course, that didn't work (ads_connect: No such file or directory). I
ran net ads join -U administrator --server=castor-srvr1 and got:

[2006/04/18 13:52:13, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for castor-srvr4 already exists -
modifying old account
Using short domain name -- MONTREAL

If I open ADUC I can see the server under Computers. So far so good. I

Now I need to configure Winbind. I edited /etc/nsswitch.conf:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns wins

Then I restarted the services.

I ran a few wbinfo commands to test it.

wbinfo -g

BUILTIN\System Operators
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Account Operators
BUILTIN\Backup Operators

Looks like BUILTIN is on the Linux box instead of AD.

But wbinfo --domain=MONTREAL -g

Error looking up domain groups

Same thing with -u.

I tried net ads info --server=castor-srvr1

LDAP server:
LDAP server name: castor-srvr1
Bind Path: dc=CASTORTECH,dc=COM
LDAP port: 389
Server time: Tue, 18 Apr 2006 14:35:24 GMT
KDC server:
Server time offset: 187

net ads testjoin --server=castor-srvr1

Join is OK

So according to this, the Linux box is in the domain but there is a
problem with Winbind. Or something.

I can't access the Linux box from Windows.

This is where I'm stuck and would appreciate some help.
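Two settings in the quoted smb.conf that a reviewer would flag are the [root] share (path = /, writeable = yes, guest ok = yes) and an idmap uid range that begins at 500, which is where CentOS 4 starts allocating local user accounts, so winbind can hand a domain user the UID of a local one. The script below is an added example, not part of the original post: it parses a constructed smb.conf modelled on that fragment and reports both conditions; the local_uid_max ceiling of 999 is an assumption, as are the function names.

```python
# Constructed sample modelled on the fragment in the post; not the poster's real file.
SAMPLE_SMB_CONF = """\
[global]
        security = ADS
        idmap uid = 500-10000000
[homes]
        writeable = yes
[root]
        path = /
        writeable = yes
        guest ok = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}; Samba ignores case and
    whitespace in parameter names, so keys are folded the same way."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            cur[key.strip().lower().replace(" ", "")] = val.strip()
    return sections

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def is_writable(share):
    """'read only' wins if set; writeable/writable/write ok are its inverted synonyms."""
    if "readonly" in share:
        return not _yes(share["readonly"])
    return any(_yes(share.get(k, "no")) for k in ("writeable", "writable", "writeok"))

def audit_smb_conf(text, local_uid_max=999):
    """Return (section, finding) pairs; local_uid_max is an assumed ceiling for local UIDs."""
    findings = []
    for name, params in parse_smb_conf(text).items():
        if name.lower() == "global":
            low = int(params.get("idmapuid", "0-0").split("-")[0])
            if 0 < low <= local_uid_max:
                findings.append((name, "idmap uid range starts inside local UID space"))
        elif _yes(params.get("guestok", params.get("public", "no"))) and is_writable(params):
            findings.append((name, "guest-writable share"))
        if params.get("path") == "/":
            findings.append((name, "share exports the root filesystem"))
    return findings
```

Run it against a real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; an empty list means none of the three checks fired.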


