[Samba] ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requ

Doug VanLeuven roamdad at sonic.net
Fri Feb 3 02:03:44 GMT 2006


David Shapiro wrote:
> /etc/host, resolv.conf are fine.  nsswitch.conf does not exist on aix
> systems, but I did add the winbindd entry where aix expects it.    I
> guess we will see if people respond, but I noticed nobody answered this
> type of question in the past...

Not that many people using AIX.

> 
>>>>Dimitri Yioulos <dyioulos at firstbhph.com> 2/2/2006 10:18 AM >>>
> 
> 
> On Thursday February 02 2006 8:49 am, David Shapiro wrote:
> 
>>Is there no fix for this?  Nobody answers this for me or other people
>>asking this question.
>>
>>I really need help with this.  Is there anything I can be looking at?
>>
>>I am not getting past doing a simple kinit
>>Administrator at MYREALM.COM.  It gives me the Cannot resolve network
>>address for KDC as well.  Does ads not like krb5?  Does it need krb4?
>>
>>Why doesn't kerberos provide any messages in the logs?  Any suggestions
>>on ways to figure out what is going on?  I tried truss, but that does
>>not show much other than I do see it looking in /etc/krb5.conf and
>>/usr/local/etc/krb5.conf.  I can use tcpdump, but I am not sure what

AIX wants krb5.conf in /etc/krb5/krb5.conf.
Doesn't hurt to use a symbolic link:
cd /etc
mkdir krb5
cd /etc/krb5
ln -s ../krb5.conf krb5.conf    # /etc/krb5/krb5.conf -> /etc/krb5.conf

> 
>>to be looking for?
>>
>>
>>>>>Dimitri Yioulos <dyioulos at firstbhph.com> 2/1/2006 10:15:49 AM
>>>>
>>On Wednesday February 01 2006 9:41 am, David Shapiro wrote:
>>
>>>Hello,
>>>
>>>I am having a problem getting my server to join our realm as a domain
>>>member server.   I have read through google, yahoo, and this list, but I
>>>cannot find the answer yet.
>>>
>>>When I run: net join ads -Uadministrator and try to login it gives the
>>>following error:
>>>
>>> kerberos_kinit_password Administrator at MYREALM.COM failed: Cannot
>>>resolve network address for KDC in requested realm
>>>[2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
>>>  ads_connect: Cannot resolve network address for KDC in requested
>>>realm
>>>
>>>The details of my setup are:
>>>
>>>aix 5.2.0.7
>>>libiconv-1.9.1
>>>autoconf-2.59
>>>libiodbc-3.52.4
>>>bison-2.0
>>>m4-1.4.3
>>>db-4.4.20
>>>mysql-connector-odbc-3.51.12
>>>krb

Not good enough.  You need to specify what version of Kerberos.
Also it looks like you may be using the linux affinity
toolkit.  Did you compile your own Kerberos?

>>>samba-3.0.21a
>>>
>>>../configure --prefix=/usr/local/samba --with-ads --with-ldap
>>>--with-winbind --with-acl-support --with-utmp --with-quotas
>>>--with-sendfile-support
>>>
>>>openldap-2.3.19
>>>
>>>./configure --enable-crypt --without-cyrus-sasl
>>>
>>>
>>>unixODBC-2.2.11
>>>gcc 3.3.2
>>>
>>>/etc/krb5.conf:
>>>
>>>[libdefaults]
>>>        default_realm = MYREALM.COM
>>>        default_etypes = des-cbc-crc des-cbc-md5
>>>        default_etypes_des = des-cbc-crc des-cbc-md5

The way it works is this.
If you override the defaults
   if your version of Kerberos doesn't support rc4-hmac (<1.3.4),
     you must not specify it (doh).
   else if your version of Kerberos supports rc4-hmac (>=1.3.4),
     you must specify rc4-hmac as one of the allowable enctypes
   else userAccountControl in ldap doesn't get set up in
        agreement with your manual krb5 spec on net join.

My current 1.3.6 and previous versions of Kerberos use these parameters
default_tgs_enctypes
default_tkt_enctypes
permitted_enctypes

"enctypes" not "etypes"

>>>        ticket_lifetime = 24000
>>>        clockskew = 300
>>>        dns_lookup_realm = false
>>>        dns_lookup_kdc = false
>>>
>>>[realms]
>>>        MYREALM.COM = {
>>>                kdc = myadsserver.mydomain.com
>>>                default_domain = mydomain.com
>>>        }
>>>
>>>[domain_realm]
>>>        .mydomain.com = MYREALM.COM

While it's not impossible to have a different REALM
than domain name, MS doesn't do it and you're asking
for extra problems.  MS sometimes makes assumptions that
have to be worked around.  For a first time test, try
[libdefaults]
   default_realm = MYDOMAIN.COM
   ...
[realms]
   MYDOMAIN.COM = {
   ...

Probably already too late.

>>
>>In krb5.conf, try this:
>>
>>[realms]
>>  YOURDOMAIN.COM = {
>>       default_domain = yourdomain.com
>>       kdc = xxx.xxx.xxx.xxx   (my note - use ip address of AD server)
>>       admin_server = xxx.xxx.xxx.xxx  (my note - use ip address of AD server)
>>}
>>
>>HTH.
>>
>>Dimitri
>>
> 
> David,
> 
> Firstly, be mindful that the list is made up of volunteers who do their
> best to provide answers as quickly as possible.  Sometimes you may have to
> wait a bit longer, but I've always found these folks to be most kind and
> helpful.  Give 'em a chance.

I've come up on deadlines,
come to the end of my rope,
and not had the budget for paid assistance,
and asked the same question out of desperation.
Always punish myself afterwards.
Bad Doug Bad Dog.

> 
> Now, after that mild rebuke:  I have little experience with AIX; my
> responses are based on my work with Samba on Linux.  That said, I believe
> that you should have nsswitch.conf and resolv.conf files on the system.
> Are these configured correctly?  Is pam.d/login configured correctly?
> 
> Dimitri
> 

Regards, Doug
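Added here as a worked example, not code from the thread or from Samba: a small Python checker for the krb5.conf mistakes discussed above (the misspelled default_etypes keys, a KDC name that does not resolve, and a realm that differs from the DNS domain). The sample configuration, the host dc1.mydomain.com, the address 192.0.2.10 and the offline resolver are constructed; KNOWN_LIBDEFAULTS holds only the key names that appear in this thread.

```python
# Added example, not from the thread: lint a krb5.conf for the mistakes discussed above.
import socket
KNOWN_LIBDEFAULTS = {"default_realm", "default_tgs_enctypes", "default_tkt_enctypes",
                     "permitted_enctypes", "ticket_lifetime", "clockskew",
                     "dns_lookup_realm", "dns_lookup_kdc"}   # key names seen in this thread
SAMPLE_CONF = ("[libdefaults]\n default_realm = MYREALM.COM\n default_etypes = des-cbc-crc\n"
               "[realms]\n MYREALM.COM = {\n  kdc = myadsserver.mydomain.com\n }\n"
               "[domain_realm]\n .mydomain.com = MYREALM.COM\n")  # constructed, mirrors the thread

def parse_krb5_conf(text):
    conf, section, realm = {}, None, None          # {section: {key: value}}, realms nest once
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):                  # "REALM = {" opens a sub-block
            realm = line[:-1].split("=")[0].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif line:
            key, _, val = line.partition("=")
            (conf[section][realm] if realm else conf[section])[key.strip()] = val.strip()
    return conf

def fake_resolve(host):                           # constructed offline stand-in
    if host != "dc1.mydomain.com":                # for socket.gethostbyname
        raise OSError(f"{host}: unknown host")
    return "192.0.2.10"

def check_krb5_conf(text, resolve=socket.gethostbyname):
    """Return a list of problems; `resolve` is injectable so checks can run offline."""
    conf, problems = parse_krb5_conf(text), []
    lib = conf.get("libdefaults", {})
    problems += [f"unknown libdefaults key '{k}' (use *_enctypes)"
                 for k in lib if k not in KNOWN_LIBDEFAULTS]
    realm = lib.get("default_realm", "")
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc")
    if not kdc:
        problems.append(f"no kdc entry for realm {realm}")
    else:
        try:
            resolve(kdc)                          # the ads_connect failure in the thread
        except OSError:
            problems.append(f"kdc '{kdc}' does not resolve")
    problems += [f"realm {realm} differs from domain {d}; AD expects them to match"
                 for d, r in conf.get("domain_realm", {}).items()
                 if r == realm and d.lstrip(".").upper() != realm]
    return problems
```

Calling check_krb5_conf with the default resolver does a live DNS lookup of the kdc entry, which is exactly what kinit and net ads join need to succeed.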

