[Samba] Unable to join AD

Roberto Navarro - TusProfesionales.es rnavarro at tusprofesionales.es
Tue Jun 20 16:02:47 GMT 2006



Hello everybody,

I'm going crazy trying to get my Linux box to work with Active
Directory.

It's a Fedora Core 4, and these are the installed RPMs:

[root at desarrollo ~]# cat /etc/redhat-release 
Fedora Core release 4 (Stentz)
[root at desarrollo ~]# rpm -qa|grep samba
samba-3.0.14a-2
samba-common-3.0.14a-2
[root at desarrollo ~]# rpm -qa|grep krb  
krb5-libs-1.4.1-5
krb5-workstation-1.4.1-5
krb5-devel-1.4.1-5
pam_krb5-2.1.15-2
krb5-server-1.4.1-5
[root at desarrollo ~]#

Kerberos auth seems to work OK. This is the Kerberos config:

[root at desarrollo ~]# cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OUR.DOMAIN.COM
 dns_lookup_realm = yes
 dns_lookup_kdc = yes
 ticket_lifetime = 24h
 forwardable = yes
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 noaddresses = false

[realms]
 OUR.DOMAIN.COM = {
  kdc = 192.168.0.206:88
  admin_server = 192.168.0.206:749
  default_domain = OUR.DOMAIN.COM
 }

[domain_realm]
 .our.domain.com = OUR.DOMAIN.COM
 our.domain.com = OUR.DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


[root at desarrollo ~]# cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 OUR.DOMAIN.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

And the output of kinit and klist:

[root at desarrollo ~]# kinit Administrador at OUR.DOMAIN.COM   
Password for Administrador at OUR.DOMAIN.COM: 
[root at desarrollo ~]# 

[root at desarrollo ~]# klist 
klist: You have no tickets cached
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrador at OUR.DOMAIN.COM

Valid starting     Expires            Service principal
06/20/06 17:50:10  06/21/06 03:50:07  krbtgt/OUR.DOMAIN.COM at OUR.DOMAIN.COM
        renew until 06/21/06 17:50:10


Kerberos 4 ticket cache: /tmp/tkt0

Also, we have tested kpasswd, and it changes the Administrador
password as expected.


This is our Samba config:

[root at desarrollo ~]# cat /etc/samba/smb.conf

[global]
workgroup = OURWORKGROUP
netbios name = DESARROLLO
realm = OUR.DOMAIN.COM
security = ADS
template shell = /bin/bash
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind use default domain = Yes
winbind nested groups = Yes

And this is what happens when we try to test the domain join:

[root at desarrollo ~]# net ads --debuglevel=2 testjoin
[2006/06/20 17:56:57, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.0.32 bcast=192.168.0.255 nmask=255.255.255.0
[2006/06/20 17:56:57, 2] lib/interface.c:add_interface(81)
  added interface ip=86.109.160.35 bcast=86.109.160.255 nmask=255.255.255.0
[2006/06/20 17:56:57, 1] libads/ldap.c:ads_server_info(2454)
  ads_server_info: returned ldap server name (host/terminal-server.our.domain.com at OUR.DOMAIN.COM) does not contain '$@' so was deemed invalid
[2006/06/20 17:56:57, 1] libads/ldap.c:ads_connect(289)
  Failed to get ldap server info
[2006/06/20 17:56:57, 1] libads/ldap.c:ads_server_info(2454)
  ads_server_info: returned ldap server name (host/terminal-server.our.domain.com at OUR.DOMAIN.COM) does not contain '$@' so was deemed invalid
[2006/06/20 17:56:57, 1] libads/ldap.c:ads_connect(289)
  Failed to get ldap server info
[2006/06/20 17:56:57, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Decoding error
Join to domain is not valid
[2006/06/20 17:56:57, 2] utils/net.c:main(897)
  return code = -1


Thanks in advance for any kind of help

______________
Regards,
Roberto Navarro
SysAdmin - TusProfesionales, SL
