[Samba] Unable to join AD domain

Alfredo Ramos ralf at rice.edu
Fri Jul 6 22:09:31 GMT 2007

I have a problem joining the AD domain. And this problem has kept us 
from upgrading to any other release of samba since 3.0.14a. That is the 
release we're running on our production server. That release was the 
last one to successfully join the domain.

The short version of the problem:

   The samba server refuses to use 'TCP' when running the 'net' command 
to join the domain. And the DC refuses to use UDP to answer to the samba 

The long version now:

  On the 3.0.14a release, we can force the communication with the DC to 
go over TCP by specifying 'tcp' on the "kdc = ..." entry in the 
krb5.conf file. Every other release since then promptly ignores the 
krb5.conf file, so all communication with the DC goes over UDP. I have 
snooped the traffic from the samba server to the DC, and every time I 
see the miscommunication taking place.

  What seems even more confusing is the fact that, if I trace the 'net 
ads status' command, I see where the krb5.conf file is read and 
communication with the DC takes place using TCP. But if I trace the 'net 
ads join' command, the krb5.conf is never even considered. I don't see 
the process stat()ing/opening it at all. It seems as if the 'net join' 
command doesn't need to read any Kerberos config file. It seems to 
assume it knows what to do automagically.

  The samba server is running Red Hat Enterprise Linux 4. The samba 
package was built with the latest packages: heimdal-0.8.1, 
openldap-2.3.36, sasl-2.1.22, openssl-0.9.8e. The krb5.conf and the 
smb.conf files look as follows:

[libdefaults]
   default_realm = AD.RICE.EDU
   #      default_tkt_enctypes = rc4-hmac
   #      default_tgs_enctypes = rc4-hmac
   default_etypes = des-cbc-crc
   large_msg_size = 1
   #   default_etypes = des-cbc-crc                "Have tried all these combinations to no avail"
   #   default_etypes_des = des-cbc-crc
   #   default_tkt_enctypes = des-cbc-md5
   #   default_tgs_enctypes = des-cbc-md5
   #      default_tkt_enctypes = rc4-hmac
   #      default_tgs_enctypes = rc4-hmac

[realms]
   AD.RICE.EDU = {
      kdc = tcp/support-dc6......
      admin_server = support-dc6.......
   }

   RICE.EDU = {
      kdc = kerberos.rice.edu.
      kdc = cerberos.rice.edu.
      admin_server = kerberos.rice.edu.
   }

[domain_realm]
   .ad.rice.edu = AD.RICE.EDU
   .rice.edu = RICE.EDU

[global]
   unix charset = LOCALE
   workgroup = ADRICE
   server string = Samba RN2
   security = ADS
   realm = AD.RICE.EDU
   allow trusted domains = No
   encrypt passwords = yes
   username map = /etc/samba/smbusers
   ldap ssl = no
   idmap uid = 500-10000000
   idmap gid = 500-10000000
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   winbind enum users = Yes
   winbind enum groups = Yes
   password server = support-dc6.......
   wins server = 128.X.X.X


Please help.
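A loopback model of the UDP/TCP behaviour the post describes, added here as an illustration; it is not Samba, Heimdal or MIT Kerberos code and it talks to a constructed fake KDC, not a real DC. Only two wire details are real Kerberos: the KRB_ERR_RESPONSE_TOO_BIG error code (52, RFC 4120 section 7.5.9) that a KDC returns when a reply will not fit in a UDP datagram, and the 4-byte big-endian length prefix on TCP messages (RFC 4120 section 7.2.2). The request/reply strings, the realm AD.EXAMPLE.TEST, the 1400-byte UDP ceiling and the "PAC" padding that makes AD replies outgrow a datagram are constructed stand-ins. The client does what a Kerberos library is expected to do: try UDP, retry over TCP when the KDC says the reply is too big, or skip UDP altogether when a udp_preference_limit-style setting tells it to (the effect of `kdc = tcp/host` in a Heimdal krb5.conf, or `udp_preference_limit = 1` in an MIT one). A client that never falls back to TCP, or never reads the setting, is exactly the failure being reported above.

```python
"""Loopback model of the Kerberos UDP -> TCP fallback (constructed example)."""
import socket
import struct
import threading

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 s7.5.9: reply too large for UDP
MAX_UDP_REPLY = 1400            # constructed: largest reply the fake KDC puts in a datagram
ERROR_REPLY = b"KRB-ERROR:%d" % KRB_ERR_RESPONSE_TOO_BIG  # constructed stand-in for KRB-ERROR


def fake_rep(request):
    """Constructed stand-in for AS-REP: 'AS-REQ:<realm>:<pac_bytes>' -> reply padded
    by <pac_bytes>, modelling the PAC that makes AD tickets outgrow a datagram."""
    _, realm, pac_bytes = request.split(b":")
    return b"AS-REP:" + realm + b":" + b"P" * int(pac_bytes)


def tcp_frame(msg):
    """RFC 4120 s7.2.2: 4-octet big-endian length, high bit reserved (zero)."""
    if len(msg) >= 0x80000000:
        raise ValueError("message too large for Kerberos TCP framing")
    return struct.pack("!I", len(msg)) + msg


def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def tcp_read_msg(conn):
    """Read one length-prefixed Kerberos TCP message, rejecting the reserved bit."""
    length = struct.unpack("!I", recv_exact(conn, 4))[0]
    if length & 0x80000000:
        raise ValueError("reserved high bit set in TCP length prefix")
    return recv_exact(conn, length)


class FakeKDC:
    """Loopback KDC answering on UDP and TCP from one port, like a DC on 88."""

    def __init__(self):
        self.tcp, self.udp, self.port = self._bind_pair()
        self.tcp.listen(5)
        for serve in (self._serve_udp, self._serve_tcp):
            threading.Thread(target=serve, daemon=True).start()

    @staticmethod
    def _bind_pair():
        for _ in range(20):  # take a free TCP port, then try the same number on UDP
            tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            tcp.bind(("127.0.0.1", 0))
            udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            try:
                udp.bind(("127.0.0.1", tcp.getsockname()[1]))
                return tcp, udp, tcp.getsockname()[1]
            except OSError:
                tcp.close()
                udp.close()
        raise RuntimeError("could not bind UDP and TCP to one port number")

    def _serve_udp(self):
        while True:
            req, peer = self.udp.recvfrom(65535)
            rep = fake_rep(req)
            # A real DC does the same: if the reply will not fit, answer error 52.
            self.udp.sendto(rep if len(rep) <= MAX_UDP_REPLY else ERROR_REPLY, peer)

    def _serve_tcp(self):
        while True:
            conn, _ = self.tcp.accept()
            with conn:
                conn.sendall(tcp_frame(fake_rep(tcp_read_msg(conn))))


def kdc_exchange(request, port, udp_preference_limit=None):
    """Client side: UDP first unless the request exceeds udp_preference_limit
    (MIT semantics; 1 means 'always TCP'), TCP on KRB_ERR_RESPONSE_TOO_BIG.
    Returns (reply, transports_tried)."""
    tried = []
    if udp_preference_limit is None or len(request) <= udp_preference_limit:
        tried.append("udp")
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(5)
            s.sendto(request, ("127.0.0.1", port))
            rep = s.recv(65535)
        if not rep.startswith(b"KRB-ERROR:"):
            return rep, tried
        if int(rep.split(b":")[1]) != KRB_ERR_RESPONSE_TOO_BIG:
            raise RuntimeError(rep.decode())
    tried.append("tcp")
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(tcp_frame(request))
        return tcp_read_msg(s), tried
```

Start a `FakeKDC()` and call `kdc_exchange(b"AS-REQ:AD.EXAMPLE.TEST:4000", kdc.port)`: the UDP attempt comes back as error 52 and the reply arrives over TCP, so `transports_tried` is `["udp", "tcp"]`; with `udp_preference_limit=1` it is `["tcp"]` only. When diagnosing a real join, the equivalent check is a capture on port 88: a UDP KRB-ERROR with error code 52 that is not followed by a TCP retry means the client is ignoring the transport setting, which is what the post reports for the newer `net ads join`.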


