[Samba] Joining a Linux Machine to a Windows 2003 Active Directory Domain

Chris Peterman c.peterman at gmail.com
Thu Nov 1 02:42:05 GMT 2007

I talked with the AD admin and he realized that ADJoin doesn't have the full 
complement of privileges needed. So he tried his (full admin) account and it 
still doesn't work. He noticed that klist dumped something weird out...

I dunno if this is the right place to talk about Kerberos, but since this 
relates to the whole Samba thing, here is the output from kinit + klist:

Script started on Wed 31 Oct 2007 01:26:18 PM EDT
[root at 0-1-3-1d-38-f2 ~]# kinit petermcv at AD.CLARKSON.EDU
mwinscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared 
file: /var/run/pcscd.pub
Password for petermcv at AD.CLARKSON.EDU: 
[root at 0-1-3-1d-38-f2 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: petermcv at AD.CLARKSON.EDU

Valid starting     Expires            Service principal
10/31/07 13:27:10  10/31/07 23:27:13  krbtgt/AD.CLARKSON.EDU at AD.CLARKSON.EDU
	renew until 11/01/07 13:27:10

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at 0-1-3-1d-38-f2 ~]# 
Script done on Wed 31 Oct 2007 01:27:24 PM EDT

He thought it was odd that it was appending AD.CLARKSON.EDU to the domain. The 
krb5.conf is basically what is in the article with appropriate values subbed 

On Monday 29 October 2007 12:05:38 you wrote:
> Chris,
> Does the user "adjoin" have privileges to join the domain?  Usually the
> user "Administrator" is used.
> For clarification see:
> http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html#id37
> The command "net rpc rights list -U adjoin" must return
> "SeMachineAccountPrivilege".
> I used the same article to set up my systems, and Administrator seems to
> have these rights by default, because it's always worked with no
> intervention on my part.  Once you get this part working, a good
> followup article is:
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
> Good luck,
> Dale
> C.Peterman wrote:
> > Hey all, I'm trying to join a Linux machine running CentOS 5, Samba
> > version 3.0.23 to a Windows 2003 Active Directory. I can authenticate
> > successfully against Kerberos, but I cannot seem to join the domain. I'm
> > using instructions from this article
> > http://www.enterprisenetworkingplanet.com/netos/article.php/3487081 but
> > when I get to the join command I get this
> >
> > [root at 0-1-3-1d-38-f2 ~]# net ads join -U adjoin
> > adjoin's password:
> > Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
> > Failed to join domain!
> >
> > Any help would be most welcome!
> >
> > ~ Chris "Kyral" Peterman
> > Communications & Media Undergraduate
> > Clarkson University Class of 2008

~ Chris "Kyral" Peterman
Communications & Media Undergraduate
Clarkson University
Associate Member of the Free Software Foundation
Member of the Association for Computing Machinery
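
An added example, not part of the original message: a Python check of the klist output shown above before attempting `net ads join`. A same-realm ticket-granting ticket has the service principal form krbtgt/REALM@REALM, so the check compares that realm with the default principal's realm and confirms the ticket is inside its validity window. The function names are hypothetical, and the sample is constructed from the output in the message with the archive's " at " written back as "@".

```python
import re
from datetime import datetime

# Constructed sample: the klist output from the message above, with the list
# archive's " at " address obfuscation written back as "@".
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: petermcv@AD.CLARKSON.EDU

Valid starting     Expires            Service principal
10/31/07 13:27:10  10/31/07 23:27:13  krbtgt/AD.CLARKSON.EDU@AD.CLARKSON.EDU
\trenew until 11/01/07 13:27:10
"""

TICKET = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
    r"\s+(\S+)(?:@| at )(\S+)\s*$")
FMT = "%m/%d/%y %H:%M:%S"  # date layout used in the output above

def parse_klist(text):
    """Return (default_principal_realm, [ticket dicts]) from klist output."""
    realm, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            realm = re.split(r"@| at ", line.split(":", 1)[1].strip())[-1]
        m = TICKET.match(line)
        if m:
            tickets.append({"start": datetime.strptime(m.group(1), FMT),
                            "end": datetime.strptime(m.group(2), FMT),
                            "service": m.group(3), "realm": m.group(4)})
    return realm, tickets

def check_tgt(text, now):
    """List problems with the cached TGT; an empty list means it is usable."""
    realm, tickets = parse_klist(text)
    if realm is None:
        return ["no default principal (no credential cache?)"]
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    if not tgts:
        return ["no krbtgt ticket in cache"]
    problems = []
    for t in tgts:
        # A same-realm TGT names the realm twice: krbtgt/REALM@REALM.
        if t["service"] != "krbtgt/" + realm or t["realm"] != realm:
            problems.append("mismatched TGT: %s@%s" % (t["service"], t["realm"]))
        if not t["start"] <= now < t["end"]:
            problems.append("TGT not valid at %s" % now)
    return problems
```
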