[Samba] Strong(er) authentication required when joining Active Directory (Samba 3.0.28)

Naadir Jeewa naadir at randomvariable.co.uk
Tue Apr 1 15:07:20 GMT 2008


Hello all,

I'm having problems getting Samba to join a Windows AD. I am a delegated
OU admin, and have no direct access to the domain controller. We have 3
DCs in one domain where my OU exists. The users I wish to authenticate
are in a different domain.

I have set up Kerberos and can receive tickets correctly.

I run

net -d 4 ads join createcomputer=[Delegated OU] -U [account with join permissions]

After filling in a password, I get the following:

[2008/04/01 16:06:01, 4] libsmb/namequery_dc.c:ads_dc_name(139)
  ads_dc_name: using server= dc_server' IP=dc_ip
ccspmed's password:
[2008/04/01 16:06:03, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: ", *"
[2008/04/01 16:06:03, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 3 ip addresses in an ordered list
[2008/04/01 16:06:03, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.10.250.17:389 10.10.250.3:389 10.10.250.1:389
[2008/04/01 16:06:03, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.10.250.17
[2008/04/01 16:06:03, 4] libads/ldap.c:ads_current_time(2414)
  time offset is -5 seconds
[2008/04/01 16:06:03, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = dc_server
[2008/04/01 16:06:03, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2008/04/01 16:06:03, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Wed, 02 Apr 2008 02:05:58 BST
[2008/04/01 16:06:03, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Strong(er) authentication required
Failed to join domain: Strong(er) authentication required
[2008/04/01 16:06:03, 2] utils/net.c:main(1036)
  return code = -1

Any help appreciated.

Yours,

Naadir Jeewa
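
Added example, not part of the original post and not Samba's own code: a small parser for the debug output format above that names the SPNEGO mechanisms the DC offered, checks the clock offset against the default 300-second Kerberos tolerance, and flags the level-1 error, whose text is OpenLDAP's string for LDAP result code 8 (strongAuthRequired). The sample log is constructed in the same format, and `joinuser` is a hypothetical account name.

```python
import re

# Constructed sample in the debug format shown in the post (hypothetical user).
SAMPLE = """\
[2008/04/01 16:06:03, 4] libads/ldap.c:ads_current_time(2414)
  time offset is -5 seconds
joinuser's password:
[2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/04/01 16:06:03, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found)
[2008/04/01 16:06:03, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Strong(er) authentication required
"""

HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] (\S+):(\w+)\((\d+)\)$")
MECHS = {  # well-known SPNEGO mechanism OIDs
    "1.2.840.48018.1.2.2": "MS-KRB5 (legacy Microsoft Kerberos OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.113554.1.2.2.3": "Kerberos 5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
MAX_SKEW = 300  # default Kerberos clock-skew tolerance, in seconds

def records(text):
    """Group each header with its message lines, rejoining mail-wrapped text."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append({"level": int(m[2]), "func": m[4], "msg": ""})
        elif out and line.strip() and not line.endswith("password:"):
            out[-1]["msg"] = (out[-1]["msg"] + " " + line.strip()).strip()
    return out

def triage(text):
    report = {"mechs": [], "skew_ok": None, "errors": [], "ldap_code_8": False}
    for r in records(text):
        if (m := re.search(r"got OID=([\d ]+)", r["msg"])):
            oid = ".".join(m[1].split())
            report["mechs"].append(MECHS.get(oid, oid))
        elif (m := re.search(r"time offset is (-?\d+) seconds", r["msg"])):
            report["skew_ok"] = abs(int(m[1])) <= MAX_SKEW
        if r["level"] <= 1:  # Samba logs hard failures at debug level 0 or 1
            report["errors"].append((r["func"], r["msg"]))
            report["ldap_code_8"] |= "Strong(er) authentication required" in r["msg"]
    return report
```
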



