[Samba] Problems Joining an ADS domain

Dalton Calford dcalford at distributel.ca
Wed Jan 23 17:14:17 GMT 2008 

As a followup to this issue,


net ads join -U username at domain yields   ads_join_realm: Operations
error

  wbinfo -t yields   checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

net ads testjoin   [2008/01/23 11:08:13, 0]
libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password "machinename"@DOMAIN failed: Preauthentication
failed
[2008/01/23 11:08:14, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password "machinename"@DOMAIN failed: Preauthentication
failed
[2008/01/23 11:08:14, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Preauthentication failed
Join to domain is not valid

however kinit username at Domain works   wbinfo -u error looking up domain
users   wbinfo -g BUILTIN+system operators
BUILTIN+replicators
BUILTIN+guests
BUILTIN+power users
BUILTIN+print operators
BUILTIN+administrators
BUILTIN+account operators
BUILTIN+backup operators
BUILTIN+users

none of which are from domain

We have another machine, that is identical to the failing machine in all
accounts except for it's machine name.  This other machine works well.
The only difference between the machines is that the working machine
joined the domain months ago when it was first set up and has worked
perfectly ever since.

In the meantime, the unix services where patched and we can now no
longer add any new linux machines to the domain, even when they have the
identical configuration.

Is this a known issue?  What can I try next?

best regards

Dalton







On Tue, 2008-01-22 at 14:53 -0500, Dalton Calford wrote:
> We are having problems joining onto our 2003 server domain.  This is
> strange in that other linux clients on our network are NOT having
> problems.
> 
> It appears that the domain will not allow new linux machines to join the
> domain, even when allowing existing machines that have the exact same
> configuration, to authenticate from the domain.
> 
> In order to test this I have taken a stripped down debian box and
> performed a new install.
> 
> I have installed samba 3.0.28 with winbind and krb5
> I have configured the boxes but when I attempt to perform a kinit, I get
> the following response
> 
> kinit(v5): KDC reply did not match expectations while getting initial
> credentials
> 
> Has anyone else encountered this?
> 
> best regards
> 
> Dalton
>

More information about the samba mailing list