[Samba] Problems Joining an ADS domain

Dalton Calford dcalford at distributel.ca
Thu Jan 31 15:51:46 GMT 2008


I have tried the following distributions

Xandros 3
Xandros 4
Suse 10
Fedora 7
Ubuntu 7.10

I have tried with the latest versions of Samba.

To reiterate the situation.

I have Linux machines that log onto the Win2003 ADS domain and use the
domain to authenticate users from the domain.

I cannot add any new Linux boxes to the domain, but those that have
already joined work fine.

Even if I take a working box, remove it from the domain, and do a net ads
join command, it stops working and cannot rejoin the domain, even
though no settings have been changed.

I do not administrate the domain so I do not control what patches have
been applied to the domain, but I need to know what settings need to be
applied on the 2003 domain in order to have it work with samba.

Please help, as this is getting to the point where I will have to pull
all Linux boxes off of our networks as they do not meet company security
policies.


best regards

Dalton


On Wed, 2008-01-23 at 12:14 -0500, Dalton Calford wrote:
> As a followup to this issue,
> 
> 
> net ads join -U username@domain yields
>   ads_join_realm: Operations error
> 
> wbinfo -t yields
>   checking the trust secret via RPC calls failed
>   error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
>   Could not check secret
> 
> net ads testjoin
>   [2008/01/23 11:08:13, 0] libads/kerberos.c:ads_kinit_password(146)
>     kerberos_kinit_password "machinename"@DOMAIN failed: Preauthentication failed
>   [2008/01/23 11:08:14, 0] libads/kerberos.c:ads_kinit_password(146)
>     kerberos_kinit_password "machinename"@DOMAIN failed: Preauthentication failed
>   [2008/01/23 11:08:14, 0] utils/net_ads.c:ads_startup(191)
>     ads_connect: Preauthentication failed
>   Join to domain is not valid
> 
> however kinit username@Domain works
> 
> wbinfo -u
>   error looking up domain users
> 
> wbinfo -g
>   BUILTIN+system operators
>   BUILTIN+replicators
>   BUILTIN+guests
>   BUILTIN+power users
>   BUILTIN+print operators
>   BUILTIN+administrators
>   BUILTIN+account operators
>   BUILTIN+backup operators
>   BUILTIN+users
> 
> none of which are from domain
> 
> We have another machine that is identical to the failing machine in all
> accounts except for its machine name.  This other machine works well.
> The only difference between the machines is that the working machine
> joined the domain months ago when it was first set up and has worked
> perfectly ever since.
> 
> In the meantime, the unix services were patched and we can now no
> longer add any new Linux machines to the domain, even when they have the
> identical configuration.
> 
> Is this a known issue?  What can I try next?
> 
> best regards
> 
> Dalton
> 
> On Tue, 2008-01-22 at 14:53 -0500, Dalton Calford wrote:
> > We are having problems joining onto our 2003 server domain.  This is
> > strange in that other Linux clients on our network are NOT having
> > problems.
> > 
> > It appears that the domain will not allow new Linux machines to join the
> > domain, even when allowing existing machines that have the exact same
> > configuration to authenticate from the domain.
> > 
> > In order to test this I have taken a stripped down Debian box and
> > performed a new install.
> > 
> > I have installed Samba 3.0.28 with winbind and krb5.
> > I have configured the boxes but when I attempt to perform a kinit, I get
> > the following response:
> > 
> > kinit(v5): KDC reply did not match expectations while getting initial
> > credentials
> > 
> > Has anyone else encountered this?
> > 
> > best regards
> > 
> > Dalton
> > 
> 


