[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS
jpetersson at garnser.se
Thu Sep 24 01:00:07 MDT 2009
So I reverted back to an old snapshot and gave this a quick test.
Without any Kerberos configuration I get the following error message
when I try to join the domain:
[root at presidio3 ~]# net ads join -U Administrator
Enter Administrator's password:
[2009/09/23 23:58:48, 0] libads/kerberos.c:ads_kinit_password(362)
kerberos_kinit_password Administrator at GARNSER.SE failed: Cannot find
KDC for requested realm
Failed to join domain: failed to connect to AD: Cannot find KDC for
Any idea why this is?
On Wed, Sep 23, 2009 at 11:53 PM, Jonathan Petersson
<jpetersson at garnser.se> wrote:
> Going to try this a bit more tomorrow with a fresh install, please see
> inline responses.
> I'm thinking that I may have some Kerberos stuff hanging around, I
> noticed that there's a smb_krb5 directory with kdc data in
> On Wed, Sep 23, 2009 at 11:37 PM, Adam Nielsen <adam.nielsen at uq.edu.au> wrote:
>>> Thanks for the input Adam,
>>> In my case I've full control of the AD domain and just run net ads
>>> join which is successful, shows up in AD.
>>> Here's my current config, can you see anything in it that I should
>>> consider adding or removing?
>>> workgroup = PRESIDIO
>>> password server = pdc.garnser.se
>>> realm = garnser.se
>> I would remove the password server, and (not being that familiar with
>> the set up side of AD) shouldn't the workgroup be GARNSER? Or the realm
>> be presidio.garnser.se? Mind you if you can join the domain it would
>> seem these values are correct.
> I named my workgroup differently from the domain/realm, I can
> successfully join the domain.
>> Just to confirm these values are correct, on a Windows PC, go Control
>> Panel, System, Computer Name (where you can rename the PC) and on that
>> page it should list the domain - is that garnser.se? That domain should
>> be what is put in the realm.
> The domain is equal to the realm.
>> Likewise when you log in to a Windows PC, you can choose the domain you
>> want to log in to from a drop-down list. Is that PRESIDIO? The value
>> there should be the same as what you put in workgroup.
> This is the same.
>>> template shell = /bin/bash
>> This will allow your AD users to SSH into your machine (just checking!)
> Yes that's intentional.
>>> netbios name = presidio3
>> Is presidio3.garnser.se the full DNS name of your machine? Not sure if
>> it makes a difference but it can't hurt to make the NetBIOS and DNS
>> names match.
> It's identical.
>>> use kerberos keytab = yes
>>> client use spnego = yes
>> I don't have either of these two options set.
>>> auth methods = winbind
>> I don't have "auth methods" set, and the manpage recommends against
>> setting it.
>> Otherwise it looks fine. After updating these options you could try
>> erasing all Samba's .tdb files to make it forget it belongs to a domain,
>> then add it again fresh. I would be very surprised if that didn't work.
> Thanks again!
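
Added example, not part of the original thread: a small Python check that applies the smb.conf review comments quoted above to a configuration file. The `[global]` header, the function names and the sample text are assumptions built from the settings quoted in the thread.

```python
# Added example: lint the [global] section of an smb.conf against the review
# comments quoted in this thread. The rules cover only what the thread says.

SAMPLE_SMB_CONF = """\
[global]
    workgroup = PRESIDIO
    password server = pdc.garnser.se
    realm = garnser.se
    template shell = /bin/bash
    netbios name = presidio3
    use kerberos keytab = yes
    client use spnego = yes
    auth methods = winbind
"""  # constructed from the settings quoted in the thread; [global] header assumed


def parse_global(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)     # only the first '=' separates
            params[" ".join(name.lower().split())] = value.strip()
    return params


def lint(text, dns_name):
    """Return (parameter, note) findings; dns_name is the host's full DNS name."""
    p = parse_global(text)
    findings = []
    if "password server" in p:
        findings.append(("password server", "reply suggests removing it"))
    if "auth methods" in p:
        findings.append(("auth methods", "reply says the manpage recommends against setting it"))
    for name in ("use kerberos keytab", "client use spnego"):
        if name in p:
            findings.append((name, "not set on the replier's system"))
    short = dns_name.split(".", 1)[0].lower()    # host part of the DNS name
    if p.get("netbios name", short).lower() != short:
        findings.append(("netbios name", f"does not match DNS host name {short!r}"))
    return findings


if __name__ == "__main__":
    for param, note in lint(SAMPLE_SMB_CONF, "presidio3.garnser.se"):
        print(f"{param}: {note}")
```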