[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

Jonathan Petersson jpetersson at garnser.se
Thu Sep 24 01:00:07 MDT 2009


So I reverted back to an old snapshot and gave this a quick test.
Without any Kerberos configuration I get the following error message
when I try to join the domain:

[root at presidio3 ~]# net ads join -U Administrator
Enter Administrator's password:
[2009/09/23 23:58:48,  0] libads/kerberos.c:ads_kinit_password(362)
  kerberos_kinit_password Administrator at GARNSER.SE failed: Cannot find
KDC for requested realm
Failed to join domain: failed to connect to AD: Cannot find KDC for
requested realm

Any idea why this is?

Thanks

/Jonathan

On Wed, Sep 23, 2009 at 11:53 PM, Jonathan Petersson
<jpetersson at garnser.se> wrote:
> Going to try this a bit more tomorrow with a fresh install, please see
> inline responses.
>
> I'm thinking that I may have some Kerberos stuff hanging around, I
> noticed that there's a smb_krb5 directory with kdc data in
> /var/lib/samba.
>
> On Wed, Sep 23, 2009 at 11:37 PM, Adam Nielsen <adam.nielsen at uq.edu.au> wrote:
>>> Thanks for the input Adam,
>>>
>>> In my case I've full control of the AD domain and just run net ads
>>> join which is successful, shows up in AD.
>>>
>>> Here's my current config, can you see anything in it that I should
>>> consider adding or removing?
>>>
>>> [global]
>>>    workgroup = PRESIDIO
>>>    password server = pdc.garnser.se
>>>    realm = garnser.se
>>
>> I would remove the password server, and (not being that familiar with
>> the set up side of AD) shouldn't the workgroup be GARNSER?  Or the realm
>> be presidio.garnser.se?  Mind you if you can join the domain it would
>> seem these values are correct.
>
> I named my workgroup differently from the domain/realm, I can
> successfully join the domain.
>
>>
>> Just to confirm these values are correct, on a Windows PC, go Control
>> Panel, System, Computer Name (where you can rename the PC) and on that
>> page it should list the domain - is that garnser.se?  That domain should
>> be what is put in the realm.
>
> The domain is equal to the realm.
>
>>
>> Likewise when you log in to a Windows PC, you can choose the domain you
>> want to log in to from a drop-down list.  Is that PRESIDIO?  The value
>> there should be the same as what you put in workgroup.
>
> This is the same.
>
>>
>>>    template shell = /bin/bash
>>
>> This will allow your AD users to SSH into your machine (just checking!)
>
> Yes that's intentional.
>
>>
>>>    netbios name = presidio3
>>
>> Is presidio3.garnser.se the full DNS name of your machine?  Not sure if
>> it makes a difference but it can't hurt to make the NetBIOS and DNS
>> names match.
>
> It's identical.
>
>>
>>>    use kerberos keytab = yes
>>>    client use spnego = yes
>>
>> I don't have either of these two options set.
>>
>>>    auth methods = winbind
>>
>> I don't have "auth methods" set, and the manpage recommends against
>> setting it.
>>
>> Otherwise it looks fine.  After updating these options you could try
>> erasing all Samba's .tdb files to make it forget it belongs to a domain,
>> then add it again fresh.  I would be very surprised if that didn't work.
>
> Thanks again!
>
> /Jonathan
>
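
Added example, not part of the thread and not Samba code: a small Python check that applies the points raised in the quoted reply to an smb.conf [global] section. The sample config is reconstructed from the lines quoted above; the function names and the three comparison values passed to `review` (the machine's DNS name, the AD domain shown on a Windows PC, and the logon drop-down domain) are assumptions of this example.

```python
import re

# Constructed sample: the [global] lines quoted in the thread.
SAMPLE = """\
[global]
   workgroup = PRESIDIO
   password server = pdc.garnser.se
   realm = garnser.se
   template shell = /bin/bash
   netbios name = presidio3
   use kerberos keytab = yes
   client use spnego = yes
   auth methods = winbind
"""

def parse_global(text):
    """Collect [global] parameters; names are lower-cased, inner spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def review(params, fqdn, ad_dns_domain, ad_netbios_domain):
    """Return (parameter, note) pairs for each point raised in the reply."""
    expected = {"realm": ad_dns_domain, "workgroup": ad_netbios_domain,
                "netbios name": fqdn.split(".")[0]}
    notes = [(k, f"expected {v!r} per the checks described in the reply")
             for k, v in expected.items() if params.get(k, "").lower() != v.lower()]
    if "password server" in params:
        notes.append(("password server", "reply suggests removing it"))
    # Samba's default template shell is /bin/false, which denies interactive logins.
    if params.get("template shell", "/bin/false") not in ("/bin/false", "/sbin/nologin"):
        notes.append(("template shell", "AD users get an interactive login shell"))
    for key in ("use kerberos keytab", "client use spnego", "auth methods"):
        if key in params:
            notes.append((key, "not set in the replier's configuration"))
    return notes

if __name__ == "__main__":
    for key, note in review(parse_global(SAMPLE), "presidio3.garnser.se", "garnser.se", "PRESIDIO"):
        print(f"{key}: {note}")
```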

