[Samba] Trouble getting past net join ads...

Jason Gerfen jason.gerfen at scl.utah.edu
Thu Jan 28 13:08:55 MST 2010

Have you tried the following?

%> kinit -u DOMAIN\Administrator
Enter Password: xxxxxx

%> net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX

I think the user you are attempting to join the domain with needs a valid 
Kerberos TGT first.

Michael Wood wrote:
> On 28 January 2010 21:07, Joel Therrien <Joel_Therrien at uml.edu> wrote:
>> Thanks. Unfortunately that did not appear to do anything.
>> What is even stranger is I tried running net ads info and it returned
>> information on the LDAP server name, the correct IP address,
>> realm, and bindpath. To my uninformed eye, this looks like it is
>> connected to the windows server in some manner. Yet wbinfo -t
>> still cannot check the trust secret.
>> One thing I also don't get is why the net ads testjoin command insists
>> on asking for a password for an account that does not exist. Even specifying
>> a username with the -U command does not work, it is just ignored.
> Here's something to try while waiting for a reply from someone who
> knows more about this stuff:
> The NANOELECFS$ account is a machine account.  As far as I understand
> it, this account is supposed to be created automatically when you join
> the machine to the domain.  The password is randomly generated and the
> client is supposed to change it periodically (every month?)
> automatically.
> I've heard some people on this list say they had to manually create
> the machine account first in order to be able to join the domain, so
> perhaps you should try that.  i.e. just create an account (the same
> way you create a user account) with NANOELECFS$ as the username.  Why
> this might be necessary, I wouldn't know.
> Another thing is that things might work better with a later version of
> Samba.  e.g. 3.3.10 or 3.4.5.
>> Joel
>> On 1/28/2010 11:06 AM, Dale Schroeder wrote:
>>> Joel,
>>> When I've received this error, I've been able to resolve by telling it the
>>> name of the DC.
>>> net ads join -S pdc -U admin_user
>>> See if it works for you.
>>> Dale
>>> On 01/28/2010 9:14 AM, Joel Therrien wrote:
>>>>    I am in the process of getting samba working again with Active
>>>> Directory. Recently our IT department
>>>> upgraded their windows server to 2008.
>>>>    I am following the approach described here:
>>>> http://www.surlyjake.com/linux/samba/join-debian-lenny-to-active-directory-using-samba/
>>>>    I am able to get kerberos to issue a ticket, but where I am running
>>>> into a wall is with the net join ads part... It appears to work in that
>>>> setting the correct dn and using the username given to me by Jim for
>>>> binding to the windows server passes back a message that looks OK:
>>>>> nanoelecfs:/home/joel# net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX
>>>>> Enter XXXXX's password:
>>>>> Got 1 replies
>>>> But if I try to test this by issuing the net ads testjoin command, I am
>>>> always asked this (highlighted in red):
>>>>> nanoelecfs:/home/joel# net ads testjoin
>>>>> Enter NANOELECFS$@FS.UML.EDU's password:
>>>>> [2010/01/25 22:36:17,  0] libads/kerberos.c:ads_kinit_password(356)
>>>>>  kerberos_kinit_password NANOELECFS$@FS.UML.EDU failed:
>>>>> Preauthentication failed
>>>>> Join to domain is not valid: Logon failure
>>>> There is no such account, as kerberos is happy to indicate. This is odd
>>>> because I do not recall getting this
>>>> before the upgrade to 2008. NANOELECFS is the name of the linux box.
>>>>    Trying wbinfo -t gives the following:
>>>>> nanoelecfs:/home/joel# wbinfo -t
>>>>> checking the trust secret via RPC calls failed
>>>>> Could not check secret
>>>> I am running a Debian Lenny system with kernel version 2.6.26-2-amd64
>>>> I am running samba version 2:3.2.5
>>>> Thanks in advance!

Jason Gerfen
Systems Administration/Web application development
jason.gerfen at scl.utah.edu

Marriott Library
Lab Systems PC
295 South 1500 East
Salt Lake City, Utah 84112-0806
Ext 5-9810
