[Samba] net ads join fails

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 10 13:20:02 MDT 2015


On 10/03/15 19:01, Roman Dilken wrote:
> On 10.03.2015 19:25, Rowland Penny wrote:
>
>> Hi, what are you trying to join to?
>>
>> Remove this line 'idmap_ldp:use rfc2307 = yes'
>>
>> one) it should be 'idmap_ldb:use rfc2307 = yes' two) it is only
>> used on a DC.
>>
>> How are you trying to do the join ?
>>
>> Rowland
>>
>>
> Hi,
>
> I commented it out but it didn't change the behaviour.
>
> I tried the following commands:
>
> 1.) samba-tool domain join ad.dilken.eu MEMBER -UAdministrator
> --realm=AD.DILKEN.EU --site=Neuoetting -d 10
>
>
> Result (last lines): Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Received smb_krb5 packet of length 291
> Received smb_krb5 packet of length 1293
> Received smb_krb5 packet of length 1310
> Received smb_krb5 packet of length 1288
> gensec_gssapi: credentials were delegated
> GSSAPI Connection will have no cryptographic protection
>
>
>
> 2.)  net ads join -UAdministrator -d 10 -k
>
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178@please_ignore
> kerberos_kinit_password: as Administrator using [MEMORY:cliconnect] as
> ccache and config [(null)]
> cli_session_setup_spnego: using target hostname not SPNEGO principal
> cli_session_setup_spnego: guessed server
> principal=cifs/dc2.ad.dilken.eu@AD.DILKEN.EU
> Doing kerberos session setup
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Mi, 11 Mär 2015 05:58:30 CET
> ads_krb5_mk_req: Ticket (cifs/dc2.ad.dilken.eu@AD.DILKEN.EU) in ccache
> (MEMORY:cliconnect) is valid until: (Mi, 11 Mär 2015 05:58:30 CET -
> 1426049910)
> Got KRB5 session key of length 16
>
>
> I want to join the freebsd-machine as member-server for winbind. It's
> my workstation.
>
> Greetings,
>
> Roman

OK, the first will not work (well, not yet); the second should. I take it
you ran 'kinit Administrator@AD.DILKEN.EU' as root before the join?

You could try 'net ads join -U Administrator' and enter the password
when prompted. I personally have never seen the point in using Kerberos
during the join; either way you have to enter the Administrator password
:-)

Rowland


