Re: [Samba] Can SAMBA use ADS and files for Auth ?

2009-10-23 Thread andy.marr
 

Thanks Volker.

Regards
Andy
 

-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: 22 October 2009 15:23
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can SAMBA use ADS and files for Auth ?

On Thu, Oct 22, 2009 at 03:13:10PM +0100, andy.m...@bt.com wrote:
> Cheers Volker
>
> I think I mean share level;
>
> The server is currently setup with security=share , using smbpasswd
> and associated files.
>
> I would like to keep those users but also join an AD and allow AD
> users also.

That's not possible, sorry.

You might want to play with virtual IP addresses and a second instance
of the Samba server using security=ads or security=domain.

Volker
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Can SAMBA use ADS and files for Auth ?

2009-10-22 Thread andy.marr
Hi All

I'm running SAMBA 3.0.33 on Solaris 10 Sparc.

Can anyone tell me if I can use ADS and share level (local files) for
authentication at the same time?

I have a server that contains share level users, but would like to be
in AD domain for any new users.


Cheers
Andy



Re: [Samba] Can SAMBA use ADS and files for Auth ?

2009-10-22 Thread andy.marr
Cheers Volker

I think I mean share level; 

The server is currently setup with security=share , using smbpasswd and
associated files.

I would like to keep those users but also join an AD and allow AD users
also.

Regards
Andy

 

-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: 22 October 2009 15:10
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can SAMBA use ADS and files for Auth ?

On Thu, Oct 22, 2009 at 02:56:11PM +0100, andy.m...@bt.com wrote:
> I'm running SAMBA 3.0.33 on Solaris 10 Sparc.
>
> Can anyone tell me if I can use ADS and share level (local files) for
> authentication at the same time ?
>
> I have a server that contains share level users , but would like to be
> in AD domain for any new users.

Not on the same IP.

You are sure that you mean share level? This is really, really weird
these days.

If you want no-password access for certain shares, for a certain group
of hosts or so, there are other ways to achieve that.

Volker


Re: [Samba] not permitted to access this share [Solved]

2009-10-05 Thread andy.marr
Turned out to be Require NTLMv2 and 128-bit encryption was set via Group
Policy Object on the clients.

Once these were turned off the shares could be mounted no problem.

Not had chance to try Samba 3.4.x, it's assumed that 3.0.33 doesn't work
with the client settings mentioned above.

Thanks
To all who replied.

Andy


-Original Message-
From: Marr,A,Andy,DGE62 C 
Sent: 30 September 2009 13:39
To: samba@lists.samba.org
Subject: RE: [Samba] not permitted to access this share

 It seems the SMBclient software on the SAMBA server has no issues
mounting a share using ADS for authentication , but the PC Clients in
the AD are unable to mount the share.

Can anyone point in the right direction to look ?


-Original Message-
From: Eero Volotinen [mailto:eero.voloti...@iki.fi]
Sent: 29 September 2009 17:44
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] not permitted to access this share

andy.m...@bt.com wrote:
> Update if anyone's reading.
>
> I've turned off winbind and removed winbind from nsswitch.conf on the
> samba server.
>
> I can now get a connection using smbclient on the samba server - using
> the users AD password.
>  /usr/sfw/bin/smbclient //fgukshppay001/lsww -U admandymarr
> Password:
> Domain=[FIRSTGROUP] OS=[Unix] Server=[Samba 3.0.33]
> smb: \>
>
> But I still cannot get a connection via the PC's in the domain.
>
> P:\>net use *  \\FGUKSHPPAY001\LSWW
> System error 64 has occurred.
>
> The specified network name is no longer available.

Can you ping FGUKSHPPAY001 from cmd.exe on windows machine ? If not,
maybe it is wins (dns) name resolving issue?

Try using \\full.dns.name\LSWW on windows machine?

--
Eero,
RHCE


[Samba] Samba NTLMv2 128bit encryption - does it work ?

2009-10-02 Thread andy.marr
Hi all

I've had an issue with Windows clients connecting to my Samba 3.0.33 server
running on Solaris 10.
The SAMBA server has security set as ADS and it works perfectly in the
domain, except for clients which have a GPO set with the following enabled.

Require NTLMv2 - needs to be set to enabled.
Require 128bit encryption - needs to be set to enabled.

Once my Windows admin turns these settings off the clients can connect
to the SAMBA server no problem.

With the settings turned on, the clients get error 59 unexpected
network error has occurred.

The samba logs show client has disconnected

1. Is it possible to connect SAMBA to clients which have these settings
on?
2. If so, are there extra config settings I need in my smb.conf?

My smb.conf

[global]
workgroup = STGROUP
netbios name = FGUKSHPPAY001
realm = STGROUP.COM
preferred master = no
server string =   CARD DR Samba Server
security = ADS
encrypt passwords = yes
allow trusted domains = yes
client ntlmv2 auth = yes
lanman auth = No
log level = 3
log file = /var/samba/log/log.%m
max log size = 250
printcap name = /dev/null
load printers = no
idmap uid = 62000-73000
idmap gid = 6200-7300
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
allow trusted domains = yes
template homedir = /export/home/%U
template shell = /bin/bash
# Share Definitions
[lsww]
   comment = lsww
   path = /mirror/livesww/list
   valid users = STGROUP\admandy STGROUP\admtim STGROUP\smythe
   public = yes
   browseable = yes
   read only = yes

I have tried with and without

client ntlmv2 auth = yes
lanman auth = No


Thanks for looking. Any Ideas much appreciated.


Regards
Andy.


Re: [Samba] not permitted to access this share

2009-09-30 Thread andy.marr

 It seems the SMBclient software on the SAMBA server has no issues
mounting a share using ADS for authentication , but the PC Clients in
the AD are unable to mount the share.

Can anyone point in the right direction to look ?


-Original Message-
From: Eero Volotinen [mailto:eero.voloti...@iki.fi] 
Sent: 29 September 2009 17:44
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] not permitted to access this share

andy.m...@bt.com wrote:
> Update if anyone's reading.
>
> I've turned off winbind and removed winbind from nsswitch.conf on the
> samba server.
>
> I can now get a connection using smbclient on the samba server - using
> the users AD password.
>  /usr/sfw/bin/smbclient //fgukshppay001/lsww -U admandymarr
> Password:
> Domain=[FIRSTGROUP] OS=[Unix] Server=[Samba 3.0.33]
> smb: \>
>
> But I still cannot get a connection via the PC's in the domain.
>
> P:\>net use *  \\FGUKSHPPAY001\LSWW
> System error 64 has occurred.
>
> The specified network name is no longer available.

Can you ping FGUKSHPPAY001 from cmd.exe on windows machine ? If not,
maybe it is wins (dns) name resolving issue?

Try using \\full.dns.name\LSWW on windows machine?

--
Eero,
RHCE


[Samba] not permitted to access this share

2009-09-29 Thread andy.marr
 
Hi all

I've a SAMBA 3.0.33 server running  on Solaris 10 sparc.

The server is joined  to a Windows ADS.

I'm getting the following error when trying to access the share as an AD
user from a windows machine.

[2009/09/29 10:48:05, 2] smbd/service.c:(616)
  user 'FIRSTGROUP\admandymarr' (from session setup) not permitted to access this share (lsww)
[2009/09/29 10:48:05, 3] smbd/error.c:(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I setup a temp share with an empty valid users list , but I get the same
issue.

I'm not sure if the user should have the domain\user when trying to
access the share ? 

I'm so close :-)

Any pointers would be great ?

Smb.conf 
[global]
workgroup = FIRSTGROUP
netbios name = FGUKSHPPAY001
realm = FIRSTGROUP.COM
preferred master = no
server string =  DR Samba Server
security = ADS
encrypt passwords = yes
allow trusted domains = yes
log level = 5
log file = /var/samba/log/log.%m
max log size = 250
printcap name = /dev/null
load printers = no
idmap uid = 62000-73000
idmap gid = 6200-7300
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /export/home/%U
template shell = /bin/bash
password server = fgukcbpadc001.firstgroup.com

# Share Definitions

[temp]
   comment = lsww
   path = /tmp
   valid users =
   public = yes
   browseable = yes
   read only = yes


[lsww]
   comment = lsww
   path = /mirror/livesww/list
   valid users = admandymarr
   public = yes
   browseable = yes
   read only = yes
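
Added example, not part of the original post: the two log entries quoted above can be pulled out of an smbd log mechanically, pairing each "not permitted to access this share" line with the error packet logged after it. The sample log is constructed from the post's excerpt (mail line-wrapping undone, a second denial for [temp] and one unrelated entry added), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Entry header, e.g. "[2009/09/29 10:48:05, 2] smbd/service.c:(616)".
# The function name between ':' and '(' is optional; it is empty in the post's logs.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<func>\w*)\((?P<line>\d+)\)\s*$"
)
DENIED = re.compile(
    r"user '(?P<user>[^']+)' \((?P<origin>[^)]*)\) "
    r"not permitted to access this share \((?P<share>[^)]+)\)"
)
ERROR_PACKET = re.compile(
    r"error packet at \S+ cmd=(?P<cmd>\d+) \((?P<name>\w+)\) (?P<status>NT_STATUS_\w+)"
)

# Constructed sample based on the post's log excerpt (not a real capture).
SAMPLE_LOG = r"""[2009/09/29 10:48:05, 2] smbd/service.c:(616)
  user 'FIRSTGROUP\admandymarr' (from session setup) not permitted to access this share (lsww)
[2009/09/29 10:48:05, 3] smbd/error.c:(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2009/09/29 10:48:09, 2] smbd/service.c:(616)
  user 'FIRSTGROUP\admandymarr' (from session setup) not permitted to
  access this share (temp)
[2009/09/29 10:48:09, 3] smbd/error.c:(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2009/09/29 10:48:12, 3] param/loadparm.c:(3794)
  Processing section [global]
"""


def parse_entries(text):
    """Split a log into entries, joining indented continuation lines."""
    entries = []
    for raw in text.splitlines():
        header = HEADER.match(raw)
        if header:
            entries.append({**header.groupdict(), "msg": ""})
        elif entries and raw.strip():
            current = entries[-1]
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries


def share_denials(entries):
    """Return one record per share denial, with the status sent to the client."""
    denials = []
    for i, entry in enumerate(entries):
        hit = DENIED.search(entry["msg"])
        if not hit:
            continue
        domain, _, account = hit["user"].rpartition("\\")
        record = {"ts": entry["ts"], "domain": domain, "account": account,
                  "origin": hit["origin"], "share": hit["share"],
                  "command": None, "status": None}
        # Assumption taken from the post's excerpt: the matching "error packet"
        # entry follows within the next few entries of the same log file.
        for later in entries[i + 1:i + 4]:
            if DENIED.search(later["msg"]):
                break
            packet = ERROR_PACKET.search(later["msg"])
            if packet:
                record["command"], record["status"] = packet["name"], packet["status"]
                break
        denials.append(record)
    return denials


def shares_by_user(denials):
    """Map (domain, account) to the sorted list of shares that refused it."""
    refused = defaultdict(set)
    for d in denials:
        refused[(d["domain"], d["account"])].add(d["share"])
    return {user: sorted(shares) for user, shares in refused.items()}


if __name__ == "__main__":
    found = share_denials(parse_entries(SAMPLE_LOG))
    for d in found:
        print(d["ts"], d["domain"], d["account"], d["share"], d["command"], d["status"])
    print(shares_by_user(found))
```

The denial line is written at debug level 2 and the error packet at level 3, so a log collected below level 3 yields records whose `command` and `status` stay `None`.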


Re: [Samba] not permitted to access this share

2009-09-29 Thread andy.marr
I've checked the wbinfo all returns as expected .

I've checked the user on the UNIX server can access the files and dir -
no problem.

I don't understand if SAMBA is actually trying to map
FIRSTGROUP\admandymarr on to the share ?

If it is then it won't work, as the share only specifies the username not
the domain and username.

I'm not using PAM for these shares , is it needed ? Am I missing a trick?

Anything would be a help

Regards
Andy





-Original Message-
From: Marr,A,Andy,DGE62 C 
Sent: 29 September 2009 11:01
To: samba@lists.samba.org
Subject: not permitted to access this share 

 
Hi all

I've a SAMBA 3.0.33 server running  on Solaris 10 sparc.

The server is joined  to a Windows ADS.

I'm getting the following error when trying to access the share as an AD
user from a windows machine.

[2009/09/29 10:48:05, 2] smbd/service.c:(616)
  user 'FIRSTGROUP\admandymarr' (from session setup) not permitted to access this share (lsww)
[2009/09/29 10:48:05, 3] smbd/error.c:(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I setup a temp share with an empty valid users list , but I get the same
issue.

I'm not sure if the user should have the domain\user when trying to
access the share ? 

I'm so close :-)

Any pointers would be great ?

Smb.conf
[global]
workgroup = FIRSTGROUP
netbios name = FGUKSHPPAY001
realm = FIRSTGROUP.COM
preferred master = no
server string =  DR Samba Server
security = ADS
encrypt passwords = yes
allow trusted domains = yes
log level = 5
log file = /var/samba/log/log.%m
max log size = 250
printcap name = /dev/null
load printers = no
idmap uid = 62000-73000
idmap gid = 6200-7300
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /export/home/%U
template shell = /bin/bash
password server = fgukcbpadc001.firstgroup.com

# Share Definitions

[temp]
   comment = lsww
   path = /tmp
   valid users =
   public = yes
   browseable = yes
   read only = yes


[lsww]
   comment = lsww
   path = /mirror/livesww/list
   valid users = admandymarr
   public = yes
   browseable = yes
   read only = yes


Re: [Samba] not permitted to access this share

2009-09-29 Thread andy.marr
Update if anyone's reading.

I've turned off winbind and removed winbind from nsswitch.conf on the
samba server.

I can now get a connection using smbclient on the samba server - using
the users AD password.
 /usr/sfw/bin/smbclient //fgukshppay001/lsww -U admandymarr
Password:
Domain=[FIRSTGROUP] OS=[Unix] Server=[Samba 3.0.33]
smb: \>


But I still cannot get a connection via the PC's in the domain.


P:\>net use *  \\FGUKSHPPAY001\LSWW
System error 64 has occurred.

The specified network name is no longer available.


P:\>

Any ideas ?





-Original Message-
From: Marr,A,Andy,DGE62 C 
Sent: 29 September 2009 14:38
To: samba@lists.samba.org
Cc: Marr,A,Andy,DGE62 C
Subject: RE: not permitted to access this share 

I've checked the wbinfo all returns as expected .

I've checked the user on the UNIX server can access the files and dir -
no problem.

I don't understand if SAMBA is actually trying to map
FIRSTGROUP\admandymarr on to the share ?

If it is then it won't work, as the share only specifies the username not
the domain and username.

I'm not using PAM for these shares , is it needed ? Am I missing a trick?

Anything would be a help

Regards
Andy





-Original Message-
From: Marr,A,Andy,DGE62 C
Sent: 29 September 2009 11:01
To: samba@lists.samba.org
Subject: not permitted to access this share 

 
Hi all

I've a SAMBA 3.0.33 server running  on Solaris 10 sparc.

The server is joined  to a Windows ADS.

I'm getting the following error when trying to access the share as an AD
user from a windows machine.

[2009/09/29 10:48:05, 2] smbd/service.c:(616)
  user 'FIRSTGROUP\admandymarr' (from session setup) not permitted to access this share (lsww)
[2009/09/29 10:48:05, 3] smbd/error.c:(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I setup a temp share with an empty valid users list , but I get the same
issue.

I'm not sure if the user should have the domain\user when trying to
access the share ? 

I'm so close :-)

Any pointers would be great ?

Smb.conf
[global]
workgroup = FIRSTGROUP
netbios name = FGUKSHPPAY001
realm = FIRSTGROUP.COM
preferred master = no
server string =  DR Samba Server
security = ADS
encrypt passwords = yes
allow trusted domains = yes
log level = 5
log file = /var/samba/log/log.%m
max log size = 250
printcap name = /dev/null
load printers = no
idmap uid = 62000-73000
idmap gid = 6200-7300
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /export/home/%U
template shell = /bin/bash
password server = fgukcbpadc001.firstgroup.com

# Share Definitions

[temp]
   comment = lsww
   path = /tmp
   valid users =
   public = yes
   browseable = yes
   read only = yes


[lsww]
   comment = lsww
   path = /mirror/livesww/list
   valid users = admandymarr
   public = yes
   browseable = yes
   read only = yes


Re: [Samba] not permitted to access this share

2009-09-29 Thread andy.marr
Thanks Eero

I've tried , but I get the same error :( still looking ...



P:\>net use * \\FGUKSHPPAY001.FirstGroup.com\LSWW
System error 64 has occurred.

The specified network name is no longer available.

P:\>ping FGUKSHPPAY001.FirstGroup.com

Pinging FGUKSHPPAY001.FirstGroup.com [XXX.XXX.XXX.XXX] with 32 bytes of
data:

Reply from XXX.XXX.XXX.XXX: bytes=32 time<1ms TTL=252
Reply from XXX.XXX.XXX.XXX: bytes=32 time<1ms TTL=252
Reply from XXX.XXX.XXX.XXX: bytes=32 time<1ms TTL=252

Ping statistics for XXX.XXX.XXX.XX:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms



-Original Message-
From: Eero Volotinen [mailto:eero.voloti...@iki.fi] 
Sent: 29 September 2009 17:44
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] not permitted to access this share

andy.m...@bt.com wrote:
> Update if anyone's reading.
>
> I've turned off winbind and removed winbind from nsswitch.conf on the
> samba server.
>
> I can now get a connection using smbclient on the samba server - using
> the users AD password.
>  /usr/sfw/bin/smbclient //fgukshppay001/lsww -U admandymarr
> Password:
> Domain=[FIRSTGROUP] OS=[Unix] Server=[Samba 3.0.33]
> smb: \>
>
> But I still cannot get a connection via the PC's in the domain.
>
> P:\>net use *  \\FGUKSHPPAY001\LSWW
> System error 64 has occurred.
>
> The specified network name is no longer available.

Can you ping FGUKSHPPAY001 from cmd.exe on windows machine ? If not,
maybe it is wins (dns) name resolving issue?

Try using \\full.dns.name\LSWW on windows machine?

--
Eero,
RHCE


Re: [Samba] Can I use net ads join without DNS

2009-09-17 Thread andy.marr
Thanks Volker ! 

Yes your suggestion worked.

[r...@fgukshppay001] # /usr/sfw/sbin/net ads join -U admandymarr
admandymarr's password:
The workgroup in /etc/sfw/smb.conf does not match the short
domain name obtained from the server.
Using the name [FGPREPROD] from the server.
You should set workgroup = FGPREPROD in /etc/sfw/smb.conf.
Using short domain name -- FGPREPROD
Joined 'FGUKSHPPAY001' to realm 'FGPREPROD.COM'

I feel a bit dumb mixing the args order - but that's nothing new for me!

To recap I added the password server = xxx.xxx.xxx.xxx option in the
smb.conf and made sure the ADS server was correctly set up in /etc/hosts.

Best Regards
Andy

-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: 16 September 2009 22:15
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can I use net ads join without DNS

On Wed, Sep 16, 2009 at 06:01:04PM +0100, andy.m...@bt.com wrote:
> Cheers Volker
>
> I used your option and I've also found the password server option in
> the smb.conf. I'm running both and seem to have got a bit further.
>
> But now I'm getting a different error. I'm not sure if the problem is
> still DNS.
>
> The ADS server is not in DNS and in a different domain to my SAMBA
> server.
>
> Here is the error I'm now getting
>
> [r...@fgukshppay001] #  /usr/sfw/sbin/net join ads -Uadmandymarr
> -Sfgukcbradc001
> admandymarr's password:

You might want to try net ads join instead of net join ads.

Volker


[Samba] Can I use net ads join without DNS

2009-09-16 Thread andy.marr
Hi Samba people

I'm trying to join a Solaris 10 server using Samba Version 3.0.33 server
to an ADS. But the ADS is not in DNS.

I thought I could get round this by putting the ADS IP in the servers
local hosts file, and telling the krb5.conf not to use dns but it
doesn't seem to work. 

1. Can it be done ?
2. If it can how ?

Output of my net join ads, still seems to be using DNS 
[r...@fgukshppay001] # /usr/sfw/sbin/net ads join -U admandymarr -d3
[2009/09/16 15:01:42, 3] param/loadparm.c:(5055)
  lp_load: refreshing parameters
[2009/09/16 15:01:42, 3] param/loadparm.c:(1440)
  Initialising global parameters
[2009/09/16 15:01:42, 3] param/params.c:(572)
  params.c:pm_process() - Processing configuration file
/etc/sfw/smb.conf
[2009/09/16 15:01:42, 3] param/loadparm.c:(3794)
  Processing section [global]
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=10.193.69.100 bcast=10.193.69.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=10.193.69.101 bcast=10.193.69.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=172.30.61.177 bcast=172.30.61.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=172.30.61.178 bcast=172.30.61.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=10.193.69.102 bcast=10.193.69.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=172.30.61.179 bcast=172.30.61.255
nmask=255.255.255.0
[2009/09/16 15:01:42, 2] lib/interface.c:(81)
  added interface ip=192.168.1.2 bcast=192.168.1.255 nmask=255.255.255.0
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:01:42, 3] libads/dns.c:(303)
  ads_dns_lookup_srv: Failed to resolve
_ldap._tcp.dc._msdcs.FGPREPROD.COM (Error 0)
[2009/09/16 15:01:42, 3] libads/dns.c:(363)
  ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(966)
  resolve_lmhosts: Attempting lmhosts lookup for name
FGPREPROD.COM0x1c
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(863)
  resolve_wins: Attempting wins lookup for name FGPREPROD.COM0x1c
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(866)
  resolve_wins: WINS server resolution selected and no WINS servers
listed.
[2009/09/16 15:01:42, 3] libsmb/namequery.c:(805)
  name_resolve_bcast: Attempting broadcast lookup for name
FGPREPROD.COM0x1c
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(966)
  resolve_lmhosts: Attempting lmhosts lookup for name FGPREPROD0x1c
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(863)
  resolve_wins: Attempting wins lookup for name FGPREPROD0x1c
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(866)
  resolve_wins: WINS server resolution selected and no WINS servers
listed.
[2009/09/16 15:01:48, 3] libsmb/namequery.c:(805)
  name_resolve_bcast: Attempting broadcast lookup for name
FGPREPROD0x1c
[2009/09/16 15:01:55, 3] libsmb/namequery_dc.c:(162)
  Could not look up dc's for domain FGPREPROD
admandymarr's password:
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:02:00, 3] libads/dns.c:(303)
  ads_dns_lookup_srv: Failed to resolve
_ldap._tcp.dc._msdcs.FGPREPROD.COM (Error 0)
[2009/09/16 15:02:00, 3] libads/dns.c:(363)
  ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(1495)
  get_dc_list: preferred server list: , *
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(966)
  resolve_lmhosts: Attempting lmhosts lookup for name
FGPREPROD.COM0x1c
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(863)
  resolve_wins: Attempting wins lookup for name FGPREPROD.COM0x1c
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(866)
  resolve_wins: WINS server resolution selected and no WINS servers
listed.
[2009/09/16 15:02:00, 3] libsmb/namequery.c:(805)
  name_resolve_bcast: Attempting broadcast lookup for name
FGPREPROD.COM0x1c
[2009/09/16 15:02:06, 0] utils/net_ads.c:(286)
  ads_connect: No logon servers
[2009/09/16 15:02:06, 1] utils/net_ads.c:(1470)
  error on ads_startup: No logon servers
Failed to join domain: No logon servers
[2009/09/16 15:02:06, 2] utils/net.c:(1075)
  return code = -1



My krb5.conf
[libdefaults]
default_realm = FGPREPROD.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
FGPREPROD.COM = {
kdc = fgukcbradc001.XXDOMAINXX.com
admin_server = fgukcbradc001.XXDOMAINXX.com
}

[domain_realm]
.fgpreprod.com = FGPREPROD.COM
.subdomain.fgpreprod.com = FGPREPROD.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}


My smb.conf
[global]
workgroup = 

Re: [Samba] Can I use net ads join without DNS

2009-09-16 Thread andy.marr
Cheers Volker 

I used your option and I've also found the password server option in the
smb.conf. I'm running both and seem to have got a bit further.

But now I'm getting a different error. I'm not sure if the problem is
still DNS.

The ADS server is not in DNS and in a different domain to my SAMBA
server.

Here is the error I'm now getting

[r...@fgukshppay001] #  /usr/sfw/sbin/net join ads -Uadmandymarr
-Sfgukcbradc001
admandymarr's password:
Bad option: ads
Failed to join domain: Invalid parameter
ADS join did not work, falling back to RPC...
Could not connect to server fgukcbradc001
The username or password was not correct.
[2009/09/16 17:58:00, 0] utils/net_rpc_join.c:(81)
  net_rpc_join_ok: failed to get schannel session key from server fgukcbradc001 for domain FGPREPROD. Error was NT_STATUS_ACCESS_DENIED
Unable to join domain FGPREPROD.


All is the same as original post except the following added to smb.conf
password server = 10.193.33.133   -- which is the IP of fgukcbradc001, the
ADS server


When I run a debug level 3 I can see the following after I enter the
password
admandymarr's password:
[2009/09/16 17:55:14, 3] libads/ldap.c:(394)
  Connected to LDAP server 10.193.33.133
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/09/16 17:55:14, 3] libads/sasl.c:(300)
  ads_sasl_spnego_bind: got server principal name =
fgukcbradc0...@fgpreprod.com
[2009/09/16 17:55:14, 3] libsmb/clikrb5.c:(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
file found)
[2009/09/16 17:55:14, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 17 Sep 2009 03:55:14 BST
[2009/09/16 17:55:14, 3] libads/ldap.c:(394)
  Connected to LDAP server 10.193.33.133
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/09/16 17:55:14, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/09/16 17:55:14, 3] libads/sasl.c:(300)
  ads_sasl_spnego_bind: got server principal name =
fgukcbradc0...@fgpreprod.com
[2009/09/16 17:55:14, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 17 Sep 2009 03:55:14 BST
Bad option: ads
Failed to join domain: Invalid parameter
ADS join did not work, falling back to RPC...


-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: 16 September 2009 17:28
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can I use net ads join without DNS

On Wed, Sep 16, 2009 at 03:10:38PM +0100, andy.m...@bt.com wrote:
> Hi Samba people
>
> I'm trying to join a Solaris 10 server using Samba Version 3.0.33 server
> to an ADS. But the ADS is not in DNS.
>
> I thought I could get round this by putting the ADS IP in the servers
> local hosts file, and telling the krb5.conf not to use dns but it
> doesn't seem to work.
>
> 1. Can it be done ?
> 2. If it can how ?

Can you try -S servername as an argument to the net ads join?

Volker


Re: [Samba] Can I use net ads join without DNS

2009-09-16 Thread andy.marr

 Also found in the debug output the following

[2009/09/16 18:20:09, 8] libsmb/namequery.c:(1644)
  get_sorted_dc_list: attempting lookup for name FGPREPROD.COM (sitename NULL) using [ads]

Which I'm guessing is where it's getting the:
Bad option: ads
Failed to join domain: Invalid parameter

Error message.

Seems to be pointing to DNS again.

Cheers
Andy


-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: 16 September 2009 17:28
To: Marr,A,Andy,DGE62 C
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can I use net ads join without DNS

On Wed, Sep 16, 2009 at 03:10:38PM +0100, andy.m...@bt.com wrote:
> Hi Samba people
>
> I'm trying to join a Solaris 10 server using Samba Version 3.0.33 server
> to an ADS. But the ADS is not in DNS.
>
> I thought I could get round this by putting the ADS IP in the servers
> local hosts file, and telling the krb5.conf not to use dns but it
> doesn't seem to work.
>
> 1. Can it be done ?
> 2. If it can how ?

Can you try -S servername as an argument to the net ads join?

Volker