[Samba] Joining an ADS domain - issue with the netlogon pipe (anonymous access required)
I have a problem joining Samba to a Windows 2003 sp1 ADS domain. I'm running Samba 3.0.28 on Solaris 10 with MIT Kerberos 1.6.3 and OpenLDAP 2.3.38. When I run 'net ads join' i get the following error. ./net ads join -S domaincontroller.mynet.mydomain.com -U Administrator -d10 .. ... 2008/01/22 12:06:09, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open() cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine domaincontroller.mynet.mydomain.com. Error was NT_STATUS_ACCESS_DENIED [2008/01/22 12:06:09, 0] utils/net_rpc_join.c:net_rpc_join_ok(70) net_rpc_join_ok: failed to get schannel session key from server domaincontroller.mynet.mydomain.com for domain mynet.mydomain.com. Error was NT_STATUS_ACCESS_DENIED Failed to verify membership in domain! Failed to join domain: Success [2008/01/22 12:06:09, 2] utils/net.c:main(1036) return code = -1 A temporary work around for this is to add "netlogon" to the group policy under "named pipes that can be accessed anonymously" on the PDC. Once the Windows SA's changed this the 'net ads join' worked fine. The Windows SA's will not open this on the production domain. Is there a way to get Samba to join an ADS domain correctly without having to enable anonymous access to the netlogon pipe? Thanks, Paddy - This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of JPMorgan Chase & Co., its subsidiaries and affiliates. This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. Please refer to http://www.jpmorgan.com/pages/disclosures for disclosures relating to UK legal entities. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Joining an ADS domain...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nanni X wrote: > Ok Jerry, > > now the Last Question: my LinuxSambaBox has joined > the domain or not?? if 'net ads testjoin' reports success it has joined, although you might have some problems with DES session keys. cheers, jerry = Samba--- http://www.samba.org Centeris --- http://www.centeris.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFEq7z3IR7qMdg1EfYRAv+eAJ9tOry/5qRmSv3ahaWAhbef4qHi/QCgr9xD 6Q23dIjZU1z4zjJaNtZfdjg= =dlRj -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Joining an ADS domain...
Ok Jerry, now the Last Question: my LinuxSambaBox has joined the domain or not?? Thanks again NanniX - Original Message - From: "Gerald (Jerry) Carter" <[EMAIL PROTECTED]> To: "Nanni X" <[EMAIL PROTECTED]> Cc: "Samba" Sent: Wednesday, June 28, 2006 2:17 PM Subject: Re: [Samba] Joining an ADS domain... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nanni X wrote: Hi people, I'm trying to join a linux SuSE 10.0+samba 3.0.20 box to an ADS-Win2003 domain. As I configured /etc/krb5.conf, /etc/nsswitch.conf and /etc/samba/smb.conf, I try to join the ADS with: root # net ads join -U Administrator% the system replays: Using short domain name -- then freezes, i.e. no prompt returns. Use ethereal and get a network sniff. My guess is that you will see a lot of Krb5 traffic and 'net' is trying to derive the salting principal for the DES keys. I'm about to clean up some things in that code path post 3.0.23. cheers, jerry = Samba--- http://www.samba.org Centeris --- http://www.centeris.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFEonNkIR7qMdg1EfYRAsAuAKDf9yJbtH9kvvBR3AQ8K6yOGq0oswCggkGL Qn+LIb+mH2zrmNBgXBiAIbw= =yj/j -END PGP SIGNATURE- -- Il messaggio e' stato analizzato alla ricerca di virus o contenuti pericolosi da ViveLaVie S.p.a., ed e' risultato non infetto. -- Nessun virus nel messaggio in arrivo. Controllato da AVG Antivirus. Versione: 7.1.394 / Database dei virus: 268.9.5/377 - Data di rilascio: 27/06/06 -- Nessun virus nel messaggio in uscita. Controllato da AVG Antivirus. Versione: 7.1.394 / Database dei virus: 268.9.5/377 - Data di rilascio: 27/06/06 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Joining an ADS domain...
can u copy the present configuration files... i think u have to edit pam also.. /etc/pam.d/gdm /etc/pam.d/login /etc/pam.d/systemauth if u can attach all the configuration files.. i can try to help.. regards jerrynikky On 6/27/06, Nanni X <[EMAIL PROTECTED]> wrote: Hi people, I'm trying to join a linux SuSE 10.0+samba 3.0.20 box to an ADS-Win2003 domain. As I configured /etc/krb5.conf, /etc/nsswitch.conf and /etc/samba/smb.conf, I try to join the ADS with: root # net ads join -U Administrator% the system replays: Using short domain name -- then freezes, i.e. no prompt returns. I wait several minutes, then from another console I typed: root # net ads testjoin and system replays: Join is OK. at this point I breaked (Ctrl-C) the freezed prompt. Again, net ads testjoin replays Join is OK. All this appears to me something wrong Any ideas? what's wrong? Thanks NanniX -- Nessun virus nel messaggio in uscita. Controllato da AVG Antivirus. Versione: 7.1.394 / Database dei virus: 268.9.5/376 - Data di rilascio: 26/06/06 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Joining an ADS domain...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nanni X wrote: > Hi people, > I'm trying to join a linux SuSE 10.0+samba 3.0.20 box to an ADS-Win2003 > domain. > > As I configured /etc/krb5.conf, /etc/nsswitch.conf and > /etc/samba/smb.conf, I try to join the ADS with: > > root # net ads join -U Administrator% > > the system replays: > > Using short domain name -- > > then freezes, i.e. no prompt returns. Use ethereal and get a network sniff. My guess is that you will see a lot of Krb5 traffic and 'net' is trying to derive the salting principal for the DES keys. I'm about to clean up some things in that code path post 3.0.23. cheers, jerry = Samba--- http://www.samba.org Centeris --- http://www.centeris.com "What man is a man who does not make the world better?" --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFEonNkIR7qMdg1EfYRAsAuAKDf9yJbtH9kvvBR3AQ8K6yOGq0oswCggkGL Qn+LIb+mH2zrmNBgXBiAIbw= =yj/j -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Joining an ADS domain...
Hi people, I'm trying to join a linux SuSE 10.0+samba 3.0.20 box to an ADS-Win2003 domain. As I configured /etc/krb5.conf, /etc/nsswitch.conf and /etc/samba/smb.conf, I try to join the ADS with: root # net ads join -U Administrator% the system replays: Using short domain name -- then freezes, i.e. no prompt returns. I wait several minutes, then from another console I typed: root # net ads testjoin and system replays: Join is OK. at this point I breaked (Ctrl-C) the freezed prompt. Again, net ads testjoin replays Join is OK. All this appears to me something wrong Any ideas? what's wrong? Thanks NanniX -- Nessun virus nel messaggio in uscita. Controllato da AVG Antivirus. Versione: 7.1.394 / Database dei virus: 268.9.5/376 - Data di rilascio: 26/06/06 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
