[Samba] net ads join fails

2009-04-27 Thread McGranahan, Jamen
Environment: Sun Solaris 9 sparc

Software: Samba 3.3.3, KRB5-1.6.3, OpenLDAP-2.4.11

 

Situation:

I've been able to verify that Samba is compiled correctly by issuing the
following commands:

smbd -b | grep LDAP
smbd -b | grep KRB
smbd -b | grep ADS
smbd -b | grep WINBIND

 

I've been able to successfully run kinit in the
/usr/local/krb5-1.6.3/bin/ directory. I did discover that just issuing
the kinit command was launching the Sun version of KRB. Once I figured
that out, I made a backup copy of that version, removed the Sun version
and created a sym-link to the 1.6.3 version. Now when I run kinit
anywhere on the server, it picks up the 1.6.3 version and launches
successfully. 

 

I've been able to successfully join our domain by running the following
command:

lib240:/usr/local/samba/bin#./net ads join -U mcgranj

 

I've modified my nsswitch.conf file and re-started winbindd. However,
when I issue the following commands, I get nothing:

 

wbinfo -u

lib240:/usr/local/samba/bin#wbinfo -u
Error looking up domain users

wbinfo -g

lib240:/usr/local/samba/bin#wbinfo -g
Error looking up domain groups

 

Any advice or guidance would be greatly appreciated. Thank you!

 

***

* Jamen McGranahan 

* Systems Services Librarian 

* Library Information Technology Services

* Vanderbilt University

* Suite 700

* 110 21st Avenue South

* Nashville, TN  37240

* (615) 343-1614

* (615) 343-8834 (fax)

* jamen.mcgrana...@vanderbilt.edu

***

 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] net ads join fails on ADS 2003

2005-09-24 Thread Jesko Schneider
hello,

I am wondering, when I try to follow the ADS 2003, Samba can't join completely.
The join ends with: ads_machine_password:Message stream modified.

When I start 'net ads join' with debugging I got an error:
[2005/09/24 18:51:49, 1] libads/krb5_setpw.c:parse_setpw_reply(237)
  Got error packet 0x7e from kpasswd server
[2005/09/24 18:51:49, 1] libads/krb5_setpw.c:do_krb5_kpasswd_request(450)
  parse_setpw_reply failed (Message stream modified)
ads_set_machine_password: Message stream modified
[2005/09/24 18:51:49, 2] utils/net.c:main(873)
  return code = -1

---
Surrounding:
ADS 2003, no SP, but Services for Unix installed
SuSE9.3 Updated
MIT-Kerberos5: 1.4.16 
Samba: 3.0.20
-
Problem:
linux11:~ # kinit Administrator
Password for [EMAIL PROTECTED]:
linux11:~ # klist -5ef
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
09/24/05 18:30:00  09/25/05 04:30:02  krbtgt/[EMAIL PROTECTED]
renew until 09/25/05 18:30:00, Flags: RIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
linux11:~ # net ads join
ads_set_machine_password: Message stream modified
linux11:~ #

-  but there is no complete join

-
Debugging (Level 3):
[2005/09/24 18:51:48, 3] param/loadparm.c:lp_load(4082)
  lp_load: refreshing parameters
[2005/09/24 18:51:48, 3] param/loadparm.c:init_globals(1366)
  Initialising global parameters
[2005/09/24 18:51:48, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
[2005/09/24 18:51:48, 3] param/loadparm.c:do_section(3542)
  Processing section [global]
[2005/09/24 18:51:48, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.99.11 bcast=192.168.99.255 nmask=255.255.255.0
[2005/09/24 18:51:48, 3] libsmb/namequery.c:resolve_lmhosts(855)
  resolve_lmhosts: Attempting lmhosts lookup for name 
dc0001.city.net.ffm0x20
[2005/09/24 18:51:48, 3] libsmb/namequery.c:resolve_wins(752)
  resolve_wins: Attempting wins lookup for name dc0001.city.net.ffm0x20
[2005/09/24 18:51:48, 3] libsmb/namequery.c:resolve_wins(755)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2005/09/24 18:51:48, 3] libsmb/namequery.c:resolve_hosts(917)
  resolve_hosts: Attempting host lookup for name dc0001.city.net.ffm0x20
[2005/09/24 18:51:48, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server 192.168.99.1
[2005/09/24 18:51:49, 3] libads/ldap.c:ads_server_info(2514)
  got ldap server name [EMAIL PROTECTED], using bind path: 
dc=CITY,dc=NET,dc=FFM
[2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(206)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(206)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(206)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(206)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(215)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2005/09/24 18:51:49, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(321)
  Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Sun, 25 Sep 2005 04:49:51 
GMT
[2005/09/24 18:51:49, 1] libads/krb5_setpw.c:parse_setpw_reply(237)
  Got error packet 0x7e from kpasswd server
[2005/09/24 18:51:49, 1] libads/krb5_setpw.c:do_krb5_kpasswd_request(450)
  parse_setpw_reply failed (Message stream modified)
ads_set_machine_password: Message stream modified
[2005/09/24 18:51:49, 2] utils/net.c:main(873)
  return code = -1
linux11:~ # exit


/etc/samba/smb.conf:

[global]
   workgroup = CITY
   server string = Samba Server
   load printers = no
   log file = /var/log/samba/%m.log
   loglevel = 5
   max log size = 1000
   security = ads
   password server = dc0001.city.net.ffm
   realm = CITY.NET.FFM
   client use spnego = yes
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no

-
/etc/krb5.conf

[libdefaults]
 default_realm = CITY.NET.FFM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 CITY.NET.FFM = {
  kdc = dc0001.city.net.ffm:88
  default_domain = city.net.ffm
 }

[domain_realm]
 .city.net.ffm = CITY.NET.FFM
 city.net.ffm = CITY.NET.FFM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


-- 

[Samba] net ads join fails on W2K3 server with latest MS patches

2005-06-17 Thread Vince Negri (ASL)
Hi All,

For the past few months I've been running a SUSE 9.2 server here
(mostly as an app server) which was a member of an AD domain
(w2k3 domain controller.) I used winbind to enable domain members
to log into the box, all was well.

This week the w2k3 server had some MS security patches applied
and suddenly logins became impossible, because winbind was unable
to retrieve user info from the AD. The linux box seemed to have
lost some trust relationships.

Naturally the w2k3 server was suspected, but as a first check
I removed the linux box from the ads domain (net ads leave)
and then re-added it. No dice (see logs below)

I have updated to 3.0.14a but with exactly the same result.

Here's what *is* working:

1) Kerberos authentication works (I can kinit successfully)

2) My account on the ADS domain has privilege to add machines
to the domain (I've added several Linux boxes before)

3) smbclient works.

4) The linux box does appear in the AD, but the process
of joining doesn't complete.

5) Yes, I have tried removing old *.tdb files :)

Here's the end of the run of net ads join -U xx -d 10
where x is my user name. Various host names are also redacted.

log start
[2005/06/17 18:41:55, 4] libads/sasl.c:ads_sasl_bind(447)
  Found SASL mechanism GSS-SPNEGO
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2005/06/17 18:41:55, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Sat, 18 Jun 2005 04:24:29
GMT
[2005/06/17 18:41:55, 10] libsmb/clikrb5.c:ads_krb5_mk_req(408)
  ads_krb5_mk_req: Ticket ([EMAIL PROTECTED]) in ccache (FILE:/tmp/krb5cc_0) is
valid until: (Sat, 18 Jun 2005 04:24:29 GMT - 1119065069)
[2005/06/17 18:41:55, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(510)
  Got KRB5 session key of length 16
[2005/06/17 18:41:55, 10] lib/util.c:name_to_fqdn(2623)
  name_to_fqdn: lookup for yy - yy.xxx.lan.
[2005/06/17 18:41:55, 0] libads/ldap.c:ads_add_machine_acct(1512)
  Warning: ads_set_machine_sd: Unexpected information received
[2005/06/17 18:41:55, 5] libads/ldap_utils.c:ads_do_search_retry(56)
  Search for (objectclass=*) gave 1 replies
[2005/06/17 18:41:55, 1] libads/krb5_setpw.c:parse_setpw_reply(237)
  Got error packet 0x7e from kpasswd server
[2005/06/17 18:41:55, 1] libads/krb5_setpw.c:do_krb5_kpasswd_request(450)
  parse_setpw_reply failed (Message stream modified)
[2005/06/17 18:41:55, 10] intl/lang_tdb.c:lang_tdb_init(135)
  lang_tdb_init: /usr/lib/samba/en_GB.UTF-8.msg: No such file or directory
[2005/06/17 18:41:55, 2] utils/net.c:main(902)
  return code = -1
log end--

The crux of the matter seems to be the (non-fatal) failure on
ads_set_machine_sd() but the actual death-knell is the failure of
do_krb5_kpasswd_request() - I seem to recall that the Message stream
modified is a low-level Kerberos error?

Googling around reveals a handful of similar (though not identical) problems,
most with no published resolution. :-/

I'm happy to run various tests to provide more information, or to co-operate
with a developer if it turns out this is another little caltrop thrown under
the wheels by Redmond... :)

Vince




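The two join logs above fail at the same point, so here is an added example (not code from Samba or from any poster) that parses debug output in the format quoted on this page, keeps only the level 0 and 1 records, and decodes the logged reply byte as an ASN.1 identifier octet. It assumes the value in "Got error packet 0x7e" is the first octet of the kpasswd reply; the tag names are the RFC 4120 application tags, and all function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Record header as it appears in the debug output quoted on this page, e.g.
# [2005/09/24 18:51:49, 1] libads/krb5_setpw.c:parse_setpw_reply(237)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<source>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)$"
)
ERROR_PACKET = re.compile(r"Got error packet (0x[0-9a-fA-F]+) from kpasswd server")

# Kerberos messages carry ASN.1 APPLICATION tags (RFC 4120); subset of tag numbers.
KRB_APPLICATION_TAGS = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
                        14: "AP-REQ", 15: "AP-REP", 21: "KRB-PRIV", 30: "KRB-ERROR"}

# Lines taken from the debug output quoted in the messages above.
SAMPLE_LOG = """\
[2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(215)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2005/09/24 18:51:49, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(321)
  Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Sun, 25 Sep 2005 04:49:51
GMT
[2005/09/24 18:51:49, 1] libads/krb5_setpw.c:parse_setpw_reply(237)
  Got error packet 0x7e from kpasswd server
[2005/09/24 18:51:49, 1] libads/krb5_setpw.c:do_krb5_kpasswd_request(450)
  parse_setpw_reply failed (Message stream modified)
ads_set_machine_password: Message stream modified
[2005/09/24 18:51:49, 2] utils/net.c:main(873)
  return code = -1
"""


@dataclass
class Record:
    timestamp: str
    level: int
    source: str
    function: str
    message: str


def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            current = Record(m["ts"], int(m["level"]), m["source"], m["func"], "")
            records.append(current)
        elif current is not None and raw[:1] in (" ", "\t") and raw.strip():
            # Indented line: part of the current record's message.
            current.message = (current.message + " " + raw.strip()).strip()
        else:
            # Unindented text (stderr output, a mail-wrapped tail) ends the record.
            current = None
    return records


def decode_identifier_octet(octet):
    """Split a single-octet ASN.1 identifier into (class, constructed, tag number)."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("identifier octet must fit in one byte")
    tag = octet & 0x1F
    if tag == 0x1F:
        raise ValueError("high-tag-number form: tag continues in following octets")
    cls = ("universal", "application", "context", "private")[octet >> 6]
    return cls, bool(octet & 0x20), tag


def triage(text, max_level=1):
    """Return the records at or below max_level, decoding any kpasswd reply byte."""
    findings = []
    for rec in parse_records(text):
        if rec.level > max_level:
            continue
        finding = {"function": rec.function, "source": rec.source,
                   "message": rec.message, "packet": None}
        m = ERROR_PACKET.search(rec.message)
        if m:
            cls, constructed, tag = decode_identifier_octet(int(m.group(1), 16))
            name = KRB_APPLICATION_TAGS.get(tag) if cls == "application" else None
            finding["packet"] = (cls, constructed, tag, name)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["source"], f["function"], "->", f["message"], f["packet"])
```

Read this way, 0x7e is APPLICATION 30, a KRB-ERROR message, so the kpasswd server answered with a Kerberos error rather than a password-change reply.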


Re: [Samba] net ads join fails 3/4's of the time

2005-06-10 Thread Gerald (Jerry) Carter


Rex Dieter wrote:

| I just wanted to share my frustrations with trying
| to use samba to join  linux machines to our AD
| (so I could use pam_winbind primarily).  I'm
| using Red Hat Enterprise 4 boxes, with samba-3.0.14a,
| krb5-libs-1.3.4-12, kernel-2.6.9-5.0.5.EL (I tried
| Fedora Core 3 too,  with similar results).  I (pre)added
| machines to the AD using the Active  Directory Users
| and Computers tool.
|
| I initially had clock skew problems (yielding kerberos
| errors), but I  now have synchronized system clocks.
|
| Now, I've found that the
| $ net ads join
| command(*) always says it succeeds joining the domain,
| but a subsequent
| $ wbinfo -t
| about 75% of the time yields an error:
| NT_STATUS_ACCESS_DENIED
|
| If I re-run those 2 commands repeatedly, I *eventually*
| will get machine  that has successfully joined the
| AD domain (where 'wbinfo -t' succeeds
| and pam_winbind successfully authenticates users).

I wonder if you are dealing with an AD replication lag.  How
many DC's are there in the domain?




cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca


Re: [Samba] net ads join fails 3/4's of the time

2005-06-10 Thread Rex Dieter

Gerald (Jerry) Carter wrote:


Rex Dieter wrote:

| Now, I've found that the
| $ net ads join
| command(*) always says it succeeds joining the domain,
| but a subsequent
| $ wbinfo -t
| about 75% of the time yields an error:
| NT_STATUS_ACCESS_DENIED
|
| If I re-run those 2 commands repeatedly, I *eventually*
| will get machine  that has successfully joined the
| AD domain (where 'wbinfo -t' succeeds
| and pam_winbind successfully authenticates users).

I wonder if you are dealing with an AD replication lag.  How
many DC's are there in the domain?



3 DC's.  If your hunch is right, what should I do?  Simply wait longer 
between the 'net ads join' and 'wbinfo -t' (I'm currently waiting 2 
seconds)?


-- Rex


[Samba] net ads join fails 3/4's of the time

2005-06-08 Thread Rex Dieter
I just wanted to share my frustrations with trying to use samba to join 
linux machines to our AD (so I could use pam_winbind primarily).  I'm 
using Red Hat Enterprise 4 boxes, with samba-3.0.14a, 
krb5-libs-1.3.4-12, kernel-2.6.9-5.0.5.EL (I tried Fedora Core 3 too, 
with similar results).  I (pre)added machines to the AD using the Active 
Directory Users and Computers tool.


I initially had clock skew problems (yielding kerberos errors), but I 
now have synchronized system clocks.


Now, I've found that the
$ net ads join
command(*) always says it succeeds joining the domain, but a subsequent
$ wbinfo -t
about 75% of the time yields an error:
NT_STATUS_ACCESS_DENIED

If I re-run those 2 commands repeatedly, I *eventually* will get machine 
that has successfully joined the AD domain (where 'wbinfo -t' succeeds 
and pam_winbind successfully authenticates users).


Now, I'm mostly content that I've found a solution to my problem, but 
I'm curious why/how 'net ads join' oftentimes claims false success (and 
why is it failing at all in the first place)?


-- Rex

(*) with -d3 or higher, I see random collections of errors, mostly 
kerberos related saying pre-authentication failed and encryption type 
not supported




RE: [Samba] net ads join fails

2005-04-12 Thread Penny Willisson
No, neither /var/kerberos/krb5kdc/ nor /var/log/krb5/ exist. Is this part of the 
problem?

For Craig White and anyone new to the problem here are the outputs of some 
files.

cat /etc/resolv.conf

search ellisonslegal.com
domain ellisonslegal.com
nameserver 10.0.0.31

cat /etc/krb5.conf
[libdefaults]
default_realm = ELLISONSLEGAL.COM
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true

[domain_realm]
ellisonslegal.com = ELLISONSLEGAL.COM
.ellisonslegal.com = ELLISONSLEGAL.COM
[realms]
ELLISONSLEGAL.COM = {
kdc = 10.0.0.31
default_domain = ELLNET
admin_server = 10.0.0.31
}
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}

kinit Administrator
and/or
kinit [EMAIL PROTECTED]

I do not have the kinit command

I am running Samba 3.0.13 on Suse Linux 9.0

Thank you for your help

Penny
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 11 April 2005 16:57
To: Penny Willisson
Subject: RE: [Samba] net ads join fails


Try that, it is working for me

[logging]
 default = FILE:/var/log/krb5/libs.log
 kdc = FILE:/var/log/krb5/kdc.log
 admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = BLABLA.COM
forwardable = true
proxiable = true


[realms]
  BLABLA.COM = {
  kdc = ip_address_of_kdc
  default_domain = blabla.com
 }

[domain_realm]
 .blabla.com = BLABLA.COM
 blabla.com = BLABLA.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false


Check if /var/kerberos/krb5kdc/ and /var/log/krb5/ exist , also replace
BLABLA.COM and blabla.com with the right value

Radu STANUC



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Penny Willisson
Sent: Monday, April 11, 2005 3:43 PM
To: Gordon Hopper; [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: RE: [Samba] net ads join fails


I have recreated my dns pointers without success and I think my krb5.conf
file is configured correctly.  First I left this to Yast to set up but that
didn't work and then I tried to modify it from a article I found.
 
I have pasted it in below
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300

[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
#default_domain = ELLNET
#kpasswd_server = apps.ellisonslegal.com
}
#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}
#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}

[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}

 
Dimitri would you be able to repost that link for the HOW-TO please?  I
tried it but it seems like it is broken, do you have the updated link?
 
Thanks for your continued help.
 
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 09 April 2005 00:23
To: Penny Willisson
Subject: RE: [Samba] net ads join fails


You might need to add some entries to your krb5.conf file.  for example:

[realms]
ellisonslegal.com = {
  kdc = domain.controller.ellisonslegal.com:88
}


Where kdc points to a domain controller.  Doesn't need to be the primary
domain controller, choose one close by for best performance.   (You
shouldn't need to do this if your DNS for the domain resolves to a domain
controller.)

Gordon



On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:

Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

any ideas???

-Original Message-
From:  [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED] Behalf Of
Dimitri Yioulos
Sent: 08 April 2005 13:30
To:  samba@lists.samba.org
Subject: Re: [Samba] net ads join fails

On Friday 08 April 2005 07:46 am, Penny Willisson wrote:

 Hi

 I have created the machine account on the AD server and did this
 logged in as Administrator so that should mean that the Administrator
 account has the correct permissions.

 I have executed the following command as suggested

 net ads join  [EMAIL PROTECTED] -d 2

 The following was output to the screen:

 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
 [2005/04/08 13:33:41, 0] libads
RE: [Samba] net ads join fails

2005-04-11 Thread Penny Willisson
I have recreated my dns pointers without success and I think my krb5.conf file 
is configured correctly.  First I left this to Yast to set up but that didn't 
work and then I tried to modify it from an article I found.
 
I have pasted it in below
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300

[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
#default_domain = ELLNET
#kpasswd_server = apps.ellisonslegal.com
}
#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}
#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}

[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}

 
Dimitri would you be able to repost that link for the HOW-TO please?  I tried 
it but it seems like it is broken, do you have the updated link?
 
Thanks for your continued help.
 
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 09 April 2005 00:23
To: Penny Willisson
Subject: RE: [Samba] net ads join fails


You might need to add some entries to your krb5.conf file.  for example:

[realms]
ellisonslegal.com = {
  kdc = domain.controller.ellisonslegal.com:88
}


Where kdc points to a domain controller.  Doesn't need to be the primary domain 
controller, choose one close by for best performance.   (You shouldn't need to 
do this if your DNS for the domain resolves to a domain controller.)

Gordon



On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:

Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

any ideas???

-Original Message-
From:  [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED] Behalf Of
Dimitri Yioulos
Sent: 08 April 2005 13:30
To:  samba@lists.samba.org
Subject: Re: [Samba] net ads join fails

On Friday 08 April 2005 07:46 am, Penny Willisson wrote:

 Hi

 I have created the machine account on the AD server and did this logged in
 as Administrator so that should mean that the Administrator account has the
 correct permissions.

 I have executed the following command as suggested

 net ads join  [EMAIL PROTECTED] -d 2

 The following was output to the screen:

 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
 kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown code krb5 156
 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
 ads_connect: Unknown code krb5 156
 [2005/04/08 13:33:41, 2] utils/net.c:main(897)
 return code = -1

 Thanks

 Penny

 -Original Message-
 From: Gordon Hopper [mailto: [EMAIL PROTECTED]
 Sent: 06 April 2005 05:28
 To: Penny Willisson
 Subject: Re: [Samba] net ads join fails

 [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
 [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
   kerberos_kinit_password   [EMAIL PROTECTED] failed: Unknown code krb5 156
 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
   ads_connect: Unknown code krb5 156

 I suggest you post the output of the command you are running to join the
 domain (including the command), for example, net ads join -U
  [EMAIL PROTECTED] -d 2.

 Also, note that the credentials you use to join the domain are not
 necessarily the domain Administrator, but they need to be a user who has
 write privileges to the ads folder where the machine account will be
 created.  (It worked better for me when the machine account was already
 created in server manager, but according to the docs, that shouldn't be
 necessary.)

 It almost looks like the password failed.  Or perhaps the folder you
 specified for the machine account does not exist.

 Regards,

 Gordon Hopper

Try the command kinit Administrator (or  [EMAIL PROTECTED]).  You
should be prompted for a password.  If, after entering the password, you're
returned to a prompt with no further output then, in theory at least, your
Kerberos setup is OK. If you get errors, well ...  Run that first, then try
net ads join -U  [EMAIL PROTECTED]

A good how-to can be found at:  http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri


Re: [Samba] net ads join fails

2005-04-11 Thread Dimitri Yioulos
On Monday 11 April 2005 09:42 am, you wrote:
 I have recreated my dns pointers without success and I think my krb5.conf
 file is configured correctly.  First I left this to Yast to set up but that
 didn't work and then I tried to modify it from a article I found.

 I have pasted it in below
 [libdefaults]
 #default_realm = ellisonslegal.com
 clockskew = 300

 [realms]
 ELLISONSLEGAL.COM = {
 kdc = apps.ellisonslegal.com
 #default_domain = ELLNET
 #kpasswd_server = apps.ellisonslegal.com
 }
 #ELLISONSLEGAL.COM = {
 # kdc = APPS.ELLISONSLEGAL.COM
 # admin_server = APPS.ELLISONSLEGAL.COM
 # kpasswd_server = APPS.ELLISONSLEGAL.COM
 #}
 #OTHER.REALM = {
 # kdc = OTHER.COMPUTER
 #}

 [domain_realm]
 # .my.domain = MY.REALM
 .ellisonslegal.com = ELLISONSLEGAL.COM

 [logging]
 default = SYSLOG:NOTICE:DAEMON
 kdc = FILE:/var/log/kdc.log
 kadmind = FILE:/var/log/kadmind.log

 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 debug = false
 }


 Dimitri would you be able to repost that link for the HOW-TO please?  I
 tried it but it seems like it is broken, do you have the updated link?

 Thanks for your continued help.

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 09 April 2005 00:23
 To: Penny Willisson
 Subject: RE: [Samba] net ads join fails


 You might need to add some entries to your krb5.conf file.  for example:

 [realms]
 ellisonslegal.com = {
   kdc = domain.controller.ellisonslegal.com:88
 }


 Where kdc points to a domain controller.  Doesn't need to be the primary
 domain controller, choose one close by for best performance.   (You
 shouldn't need to do this if your DNS for the domain resolves to a domain
 controller.)

 Gordon



 On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:

 Thanks

 When I run 'kinit administrator' I get the following error

 kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

 any ideas???

 -Original Message-
 From:  [EMAIL PROTECTED]
 [mailto: [EMAIL PROTECTED] Behalf Of
 Dimitri Yioulos
 Sent: 08 April 2005 13:30
 To:  samba@lists.samba.org
 Subject: Re: [Samba] net ads join fails

 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi

  I have created the machine account on the AD server and did this logged
  in as Administrator so that should mean that the Administrator account has
  the correct permissions.

  I have executed the following command as suggested

  net ads join  [EMAIL PROTECTED] -d 2

  The following was output to the screen:

  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown code krb5 156
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
  return code = -1

  Thanks

  Penny

  -Original Message-
  From: Gordon Hopper [mailto: [EMAIL PROTECTED]
  Sent: 06 April 2005 05:28
  To: Penny Willisson
  Subject: Re: [Samba] net ads join fails

  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
    ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
    kerberos_kinit_password   [EMAIL PROTECTED] failed: Unknown code krb5 156
  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
    ads_connect: Unknown code krb5 156

  I suggest you post the output of the command you are running to join the
  domain (including the command), for example, net ads join -U
   [EMAIL PROTECTED] -d 2.

  Also, note that the credentials you use to join the domain are not
  necessarily the domain Administrator, but they need to be a user who has
  write privileges to the ads folder where the machine account will be
  created.  (It worked better for me when the machine account was already
  created in server manager, but according to the docs, that shouldn't be
  necessary.)

  It almost looks like the password failed.  Or perhaps the folder you
  specified for the machine account does not exist.

  Regards,

  Gordon Hopper

 Try the command kinit Administrator (or  [EMAIL PROTECTED]).  You
 should be prompted for a password.  If, after entering the password, you're
 returned to a prompt with no further output then, in theory at least, your
 Kerberos setup is OK. If you get errors, well ...  Run that first, then try
 net ads join -U  [EMAIL PROTECTED]

 A good how-to can be found at: 
 http://www.ulug.org.nz
FW: [Samba] net ads join fails

2005-04-11 Thread Penny Willisson
OK, I deleted the incorrect conf file and set it up using Yast again; here is the 
amended file.  I tried using the IP address of the server this time but I'm 
still getting the same errors as before.

[libdefaults]
default_realm = ELLISONSLEGAL.COM
clockskew = 300

[domain_realm]
.ELLNET = ELLISONSLEGAL.COM

[realms]
ELLISONSLEGAL.COM = {
kdc = 10.0.0.31
default_domain = ELLNET
kpasswd_server = 10.0.0.31
}

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}

 

Thanks

-Original Message-
From: Penny Willisson 
Sent: 11 April 2005 14:43
To: 'Gordon Hopper'; '[EMAIL PROTECTED]'
Cc: Dimitri Yioulos; samba@lists.samba.org
Subject: RE: [Samba] net ads join fails


I have recreated my dns pointers without success and I think my krb5.conf file 
is configured correctly.  First I left this to Yast to set up but that didn't 
work and then I tried to modify it from a article I found.
 
I have pasted it in below
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300

[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
#default_domain = ELLNET
#kpasswd_server = apps.ellisonslegal.com
}
#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}
#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}

[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}

 
Dimitri would you be able to repost that link for the HOW-TO please?  I tried 
it but it seems like it is broken, do you have the updated link?
 
Thanks for your continued help.
 
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 09 April 2005 00:23
To: Penny Willisson
Subject: RE: [Samba] net ads join fails


You might need to add some entries to your krb5.conf file.  for example:

[realms]
ellisonslegal.com = {
  kdc = domain.controller.ellisonslegal.com:88
}


Where kdc points to a domain controller.  Doesn't need to be the primary domain 
controller, choose one close by for best performance.   (You shouldn't need to 
do this if your DNS for the domain resolves to a domain controller.)

Gordon



On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote: 

Thanks



When I run 'kinit administrator' I get the following error



kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com



any ideas???



-Original Message-

From:  [EMAIL PROTECTED]

[mailto: [EMAIL PROTECTED] Behalf Of

Dimitri Yioulos

Sent: 08 April 2005 13:30

To:  samba@lists.samba.org

Subject: Re: [Samba] net ads join fails





On Friday 08 April 2005 07:46 am, Penny Willisson wrote:

 Hi



 I have created the machine account on the AD server and did this logged in

 as Administrator so that should mean that the Administrator account has the

 correct permissions.



 I have executed the following command as suggested



 net ads join  [EMAIL PROTECTED] -d 2



 The following was output to the screen:



 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)



 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0



 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)



 kerberos_kinit_password  [EMAIL PROTECTED] failed:

 Unknown code krb5 156



 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)



 ads_connect: Unknown code krb5 156



 [2005/04/08 13:33:41, 2] utils/net.c:main(897)



 return code = -1



 Thanks



 Penny



 -Original Message-

 From: Gordon Hopper [mailto: [EMAIL PROTECTED]

 Sent: 06 April 2005 05:28

 To: Penny Willisson

 Subject: Re: [Samba] net ads join fails







 [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)



   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)



 [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)



   kerberos_kinit_password   [EMAIL PROTECTED] failed: Unknown

 code krb5 156



 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)



   ads_connect: Unknown code krb5 156









 I suggest you post the output of the command you are running to join the

 domain (including the command), for example, net ads join -U

  [EMAIL PROTECTED] -d 2.



 Also, note that the credentials you use to join the domain are not

 necessarily the domain Administrator, but they need to be a user who has

 write privileges to the ads folder where the machine account will be

 created.  (It worked better for me when the machine account was already

 created in server manager, but according to the docs, that shouldn't be

 necessary.)



 It almost looks like the password

Re: FW: [Samba] net ads join fails

2005-04-11 Thread Dimitri Yioulos
OK, this is closer.

Change [realms] kpasswd_server to admin_server.

I also believe that [domain realm] should read: 
ellisonlegal.com = ELLISONLEGAL.COM
.ellisonlegal.com = ELLISONLEGAL.COM

I would add to [libdefaults]:
dns_lookup_realm = true
dns_lookup_kdc = true

Try this and report back (like a good IT soldier :-) )

Dimitri

On Monday 11 April 2005 10:58 am, you wrote:
 Ok I deleted the incorrect conf file and set it up using Yast again here is
 the amended file.  I tried using the IP address of the server this time but
 I'm still getting the same errors as before.

 [libdefaults]
 default_realm = ELLISONSLEGAL.COM
 clockskew = 300

 [domain_realm]
 .ELLNET = ELLISONSLEGAL.COM

 [realms]
 ELLISONSLEGAL.COM = {
 kdc = 10.0.0.31
 default_domain = ELLNET
 kpasswd_server = 10.0.0.31
 }

 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 }



 Thanks

 -Original Message-
 From: Penny Willisson
 Sent: 11 April 2005 14:43
 To: 'Gordon Hopper'; '[EMAIL PROTECTED]'
 Cc: Dimitri Yioulos; samba@lists.samba.org
 Subject: RE: [Samba] net ads join fails


 I have recreated my dns pointers without success and I think my krb5.conf
 file is configured correctly.  First I left this to Yast to set up but that
 didn't work and then I tried to modify it from an article I found.

 I have pasted it in below
 [libdefaults]
 #default_realm = ellisonslegal.com
 clockskew = 300

 [realms]
 ELLISONSLEGAL.COM = {
 kdc = apps.ellisonslegal.com
 #default_domain = ELLNET
 #kpasswd_server = apps.ellisonslegal.com
 }
 #ELLISONSLEGAL.COM = {
 # kdc = APPS.ELLISONSLEGAL.COM
 # admin_server = APPS.ELLISONSLEGAL.COM
 # kpasswd_server = APPS.ELLISONSLEGAL.COM
 #}
 #OTHER.REALM = {
 # kdc = OTHER.COMPUTER
 #}

 [domain_realm]
 # .my.domain = MY.REALM
 .ellisonslegal.com = ELLISONSLEGAL.COM

 [logging]
 default = SYSLOG:NOTICE:DAEMON
 kdc = FILE:/var/log/kdc.log
 kadmind = FILE:/var/log/kadmind.log

 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 debug = false
 }


 Dimitri would you be able to repost that link for the HOW-TO please?  I
 tried it but it seems like it is broken, do you have the updated link?

 Thanks for your continued help.

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 09 April 2005 00:23
 To: Penny Willisson
 Subject: RE: [Samba] net ads join fails


 You might need to add some entries to your krb5.conf file.  For example:

 [realms]
 ellisonslegal.com = {
   kdc = domain.controller.ellisonslegal.com:88
 }


 Where kdc points to a domain controller.  Doesn't need to be the primary
 domain controller, choose one close by for best performance.   (You
 shouldn't need to do this if your DNS for the domain resolves to a domain
 controller.)

 Gordon



 On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:

 Thanks



 When I run 'kinit administrator' I get the following error



 kinit: krb5_get_init_creds: unable to reach any KDC in realm
 ellisonslegal.com



 any ideas???



 -Original Message-

 From:  [EMAIL PROTECTED]

 [mailto: [EMAIL PROTECTED] Behalf Of

 Dimitri Yioulos

 Sent: 08 April 2005 13:30

 To:  samba@lists.samba.org

 Subject: Re: [Samba] net ads join fails

 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi
 
 
 
  I have created the machine account on the AD server and did this logged
  in
 
  as Administrator so that should mean that the Administrator account has
  the
 
  correct permissions.
 
 
 
  I have executed the following command as suggested
 
 
 
  net ads join  [EMAIL PROTECTED] -d 2
 
 
 
  The following was output to the screen:
 
 
 
  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
 
 
 
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
 
 
 
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
 
 
 
  kerberos_kinit_password  [EMAIL PROTECTED] failed:
 
  Unknown code krb5 156
 
 
 
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
 
 
 
  ads_connect: Unknown code krb5 156
 
 
 
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
 
 
 
  return code = -1
 
 
 
  Thanks
 
 
 
  Penny
 
 
 
  -Original Message-
 
  From: Gordon Hopper [mailto: [EMAIL PROTECTED]
 
  Sent: 06 April 2005 05:28
 
  To: Penny Willisson
 
  Subject: Re: [Samba] net ads join fails
 
 
 
 
 
 
 
  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
 
 
 
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
  directory)
 
 
 
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
 
 
 
kerberos_kinit_password   [EMAIL PROTECTED] failed:
  Unknown
 
  code krb5 156
 
 
 
  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
 
 
 
ads_connect: Unknown code krb5 156

RE: FW: [Samba] net ads join fails

2005-04-11 Thread Penny Willisson
Sorry the same problem is still happening.

Thanks

-Original Message-
From: Dimitri Yioulos [mailto:[EMAIL PROTECTED]
Sent: 11 April 2005 16:38
To: Penny Willisson
Subject: Re: FW: [Samba] net ads join fails


OK, this is closer.

Change [realms] kpasswd_server to admin_server.

I also believe that [domain realm] should read: 
ellisonlegal.com = ELLISONLEGAL.COM
.ellisonlegal.com = ELLISONLEGAL.COM

I would add to [libdefaults]:
dns_lookup_realm = true
dns_lookup_kdc = true

Try this and report back (like a good IT soldier :-) )

Dimitri

On Monday 11 April 2005 10:58 am, you wrote:
 Ok I deleted the incorrect conf file and set it up using Yast again here is
 the amended file.  I tried using the IP address of the server this time but
 I'm still getting the same errors as before.

 [libdefaults]
 default_realm = ELLISONSLEGAL.COM
 clockskew = 300

 [domain_realm]
 .ELLNET = ELLISONSLEGAL.COM

 [realms]
 ELLISONSLEGAL.COM = {
 kdc = 10.0.0.31
 default_domain = ELLNET
 kpasswd_server = 10.0.0.31
 }

 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 }



 Thanks

 -Original Message-
 From: Penny Willisson
 Sent: 11 April 2005 14:43
 To: 'Gordon Hopper'; '[EMAIL PROTECTED]'
 Cc: Dimitri Yioulos; samba@lists.samba.org
 Subject: RE: [Samba] net ads join fails


 I have recreated my dns pointers without success and I think my krb5.conf
 file is configured correctly.  First I left this to Yast to set up but that
 didn't work and then I tried to modify it from an article I found.

 I have pasted it in below
 [libdefaults]
 #default_realm = ellisonslegal.com
 clockskew = 300

 [realms]
 ELLISONSLEGAL.COM = {
 kdc = apps.ellisonslegal.com
 #default_domain = ELLNET
 #kpasswd_server = apps.ellisonslegal.com
 }
 #ELLISONSLEGAL.COM = {
 # kdc = APPS.ELLISONSLEGAL.COM
 # admin_server = APPS.ELLISONSLEGAL.COM
 # kpasswd_server = APPS.ELLISONSLEGAL.COM
 #}
 #OTHER.REALM = {
 # kdc = OTHER.COMPUTER
 #}

 [domain_realm]
 # .my.domain = MY.REALM
 .ellisonslegal.com = ELLISONSLEGAL.COM

 [logging]
 default = SYSLOG:NOTICE:DAEMON
 kdc = FILE:/var/log/kdc.log
 kadmind = FILE:/var/log/kadmind.log

 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 debug = false
 }


 Dimitri would you be able to repost that link for the HOW-TO please?  I
 tried it but it seems like it is broken, do you have the updated link?

 Thanks for your continued help.

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 09 April 2005 00:23
 To: Penny Willisson
 Subject: RE: [Samba] net ads join fails


 You might need to add some entries to your krb5.conf file.  For example:

 [realms]
 ellisonslegal.com = {
   kdc = domain.controller.ellisonslegal.com:88
 }


 Where kdc points to a domain controller.  Doesn't need to be the primary
 domain controller, choose one close by for best performance.   (You
 shouldn't need to do this if your DNS for the domain resolves to a domain
 controller.)

 Gordon



 On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:

 Thanks



 When I run 'kinit administrator' I get the following error



 kinit: krb5_get_init_creds: unable to reach any KDC in realm
 ellisonslegal.com



 any ideas???



 -Original Message-

 From:  [EMAIL PROTECTED]

 [mailto: [EMAIL PROTECTED] Behalf Of

 Dimitri Yioulos

 Sent: 08 April 2005 13:30

 To:  samba@lists.samba.org

 Subject: Re: [Samba] net ads join fails

 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi
 
 
 
  I have created the machine account on the AD server and did this logged
  in
 
  as Administrator so that should mean that the Administrator account has
  the
 
  correct permissions.
 
 
 
  I have executed the following command as suggested
 
 
 
  net ads join  [EMAIL PROTECTED] -d 2
 
 
 
  The following was output to the screen:
 
 
 
  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
 
 
 
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
 
 
 
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
 
 
 
  kerberos_kinit_password  [EMAIL PROTECTED] failed:
 
  Unknown code krb5 156
 
 
 
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
 
 
 
  ads_connect: Unknown code krb5 156
 
 
 
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
 
 
 
  return code = -1
 
 
 
  Thanks
 
 
 
  Penny
 
 
 
  -Original Message-
 
  From: Gordon Hopper [mailto: [EMAIL PROTECTED]
 
  Sent: 06 April 2005 05:28
 
  To: Penny Willisson
 
  Subject: Re: [Samba] net ads join fails
 
 
 
 
 
 
 
  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
 
 
 
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
  directory)
 
 
 
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146

RE: FW: [Samba] net ads join fails

2005-04-11 Thread Craig White
On Mon, 2005-04-11 at 16:51 +0100, Penny Willisson wrote:
 Sorry the same problem is still happening.
---
it would probably help if you gave us more info...started over...

what is output?

cat /etc/resolv.conf

cat /etc/krb5.conf

terminal output of 

kinit Administrator
and/or
kinit [EMAIL PROTECTED]

Craig

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: RE: [Samba] net ads join fails

2005-04-10 Thread Ernesto Pereirinha
Hi!

Check your dns configuration!
I had similar problems and found out my dns server wasn't working
correctly the reverse resolution.

Good luck!

Ernesto Pereirinha

- Original Message -
From: Penny Willisson [EMAIL PROTECTED]
Date: Friday, April 8, 2005 3:41 pm
Subject: RE: [Samba] net ads join fails

 Thanks
 
 When I run 'kinit administrator' I get the following error
 
 kinit: krb5_get_init_creds: unable to reach any KDC in realm 
 ellisonslegal.com
 any ideas???
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] 
 Behalf Of
 Dimitri Yioulos
 Sent: 08 April 2005 13:30
 To: samba@lists.samba.org
 Subject: Re: [Samba] net ads join fails
 
 
 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi
 
  I have created the machine account on the AD server and did this 
 logged in
  as Administrator so that should mean that the Administrator 
 account has the
  correct permissions.
 
  I have executed the following command as suggested
 
  net ads join [EMAIL PROTECTED] -d 2
 
  The following was output to the screen:
 
  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
 
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
 
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
 
  kerberos_kinit_password [EMAIL PROTECTED] failed:
  Unknown code krb5 156
 
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
 
  ads_connect: Unknown code krb5 156
 
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
 
  return code = -1
 
  Thanks
 
  Penny
 
  -Original Message-
  From: Gordon Hopper [mailto:[EMAIL PROTECTED]
  Sent: 06 April 2005 05:28
  To: Penny Willisson
  Subject: Re: [Samba] net ads join fails
 
 
 
  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
 
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or 
 directory)
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
 
kerberos_kinit_password  [EMAIL PROTECTED] 
 failed: Unknown
  code krb5 156
 
  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
 
ads_connect: Unknown code krb5 156
 
 
 
 
  I suggest you post the output of the command you are running to 
 join the
  domain (including the command), for example, net ads join -U
  [EMAIL PROTECTED] -d 2.
 
  Also, note that the credentials you use to join the domain are not
  necessarily the domain Administrator, but they need to be a user 
 who has
  write privileges to the ads folder where the machine account 
 will be
  created.  (It worked better for me when the machine account was 
 already created in server manager, but according to the docs, 
 that shouldn't be
  necessary.)
 
  It almost looks like the password failed.  Or perhaps the folder you
  specified for the machine account does not exist.
 
  Regards,
 
  Gordon Hopper
 
 Try the command kinit Administrator (or 
 [EMAIL PROTECTED]).  You 
 should be prompted for a password.  If, after entering the 
 password, you're 
 returned to a prompt with no further output then, in theory at 
 least, your 
 Kerberos setup is OK. If you get errors, well ...  Run that first, 
 then try 
 net ads join -U [EMAIL PROTECTED]
 
 A good how-to can be found at: 
 http://www.ulug.org.nz/ActiveDirectorySamba.
 HTH.
 
 Dimitri
 



RE: [Samba] net ads join fails

2005-04-08 Thread Penny Willisson
Hi
 
I have created the machine account on the AD server and did this logged in as 
Administrator so that should mean that the Administrator account has the 
correct permissions.
 
I have executed the following command as suggested 
 
net ads join [EMAIL PROTECTED] -d 2
 
The following was output to the screen:
 
[2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

[2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)

kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156

[2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)

ads_connect: Unknown code krb5 156

[2005/04/08 13:33:41, 2] utils/net.c:main(897)

return code = -1

Thanks

Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 06 April 2005 05:28
To: Penny Willisson
Subject: Re: [Samba] net ads join fails



[2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)

  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

[2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)

  kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown code krb5 156

[2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)

  ads_connect: Unknown code krb5 156




I suggest you post the output of the command you are running to join the domain 
(including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2.

Also, note that the credentials you use to join the domain are not necessarily 
the domain Administrator, but they need to be a user who has write privileges 
to the ads folder where the machine account will be created.  (It worked better 
for me when the machine account was already created in server manager, but 
according to the docs, that shouldn't be necessary.)

It almost looks like the password failed.  Or perhaps the folder you specified 
for the machine account does not exist.

Regards,

Gordon Hopper




Re: [Samba] net ads join fails

2005-04-08 Thread Dimitri Yioulos
On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
 Hi

 I have created the machine account on the AD server and did this logged in
 as Administrator so that should mean that the Administrator account has the
 correct permissions.

 I have executed the following command as suggested

 net ads join [EMAIL PROTECTED] -d 2

 The following was output to the screen:

 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)

 kerberos_kinit_password [EMAIL PROTECTED] failed:
 Unknown code krb5 156

 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)

 ads_connect: Unknown code krb5 156

 [2005/04/08 13:33:41, 2] utils/net.c:main(897)

 return code = -1

 Thanks

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 06 April 2005 05:28
 To: Penny Willisson
 Subject: Re: [Samba] net ads join fails



 [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)

   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

 [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)

   kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown
 code krb5 156

 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)

   ads_connect: Unknown code krb5 156




 I suggest you post the output of the command you are running to join the
 domain (including the command), for example, net ads join -U
 [EMAIL PROTECTED] -d 2.

 Also, note that the credentials you use to join the domain are not
 necessarily the domain Administrator, but they need to be a user who has
 write privileges to the ads folder where the machine account will be
 created.  (It worked better for me when the machine account was already
 created in server manager, but according to the docs, that shouldn't be
 necessary.)

 It almost looks like the password failed.  Or perhaps the folder you
 specified for the machine account does not exist.

 Regards,

 Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]).  You 
should be prompted for a password.  If, after entering the password, you're 
returned to a prompt with no further output then, in theory at least, your 
Kerberos setup is OK. If you get errors, well ...  Run that first, then try 
net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri


RE: [Samba] net ads join fails

2005-04-08 Thread Penny Willisson
Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

any ideas???

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Dimitri Yioulos
Sent: 08 April 2005 13:30
To: samba@lists.samba.org
Subject: Re: [Samba] net ads join fails


On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
 Hi

 I have created the machine account on the AD server and did this logged in
 as Administrator so that should mean that the Administrator account has the
 correct permissions.

 I have executed the following command as suggested

 net ads join [EMAIL PROTECTED] -d 2

 The following was output to the screen:

 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)

 kerberos_kinit_password [EMAIL PROTECTED] failed:
 Unknown code krb5 156

 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)

 ads_connect: Unknown code krb5 156

 [2005/04/08 13:33:41, 2] utils/net.c:main(897)

 return code = -1

 Thanks

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 06 April 2005 05:28
 To: Penny Willisson
 Subject: Re: [Samba] net ads join fails



 [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)

   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

 [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)

   kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown
 code krb5 156

 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)

   ads_connect: Unknown code krb5 156




 I suggest you post the output of the command you are running to join the
 domain (including the command), for example, net ads join -U
 [EMAIL PROTECTED] -d 2.

 Also, note that the credentials you use to join the domain are not
 necessarily the domain Administrator, but they need to be a user who has
 write privileges to the ads folder where the machine account will be
 created.  (It worked better for me when the machine account was already
 created in server manager, but according to the docs, that shouldn't be
 necessary.)

 It almost looks like the password failed.  Or perhaps the folder you
 specified for the machine account does not exist.

 Regards,

 Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]).  You 
should be prompted for a password.  If, after entering the password, you're 
returned to a prompt with no further output then, in theory at least, your 
Kerberos setup is OK. If you get errors, well ...  Run that first, then try 
net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri


Re: [Samba] net ads join fails

2005-04-08 Thread Dimitri Yioulos
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of
 Dimitri Yioulos
 Sent: 08 April 2005 13:30
 To: samba@lists.samba.org
 Subject: Re: [Samba] net ads join fails

 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi
 
  I have created the machine account on the AD server and did this logged
  in as Administrator so that should mean that the Administrator account
  has the correct permissions.
 
  I have executed the following command as suggested
 
  net ads join [EMAIL PROTECTED] -d 2
 
  The following was output to the screen:
 
  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
 
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
 
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
 
  kerberos_kinit_password [EMAIL PROTECTED] failed:
  Unknown code krb5 156
 
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
 
  ads_connect: Unknown code krb5 156
 
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
 
  return code = -1
 
  Thanks
 
  Penny
 
  -Original Message-
  From: Gordon Hopper [mailto:[EMAIL PROTECTED]
  Sent: 06 April 2005 05:28
  To: Penny Willisson
  Subject: Re: [Samba] net ads join fails
 
 
 
  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
 
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
  directory)
 
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
 
kerberos_kinit_password  [EMAIL PROTECTED] failed:
  Unknown code krb5 156
 
  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
 
ads_connect: Unknown code krb5 156
 
 
 
 
  I suggest you post the output of the command you are running to join the
  domain (including the command), for example, net ads join -U
  [EMAIL PROTECTED] -d 2.
 
  Also, note that the credentials you use to join the domain are not
  necessarily the domain Administrator, but they need to be a user who has
  write privileges to the ads folder where the machine account will be
  created.  (It worked better for me when the machine account was already
  created in server manager, but according to the docs, that shouldn't be
  necessary.)
 
  It almost looks like the password failed.  Or perhaps the folder you
  specified for the machine account does not exist.
 
  Regards,
 
  Gordon Hopper

 Try the command kinit Administrator (or [EMAIL PROTECTED]). 
 You should be prompted for a password.  If, after entering the password,
 you're returned to a prompt with no further output then, in theory at
 least, your Kerberos setup is OK. If you get errors, well ...  Run that
 first, then try net ads join -U [EMAIL PROTECTED]

 A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

 HTH.

 Dimitri

On Friday 08 April 2005 10:41 am, you wrote:
 Thanks

 When I run 'kinit administrator' I get the following error

 kinit: krb5_get_init_creds: unable to reach any KDC in realm
 ellisonslegal.com

 any ideas???


You probably don't have Kerberos configured correctly.  Check your krb5.conf 
and kdc.conf files.  Refer to the how-to I mentioned earlier, and also 
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4/doc/krb5-install.html, if 
you're using MIT Kerberos.

Dimitri
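
The krb5.conf points the replies in this thread ask about (default_realm, the [realms] stanza, the [domain_realm] mapping) can be checked mechanically. The following is an added example, not code from any poster or from Samba or Kerberos; the first two sample files are trimmed copies of the configurations posted in the thread, while FIXED_CONF and the host name samba1.ellisonslegal.com are assumptions made for illustration.

```python
"""Lint a krb5.conf for the realm-lookup settings discussed in this thread."""

# Trimmed copy of the hand-edited file posted in the thread.
FIRST_CONF = """\
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300
[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
#kpasswd_server = apps.ellisonslegal.com
}
[domain_realm]
.ellisonslegal.com = ELLISONSLEGAL.COM
"""

# Trimmed copy of the YaST-generated file posted in the thread.
YAST_CONF = """\
[libdefaults]
default_realm = ELLISONSLEGAL.COM
[domain_realm]
.ELLNET = ELLISONSLEGAL.COM
[realms]
ELLISONSLEGAL.COM = {
kdc = 10.0.0.31
kpasswd_server = 10.0.0.31
}
"""

# Constructed for this example; nobody in the thread confirmed it as working.
FIXED_CONF = """\
[libdefaults]
default_realm = ELLISONSLEGAL.COM
[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
}
[domain_realm]
.ellisonslegal.com = ELLISONSLEGAL.COM
ellisonslegal.com = ELLISONSLEGAL.COM
"""

HOST = "samba1.ellisonslegal.com"  # hypothetical FQDN of the Samba server


def parse_krb5_conf(text):
    """Return {section: {key: value or nested dict}}; '#' and ';' lines are comments.
    Repeated keys (several kdc lines) keep the last value, which is enough for linting."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1].strip(), {})]
        elif line.startswith("}") and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def lint(text, host_fqdn):
    """Return a list of finding codes for this host; an empty list means no findings."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    findings = []

    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        findings.append("no-default-realm")
    elif default not in realms:  # realm names are case-sensitive
        findings.append("default-realm-not-in-realms")

    for name, body in realms.items():
        if name != name.upper():  # an AD realm is the upper-cased DNS domain name
            findings.append("realm-not-uppercase:" + name)
        if isinstance(body, dict) and "kdc" not in body:
            findings.append("realm-without-kdc:" + name)  # KDC lookup then depends on DNS

    # [domain_realm]: ".suffix" covers hosts under a domain, a bare name is one host.
    host, mapped = host_fqdn.lower(), False
    for pattern, realm in conf.get("domain_realm", {}).items():
        p = pattern.lower()
        if (p.startswith(".") and host.endswith(p)) or host == p:
            mapped = True
        if realm not in realms:
            findings.append("domain-realm-target-undefined:" + realm)
    if not mapped:
        findings.append("host-not-mapped")
    return findings


if __name__ == "__main__":
    for label, text in (("first", FIRST_CONF), ("yast", YAST_CONF), ("fixed", FIXED_CONF)):
        print(label, lint(text, HOST))
```

A finding here only means the file leaves that lookup to library defaults or DNS; it does not establish which of them caused the kinit failure reported above.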


[Samba] net ads join fails

2005-04-05 Thread Penny Willisson
I am trying to connect to an ADS domain and it is failing all the time.
 
I am running SuSE Linux 9.0 with Samba 3.0.13 and have configured Samba with 
ldap and heimdal kerberos
 
Attached is my debug level 10 error log created when the join is attempted.
 
I would appreciate any advice on solving this problem.
 
Thanks in advance 
 
Penny Willisson


[Samba] net ads join fails

2005-04-05 Thread Penny Willisson
Sorry attachment was removed - I have now pasted log file here.

[2005/04/05 15:11:44, 5] lib/debug.c:debug_dump_status(366)
  INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
[2005/04/05 15:11:44, 3] param/loadparm.c:lp_load(3907)
  lp_load: refreshing parameters
[2005/04/05 15:11:44, 3] param/loadparm.c:init_globals(1321)
  Initialising global parameters
[2005/04/05 15:11:44, 3] param/params.c:pm_process(573)
  params.c:pm_process() - Processing configuration file 
/usr/local/samba3/lib/smb.conf
[2005/04/05 15:11:44, 3] param/loadparm.c:do_section(3409)
  Processing section [global]
  doing parameter workgroup = ELLNET
  doing parameter realm = ellisonslegal.com
  doing parameter server string = Samba 3.0.13
  doing parameter security = ADS
  doing parameter allow trusted domains = No
  doing parameter log level = 1
  doing parameter syslog = 0
  doing parameter log file = /var/log/samba/%m
  doing parameter max log size = 50
  doing parameter printcap name = CUPS
  doing parameter ldap ssl = no
  doing parameter idmap backend = idmap_rid:KPAK=500-1
  doing parameter idmap uid = 500-1
  doing parameter idmap gid = 500-1
  doing parameter template shell = /bin/bash
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = No
  doing parameter winbind enum groups = No
  doing parameter winbind nested groups = Yes
  doing parameter deadtime = 30
  doing parameter keepalive = 60
  doing parameter os level = 2
  doing parameter preferred master = No
  doing parameter wins support = Yes
[2005/04/05 15:11:44, 4] param/loadparm.c:lp_load(3938)
  pm_process() returned Yes
[2005/04/05 15:11:44, 7] param/loadparm.c:lp_servicenumber(4048)
  lp_servicenumber: couldn't find homes
[2005/04/05 15:11:44, 10] param/loadparm.c:set_server_role(3856)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2LE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2LE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16LE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16LE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2BE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2BE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16BE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16BE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF8
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF8
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-8
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-8
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ASCII
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ASCII
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset 646
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset 646
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ISO-8859-1
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ISO-8859-1
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS2-HEX
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS2-HEX
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] 

Re: [Samba] net ads join fails - Preauthentication failed

2004-12-08 Thread birger
Resending, as I used wrong sender and it doesn't seem to have appeared 
on the list.

The problem is sort of solved...
First, I tried stopping smb and winbind and cleaning out all cache files
(/var/cache/samba).
Then joining worked fine for a while. Then it didn't. Whenever it didn't
I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO
again.
Now the problem with the double realm name seems to be fixed. I still 
get the same errors joining (just with the correct realm name). Seen
from the AD side the join succeeds, and I can authenticate against AD as
expected. I'm not sure what this is, but I'll get someone on the AD side
to help me clean out the credentials for IFTSMB100 completely. Does
anyone here know what it takes to get completely rid of all traces of a
host in the kerberos part of AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in
krb5.conf so my domain maps to a realm name (map ift.uib.no to 
KLIENT.UIB.NO) and match the default realm in krb5.conf to the realm in
smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this
setup. Users live in other domains.
My new config files are at http://www.ift.uib.no/~birger/krb5.conf and
http://www.ift.uib.no/~birger/smb.conf

I also upgraded kerberos and samba to the versions in the yum develop 
repo for fc3. samba*-3.0.9-2 and krb5*-1.3.5-2

Now, even with the preauthentication failures when joining I have a 
working server that authenticates as expected. :-)

--
birger
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] net ads join fails - Preauthentication failed

2004-12-07 Thread Birger Wathne
Sort of solved...
First, I tried stopping smb and winbind and cleaning out all cache files 
(/var/cache/samba).
Then joining worked fine for a while. Then it didn't. Whenever it didn't 
I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO 
again.

Now that problem seems to be fixed, but I still get errors joining. Seen 
from the AD side the join succeeds, and I can authenticate against AD as 
expected. I'm not sure what this is, but I'll get someone on the AD side 
to help me clean out the credentials for IFTSMB100 completely. Does 
anyone here know what it takes to get completely rid of all traces of a 
host in AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in 
krb5.conf and match the default realm in krb5.conf to the realm in 
smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this 
setup. Users live in other domains.
My new config files are at http://www.ift.uib.no/~birger/krb5.conf and
http://www.ift.uib.no/~birger/smb.conf

--
birger

birger wrote:
After a lot of different problems and variations of krb5.conf and 
samba.conf files I am currently stuck with the following error trying 
to join a domain

net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba 
Servers\IT-gruppen'
[EMAIL PROTECTED]'s password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
 ads_add_machine_acct: Host account for iftsmb100 already exists - 
modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
 get_service_ticket: kerberos_kinit_password 
[EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

Fedora Core 3, Samba 3.0.9 as installed by yum.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/[EMAIL PROTECTED]
   renew until 12/03/04 14:45:02

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I have tried removing the definition in the AD server and recreating. 
Samba manages to create the account, but still fails like above. Note 
the double @KLIENT.UIB.NO. I think I'll go home now and take a break 
while my head clears after fighting with security = ads for 2 days...

In this AD environment hosts are defined in KLIENT.UIB.NO, while users 
belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with 
trust relationships). I have had it working as far as wbinfo listing 
users from both worlds, but I still couldn't access shares. Then 
something broke, and now I can't join the domain again. What have I 
done wrong here?

My config files are at
http://www.ift.uib.no/~birger/krb5.conf and 
http://www.ift.uib.no/~birger/smb.conf

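The two conditions birger describes in the posts above (krb5.conf default realm equal to the smb.conf realm, and a domain-to-realm mapping from ift.uib.no to KLIENT.UIB.NO) can be checked before running net ads join. The following is an added example, not part of the thread: the file contents and the FQDN iftsmb100.ift.uib.no are constructed, the function names are hypothetical, and the lookup (host name, then each parent domain) is a simplified model of [domain_realm] matching with realms compared case-insensitively.

```python
# Constructed sample files: realm, domain and host names come from the thread;
# the file contents are assumptions (the posted files are only linked).
HOST = "iftsmb100.ift.uib.no"  # assumed FQDN: host iftsmb100 in ift.uib.no
SMB_CONF = """[global]
   realm = KLIENT.UIB.NO
"""
KRB5_BEFORE = """[libdefaults]
    default_realm = UIB.NO
"""
KRB5_AFTER = """[libdefaults]
    default_realm = KLIENT.UIB.NO
[domain_realm]
    .ift.uib.no = KLIENT.UIB.NO
"""

def parse_sections(text):
    # Read flat "key = value" lines under [section] headers, skipping comments.
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.split()).lower()] = value.strip()
    return sections

def realm_for_host(fqdn, domain_realm):
    # Try the host name, then each parent domain in dotted and bare form.
    name = fqdn.lower()
    while name:
        if name in domain_realm:
            return domain_realm[name]
        cut = 1 if name.startswith(".") else name.find(".")
        name = name[cut:] if cut != -1 else ""
    return None

def check_join_config(smb_text, krb5_text, fqdn):
    # Returns a list of mismatches; an empty list means the two files agree.
    krb5 = parse_sections(krb5_text)
    realm = parse_sections(smb_text).get("global", {}).get("realm", "").upper()
    default = krb5.get("libdefaults", {}).get("default_realm", "")
    mapped = realm_for_host(fqdn, krb5.get("domain_realm", {}))
    problems = []
    if default.upper() != realm:
        problems.append(f"default_realm {default!r} does not match smb.conf realm {realm!r}")
    if (mapped or "").upper() != realm:
        problems.append(f"{fqdn} maps to {mapped!r}, not {realm!r}")
    return problems
```

Calling check_join_config(SMB_CONF, KRB5_BEFORE, HOST) reports both mismatches, while the KRB5_AFTER sample returns an empty list.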


Re: [Samba] net ads join fails - Preauthentication failed

2004-12-05 Thread Birger Wathne
birger wrote: 

net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba 
Servers\IT-gruppen'
[EMAIL PROTECTED]'s password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
 ads_add_machine_acct: Host account for iftsmb100 already exists - 
modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
 get_service_ticket: kerberos_kinit_password 
[EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

I seem to have solved this part of the problem.
Stop everything, move aside /var/cache/samba, create a new empty 
directory and retry. Worked as it should.

Now I'm back to my old problems. :-/
--
birger


[Samba] net ads join fails - Preauthentication failed

2004-12-02 Thread birger
After a lot of different problems and variations of krb5.conf and 
samba.conf files I am currently stuck with the following error trying to 
join a domain

net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba 
Servers\IT-gruppen'
[EMAIL PROTECTED]'s password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
 ads_add_machine_acct: Host account for iftsmb100 already exists - 
modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
 get_service_ticket: kerberos_kinit_password 
[EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

Fedora Core 3, Samba 3.0.9 as installed by yum.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/[EMAIL PROTECTED]
   renew until 12/03/04 14:45:02

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I have tried removing the definition in the AD server and recreating. 
Samba manages to create the account, but still fails like above. Note 
the double @KLIENT.UIB.NO. I think I'll go home now and take a break 
while my head clears after fighting with security = ads for 2 days...

In this AD environment hosts are defined in KLIENT.UIB.NO, while users 
belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with trust 
relationships). I have had it working as far as wbinfo listing users 
from both worlds, but I still couldn't access shares. Then something 
broke, and now I can't join the domain again. What have I done wrong here?

My config files are at
http://www.ift.uib.no/~birger/krb5.conf and 
http://www.ift.uib.no/~birger/smb.conf

--
birger


[Samba] net ads join fails

2004-11-02 Thread Tom Dickson
/usr/bin/net ads join -Udennisb
dennisb password:
[2004/11/02 17:31:56, 0] libads/ldap.c:ads_add_machine_acct(1006)
  Host account for if-srv-hos1 already exists - modifying old account
[2004/11/02 17:31:56, 0] libads/ldap.c:ads_join_realm(1342)
  ads_add_machine_acct: No such object
ads_join_realm: No such object

Also:

net user | wc -l

reports 106000 users, but

wbinfo -u | wc -l

only reports 5000. Is this because I haven't been able to join
successfully yet?

Also, if I try to change the name to if-srv-hos2, I get an error about
insufficient access. Do I need to have the ability to create domain
machine accounts to join the machine to a domain?

klist seems to work:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/02/04 16:37:16  11/03/04 02:37:17  krbtgt/[EMAIL PROTECTED]
        renew until 11/03/04 16:37:16
11/02/04 16:44:12  11/03/04 02:37:17  [EMAIL PROTECTED]
        renew until 11/03/04 16:37:16
11/02/04 17:06:11  11/03/04 02:37:17  [EMAIL PROTECTED]
        renew until 11/03/04 16:37:16

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


Re: [Samba] net ads join fails

2004-11-02 Thread sharif islam
On Tue, 02 Nov 2004 14:34:15 -0800, Tom Dickson [EMAIL PROTECTED] wrote:
 /usr/bin/net ads join -Udennisb
 dennisb password:
 [2004/11/02 17:31:56, 0] libads/ldap.c:ads_add_machine_acct(1006)
   Host account for if-srv-hos1 already exists - modifying old account
 [2004/11/02 17:31:56, 0] libads/ldap.c:ads_join_realm(1342)
   ads_add_machine_acct: No such object
 ads_join_realm: No such object

What version of samba and kerberos are you using? I had problems with
the version that comes with redhat. I wasn't able to get ads to work with
it. samba.3.0.7 and krb1.3.5 worked for me. And make sure on smb.conf,
you have 'security=ADS'.


[Samba] net ads join fails with Operations error ?

2004-07-29 Thread Tim
Hi all.

I'm having a problem joining an ADS domain with Samba 3.0.5.

The machine account has been set up on the server in a similar way to
another system which has joined successfully.  The error I'm getting
is kinda vague, and I have no idea what it means:

---
[2004/07/28 16:32:36, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  got [EMAIL PROTECTED]
[2004/07/28 16:32:36, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/07/28 16:32:36, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(245)
  Ticket in ccache[MEMORY:net_ads] expiration Thu, 29 Jul 2004 02:32:36 GMT
ads_join_realm: Operations error
[2004/07/28 16:32:36, 2] utils/net.c:main(792)
  return code = -1
---

Does anybody know what Operations error actually means?

What have I configured incorrectly?

The command I'm running is:

# net -d 3 ads join UAT/WISE/Servers -U kimjeo

..and my config looks like this:

security = ADS
netbios name = SAMBA3DWEB
workgroup = xxx
realm = xxx.xxx.xx.xxx
name resolve order = lmhosts host wins
wins server = 10.xx.xx.xx
winbind separator = +
winbind uid = 65534-65534
winbind gid = 65534-65534
winbind enum users = no
winbind enum groups = no
winbind cache time = 60
password server = *

Any help or advice is appreciated.

Regards,

Tim.