Re: [Samba] Join AD domain using security = domain ?
Ah excellent ! Thanks for your help Jerry. I came right.

My only problem is that when a client connects to my Samba, Samba first attempts to connect to the AD DC on port 445 to authenticate the user - this times out after some seconds and then successfully goes through on port 139. Must be something on the AD DC that is stopping this ?

Is there any way I can try forcing Samba to only use port 139 in that request to the AD DC ? I've tried 'smb ports = 139' - this of course seems to be only for the 'server' side of Samba.

Any ideas ?

Kind regards
David Wilson
D c D a t a
CNS, CLS, Linux+
T: 0860-1-LINUX F: 0866878971 M: 0824147413 E: [EMAIL PROTECTED] W: http://www.dcdata.co.za

-- This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Join AD domain using security = domain ?
David Wilson wrote:
> Ah excellent ! Thanks for your help Jerry. I came right.
>
> My only problem is that when a client connects to my Samba, Samba first attempts to connect to the AD DC on port 445 to authenticate the user - this times out after some seconds and then successfully goes through on port 139. Must be something on the AD DC that is stopping this ?
>
> Is there any way I can try forcing Samba to only use port 139 in that request to the AD DC ? I've tried 'smb ports = 139' - this of course seems to be only for the 'server' side of Samba.

If an AD server is rejecting connections on port 445, then something is wrong with the DC. Are you sure it's really an AD DC? Is this perhaps a mixed mode domain with NT4 BDCs?

cheers, jerry
Re: [Samba] Join AD domain using security = domain ?
Thanks Jerry. I thought the same too. I don't get a connection refused, it times out. Perhaps something on the LAN. It's a new AD setup running on HP blades for 1000+ users. I'll need to check with the MS admins.

Thanks for your help. Greatly appreciated ! Keep well.

Kind regards
David Wilson
D c D a t a
CNS, CLS, Linux+
T: 0860-1-LINUX F: 0866878971 M: 0824147413 E: [EMAIL PROTECTED] W: http://www.dcdata.co.za
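An added example, not part of the thread: a small probe that separates the two cases discussed above, a connection to port 445 that is refused versus one that times out, and checks port 139 alongside it. The host name `dc.example.com` and the function names are assumptions.

```python
import socket
import sys

SMB_PORTS = (445, 139)  # 445 = SMB directly over TCP, 139 = NetBIOS session service


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt as open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # three-way handshake completed
    except socket.timeout:
        return "timeout"           # no answer to the SYN at all
    except ConnectionRefusedError:
        return "refused"           # an RST came back
    except OSError as exc:
        return "error: %s" % exc   # unreachable network, failed name lookup, ...


def probe_smb(host, timeout=3.0):
    """Probe both SMB transports; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in SMB_PORTS}


def diagnose(results):
    """Turn the per-port states into a reading of the symptom in the thread."""
    s445, s139 = results.get(445), results.get(139)
    if s445 == "open":
        return "445 answers: no fallback delay expected from this host"
    if s139 != "open":
        return "139 not open either: check routing and name resolution first"
    if s445 == "timeout":
        return "445 dropped silently, 139 open: look for a packet filter on the path or on the DC"
    if s445 == "refused":
        return "445 refused, 139 open: the host answers but nothing listens on 445"
    return "445 failed (%s), 139 open" % s445


if __name__ == "__main__":
    # Hypothetical host name; pass the real DC as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc.example.com"
    states = probe_smb(target)
    for port in SMB_PORTS:
        print("%s:%d -> %s" % (target, port, states[port]))
    print(diagnose(states))
```

Run it from the Samba host itself, so the result reflects the same network path Samba uses to reach the DC.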
Re: [Samba] Join AD domain using security = domain ?
David Wilson wrote:
> Is it possible to join an AD domain using NT style authentication ? i.e. security = domain in smb.conf and use 'net join rpc -W [MYADDOMAIN]

Been there. Done that.

> When I tried this I get the following error:
>
> [2006/02/22 11:56:42, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
>   cli_rpc_pipe_open_schannel: failed to get schannel session key from server msu adserver for domain MYADDOMAIN.
> [2006/02/22 11:56:42, 0] utils/net_rpc_join.c:net_rpc_join_ok(61)
>   Error connecting to NETLOGON pipe. Error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
> Unable to join domain MYADDOMAIN.

You didn't post your Samba version and smb.conf, so we need to wild-guess. Try adding

    client schannel = No

in [global].

-TL
Re: [Samba] Join AD domain using security = domain ?
On Wed, 22 Feb 2006, David Wilson wrote:
> Hi guys,
>
> Is it possible to join an AD domain using NT style authentication ? i.e. security = domain in smb.conf and use 'net join rpc -W [MYADDOMAIN]
>
> When I tried this I get the following error:
>
> [2006/02/22 11:56:42, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
>   cli_rpc_pipe_open_schannel: failed to get schannel session key from server msu adserver for domain MYADDOMAIN.
> [2006/02/22 11:56:42, 0] utils/net_rpc_join.c:net_rpc_join_ok(61)
>   Error connecting to NETLOGON pipe. Error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
> Unable to join domain MYADDOMAIN.

Schannel is on RPC connections so you will see the same processing regardless of how winbindd is configured. You can set 'client schannel = no' in smb.conf.

What version of Samba is this?

cheers, jerry

I live in a Reply-to-All world.
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
Re: [Samba] Join AD domain using security = domain ?
Hi Jerry,

Thanks for your reply. Cool. So I can just try 'client schannel = no' in the smb.conf and it should join ?

This is samba-3.0.21b on Solaris 9 (SunOS5.9).

Kind regards
David Wilson
D c D a t a
CNS, CLS, Linux+
T: 0860-1-LINUX F: 0866878971 M: 0824147413 E: [EMAIL PROTECTED] W: http://www.dcdata.co.za
Re: [Samba] Join AD domain using security = domain ?
Thanks Thomas.

Samba-3.0.21b. My smb.conf is off-site. I'll send it if disabling the client schannel still does not work.

Thanks for your help so far !

Kind regards
David Wilson
D c D a t a
CNS, CLS, Linux+
T: 0860-1-LINUX F: 0866878971 M: 0824147413 E: [EMAIL PROTECTED] W: http://www.dcdata.co.za