Re: [Samba] kinit works, net join ads fails
On 9/27/07, eric roseme [EMAIL PROTECTED] wrote:

I know this sounds a little strange, but I was having the same problem on 3.0.25c, but adding the password to the command line solved it. I have no idea why:

net ads join -U administrator%password

Looks like that got me past the preauthentication error, but I'm still having an issue joining. Here is the debug log followed by my smb.conf

# /usr/sfw/sbin/net ads join -d3 -Umyuser%mypassword
[2007/10/03 09:07:37, 3] param/loadparm.c:(5024) lp_load: refreshing parameters
[2007/10/03 09:07:37, 3] param/loadparm.c:(1424) Initialising global parameters
[2007/10/03 09:07:37, 3] param/params.c:(572) params.c:pm_process() - Processing configuration file /etc/sfw/smb.conf
[2007/10/03 09:07:37, 3] param/loadparm.c:(3763) Processing section [global]
[2007/10/03 09:07:37, 2] lib/interface.c:(81) added interface ip=192.168.1.245 bcast=192.168.1.255 nmask=255.255.255.0
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489) get_dc_list: preferred server list: 192.168.1.240, *
[2007/10/03 09:07:37, 3] libads/ldap.c:(394) Connected to LDAP server 192.168.1.240
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489) get_dc_list: preferred server list: 192.168.1.240, *
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489) get_dc_list: preferred server list: 192.168.1.240, *
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489) get_dc_list: preferred server list: 192.168.1.240, *
[2007/10/03 09:07:37, 3] libads/ldap.c:(394) Connected to LDAP server 192.168.1.240
[2007/10/03 09:07:37, 3] libads/sasl.c:(213) ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/10/03 09:07:37, 3] libads/sasl.c:(213) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/10/03 09:07:37, 3] libads/sasl.c:(222) ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(593) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(528) ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Wed, 03 Oct 2007 19:07:37 MDT
[2007/10/03 09:07:37, 3] libsmb/namequery.c:(1489) get_dc_list: preferred server list: 192.168.1.240, *
[2007/10/03 09:07:37, 3] libads/ldap.c:(394) Connected to LDAP server 192.168.1.240
[2007/10/03 09:07:37, 3] libads/sasl.c:(213) ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/10/03 09:07:37, 3] libads/sasl.c:(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/10/03 09:07:37, 3] libads/sasl.c:(213) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/10/03 09:07:37, 3] libads/sasl.c:(222) ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
[2007/10/03 09:07:37, 3] libsmb/clikrb5.c:(528) ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Wed, 03 Oct 2007 19:07:37 MDT
[2007/10/03 09:07:37, 3] libsmb/cliconnect.c:(1509) Connecting to host=mydomain-svr.mydomain.local
[2007/10/03 09:07:37, 3] lib/util_sock.c:(874) Connecting to 192.168.1.240 at port 445
[2007/10/03 09:07:37, 3] libsmb/cliconnect.c:(972) cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] libsmb/cliconnect.c:(1606) failed session setup with NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] utils/net.c:(294) Cannot connect to server using kerberos. Error was NT_STATUS_LOGON_FAILURE
[2007/10/03 09:07:37, 1] utils/net_ads.c:(1548) call of net_join_domain failed: Logon failure
Failed to join domain: Logon failure
[2007/10/03 09:07:37, 2] utils/net.c:(1036) return code = -1

### smb.conf
[global]
realm = MYDOMAIN.LOCAL
workgroup = MYDOMAIN
security = ADS
use kerberos keytab = true
; password server = mydomain-svr.mydomain.local
encrypt passwords = yes
client lanman auth = no
client NTLMv2 auth = yes
lanman auth = no
min protocol = LANMAN2
ntlm auth = no
server string = Samba ADS client use spnego = no
server signing = auto
# winbind configuration:
winbind separator = +
; winbind enum users = yes
; template homedir = /samba/pchome/%D/%U
idmap domains = MYDOMAIN
idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:backend = tdb
idmap config MYDOMAIN:range = 1-2
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/samba/log/log.%m
log level = 10
# Put a capping on the size of the log files (in Kb).
max log size = 1024
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
; socket options = TCP_NODELAY
Re: [Samba] kinit works, net join ads fails
I know this sounds a little strange, but I was having the same problem on 3.0.25c, but adding the password to the command line solved it. I have no idea why:

net ads join -U administrator%password

Eric Roseme

Peter Baumgartner wrote:

I'm running 3.0.25c on OpenSolaris. I can successfully do a kinit and see the ticket via klist, but am unable to join the domain.

/usr/sfw/sbin/net -d 5 ads join -U [EMAIL PROTECTED]

gives the following error...

[2007/08/29 15:49:24, 3] libsmb/clikrb5.c:(593) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2007/08/29 15:49:24, 0] libads/kerberos.c:(228) kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
[2007/08/29 15:49:24, 1] utils/net_ads.c:(1470) error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/08/29 15:49:24, 2] utils/net.c:(1032)

I have synced the time on the Samba box with my domain controller. Any thoughts on what is wrong?

On 9/3/07, Necos Secon [EMAIL PROTECTED] wrote:

So, just a few things to check:
1.) Typos in the realm name.
2.) Typos in the krb5.conf file (I use heimdal)
3.) Try running the net ads join with the administrator account (if you're using another account).
4.) Checking the AD server to make sure that you don't have an old machine account for the Samba machine.

I've tried all this and still am having no luck. I don't believe it is an issue in krb5.conf because kinit and smbclient work properly. I just can't join it to the domain. Any other thoughts?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] kinit works, net join ads fails
eric roseme wrote:

I know this sounds a little strange, but I was having the same problem on 3.0.25c, but adding the password to the command line solved it. I have no idea why:

net ads join -U administrator%password

Eric Roseme

Peter Baumgartner wrote:

I'm running 3.0.25c on OpenSolaris. I can successfully do a kinit and see the ticket via klist, but am unable to join the domain.

/usr/sfw/sbin/net -d 5 ads join -U [EMAIL PROTECTED]

Also, I just noticed - [EMAIL PROTECTED] isn't a valid format for a samba username. It's the format of the UPN created in AD using the option arg. Then user+DOMAIN (where + is separator) is valid only after joining.

Regards,
Doug
Re: [Samba] kinit works, net join ads fails
I'm running 3.0.25c on OpenSolaris. I can successfully do a kinit and see the ticket via klist, but am unable to join the domain.

/usr/sfw/sbin/net -d 5 ads join -U [EMAIL PROTECTED]

gives the following error...

[2007/08/29 15:49:24, 3] libsmb/clikrb5.c:(593) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2007/08/29 15:49:24, 0] libads/kerberos.c:(228) kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
[2007/08/29 15:49:24, 1] utils/net_ads.c:(1470) error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/08/29 15:49:24, 2] utils/net.c:(1032)

I have synced the time on the Samba box with my domain controller. Any thoughts on what is wrong?

On 9/3/07, Necos Secon [EMAIL PROTECTED] wrote:

So, just a few things to check:
1.) Typos in the realm name.
2.) Typos in the krb5.conf file (I use heimdal)
3.) Try running the net ads join with the administrator account (if you're using another account).
4.) Checking the AD server to make sure that you don't have an old machine account for the Samba machine.

I've tried all this and still am having no luck. I don't believe it is an issue in krb5.conf because kinit and smbclient work properly. I just can't join it to the domain. Any other thoughts?
RE: [Samba] kinit works, net join ads fails
I actually had this happen to me not too long ago with Samba 3.0.25c. My problem was that I didn't set the ADS mode properly. You're always warned to set workgroup equal to the pre-Windows 2000 domain name.

So, just a few things to check:
1.) Typos in the realm name.
2.) Typos in the krb5.conf file (I use heimdal)
3.) Try running the net ads join with the administrator account (if you're using another account).
4.) Checking the AD server to make sure that you don't have an old machine account for the Samba machine.

Hope that helps.

Theodore Charles III
Network Administrator
Los Angeles Senior High (www.lahigh.org)

From: Peter Baumgartner [EMAIL PROTECTED]
To: samba@lists.samba.org
Subject: [Samba] kinit works, net join ads fails
Date: Wed, 29 Aug 2007 15:55:28 -0600

I'm running 3.0.25c on OpenSolaris. I can successfully do a kinit and see the ticket via klist, but am unable to join the domain.

/usr/sfw/sbin/net -d 5 ads join -U [EMAIL PROTECTED]

gives the following error...

[2007/08/29 15:49:24, 3] libsmb/clikrb5.c:(593) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2007/08/29 15:49:24, 0] libads/kerberos.c:(228) kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
[2007/08/29 15:49:24, 1] utils/net_ads.c:(1470) error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/08/29 15:49:24, 2] utils/net.c:(1032)

I have synced the time on the Samba box with my domain controller. Any thoughts on what is wrong?

--
Pete
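The realm and workgroup items of the checklist in the message above can be checked offline before retrying the join. This is an added example, not part of the original thread: the function names get_param and check_ads_config and the sample files are constructed here, and the 15-character test is the NetBIOS name limit, used as a heuristic for the pre-Windows 2000 domain name.

```shell
#!/bin/sh
# Added example, not from the thread: offline check of the checklist's realm
# and workgroup items. Function names and sample files are constructed.

# Print a parameter from one section of an INI-style file (smb.conf, krb5.conf).
# Samba ignores case and spaces in parameter names, so both are normalised.
get_param() {  # $1=file  $2=section  $3=parameter (lowercase, no spaces)
    awk -v sect="$2" -v want="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { cur = tolower($0); gsub(/\[|\]|[ \t]/, "", cur); next }
        cur == sect && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }' "$1"
}

# Print one line per problem; return non-zero if any were found.
check_ads_config() {  # $1=smb.conf  $2=krb5.conf
    sec=$(get_param "$1" global security | tr 'A-Z' 'a-z')
    realm=$(get_param "$1" global realm)
    wg=$(get_param "$1" global workgroup)
    krb=$(get_param "$2" libdefaults default_realm)
    rc=0
    [ "$sec" = ads ] || { echo "security is '$sec', expected ads"; rc=1; }
    [ -n "$realm" ] || { echo "realm is not set"; rc=1; }
    # Kerberos realm names are case-sensitive, so compare byte for byte.
    [ "$realm" = "$krb" ] || { echo "realm '$realm' != default_realm '$krb'"; rc=1; }
    # workgroup is the short pre-Windows 2000 name: no dots, at most 15 chars.
    case $wg in
        ''|*.*) echo "workgroup '$wg' is not a short domain name"; rc=1 ;;
    esac
    [ "${#wg}" -le 15 ] || { echo "workgroup '$wg' exceeds 15 characters"; rc=1; }
    return $rc
}

# Constructed samples: the thread's realm/workgroup values, then a copy with
# the kind of mistakes the checklist warns about.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '[global]' 'realm = MYDOMAIN.LOCAL' 'workgroup = MYDOMAIN' \
    'security = ADS' > "$tmp/smb.conf"
printf '%s\n' '[global]' 'Realm = mydomain.local' 'workgroup = MYDOMAIN.LOCAL' \
    'security = ADS' > "$tmp/smb-typo.conf"
printf '%s\n' '[libdefaults]' '    default_realm = MYDOMAIN.LOCAL' > "$tmp/krb5.conf"

check_ads_config "$tmp/smb.conf" "$tmp/krb5.conf" && echo "smb.conf: consistent"
check_ads_config "$tmp/smb-typo.conf" "$tmp/krb5.conf" || echo "smb-typo.conf: fix the above"
```

A clean result only rules out these two checklist items; the account used for the join and stale machine accounts in AD still have to be checked on the domain controller.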
[Samba] kinit works, net join ads fails
I'm running 3.0.25c on OpenSolaris. I can successfully do a kinit and see the ticket via klist, but am unable to join the domain.

/usr/sfw/sbin/net -d 5 ads join -U [EMAIL PROTECTED]

gives the following error...

[2007/08/29 15:49:24, 3] libsmb/clikrb5.c:(593) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2007/08/29 15:49:24, 0] libads/kerberos.c:(228) kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
[2007/08/29 15:49:24, 1] utils/net_ads.c:(1470) error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/08/29 15:49:24, 2] utils/net.c:(1032)

I have synced the time on the Samba box with my domain controller. Any thoughts on what is wrong?

--
Pete