So I reverted back to an old snapshot and gave this a quick test. Without any Kerberos configuration I get the following error message when I try to join the domain:

[r...@presidio3 ~]# net ads join -U Administrator
Enter Administrator's password:
[2009/09/23 23:58:48, 0] libads/kerberos.c:ads_kinit_password(362)
  kerberos_kinit_password [email protected] failed: Cannot find KDC for requested realm
Failed to join domain: failed to connect to AD: Cannot find KDC for requested realm

Any idea why this is?

Thanks
/Jonathan

On Wed, Sep 23, 2009 at 11:53 PM, Jonathan Petersson <[email protected]> wrote:
> Going to try this a bit more tomorrow with a fresh install, please see
> inline responses.
>
> I'm thinking that I may have some kerberos stuff hanging around, I
> noticed that there's a smb_krb5 directory with kdc data in
> /var/lib/samba.
>
> On Wed, Sep 23, 2009 at 11:37 PM, Adam Nielsen <[email protected]> wrote:
>>> Thanks for the input Adam,
>>>
>>> In my case I've full control of the AD domain and just run net ads
>>> join which is successful, shows up in AD.
>>>
>>> Here's my current config, can you see anything in it that I should
>>> consider adding or removing?
>>>
>>> [global]
>>> workgroup = PRESIDIO
>>> password server = pdc.garnser.se
>>> realm = garnser.se
>>
>> I would remove the password server, and (not being that familiar with
>> the set up side of AD) shouldn't the workgroup be GARNSER? Or the realm
>> be presidio.garnser.se? Mind you if you can join the domain it would
>> seem these values are correct.
>
> I named my workgroup differently from the domain/realm, I can
> successfully join the domain.
>
>>
>> Just to confirm these values are correct, on a Windows PC, go Control
>> Panel, System, Computer Name (where you can rename the PC) and on that
>> page it should list the domain - is that garnser.se? That domain should
>> be what is put in the realm.
>
> The domain is equal to the realm.
>
>>
>> Likewise when you log in to a Windows PC, you can choose the domain you
>> want to log in to from a drop-down list. Is that PRESIDIO? The value
>> there should be the same as what you put in workgroup.
>
> This is the same.
>
>>
>>> template shell = /bin/bash
>>
>> This will allow your AD users to SSH into your machine (just checking!)
>
> Yes that's intentional.
>
>>
>>> netbios name = presidio3
>>
>> Is presidio3.garnser.se the full DNS name of your machine? Not sure if
>> it makes a difference but it can't hurt to make the NetBIOS and DNS
>> names match.
>
> It's identical.
>
>>
>>> use kerberos keytab = yes
>>> client use spnego = yes
>>
>> I don't have either of these two options set.
>>
>>> auth methods = winbind
>>
>> I don't have "auth methods" set, and the manpage recommends against
>> setting it.
>>
>> Otherwise it looks fine. After updating these options you could try
>> erasing all Samba's .tdb files to make it forget it belongs to a domain,
>> then add it again fresh. I would be very surprised if that didn't work.
>
> Thanks again!
>
> /Jonathan
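
The checks raised in the quoted review of the [global] section, collected into one script. This is an added example, not part of the original thread and not Samba code; the function name, its parameters (fqdn, ad_domain, logon_domain) and the list of non-login shells are assumptions, and the sample text is constructed from the options quoted above.

```python
import configparser

# Constructed sample: the [global] options quoted in the thread.
SAMPLE = """[global]
workgroup = PRESIDIO
password server = pdc.garnser.se
realm = garnser.se
template shell = /bin/bash
netbios name = presidio3
use kerberos keytab = yes
client use spnego = yes
auth methods = winbind
"""

# Assumption: shells treated as "no interactive login" for this check.
NOLOGIN = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")

def review_global(conf_text, fqdn, ad_domain, logon_domain):
    """Return (option, note) findings for the [global] section.

    fqdn is the machine's DNS name; ad_domain and logon_domain are the
    values the reply says to read off a Windows PC (hypothetical names).
    """
    # Strip indentation so configparser does not read indented options as
    # continuation lines; no interpolation, smb.conf values may hold % macros.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    out = []
    if g.get("realm", "").lower() != ad_domain.lower():
        out.append(("realm", "does not match the AD domain name"))
    if g.get("workgroup", "").lower() != logon_domain.lower():
        out.append(("workgroup", "does not match the logon drop-down name"))
    nb = g.get("netbios name")
    if nb and nb.lower() != fqdn.split(".")[0].lower():
        out.append(("netbios name", "differs from the DNS host name"))
    if "password server" in g:
        out.append(("password server", "set; the reply suggests removing it"))
    if "auth methods" in g:
        out.append(("auth methods", "set; per the reply the manpage advises against it"))
    shell = g.get("template shell", "")
    if shell and shell not in NOLOGIN:
        out.append(("template shell", "AD users get an interactive shell: " + shell))
    return out

if __name__ == "__main__":
    for opt, note in review_global(SAMPLE, "presidio3.garnser.se", "garnser.se", "PRESIDIO"):
        print(f"{opt}: {note}")
```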
