Have you tried the following?

%> kinit -u DOMAIN\Administrator
Enter Password: xxxxxx

%>net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX

I think the user you are attempting to join the domain with needs a valid Kerberos TGT first.

Michael Wood wrote:
On 28 January 2010 21:07, Joel Therrien <[email protected]> wrote:
Thanks. Unfortunately that did not appear to do anything.

What is even stranger is I tried running net ads info and it returned
information on the LDAP server name, the correct IP address,
realm, and bindpath. To my uninformed eye, this looks like it is
connected to the windows server in some manner. Yet wbinfo -t
still cannot check the trust secret.

One thing I also don't get is why the net ads testjoin command insists
on asking for a password for an account that does not exist. Even specifying
a username with the -U command does not work, it is just ignored.

Here's something to try while waiting for a reply from someone who
knows more about this stuff:

The NANOELECFS$ account is a machine account.  As far as I understand
it, this account is supposed to be created automatically when you join
the machine to the domain.  The password is randomly generated and the
client is supposed to change it periodically (every month?)
automatically.

I've heard some people on this list say they had to manually create
the machine account first in order to be able to join the domain, so
perhaps you should try that.  i.e. just create an account (the same
way you create a user account) with NANOELECFS$ as the username.  Why
this might be necessary, I wouldn't know.

Another thing is that things might work better with a later version of
Samba.  e.g. 3.3.10 or 3.4.5.

Joel

On 1/28/2010 11:06 AM, Dale Schroeder wrote:
Joel,

When I've received this error, I've been able to resolve by telling it the
name of the DC.
net ads join -S pdc -U admin_user

See if it works for you.

Dale


On 01/28/2010 9:14 AM, Joel Therrien wrote:
   I am in the process of getting samba working again with Active
Directory. Recently our IT department
upgraded their windows server to 2008.

   I am following the approach described here:
http://www.surlyjake.com/linux/samba/join-debian-lenny-to-active-directory-using-samba/

   I am able to get kerberos to issue a ticket, but where I am running
into a wall is with the net join ads part... It appears to work in that
setting the correct dn and using the username given to me by Jim for
binding to the windows server passes back a message that looks OK:

nanoelecfs:/home/joel# net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX
Enter XXXXX's password:
Got 1 replies

But if I try to test this by issuing the net ads testjoin command, I am
always asked this (highlighted in red):

nanoelecfs:/home/joel# net ads testjoin
Enter [email protected]'s password:
[2010/01/25 22:36:17,  0] libads/kerberos.c:ads_kinit_password(356)
 kerberos_kinit_password [email protected] failed:
Preauthentication failed
Join to domain is not valid: Logon failure

There is no such account, as kerberos is happy to indicate. This is odd
because I do not recall getting this
before the upgrade to 2008. NANOELECFS is the name of the linux box.

   Trying wbinfo -t gives the following:

nanoelecfs:/home/joel# wbinfo -t
checking the trust secret via RPC calls failed
Could not check secret

I am running a Debian Lenny system with kernel version 2.6.26-2-amd64

I am running samba version 2:3.2.5

Thanks in advance!



--
Jason Gerfen
Systems Administration/Web application development
[email protected]

Marriott Library
Lab Systems PC
295 South 1500 East
Salt Lake City, Utah 84112-0806
Ext 5-9810

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba