Hi, I also run FreeBSD 6.1 (and also experience a lot of trouble with version 3.0.23c...)
For your problem you should check your /etc/hosts. It must have the "CHILD1.AD.WGA" as fqdn for your IP like this: xxx.xxx.xxx.xxx CHILD1.AD.WGA CHILD1 alias1 alias2 ... aliasN Le Tue, Nov 07, 2006 at 02:56:29PM -0800, Raj Pagaku a écrit : > Hello, > > We recently upgraded to the latest Samba3 version v3.0.23c. If the Samba > system and the AD belong to the same domain, I am able to perform a 'net > ads join' by supplying either a 'Domain Admins' or a 'Domain Users' > credential. > > However if the Samba system and the AD belong to different domain, I can > perform the 'net ads join' by supplying a 'Domain Admins' credential but > not a user belonging to 'Domain Users'. If the user belongs only to the > 'Domain Users', I get the 'Failed to set servicePrincipalNames' error. > > Samba System domain = WGA > AD Server domain = CHILD1.AD.WGA > > wsa29:] winbindd -V > Version 3.0.23c > > wsa29:] hostname > wsa29.wga > > wsa29:] klist > Credentials cache: FILE:/tmp/krb5cc_0 > Principal: [EMAIL PROTECTED] > > Issued Expires Principal > Nov 7 14:31:19 Nov 8 00:31:19 krbtgt/[EMAIL PROTECTED] > Nov 7 14:32:07 Nov 8 00:31:19 [EMAIL PROTECTED] > > wsa29:] cat smb.conf > [global] > workgroup = CHILD1 > server string = Samba Server > load printers = yes > log file = /var/log/samba.log.%m > lock directory = /var/run/locks > pid directory = /var/run/locks > max log size = 100 > security = ads > password server = child1-server.child1.ad.wga > realm = CHILD1.AD.WGA > encrypt passwords = yes > smb passwd file = /usr/local/samba/lib/smbpasswd > socket options = TCP_NODELAY > dns proxy = no > winbind uid = 10000-20000 > winbind gid = 10000-20000 > winbind enum users = yes > winbind enum groups = yes > > wsa29:] net ads join -s /etc/samba/smb.conf -Uadministrator > administrator's password: > Using short domain name -- CHILD1 > Joined 'WSA29' to realm 'CHILD1.AD.WGA' > > wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus > olympus's password: > Using short domain name -- CHILD1 > Failed to set servicePrincipalNames. Please ensure that > the DNS domain of this server matches the AD domain, > Or rejoin with using Domain Admin credentials. > Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA' > > Here the user 'administrator' belongs to 'Domain Admins' and the user > 'olympus' belongs to 'Domain Users'. > > Shouldn't I be able to use a 'Domain Users' account to perform the 'net > ads join' operation in 3.0.23c? Or is this restricted to both Samba > system and AD server being on the same domain? > > Thanks in advance > > -Raj > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba -- *************************************************************************** * Jean-Vincent BAYARRI Ingénieur système & réseau * * Service Informatique Laboratoire Central des Ponts et Chaussées * * 58, boulevard Lefebvre 75732 PARIS CEDEX 15 * * Tel 01 40 43 51 70 Fax 01 56 56 16 99 * *************************************************************************** -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
