Thanks to Senthil Kumar Ramamurthy, I was able to get the joining of my Samba server to the Win2k3 domain fixed. He worked with me via email off the list, and it turned out my problem was the order in which I had entries in the /etc/hosts file. The FreeBSD hosts file by default uses the format 'xxx.xxx.xxx.xxx alias FQDN', which DOES NOT WORK with Samba when joining a Win2k3 domain. Samba requires host entries which are relevant to the KDC, etc., to be in the format 'xxx.xxx.xxx.xxx FQDN alias'. So, I hope this helps some others out there.

Again, a big thanks to Senthil Kumar Ramamurthy for his help and patience!

Elvar wrote:
Hello, I've managed to join four other samba servers to win2k3 domains in the past but I am stuck doing so with samba-3.0.23c_2,1. I've verified hosts / domain forward and reverse lookups succeed. Below are my configurations. I'm running FreeBSD 6.1-stable cvsupped as of Nov 17. I've built Samba with the following options...

WITH_LDAP=true
WITH_ADS=true
WITHOUT_CUPS=true
WITH_WINBIND=true
WITHOUT_ACL_SUPPORT=true
WITHOUT_AIO_SUPPORT=true
WITHOUT_FAM_SUPPORT=true
WITHOUT_SYSLOG=true
WITHOUT_QUOTAS=true
WITH_UTMP=true
WITHOUT_MSDFS=true
WITHOUT_SMBSH=true
WITHOUT_PAM_SMBPASS=true
WITHOUT_EXP_MODULES=true
WITH_POPT=true

Below are other relevant configs.

----- BEGIN /etc/krb5.conf -----
[realms]
TEST.K12.IN.US = {
       kdc = tcp/10.0.15.205
}

----- END /etc/krb5.conf -----

----- BEGIN /usr/local/etc/smb.conf -----
[global]
workgroup = TEST
realm = TEST.K12.IN.US
netbios name = FIREWALL
winbind separator = +
winbind cache time = 10
winbind nested groups = Yes
winbind use default domain = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
security = ADS
password server = 10.0.15.205
allow trusted domains = No
use spnego = Yes

interfaces = 172.30.1.2/32 127.0.0.1/32

----- END /usr/local/etc/smb.conf -----

----- BEGIN /etc/nsswitch.conf -----
group: files winbind
group_compat: nis
hosts: files dns winbind
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
----- END /etc/nsswitch.conf -----

Now, when I try and join the domain, I get the following...

<[EMAIL PROTECTED]:namedb>net ads join -U administrator
administrators's password:
Using short domain name -- TEST
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'FIREWALL' in realm 'TEST.K12.IN.US'


Can someone please help me get around this? I'm using the same configuration templates I used on the other four machines that I had no problems with. One of those four samba boxes is on the same domain and working just fine. The only difference is that it's samba version samba-3.0.21b,1.
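
The hosts-file ordering identified in the follow-up at the top of this thread can be checked before running `net ads join`. The shell function below is an added example, not part of the original posts and not Samba tooling; the function name is hypothetical, it assumes any name containing a dot is the FQDN, and it skips localhost entries.

```shell
#!/bin/sh
# Added example: report /etc/hosts entries written as 'IP alias FQDN'
# and print the 'IP FQDN alias' form that the join needs.
# Exit status: 0 = every entry has its FQDN first, 1 = at least one problem.
check_hosts_order() {
    awk '
        { sub(/#.*/, "") }                           # drop comments
        NF < 2 || $2 ~ /^localhost(\.|$)/ { next }   # skip blank and localhost lines
        {
            # Position of the first name that looks like an FQDN (contains a dot).
            fqdn = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /\./) { fqdn = i; break }
            if (fqdn == 2) next                      # FQDN already first
            bad = 1
            if (fqdn == 0) {
                printf "line %d: no FQDN for %s (%s)\n", NR, $1, $2
                next
            }
            # Rebuild the entry with the FQDN moved in front of the aliases.
            fixed = $1 " " $fqdn
            for (i = 2; i <= NF; i++)
                if (i != fqdn) fixed = fixed " " $i
            printf "line %d: alias before FQDN; suggest: %s\n", NR, fixed
        }
        END { exit bad + 0 }
    ' "$1"
}

# Usage: check_hosts_order /etc/hosts
```
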



