[Samba] net ads join error message Failed to join domain: failed to connect to AD: Client not found in Kerberos database
Hello,

I have a weird issue: sometimes when I run net ads join -U username I see this error message, and sometimes it shows as success. Between the error messages and the success result there are no changes to any configuration; I am not sure what is causing this issue.

    # net ads join -U 50483
    Enter 50483's password:
    [2012/05/01 21:41:15.227249, 0] libads/kerberos.c:333(ads_kinit_password)
      kerberos_kinit_password 50...@..com failed: Client not found in Kerberos database
    Failed to join domain: failed to connect to AD: Client not found in Kerberos database
    #
    # net ads join -U 50483
    Enter 50483's password:
    Using short domain name -- CTLAB
    Joined 'HOSTNAME' to realm '.xcom'
    #

Before running this command, I had already added the hostname object to Active Directory manually. Can someone suggest whether I have to run this command to see whether I am joined to AD or not? What if I have run a similar command multiple times?

Thanks,

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
[Samba] net ads join disable dns update
We have a couple oracle RAC servers that we install samba/winbind on. These servers require multiple NIC's / IP's. The problem is when we do net ads join it updates windows DNS and really screws us up because seven IP's get put into DNS, all tied to the same host, including the interconnect IP's which oracle insists needs to be 169.254.x.x addresses.

Because of the way the company is setup, we cannot disable DNS update on the windows server. The company relies on it for most of the machines.

We are using the 3.5.12-44 rpms from ftp.sernet.de.

I have Googled this for awhile now, and what I've found is that Samba should be recompiled with the --with-dnsupdate flag. This really isn't an option for us. I've also seen that if it's in an smb cluster auto-update will disable. I've also seen a lot of complaints about this and a reference saying that a command line option was going to be added similar to net ads join --disable-dns-update but that doesn't appear to have been implemented.

So, the question is, is there an entry that can be put in smb.conf, a command line option, startup option, anything (other than recompiling) that can disable dns auto update?
Re: [Samba] net ads join disable dns update
Been there:

1. Compile Samba by yourself, remove WITH_DNS_UPDATE flag.
2. Disallow allow insecure update from DNS server.
3. Edit /etc/hosts, use shortname for your Samba server, then upon net ads join it will complain domain name not found hence will not update DNS.

Cheers
-David

2012/2/4 dalege dalege dal...@live.com

> We have a couple oracle RAC servers that we install samba/winbind on.
> These servers require multiple NIC's / IP's. The problem is when we do
> net ads join it updates windows DNS and really screws us up because
> seven IP's get put into DNS, all tied to the same host, including the
> interconnect IP's which oracle insists needs to be 169.254.x.x addresses.
>
> Because of the way the company is setup, we cannot disable DNS update on
> the windows server. The company relies on it for most of the machines.
>
> We are using the 3.5.12-44 rpms from ftp.sernet.de.
>
> I have Googled this for awhile now, and what I've found is that Samba
> should be recompiled with the --with-dnsupdate flag. This really isn't
> an option for us. I've also seen that if it's in an smb cluster
> auto-update will disable. I've also seen a lot of complaints about this
> and a reference saying that a command line option was going to be added
> similar to net ads join --disable-dns-update but that doesn't appear to
> have been implemented.
>
> So, the question is, is there an entry that can be put in smb.conf, a
> command line option, startup option, anything (other than recompiling)
> that can disable dns auto update?
[Samba] net ads join losing its mind
I have a couple of Samba servers set up on two systems running Red Hat (samba3x-3.5.4-0.70.el5_6.1). I have samba authenticating against Active Directory, which works fine; when I do net ads join it accepts the machine. The problem is, around an hour or so later, the join is dropped and users cannot log in and see the shares. At this point, I don't see anything interesting in our logs.

Any suggestions about how I go about debugging this problem? Does this sound like a Samba problem, or is it an Active Directory problem?

-- 
Dale Harris
rod...@maybe.org
rod...@gmail.com
/.-)
[Samba] net ads join
Hello,

I would like to know where samba takes the computer name to join the AD domain. Is it from classic computer name DNS resolution?

regards,
Fred
Re: [Samba] net ads join
I believe it takes the name from either the netbios name = or server string = x in the smb.conf file.

On 05/27/2011 05:50 AM, fsos...@gmail.com wrote:
> Hello,
>
> I would like to know where samba takes the computer name to join the AD
> domain. Is it from classic computer name DNS resolution?
>
> regards,
> Fred
Re: [Samba] net ads join
From: fsos...@gmail.com fsos...@gmail.com
Date: Fri, 27 May 2011 11:50:48 +0200

> I would like to know where samba takes the computer name to join the AD
> domain. Is it from classic computer name DNS resolution?

The computer name is taken from classic hostname by default.
netbios name parameter precedes the default.

---
TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] net ads join
thanks a lot

On 27 May 2011 16:01, TAKAHASHI Motonobu mo...@monyo.com wrote:

> From: fsos...@gmail.com fsos...@gmail.com
> Date: Fri, 27 May 2011 11:50:48 +0200
>
> > I would like to know where samba takes the computer name to join the AD
> > domain. Is it from classic computer name DNS resolution?
>
> The computer name is taken from classic hostname by default.
> netbios name parameter precedes the default.
>
> ---
> TAKAHASHI Motonobu mo...@samba.gr.jp
[Samba] net ads join loses after reboot
Hello,

I followed this tutorial: http://ubuntuforums.org/showthread.php?p=7863547#post7863547 and everything works fine, but sometimes when I restart my machine it is necessary to join again using the command net ads join.

Is it possible to fix this?

Thanks,
Stacker
[Samba] net ads join gives krb5 error
Does anyone know what produces this error? Everything seems to work o.k., but this has introduced itself when the first windows 2008 PDC was installed.

    net ads join createupn=nfs/hostname.company@company.net -U superuser
    Enter superuser's password:
    Using short domain name -- DOMAIN
    Joined 'HOSTNAME' to realm 'company.net'
    [2010/06/21 08:47:29, 0] libads/kerberos.c:ads_kinit_password(356)
      kerberos_kinit_password hostna...@company.net failed: Client not found in Kerberos database

Greetings .. Richard
[Samba] net ads join: Aborted
I'm having trouble getting a host to join an ADS domain/realm. I have smb.conf set correctly, with the workgroup, realm, and security = ads specified. However, when I try to join with the command: net ads join -U Administrator, I simply get the message Aborted and it does not join the domain. If I use the -d flag to enable debugging, I see the following toward the end of the output:

    [2010/05/27 08:44:33.261144, 3] libads/sasl.c:790(ads_sasl_spnego_bind)
      ads_sasl_spnego_bind: got server principal name = not_defined_in_rfc4...@please_ignore
    [2010/05/27 08:44:33.261484, 3] libsmb/clikrb5.c:698(ads_krb5_mk_req)
      ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
    [2010/05/27 08:44:33.288414, 3] libsmb/clikrb5.c:620(ads_cleanup_expired_creds)
      ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 27 May 2010 18:44:33 MDT
    [2010/05/27 08:44:33.288453, 3] libsmb/clikrb5.c:743(ads_krb5_mk_req)
      ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
    [2010/05/27 08:44:33.296939, 3] libads/ldap.c:2908(ads_domain_func_level)
      ads_domain_func_level: 0
    [2010/05/27 08:44:33.297755, 2] libads/ldap.c:3363(ads_get_upn)
      ads_get_upn: No userPrincipalName attribute!
    [2010/05/27 08:44:33.297787, 3] libads/kerberos.c:445(kerberos_secrets_store_des_salt)
      kerberos_secrets_store_des_salt: Storing salt host/xenprint.ad.seakr@ad.seakr.com
    Aborted

The output from another system (same O/S, same Samba version, same krb5 version, etc.) contains similar output, except that there's continued output after the Storing salt message.
If I use strace, I see the following:

    write(7, 0c\2\1\10c^\4\25dc=AD,dc=SEAKR,dc=COM\n\1..., 101) = 101
    gettimeofday({1274971641, 629786}, NULL) = 0
    poll([{fd=7, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 15000) = 1 ([{fd=7, revents=POLLIN}])
    read(7, 0\204\0\0\r\271\2\1, 8) = 8
    read(7, \10d\204\0\0\r\260\4.CN=xenprint,CN=Computer..., 3511) = 3511
    gettimeofday({1274971641, 630532}, NULL) = 0
    poll([{fd=7, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 14999) = 1 ([{fd=7, revents=POLLIN}])
    read(7, 0\204\0\0\0E\2\1, 8) = 8
    read(7, \10s\204\0\0\0\4:ldap://ad.seakr.com/CN=;..., 67) = 67
    gettimeofday({1274971641, 630706}, NULL) = 0
    poll([{fd=7, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 14999) = 1 ([{fd=7, revents=POLLIN}])
    read(7, 0\204\0\0\0\20\2\1, 8)= 8
    read(7, \10e\204\0\0\0\7\n\1\0\4\0\4\0, 14) = 14
    rt_sigaction(SIGALRM, {0x1, [ALRM], SA_RESTORER, 0x7ffeb08d7560}, {0x7ffeb33135e0, [ALRM], SA_RESTORER, 0x7ffeb08d7560}, 8) = 0
    alarm(0)= 15
    fcntl(3, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=8, len=1}) = 0
    fcntl(3, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=168, len=0}) = 0
    fstat(3, {st_mode=S_IFREG|0600, st_size=45056, ...}) = 0
    fcntl(3, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=168, len=0}) = 0
    fcntl(3, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=8, len=1}) = 0
    fcntl(6, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=552, len=1}) = 0
    fcntl(6, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=552, len=1}) = 0
    fcntl(5, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=552, len=1}) = 0
    fcntl(5, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=552, len=1}) = 0
    rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
    tgkill(5304, 5304, SIGABRT) = 0
    --- SIGABRT (Aborted) @ 0 (0) ---
    +++ killed by SIGABRT +++

Any ideas what would cause a SIGABRT on this process?

Thanks,
Nick
Re: [Samba] net ads join: Aborted
On 2010/05/27 at 08:48, Nick Couchman nick.couch...@seakr.com wrote:
> I'm having trouble getting a host to join an ADS domain/realm. I have
> smb.conf set correctly, with the workgroup, realm, and security = ads
> specified. However, when I try to join with the command: net ads join
> -U Administrator, I simply get the message Aborted and it does not join
> the domain. If I use the -d flag to enable debugging, I see the
> following toward the end of the output:

This problem seems to only occur in Samba 3.5.3 on a certain machine. I have two machines, both running Opensuse 11.2 and using the OBS Samba repository. One of them allows me to join the AD domain, the other throws the error in the previous message. No idea what's going on - Samba packages, krb5 packages, nss, etc., are all exactly the same.

-Nick
[Samba] net ads join DNS update
Hello,

I'm just wondering if there is a way to disable the DNS update when doing net ads join.

Right now it is killing us because the servers have private IPs and it's updating our main AD server with those IPs and all the interfaces (adding like 10 or 20 records for the same machine, different private IPs). After a few minutes we're not able to connect to the server anymore :-)

We have NATs on the router to connect to the server (only one way).

Thank you
[Samba] net ads join - strong(er) authentication required
Hi,

my windows folks migrated to AD 2008 R2, resulting in the following error message when trying to join the domain:

    [HOST] /etc $ /opt/csw/bin/net ads join -U USER
    Enter USER's password:
    [2009/07/01 11:51:28, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
      kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
    Failed to join domain: failed to connect to AD: Strong(er) authentication required

Any hints ?

best regards
~christoph

-- 
/*  Christoph Beyer   |  Office: Building 2b / 23  *\
 *  DESY              |  Phone: 040-8998-2317      *
 *  - IT -            |  Fax: 040-8998-4060        *
\*  22603 Hamburg     |  http://www.desy.de        */
Re: [Samba] net ads join - strong(er) authentication required
On Wed, Jul 01, 2009 at 12:03:28PM +0200, christoph.be...@desy.de wrote:
> Hi,
>
> my windows folks migrated to AD 2008 R2, resulting in the following error
> message when trying to join the domain:
>
>     [HOST] /etc $ /opt/csw/bin/net ads join -U USER
>     Enter USER's password:
>     [2009/07/01 11:51:28, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
>       kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
>     Failed to join domain: failed to connect to AD: Strong(er) authentication required
>
> Any hints ?

You might need to set client ldap sasl wrapping in order to make this work. See the manpage for possible settings.

Guenther

-- 
Günther Deschner    GPG-ID: 8EE11688
Red Hat             gdesch...@redhat.com
Samba Team          g...@samba.org
Re: [Samba] net ads join - strong(er) authentication required
Heyho Guenther,

thanks for the fast reply, 'client ldap sasl wrapping = sign' did the trick :D

cheers
christoph

On Wed, 1 Jul 2009, Guenther Deschner wrote:

> On Wed, Jul 01, 2009 at 12:03:28PM +0200, christoph.be...@desy.de wrote:
> > Hi,
> >
> > my windows folks migrated to AD 2008 R2, resulting in the following error
> > message when trying to join the domain:
> >
> >     [HOST] /etc $ /opt/csw/bin/net ads join -U USER
> >     Enter USER's password:
> >     [2009/07/01 11:51:28, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
> >       kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
> >     Failed to join domain: failed to connect to AD: Strong(er) authentication required
> >
> > Any hints ?
>
> You might need to set client ldap sasl wrapping in order to make this
> work. See the manpage for possible settings.
>
> Guenther
>
> -- 
> Günther Deschner    GPG-ID: 8EE11688
> Red Hat             gdesch...@redhat.com
> Samba Team          g...@samba.org

best regards
~christoph

-- 
/*  Christoph Beyer   |  Office: Building 2b / 23  *\
 *  DESY              |  Phone: 040-8998-2317      *
 *  - IT -            |  Fax: 040-8998-4060        *
\*  22603 Hamburg     |  http://www.desy.de        */
Re: [Samba] net ads join - strong(er) authentication required
On 7/1/2009, christoph.be...@desy.de (christoph.be...@desy.de) wrote:
> my windows folks migrated to AD 2008 R2

Interesting... seeing as it's not even released yet...

-- 
Best regards,
Charles
[Samba] net ads join fails
Environment: Sun Solaris 9 sparc
Software: Samba 3.3.3, KRB5-1.6.3, OpenLDAP-2.4.11

Situation:

I've been able to verify that samba is compiled correctly by issuing the following commands:

    smbd -b|grep LDAP
    smbd -b|grep KRB
    smbd -b|grep ADS
    smbd -b|grep WINBIND

I've been able to successfully run kinit in the /usr/local/krb5-1.6.3/bin/ directory. I did discover that just issuing the kinit command was launching the Sun version of KRB. Once I figured that out, I made a backup copy of that version, removed the Sun version and created a sym-link to the 1.6.3 version. Now when I run kinit anywhere on the server, it picks up the 1.6.3 version and launches successfully.

I've been able to successfully join our domain by running the following command:

    lib240:/usr/local/samba/bin#./net ads join -U mcgranj

I've modified my nsswitch.conf file and re-started winbindd. However, when I issue the following commands, I get nothing:

wbinfo -u

    lib240:/usr/local/samba/bin#wbinfo -u
    Error looking up domain users

wbinfo -g

    lib240:/usr/local/samba/bin#wbinfo -g
    Error looking up domain groups

Any advice or guidance would be greatly appreciated.

Thank you!

***
* Jamen McGranahan
* Systems Services Librarian
* Library Information Technology Services
* Vanderbilt University
* Suite 700
* 110 21st Avenue South
* Nashville, TN 37240
* (615) 343-1614
* (615) 343-8834 (fax)
* jamen.mcgrana...@vanderbilt.edu
***
[Samba] net ads join -U syntax
Hello,

I try to join a Samba 3.2 server on RHEL 4 to AD using

    net ads join -d 2 -U myacco...@domain.com

It seems that the net utility does not 'like' a fully qualified userid any longer. I was able to join using samba v3.09 and v3.025, but with 3.2.8 I'm only able to join submitting a plain userid (without @domain appended), i.e.

    net ads join -d 2 -U myaccount

When joining using the 'fully qualified' userid myacco...@domain.com, I get

    kerberos_kinit_password myacco...@domain.com@SUB1.DOMAIN.COM failed: Malformed representation of principal

in the logs. Quite obviously, the net utility appends the realm entry from smb.conf (SUB1.DOMAIN.COM in my case) to the userid, though it should not, as I already provided it.

Does anybody know if this behaviour has been changed on purpose from 3.0 to 3.2? Any workarounds that exist? I tested with Samba 3.3.1 as well, same behaviour.

Regards .. Thomas
[Samba] net ads join -U syntax: use...@domain confuses kerberos
I try to join a Samba 3.2 server on RHEL 4 to AD using

    net ads join -d 2 -U myacco...@maindom.com

The domain the samba server should join is a subdomain of MAINDOM.COM, call it SUB1.MAINDOM.COM.

The interesting part of smb.conf is:

    [global]
    workgroup = SUB1
    security = ADS
    realm = SUB1.MAINDOM.COM

When joining I get

    kerberos_kinit_password myacco...@maindom.com@SUB1.MAINDOM.COM failed: Malformed representation of principal

However, the join is successful if I use a user account of the subdomain SUB1 (omitting the @domain syntax!):

    net ads join -d 2 -U mysub1account

The Samba 3.2 net utility obviously does not know how to deal with @MAINDOM.COM added to the userid in the -U parameter. Joining a samba server to a subdomain using a user account in the 'maindomain' worked fine in 3.0 versions of samba (3.0.9, 3.025).

Does anybody know if this behaviour has been changed on purpose from 3.0 to 3.2? Any workarounds that exist? I tested with Samba 3.3.1 as well, same behaviour.

Regards .. Thomas
[Samba] net ads join, machine password non-expiring
Hi,

I have a question about the machine account when one does

    net ads join -U [EMAIL PROTECTED]

When I join a machine to the domain, the machine account that gets created has a non-expiring password. This is only a problem for the security team that monitors our domain; they frown on any account that has a non-expiring password.

Is there a switch that I can throw that will create the machine with an expiring password? I've used the machine password timeout switch in my smb.conf.

I can go back and with a vb-script throw that switch after the fact, but if there was another way, it'd be good to know.

Thanks for your help!

Kindest regards,
Fred

smb.conf

    [global]
    workgroup = US
    realm = MY.DOM.COM
    netbios name = adc070201-015
    server string = Samba Server- Mandriva 2009.0
    security = ADS
    auth methods = winbind
    password server = pwd1.dom.com pwd2.dom.com pwd3.dom.com
    log level = 1
    log file = /var/log/samba/%m.log
    max log size = 250
    name resolve order = wins bcast host lmhosts
    server signing = auto
    client ntlmv2 auth = yes
    os level = 5
    preferred master = No
    local master = No
    domain master = No
    browse list = No
    enhanced browsing = No
    wins server = ip1.ip2.ipa.ipb
    idmap uid = 7-200
    idmap gid = 7-200
    winbind separator = +
    valid users = @valid users
    admin users = @admin users
    read list = @read users
    write list = @write users
    map acl inherit = Yes
    host msdfs = no
    machine password timeout = 604800

    [burn]
    path = /data1/burn1
    valid users = @valid users
    admin users = @admin users
    invalid users = @keepout
    read list = @read users
    write list = @write users
[Samba] net ads join failed
Hi,

I am trying to join a samba server to my AD directory but it fails:

    [EMAIL PROTECTED] postfix]# net ads join -U [EMAIL PROTECTED]
    [EMAIL PROTECTED]'s password:
    [2008/09/04 15:12:45, 0] libads/kerberos.c:ads_kinit_password(228)
      kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
    Failed to join domain: Undetermined error
    [EMAIL PROTECTED] postfix]# net ads join -U [EMAIL PROTECTED]
    [EMAIL PROTECTED]'s password:
    Using short domain name -- ACME
    Failed to set servicePrincipalNames. Please ensure that
    the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Deleted account for 'AMSDEV-DV10' in realm 'EU.ACME.COM'
    Failed to join domain: Type or value exists

There is no computer account named amsdev-dv10 in my directory.

kinit doesn't return anything:

    [EMAIL PROTECTED] postfix]# kinit apacci
    Password for [EMAIL PROTECTED]:

My resolv.conf is ok. I can ping and resolve hosts in my AD.

My /etc/hosts file is basic:

    ::1 localhost.localdomain localhost amsdev-dv10

The username is domain admin.
My krb5.conf is as follows:

    [libdefaults]
     default_realm = EU.ACME.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     EU.ACME.COM = {
      kdc = amsterdam-dc02.eu.acme.com
      kdc = amsterdam-dc01.eu.acme.com
      admin_server = amsterdam-dc02.eu.acme.com
      master_kdc = amsterdam-dc02.eu.acme.com
      default_domain = eu.acme.com
     }

    [domain_realm]
     eu.acme.com = EU.ACME.COM
     .eu.acme.com = EU.ACME.COM
     .acme.com = EU.ACME.COM
     acme.com = EU.ACME.COM

    [kdc]
     profile = /etc/kdc.conf

smb.conf

    [global]
    workgroup = ACME
    password server = 10.130.12.100
    realm = EU.ACME.COM
    security = ADS
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    winbind separator = +
    template shell = /bin/false
    winbind use default domain = true
    winbind offline logon = false
    server string = Samba Server Version %v
    passdb backend = tdbsam
    preferred master = No
    wins server = 10.130.10.100
    ldap ssl = no
    winbind enum users = Yes
    winbind enum groups = Yes

    [homes]
    comment = Home Directories
    read only = No
    browseable = No
[Samba] net ads join - DNS Update failed !
Hi,

it seems that all is working perfectly, but if I start a net ads join I get the message DNS Update failed !

What is the consequence if I don't care about this message? Is the Samba Server (ADS member) only not registered in the ADS DNS tree?

Bye,
Andy
Re: [Samba] net ads join - DNS Update failed !
Andreas Ladanyi wrote:
> Hi,
>
> it seems that all is working perfectly, but if I start a net ads join
> I get the message DNS Update failed !
>
> What is the consequence if I don't care about this message? Is the
> Samba Server (ADS member) only not registered in the ADS DNS tree?

Correct.
[Samba] net ads join : ads_connect: No logon servers
I've been able to use security = ads in smb.conf, and connect OK, but it must be falling back to domain.

When I run net ads join I get the error (debug trace below):

    ads_connect: No logon servers

Here is my krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
     default_realm = BEER
    [realms]
     BEER = {
      kdc = ADC1.AD.BEERU.CA
     }
    [domain_realm]
     beer.ca = BEER
     .beer.ca = BEER

Here is my rpc join status:

    # net rpc testjoin
    Join to 'BEER' is OK

Here is my attempt to graduate this to ADS levels, with debug:

    # net ads join -Ubeeruser%beeruserpw -d3
    [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
      lp_load: refreshing parameters
    [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
      Initialising global parameters
    [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
      params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
    [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
      Processing section [global]
    [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
      added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
    [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
      added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
    [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
      get_dc_list: preferred server list: ADC2, 111.111.200.67
    [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
      Failed to parse cldap reply
    [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
      ads_try_connect: CLDAP request 111.111.200.66 failed.
    [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
      Failed to parse cldap reply
    [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
      ads_try_connect: CLDAP request 111.111.200.67 failed.
    [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
      get_dc_list: preferred server list: ADC2, 111.111.200.67
    [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
      Could not look up dc's for domain BEER
    [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
      get_dc_list: preferred server list: ADC2, 111.111.200.67
    [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
      get_dc_list: preferred server list: ADC2, 111.111.200.67
    [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
      ads_connect: No logon servers
    [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
      error on ads_startup: No logon servers
    Failed to join domain: No logon servers
    [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
      return code = -1

Can this user achieve such a goal? Here is beeruser's rights via rpc:

    net rpc rights list -Ubeeruser
    Password:
    SeMachineAccountPrivilege  Add machines to domain
    SeTakeOwnershipPrivilege  Take ownership of files or other objects
    SeBackupPrivilege  Back up files and directories
    SeRestorePrivilege  Restore files and directories
    SeRemoteShutdownPrivilege  Force shutdown from a remote system
    SePrintOperatorPrivilege  Manage printers
    SeAddUsersPrivilege  Add users and groups to the domain
    SeDiskOperatorPrivilege  Manage disk shares

I've had various toggles done to my smb.conf, but here is what the global section of smb.conf looks like at the moment, following the hints of someone else who solved this on the list...

    [global]
    netbios name = www2
    workgroup = BEER
    unix charset = LOCALE
    realm = BEER
    server string = Web Server
    security = ADS
    password server = 111.111.200.67
    idmap backend = rid:BEER=5000-1
    idmap uid = 1-1000
    idmap gid = 1-1000
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    allow trusted domains = No
    log level = 3
    log file = /var/log/samba/%m.log
    max log size = 50
    dns proxy = No
    winbind use default domain = Yes
    hosts allow = 111.111.
    encrypt passwords = yes

I had great results with the last question I put on the list. I hope someone can help us graduate to ads with kerberos level authentication. It feels like there is something missing on the AD end, but I know nothing about this other than that it is Windows Server 2003 and it has been in production for awhile with good performance.

--Donald
Re: [Samba] net ads join : ads_connect: No logon servers
D G Teed wrote:
> I've been able to use security = ads in smb.conf, and connect OK, but it must be falling back to domain. When I run net ads join I get the error (debug trace below):
>
> ads_connect: No logon servers
>
> Here is my krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = BEER
>
> [realms]
>  BEER = {
>   kdc = ADC1.AD.BEERU.CA
>  }
>
> [domain_realm]
>  beer.ca = BEER
>  .beer.ca = BEER

This should be a mapping from DNS domain to Kerberos REALM. Going by the kdc name, what you probably want is:

 beer.ca = AD.BEERU.CA
 .beer.ca = AD.BEERU.CA
 www2.beer.ca = AD.BEERU.CA

> Here is my rpc join status:
>
> # net rpc testjoin
> Join to 'BEER' is OK
>
> Here is my attempt to graduate this to ADS levels, with debug:
>
> # net ads join -Ubeeruser%beeruserpw -d3
> [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033) lp_load: refreshing parameters
> [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424) Initialising global parameters
> [2008/01/30 11:06:08, 3] param/params.c:pm_process(572) params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
> [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772) Processing section [global]
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81) added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81) added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489) get_dc_list: preferred server list: ADC2, 111.111.200.67
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247) Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189) ads_try_connect: CLDAP request 111.111.200.66 failed.
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247) Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189) ads_try_connect: CLDAP request 111.111.200.67 failed.
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489) get_dc_list: preferred server list: ADC2, 111.111.200.67
> [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154) Could not look up dc's for domain BEER
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489) get_dc_list: preferred server list: ADC2, 111.111.200.67
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489) get_dc_list: preferred server list: ADC2, 111.111.200.67
> [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286) ads_connect: No logon servers
> [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470) error on ads_startup: No logon servers
> Failed to join domain: No logon servers
> [2008/01/30 11:06:08, 2] utils/net.c:main(1032) return code = -1
>
> Can this user achieve such a goal? Here is beeruser's rights via rpc:
>
> net rpc rights list -Ubeeruser
> Password:
> SeMachineAccountPrivilege Add machines to domain
> SeTakeOwnershipPrivilege Take ownership of files or other objects
> SeBackupPrivilege Back up files and directories
> SeRestorePrivilege Restore files and directories
> SeRemoteShutdownPrivilege Force shutdown from a remote system
> SePrintOperatorPrivilege Manage printers
> SeAddUsersPrivilege Add users and groups to the domain
> SeDiskOperatorPrivilege Manage disk shares
>
> I've had various toggles done to my smb.conf, but here is what the global section of smb.conf looks like at the moment, following the hints of someone else who solved this on the list...
>
> [global]
>  netbios name = www2
>  workgroup = BEER
>  unix charset = LOCALE
>  realm = BEER

Same here.

 realm = AD.BEERU.CA

>  server string = Web Server
>  security = ADS
>  password server = 111.111.200.67
>  idmap backend = rid:BEER=5000-1
>  idmap uid = 1-1000
>  idmap gid = 1-1000
>  template shell = /bin/bash
>  winbind use default domain = Yes
>  winbind enum users = Yes
>  winbind enum groups = Yes
>  allow trusted domains = No
>  log level = 3
>  log file = /var/log/samba/%m.log
>  max log size = 50
>  dns proxy = No
>  winbind use default domain = Yes
>  hosts allow = 111.111.
>  encrypt passwords = yes
>
> I had great results with the last question I put on the list. I hope someone can help us graduate to ads with kerberos level authentication. It feels like there is something missing on the AD end, but I know nothing about this other than that it is Windows Server 2003 and it has been in production for awhile with good performance.

There may be something else, but the REALM is what jumped out at me.

Regards, Doug
Re: [Samba] net ads join : ads_connect: No logon servers
Thanks very much, Douglas. That did the trick.

I had not understood what realm represented in a dns style domain. It is also confusing that one lists a realm section, defining it...

 BEER = {
  kdc = ADC1.AD.BEERU.CA
 }

But then when providing the realm name in smb.conf, the handle isn't BEER, but rather the subdomain in which the AD controller lives.

Regards,
--Donald

On Jan 30, 2008 3:37 PM, Douglas VanLeuven [EMAIL PROTECTED] wrote:
> Douglas VanLeuven wrote:
>> D G Teed wrote:
>>> I've been able to use security = ads in smb.conf, and connect OK, but it must be falling back to domain. When I run net ads join I get the error (debug trace below):
>>>
>>> ads_connect: No logon servers
>>>
>>> Here is my krb5.conf:
>>>
>>> [logging]
>>>  default = FILE:/var/log/krb5libs.log
>>>  kdc = FILE:/var/log/krb5kdc.log
>>>  admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>>  default_realm = BEER
>>>
>>> [realms]
>>>  BEER = {
>>>   kdc = ADC1.AD.BEERU.CA
>>>  }
>
> Missed this on the last post.
>
>  default realm = AD.BEERU.CA
>
> Doug
Re: [Samba] net ads join : ads_connect: No logon servers
Douglas VanLeuven wrote:
> D G Teed wrote:
>> I've been able to use security = ads in smb.conf, and connect OK, but it must be falling back to domain. When I run net ads join I get the error (debug trace below):
>>
>> ads_connect: No logon servers
>>
>> Here is my krb5.conf:
>>
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = BEER
>>
>> [realms]
>>  BEER = {
>>   kdc = ADC1.AD.BEERU.CA
>>  }

Missed this on the last post.

 default realm = AD.BEERU.CA

Doug
Re: [Samba] net ads join : ads_connect: No logon servers
D G Teed wrote:
> Thanks very much, Douglas. That did the trick.
>
> I had not understood what realm represented in a dns style domain. It is also confusing that one lists a realm section, defining it...
>
>  BEER = {
>   kdc = ADC1.AD.BEERU.CA
>  }

Sorry, missed that one too. Should be

 AD.BEERU.CA = {
  kdc = ADC1.AD.BEERU.CA
 }

It's just that Kerberos doesn't know anything about workgroups in windows and so there shouldn't be any workgroup names in krb5.conf, only DNS names and REALM names. It worked because samba picked up the Kerberos kdc from SRV records in DNS. BEER defines the .BEER realm which doesn't exist.

> But then when providing the realm name in smb.conf, the handle isn't BEER, but rather the subdomain in which the AD controller lives.
>
> Regards,
> --Donald
>
> On Jan 30, 2008 3:37 PM, Douglas VanLeuven [EMAIL PROTECTED] wrote:
>> Douglas VanLeuven wrote:
>>> D G Teed wrote:
>>>> I've been able to use security = ads in smb.conf, and connect OK, but it must be falling back to domain. When I run net ads join I get the error (debug trace below):
>>>>
>>>> ads_connect: No logon servers
>>>>
>>>> Here is my krb5.conf:
>>>>
>>>> [logging]
>>>>  default = FILE:/var/log/krb5libs.log
>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>>  default_realm = BEER
>>>>
>>>> [realms]
>>>>  BEER = {
>>>>   kdc = ADC1.AD.BEERU.CA
>>>>  }
>>
>> Missed this on the last post.
>>
>>  default realm = AD.BEERU.CA
>>
>> Doug

Regards, Doug
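The realm mix-up worked through in this thread, as an added example (not code from the posters or from the Samba project): a Python check that the realm names in krb5.conf and smb.conf agree and that a workgroup name has not been used as a Kerberos realm. The function names are hypothetical, the embedded configs are constructed from the values quoted above, and the "kdc lives inside the realm's DNS domain" test is an assumption that holds for Active Directory.

```python
import re

def parse_krb5(text):
    """Parse the subset of krb5.conf needed here: [section] headers,
    'key = value' pairs and one level of 'NAME = { ... }' blocks."""
    sections, current, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current, block = sections.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if not value.startswith("{"):
                (current if block is None else block)[key] = value
                continue
            block = current.setdefault(key, {})
            inner = value[1:].strip()
            closed = inner.endswith("}")      # inline: NAME = { kdc = host }
            inner = inner.rstrip("}").strip()
            if "=" in inner:
                k, v = (part.strip() for part in inner.split("=", 1))
                block[k] = v
            if closed:
                block = None
    return sections

def parse_smb_global(text):
    """Return the [global] parameters of smb.conf, names lower-cased."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[" ".join(key.lower().split())] = value
    return params

def check_realms(krb5_text, smb_text):
    """Return a list of findings; an empty list means the names agree."""
    krb5, smb = parse_krb5(krb5_text), parse_smb_global(smb_text)
    realms = krb5.get("realms", {})
    default = krb5.get("libdefaults", {}).get("default_realm", "")
    smb_realm, workgroup = smb.get("realm", ""), smb.get("workgroup", "")
    findings = []
    if default not in realms:
        findings.append(f"default_realm {default} has no [realms] entry")
    for domain, realm in krb5.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] {domain} maps to undefined realm {realm}")
    if smb_realm.upper() != default.upper():
        findings.append(f"smb.conf realm {smb_realm} differs from default_realm {default}")
    if smb_realm and smb_realm.upper() == workgroup.upper():
        findings.append(f"smb.conf realm {smb_realm} is the workgroup name, not a realm")
    for name, body in realms.items():
        kdc = body.get("kdc", "") if isinstance(body, dict) else ""
        # Assumption for AD: the domain controller is a host in the realm's DNS domain.
        if kdc and not kdc.upper().endswith("." + name.upper()):
            findings.append(f"[realms] {name}: kdc {kdc} is not a host in {name.lower()}")
    return findings

# Constructed from the configuration first posted in the thread.
BROKEN_KRB5 = """
[libdefaults]
 default_realm = BEER
[realms]
 BEER = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = BEER
 .beer.ca = BEER
"""
BROKEN_SMB = "[global]\n netbios name = www2\n workgroup = BEER\n realm = BEER\n security = ADS\n"

# Constructed from the corrections given in the replies.
FIXED_KRB5 = """
[libdefaults]
 default_realm = AD.BEERU.CA
[realms]
 AD.BEERU.CA = { kdc = ADC1.AD.BEERU.CA }
[domain_realm]
 beer.ca = AD.BEERU.CA
 .beer.ca = AD.BEERU.CA
 www2.beer.ca = AD.BEERU.CA
"""
FIXED_SMB = "[global]\n netbios name = www2\n workgroup = BEER\n realm = AD.BEERU.CA\n security = ADS\n"

if __name__ == "__main__":
    for label, k, s in (("before", BROKEN_KRB5, BROKEN_SMB), ("after", FIXED_KRB5, FIXED_SMB)):
        print(label, check_realms(k, s) or "consistent")
```

The first configuration is internally consistent (BEER everywhere), which is why only the workgroup and kdc checks flag it.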
[Samba] net ads join must use AD Administrator account ?
Hi all,

I want to configure a samba server (3.0.25b) with krb5-1.6.2, openldap-2.3.37 and db-4.6.18 for single sign-on purpose. I have some questions.

1. Is the AD Administrator account for Samba to kinit and net join the AD only?
2. Can I use a common user with Create Computer Objects permission to kinit and net join AD?
3. I got Failed to join domain: Strong(er) authentication required error message when I run net ads join using non-administrator user account. Is it the error message of using non-administrator account to net ads join?

Can anyone help?

Thanks,
Jeff
Re: [Samba] net ads join must use AD Administrator account ?
Jeff Lee wrote:
> Hi all,
>
> I want to configure a samba server (3.0.25b) with krb5-1.6.2, openldap-2.3.37 and db-4.6.18 for single sign-on purpose. I have some questions.
>
> 1. Is the AD Administrator account for Samba to kinit and net join the AD only?
> 2. Can I use a common user with Create Computer Objects permission to kinit and net join AD?
> 3. I got Failed to join domain: Strong(er) authentication required error message when I run net ads join using non-administrator user account. Is it the error message of using non-administrator account to net ads join?
>
> Can anyone help?
>
> Thanks,
> Jeff

Read this:

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

I wrote it for HP CIFS Server, but it's the same for Opensource Samba.

Eric Roseme
Hewlett-Packard
Re: [Samba] net ads join without kerberos
On Wednesday 04 July 2007 09:30:29, Francesco Tonucci wrote:
> Hello,
>
> I'm trying to join a samba server to a w2k domain. Now I have removed all samba and kerberos software from the machine to reset configuration. Then I have executed net ads testjoin to see what happened (I have already joined the machine to the domain). It returned the following messages:
>
> [2007/07/04 09:14:44, 0] libads/kerberos.c:ads_kinit_password(208) kerberos_kinit_password [EMAIL PROTECTED] failed: Client not found in Kerberos database
> [2007/07/04 09:14:44, 0] libads/kerberos.c:ads_kinit_password(208) kerberos_kinit_password [EMAIL PROTECTED] failed: Client not found in Kerberos database
> [2007/07/04 09:14:44, 0] utils/net_ads.c:ads_startup(289) ads_connect: Client not found in Kerberos database
> Join to domain is not valid
>
> Well, if kerberos is not installed, where does it get that information (machine DEBIANSERVER and domain W2KPS.INTRA.CCIAA.NET names)??

DNS.

--
Francis Galiegue, [EMAIL PROTECTED]
One2team - 12bis rue de la Pierre Levée - 75011 PARIS
+33683877875, +33143381980
[Samba] net ads join without kerberos
Hello,

I'm trying to join a samba server to a w2k domain. Now I have removed all samba and kerberos software from the machine to reset configuration. Then I have executed net ads testjoin to see what happened (I have already joined the machine to the domain). It returned the following messages:

[2007/07/04 09:14:44, 0] libads/kerberos.c:ads_kinit_password(208) kerberos_kinit_password [EMAIL PROTECTED] failed: Client not found in Kerberos database
[2007/07/04 09:14:44, 0] libads/kerberos.c:ads_kinit_password(208) kerberos_kinit_password [EMAIL PROTECTED] failed: Client not found in Kerberos database
[2007/07/04 09:14:44, 0] utils/net_ads.c:ads_startup(289) ads_connect: Client not found in Kerberos database
Join to domain is not valid

Well, if kerberos is not installed, where does it get that information (machine DEBIANSERVER and domain W2KPS.INTRA.CCIAA.NET names)??
[Samba] net ads join doesn't work with samba 3.0.22
Hi,

I have a problem joining my Linux servers to my AD with Samba 3.0.22

I have tested with various distros:

 Suse 10.2, smb 3.0.23d
 Debian Etch, smb 3.0.24

but always get the same error message:

 debian:~# net ads join -U administrateur -S s-dc-acms
 administrateur's password:
 [2007/05/30 12:27:15, 0] utils/net_ads.c:ads_startup(289) ads_connect: Aucun fichier ou répertoire de ce type

(last line means No such file or directory)

The problem is quite weird. With a Suse 10.1 (smb 3.0.22) I am able to join the server to AD flawlessly.

kinit does work, I get a ticket when I do klist

 debian:~# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: [EMAIL PROTECTED]

 Valid starting     Expires            Service principal
 05/30/07 12:19:43  05/30/07 18:59:43  krbtgt/[EMAIL PROTECTED]

 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached

Any ideas that might help?

Thanks a lot
Re: [Samba] net ads join to w2k3 hangs, every encryption type fails
Hi!

I'm having the same issue: Linux Box with RedHat 3 joining a windows 2003 AD. When doing net ads join the system reports

[2007/03/12 17:27:36, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 16 failed: KDC has no support for encryption type
[2007/03/12 17:27:36, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465) verify_service_password: decrypted message with enctype 1 salt HOST/[EMAIL PROTECTED]
[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465) verify_service_password: decrypted message with enctype 3 salt HOST/[EMAIL PROTECTED]
[2007/03/12 17:27:36, 5] libads/kerberos.c:get_service_ticket(367)

but then it ends with

Joined 'SAENET01' to realm 'ABC.COM'
[2007/03/12 17:27:36, 2] utils/net.c:main(897) return code = 0

and in the windows 2003 the server appears as registered. However, when launching samba, I get the following errors

[2007/03/12 17:32:49, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)

and when trying to authenticate with a user

check_ntlm_password: Authentication for user [e0045146] - [e0045146] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2007/03/12 17:34:08, 3] smbd/error.c:error_packet(129)

Any help will be much appreciated!!

Arcetrax
[Samba] net ads join error in debug mode when joining Windows 2003 AD
Hi!

I'm having the following issue: Linux Box with RedHat 3 joining a windows 2003 AD. When doing net ads join the system reports

[2007/03/12 17:27:36, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 16 failed: KDC has no support for encryption type
[2007/03/12 17:27:36, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465) verify_service_password: decrypted message with enctype 1 salt HOST/[EMAIL PROTECTED]
[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465) verify_service_password: decrypted message with enctype 3 salt HOST/[EMAIL PROTECTED]
[2007/03/12 17:27:36, 5] libads/kerberos.c:get_service_ticket(367)

but then it ends with

Joined 'SAENET01' to realm 'ABC.COM'
[2007/03/12 17:27:36, 2] utils/net.c:main(897) return code = 0

and in the windows 2003 the server appears as registered. However, when launching samba, I get the following errors

[2007/03/12 17:32:49, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)

and when trying to authenticate with a user

check_ntlm_password: Authentication for user [e0045146] - [e0045146] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2007/03/12 17:34:08, 3] smbd/error.c:error_packet(129)

krb5.conf and smb.conf are standard as taken from several posts on the internet which refer to Windows 2003 AD and Samba. I'm pretty sure there must be some details in the krb5.conf for encryption that I'm missing, but still don't know what.

Any help will be much appreciated!

Arcetrax
[Samba] net ads join to w2k3 hangs, every encryption type fails
I am able to get a kerberos ticket with kinit. When I try to net ads join, it seems to loop. In running net ads join in -d 10, I found that it tries enctypes 18, 17, 16, and 2 and then repeats, over and over. It does not seem to work on any of these. I'm trying to get it to join a win2k3 domain. Below is the bottom part of the log from net ads join, as well as some of my krb5.conf. Any help would be appreciated, I'm at a loss here.

[logging]
 default = FILE1:/var/log/krb5lib.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = BLANKENSHIP.LOCAL
 default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
 # default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
 # default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
 clockskew = 300

[2007/03/04 12:21:47, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 18 failed: KDC has no support for encryption type
[2007/03/04 12:21:47, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2007/03/04 12:22:17, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 17 failed: KDC has no support for encryption type
[2007/03/04 12:22:17, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2007/03/04 12:22:47, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 16 failed: KDC has no support for encryption type
[2007/03/04 12:22:47, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2007/03/04 12:24:17, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 2 failed: KDC has no support for encryption type
[2007/03/04 12:24:17, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2007/03/04 12:24:49, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 18 failed: KDC has no support for encryption type
[2007/03/04 12:24:49, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2007/03/04 12:25:20, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 17 failed: KDC has no support for encryption type
[2007/03/04 12:25:20, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2007/03/04 12:25:50, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 16 failed: KDC has no support for encryption type
[2007/03/04 12:25:50, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2007/03/04 12:27:22, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 2 failed: KDC has no support for encryption type
[2007/03/04 12:27:22, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type
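The repeating failures in the trace above can be summarised mechanically. This added example (not part of the original post, and not Samba code) parses `net ads join` debug output in the format quoted in these threads and reports which Kerberos enctype numbers the KDC rejected, which ones decrypted, and whether the attempts repeat; the sample logs are constructed from the timestamps and enctypes in the posts, with a placeholder principal, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Kerberos encryption type numbers as assigned in the IANA Kerberos registry.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# One pattern for the three things of interest: a log header timestamp,
# a rejected enctype, and an enctype that decrypted successfully.
EVENT = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]"
    r"|enctype (?P<rejected>\d+) failed: KDC has no support for encryption type"
    r"|decrypted message with enctype (?P<accepted>\d+)")

def enctype_name(number):
    return ENCTYPES.get(number, f"enctype-{number}")

def parse_attempts(log_text):
    """Return [(timestamp, enctype, outcome)] in log order. Works whether the
    header and message are on one line or two, since it scans the whole text."""
    attempts, stamp = [], None
    for m in EVENT.finditer(log_text):
        if m.group("ts"):
            stamp = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        elif m.group("rejected"):
            attempts.append((stamp, int(m.group("rejected")), "rejected"))
        else:
            attempts.append((stamp, int(m.group("accepted")), "accepted"))
    return attempts

def retry_period(sequence):
    """Length of the shortest prefix that the whole sequence repeats at
    least twice, or 0 if the sequence does not cycle."""
    for period in range(1, len(sequence) // 2 + 1):
        if all(sequence[i] == sequence[i % period] for i in range(len(sequence))):
            return period
    return 0

def summarize(log_text):
    attempts = parse_attempts(log_text)
    rejected = [(ts, e) for ts, e, outcome in attempts if outcome == "rejected"]
    span = 0
    if len(rejected) > 1 and rejected[0][0] and rejected[-1][0]:
        span = int((rejected[-1][0] - rejected[0][0]).total_seconds())
    return {
        "rejected": Counter(e for _, e in rejected),
        "accepted": sorted({e for _, e, o in attempts if o == "accepted"}),
        "period": retry_period([e for _, e in rejected]),
        "span_seconds": span,
    }

def describe(summary):
    lines = ["rejected by KDC: " + ", ".join(
        f"{enctype_name(e)} ({e}) x{n}" for e, n in summary["rejected"].items())]
    lines.append("decrypted with: " + (", ".join(
        f"{enctype_name(e)} ({e})" for e in summary["accepted"]) or "none"))
    if summary["period"]:
        lines.append(f"same {summary['period']} enctypes retried in a loop "
                     f"over {summary['span_seconds']} s")
    return lines

# Constructed sample: timestamps and enctypes from the looping trace above.
_FAIL = ("[2007/03/04 {t}, 5] libads/kerberos.c:get_service_ticket(367)\n"
         "  get_service_ticket: krb5_get_credentials for host$@EXAMPLE.LOCAL "
         "enctype {e} failed: KDC has no support for encryption type\n")
SAMPLE_LOOP_LOG = "".join(_FAIL.format(t=t, e=e) for t, e in [
    ("12:21:47", 18), ("12:22:17", 17), ("12:22:47", 16), ("12:24:17", 2),
    ("12:24:49", 18), ("12:25:20", 17), ("12:25:50", 16), ("12:27:22", 2)])

# Constructed sample: the join that succeeded in the earlier post.
SAMPLE_JOIN_LOG = (
    "[2007/03/12 17:27:36, 5] libads/kerberos.c:get_service_ticket(367) "
    "get_service_ticket: krb5_get_credentials for host$@EXAMPLE.COM enctype 16 "
    "failed: KDC has no support for encryption type\n"
    "[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465) "
    "verify_service_password: decrypted message with enctype 1 salt HOST/host@EXAMPLE.COM\n"
    "[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465) "
    "verify_service_password: decrypted message with enctype 3 salt HOST/host@EXAMPLE.COM\n")

if __name__ == "__main__":
    for log in (SAMPLE_LOOP_LOG, SAMPLE_JOIN_LOG):
        print("\n".join(describe(summarize(log))), end="\n\n")
```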
[Samba] net ads join segfault (samba 3.0.23c)
Hi,

I just tried to join my SLES9 (SUSE Linux Enterprise Server 9) to my ads. I follow a mixture of the howtos [1], [2], [3]. Everything works fine (kinit gives me a valid kerberos ticket), but the `net ads join -U $DOMAIN\\$USER` command segfaults.

Software I have installed:
- samba 3.0.23c (from ftp.samba.org)
- heimdal 0.6.1rc2

Here a debug 5 of `net -d5 -s /etc/samba/smb.conf.ads -U [EMAIL PROTECTED] ads join`:

[2006/10/30 16:21:37, 5] lib/debug.c:debug_dump_status(391) INFO: Current debug levels:
  all: True/5
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
[2006/10/30 16:21:37, 3] param/loadparm.c:lp_load(4945) lp_load: refreshing parameters
[2006/10/30 16:21:37, 3] param/loadparm.c:init_globals(1410) Initialising global parameters
[2006/10/30 16:21:37, 3] param/params.c:pm_process(572) params.c:pm_process() - Processing configuration file /etc/samba/smb.conf.ads
[2006/10/30 16:21:37, 3] param/loadparm.c:do_section(3687) Processing section [global]
doing parameter workgroup = DOMAIN
doing parameter netbios name = host
[2006/10/30 16:21:37, 4] param/loadparm.c:handle_netbios_name(3045) handle_netbios_name: set global_myname to: HOST
doing parameter security = ads
doing parameter encrypt passwords = yes
doing parameter client use spnego = yes
doing parameter realm = REALM.NET
doing parameter idmap uid = 1-2
doing parameter idmap gid = 1-2
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = Yes
doing parameter template homedir = /home/ads/%D/%U
doing parameter template shell = /bin/true
[2006/10/30 16:21:37, 4] param/loadparm.c:lp_load(4976) pm_process() returned Yes
[2006/10/30 16:21:37, 5]
Re: [Samba] net ads join problem
Have you checked if your clocks are in sync with the Win2k Server? Due to Kerberos, time out of sync by 5 minutes causes errors on connect.

On 10/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi all,
>
> I am trying to join ADS an W2K server. This server was already joined, but after crash I was obliged to reinstall it. When I try net ads join -Uusername the following output appears:
>
> [2006/10/25 14:08:46, 6] libads/ldap.c:ads_find_dc(224) ads_find_dc: looking for realm 'SLZOVA.CZ'
> [2006/10/25 14:08:46, 8] libsmb/namequery.c:get_sorted_dc_list(1551) get_sorted_dc_list: attempting lookup using [ads]
> [2006/10/25 14:08:46, 5] lib/gencache.c:gencache_init(60) Opening cache file at /var/db/samba/gencache.tdb
> [2006/10/25 14:08:46, 10] lib/gencache.c:gencache_get(312) Cache entry with key = SAF/DOMAIN/SLZOVA.CZ couldn't be found
> [2006/10/25 14:08:46, 5] libsmb/namequery.c:saf_fetch(105) saf_fetch: failed to find server for SLZOVA.CZ domain
> [2006/10/25 14:08:46, 3] libsmb/namequery.c:get_dc_list(1426) get_dc_list: preferred server list: , 172.17.2.10
> [2006/10/25 14:08:46, 10] libsmb/namequery.c:remove_duplicate_addrs2(408) remove_duplicate_addrs2: looking for duplicate address/port pairs
> [2006/10/25 14:08:46, 4] libsmb/namequery.c:get_dc_list(1529) get_dc_list: returning 1 ip addresses in an ordered list
> [2006/10/25 14:08:46, 4] libsmb/namequery.c:get_dc_list(1530) get_dc_list: 172.17.2.10:389
> [2006/10/25 14:08:46, 5] libads/ldap.c:ads_try_connect(127) ads_try_connect: sending CLDAP request to 172.17.2.10 (realm: SLZOVA.CZ)
> [2006/10/25 14:08:46, 10] libsmb/namequery.c:saf_store(71) saf_store: domain = [SLZOVA], server = [172.17.2.10], expire = [1161779026]
> [2006/10/25 14:08:46, 10] lib/gencache.c:gencache_set(131) Adding cache entry with key = SAF/DOMAIN/SLZOVA; value = 172.17.2.10 and timeout = Wed Oct 25 14:23:46 2006 (900 seconds ahead)
> [2006/10/25 14:08:46, 3] libads/ldap.c:ads_connect(287) Connected to LDAP server 172.17.2.10
> [2006/10/25 14:08:46, 0] utils/net_ads.c:ads_startup(281) ads_connect: Operations error
> [2006/10/25 14:08:46, 2] utils/net.c:main(988) return code = -1
>
> samba Version 3.0.23c
> OS FreeBSD 6.1
>
> Does anyone know?
>
> Thanx for help
> V.

--
Cleber P. de Souza
[Samba] net ads join help
I'm not sure that the problem is with net ads join but I'm in desperate need of help either way. Using smb Version 3.0.23a-1.fc4.1 I do a net ads join I get the below error:

[EMAIL PROTECTED] tmp]# net ads join -U [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Using short domain name -- MVP
Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials.
Disabled account for 'MUSTANG' in realm 'MACHINEVISIONPRODUCTS.COM'
[EMAIL PROTECTED] tmp]#

However, after doing a kinit I can then do a smbclient //server/c$ -k and I'm right in.

My problem is that Windows clients can't access shares on the Unix Samba server. This is a critical network down issue; please help asap!!!

Thanks!

:b!

Brian D. McGrew { [EMAIL PROTECTED] || [EMAIL PROTECTED] }
--
This is a test. This is only a test! Had this been an actual emergency, you would have been told to cancel this test and seek professional assistance!
Re: [Samba] net ads join help
Brian D. McGrew wrote:
> I'm not sure that the problem is with net ads join but I'm in desperate need of help either way. Using smb Version 3.0.23a-1.fc4.1 I do a net ads join I get the below error:
>
> [EMAIL PROTECTED] tmp]# net ads join -U [EMAIL PROTECTED]
> [EMAIL PROTECTED]'s password:
> Using short domain name -- MVP
> Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials.
> Disabled account for 'MUSTANG' in realm 'MACHINEVISIONPRODUCTS.COM'
> [EMAIL PROTECTED] tmp]#

Make sure that `hostname -f` returns the correct fqdn.

cheers, jerry
=====================================================================
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
[Samba] NET ADS JOIN error
Can anyone shed some light on this error? I can't seem to find any information as to why it is failing. Thanks.

USTR-MINT-A-1:~ # net ads join United States\Tredyffrin\Resources\Servers -U trimblrd
trimblrd's password:
Failed to pre-create the machine object in OU United States\Tredyffrin\Resources\Servers.

I have tried two different domain admin accounts and I get the same error each time. It's strange since the object already exists in AD.
RE: [Samba] NET ADS JOIN error
I get the same error either way.

-----Original Message-----
From: Howard Wilkinson [mailto:[EMAIL PROTECTED]
Sent: Friday, July 14, 2006 11:16 AM
To: Trimble, Ronald D; samba@lists.samba.org
Subject: RE: [Samba] NET ADS JOIN error

Check that the backslashes are not being interpolated by the shell; you may want to try:

net ads join United States\\Tredyffrin\\Resource\\Servers -U trimblrd

Howard.

Coherent Technology Limited, 23 Northampton Square, Finsbury, London EC1V 0HL, United Kingdom
Telephone: +44 20 76907075
Fax: +44 20 79230110
Mobile: +44 7980 639379
Company Email: [EMAIL PROTECTED]
Website: http://www.cohtech.com

From: [EMAIL PROTECTED] on behalf of Trimble, Ronald D
Sent: Fri 2006-07-14 16:06
To: samba@lists.samba.org
Subject: [Samba] NET ADS JOIN error

Can anyone shed some light on this error? I can't seem to find any information as to why it is failing. Thanks.

USTR-MINT-A-1:~ # net ads join United States\Tredyffrin\Resources\Servers -U trimblrd
trimblrd's password:
Failed to pre-create the machine object in OU United States\Tredyffrin\Resources\Servers.

I have tried two different domain admin accounts and I get the same error each time. It's strange since the object already exists in AD.
Re: [Samba] NET ADS JOIN error
Trimble, Ronald D wrote:
> Can anyone shed some light on this error? I can't seem to find any information as to why it is failing. Thanks.
>
> USTR-MINT-A-1:~ # net ads join United States\Tredyffrin\Resources\Servers -U trimblrd
> trimblrd's password:
> Failed to pre-create the machine object in OU United States\Tredyffrin\Resources\Servers.

If the account already exists, you don't need to specify the OU when joining.

cheers, jerry
=====================================================================
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
RE: [Samba] NET ADS JOIN error
Check that the backslashes are not being interpolated by the shell; you may want to try: net ads join United States\\Tredyffrin\\Resource\\Servers -U trimblrd Howard. Coherent Technology Limited, 23 Northampton Square, Finsbury, London EC1V 0HL, United Kingdom Telephone: +44 20 76907075 Fax: +44 20 79230110 Mobile: +44 7980 639379 Company Email: [EMAIL PROTECTED] Website: http://www.cohtech.com http://www.cohtech.com/ From: [EMAIL PROTECTED] on behalf of Trimble, Ronald D Sent: Fri 2006-07-14 16:06 To: samba@lists.samba.org Subject: [Samba] NET ADS JOIN error Can anyone shed some light on this error? I can't seem to find any information as to why it is failing. Thanks. USTR-MINT-A-1:~ # net ads join United States\Tredyffrin\Resources\Servers -U trimblrd trimblrd's password: Failed to pre-create the machine object in OU United States\Tredyffrin\Resources\Servers. I have tried two different domain admin accounts and I get the same error each time. It's strange since the object already exists in AD.
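What the shell hands to a program for the command lines quoted in this thread, as an added example that is not part of the original posts. argv_of is a hypothetical helper; the script never runs net and needs no domain.

```shell
#!/bin/sh
# Added illustration: shows the argument list a program receives for the
# command lines quoted in this thread.

# argv_of LINE (hypothetical helper): parse LINE exactly as if it had been
# typed at the prompt, then print each resulting argument on its own line
# wrapped in <> so that word splits and surviving backslashes are visible.
argv_of() {
    eval "set -- $1"        # re-parse with the normal shell quoting rules
    for arg in "$@"; do
        printf '<%s>\n' "$arg"
    done
}

# The OU path exactly as typed in the first message of the thread.
ou='United States\Tredyffrin\Resources\Servers'

echo "unquoted, single backslashes:"
argv_of "$ou"

echo "unquoted, doubled backslashes (as suggested in the reply):"
argv_of 'United States\\Tredyffrin\\Resource\\Servers'

echo "single-quoted:"
argv_of "'$ou'"
```

In both unquoted forms the space splits the path into two arguments, and single backslashes are consumed by the shell before the program sees them. Only the quoted form arrives as one argument with its backslashes intact.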
RE: [Samba] net ads join segmentation fault
For the purpose of the archive: I believe I fixed the problem. When I compiled FreeBSD 6.0-RELEASE-p1 kerberos was installed. When I compiled 6.0-RELEASE-p2 I had kerberos disabled. I'm pretty confident I was using old binaries. When I rebuilt the binaries, kerberos gave me a message about the ticket's lifetime, when prior to rebuilding it was silent. Nevertheless samba still wasn't working. After rebuilding kerberos and getting the same error messages from samba I figured that maybe I had some old samba data lying around somewhere, from when I was using DOMAIN mode. So I uninstalled samba, removed the directories that the pkg_deinstall (part of the portupgrade port) told me to remove and reinstalled samba from scratch. I didn't touch my smb.conf. I was then able to use net ads join without any problems. -rcollins -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert J. Collins Sent: Monday, January 23, 2006 2:03 PM To: samba@lists.samba.org Subject: [Samba] net ads join segmentation fault On FreeBSD 6.0-RELEASE-p2 using samba-3.0.21a,1 the net command seg faults. Does anyone know what is going on? Thanks -rcollins - net ads join -Uadministrator -d 10 -
Re: [Samba] net ads join segmentation fault
Robert J. Collins wrote: On FreeBSD 6.0-RELEASE-p2 using samba-3.0.21a,1 the net command seg faults. Does anyone know what is going on? Can you get a backtrace from gdb after building Samba with the --enable-debug option (or just the -g gcc compile flag)? Thanks. cheers, jerry = I live in a Reply-to-All world--- Samba--- http://www.samba.org Centeris --- http://www.centeris.com
[Samba] net ads join segmentation fault
On FreeBSD 6.0-RELEASE-p2 using samba-3.0.21a,1 the net command seg faults. Does anyone know what is going on? Thanks -rcollins - net ads join -Uadministrator -d 10 - [2006/01/23 12:36:59, 5] lib/debug.c:debug_dump_status(368) INFO: Current debug levels: all: True/10 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 quota: False/0 acls: False/0 locking: False/0 msdfs: False/0 [2006/01/23 12:36:59, 3] param/loadparm.c:lp_load(4195) lp_load: refreshing parameters [2006/01/23 12:36:59, 3] param/loadparm.c:init_globals(1385) Initialising global parameters [2006/01/23 12:36:59, 3] param/params.c:pm_process(574) params.c:pm_process() - Processing configuration file /usr/local/etc/smb.conf [2006/01/23 12:36:59, 3] param/loadparm.c:do_section(3657) Processing section [global] doing parameter workgroup = HWI doing parameter security = ADS doing parameter realm = DHCP.HWI.BUFFALO.EDU doing parameter password server = * doing parameter log file = /var/log/samba/log.%m doing parameter max log size = 50 doing parameter allow trusted domains = no doing parameter ldapssl = no doing parameter unix charset = LOCALE
[Samba] net ads join Core Dumps.
Hi, I have just installed Mandrake linux x84_64 (64 bit version) on my new dell poweredge server (1850 SMP). I am getting core dumps when trying to join the 2003 AD domain. ie. I run net ads join [EMAIL PROTECTED] running kinit worked ok. I am running samba version 3.0.20 samba-client-3.0.20-3mdk samba-server-3.0.20-3mdk samba-common-3.0.20-3mdk samba-winbind-3.0.20-3mdk Anyone help. I wish to use winbind for proxy auth. Chris Welsh
[Samba] net ads join
Good morning all: When I do a net ads join from FC4 I get the following output and I'm not quite sure what to make of it. Also, after I do a kinit, net ads join and smb restart all my windows clients can connect fine. After I reboot the server, the windows clients can not connect until I do another kinit and net ads join. What am I missing? --- smb.conf file [global] netbios name = madmax realm = MACHINEVISIONPRODUCTS.COM security = ads encrypt passwords = yes wins server = 10.0.0.3 workgroup = MVP password server = * server string = Accounting Server log file = /var/log/samba/smbd.log socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 username map = /etc/samba/smbusers [premier] comment = MYOB Premier path = /data browseable = yes writable = yes create mask = 0777 --- krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = MACHINEVISIONPRODUCTS.COM ticket_lifetime = 24000 dns_lookup_realm = false dns_lookup_kdc = false [realms] MACHINEVISIONPRODUCTS.COM = { kdc = chicken.visionpro.com:88 admin_server = chicken.visionpro.com:749 default_domain = machinevisionproducts.com kdc = * } [domain_realm] .machinevisionproducts.com = MACHINEVISIONPRODUCTS.COM machinevisionproducts.com = MACHINEVISIONPRODUCTS.COM [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } --- net ads join output [2005/11/10 08:11:51, 0] libads/ldap.c:ads_add_machine_acct(1405) ads_add_machine_acct: Host account for mustang already exists - modifying old account [2005/11/10 08:11:54, 0] libads/kerberos.c:get_service_ticket(337) get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@MACHINEVISIONPRODUCTS.COM failed: Preauthentication failed
[Samba] net ads join - working in the morning but not now
Can someone help me because I don't know how this is happening without messing with it? /var/log/samba/log.wb-COMPANY cli_rpc_open failed on pipe \NETLOGON to machine SRV01. Error was Write error: Broken pipe [2005/10/27 12:15:01, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767) cli_rpc_open failed on pipe \NETLOGON to machine SRV01. Error was Write error: Broken pipe [2005/10/27 12:15:01, 0] nsswitch/winbindd_cm.c:cm_prepare_connection(234) cm_prepare_connection: Socket is not connected $ net ads join -U goliveira goliveira's password: [2005/10/27 17:48:52, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown error -1765328332
[Samba] net ads join fails on ADS 2003
Hello, I am wondering, when I try to follow the ADS 2003, samba can't join completely. The join ends with: ads_machine_password:Message stream modified. When I start 'net ads join' with debugging I got an error: [2005/09/24 18:51:49, 1] libads/krb5_setpw.c:parse_setpw_reply(237) Got error packet 0x7e from kpasswd server [2005/09/24 18:51:49, 1] libads/krb5_setpw.c:do_krb5_kpasswd_request(450) parse_setpw_reply failed (Message stream modified) ads_set_machine_password: Message stream modified [2005/09/24 18:51:49, 2] utils/net.c:main(873) return code = -1 --- Surrounding: ADS 2003, no SP, but Services for Unix installed SuSE9.3 Updated MIT-Kerberos5: 1.4.16 Samba: 3.0.20 - Problem: linux11:~ # kinit Administrator Password for [EMAIL PROTECTED]: linux11:~ # klist -5ef Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [EMAIL PROTECTED] Valid starting Expires Service principal 09/24/05 18:30:00 09/25/05 04:30:02 krbtgt/[EMAIL PROTECTED] renew until 09/25/05 18:30:00, Flags: RIA Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 linux11:~ # net ads join ads_set_machine_password: Message stream modified linux11:~ # - but there is no complete join - Debugging (Level 3): [2005/09/24 18:51:48, 3] param/loadparm.c:lp_load(4082) lp_load: refreshing parameters [2005/09/24 18:51:48, 3] param/loadparm.c:init_globals(1366) Initialising global parameters [2005/09/24 18:51:48, 3] param/params.c:pm_process(574) params.c:pm_process() - Processing configuration file /etc/samba/smb.conf [2005/09/24 18:51:48, 3] param/loadparm.c:do_section(3542) Processing section [global] [2005/09/24 18:51:48, 2] lib/interface.c:add_interface(81) added interface ip=192.168.99.11 bcast=192.168.99.255 nmask=255.255.255.0 [2005/09/24 18:51:48, 3] libsmb/namequery.c:resolve_lmhosts(855) resolve_lmhosts: Attempting lmhosts lookup for name dc0001.city.net.ffm0x20 [2005/09/24 18:51:48, 3] libsmb/namequery.c:resolve_wins(752) resolve_wins: Attempting wins lookup for name dc0001.city.net.ffm0x20 [2005/09/24 18:51:48, 3] libsmb/namequery.c:resolve_wins(755) resolve_wins: WINS server resolution selected and no WINS servers listed. [2005/09/24 18:51:48, 3] libsmb/namequery.c:resolve_hosts(917) resolve_hosts: Attempting host lookup for name dc0001.city.net.ffm0x20 [2005/09/24 18:51:48, 3] libads/ldap.c:ads_connect(285) Connected to LDAP server 192.168.99.1 [2005/09/24 18:51:49, 3] libads/ldap.c:ads_server_info(2514) got ldap server name [EMAIL PROTECTED], using bind path: dc=CITY,dc=NET,dc=FFM [2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(206) ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 [2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(206) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 [2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(206) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 [2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(206) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 [2005/09/24 18:51:49, 3] libads/sasl.c:ads_sasl_spnego_bind(215) ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED] [2005/09/24 18:51:49, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(321) Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Sun, 25 Sep 2005 04:49:51 GMT [2005/09/24 18:51:49, 1] libads/krb5_setpw.c:parse_setpw_reply(237) Got error packet 0x7e from kpasswd server [2005/09/24 18:51:49, 1] libads/krb5_setpw.c:do_krb5_kpasswd_request(450) parse_setpw_reply failed (Message stream modified) ads_set_machine_password: Message stream modified [2005/09/24 18:51:49, 2] utils/net.c:main(873) return code = -1 linux11:~ # exit /etc/samba/smb.conf: [global] workgroup = CITY server string = Samba Server load printers = no log file = /var/log/samba/%m.log loglevel = 5 max log size = 1000 security = ads password server = dc0001.city.net.ffm realm = CITY.NET.FFM client use spnego = yes encrypt passwords = yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = no [tmp] comment = Temporary file space path = /tmp read only = no - /etc/krb5.conf [libdefaults] default_realm = CITY.NET.FFM dns_lookup_realm = false dns_lookup_kdc = false [realms] CITY.NET.FFM = { kdc = dc0001.city.net.ffm:88 default_domain = city.net.ffm } [domain_realm] .city.net.ffm = CITY.NET.FFM city.net.ffm = CITY.NET.FFM [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
Re: [Samba] net ads join error
I have seen that reinstalling the samba works for me... don't know why although... I had taken the binaries from the Samba Site.. On 8/27/05, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote: Guille wrote: | Hi, | | You are not alone with regards to this error message joining FC4 to Win2k | ADS. | I got this after I joined. It's bugs in the e2fsprogs + krb5 libs shipped on FC4. You'll have to talk to the Fedora folks to get this fixed. I've confirmed with some RedHat developers that this is not our bug. ... | *** glibc detected *** /usr/bin/net: free(): invalid | pointer: 0x00fe0db0 *** | === Backtrace: = /lib/libc.so.6[0x1a6424] | /lib/libc.so.6(__libc_free+0x77)[0x1a695f] | /lib/libcom_err.so.2(remove_error_table+0x4b)[0x140abb] | /usr/lib/libkrb5.so.3[0xf7e8c4] | /usr/lib/libkrb5.so.3[0xf7e5c7] | /usr/lib/libkrb5.so.3[0xfcf9da] | /lib/ld-linux.so.2[0x82a058] | /lib/libc.so.6(exit+0xc5)[0x16dc69] | /lib/libc.so.6(__libc_start_main+0xce)[0x157dee] | /usr/bin/net[0x8e70f1] | === Memory map: cheers, jerry -- Sanjay Upadhyay http://saneax.blogspot.com
Re: [Samba] net ads join error
I have seen that reinstalling the samba works for me... don't know why although... I take the binaries from the Samba Site.. +++ Gerald (Jerry) Carter [Sat, Aug 27, 2005 at 10:41:46AM -0500]: Guille wrote: | Hi, | | You are not alone with regards to this error message joining FC4 to Win2k | ADS. | I got this after I joined. It's bugs in the e2fsprogs + krb5 libs shipped on FC4. You'll have to talk to the Fedora folks to get this fixed. I've confirmed with some RedHat developers that this is not our bug. ... | *** glibc detected *** /usr/bin/net: free(): invalid | pointer: 0x00fe0db0 *** | === Backtrace: = /lib/libc.so.6[0x1a6424] | /lib/libc.so.6(__libc_free+0x77)[0x1a695f] | /lib/libcom_err.so.2(remove_error_table+0x4b)[0x140abb] | /usr/lib/libkrb5.so.3[0xf7e8c4] | /usr/lib/libkrb5.so.3[0xf7e5c7] | /usr/lib/libkrb5.so.3[0xfcf9da] | /lib/ld-linux.so.2[0x82a058] | /lib/libc.so.6(exit+0xc5)[0x16dc69] | /lib/libc.so.6(__libc_start_main+0xce)[0x157dee] | /usr/bin/net[0x8e70f1] | === Memory map: cheers, jerry -- == Warp 7 -- It's a law we can live with. == Sanjay Upadhyay http://supadhyay.blogspot.com
RE: [Samba] net ads join error
Hi,

You are not alone with regards to this error message joining FC4 to Win2k ADS. I got this after I joined.

*** glibc detected *** /usr/bin/net: free(): invalid pointer: 0x00fe0db0 ***
=== Backtrace: =
/lib/libc.so.6[0x1a6424]
/lib/libc.so.6(__libc_free+0x77)[0x1a695f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x140abb]
/usr/lib/libkrb5.so.3[0xf7e8c4]
/usr/lib/libkrb5.so.3[0xf7e5c7]
/usr/lib/libkrb5.so.3[0xfcf9da]
/lib/ld-linux.so.2[0x82a058]
/lib/libc.so.6(exit+0xc5)[0x16dc69]
/lib/libc.so.6(__libc_start_main+0xce)[0x157dee]
/usr/bin/net[0x8e70f1]
=== Memory map:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theodore Jencks
Sent: Friday, August 26, 2005 11:58 AM
To: samba@lists.samba.org
Subject: RE: [Samba] net ads join error

So now it looks like I can join the domain however I get the following output. Seems like there might be an issue with samba-3.0.20 and the new GCC 4 and glibc. Any ideas or possibilities? I'm also not quite sure my previous problem went away; the only thing I changed was adding my kdc server into the samba lmhosts file.

Regards,
Theo

[EMAIL PROTECTED] samba]# net ads join -U tjencks%PASSWD
Using short domain name -- HQ
Joined 'THEO' to realm 'HQ.NAVIS.NET'
*** glibc detected *** net: free(): invalid pointer: 0x007eedb0 ***
=== Backtrace: =
/lib/libc.so.6[0x415124]
/lib/libc.so.6(__libc_free+0x77)[0x41565f]
/lib/libcom_err.so.2(remove_error_table+0x4b
Re: [Samba] net ads join error
Guille wrote:

| Hi,
|
| You are not alone with regards to this error message joining FC4 to Win2k
| ADS.
| I got this after I joined.

It's bugs in the e2fsprogs + krb5 libs shipped on FC4. You'll have to talk to the Fedora folks to get this fixed. I've confirmed with some RedHat developers that this is not our bug.

...

| *** glibc detected *** /usr/bin/net: free(): invalid
| pointer: 0x00fe0db0 ***
| === Backtrace: = /lib/libc.so.6[0x1a6424]
| /lib/libc.so.6(__libc_free+0x77)[0x1a695f]
| /lib/libcom_err.so.2(remove_error_table+0x4b)[0x140abb]
| /usr/lib/libkrb5.so.3[0xf7e8c4]
| /usr/lib/libkrb5.so.3[0xf7e5c7]
| /usr/lib/libkrb5.so.3[0xfcf9da]
| /lib/ld-linux.so.2[0x82a058]
| /lib/libc.so.6(exit+0xc5)[0x16dc69]
| /lib/libc.so.6(__libc_start_main+0xce)[0x157dee]
| /usr/bin/net[0x8e70f1]
| === Memory map:

cheers, jerry
[Samba] net ads join error
Compiling version 3.0.20 from source on RedHat Fedora Core 4 everything seems to go smoothly. However upon trying to join a 2000 domain with the following command

net ads join -U Administrator%Password 'OU'

I get the following error:

[2005/08/26 09:43:56, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: No such file or directory

I have checked my smb.conf file with the testparm utility and Kerberos seems to be working fine using kinit. Does anyone have any info on this error or how to workaround/fix the problem.

Best regards,
Theo

===
Theodore A. Jencks
Network Systems Administrator
1000 Broadway, Suite 150
Oakland, CA 94607
Phone: (510) 267.5152
Fax: (510) 267.5100
Email: [EMAIL PROTECTED]
http://www.navis.com
Re: [Samba] net ads join error
Theodore Jencks wrote:

> Compiling version 3.0.20 from source on RedHat Fedora Core 4 everything seems to go smoothly. However upon trying to join a 2000 domain with the following command
>
> net ads join -U Administrator%Password 'OU'
>
> I get the following error:
>
> [2005/08/26 09:43:56, 0] utils/net_ads.c:ads_startup(191)
>   ads_connect: No such file or directory
>
> I have checked my smb.conf file with the testparm utility and Kerberos seems to be working fine using kinit. Does anyone have any info on this error or how to workaround/fix the problem.

Better look at a level 10 debug log from the 'net join' to see why the error is being generated. That's my advice at least.

cheers, jerry
=
Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca
RE: [Samba] net ads join error
Where would I find the log for this? How would I set the debug level to 10 on a Redhat system?

Regards,
Theo

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 10:11 AM
To: Theodore Jencks
Cc: samba@lists.samba.org
Subject: Re: [Samba] net ads join error

Theodore Jencks wrote:

> Compiling version 3.0.20 from source on RedHat Fedora Core 4 everything seems to go smoothly. However upon trying to join a 2000 domain with the following command
>
> net ads join -U Administrator%Password 'OU'
>
> I get the following error:
>
> [2005/08/26 09:43:56, 0] utils/net_ads.c:ads_startup(191)
>   ads_connect: No such file or directory
>
> I have checked my smb.conf file with the testparm utility and Kerberos seems to be working fine using kinit. Does anyone have any info on this error or how to workaround/fix the problem.

Better look at a level 10 debug log from the 'net join' to see why the error is being generated. That's my advice at least.

cheers, jerry
RE: [Samba] net ads join error
in smb.conf add line

log level = 10

then restart nmb, smb and winbind.

-----Original Message-----
From: Theodore Jencks [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 1:03 PM
To: samba@lists.samba.org
Subject: RE: [Samba] net ads join error

Where would I find the log for this? How would I set the debug level to 10 on a Redhat system?

Regards,
Theo
RE: [Samba] net ads join error
If you run this command:

net ads join -U admin%pass

There is nothing logged in smbd.log.

Regards,
Theo

-----Original Message-----
From: Kevin Wilson [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 11:07 AM
To: Theodore Jencks
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] net ads join error

in smb.conf add line

log level = 10

then restart nmb, smb and winbind.
RE: [Samba] net ads join error
So now it looks like I can join the domain however I get the following output. Seems like there might be an issue with samba-3.0.20 and the new GCC 4 and glibc. Any ideas or possibilities? I'm also not quite sure my previous problem went away; the only thing I changed was adding my kdc server into the samba lmhosts file.

Regards,
Theo

[EMAIL PROTECTED] samba]# net ads join -U tjencks%PASSWD
Using short domain name -- HQ
Joined 'THEO' to realm 'HQ.NAVIS.NET'
*** glibc detected *** net: free(): invalid pointer: 0x007eedb0 ***
=== Backtrace: =
/lib/libc.so.6[0x415124]
/lib/libc.so.6(__libc_free+0x77)[0x41565f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x111abb]
/usr/lib/libkrb5.so.3[0x78c8c4]
/usr/lib/libkrb5.so.3[0x78c5c7]
/usr/lib/libkrb5.so.3[0x7dd9da]
/lib/ld-linux.so.2[0xb9e2d8]
/lib/libc.so.6(exit+0xc5)[0x3dcba9]
/lib/libc.so.6(__libc_start_main+0xe7)[0x3c6d67]
net[0x1dc941]
=== Memory map:
Aborted
[Samba] net ads join on AIX 5.2 - Mission Impossible ?
Hi all,

is it possible at all to get Samba 3 on AIX 5.2 to join a Win 2003 Domain natively? All the precompiled versions do not have AD Support and having AIX krb5 installed (let alone using --with-ads) is enough to make a compile run fail - both 3.0.14 and 3.0.20rc2. Might Heimdal solve this? Has ANYONE got a working installation?

Solving this would make quite a difference to my current life, so any advice would be appreciated.

TIA
regards
Dan
Re: [Samba] net ads join on AIX 5.2 - Mission Impossible ?
[EMAIL PROTECTED] wrote:

> Hi all,
>
> is it possible at all to get Samba 3 on AIX 5.2 to join a Win 2003 Domain natively? All the precompiled versions do not have AD Support and having AIX krb5 installed (let alone using --with-ads) is enough to make a compile run fail - both 3.0.14 and 3.0.20rc2. Might Heimdal solve this? Has ANYONE got a working installation?
>
> Solving this would make quite a difference to my current life, so any advice would be appreciated.

Yeah. Been there. Done that. AIX 5.2, samba 3.0.14

I went the route of installing the linux affinity toolkit. Used gcc to compile. Use at least gcc 3.x. http://aixpdslib.seas.ucla.edu/index.html has a good gcc.

Compiled and installed openldap to /usr/local/openldap just to link against samba.

Compiled and installed Kerberos to /usr/local using rpm so if IBM ever got the development files up to speed it would be easy to uninstall switch back. At the time, last year, IBM Kerberos didn't support rc4-hmac either.

In configure use CPFLAGS, CPPFLAGS, LDFLAGS to ensure the paths picked the homebrew versions. I had a special account to log in where LIBPATH and PATH would pick up the homebrew and linux affinity directories before the system ones.

When I was done, not only did samba work in ADS = security mode, but I could use the kerberos utilities natively with the MS AD as the key distribution center.

I had to turn off sendfile because, although the test machine worked fine, the production machine ran out of file handles about 3 hours into the workday. Couldn't even reboot cleanly. Total lockup. That was several months ago, maybe rc20 fixes that. I wouldn't know. Never figured how to simulate the load on the development machine.

I set winbind trusted domains only = yes because I had NIS and an identical user name correspondence between windows and unix. Used idmap_ad before it was rolled into the distribution for winbindd resolution. Didn't test other modes.

Regards,
Doug
[Samba] net ads join without an admin account
Dear Samba-Friends,

You are my last hope to solve my samba-problem. I read so many manpages and everywhere I see the same to join an ADS-Domain:

net ads join -UAdministrator%password

All I want is to join a Windows2003 ADS Domain WITHOUT knowing the admin password of the Windows Domain Controller.

Here are the Details:
Other People in my Company create for me a computer account in the domain controller. I am not allowed to do this.
The kerberos things seems to work very well.
The net ads join fails.
Besides: With security=domain a net rpc join always succeed without any password.

That's what I am doing:

W4DEMRCO0010006:~# kinit awm-meier.robert
Password for [EMAIL PROTECTED]: **
W4DEMRCO0010006:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
08/05/05 10:11:39  08/05/05 20:11:39  krbtgt/[EMAIL PROTECTED]
08/05/05 10:12:01  08/05/05 20:11:39  [EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
W4DEMRCO0010006:~#

W4DEMRCO0010006:~# net ads info
LDAP server: 10.175.162.6
LDAP server name: s4de8nsaaax
Realm: T-HUGO.COM
Bind Path: dc=T-HUGO,dc=COM
LDAP port: 389
Server time: Fri, 05 Aug 2005 10:20:34 GMT
KDC server: 10.175.162.6
Server time offset: 10
W4DEMRCO0010006:~#

W4DEMRCO0010006:~# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: W4DEMRCO0010006
distinguishedName: CN=W4DEMRCO0010006,OU=TAComputers,DC=t-HUGO,DC=com
instanceType: 4
whenCreated: 2004100348.0Z
whenChanged: 20050803095614.0Z
uSNCreated: 12291830
uSNChanged: 47883523
name: W4DEMRCO0010006
objectGUID: 4928b1f1-c9cf-41c2-a7bd-d2c2541dfa12
userAccountControl: 4096
badPwdCount: 15
codePage: 0
countryCode: 0
badPasswordTime: 127675468181987325
lastLogon: 127675350239782101
pwdLastSet: 127675344833817539
primaryGroupID: 515
objectSid: S-1-5-21-1524055796-552238918-151151879-30349
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: W4DEMRCO0010006$
sAMAccountType: 805306369
dNSHostName: W4DEMRCO0010006.rsnhm.t-HUGO.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ads-komitel,DC=de
isCriticalSystemObject: FALSE
dSCorePropagationData: 20050503160726.0Z
dSCorePropagationData: 1601010101.0Z
lastLogonTimestamp: 127673518289512517
W4DEMRCO0010006:~#

W4DEMRCO0010006:~# net ads join
[2005/08/05 10:15:00, 0] libads/ldap.c:ads_add_machine_acct(1405)
  ads_add_machine_acct: Host account for w4demrco0010006 already exists - modifying old account
[2005/08/05 10:15:00, 0] libads/ldap.c:ads_join_realm(1763)
  ads_join_realm: ads_add_machine_acct failed (w4demrco0010006): Insufficient access
ads_join_realm: Insufficient access
W4DEMRCO0010006:~#

My smb.conf:

;
; /etc/smb.conf
;
;
[global]
workgroup = MYNETWORK
netbios name = W4DEMRCO0010006
server string = Lotsa Room
security = ADS
realm = T-HUGO.COM
auth methods = winbind
password server = 10.175.162.6
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1
smb ports = 445
disable netbios = Yes
max xmit = 65535
name resolve order = host wins lmhosts bcast
#tried both spnego Yes and No same diff.
use spnego = Yes
# use spnego = No
server signing = auto
deadtime = 10080
socket options = IPTOS_LOWDELAY TCP_NODELAY
logon path =
logon home =
os level = 49
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 1-4
idmap gid = 1-4
winbind separator = +
winbind nested groups = Yes
winbind cache time = 20
template homedir = /home/%D/%U
invalid users = root
ea support = Yes
hide special files = Yes
hide unreadable = Yes
use kerberos keytab = Yes
client use spnego = yes

Many, many thanks in Advance
Robert
[Samba] net ads join fails on W2K3 server with latest MS patches
Hi All,

For the past few months I've been running a SUSE 9.2 server here (mostly as an app server) which was a member of an AD domain (w2k3 domain controller.) I used winbind to enable domain members to log into the box, all was well.

This week the w2k3 server had some MS security patches applied and suddenly logins became impossible, because winbind was unable to retrieve user info from the AD. The linux box seemed to have lost some trust relationships.

Naturally the w2k3 server was suspected, but as a first check I removed the linux box from the ads domain (net ads leave) and then re-added it. No dice (see logs below). I have updated to 3.0.14a but with exactly the same result.

Here's what *is* working:

1) Kerberos authentication works (I can kinit successfully)
2) My account on the ADS domain has privilege to add machines to the domain (I've added several Linux boxes before)
3) smbclient works.
4) The linux box does appear in the AD, but the process of joining doesn't complete.
5) Yes, I have tried removing old *.tdb files :)

Here's the end of the run of net ads join -U xx -d 10 where x is my user name. Various host names are also redacted.

log start
[2005/06/17 18:41:55, 4] libads/sasl.c:ads_sasl_bind(447)
  Found SASL mechanism GSS-SPNEGO
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2005/06/17 18:41:55, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Sat, 18 Jun 2005 04:24:29 GMT
[2005/06/17 18:41:55, 10] libsmb/clikrb5.c:ads_krb5_mk_req(408)
  ads_krb5_mk_req: Ticket ([EMAIL PROTECTED]) in ccache (FILE:/tmp/krb5cc_0) is valid until: (Sat, 18 Jun 2005 04:24:29 GMT - 1119065069)
[2005/06/17 18:41:55, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(510)
  Got KRB5 session key of length 16
[2005/06/17 18:41:55, 10] lib/util.c:name_to_fqdn(2623)
  name_to_fqdn: lookup for yy - yy.xxx.lan.
[2005/06/17 18:41:55, 0] libads/ldap.c:ads_add_machine_acct(1512)
  Warning: ads_set_machine_sd: Unexpected information received
[2005/06/17 18:41:55, 5] libads/ldap_utils.c:ads_do_search_retry(56)
  Search for (objectclass=*) gave 1 replies
[2005/06/17 18:41:55, 1] libads/krb5_setpw.c:parse_setpw_reply(237)
  Got error packet 0x7e from kpasswd server
[2005/06/17 18:41:55, 1] libads/krb5_setpw.c:do_krb5_kpasswd_request(450)
  parse_setpw_reply failed (Message stream modified)
[2005/06/17 18:41:55, 10] intl/lang_tdb.c:lang_tdb_init(135)
  lang_tdb_init: /usr/lib/samba/en_GB.UTF-8.msg: No such file or directory
[2005/06/17 18:41:55, 2] utils/net.c:main(902)
  return code = -1
log end

The crux of the matter seems to be the (non-fatal) failure on ads_set_machine_sd() but the actual death-knell is the failure of do_krb5_kpasswd_request() - I seem to recall that the "Message stream modified" is a low-level Kerberos error?

Googling around reveals a handful of similar (though not identical) problems, most with no published resolution. :-/

I'm happy to run various tests to provide more information, or to co-operate with a developer if it turns out this is another little caltrop thrown under the wheels by Redmond... :)

Vince
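The advice earlier on this page to read a level 10 debug log, and the `net ads join -U xx -d 10` output quoted in the message above, both come down to picking the few low-level entries out of a long trace. The following is an added example, not part of any post in this thread and not Samba project code: a small Python parser that splits such a log into entries, names the SPNEGO mechanisms the server offered, and returns the level 0 and 1 entries. SAMPLE is an excerpt of the log quoted above; the function and variable names are this example's own.

```python
import re
from typing import NamedTuple

# Excerpt of the `net ads join -d 10` output quoted in the message above,
# laid out the way Samba writes it: header line, then the indented message.
SAMPLE = """\
[2005/06/17 18:41:55, 4] libads/sasl.c:ads_sasl_bind(447)
  Found SASL mechanism GSS-SPNEGO
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/06/17 18:41:55, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/06/17 18:41:55, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(510)
  Got KRB5 session key of length 16
[2005/06/17 18:41:55, 0] libads/ldap.c:ads_add_machine_acct(1512)
  Warning: ads_set_machine_sd: Unexpected information received
[2005/06/17 18:41:55, 1] libads/krb5_setpw.c:parse_setpw_reply(237)
  Got error packet 0x7e from kpasswd server
[2005/06/17 18:41:55, 1] libads/krb5_setpw.c:do_krb5_kpasswd_request(450)
  parse_setpw_reply failed (Message stream modified)
[2005/06/17 18:41:55, 2] utils/net.c:main(902)
  return code = -1
"""


class Entry(NamedTuple):
    timestamp: str
    level: int
    source: str
    function: str
    line: int
    message: str


# Header: "[date time, level] file.c:function(line)". Newer Samba releases
# add microseconds and print "file.c:line(function)" instead, so the last
# two fields are sorted out after matching.
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(\d+)\]\s+"
    r"([\w./-]+):(\w+)\((\w+)\)"
)

# SPNEGO mechanism OIDs; the log prints them with spaces instead of dots.
SPNEGO_MECHS = {
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.113554.1.2.2.3": "Kerberos 5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
OID_RE = re.compile(r"got OID=(\d+(?: \d+)*)")


def parse_entries(text):
    """Split a debug log into entries, whether or not line breaks survived."""
    matches = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        ts, level, source, a, b = m.groups()
        function, line = (b, a) if a.isdigit() else (a, b)
        message = " ".join(text[m.end():end].split())
        entries.append(Entry(ts, int(level), source, function,
                             int(line) if line.isdigit() else 0, message))
    return entries


def offered_mechs(entries):
    """Names of the SPNEGO mechanisms the server listed, in log order."""
    names = []
    for e in entries:
        m = OID_RE.search(e.message)
        if m:
            oid = m.group(1).replace(" ", ".")
            names.append(SPNEGO_MECHS.get(oid, "unknown mechanism " + oid))
    return names


def failures(entries, max_level=1):
    """Entries logged at debug level 0 or 1, where Samba reports errors."""
    return [e for e in entries if e.level <= max_level]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print("server offered:", ", ".join(offered_mechs(parsed)))
    for e in failures(parsed):
        print(f"{e.timestamp} [{e.level}] {e.source}:{e.function}({e.line}) {e.message}")
```

Because `net` writes its debug output to the terminal, redirect the command's output to a file and pass the file's contents to `parse_entries`.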
Re: [Samba] net ads join fails 3/4's of the time
Rex Dieter wrote:

| I just wanted to share my frustrations with trying
| to use samba to join linux machines to our AD
| (so I could use pam_winbind primarily). I'm
| using Red Hat Enterprise 4 boxes, with samba-3.0.14a,
| krb5-libs-1.3.4-12, kernel-2.6.9-5.0.5.EL (I tried
| Fedora Core 3 too, with similar results). I (pre)added
| machines to the AD using the Active Directory Users
| and Computers tool.
|
| I initially had clock skew problems (yielding kerberos
| errors), but I now have synchronized system clocks.
|
| Now, I've found that the
| $ net ads join
| command(*) always says it succeeds joining the domain,
| but a subsequent
| $ wbinfo -t
| about 75% of the time yields an error:
| NT_STATUS_ACCESS_DENIED
|
| If I re-run those 2 commands repeatedly, I *eventually*
| will get machine that has successfully joined the
| AD domain (where 'wbinfo -t' succeeds
| and pam_winbind successfully authenticates users).

I wonder if you are dealing with a AD replication lag. How many DC's are there in the domain?

cheers, jerry
=
Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca
Re: [Samba] net ads join fails 3/4's of the time
Gerald (Jerry) Carter wrote:

> Rex Dieter wrote:
> | Now, I've found that the
> | $ net ads join
> | command(*) always says it succeeds joining the domain,
> | but a subsequent
> | $ wbinfo -t
> | about 75% of the time yields an error:
> | NT_STATUS_ACCESS_DENIED
> |
> | If I re-run those 2 commands repeatedly, I *eventually*
> | will get machine that has successfully joined the
> | AD domain (where 'wbinfo -t' succeeds
> | and pam_winbind successfully authenticates users).
>
> I wonder if you are dealing with a AD replication lag. How many DC's are there in the domain?

3 DC's. If your hunch is right, what should I do? Simply wait longer between the 'net ads join' and 'wbinfo -t' (I'm currently waiting 2 seconds)?

-- Rex
[Samba] net ads join fails 3/4's of the time
I just wanted to share my frustrations with trying to use samba to join linux machines to our AD (so I could use pam_winbind primarily). I'm using Red Hat Enterprise 4 boxes, with samba-3.0.14a, krb5-libs-1.3.4-12, kernel-2.6.9-5.0.5.EL (I tried Fedora Core 3 too, with similar results). I (pre)added machines to the AD using the Active Directory Users and Computers tool.

I initially had clock skew problems (yielding kerberos errors), but I now have synchronized system clocks.

Now, I've found that the
$ net ads join
command(*) always says it succeeds joining the domain, but a subsequent
$ wbinfo -t
about 75% of the time yields an error:
NT_STATUS_ACCESS_DENIED

If I re-run those 2 commands repeatedly, I *eventually* will get machine that has successfully joined the AD domain (where 'wbinfo -t' succeeds and pam_winbind successfully authenticates users).

Now, I'm mostly content that I've found a solution to my problem, but I'm curious why/how 'net ads join' oftentimes claims false success (and why is it failing at all in the first place)?

-- Rex

(*) with -d3 or higher, I see random collections of errors, mostly kerberos related saying pre-authentication failed and encryption type not supported
Re: [Samba] net ads join - No such file or directory error ???
On Thursday 26 May 2005 18:50, Rex Dieter wrote:

> Here's one that's got me baffled. No such file or directory?
>
> # net ads join -U'AD-Administrator'
> AD-Administrator's password:
> [2005/05/26 08:15:00, 0] utils/net_ads.c:ads_startup(191)
>   ads_connect: No such file or directory
>
> I've been testing 'net ads join' to our AD all week, but I've not seen this error before. I don't even know what it means so I don't know what to do about it.
>
> -- Rex

Hope you have the /etc/krb5.conf...
[Samba] net ads join - No such file or directory error ???
Here's one that's got me baffled. No such file or directory?

# net ads join -U'AD-Administrator'
AD-Administrator's password:
[2005/05/26 08:15:00, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: No such file or directory

I've been testing 'net ads join' to our AD all week, but I've not seen this error before. I don't even know what it means so I don't know what to do about it.

-- Rex
RE: [Samba] net ads join fails
No, neither /var/kerberos/krb5kdc/ nor /var/log/krb5/ exist. Is this part of the problem?

For Craig White and anyone new to the problem here are the outputs of some files.

cat /etc/resolv.conf

search ellisonslegal.com
domain ellisonslegal.com
nameserver 10.0.0.31

cat /etc/krb5.conf

[libdefaults]
default_realm = ELLISONSLEGAL.COM
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true

[domain_realm]
ellisonslegal.com = ELLISONSLEGAL.COM
.ellisonslegal.com = ELLISONSLEGAL.COM

[realms]
ELLISONSLEGAL.COM = {
    kdc = 10.0.0.31
    default_domain = ELLNET
    admin_server = 10.0.0.31
}

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
}

kinit Administrator and/or kinit [EMAIL PROTECTED]

I do not have the kinit command

I am running Samba 3.0.13 on Suse Linux 9.0

Thank you for your help
Penny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 11 April 2005 16:57
To: Penny Willisson
Subject: RE: [Samba] net ads join fails

Try that, it is working for me

[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
ticket_lifetime = 24000
default_realm = BLABLA.COM
forwardable = true
proxiable = true

[realms]
BLABLA.COM = {
    kdc = ip_address_of_kdc
    default_domain = blabla.com
}

[domain_realm]
.blabla.com = BLABLA.COM
blabla.com = BLABLA.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

Check if /var/kerberos/krb5kdc/ and /var/log/krb5/ exist, also replace BLABLA.COM and blabla.com with the right value

Radu STANUC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Penny Willisson
Sent: Monday, April 11, 2005 3:43 PM
To: Gordon Hopper; [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: RE: [Samba] net ads join fails

I have recreated my dns pointers
without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from a article I found. I have pasted it in below [libdefaults] #default_realm = ellisonslegal.com clockskew = 300 [realms] ELLISONSLEGAL.COM = { kdc = apps.ellisonslegal.com #default_domain = ELLNET #kpasswd_server = apps.ellisonslegal.com } #ELLISONSLEGAL.COM = { # kdc = APPS.ELLISONSLEGAL.COM # admin_server = APPS.ELLISONSLEGAL.COM # kpasswd_server = APPS.ELLISONSLEGAL.COM #} #OTHER.REALM = { # kdc = OTHER.COMPUTER #} [domain_realm] # .my.domain = MY.REALM .ellisonslegal.com = ELLISONSLEGAL.COM [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Dimitri would you be able to repost that link for the HOW-TO please? I tried it but it seems like it is broken, do you have the updated link? Thanks for your continued help. Penny -Original Message- From: Gordon Hopper [mailto:[EMAIL PROTECTED] Sent: 09 April 2005 00:23 To: Penny Willisson Subject: RE: [Samba] net ads join fails You might need to add some entries to your krb5.conf file. for example: [realms] ellisonslegal.com = { kdc = domain.controller.ellisonslegal.com:88 } Where kdc points to a domain controller. Doesn't need to be the primary domain controller, choose one close by for best performance. (You shouldn't need to do this if your DNS for the domain resolves to a domain controller.) Gordon On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote: Thanks When I run 'kinit administrator' I get the following error kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com any ideas??? 
-Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] Behalf Of Dimitri Yioulos Sent: 08 April 2005 13:30 To: samba@lists.samba.org Subject: Re: [Samba] net ads join fails On Friday 08 April 2005 07:46 am, Penny Willisson wrote: Hi I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions. I have executed the following command as suggested net ads join [EMAIL PROTECTED] -d 2 The following was output to the screen: [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81) added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0 [2005/04/08 13:33:41, 0] libads
RE: [Samba] net ads join fails
I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from a article I found. I have pasted it in below [libdefaults] #default_realm = ellisonslegal.com clockskew = 300 [realms] ELLISONSLEGAL.COM = { kdc = apps.ellisonslegal.com #default_domain = ELLNET #kpasswd_server = apps.ellisonslegal.com } #ELLISONSLEGAL.COM = { # kdc = APPS.ELLISONSLEGAL.COM # admin_server = APPS.ELLISONSLEGAL.COM # kpasswd_server = APPS.ELLISONSLEGAL.COM #} #OTHER.REALM = { # kdc = OTHER.COMPUTER #} [domain_realm] # .my.domain = MY.REALM .ellisonslegal.com = ELLISONSLEGAL.COM [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Dimitri would you be able to repost that link for the HOW-TO please? I tried it but it seems like it is broken, do you have the updated link? Thanks for your continued help. Penny -Original Message- From: Gordon Hopper [mailto:[EMAIL PROTECTED] Sent: 09 April 2005 00:23 To: Penny Willisson Subject: RE: [Samba] net ads join fails You might need to add some entries to your krb5.conf file. for example: [realms] ellisonslegal.com = { kdc = domain.controller.ellisonslegal.com:88 } Where kdc points to a domain controller. Doesn't need to be the primary domain controller, choose one close by for best performance. (You shouldn't need to do this if your DNS for the domain resolves to a domain controller.) Gordon On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote: Thanks When I run 'kinit administrator' I get the following error kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com any ideas??? 
-Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] Behalf Of Dimitri Yioulos Sent: 08 April 2005 13:30 To: samba@lists.samba.org Subject: Re: [Samba] net ads join fails On Friday 08 April 2005 07:46 am, Penny Willisson wrote: Hi I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions. I have executed the following command as suggested net ads join [EMAIL PROTECTED] -d 2 The following was output to the screen: [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81) added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146) kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown code krb5 156 [2005/04/08 13:33:41, 2] utils/net.c:main(897) return code = -1 Thanks Penny -Original Message- From: Gordon Hopper [mailto: [EMAIL PROTECTED] Sent: 06 April 2005 05:28 To: Penny Willisson Subject: Re: [Samba] net ads join fails [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381) ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory) [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146) kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown code krb5 156 I suggest you post the output of the command you are running to join the domain (including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2. Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. 
(It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.) It almost looks like the password failed. Or perhaps the folder you specified for the machine account does not exist.

Regards,
Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]). You should be prompted for a password. If, after entering the password, you're returned to a prompt with no further output then, in theory at least, your Kerberos setup is OK. If you get errors, well ... Run that first, then try net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.
Dimitri
Re: [Samba] net ads join fails
On Monday 11 April 2005 09:42 am, you wrote: I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from a article I found. I have pasted it in below [libdefaults] #default_realm = ellisonslegal.com clockskew = 300 [realms] ELLISONSLEGAL.COM = { kdc = apps.ellisonslegal.com #default_domain = ELLNET #kpasswd_server = apps.ellisonslegal.com } #ELLISONSLEGAL.COM = { # kdc = APPS.ELLISONSLEGAL.COM # admin_server = APPS.ELLISONSLEGAL.COM # kpasswd_server = APPS.ELLISONSLEGAL.COM #} #OTHER.REALM = { # kdc = OTHER.COMPUTER #} [domain_realm] # .my.domain = MY.REALM .ellisonslegal.com = ELLISONSLEGAL.COM [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Dimitri would you be able to repost that link for the HOW-TO please? I tried it but it seems like it is broken, do you have the updated link? Thanks for your continued help. Penny -Original Message- From: Gordon Hopper [mailto:[EMAIL PROTECTED] Sent: 09 April 2005 00:23 To: Penny Willisson Subject: RE: [Samba] net ads join fails You might need to add some entries to your krb5.conf file. for example: [realms] ellisonslegal.com = { kdc = domain.controller.ellisonslegal.com:88 } Where kdc points to a domain controller. Doesn't need to be the primary domain controller, choose one close by for best performance. (You shouldn't need to do this if your DNS for the domain resolves to a domain controller.) Gordon On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote: Thanks When I run 'kinit administrator' I get the following error kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com any ideas??? 
-Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] Behalf Of Dimitri Yioulos Sent: 08 April 2005 13:30 To: samba@lists.samba.org Subject: Re: [Samba] net ads join fails On Friday 08 April 2005 07:46 am, Penny Willisson wrote: Hi I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions. I have executed the following command as suggested net ads join [EMAIL PROTECTED] -d 2 The following was output to the screen: [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81) added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146) kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown code krb5 156 [2005/04/08 13:33:41, 2] utils/net.c:main(897) return code = -1 Thanks Penny -Original Message- From: Gordon Hopper [mailto: [EMAIL PROTECTED] Sent: 06 April 2005 05:28 To: Penny Willisson Subject: Re: [Samba] net ads join fails [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381) ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory) [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146) kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown code krb5 156 I suggest you post the output of the command you are running to join the domain (including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2. Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. 
(It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.) It almost looks like the password failed. Or perhaps the folder you specified for the machine account does not exist.

Regards,
Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]). You should be prompted for a password. If, after entering the password, you're returned to a prompt with no further output then, in theory at least, your Kerberos setup is OK. If you get errors, well ... Run that first, then try net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz
FW: [Samba] net ads join fails
Ok I deleted the incorrect conf file and set it up using Yast again; here is the amended file. I tried using the IP address of the server this time but I'm still getting the same errors as before.

[libdefaults]
default_realm = ELLISONSLEGAL.COM
clockskew = 300

[domain_realm]
.ELLNET = ELLISONSLEGAL.COM

[realms]
ELLISONSLEGAL.COM = {
    kdc = 10.0.0.31
    default_domain = ELLNET
    kpasswd_server = 10.0.0.31
}

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
}

Thanks

-Original Message-
From: Penny Willisson
Sent: 11 April 2005 14:43
To: 'Gordon Hopper'; '[EMAIL PROTECTED]'
Cc: Dimitri Yioulos; samba@lists.samba.org
Subject: RE: [Samba] net ads join fails

I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from an article I found. I have pasted it in below

[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300

[realms]
ELLISONSLEGAL.COM = {
    kdc = apps.ellisonslegal.com
    #default_domain = ELLNET
    #kpasswd_server = apps.ellisonslegal.com
}
#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}
#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}

[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
    debug = false
}

Dimitri would you be able to repost that link for the HOW-TO please? I tried it but it seems like it is broken, do you have the updated link?

Thanks for your continued help.
Penny -Original Message- From: Gordon Hopper [mailto:[EMAIL PROTECTED] Sent: 09 April 2005 00:23 To: Penny Willisson Subject: RE: [Samba] net ads join fails You might need to add some entries to your krb5.conf file. for example: [realms] ellisonslegal.com = { kdc = domain.controller.ellisonslegal.com:88 } Where kdc points to a domain controller. Doesn't need to be the primary domain controller, choose one close by for best performance. (You shouldn't need to do this if your DNS for the domain resolves to a domain controller.) Gordon On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote: Thanks When I run 'kinit administrator' I get the following error kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com any ideas??? -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] Behalf Of Dimitri Yioulos Sent: 08 April 2005 13:30 To: samba@lists.samba.org Subject: Re: [Samba] net ads join fails On Friday 08 April 2005 07:46 am, Penny Willisson wrote: Hi I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions. 
I have executed the following command as suggested net ads join [EMAIL PROTECTED] -d 2 The following was output to the screen: [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81) added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146) kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown code krb5 156 [2005/04/08 13:33:41, 2] utils/net.c:main(897) return code = -1 Thanks Penny -Original Message- From: Gordon Hopper [mailto: [EMAIL PROTECTED] Sent: 06 April 2005 05:28 To: Penny Willisson Subject: Re: [Samba] net ads join fails [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381) ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory) [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146) kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown code krb5 156 I suggest you post the output of the command you are running to join the domain (including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2. Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. (It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.) It almost looks like the password
Re: FW: [Samba] net ads join fails
OK, this is closer. Change [realms] kpasswd_server to admin_server. I also believe that [domain realm] should read:

ellisonlegal.com = ELLISONLEGAL.COM
.ellisonlegal.com = ELLISONLEGAL.COM

I would add to [libdefaults]:

dns_lookup_realm = true
dns_lookup_kdc = true

Try this and report back (like a good IT soldier :-) )

Dimitri

On Monday 11 April 2005 10:58 am, you wrote:

Ok I deleted the incorrect conf file and set it up using Yast again; here is the amended file. I tried using the IP address of the server this time but I'm still getting the same errors as before.

[libdefaults]
default_realm = ELLISONSLEGAL.COM
clockskew = 300

[domain_realm]
.ELLNET = ELLISONSLEGAL.COM

[realms]
ELLISONSLEGAL.COM = {
    kdc = 10.0.0.31
    default_domain = ELLNET
    kpasswd_server = 10.0.0.31
}

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
}

Thanks

-Original Message-
From: Penny Willisson
Sent: 11 April 2005 14:43
To: 'Gordon Hopper'; '[EMAIL PROTECTED]'
Cc: Dimitri Yioulos; samba@lists.samba.org
Subject: RE: [Samba] net ads join fails

I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from an article I found.
I have pasted it in below [libdefaults] #default_realm = ellisonslegal.com clockskew = 300 [realms] ELLISONSLEGAL.COM = { kdc = apps.ellisonslegal.com #default_domain = ELLNET #kpasswd_server = apps.ellisonslegal.com } #ELLISONSLEGAL.COM = { # kdc = APPS.ELLISONSLEGAL.COM # admin_server = APPS.ELLISONSLEGAL.COM # kpasswd_server = APPS.ELLISONSLEGAL.COM #} #OTHER.REALM = { # kdc = OTHER.COMPUTER #} [domain_realm] # .my.domain = MY.REALM .ellisonslegal.com = ELLISONSLEGAL.COM [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Dimitri would you be able to repost that link for the HOW-TO please? I tried it but it seems like it is broken, do you have the updated link? Thanks for your continued help. Penny -Original Message- From: Gordon Hopper [mailto:[EMAIL PROTECTED] Sent: 09 April 2005 00:23 To: Penny Willisson Subject: RE: [Samba] net ads join fails You might need to add some entries to your krb5.conf file. for example: [realms] ellisonslegal.com = { kdc = domain.controller.ellisonslegal.com:88 } Where kdc points to a domain controller. Doesn't need to be the primary domain controller, choose one close by for best performance. (You shouldn't need to do this if your DNS for the domain resolves to a domain controller.) Gordon On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote: Thanks When I run 'kinit administrator' I get the following error kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com any ideas??? 
-Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] Behalf Of Dimitri Yioulos Sent: 08 April 2005 13:30 To: samba@lists.samba.org Subject: Re: [Samba] net ads join fails On Friday 08 April 2005 07:46 am, Penny Willisson wrote: Hi I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions. I have executed the following command as suggested net ads join [EMAIL PROTECTED] -d 2 The following was output to the screen: [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81) added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146) kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown code krb5 156 [2005/04/08 13:33:41, 2] utils/net.c:main(897) return code = -1 Thanks Penny -Original Message- From: Gordon Hopper [mailto: [EMAIL PROTECTED] Sent: 06 April 2005 05:28 To: Penny Willisson Subject: Re: [Samba] net ads join fails [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381) ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory) [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146) kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown code krb5 156
RE: FW: [Samba] net ads join fails
Sorry the same problem is still happening. Thanks -Original Message- From: Dimitri Yioulos [mailto:[EMAIL PROTECTED] Sent: 11 April 2005 16:38 To: Penny Willisson Subject: Re: FW: [Samba] net ads join fails OK, this is closer. Change [realms] kpasswd_server to admin_server. I also believe that [domain realm] should read: ellisonlegal.com = ELLISONLEGAL.COM .ellisonlegal.com = ELLISONLEGAL.COM I would add to [libdefaults]: dns_lookup_realm = true dns_lookup_kdc = true Try this and report back (like a good IT soldier :-) ) Dimitri On Monday 11 April 2005 10:58 am, you wrote: Ok I deleted the incorrect conf file and set it up using Yast again here is the amended file. I tried using the IP address of the server this time but I'm still getting the same errors as before. [libdefaults] default_realm = ELLISONSLEGAL.COM clockskew = 300 [domain_realm] .ELLNET = ELLISONSLEGAL.COM [realms] ELLISONSLEGAL.COM = { kdc = 10.0.0.31 default_domain = ELLNET kpasswd_server = 10.0.0.31 } [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 } Thanks -Original Message- From: Penny Willisson Sent: 11 April 2005 14:43 To: 'Gordon Hopper'; '[EMAIL PROTECTED]' Cc: Dimitri Yioulos; samba@lists.samba.org Subject: RE: [Samba] net ads join fails I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from a article I found. 
I have pasted it in below [libdefaults] #default_realm = ellisonslegal.com clockskew = 300 [realms] ELLISONSLEGAL.COM = { kdc = apps.ellisonslegal.com #default_domain = ELLNET #kpasswd_server = apps.ellisonslegal.com } #ELLISONSLEGAL.COM = { # kdc = APPS.ELLISONSLEGAL.COM # admin_server = APPS.ELLISONSLEGAL.COM # kpasswd_server = APPS.ELLISONSLEGAL.COM #} #OTHER.REALM = { # kdc = OTHER.COMPUTER #} [domain_realm] # .my.domain = MY.REALM .ellisonslegal.com = ELLISONSLEGAL.COM [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Dimitri would you be able to repost that link for the HOW-TO please? I tried it but it seems like it is broken, do you have the updated link? Thanks for your continued help. Penny -Original Message- From: Gordon Hopper [mailto:[EMAIL PROTECTED] Sent: 09 April 2005 00:23 To: Penny Willisson Subject: RE: [Samba] net ads join fails You might need to add some entries to your krb5.conf file. for example: [realms] ellisonslegal.com = { kdc = domain.controller.ellisonslegal.com:88 } Where kdc points to a domain controller. Doesn't need to be the primary domain controller, choose one close by for best performance. (You shouldn't need to do this if your DNS for the domain resolves to a domain controller.) Gordon On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote: Thanks When I run 'kinit administrator' I get the following error kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com any ideas??? 
-Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] Behalf Of Dimitri Yioulos Sent: 08 April 2005 13:30 To: samba@lists.samba.org Subject: Re: [Samba] net ads join fails On Friday 08 April 2005 07:46 am, Penny Willisson wrote: Hi I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions. I have executed the following command as suggested net ads join [EMAIL PROTECTED] -d 2 The following was output to the screen: [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81) added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146) kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191) ads_connect: Unknown code krb5 156 [2005/04/08 13:33:41, 2] utils/net.c:main(897) return code = -1 Thanks Penny -Original Message- From: Gordon Hopper [mailto: [EMAIL PROTECTED] Sent: 06 April 2005 05:28 To: Penny Willisson Subject: Re: [Samba] net ads join fails [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381) ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory) [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146
RE: FW: [Samba] net ads join fails
On Mon, 2005-04-11 at 16:51 +0100, Penny Willisson wrote:
> Sorry the same problem is still happening.
---
it would probably help if you gave us more info...started over...

what is output?

cat /etc/resolv.conf
cat /etc/krb5.conf

terminal output of

kinit Administrator
and/or
kinit [EMAIL PROTECTED]

Craig
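An added example, not part of any poster's message and not Samba code: a small Python check that parses krb5.conf text and reports the points the replies in this thread raise (a default_realm, upper-case realm names, a kdc line or dns_lookup_kdc, and a [domain_realm] entry for the DNS domain). The function names and finding codes are hypothetical, and the sample files are re-wrapped and abridged from configurations posted in the thread.

```python
import re

# Sample files re-wrapped and abridged from configurations posted in this thread.
YAST_FILE = """\
[libdefaults]
default_realm = ELLISONSLEGAL.COM
[domain_realm]
.ELLNET = ELLISONSLEGAL.COM
[realms]
ELLISONSLEGAL.COM = {
    kdc = 10.0.0.31
    kpasswd_server = 10.0.0.31
}
"""

HAND_EDITED_FILE = """\
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300
[realms]
ELLISONSLEGAL.COM = {
    kdc = apps.ellisonslegal.com
}
[domain_realm]
.ellisonslegal.com = ELLISONSLEGAL.COM
"""

LATEST_FILE = """\
[libdefaults]
default_realm = ELLISONSLEGAL.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[domain_realm]
ellisonslegal.com = ELLISONSLEGAL.COM
.ellisonslegal.com = ELLISONSLEGAL.COM
[realms]
ELLISONSLEGAL.COM = {
    kdc = 10.0.0.31
    admin_server = 10.0.0.31
}
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] or nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                              # new [section]
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}":                       # end of a { } block
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                    # start of a realm or pam block
                stack.append(stack[-1].setdefault(key, {}))
            else:                               # keys such as kdc may repeat
                stack[-1].setdefault(key, []).append(value)
    return conf


def _first(section, key):
    values = section.get(key)
    return values[0] if isinstance(values, list) else None


def _enabled(section, key):
    return (_first(section, key) or "").lower() in ("true", "yes", "on", "1")


def check_krb5_conf(text, dns_domain):
    """Return finding codes (hypothetical names) for the given krb5.conf text."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realms = {k: v for k, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    domain_realm = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    findings = []

    default_realm = _first(lib, "default_realm")
    if default_realm is None:
        findings.append("no-default-realm")
    # Realm names are case-sensitive; Active Directory realms are upper case.
    for name in sorted({default_realm, *realms} - {None}):
        if name != name.upper():
            findings.append("lowercase-realm:" + name)
    # The realm needs a kdc line unless KDCs are located through DNS.
    target = default_realm or next(iter(realms), None)
    if target and not realms.get(target, {}).get("kdc") and not _enabled(lib, "dns_lookup_kdc"):
        findings.append("no-kdc:" + target)
    # Look for a "domain" or ".domain" entry, unless realm lookup via DNS is on.
    domain = dns_domain.lower()
    if not (domain in domain_realm or "." + domain in domain_realm
            or _enabled(lib, "dns_lookup_realm")):
        findings.append("no-domain-realm-entry:" + domain)
    return findings


if __name__ == "__main__":
    samples = [("yast", YAST_FILE), ("hand-edited", HAND_EDITED_FILE), ("latest", LATEST_FILE)]
    for label, text in samples:
        print(label, check_krb5_conf(text, "ellisonslegal.com"))
```

An empty result only means none of these four points applies; it says nothing about DNS resolution, clock skew or the credentials used for the join.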
[Samba] 'net ads join' Segmentation fault for one ADS tree but not another?!
The cmd 'net ads join -U username' dies with 'Segmentation fault' for our PROD ADS environment, however works fine in our DEV ADS environment!

The only [Linux] configuration change between the two environments is update SAMBA and Kerberos config to read 'ADS' vs 'ADSDEV' and change the domain controller FQDN. The /var/kerberos/krb5kdc directory, samba/secrets.tdb and kerberos database are nuked/recreated between DEV-PROD environments to clear cached info (have I missed clearing anything?)

Kerberos config seems OK for both environments, kinit username/password works.

Here's the end of 'net ads join -U username -d 10' resulting in the segmentation fault, plus closest matching portion of our DEV environment for comparison.

-- PROD ---
[2005/04/11 17:02:36, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2005/04/11 17:02:36, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2005/04/11 17:02:36, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
  Ticket in ccache[MEMORY:net_ads] expiration Tue, 12 Apr 2005 03:02:36 GMT
[2005/04/11 17:02:36, 10] libsmb/clikrb5.c:ads_krb5_mk_req(409)
  ads_krb5_mk_req: Ticket ([EMAIL PROTECTED]) in ccache (MEMORY:net_ads) is valid until: (Tue, 12 Apr 2005 03:02:36 GMT - 1113246156)
[2005/04/11 17:02:36, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(510)
  Got KRB5 session key of length 16
[2005/04/11 17:02:36, 10] lib/util.c:name_to_fqdn(2626)
  name_to_fqdn: lookup for banana - banana.ads.ecu.edu.au.
[2005/04/11 17:02:36, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for banana already exists - modifying old account
[2005/04/11 17:02:36, 5] libads/ldap_utils.c:ads_do_search_retry(56)
  Search for (objectclass=*) gave 1 replies
[2005/04/11 17:02:41, 10] intl/lang_tdb.c:lang_tdb_init(135)
  lang_tdb_init: /usr/lib/samba/en_AU.UTF-8.msg: No such file or directory
Using short domain name -- ADS
[2005/04/11 17:02:41, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@ADS.ECU.EDU.AU failed: Preauthentication failed
Segmentation fault

--- DEV ---
[2005/04/11 16:41:30, 3] libads/ldap.c:ads_workgroup_name(2531)
  Found alternate name 'ADSDEV' for realm 'ADSDEV.ECU.EDU.AU'
[2005/04/11 16:41:30, 10] intl/lang_tdb.c:lang_tdb_init(135)
  lang_tdb_init: /usr/lib/samba/en_AU.UTF-8.msg: No such file or directory
Using short domain name -- ADSDEV
[2005/04/11 16:41:30, 5] libads/kerberos.c:get_service_ticket(366)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 16 failed: KDC has no support for encryption type
[2005/04/11 16:41:30, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(551)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
... repeats, snip ...
[2005/04/11 16:41:31, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(551)
  verify_service_password: get_service_ticket failed: Server not found in Kerberos database
[2005/04/11 16:41:31, 5] libads/kerberos.c:get_service_ticket(366)
  get_service_ticket: krb5_get_credentials for host/[EMAIL PROTECTED] enctype 2 failed: Server not found in Kerberos database
[2005/04/11 16:41:31, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(551)
  verify_service_password: get_service_ticket failed: Server not found in Kerberos database
Joined 'BANANA' to realm 'ADSDEV.ECU.EDU.AU'
[2005/04/11 16:41:31, 2] utils/net.c:main(859)
  return code = 0

After which point host 'BANANA' appears in ADSDEV tree and behaves as expected for ADSDEV authenticated users.

I'm at a loss to explain why 'net ads join' for PROD segment faults yet DEV works with practically identical config. We have some 50,000+ users, 6,000+ computer objects, multiple campuses, numerous domain controllers etc in PROD so difficult to see what the relevant difference is between PROD and DEV :-(

Any suggestions on what could cause/resolve the '[EMAIL PROTECTED]@ADS.ECU.EDU.AU' reference and segmentation fault would be appreciated.

Re, Chr!s

PS: Running RHAS 3 with samba-3.0.9-1.3E.2 delivered via 'up2date' and kernel 2.4.21-27.0.2 (latest certified by EMC SAN matrix):
Re: RE: [Samba] net ads join fails
Hi! Check your dns configuration! I had similar problems and found out my dns server wasn't handling reverse resolution correctly. Good luck!

Ernesto Pereirinha

- Original Message -
From: Penny Willisson [EMAIL PROTECTED]
Date: Friday, April 8, 2005 3:41 pm
Subject: RE: [Samba] net ads join fails

Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

any ideas???

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dimitri Yioulos
Sent: 08 April 2005 13:30
To: samba@lists.samba.org
Subject: Re: [Samba] net ads join fails

On Friday 08 April 2005 07:46 am, Penny Willisson wrote:

Hi

I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions.

I have executed the following command as suggested

net ads join [EMAIL PROTECTED] -d 2

The following was output to the screen:

[2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
[2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
[2005/04/08 13:33:41, 2] utils/net.c:main(897)
  return code = -1

Thanks
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 06 April 2005 05:28
To: Penny Willisson
Subject: Re: [Samba] net ads join fails

[2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156

I suggest you post the output of the command you are running to join the domain (including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2.

Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. (It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.)

It almost looks like the password failed. Or perhaps the folder you specified for the machine account does not exist.

Regards,
Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]). You should be prompted for a password. If, after entering the password, you're returned to a prompt with no further output then, in theory at least, your Kerberos setup is OK. If you get errors, well ...

Run that first, then try net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri
RE: [Samba] net ads join fails
Hi

I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions.

I have executed the following command as suggested

net ads join [EMAIL PROTECTED] -d 2

The following was output to the screen:

[2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
[2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
[2005/04/08 13:33:41, 2] utils/net.c:main(897)
  return code = -1

Thanks
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 06 April 2005 05:28
To: Penny Willisson
Subject: Re: [Samba] net ads join fails

[2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156

I suggest you post the output of the command you are running to join the domain (including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2.

Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. (It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.)

It almost looks like the password failed. Or perhaps the folder you specified for the machine account does not exist.

Regards,
Gordon Hopper
Re: [Samba] net ads join fails
On Friday 08 April 2005 07:46 am, Penny Willisson wrote:

Hi

I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions.

I have executed the following command as suggested

net ads join [EMAIL PROTECTED] -d 2

The following was output to the screen:

[2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
[2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
[2005/04/08 13:33:41, 2] utils/net.c:main(897)
  return code = -1

Thanks
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 06 April 2005 05:28
To: Penny Willisson
Subject: Re: [Samba] net ads join fails

[2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156

I suggest you post the output of the command you are running to join the domain (including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2.

Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. (It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.)

It almost looks like the password failed. Or perhaps the folder you specified for the machine account does not exist.

Regards,
Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]). You should be prompted for a password. If, after entering the password, you're returned to a prompt with no further output then, in theory at least, your Kerberos setup is OK. If you get errors, well ...

Run that first, then try net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri
RE: [Samba] net ads join fails
Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

any ideas???

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dimitri Yioulos
Sent: 08 April 2005 13:30
To: samba@lists.samba.org
Subject: Re: [Samba] net ads join fails

On Friday 08 April 2005 07:46 am, Penny Willisson wrote:

Hi

I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions.

I have executed the following command as suggested

net ads join [EMAIL PROTECTED] -d 2

The following was output to the screen:

[2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
[2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
[2005/04/08 13:33:41, 2] utils/net.c:main(897)
  return code = -1

Thanks
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 06 April 2005 05:28
To: Penny Willisson
Subject: Re: [Samba] net ads join fails

[2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156

I suggest you post the output of the command you are running to join the domain (including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2.

Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. (It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.)

It almost looks like the password failed. Or perhaps the folder you specified for the machine account does not exist.

Regards,
Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]). You should be prompted for a password. If, after entering the password, you're returned to a prompt with no further output then, in theory at least, your Kerberos setup is OK. If you get errors, well ...

Run that first, then try net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri
Re: [Samba] net ads join fails
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dimitri Yioulos
Sent: 08 April 2005 13:30
To: samba@lists.samba.org
Subject: Re: [Samba] net ads join fails

On Friday 08 April 2005 07:46 am, Penny Willisson wrote:

Hi

I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions.

I have executed the following command as suggested

net ads join [EMAIL PROTECTED] -d 2

The following was output to the screen:

[2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
[2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
[2005/04/08 13:33:41, 2] utils/net.c:main(897)
  return code = -1

Thanks
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 06 April 2005 05:28
To: Penny Willisson
Subject: Re: [Samba] net ads join fails

[2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156
[2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156

I suggest you post the output of the command you are running to join the domain (including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2.

Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. (It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.)

It almost looks like the password failed. Or perhaps the folder you specified for the machine account does not exist.

Regards,
Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]). You should be prompted for a password. If, after entering the password, you're returned to a prompt with no further output then, in theory at least, your Kerberos setup is OK. If you get errors, well ...

Run that first, then try net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri

On Friday 08 April 2005 10:41 am, you wrote:

Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

any ideas???

You probably don't have Kerberos configured correctly. Check your krb5.conf and kdc.conf files. Refer to the how-to I mentioned earlier, and also http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4/doc/krb5-install.html, if you're using MIT Kerberos.

Dimitri
[Samba] net ads join fails
I am trying to connect to an ADS domain and it is failing all the time.

I am running SuSE Linux 9.0 with Samba 3.0.13 and have configured Samba with ldap and heimdal kerberos.

Attached is my debug level 10 error log created when the join is attempted.

I would appreciate any advice on solving this problem.

Thanks in advance
Penny Willisson
[Samba] net ads join fails
Sorry attachment was removed - I have now pasted log file here.

[2005/04/05 15:11:44, 5] lib/debug.c:debug_dump_status(366)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
[2005/04/05 15:11:44, 3] param/loadparm.c:lp_load(3907)
  lp_load: refreshing parameters
[2005/04/05 15:11:44, 3] param/loadparm.c:init_globals(1321)
  Initialising global parameters
[2005/04/05 15:11:44, 3] param/params.c:pm_process(573)
  params.c:pm_process() - Processing configuration file /usr/local/samba3/lib/smb.conf
[2005/04/05 15:11:44, 3] param/loadparm.c:do_section(3409)
  Processing section [global]
  doing parameter workgroup = ELLNET
  doing parameter realm = ellisonslegal.com
  doing parameter server string = Samba 3.0.13
  doing parameter security = ADS
  doing parameter allow trusted domains = No
  doing parameter log level = 1
  doing parameter syslog = 0
  doing parameter log file = /var/log/samba/%m
  doing parameter max log size = 50
  doing parameter printcap name = CUPS
  doing parameter ldap ssl = no
  doing parameter idmap backend = idmap_rid:KPAK=500-1
  doing parameter idmap uid = 500-1
  doing parameter idmap gid = 500-1
  doing parameter template shell = /bin/bash
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = No
  doing parameter winbind enum groups = No
  doing parameter winbind nested groups = Yes
  doing parameter deadtime = 30
  doing parameter keepalive = 60
  doing parameter os level = 2
  doing parameter preferred master = No
  doing parameter wins support = Yes
[2005/04/05 15:11:44, 4] param/loadparm.c:lp_load(3938)
  pm_process() returned Yes
[2005/04/05 15:11:44, 7] param/loadparm.c:lp_servicenumber(4048)
  lp_servicenumber: couldn't find homes
[2005/04/05 15:11:44, 10] param/loadparm.c:set_server_role(3856)
  set_server_role: role = ROLE_DOMAIN_MEMBER
Re: [Samba] net ads join requires full domain admin account?
* [EMAIL PROTECTED] wrote on 10.02.05 at 21:35:

Problem: I have an account that allows me to join an AD domain, this works fine from any win box. However it fails with ads_add_machine_acct (client_name): Insufficient access when I do a net ads join from a linux box. To get samba to join the domain, I have to use an account with full domain admin privs. (ie net ads join -Ufull_domain_admin)

Is this expected behavior?

I just wanted to confirm that. I saw the same while I was trying to add my Samba machine to an AD.

-Marc

--
°M3rlin- what is the legal age to buy alcoholic in england ? °
° p5Ds13a06 you cant buy alcoholics °
° p5Ds13a06 but if you wink the right way, °
° some of them will follow you home for free °
Re: [Samba] net ads join requires full domain admin account?
Marc Schiffbauer wrote:

| Problem: I have an account that allows me to join
| an AD domain, this works fine from any win box. However
| it fails with ads_add_machine_acct (client_name):
| Insufficient access when I do a net ads join from a linux
| box. To get samba to join the domain, I have to use
| an account with full domain admin privs. (ie net
| ads join -Ufull_domain_admin)
|
| Is this expected behavior?
|
| I just wanted to confirm that. I saw the same while
| I was trying to add my Samba machine to an AD.

The acls on your machine object or parent OU in AD are wrong then. I can successfully join Samba boxes to an AD domain without being a domain admin.

cheers, jerry

Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca
[Samba] net ads join requires full domain admin account?
Problem: I have an account that allows me to join an AD domain, this works fine from any win box. However it fails with ads_add_machine_acct (client_name): Insufficient access when I do a net ads join from a linux box. To get samba to join the domain, I have to use an account with full domain admin privs. (ie net ads join -Ufull_domain_admin)

Is this expected behavior?

The linux box is running Fedora Core 3, samba 3.0.10-1, krb 1.3.6-2
[Samba] net ads join error
This is more than likely a rookie config problem but when I try to add the server to the ADS domain with:

$net ads join

I get:

[*DATESTAMP*] libads/kerberos.c:get_service_tickets(335)
  get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
Segmentation fault

Redhat ES 3. samba-3.0.10

my /etc/krb5.conf was taken from another machine that it works on.. same os.. same samba level...
Re: [Samba] net ads join fails - Preauthetication failed
Resending, as I used wrong sender and it doesn't seem to have appeared on the list.

The problem is sort of solved...

First, I tried stopping smb and winbind and cleaning out all cache files (/var/cache/samba). Then joining worked fine for a while. Then it didn't. Whenever it didn't I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO again.

Now the problem with the double realm name seems to be fixed. I still get the same errors joining (just with the correct realm name). Seen from the AD side the join succeeds, and I can authenticate against AD as expected. I'm not sure what this is, but I'll get someone on the AD side to help me clean out the credentials for IFTSMB100 completely. Does anyone here know what it takes to get completely rid of all traces of a host in the kerberos part of AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in krb5.conf so my domain maps to a realm name (map ift.uib.no to KLIENT.UIB.NO) and match the default realm in krb5.conf to the realm in smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this setup. Users live in other domains.

My new config files are at http://www.ift.uib.no/~birger/krb5.conf and http://www.ift.uib.no/~birger/smb.conf

I also upgraded kerberos and samba to the versions in the yum develop repo for fc3. samba*-3.0.9-2 and krb5*-1.3.5-2

Now, even with the preauthentication failures when joining I have a working server that authenticates as expected. :-)

--
birger
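The two settings birger describes above (krb5.conf default realm equal to the smb.conf realm, plus a domain-to-realm mapping for the host's DNS domain), together with the 'security = ADS' requirement, can be checked before a join. This is an added example, not part of the original post or of Samba; the sample file contents, the KDC host name, the pre-fix default_realm value and the host FQDN are constructed from the names in the thread.

```python
import re

# Constructed sample files built from names in the post; the KDC host name
# and the pre-fix default_realm value are assumptions.
KRB5_BEFORE = """
[libdefaults]
    default_realm = UIB.NO

[realms]
    KLIENT.UIB.NO = {
        kdc = dc.klient.uib.no
    }
"""

KRB5_AFTER = """
[libdefaults]
    default_realm = KLIENT.UIB.NO

[realms]
    KLIENT.UIB.NO = {
        kdc = dc.klient.uib.no
    }

[domain_realm]
    .ift.uib.no = KLIENT.UIB.NO
    ift.uib.no = KLIENT.UIB.NO
"""

SMB_CONF = """
[global]
    workgroup = KLIENT
    realm = KLIENT.UIB.NO
    security = ADS
"""

HOST_FQDN = "iftsmb100.ift.uib.no"  # assumed FQDN of the joining host


def parse_sections(text):
    """Parse flat 'key = value' lines under [section] headers.

    Good enough for smb.conf and krb5.conf here: keys are lower-cased with
    whitespace collapsed, comment lines (# or ;) are dropped, and nested
    { ... } blocks such as krb5.conf [realms] entries are skipped.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth:  # inside a { ... } block: only track nesting
            depth += line.count("{") - line.count("}")
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.endswith("{"):
            depth = 1
            continue
        current[" ".join(key.lower().split())] = value
    return sections


def realm_for_host(fqdn, domain_realm):
    """Documented [domain_realm] rule: exact host entry, then '.domain' suffixes."""
    host = fqdn.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def check_join_config(krb5_text, smb_text, fqdn):
    """Return a list of findings; an empty list means the settings agree."""
    krb5 = parse_sections(krb5_text)
    smb = parse_sections(smb_text).get("global", {})
    findings = []
    if smb.get("security", "").lower() != "ads":
        findings.append("smb.conf: security is %r, expected ADS" % smb.get("security"))
    smb_realm = smb.get("realm")
    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    if not smb_realm:
        findings.append("smb.conf: no realm set in [global]")
    elif smb_realm != default_realm:
        detail = ""
        if default_realm and smb_realm.upper() == default_realm.upper():
            detail = " (differ only in case; Kerberos realm names are case-sensitive)"
        findings.append("krb5.conf default_realm %r != smb.conf realm %r%s"
                        % (default_realm, smb_realm, detail))
    mapped = realm_for_host(fqdn, krb5.get("domain_realm", {}))
    if smb_realm and mapped != smb_realm:
        findings.append("krb5.conf [domain_realm] maps %s to %r, smb.conf realm is %r"
                        % (fqdn, mapped, smb_realm))
    return findings


if __name__ == "__main__":
    for label, krb5_text in (("before", KRB5_BEFORE), ("after", KRB5_AFTER)):
        print(label, check_join_config(krb5_text, SMB_CONF, HOST_FQDN) or "consistent")
```
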
Re: [Samba] net ads join fails - Preauthetication failed
Sort of solved...

First, I tried stopping smb and winbind and cleaning out all cache files (/var/cache/samba). Then joining worked fine for a while. Then it didn't. Whenever it didn't I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO again.

Now that problem seems to be fixed, but I still get errors joining. Seen from the AD side the join succeeds, and I can authenticate against AD as expected. I'm not sure what this is, but I'll get someone on the AD side to help me clean out the credentials for IFTSMB100 completely. Does anyone here know what it takes to get completely rid of all traces of a host in AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in krb5.conf and match the default realm in krb5.conf to the realm in smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this setup. Users live in other domains.

My new config files are at http://www.ift.uib.no/~birger/krb5.conf and http://www.ift.uib.no/~birger/smb.conf

--
birger

birger wrote:

After a lot of different problems and variations of krb5.conf and samba.conf files I am currently stuck with the following error trying to join a domain

net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba Servers\IT-gruppen'
[EMAIL PROTECTED]'s password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
  ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

Fedora Core 3, Samba 3.0.9 as installed by yum.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/[EMAIL PROTECTED]
        renew until 12/03/04 14:45:02

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I have tried removing the definition in the AD server and recreating. Samba manages to create the account, but still fails like above. Note the double @KLIENT.UIB.NO. I think I'll go home now and take a break while my head clears after fighting with security = ads for 2 days...

In this AD environment hosts are defined in KLIENT.UIB.NO, while users belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with trust relationships). I have had it working as far as wbinfo listing users from both worlds, but I still couldn't access shares. Then something broke, and now I can't join the domain again.

What have I done wrong here? My config files are at http://www.ift.uib.no/~birger/krb5.conf and http://www.ift.uib.no/~birger/smb.conf
Re: [Samba] net ads join fails - Preauthetication failed
birger wrote:

net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba Servers\IT-gruppen'
[EMAIL PROTECTED]'s password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
  ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

I seem to have solved this part of the problem. Stop everything, move aside /var/cache/samba, create a new empty directory and retry. Worked as it should. Now I'm back to my old problems. :-/

--
birger
[Samba] net ads join fails - Preauthetication failed
After a lot of different problems and variations of krb5.conf and samba.conf files I am currently stuck with the following error trying to join a domain

net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba Servers\IT-gruppen'
[EMAIL PROTECTED]'s password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
  ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

Fedora Core 3, Samba 3.0.9 as installed by yum.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/[EMAIL PROTECTED]
        renew until 12/03/04 14:45:02

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I have tried removing the definition in the AD server and recreating. Samba manages to create the account, but still fails like above. Note the double @KLIENT.UIB.NO. I think I'll go home now and take a break while my head clears after fighting with security = ads for 2 days...

In this AD environment hosts are defined in KLIENT.UIB.NO, while users belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with trust relationships). I have had it working as far as wbinfo listing users from both worlds, but I still couldn't access shares. Then something broke, and now I can't join the domain again.

What have I done wrong here? My config files are at http://www.ift.uib.no/~birger/krb5.conf and http://www.ift.uib.no/~birger/smb.conf

--
birger
[Samba] net ads join fails
    /usr/bin/net ads join -Udennisb
    dennisb password:
    [2004/11/02 17:31:56, 0] libads/ldap.c:ads_add_machine_acct(1006)
      Host account for if-srv-hos1 already exists - modifying old account
    [2004/11/02 17:31:56, 0] libads/ldap.c:ads_join_realm(1342)
      ads_add_machine_acct: No such object
    ads_join_realm: No such object

Also: net user | wc -l reports 106000 users, but wbinfo -u | wc -l only reports 5000. Is this because I haven't been able to join successfully yet?

Also, if I try to change the name to if-srv-hos2, I get an error about insufficient access. Do I need to have the ability to create domain machine accounts to join the machine to a domain?

klist seems to work:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    11/02/04 16:37:16  11/03/04 02:37:17  krbtgt/[EMAIL PROTECTED]
            renew until 11/03/04 16:37:16
    11/02/04 16:44:12  11/03/04 02:37:17  [EMAIL PROTECTED]
            renew until 11/03/04 16:37:16
    11/02/04 17:06:11  11/03/04 02:37:17  [EMAIL PROTECTED]
            renew until 11/03/04 16:37:16

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
Re: [Samba] net ads join fails
On Tue, 02 Nov 2004 14:34:15 -0800, Tom Dickson [EMAIL PROTECTED] wrote:

> /usr/bin/net ads join -Udennisb
> dennisb password:
> [2004/11/02 17:31:56, 0] libads/ldap.c:ads_add_machine_acct(1006)
>   Host account for if-srv-hos1 already exists - modifying old account
> [2004/11/02 17:31:56, 0] libads/ldap.c:ads_join_realm(1342)
>   ads_add_machine_acct: No such object
> ads_join_realm: No such object

What version of samba and kerberos are you using? I had problems with the version that comes with redhat. I wasn't able to get ads to work with it. samba.3.0.7 and krb1.3.5 worked for me. And make sure in smb.conf, you have 'security=ADS'.
[Samba] net ads join fails with Operations error ?
Hi all.

I'm having a problem joining an ADS domain with Samba 3.0.5. The machine account has been set up on the server in a similar way to another system which has joined successfully. The error I'm getting is kinda vague, and I have no idea what it means:

    ---
    [2004/07/28 16:32:36, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
      got [EMAIL PROTECTED]
    [2004/07/28 16:32:36, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
      krb5_cc_get_principal failed (No credentials cache found)
    [2004/07/28 16:32:36, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(245)
      Ticket in ccache[MEMORY:net_ads] expiration Thu, 29 Jul 2004 02:32:36 GMT
    ads_join_realm: Operations error
    [2004/07/28 16:32:36, 2] utils/net.c:main(792)
      return code = -1
    ---

Does anybody know what Operations error actually means? What have I configured incorrectly?

The command I'm running is:

    # net -d 3 ads join UAT/WISE/Servers -U kimjeo

..and my config looks like this:

    security = ADS
    netbios name = SAMBA3DWEB
    workgroup = xxx
    realm = xxx.xxx.xx.xxx
    name resolve order = lmhosts host wins
    wins server = 10.xx.xx.xx
    winbind separator = +
    winbind uid = 65534-65534
    winbind gid = 65534-65534
    winbind enum users = no
    winbind enum groups = no
    winbind cache time = 60
    password server = *

Any help or advice is appreciated.

Regards,
Tim.
RE: [Samba] net ads join hangs forever
Hi Aaron,

we've just identified this problem and thought you may be interested if you haven't resolved this already. The bind is failing because the admin account being used to join the domain is a member of too many groups (waiting to hear from M$ what constitutes too many) and as a result the Kerberos TGT is too large and the kpasswd service on the M$ DC just ignores the change password request. To work around this created an admin account with minimal group membership and use this to bind Samba boxes to AD. Of course you may have a different issue with M$ ;-)

cheers
Andy.

Thanks all. At least now I know it's not just me. I'll be watching bugzilla with interest, and in the meantime I suppose standard Kerb will have to do.

Aaron Grewell
Network Administrator
University of Washington Bothell

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this.
RE: [Samba] net ads join hangs forever
I believe this is a bug as I have posted exactly the same problem to this list already including some debug info, nobody replied though I have contacted Andrew Bartlett on this with some debug information and am waiting for a reply.

As it's not just me I'll raise a bug in bugzilla,

thanks
Andy Smith.

PS I've replicated the problem on Linux and Solaris and Kerberos is working correctly.

Aaron Grewell wrote:
| I am trying to join my Linux workstation to my ADS domain.
| Unfortunately, I'm not having much success. net ads
| join hangs forever (or at least for more than 12 hours)
| when run.
...
| [2004/05/20 10:08:47, 0] libads/ldap.c:ads_add_machine_acct(1006)
|   Host account for cygnus already exists - modifying old account
| [2004/05/20 10:08:47, 5] libads/ldap_utils.c:ads_do_search_retry(56)
|   Search for (objectclass=*) gave 1 replies
|
| *
| After the LDAP search it hangs forever. :(
|

I would start by checking for any kerberos misconfigurations. Just a gut feeling though. Does kinit run ok ?

BBCi at http://www.bbc.co.uk/