Re: [Samba] net ads join disable dns update

2012-02-03 Thread David Roid
Been there:
1. Compile Samba by yourself, remove WITH_DNS_UPDATE flag.
2. Disallow allow insecure update from DNS server.
3. Edit /etc/hosts, use shortname for your Samba server, then upon net ads
join it will complain domain name not found hence will not update DNS.

Cheers
-David

2012/2/4 dalege dalege dal...@live.com



 We have a couple oracle RAC servers that we install samba/winbind on.
 These servers require multiple NIC's / IP's.

 The problem is when we do net ads join it updates windows DNS and really
 screws us up because seven IP's get put into DNS, all tied to the same
 host, including the interconnect IP's which oracle insists needs to be
 169.254.x.x addresses. Because of the way the company is setup, we cannot
 disable DNS update on the windows server. The company relies on it for most
 of the machines.

 We are using the 3.5.12-44 rpms from ftp.sernet.de.

 I have Googled this for awhile now, and what I've found is that Samba
 should be recompiled with the --with-dnsupdate flag. This really
 isn't an option for us. I've also seen that if it's in an smb cluster
 auto-update will disable. I've also seen a lot of complaints about this and
 a reference saying that a command line option was going to be added similar
 to net ads join --disable-dns-update but that doesn't appear to have been
 implemented.

 So, the question is, is there an entry that can be put in smb.conf, a command
 line option, startup option, anything (other than recompiling) that can
 disable dns auto update?

 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba



Re: [Samba] net ads join

2011-05-27 Thread Aaron E.

I believe it takes the name from either the,
netbios name = 
or
server string = x
in the smb.conf file.

On 05/27/2011 05:50 AM, fsos...@gmail.com wrote:

Hello,

I would like to know where samba takes the computer name to join the
AD domain.  Is it from classic computer name DNS resolution?

regards,


Fred




Re: [Samba] net ads join

2011-05-27 Thread TAKAHASHI Motonobu
From: fsos...@gmail.com fsos...@gmail.com
Date: Fri, 27 May 2011 11:50:48 +0200

 I would like to know where samba takes the computer name to join the
 AD domain.  Is it from classic computer name DNS resolution?

The computer name is taken from classic hostname by default. 
netbios name parameter precedes the default.

---
TAKAHASHI Motonobu mo...@samba.gr.jp


Re: [Samba] net ads join

2011-05-27 Thread fsos...@gmail.com
thanks a lot

On 27 May 2011 16:01, TAKAHASHI Motonobu mo...@monyo.com wrote:
 From: fsos...@gmail.com fsos...@gmail.com
 Date: Fri, 27 May 2011 11:50:48 +0200

 I would like to know where samba takes the computer name to join the
 AD domain.  Is it from classic computer name DNS resolution?

 The computer name is taken from classic hostname by default.
 netbios name parameter precedes the default.

 ---
 TAKAHASHI Motonobu mo...@samba.gr.jp



Re: [Samba] net ads join: Aborted

2010-05-27 Thread Nick Couchman
 On 2010/05/27 at 08:48, Nick Couchman nick.couch...@seakr.com wrote: 
 I'm having trouble getting a host to join an ADS domain/realm.  I have 
 smb.conf set correctly, with the workgroup, realm, and security = ads 
 specified.  However, when I try to join with the command: net ads join -U 
 Administrator, I simply get the message Aborted and it does not join the 
 domain.  If I use the -d flag to enable debugging, I see the following toward 
 the end of the output:
 

This problem seems to only occur in Samba 3.5.3 on a certain machine.  I have 
two machines, both running Opensuse 11.2 and using the OBS Samba repository.  
One of them allows me to join the AD domain, the other throws the error in the 
previous message.  No idea what's going on - Samba packages, krb5 packages, 
nss, etc., are all exactly the same.

-Nick






Re: [Samba] net ads join - strong(er) authentication required

2009-07-01 Thread Guenther Deschner
On Wed, Jul 01, 2009 at 12:03:28PM +0200, christoph.be...@desy.de wrote:
 Hi,

 my windows folks migrated to AD 2008 R2, resulting in the following error 
 message when trying to join the domain:

 [HOST] /etc $ /opt/csw/bin/net ads join -U USER
 Enter USER's password:
 [2009/07/01 11:51:28,  0] libads/sasl.c:ads_sasl_spnego_bind(819)
   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er)  
 authentication required
 Failed to join domain: failed to connect to AD: Strong(er) authentication 
 required

 Any hints ?

You might need to set client ldap sasl wrapping in order to make this
work.  See the manpage for possible settings.

Guenther

-- 
Günther Deschner  GPG-ID: 8EE11688
Red Hat gdesch...@redhat.com 
Samba Team  g...@samba.org



Re: [Samba] net ads join - strong(er) authentication required

2009-07-01 Thread christoph . beyer

Heyho Guenther,

thanks for the fast reply, 'client ldap sasl wrapping = sign' did the 
trick :D


cheers
christoph

On Wed, 1 Jul 2009, Guenther Deschner wrote:


On Wed, Jul 01, 2009 at 12:03:28PM +0200, christoph.be...@desy.de wrote:

Hi,

my windows folks migrated to AD 2008 R2, resulting in the following error
message when trying to join the domain:

[HOST] /etc $ /opt/csw/bin/net ads join -U USER
Enter USER's password:
[2009/07/01 11:51:28,  0] libads/sasl.c:ads_sasl_spnego_bind(819)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er)
authentication required
Failed to join domain: failed to connect to AD: Strong(er) authentication
required

Any hints ?


You might need to set client ldap sasl wrapping in order to make this
work.  See the manpage for possible settings.

Guenther

--
Günther Deschner  GPG-ID: 8EE11688
Red Hat gdesch...@redhat.com
Samba Team  g...@samba.org



best regards
~christoph


--
/*   Christoph Beyer |   Office: Building 2b / 23 *\
 *   DESY|Phone: 040-8998-2317*
 *   - IT -  |  Fax: 040-8998-4060*
\*   22603 Hamburg   | http://www.desy.de */


Re: [Samba] net ads join - strong(er) authentication required

2009-07-01 Thread Charles Marcus
On 7/1/2009, christoph.be...@desy.de (christoph.be...@desy.de) wrote:
 my windows folks migrated to AD 2008 R2

Interesting... seeing as it's not even released yet...

-- 

Best regards,

Charles


Re: [Samba] net ads join - DNS Update failed !

2008-08-11 Thread Gerald (Jerry) Carter

Andreas Ladanyi wrote:
 Hi,
 
 it seems that all is working perfectly, but if I start a net ads join I
 get the message DNS Update failed ! .
 
 What is the consequence if I don't care about this message ? Is the Samba
 Server (ADS member) only not registered  in the ADS DNS tree ?


Correct.




Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven
D G Teed wrote:
 I've been able to use security = ads in smb.conf, and connect OK,
 but it must be falling back to domain.  When I run net ads join
 I get the error (debug trace below):
 
 ads_connect: No logon servers
 
 Here is my krb5.conf:
 
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = BEER
 [realms]
  BEER = {
   kdc = ADC1.AD.BEERU.CA
  }
 [domain_realm]
  beer.ca = BEER
  .beer.ca = BEER

This should be a mapping from DNS domain to Kerberos REALM.
Going by the kdc name, what you probably want is:
beer.ca = AD.BEERU.CA
.beer.ca = AD.BEERU.CA
www2.beer.ca = AD.BEERU.CA


 
 Here is my rpc join status:
 # net rpc testjoin
 Join to 'BEER' is OK
 
 Here is my attempt to graduate this to ADS levels, with debug:
 
 # net ads join -Ubeeruser%beeruserpw -d3
 [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
   lp_load: refreshing parameters
 [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
   Initialising global parameters
 [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
   params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
 [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
   Processing section [global]
 [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
   added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
 [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
   added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
 [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: ADC2, 111.111.200.67
 [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
   Failed to parse cldap reply
 [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
   ads_try_connect: CLDAP request 111.111.200.66 failed.
 [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
   Failed to parse cldap reply
 [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
   ads_try_connect: CLDAP request 111.111.200.67 failed.
 [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: ADC2, 111.111.200.67
 [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
   Could not look up dc's for domain BEER
 [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: ADC2, 111.111.200.67
 [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: ADC2, 111.111.200.67
 [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
   ads_connect: No logon servers
 [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
   error on ads_startup: No logon servers
 Failed to join domain: No logon servers
 [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
   return code = -1
 
 Can this user achieve such a goal?
 
 Here is beeruser's rights via rpc:
 net rpc rights list -Ubeeruser
 Password:
 SeMachineAccountPrivilege  Add machines to domain
 SeTakeOwnershipPrivilege   Take ownership of files or other objects
 SeBackupPrivilege          Back up files and directories
 SeRestorePrivilege         Restore files and directories
 SeRemoteShutdownPrivilege  Force shutdown from a remote system
 SePrintOperatorPrivilege   Manage printers
 SeAddUsersPrivilege        Add users and groups to the domain
 SeDiskOperatorPrivilege    Manage disk shares
 
 I've had various toggles done to my smb.conf, but here is what the
 global section
 of smb.conf looks like at the moment, following the hints of someone else who
 solved this on the list...
 
 [global]
 netbios name = www2
 workgroup = BEER
 unix charset = LOCALE
 realm = BEER

Same here.
   realm = AD.BEERU.CA

 server string = Web Server
 security = ADS
 password server = 111.111.200.67
 idmap backend = rid:BEER=5000-1
 idmap uid = 1-1000
 idmap gid = 1-1000
 template shell = /bin/bash
 winbind use default domain = Yes
 winbind enum users = Yes
 winbind enum groups = Yes
 allow trusted domains = No
 log level = 3
 log file = /var/log/samba/%m.log
 max log size = 50
 dns proxy = No
 winbind use default domain = Yes
 hosts allow = 111.111.
 encrypt passwords = yes
 
 I had great results with the last question I put on the list.  I hope
 someone can help us graduate to ads with kerberos level authentication.
 
 It feels like there is something missing on the AD end, but I know
 nothing about this
 other than that it is Windows Server 2003 and it has been in production for
 awhile with good performance.
 

There may be something else, but the REALM is what jumped out at me.

Regards, Doug

Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread D G Teed
Thanks very much, Douglas.  That did the trick.
I had not understood what realm represented in a dns
style domain.

It is also confusing that one lists a realm section,
defining it...

BEER = {
   kdc = ADC1.AD.BEERU.CA
}

But then when providing the realm name in smb.conf, the
handle isn't BEER, but rather the subdomain in
which the AD controller lives.

Regards,

--Donald

On Jan 30, 2008 3:37 PM, Douglas VanLeuven [EMAIL PROTECTED] wrote:
 Douglas VanLeuven wrote:
  D G Teed wrote:
  I've been able to use security = ads in smb.conf, and connect OK,
  but it must be falling back to domain.  When I run net ads join
  I get the error (debug trace below):
 
  ads_connect: No logon servers
 
  Here is my krb5.conf:
 
  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log
  [libdefaults]
   default_realm = BEER
  [realms]
   BEER = {
kdc = ADC1.AD.BEERU.CA
   }

 Missed this on the last post.
   default realm = AD.BEERU.CA

 Doug



Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven
Douglas VanLeuven wrote:
 D G Teed wrote:
 I've been able to use security = ads in smb.conf, and connect OK,
 but it must be falling back to domain.  When I run net ads join
 I get the error (debug trace below):

 ads_connect: No logon servers

 Here is my krb5.conf:

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = BEER
 [realms]
  BEER = {
   kdc = ADC1.AD.BEERU.CA
  }

Missed this on the last post.
  default realm = AD.BEERU.CA

Doug


Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven
D G Teed wrote:
 Thanks very much, Douglas.  That did the trick.
 I had not understood what realm represented in a dns
 style domain.
 
 It is also confusing that one lists a realm section,
 defining it...
 
 BEER = {
kdc = ADC1.AD.BEERU.CA
 }

Sorry, missed that one too.  Should be
AD.BEERU.CA = {
kdc = ADC1.AD.BEERU.CA
}

It's just that Kerberos doesn't know anything about workgroups in
windows and so there shouldn't be any workgroup names in krb5.conf,
only DNS names and REALM names.  It worked because samba picked up the
Kerberos kdc from SRV records in DNS.  BEER defines the .BEER realm
which doesn't exist.


 
 But then when providing the realm name in smb.conf, the
 handle isn't BEER, but rather the subdomain in
 which the AD controller lives.
 
 Regards,
 
 --Donald
 
 On Jan 30, 2008 3:37 PM, Douglas VanLeuven [EMAIL PROTECTED] wrote:
 Douglas VanLeuven wrote:
 D G Teed wrote:
 I've been able to use security = ads in smb.conf, and connect OK,
 but it must be falling back to domain.  When I run net ads join
 I get the error (debug trace below):

 ads_connect: No logon servers

 Here is my krb5.conf:

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = BEER
 [realms]
  BEER = {
   kdc = ADC1.AD.BEERU.CA
  }
 Missed this on the last post.
   default realm = AD.BEERU.CA

 Doug


Regards, Doug
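
The realm mix-up resolved in this thread (workgroup name BEER used where the Kerberos realm AD.BEERU.CA belongs) can be caught before running net ads join. The script below is an added example, not part of the original posts and not Samba code: its function names and the trimmed sample files are constructed from the values quoted above, and it assumes the AD realm is the DNS-style domain name and therefore differs from the short workgroup name.

```python
"""Cross-check the realm in smb.conf against krb5.conf (added example)."""
import re


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params["".join(key.lower().split())] = value.strip()
    return params


def parse_krb5(text):
    """Parse the krb5.conf subset used here: [section], key = value, NAME = { ... }."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})  # a realm under [realms]
            elif block is not None:
                block[key] = value  # repeated keys (several kdc lines) keep the last
            else:
                section[key] = value
    return conf


def check_realms(smb_text, krb5_text):
    """Return a list of findings; an empty list means the two files agree."""
    smb, krb5 = parse_smb_global(smb_text), parse_krb5(krb5_text)
    realm = smb.get("realm", "").upper()
    workgroup = smb.get("workgroup", "").upper()
    findings = []
    if not realm:
        findings.append("smb.conf: realm is not set")
    elif realm == workgroup:
        findings.append(f"smb.conf: realm = {realm} is the workgroup name")

    # Every place where krb5.conf names a realm.
    named = [("[libdefaults] default_realm",
              krb5.get("libdefaults", {}).get("default_realm", ""))]
    named += [(f"[realms] {name}", name) for name in krb5.get("realms", {})]
    named += [(f"[domain_realm] {dom}", val)
              for dom, val in krb5.get("domain_realm", {}).items()]
    for where, name in named:
        if not name:
            continue
        if name.upper() == workgroup:
            findings.append(f"krb5.conf {where}: {name} is the workgroup name, "
                            "not a Kerberos realm")
        elif where.startswith("[libdefaults]") and name.upper() != realm:
            findings.append(f"krb5.conf {where}: {name} differs from "
                            f"smb.conf realm {realm}")

    realms = {name.upper() for name in krb5.get("realms", {})}
    if realm and realms and realm not in realms:
        findings.append(f"krb5.conf [realms]: no entry for smb.conf realm {realm}")
    return findings


# Constructed samples, trimmed from the files quoted in the thread.
SMB_TEMPLATE = """[global]
netbios name = www2
workgroup = BEER
realm = {realm}
security = ADS
"""
KRB5_TEMPLATE = """[libdefaults]
 default_realm = {realm}
[realms]
 {realm} = {{
  kdc = ADC1.AD.BEERU.CA
 }}
[domain_realm]
 beer.ca = {mapped}
 .beer.ca = {mapped}
"""

if __name__ == "__main__":
    as_posted = check_realms(SMB_TEMPLATE.format(realm="BEER"),
                             KRB5_TEMPLATE.format(realm="BEER", mapped="BEER"))
    print("\n".join(as_posted) or "consistent")
```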


Re: [Samba] net ads join must use AD Administrator account ?

2007-11-14 Thread Eric Roseme



Jeff Lee wrote:

Hi all,

I want to configure a samba server (3.0.25b) with krb5-1.6.2, 
openldap-2.3.37 and db-4.6.18 for single sign-on purpose. I have some 
questions.


1. Is the AD Administrator account for Samba to kinit and net join the 
AD only ?
2. Can I use a common user with Create Computer Objects permission to 
kinit and net join AD ?
3. I got Failed to join domain: Strong(er) authentication required 
error message when I run net ads join using non-administrator user 
account. Is it the error message of using non-administrator account to 
net ads join ?


Can anyone help ?

Thanks,
Jeff


Read this:

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

I wrote it for HP CIFS Server, but it's the same for Opensource Samba.

Eric Roseme
Hewlett-Packard


Re: [Samba] net ads join without kerberos

2007-07-06 Thread Francis Galiegue
On Wednesday 04 July 2007 09:30:29 Francesco Tonucci, you wrote:
 Hello,
 I'm trying to join a samba server to a w2k domain.
 Now I have removed all samba and kerberos software from the machine to
 reset configuration.
 Then I have executed net ads testjoin to see what happened (I have
 already joined the machine to the domain).
 It returned the following messages:

 [2007/07/04 09:14:44, 0] libads/kerberos.c:ads_kinit_password(208)
   kerberos_kinit_password [EMAIL PROTECTED] failed:
 Client not found in Kerberos database
 [2007/07/04 09:14:44, 0] libads/kerberos.c:ads_kinit_password(208)
   kerberos_kinit_password [EMAIL PROTECTED] failed:
 Client not found in Kerberos database
 [2007/07/04 09:14:44, 0] utils/net_ads.c:ads_startup(289)
   ads_connect: Client not found in Kerberos database
 Join to domain is not valid

 Well, if kerberos is not installed, where does it get those informations
 (machine DEBIANSERVER and domain W2KPS.INTRA.CCIAA.NET names)??


DNS.



-- 
Francis Galiegue, [EMAIL PROTECTED]
One2team - 12bis rue de la Pierre Levée - 75011 PARIS
+33683877875, +33143381980
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] net ads join to w2k3 hangs, every encryption type fails

2007-03-27 Thread arcetrax

Hi!
I'm having the same issue: Linux Box with RedHat 3 joining a windows 2003
AD. When doing net ads join the system reports

[2007/03/12 17:27:36, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 16
failed: KDC has no support for encryption type
[2007/03/12 17:27:36, 3]
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for
encryption type
[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465)
  verify_service_password: decrypted message with enctype 1 salt
HOST/[EMAIL PROTECTED]
[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465)
  verify_service_password: decrypted message with enctype 3 salt
HOST/[EMAIL PROTECTED]
[2007/03/12 17:27:36, 5] libads/kerberos.c:get_service_ticket(367)

but then it ends with 

Joined 'SAENET01' to realm 'ABC.COM'
[2007/03/12 17:27:36, 2] utils/net.c:main(897)
  return code = 0

and in the windows 2003 the server appears as registered. 

However, when launching samba, I get the following errors

[2007/03/12 17:32:49, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)

and when trying to authenticate with a user


check_ntlm_password:  Authentication for user [e0045146] - [e0045146]
FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2007/03/12 17:34:08, 3] smbd/error.c:error_packet(129)

Any help will be much appreciated!!

Arcetrax


Re: [Samba] net ads join problem

2006-10-25 Thread Cleber P. de Souza

Have you checked if your clock is in sync with the Win2k Server?
Because of Kerberos, a clock that is out of sync by 5 minutes causes connection errors.


On 10/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi all,
 I'm trying to join ADS an W2K server. This server was already joined,
but after a crash I was obliged to reinstall it.
When I try net ads join -Uusername the following output appears:

[2006/10/25 14:08:46, 6] libads/ldap.c:ads_find_dc(224)
  ads_find_dc: looking for realm 'SLZOVA.CZ'
[2006/10/25 14:08:46, 8] libsmb/namequery.c:get_sorted_dc_list(1551)
  get_sorted_dc_list: attempting lookup using [ads]
[2006/10/25 14:08:46, 5] lib/gencache.c:gencache_init(60)
  Opening cache file at /var/db/samba/gencache.tdb
[2006/10/25 14:08:46, 10] lib/gencache.c:gencache_get(312)
  Cache entry with key = SAF/DOMAIN/SLZOVA.CZ couldn't be found
[2006/10/25 14:08:46, 5] libsmb/namequery.c:saf_fetch(105)
  saf_fetch: failed to find server for SLZOVA.CZ domain
[2006/10/25 14:08:46, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: , 172.17.2.10
[2006/10/25 14:08:46, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2006/10/25 14:08:46, 4] libsmb/namequery.c:get_dc_list(1529)
  get_dc_list: returning 1 ip addresses in an ordered list
[2006/10/25 14:08:46, 4] libsmb/namequery.c:get_dc_list(1530)
  get_dc_list: 172.17.2.10:389
[2006/10/25 14:08:46, 5] libads/ldap.c:ads_try_connect(127)
  ads_try_connect: sending CLDAP request to 172.17.2.10 (realm: SLZOVA.CZ)
[2006/10/25 14:08:46, 10] libsmb/namequery.c:saf_store(71)
  saf_store: domain = [SLZOVA], server = [172.17.2.10], expire =
[1161779026]
[2006/10/25 14:08:46, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = SAF/DOMAIN/SLZOVA; value = 172.17.2.10 and
timeout = Wed Oct 25 14:23:46 2006
   (900 seconds ahead)
[2006/10/25 14:08:46, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 172.17.2.10
[2006/10/25 14:08:46, 0] utils/net_ads.c:ads_startup(281)
  ads_connect: Operations error
[2006/10/25 14:08:46, 2] utils/net.c:main(988)
  return code = -1


samba Version 3.0.23c
OS FreeBSD 6.1

Does anyone know?

Thanx for help
V.




--
***
Cleber P. de Souza


Re: [Samba] net ads join help

2006-08-24 Thread Gerald (Jerry) Carter

Brian D. McGrew wrote:
 I'm not sure that the problem is with net ads join but I'm in desperate
 need of help either way.
 
 Using smb Version 3.0.23a-1.fc4.1
 
 I do a net ads join I get the below error:
 
 [EMAIL PROTECTED] tmp]# net ads join -U [EMAIL PROTECTED]
 [EMAIL PROTECTED]'s password: 
 Using short domain name -- MVP
 Failed to set servicePrincipalNames. Please ensure that
 the DNS domain of this server matches the AD domain,
 Or rejoin with using Domain Admin credentials.
 Disabled account for 'MUSTANG' in realm 'MACHINEVISIONPRODUCTS.COM'
 [EMAIL PROTECTED] tmp]# 

Make sure that `hostname -f` returns the correct fqdn.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


RE: [Samba] NET ADS JOIN error

2006-07-14 Thread Trimble, Ronald D
I get the same error either way.

-Original Message-
From: Howard Wilkinson [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 14, 2006 11:16 AM
To: Trimble, Ronald D; samba@lists.samba.org
Subject: RE: [Samba] NET ADS JOIN error

Check that the backslashes are not being interpolated by the shell you
may want to try.
 
net ads join United States\\Tredyffrin\\Resource\\Servers -U trimblrd
 
Howard.
 
Coherent Technology Limited, 23 Northampton Square, Finsbury, London
EC1V 0HL, United Kingdom
Telephone: +44 20 76907075  Fax: +44 20 79230110 Mobile: +44 7980 639379
Company Email: [EMAIL PROTECTED] Website: http://www.cohtech.com
http://www.cohtech.com/  



From: [EMAIL PROTECTED] on behalf of
Trimble, Ronald D
Sent: Fri 2006-07-14 16:06
To: samba@lists.samba.org
Subject: [Samba] NET ADS JOIN error



Can anyone shed some light on this error?  I can't seem to find any
information as to why it is failing.  Thanks.



USTR-MINT-A-1:~ # net ads join United
States\Tredyffrin\Resources\Servers -U trimblrd

trimblrd's password:

Failed to pre-create the machine object in OU United
States\Tredyffrin\Resources\Servers.



I have tried two different domain admin accounts and I get the same
error each time.  It's strange since the object already exists in AD.



Re: [Samba] NET ADS JOIN error

2006-07-14 Thread Gerald (Jerry) Carter

Trimble, Ronald D wrote:
 Can anyone shed some light on this error?  I can't seem to find any
 information as to why it is failing.  Thanks.
 
  
 
 USTR-MINT-A-1:~ # net ads join United
 States\Tredyffrin\Resources\Servers -U trimblrd
 
 trimblrd's password:
 
 Failed to pre-create the machine object in OU United
 States\Tredyffrin\Resources\Servers.

If the account already exists, you don't need to specify
the OU when joining.



cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


RE: [Samba] NET ADS JOIN error

2006-07-14 Thread Howard Wilkinson
Check that the backslashes are not being interpolated by the shell you may want 
to try.
 
net ads join United States\\Tredyffrin\\Resource\\Servers -U trimblrd
 
Howard.
 
Coherent Technology Limited, 23 Northampton Square, Finsbury, London EC1V 0HL, 
United Kingdom
Telephone: +44 20 76907075  Fax: +44 20 79230110 Mobile: +44 7980 639379
Company Email: [EMAIL PROTECTED] Website: http://www.cohtech.com 
http://www.cohtech.com/  



From: [EMAIL PROTECTED] on behalf of Trimble, Ronald D
Sent: Fri 2006-07-14 16:06
To: samba@lists.samba.org
Subject: [Samba] NET ADS JOIN error



Can anyone shed some light on this error?  I can't seem to find any
information as to why it is failing.  Thanks.



USTR-MINT-A-1:~ # net ads join United
States\Tredyffrin\Resources\Servers -U trimblrd

trimblrd's password:

Failed to pre-create the machine object in OU United
States\Tredyffrin\Resources\Servers.



I have tried two different domain admin accounts and I get the same
error each time.  It's strange since the object already exists in AD.



RE: [Samba] net ads join segmentation fault

2006-01-26 Thread Robert J. Collins
For the purpose of the archive:

I believe I fixed the problem.

When I compiled FreeBSD 6.0-RELEASE-p1 kerberos was installed. When I
compiled 6.0-RELEASE-p2 I had kerberos disabled. I'm pretty confident I
was using old binaries. When I rebuilt the binaries, kerberos gave me a
message about the ticket's lifetime, when prior to rebuilding it was
silent. Nevertheless samba still wasn't working. 

After rebuilding kerberos and getting the same error messages from samba
I figured that maybe I had some old samba data lying around somewhere,
from when I was using DOMAIN mode. So I uninstalled samba, removed the
directories that the pkg_deinstall (part of the portupgrade port) told
me to remove and reinstalled samba from scratch. I didn't touch my
smb.conf. I was then able to use net ads join without any problems.

-rcollins

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Robert J. Collins
Sent: Monday, January 23, 2006 2:03 PM
To: samba@lists.samba.org
Subject: [Samba] net ads join segmentation fault

On FreeBSD 6.0-RELEASE-p2 using samba-3.0.21a,1 the net command seg
faults. Does anyone know what is going on?

Thanks
-rcollins



- net ads join -Uadministrator -d 10 -
[2006/01/23 12:36:59, 5] lib/debug.c:debug_dump_status(368)
  INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
[2006/01/23 12:36:59, 3] param/loadparm.c:lp_load(4195)
  lp_load: refreshing parameters
[2006/01/23 12:36:59, 3] param/loadparm.c:init_globals(1385)
  Initialising global parameters
[2006/01/23 12:36:59, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file
/usr/local/etc/smb.conf
[2006/01/23 12:36:59, 3] param/loadparm.c:do_section(3657)
  Processing section [global]
  doing parameter workgroup = HWI
  doing parameter security = ADS
  doing parameter realm = DHCP.HWI.BUFFALO.EDU
  doing parameter password server = *
  doing parameter log file = /var/log/samba/log.%m
  doing parameter max log size = 50
  doing parameter allow trusted domains = no
  doing parameter ldapssl = no
  doing parameter unix charset = LOCALE
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2LE
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2LE
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16LE
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16LE
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2BE
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2BE
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16BE
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16BE
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF8
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF8
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-8
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-8
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ASCII
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ASCII
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset 646
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset 646
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ISO-8859-1
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ISO-8859-1
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS2-HEX
[2006/01/23 12:36:59, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS2-HEX
[2006/01/23 12:36:59, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'US-ASCII' for LOCALE
[2006/01/23 12:36:59, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'US-ASCII' for LOCALE
[2006/01/23 12:36:59, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'US-ASCII' for LOCALE
[2006/01/23 12:36:59, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'US-ASCII' for LOCALE
[2006/01/23 12:36:59, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'US-ASCII' for LOCALE
[2006/01/23 12:36:59, 5] lib/charcnv.c:charset_name(81)
  

Re: [Samba] net ads join segmentation fault

2006-01-26 Thread Gerald (Jerry) Carter

Robert J. Collins wrote:

 On FreeBSD 6.0-RELEASE-p2 using samba-3.0.21a,1 the 
 net command seg faults. Does anyone know what is going
 on?

Can you get a backtrace from gdb after building Samba
with the --enable-debug option (or just the -g gcc compile
flag)?  Thanks.





cheers, jerry
=
I live in a Reply-to-All world---
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] net ads join error

2005-09-01 Thread Sanjay Upadhyay
I have seen that reinstalling the samba works for me... don't know why
although... I had taken the binaries from the Samba Site..


On 8/27/05, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
 
 
 Guille wrote:
 | Hi,
 |
 | You are not alone with regards to this error message joining FC4 to Win2k
 | ADS.
 | I got this after I joined.
 
 It's bugs in the e2fsprogs + krb5 libs shipped on FC4.
 You'll have to talk to the Fedora folks to get this fixed.
 I've confirmed with some RedHat developers that this is not
 our bug.
 
 ...
 | *** glibc detected *** /usr/bin/net: free(): invalid
 | pointer: 0x00fe0db0 ***
 | === Backtrace: = /lib/libc.so.6[0x1a6424]
 | /lib/libc.so.6(__libc_free+0x77)[0x1a695f]
 | /lib/libcom_err.so.2(remove_error_table+0x4b)[0x140abb]
 | /usr/lib/libkrb5.so.3[0xf7e8c4]
 | /usr/lib/libkrb5.so.3[0xf7e5c7]
 | /usr/lib/libkrb5.so.3[0xfcf9da]
 | /lib/ld-linux.so.2[0x82a058]
 | /lib/libc.so.6(exit+0xc5)[0x16dc69]
 | /lib/libc.so.6(__libc_start_main+0xce)[0x157dee]
 | /usr/bin/net[0x8e70f1]
 | === Memory map: 
 
 
 
 
 cheers, jerry
 



-- 
Sanjay Upadhyay
http://saneax.blogspot.com


Re: [Samba] net ads join error

2005-09-01 Thread Sanjay Upadhyay
I have seen that reinstalling the samba works for me... don't know why
although... I take the binaries from the Samba Site..


+++ Gerald (Jerry) Carter [Sat, Aug 27, 2005 at 10:41:46AM -0500]:
 
 Guille wrote:
 | Hi,
 |
 | You are not alone with regards to this error message joining FC4 to Win2k
 | ADS.
 | I got this after I joined.
 
 It's bugs in the e2fsprogs + krb5 libs shipped on FC4.
 You'll have to talk to the Fedora folks to get this fixed.
 I've confirmed with some RedHat developers that this is not
 our bug.
 
 ...
 |  *** glibc detected *** /usr/bin/net: free(): invalid
 | pointer: 0x00fe0db0 ***
 | === Backtrace: = /lib/libc.so.6[0x1a6424]
 | /lib/libc.so.6(__libc_free+0x77)[0x1a695f]
 | /lib/libcom_err.so.2(remove_error_table+0x4b)[0x140abb]
 | /usr/lib/libkrb5.so.3[0xf7e8c4]
 | /usr/lib/libkrb5.so.3[0xf7e5c7]
 | /usr/lib/libkrb5.so.3[0xfcf9da]
 | /lib/ld-linux.so.2[0x82a058]
 | /lib/libc.so.6(exit+0xc5)[0x16dc69]
 | /lib/libc.so.6(__libc_start_main+0xce)[0x157dee]
 | /usr/bin/net[0x8e70f1]
 | === Memory map: 
 
 
 
 
 cheers, jerry

-- 
==
Warp 7 -- It's a law we can live with.
==
 Sanjay Upadhyay
 http://supadhyay.blogspot.com



RE: [Samba] net ads join error

2005-08-27 Thread Guille
Hi,

You are not alone with regards to this error message joining FC4 to Win2k
ADS.
I got this after I joined.

*** glibc detected *** /usr/bin/net: free(): invalid pointer: 0x00fe0db0 ***
=== Backtrace: = /lib/libc.so.6[0x1a6424]
/lib/libc.so.6(__libc_free+0x77)[0x1a695f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x140abb]
/usr/lib/libkrb5.so.3[0xf7e8c4]
/usr/lib/libkrb5.so.3[0xf7e5c7]
/usr/lib/libkrb5.so.3[0xfcf9da]
/lib/ld-linux.so.2[0x82a058]
/lib/libc.so.6(exit+0xc5)[0x16dc69]
/lib/libc.so.6(__libc_start_main+0xce)[0x157dee]
/usr/bin/net[0x8e70f1]
=== Memory map: 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Theodore Jencks
Sent: Friday, August 26, 2005 11:58 AM
To: samba@lists.samba.org
Subject: RE: [Samba] net ads join error

So now it looks like I can join the domain however I get the following
output.  Seems like there might be an issue with samba-3.0.20 and the
new GCC 4 and glibc.

Any idea's possibilities?  I'm also not quite sure my previous problem
went away the only thing I changed was adding my kdc server into the
samba lmhosts file.

Regards,
Theo



[EMAIL PROTECTED] samba]# net ads join -U tjencks%PASSWD
Using short domain name -- HQ
Joined 'THEO' to realm 'HQ.NAVIS.NET'
*** glibc detected *** net: free(): invalid pointer: 0x007eedb0 ***
=== Backtrace: =
/lib/libc.so.6[0x415124]
/lib/libc.so.6(__libc_free+0x77)[0x41565f]
/lib/libcom_err.so.2(remove_error_table+0x4b

Re: [Samba] net ads join error

2005-08-27 Thread Gerald (Jerry) Carter


Guille wrote:
| Hi,
|
| You are not alone with regards to this error message joining FC4 to Win2k
| ADS.
| I got this after I joined.

It's bugs in the e2fsprogs + krb5 libs shipped on FC4.
You'll have to talk to the Fedora folks to get this fixed.
I've confirmed with some RedHat developers that this is not
our bug.

...
|  *** glibc detected *** /usr/bin/net: free(): invalid
| pointer: 0x00fe0db0 ***
| === Backtrace: = /lib/libc.so.6[0x1a6424]
| /lib/libc.so.6(__libc_free+0x77)[0x1a695f]
| /lib/libcom_err.so.2(remove_error_table+0x4b)[0x140abb]
| /usr/lib/libkrb5.so.3[0xf7e8c4]
| /usr/lib/libkrb5.so.3[0xf7e5c7]
| /usr/lib/libkrb5.so.3[0xfcf9da]
| /lib/ld-linux.so.2[0x82a058]
| /lib/libc.so.6(exit+0xc5)[0x16dc69]
| /lib/libc.so.6(__libc_start_main+0xce)[0x157dee]
| /usr/bin/net[0x8e70f1]
| === Memory map: 




cheers, jerry


Re: [Samba] net ads join error

2005-08-26 Thread Gerald (Jerry) Carter

Theodore Jencks wrote:
 Compiling version 3.0.20 from source on RedHat Fedora Core 4 everything
 seems to go smoothly.  However upon trying to join a 2000 domain with
 the following command net ads join -U Administrator%Password 'OU'  I
 get the following error:
 
  
 
 [2005/08/26 09:43:56, 0] utils/net_ads.c:ads_startup(191)
 
   ads_connect: No such file or directory
 
  
 
 I have checked my smb.conf file with the testparm utility and Kerberos
 seems to be working fine using kinit.  Does anyone have any info on this
 error or how to workaround/fix the problem.

Better look at a level 10 debug log from the 'net join' to see
why the error is being generated.  That's my advice at least.





cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca


RE: [Samba] net ads join error

2005-08-26 Thread Theodore Jencks
Where would I find the log for this?  How would I set the debug level to
10 on a Redhat system?

Regards,
Theo

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 26, 2005 10:11 AM
To: Theodore Jencks
Cc: samba@lists.samba.org
Subject: Re: [Samba] net ads join error


Theodore Jencks wrote:
 Compiling version 3.0.20 from source on RedHat Fedora Core 4 everything
 seems to go smoothly.  However upon trying to join a 2000 domain with
 the following command net ads join -U Administrator%Password 'OU'  I
 get the following error:
 
  
 
 [2005/08/26 09:43:56, 0] utils/net_ads.c:ads_startup(191)
 
   ads_connect: No such file or directory
 
  
 
 I have checked my smb.conf file with the testparm utility and Kerberos
 seems to be working fine using kinit.  Does anyone have any info on this
 error or how to workaround/fix the problem.

Better look at a level 10 debug log from the 'net join' to see
why the error is being generated.  That's my advice at least.





cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca


RE: [Samba] net ads join error

2005-08-26 Thread Kevin Wilson
in smb.conf add line

log level = 10 

then restart nmb, smb and winbind.


-Original Message-
From: Theodore Jencks [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 1:03 PM
To: samba@lists.samba.org
Subject: RE: [Samba] net ads join error


Where would I find the log for this?  How would I set the debug level to
10 on a Redhat system?

Regards,
Theo

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 26, 2005 10:11 AM
To: Theodore Jencks
Cc: samba@lists.samba.org
Subject: Re: [Samba] net ads join error


Theodore Jencks wrote:
 Compiling version 3.0.20 from source on RedHat Fedora Core 4 everything
 seems to go smoothly.  However upon trying to join a 2000 domain with
 the following command net ads join -U Administrator%Password 'OU'  I
 get the following error:
 
  
 
 [2005/08/26 09:43:56, 0] utils/net_ads.c:ads_startup(191)
 
   ads_connect: No such file or directory
 
  
 
 I have checked my smb.conf file with the testparm utility and Kerberos
 seems to be working fine using kinit.  Does anyone have any info on this
 error or how to workaround/fix the problem.

Better look at a level 10 debug log from the 'net join' to see
why the error is being generated.  That's my advice at least.





cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca


RE: [Samba] net ads join error

2005-08-26 Thread Theodore Jencks
If you run this command: net ads join -U admin%pass  There is nothing
logged in smbd.log.

Regards,
Theo

-Original Message-
From: Kevin Wilson [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 26, 2005 11:07 AM
To: Theodore Jencks
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] net ads join error

in smb.conf add line

log level = 10 

then restart nmb, smb and winbind.


-Original Message-
From: Theodore Jencks [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 1:03 PM
To: samba@lists.samba.org
Subject: RE: [Samba] net ads join error


Where would I find the log for this?  How would I set the debug level to
10 on a Redhat system?

Regards,
Theo

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 26, 2005 10:11 AM
To: Theodore Jencks
Cc: samba@lists.samba.org
Subject: Re: [Samba] net ads join error


Theodore Jencks wrote:
 Compiling version 3.0.20 from source on RedHat Fedora Core 4 everything
 seems to go smoothly.  However upon trying to join a 2000 domain with
 the following command net ads join -U Administrator%Password 'OU'  I
 get the following error:
 
  
 
 [2005/08/26 09:43:56, 0] utils/net_ads.c:ads_startup(191)
 
   ads_connect: No such file or directory
 
  
 
 I have checked my smb.conf file with the testparm utility and Kerberos
 seems to be working fine using kinit.  Does anyone have any info on this
 error or how to workaround/fix the problem.

Better look at a level 10 debug log from the 'net join' to see
why the error is being generated.  That's my advice at least.





cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca


RE: [Samba] net ads join error

2005-08-26 Thread Theodore Jencks
So now it looks like I can join the domain however I get the following
output.  Seems like there might be an issue with samba-3.0.20 and the
new GCC 4 and glibc.

Any idea's possibilities?  I'm also not quite sure my previous problem
went away the only thing I changed was adding my kdc server into the
samba lmhosts file.

Regards,
Theo



[EMAIL PROTECTED] samba]# net ads join -U tjencks%PASSWD
Using short domain name -- HQ
Joined 'THEO' to realm 'HQ.NAVIS.NET'
*** glibc detected *** net: free(): invalid pointer: 0x007eedb0 ***
=== Backtrace: =
/lib/libc.so.6[0x415124]
/lib/libc.so.6(__libc_free+0x77)[0x41565f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x111abb]
/usr/lib/libkrb5.so.3[0x78c8c4]
/usr/lib/libkrb5.so.3[0x78c5c7]
/usr/lib/libkrb5.so.3[0x7dd9da]
/lib/ld-linux.so.2[0xb9e2d8]
/lib/libc.so.6(exit+0xc5)[0x3dcba9]
/lib/libc.so.6(__libc_start_main+0xe7)[0x3c6d67]
net[0x1dc941]
=== Memory map: 
Aborted


Re: [Samba] net ads join on AIX 5.2 - Mission Impossible ?

2005-08-11 Thread Doug VanLeuven

[EMAIL PROTECTED] wrote:

Hi all,
is it possible at all to get Samba 3 on AIX 5.2 to join a Win 2003

 Domain natively ? All the precompiled versions do not have AD Support
 and having AIX krb5 installed (let alone using --with-ads) is enough

to make a compile run fail - both 3.0.14 and 3.0.20rc2. Might Heimdal
solve this ? Has ANYONE got a working installation ?
Solving this would make quite a difference to my current life,
so any advice would be appreciated. 


Yeah.  Been there.  Done that.  AIX 5.2, samba 3.0.14
I went the route of installing the linux affinity toolkit.
Used gcc to compile.  Use at least gcc 3.x
http://aixpdslib.seas.ucla.edu/index.html has a good gcc.

Compiled and installed openldap to /usr/local/openldap
just to link against samba.
Compiled and installed Kerberos to /usr/local using rpm
so if IBM ever got the development files up to speed it
would be easy to uninstall & switch back.  At the time, last
year, IBM Kerberos didn't support rc4-hmac either.

In configure use CPFLAGS, CPPFLAGS, & LDFLAGS to ensure
the paths picked the homebrew versions.
I had a special account to log in where LIBPATH and PATH
would pickup the homebrew and linux affinity directories
before the system ones.

When I was done, not only did samba work in ADS = security mode,
but I could use the kerberos utilities natively with the
MS AD as the key distribution center.

I had to turn off sendfile because, although the test machine
worked fine, the production machine ran out of file handles
about 3 hours into the workday.  Couldn't even reboot cleanly.
Total lockup.  That was several months ago, maybe rc20 fixes that.
I wouldn't know.  Never figured how to simulate the load
on the development machine.

I set winbind trusted domains only = yes because I had NIS
and an identical user name correspondence between windows and
unix.  Used idmap_ad before it was rolled into the distribution
for winbindd resolution.  Didn't test other modes.

Regards, Doug


Re: [Samba] net ads join fails 3/4's of the time

2005-06-10 Thread Gerald (Jerry) Carter


Rex Dieter wrote:

| I just wanted to share my frustrations with trying
| to use samba to join  linux machines to our AD
| (so I could use pam_winbind primarily).  I'm
| using Red Hat Enterprise 4 boxes, with samba-3.0.14a,
| krb5-libs-1.3.4-12, kernel-2.6.9-5.0.5.EL (I tried
| Fedora Core 3 too,  with similar results).  I (pre)added
| machines to the AD using the Active  Directory Users
| and Computers tool.
|
| I initially had clock skew problems (yielding kerberos
| errors), but I  now have synchronized system clocks.
|
| Now, I've found that the
| $ net ads join
| command(*) always says it succeeds joining the domain,
| but a subsequent
| $ wbinfo -t
| about 75% of the time yields an error:
| NT_STATUS_ACCESS_DENIED
|
| If I re-run those 2 commands repeatedly, I *eventually*
| will get machine  that has successfully joined the
| AD domain (where 'wbinfo -t' succeeds
| and pam_winbind successfully authenticates users).

I wonder if you are dealing with a AD replication lag.  How
many DC's are there in the domain?




cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca


Re: [Samba] net ads join fails 3/4's of the time

2005-06-10 Thread Rex Dieter

Gerald (Jerry) Carter wrote:


Rex Dieter wrote:

| Now, I've found that the
| $ net ads join
| command(*) always says it succeeds joining the domain,
| but a subsequent
| $ wbinfo -t
| about 75% of the time yields an error:
| NT_STATUS_ACCESS_DENIED
|
| If I re-run those 2 commands repeatedly, I *eventually*
| will get machine  that has successfully joined the
| AD domain (where 'wbinfo -t' succeeds
| and pam_winbind successfully authenticates users).

I wonder if you are dealing with a AD replication lag.  How
many DC's are there in the domain?



3 DC's.  If your hunch is right, what should I do?  Simply wait longer 
between the 'net ads join' and 'wbinfo -t' (I'm currently waiting 2 
seconds)?


-- Rex
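
Rex's question above, whether to simply wait longer between 'net ads join' and 'wbinfo -t', can be settled by measuring instead of using a fixed 2-second pause. The following is an added example, not part of the thread or of Samba: it polls the trust check with a capped, doubling delay and records the attempts and seconds needed. The names wait_for_trust, TRUST_CHECK, SLEEP_CMD, TRUST_ATTEMPTS and TRUST_WAITED are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the thread): poll the machine-account trust check
# after `net ads join` instead of sleeping a fixed 2 seconds.
# Assumed names: wait_for_trust, TRUST_CHECK, SLEEP_CMD, TRUST_ATTEMPTS,
# TRUST_WAITED.

# Command that verifies the machine account secret. `wbinfo -t` is the check
# used in the thread; it is overridable so the loop can be exercised
# without a domain controller.
TRUST_CHECK=${TRUST_CHECK:-"wbinfo -t"}
# Command used to pause between attempts (overridable for dry runs).
SLEEP_CMD=${SLEEP_CMD:-sleep}

# wait_for_trust MAX_ATTEMPTS INITIAL_DELAY MAX_DELAY
#   Returns 0 as soon as the trust check passes, 1 if every attempt failed.
#   Leaves the number of attempts in TRUST_ATTEMPTS and the total number of
#   seconds slept in TRUST_WAITED, so the caller can log the observed lag.
wait_for_trust() {
    max_attempts=${1:-8}
    delay=${2:-2}
    max_delay=${3:-60}
    TRUST_ATTEMPTS=0
    TRUST_WAITED=0

    while [ "$TRUST_ATTEMPTS" -lt "$max_attempts" ]; do
        TRUST_ATTEMPTS=$((TRUST_ATTEMPTS + 1))

        # Intentionally unquoted: TRUST_CHECK holds a command plus arguments.
        if $TRUST_CHECK >/dev/null 2>&1; then
            return 0
        fi

        # Do not sleep after the final failed attempt.
        [ "$TRUST_ATTEMPTS" -lt "$max_attempts" ] || break

        $SLEEP_CMD "$delay"
        TRUST_WAITED=$((TRUST_WAITED + delay))

        # Double the delay, but never beyond the cap.
        delay=$((delay * 2))
        [ "$delay" -le "$max_delay" ] || delay=$max_delay
    done
    return 1
}

# Typical use after a join. Letting `net` prompt for the password keeps the
# credential out of the process list and shell history, unlike user%pass:
#   net ads join -U Administrator && wait_for_trust 8 2 60 && \
#       echo "trust OK after ${TRUST_WAITED}s, ${TRUST_ATTEMPTS} attempts"
```

A check that passes only after a measurable wait is consistent with the replication-lag hunch; one that never passes within the attempt budget points elsewhere.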


Re: [Samba] net ads join - No such file or directory error ???

2005-06-01 Thread Chin Teongli
On Thursday 26 May 2005 18:50, Rex Dieter wrote:
 Here's one that's got me baffled.  No such file or directory?

 # net ads join -U'AD-Administrator'
 AD-Administrator's password:
 [2005/05/26 08:15:00, 0] utils/net_ads.c:ads_startup(191)
ads_connect: No such file or directory

 I've been testing 'net ads join' to our AD all week, but I've not seen
 this error before.  I don't even know what it means so I don't know what
 to do about it.

 -- Rex

Hope you have the /etc/krb5.conf...



RE: [Samba] net ads join fails

2005-04-12 Thread Penny Willisson
No, neither /var/kerberos/krb5kdc/ nor /var/log/krb5/ exist. Is this part of the
problem?

For Craig White and anyone new to the problem here are the outputs of some 
files.

cat /etc/resolv.conf

search ellisonslegal.com
domain ellisonslegal.com
nameserver 10.0.0.31

cat /etc/krb5.conf
[libdefaults]
default_realm = ELLISONSLEGAL.COM
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true

[domain_realm]
ellisonslegal.com = ELLISONSLEGAL.COM
.ellisonslegal.com = ELLISONSLEGAL.COM
[realms]
ELLISONSLEGAL.COM = {
kdc = 10.0.0.31
default_domain = ELLNET
admin_server = 10.0.0.31
}
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}

kinit Administrator
and/or
kinit [EMAIL PROTECTED]

I do not have the kinit command

I am running Samba 3.0.13 on Suse Linux 9.0

Thank you for your help

Penny
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 11 April 2005 16:57
To: Penny Willisson
Subject: RE: [Samba] net ads join fails


Try that, it is working for me

[logging]
 default = FILE:/var/log/krb5/libs.log
 kdc = FILE:/var/log/krb5/kdc.log
 admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = BLABLA.COM
forwardable = true
proxiable = true


[realms]
  BLABLA.COM = {
  kdc = ip_address_of_kdc
  default_domain = blabla.com
 }

[domain_realm]
 .blabla.com = BLABLA.COM
 blabla.com = BLABLA.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false


Check if /var/kerberos/krb5kdc/ and /var/log/krb5/ exist , also replace
BLABLA.COM and blabla.com with the right value

Radu STANUC



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Penny Willisson
Sent: Monday, April 11, 2005 3:43 PM
To: Gordon Hopper; [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: RE: [Samba] net ads join fails


I have recreated my dns pointers without success and I think my krb5.conf
file is configured correctly.  First I left this to Yast to set up but that
didn't work and then I tried to modify it from an article I found.
 
I have pasted it in below
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300

[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
#default_domain = ELLNET
#kpasswd_server = apps.ellisonslegal.com
}
#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}
#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}

[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}

 
Dimitri would you be able to repost that link for the HOW-TO please?  I
tried it but it seems like it is broken, do you have the updated link?
 
Thanks for your continued help.
 
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 09 April 2005 00:23
To: Penny Willisson
Subject: RE: [Samba] net ads join fails


You might need to add some entries to your krb5.conf file.  for example:

[realms]
ellisonslegal.com = {
  kdc = domain.controller.ellisonslegal.com:88
}


Where kdc points to a domain controller.  Doesn't need to be the primary
domain controller, choose one close by for best performance.   (You
shouldn't need to do this if your DNS for the domain resolves to a domain
controller.)

Gordon



On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote: 

Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm
ellisonslegal.com

any ideas???

-Original Message-
From:  [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED] Behalf Of
Dimitri Yioulos
Sent: 08 April 2005 13:30
To:  samba@lists.samba.org
Subject: Re: [Samba] net ads join fails

On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
 Hi

 I have created the machine account on the AD server and did this logged in
 as Administrator so that should mean that the Administrator account has the
 correct permissions.

 I have executed the following command as suggested

 net ads join  [EMAIL PROTECTED] -d 2

 The following was output to the screen:

 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

 [2005/04/08 13:33:41, 0] libads

RE: [Samba] net ads join fails

2005-04-11 Thread Penny Willisson
I have recreated my dns pointers without success and I think my krb5.conf file 
is configured correctly.  First I left this to Yast to set up but that didn't 
work and then I tried to modify it from an article I found.
 
I have pasted it in below
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300

[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
#default_domain = ELLNET
#kpasswd_server = apps.ellisonslegal.com
}
#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}
#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}

[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}

 
Dimitri would you be able to repost that link for the HOW-TO please?  I tried 
it but it seems like it is broken, do you have the updated link?
 
Thanks for your continued help.
 
Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 09 April 2005 00:23
To: Penny Willisson
Subject: RE: [Samba] net ads join fails


You might need to add some entries to your krb5.conf file.  for example:

[realms]
ellisonslegal.com = {
  kdc = domain.controller.ellisonslegal.com:88
}


Where kdc points to a domain controller.  Doesn't need to be the primary domain 
controller, choose one close by for best performance.   (You shouldn't need to 
do this if your DNS for the domain resolves to a domain controller.)

Gordon



On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote: 

Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

any ideas???

-Original Message-
From:  [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED] Behalf Of
Dimitri Yioulos
Sent: 08 April 2005 13:30
To:  samba@lists.samba.org
Subject: Re: [Samba] net ads join fails

On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
 Hi

 I have created the machine account on the AD server and did this logged in
 as Administrator so that should mean that the Administrator account has the
 correct permissions.

 I have executed the following command as suggested

 net ads join  [EMAIL PROTECTED] -d 2

 The following was output to the screen:

 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)

 kerberos_kinit_password  [EMAIL PROTECTED] failed:
 Unknown code krb5 156

 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)

 ads_connect: Unknown code krb5 156

 [2005/04/08 13:33:41, 2] utils/net.c:main(897)

 return code = -1

 Thanks

 Penny

 -Original Message-
 From: Gordon Hopper [mailto: [EMAIL PROTECTED]
 Sent: 06 April 2005 05:28
 To: Penny Willisson
 Subject: Re: [Samba] net ads join fails

 [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)

   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

 [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)

   kerberos_kinit_password   [EMAIL PROTECTED] failed: Unknown
 code krb5 156

 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)

   ads_connect: Unknown code krb5 156

 I suggest you post the output of the command you are running to join the
 domain (including the command), for example, net ads join -U
  [EMAIL PROTECTED] -d 2.

 Also, note that the credentials you use to join the domain are not
 necessarily the domain Administrator, but they need to be a user who has
 write privileges to the ads folder where the machine account will be
 created.  (It worked better for me when the machine account was already
 created in server manager, but according to the docs, that shouldn't be
 necessary.)

 It almost looks like the password failed.  Or perhaps the folder you
 specified for the machine account does not exist.

 Regards,

 Gordon Hopper

Try the command kinit Administrator (or  [EMAIL PROTECTED]).  You
should be prompted for a password.  If, after entering the password, you're
returned to a prompt with no further output then, in theory at least, your
Kerberos setup is OK. If you get errors, well ...  Run that first, then try
net ads join -U  [EMAIL PROTECTED]

A good how-to can be found at:  http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri


Re: [Samba] net ads join fails

2005-04-11 Thread Dimitri Yioulos
On Monday 11 April 2005 09:42 am, you wrote:
 I have recreated my dns pointers without success and I think my krb5.conf
 file is configured correctly.  First I left this to Yast to set up but that
 didn't work and then I tried to modify it from an article I found.

 I have pasted it in below
 [libdefaults]
 #default_realm = ellisonslegal.com
 clockskew = 300

 [realms]
 ELLISONSLEGAL.COM = {
 kdc = apps.ellisonslegal.com
 #default_domain = ELLNET
 #kpasswd_server = apps.ellisonslegal.com
 }
 #ELLISONSLEGAL.COM = {
 # kdc = APPS.ELLISONSLEGAL.COM
 # admin_server = APPS.ELLISONSLEGAL.COM
 # kpasswd_server = APPS.ELLISONSLEGAL.COM
 #}
 #OTHER.REALM = {
 # kdc = OTHER.COMPUTER
 #}

 [domain_realm]
 # .my.domain = MY.REALM
 .ellisonslegal.com = ELLISONSLEGAL.COM

 [logging]
 default = SYSLOG:NOTICE:DAEMON
 kdc = FILE:/var/log/kdc.log
 kadmind = FILE:/var/log/kadmind.log

 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 debug = false
 }


 Dimitri would you be able to repost that link for the HOW-TO please?  I
 tried it but it seems like it is broken, do you have the updated link?

 Thanks for your continued help.

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 09 April 2005 00:23
 To: Penny Willisson
 Subject: RE: [Samba] net ads join fails


 You might need to add some entries to your krb5.conf file.  for example:

 [realms]
 ellisonslegal.com = {
   kdc = domain.controller.ellisonslegal.com:88
 }


 Where kdc points to a domain controller.  Doesn't need to be the primary
 domain controller, choose one close by for best performance.   (You
 shouldn't need to do this if your DNS for the domain resolves to a domain
 controller.)

 Gordon



 On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:

 Thanks

 When I run 'kinit administrator' I get the following error

 kinit: krb5_get_init_creds: unable to reach any KDC in realm
 ellisonslegal.com

 any ideas???

 -Original Message-
 From:  [EMAIL PROTECTED]
 [mailto: [EMAIL PROTECTED] Behalf Of
 Dimitri Yioulos
 Sent: 08 April 2005 13:30
 To:  samba@lists.samba.org
 Subject: Re: [Samba] net ads join fails

 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi

  I have created the machine account on the AD server and did this logged
  in as Administrator so that should mean that the Administrator account
  has the correct permissions.

  I have executed the following command as suggested

  net ads join  [EMAIL PROTECTED] -d 2

  The following was output to the screen:

  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)

  kerberos_kinit_password  [EMAIL PROTECTED] failed:
  Unknown code krb5 156

  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)

  ads_connect: Unknown code krb5 156

  [2005/04/08 13:33:41, 2] utils/net.c:main(897)

  return code = -1

  Thanks

  Penny

  -Original Message-
  From: Gordon Hopper [mailto: [EMAIL PROTECTED]
  Sent: 06 April 2005 05:28
  To: Penny Willisson
  Subject: Re: [Samba] net ads join fails

  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)

    ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
  directory)

  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)

    kerberos_kinit_password   [EMAIL PROTECTED] failed:
  Unknown code krb5 156

  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)

    ads_connect: Unknown code krb5 156

  I suggest you post the output of the command you are running to join the
  domain (including the command), for example, net ads join -U
   [EMAIL PROTECTED] -d 2.

  Also, note that the credentials you use to join the domain are not
  necessarily the domain Administrator, but they need to be a user who has
  write privileges to the ads folder where the machine account will be
  created.  (It worked better for me when the machine account was already
  created in server manager, but according to the docs, that shouldn't be
  necessary.)

  It almost looks like the password failed.  Or perhaps the folder you
  specified for the machine account does not exist.

  Regards,

  Gordon Hopper

 Try the command kinit Administrator (or  [EMAIL PROTECTED]).  You
 should be prompted for a password.  If, after entering the password, you're
 returned to a prompt with no further output then, in theory at least, your
 Kerberos setup is OK. If you get errors, well ...  Run that first, then try
 net ads join -U  [EMAIL PROTECTED]

 A good how-to can be found at: 
 http://www.ulug.org.nz

Re: RE: [Samba] net ads join fails

2005-04-10 Thread Ernesto Pereirinha
Hi!

Check your dns configuration!
I had similar problems and found out that reverse resolution wasn't working
correctly on my DNS server.

Good luck!

Ernesto Pereirinha

- Original Message -
From: Penny Willisson [EMAIL PROTECTED]
Date: Friday, April 8, 2005 3:41 pm
Subject: RE: [Samba] net ads join fails

 Thanks
 
 When I run 'kinit administrator' I get the following error
 
 kinit: krb5_get_init_creds: unable to reach any KDC in realm 
 ellisonslegal.com
 any ideas???
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] 
 Behalf Of
 Dimitri Yioulos
 Sent: 08 April 2005 13:30
 To: samba@lists.samba.org
 Subject: Re: [Samba] net ads join fails
 
 
 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi
 
  I have created the machine account on the AD server and did this 
 logged in
  as Administrator so that should mean that the Administrator 
 account has the
  correct permissions.
 
  I have executed the following command as suggested
 
  net ads join [EMAIL PROTECTED] -d 2
 
  The following was output to the screen:
 
  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
 
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
 
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
 
  kerberos_kinit_password [EMAIL PROTECTED] failed:
  Unknown code krb5 156
 
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
 
  ads_connect: Unknown code krb5 156
 
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
 
  return code = -1
 
  Thanks
 
  Penny
 
  -Original Message-
  From: Gordon Hopper [mailto:[EMAIL PROTECTED]
  Sent: 06 April 2005 05:28
  To: Penny Willisson
  Subject: Re: [Samba] net ads join fails
 
 
 
  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
 
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or 
 directory)
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
 
kerberos_kinit_password  [EMAIL PROTECTED] 
 failed: Unknown
  code krb5 156
 
  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
 
ads_connect: Unknown code krb5 156
 
 
 
 
  I suggest you post the output of the command you are running to 
 join the
  domain (including the command), for example, net ads join -U
  [EMAIL PROTECTED] -d 2.
 
  Also, note that the credentials you use to join the domain are not
  necessarily the domain Administrator, but they need to be a user 
 who has
  write privileges to the ads folder where the machine account 
 will be
  created.  (It worked better for me when the machine account was 
 already created in server manager, but according to the docs, 
 that shouldn't be
  necessary.)
 
  It almost looks like the password failed.  Or perhaps the folder you
  specified for the machine account does not exist.
 
  Regards,
 
  Gordon Hopper
 
 Try the command kinit Administrator (or 
 [EMAIL PROTECTED]).  You 
 should be prompted for a password.  If, after entering the 
 password, you're 
 returned to a prompt with no further output then, in theory at 
 least, your 
 Kerberos setup is OK. If you get errors, well ...  Run that first, 
 then try 
 net ads join -U [EMAIL PROTECTED]
 
 A good how-to can be found at: 
 http://www.ulug.org.nz/ActiveDirectorySamba.
 HTH.
 
 Dimitri
 



RE: [Samba] net ads join fails

2005-04-08 Thread Penny Willisson
Hi
 
I have created the machine account on the AD server and did this logged in as 
Administrator so that should mean that the Administrator account has the 
correct permissions.
 
I have executed the following command as suggested 
 
net ads join [EMAIL PROTECTED] -d 2
 
The following was output to the screen:
 
[2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

[2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)

kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown code krb5 156

[2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)

ads_connect: Unknown code krb5 156

[2005/04/08 13:33:41, 2] utils/net.c:main(897)

return code = -1

Thanks

Penny

-Original Message-
From: Gordon Hopper [mailto:[EMAIL PROTECTED]
Sent: 06 April 2005 05:28
To: Penny Willisson
Subject: Re: [Samba] net ads join fails



[2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)

  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

[2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)

  kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown code krb5 156

[2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)

  ads_connect: Unknown code krb5 156




I suggest you post the output of the command you are running to join the domain 
(including the command), for example, net ads join -U [EMAIL PROTECTED] -d 2.

Also, note that the credentials you use to join the domain are not necessarily 
the domain Administrator, but they need to be a user who has write privileges 
to the ads folder where the machine account will be created.  (It worked better 
for me when the machine account was already created in server manager, but 
according to the docs, that shouldn't be necessary.)

It almost looks like the password failed.  Or perhaps the folder you specified 
for the machine account does not exist.

Regards,

Gordon Hopper




Re: [Samba] net ads join fails

2005-04-08 Thread Dimitri Yioulos
On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
 Hi

 I have created the machine account on the AD server and did this logged in
 as Administrator so that should mean that the Administrator account has the
 correct permissions.

 I have executed the following command as suggested

 net ads join [EMAIL PROTECTED] -d 2

 The following was output to the screen:

 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)

 kerberos_kinit_password [EMAIL PROTECTED] failed:
 Unknown code krb5 156

 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)

 ads_connect: Unknown code krb5 156

 [2005/04/08 13:33:41, 2] utils/net.c:main(897)

 return code = -1

 Thanks

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 06 April 2005 05:28
 To: Penny Willisson
 Subject: Re: [Samba] net ads join fails



 [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)

   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

 [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)

   kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown
 code krb5 156

 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)

   ads_connect: Unknown code krb5 156




 I suggest you post the output of the command you are running to join the
 domain (including the command), for example, net ads join -U
 [EMAIL PROTECTED] -d 2.

 Also, note that the credentials you use to join the domain are not
 necessarily the domain Administrator, but they need to be a user who has
 write privileges to the ads folder where the machine account will be
 created.  (It worked better for me when the machine account was already
 created in server manager, but according to the docs, that shouldn't be
 necessary.)

 It almost looks like the password failed.  Or perhaps the folder you
 specified for the machine account does not exist.

 Regards,

 Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]).  You 
should be prompted for a password.  If, after entering the password, you're 
returned to a prompt with no further output then, in theory at least, your 
Kerberos setup is OK. If you get errors, well ...  Run that first, then try 
net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri


RE: [Samba] net ads join fails

2005-04-08 Thread Penny Willisson
Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

any ideas???

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Dimitri Yioulos
Sent: 08 April 2005 13:30
To: samba@lists.samba.org
Subject: Re: [Samba] net ads join fails


On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
 Hi

 I have created the machine account on the AD server and did this logged in
 as Administrator so that should mean that the Administrator account has the
 correct permissions.

 I have executed the following command as suggested

 net ads join [EMAIL PROTECTED] -d 2

 The following was output to the screen:

 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)

 kerberos_kinit_password [EMAIL PROTECTED] failed:
 Unknown code krb5 156

 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)

 ads_connect: Unknown code krb5 156

 [2005/04/08 13:33:41, 2] utils/net.c:main(897)

 return code = -1

 Thanks

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 06 April 2005 05:28
 To: Penny Willisson
 Subject: Re: [Samba] net ads join fails



 [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)

   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

 [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)

   kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown
 code krb5 156

 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)

   ads_connect: Unknown code krb5 156




 I suggest you post the output of the command you are running to join the
 domain (including the command), for example, net ads join -U
 [EMAIL PROTECTED] -d 2.

 Also, note that the credentials you use to join the domain are not
 necessarily the domain Administrator, but they need to be a user who has
 write privileges to the ads folder where the machine account will be
 created.  (It worked better for me when the machine account was already
 created in server manager, but according to the docs, that shouldn't be
 necessary.)

 It almost looks like the password failed.  Or perhaps the folder you
 specified for the machine account does not exist.

 Regards,

 Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]).  You 
should be prompted for a password.  If, after entering the password, you're 
returned to a prompt with no further output then, in theory at least, your 
Kerberos setup is OK. If you get errors, well ...  Run that first, then try 
net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri


Re: [Samba] net ads join fails

2005-04-08 Thread Dimitri Yioulos
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of
 Dimitri Yioulos
 Sent: 08 April 2005 13:30
 To: samba@lists.samba.org
 Subject: Re: [Samba] net ads join fails

 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi
 
  I have created the machine account on the AD server and did this logged
  in as Administrator so that should mean that the Administrator account
  has the correct permissions.
 
  I have executed the following command as suggested
 
  net ads join [EMAIL PROTECTED] -d 2
 
  The following was output to the screen:
 
  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
 
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
 
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
 
  kerberos_kinit_password [EMAIL PROTECTED] failed:
  Unknown code krb5 156
 
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
 
  ads_connect: Unknown code krb5 156
 
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
 
  return code = -1
 
  Thanks
 
  Penny
 
  -Original Message-
  From: Gordon Hopper [mailto:[EMAIL PROTECTED]
  Sent: 06 April 2005 05:28
  To: Penny Willisson
  Subject: Re: [Samba] net ads join fails
 
 
 
  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
 
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
  directory)
 
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
 
kerberos_kinit_password  [EMAIL PROTECTED] failed:
  Unknown code krb5 156
 
  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
 
ads_connect: Unknown code krb5 156
 
 
 
 
  I suggest you post the output of the command you are running to join the
  domain (including the command), for example, net ads join -U
  [EMAIL PROTECTED] -d 2.
 
  Also, note that the credentials you use to join the domain are not
  necessarily the domain Administrator, but they need to be a user who has
  write privileges to the ads folder where the machine account will be
  created.  (It worked better for me when the machine account was already
  created in server manager, but according to the docs, that shouldn't be
  necessary.)
 
  It almost looks like the password failed.  Or perhaps the folder you
  specified for the machine account does not exist.
 
  Regards,
 
  Gordon Hopper

 Try the command kinit Administrator (or [EMAIL PROTECTED]). 
 You should be prompted for a password.  If, after entering the password,
 you're returned to a prompt with no further output then, in theory at
 least, your Kerberos setup is OK. If you get errors, well ...  Run that
 first, then try net ads join -U [EMAIL PROTECTED]

 A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

 HTH.

 Dimitri

On Friday 08 April 2005 10:41 am, you wrote:
 Thanks

 When I run 'kinit administrator' I get the following error

 kinit: krb5_get_init_creds: unable to reach any KDC in realm
 ellisonslegal.com

 any ideas???


You probably don't have Kerberos configured correctly.  Check your krb5.conf 
and kdc.conf files.  Refer to the how-to I mentioned earlier, and also 
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4/doc/krb5-install.html, if 
you're using MIT Kerberos.

Dimitri
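
The krb5.conf check suggested in the reply above, written out as a small lint over the realm settings; this is an added example, not code from the thread or from the Samba or Kerberos projects. The function names and finding codes are hypothetical, the parser covers only the section and brace syntax seen in the posted files, and the upper-case rule assumes an Active Directory realm (Kerberos realm names are case-sensitive).

```python
"""Lint the realm settings of a krb5.conf (simplified parser, see comments)."""
import re

TRUE_WORDS = {"true", "yes", "y", "t", "1", "on"}

# Abridged from the krb5.conf posted in the thread: default_realm is commented out.
POSTED = """\
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300
[realms]
ELLISONSLEGAL.COM = {
kdc = apps.ellisonslegal.com
#default_domain = ELLNET
}
[domain_realm]
.ellisonslegal.com = ELLISONSLEGAL.COM
"""

# Constructed variant: the same file with the lower-case default_realm enabled.
UNCOMMENTED = POSTED.replace("#default_realm", "default_realm")


def parse_krb5_conf(text):
    """Return {section: {key: [values] or nested dict}} for [section] / key = { } syntax."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1).strip(), {})]
            continue
        if not stack:                            # relation outside any section
            continue
        if line.startswith("}"):
            if len(stack) > 1:
                stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if value == "{":                         # start of a nested block
            child = {}
            stack[-1][key] = child
            stack.append(child)
        else:                                    # repeated keys (several kdc lines) accumulate
            values = stack[-1].get(key)
            if not isinstance(values, list):
                values = stack[-1][key] = []
            values.append(value)
    return conf


def last(values):
    """Last value given for a key, or None."""
    return values[-1] if isinstance(values, list) and values else None


def check_krb5_conf(text):
    """Return a list of (code, detail) findings about realm configuration."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realms = {n: b for n, b in conf.get("realms", {}).items() if isinstance(b, dict)}
    dns_kdc = (last(lib.get("dns_lookup_kdc")) or "").lower() in TRUE_WORDS
    findings = []

    def require_realm(realm, where):
        # Realm names are case-sensitive, so ELLISONSLEGAL.COM != ellisonslegal.com.
        if realm in realms:
            return
        if any(r.lower() == realm.lower() for r in realms):
            findings.append(("case-mismatch",
                             f"{where} names {realm}, which differs only in case from a [realms] entry"))
        elif not dns_kdc:
            findings.append(("undefined-realm",
                             f"{where} names {realm}: no [realms] entry and dns_lookup_kdc is off"))

    default = last(lib.get("default_realm"))
    if default is None:
        findings.append(("no-default-realm", "[libdefaults] has no active default_realm line"))
    else:
        require_realm(default, "default_realm")

    for name, body in realms.items():
        if name != name.upper():                 # assumption: AD realm = upper-cased DNS domain
            findings.append(("realm-not-uppercase", f"[realms] {name} is not upper case"))
        if not body.get("kdc") and not dns_kdc:
            findings.append(("no-kdc", f"[realms] {name} lists no kdc and dns_lookup_kdc is off"))

    for domain, target in conf.get("domain_realm", {}).items():
        if last(target):
            require_realm(last(target), f"[domain_realm] {domain}")
    return findings


if __name__ == "__main__":
    for label, sample in (("posted", POSTED), ("uncommented", UNCOMMENTED)):
        for code, detail in check_krb5_conf(sample):
            print(f"{label}: {code}: {detail}")
```

An empty result means only that these realm checks passed; it says nothing about DNS resolution, clock skew or whether the KDC is reachable.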


Re: [Samba] net ads join requires full domain admin account?

2005-02-11 Thread Marc Schiffbauer
* [EMAIL PROTECTED] wrote on 10.02.05 at 21:35:
 Problem:  I have an account that allows me to join an AD domain, this works
 fine from any win box.  However it fails with ads_add_machine_acct
 (client_name): Insufficient access when I do a net ads join from a linux
 box.  To get samba to join the domain, I have to use an account with full
 domain admin privs. (ie net ads join -Ufull_domain_admin)  
 
  
 
 Is this expected behavior?  


I just wanted to confirm that. I saw the same while I was trying to
add my Samba machine to an AD.

-Marc
-- 
°M3rlin- what is the legal age to buy alcoholic in england ? °
°  p5Ds13a06 you cant buy alcoholics °
°  p5Ds13a06 but if you wink the right way,  °
°  some of them will follow you home for free  °


Re: [Samba] net ads join requires full domain admin account?

2005-02-11 Thread Gerald (Jerry) Carter
Marc Schiffbauer wrote:
| Problem:  I have an account that allows me to join
| an AD domain, this works fine from any win box.  However
| it fails with ads_add_machine_acct (client_name):
| Insufficient access when I do a net ads join from a linux
| box.  To get samba to join the domain, I have to use
| an account with full domain admin privs. (ie net
| ads join -Ufull_domain_admin)
|
| Is this expected behavior?
|
| I just wanted to confirm that. I saw the same while
| I was trying to add my Samba machine to an AD.
The acls on your machine object or parent OU in AD
are wrong then.  I can successfully join Samba boxes
to an AD domain without being a domain admin.


cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca


Re: [Samba] net ads join fails - Preauthetication failed

2004-12-08 Thread birger
Resending, as I used wrong sender and it doesn't seem to have appeared 
on the list.

The problem is sort of solved...
First, I tried stopping smb and winbind and cleaning out all cache files
(/var/cache/samba).
Then joining worked fine for a while. Then it didn't. Whenever it didn't
I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO
again.
Now the problem with the double realm name seems to be fixed. I still 
get the same errors joining (just with the correct realm name). Seen
from the AD side the join succeeds, and I can authenticate against AD as
expected. I'm not sure what this is, but I'll get someone on the AD side
to help me clean out the credentials for IFTSMB100 completely. Does
anyone here know what it takes to get completely rid of all traces of a
host in the kerberos part of AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in
krb5.conf so my domain maps to a realm name (map ift.uib.no to 
KLIENT.UIB.NO) and match the default realm in krb5.conf to the realm in
smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this
setup. Users live in other domains.
My new config files are at http://www.ift.uib.no/~birger/krb5.conf and
http://www.ift.uib.no/~birger/smb.conf

I also upgraded kerberos and samba to the versions in the yum develop 
repo for fc3. samba*-3.0.9-2 and krb5*-1.3.5-2

Now, even with the preauthentication failures when joining I have a 
working server that authenticates as expected. :-)

--
birger


Re: [Samba] net ads join fails - Preauthetication failed

2004-12-07 Thread Birger Wathne
Sort of solved...
First, I tried stopping smb and winbind and cleaning out all cache files 
(/var/cache/samba).
Then joining worked fine for a while. Then it didn't. Whenever it didn't 
I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO 
again.

Now that problem seems to be fixed, but I still get errors joining. Seen 
from the AD side the join succeeds, and I can authenticate against AD as 
expected. I'm not sure what this is, but I'll get someone on the AD side 
to help me clean out the credentials for IFTSMB100 completely. Does 
anyone here know what it takes to get completely rid of all traces of a 
host in AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in 
krb5.conf and match the default realm in krb5.conf to the realm in 
smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this 
setup. Users live in other domains.
My new config files are at http://www.ift.uib.no/~birger/krb5.conf and
http://www.ift.uib.no/~birger/smb.conf

--
birger
birger wrote:
After a lot of different problems and variations of krb5.conf and 
samba.conf files I am currently stuck with the following error trying 
to join a domain

net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba 
Servers\IT-gruppen'
[EMAIL PROTECTED]'s password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
 ads_add_machine_acct: Host account for iftsmb100 already exists - 
modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
 get_service_ticket: kerberos_kinit_password 
[EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

Fedora Core 3, Samba  3.0.9 as installed by yum.
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/[EMAIL PROTECTED]
        renew until 12/03/04 14:45:02
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
I have tried removing the definition in the AD server and recreating. 
Samba manages to create the account, but still fails like above. Note 
the double @KLIENT.UIB.NO. I think I'll go home now and take a break 
while my head clears after fighting with security = ads for 2 days...

In this AD environment hosts are defined in KLIENT.UIB.NO, while users 
belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with 
trust relationships). I have had it working as far as wbinfo listing 
users from both worlds, but I still couldn't access shares. Then 
something broke, and now I can't join the domain again. What have I 
done wrong here?

My config files are at
http://www.ift.uib.no/~birger/krb5.conf and 
http://www.ift.uib.no/~birger/smb.conf



Re: [Samba] net ads join fails - Preauthetication failed

2004-12-05 Thread Birger Wathne
birger wrote: 

net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba 
Servers\IT-gruppen'
[EMAIL PROTECTED]'s password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
 ads_add_machine_acct: Host account for iftsmb100 already exists - 
modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
 get_service_ticket: kerberos_kinit_password 
[EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

I seem to have solved this part of the problem.
Stop everything, move aside /var/cache/samba, create a new empty 
directory and retry. Worked as it should.

Now I'm back to my old problems. :-/
--
birger


Re: [Samba] net ads join fails

2004-11-02 Thread sharif islam
On Tue, 02 Nov 2004 14:34:15 -0800, Tom Dickson [EMAIL PROTECTED] wrote:
 
 ~ /usr/bin/net ads join -Udennisb
 dennisb password:
 [2004/11/02 17:31:56, 0] libads/ldap.c:ads_add_machine_acct(1006)
 ~  Host account for if-srv-hos1 already exists - modifying old account
 [2004/11/02 17:31:56, 0] libads/ldap.c:ads_join_realm(1342)
 ~  ads_add_machine_acct: No such object
 ads_join_realm: No such object

What version of samba and kerberos are you using? I had problems with
the version that comes with redhat. I wasn't able to get ads work with
it. samba.3.0.7 and krb1.3.5 worked for me. And make sure on smb.conf
, you have 'security=ADS'.


RE: [Samba] net ads join hangs forever

2004-06-30 Thread ww m-pubsyssamba
Hi Aaron,

we've just identified this problem and thought you may be interested if
you haven't resolved this already. The bind is failing because the admin
account being used to join the domain is a member of too many groups
(waiting to hear from M$ what constitutes too many) and as a result the
Kerberos TGT is too large and the kpasswd service on the M$ DC just
ignores the change password request. To work around this created an admin
account with minimal group membership and use this to bind Samba boxes
to AD.
Of course you may have a different issue with M$ ;-)

cheers Andy.


Thanks all.  At least now I know it's not just me.  I'll be watching
bugzilla with interest, and in the meantime I suppose standard Kerb will
have to do.

Aaron Grewell
Network Administrator
University of Washington Bothell




RE: [Samba] net ads join hangs forever

2004-05-21 Thread ww m-pubsyssamba

I believe this is a bug as I have posted exactly the same problem to this
list already including some debug info, nobody replied though
I have contacted Andrew Bartlett on this with some debug information and
am waiting for a reply. As its not just me I'll raise a bug in bugzilla,

thanks Andy Smith.

PS I've replicated the problem on Linux and Solaris and Kerberos is 
working correctly.



Aaron Grewell wrote:
| I am trying to join my Linux workstation to my ADS domain.
| Unfortunately, I'm not having much success.  net ads
| join hangs forever (or at least for more than 12 hours)
| when run.
...
| [2004/05/20 10:08:47, 0] libads/ldap.c:ads_add_machine_acct(1006)
|   Host account for cygnus already exists - modifying old account
| [2004/05/20 10:08:47, 5] libads/ldap_utils.c:ads_do_search_retry(56)
|   Search for (objectclass=*) gave 1 replies
|
| *
| After the LDAP search it hangs forever. :(
|

I would start by checking for any kerberos misconfigurations.
Just a gut feeling though.  Does kinit run ok ?



RE: [Samba] net ads join hangs forever

2004-05-21 Thread ww m-pubsyssamba
logged on bugzilla, id   1370

thanks Andy.



I believe this is a bug as I have posted exactly the same problem to this
list already including some debug info, nobody replied though
I have contacted Andrew Bartlett on this with some debug information and
am waiting for a reply. As its not just me I'll raise a bug in bugzilla,

thanks Andy Smith.

PS I've replicated the problem on Linux and Solaris and Kerberos is 
working correctly.



Aaron Grewell wrote:
| I am trying to join my Linux workstation to my ADS domain.
| Unfortunately, I'm not having much success.  net ads
| join hangs forever (or at least for more than 12 hours)
| when run.
...
| [2004/05/20 10:08:47, 0] libads/ldap.c:ads_add_machine_acct(1006)
|   Host account for cygnus already exists - modifying old account
| [2004/05/20 10:08:47, 5] libads/ldap_utils.c:ads_do_search_retry(56)
|   Search for (objectclass=*) gave 1 replies
|
| *
| After the LDAP search it hangs forever. :(
|

I would start by checking for any kerberos misconfigurations.
Just a gut feeling though.  Does kinit run ok ?


RE: [Samba] net ads join hangs forever

2004-05-21 Thread Andrew Bartlett
On Fri, 2004-05-21 at 19:43, ww m-pubsyssamba wrote:
> I believe this is a bug as I have posted exactly the same problem to this
> list already including some debug info, nobody replied though
> I have contacted Andrew Bartlett on this with some debug information and
> am waiting for a reply. As its not just me I'll raise a bug in bugzilla,

Sorry about the delay, and thanks for keeping on it.

> thanks Andy Smith.
>
> PS I've replicated the problem on Linux and Solaris and Kerberos is
> working correctly.

Did you manage to valgrind it?

> Aaron Grewell wrote:
> | I am trying to join my Linux workstation to my ADS domain.
> | Unfortunately, I'm not having much success.  net ads
> | join hangs forever (or at least for more than 12 hours)
> | when run.
> ...
> | [2004/05/20 10:08:47, 0] libads/ldap.c:ads_add_machine_acct(1006)
> |   Host account for cygnus already exists - modifying old account
> | [2004/05/20 10:08:47, 5] libads/ldap_utils.c:ads_do_search_retry(56)
> |   Search for (objectclass=*) gave 1 replies
> |
> | *
> | After the LDAP search it hangs forever. :(
> |
>
> I would start by checking for any kerberos misconfigurations.
> Just a gut feeling though.  Does kinit run ok ?

In the trace, it appears that the server just never replies to the 'set
password' request.

We sit around forever, waiting for the reply, rather than resending it
(it is a UDP based request) or timing out.

This is krb5_setpw.c:do_krb5_kpasswd_request()

Andrew Bartlett


-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
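
The message above diagnoses the hang as a UDP "set password" request that is never answered, with the client neither resending nor timing out. As an added example (not Samba's code and not the fix that was applied), this C sketch shows a bounded request loop built on poll(); `udp_request`, `loopback_udp` and `demo_exchange` are hypothetical names, the loopback peer is a constructed fixture, and the payload is a placeholder rather than a kpasswd message.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

struct udp_result {
    int attempts;      /* datagrams actually sent */
    ssize_t reply_len; /* bytes in the reply, -1 if none arrived */
    int err;           /* 0, ETIMEDOUT, or errno of the failing call */
};

/*
 * Send req on a connected UDP socket and wait for one reply.
 * Each attempt waits timeout_ms (doubled after every silent attempt);
 * after max_attempts silent attempts the caller gets ETIMEDOUT instead
 * of blocking forever in recv().
 */
struct udp_result udp_request(int fd, const void *req, size_t req_len,
                              void *reply, size_t reply_cap,
                              int max_attempts, int timeout_ms)
{
    struct udp_result r = { 0, -1, ETIMEDOUT };

    for (int i = 0; i < max_attempts; i++) {
        if (send(fd, req, req_len, 0) < 0) {
            r.err = errno;
            return r;
        }
        r.attempts++;

        struct pollfd p = { .fd = fd, .events = POLLIN };
        int n;
        do {
            n = poll(&p, 1, timeout_ms); /* restart if a signal interrupts */
        } while (n < 0 && errno == EINTR);
        if (n < 0) {
            r.err = errno;
            return r;
        }
        if (n == 0) {          /* no answer: back off and resend */
            timeout_ms *= 2;
            continue;
        }
        /* Readable or error state (e.g. ICMP port unreachable). */
        ssize_t got = recv(fd, reply, reply_cap, 0);
        if (got < 0) {
            r.err = errno;
            return r;
        }
        r.reply_len = got;
        r.err = 0;
        return r;
    }
    return r; /* every attempt went unanswered */
}

/* Constructed fixture: UDP socket bound to 127.0.0.1 on an ephemeral port. */
static int loopback_udp(struct sockaddr_in *addr)
{
    socklen_t len = sizeof(*addr);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)addr, sizeof(*addr)) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/*
 * One exchange against a local peer. With peer_answers == 0 the peer
 * socket exists but never replies, which is the situation described in
 * the thread. With peer_answers != 0 a reply is queued in advance.
 */
struct udp_result demo_exchange(int peer_answers)
{
    struct udp_result r = { 0, -1, EIO };
    struct sockaddr_in srv_addr, cli_addr;
    char reply[64];
    int srv = loopback_udp(&srv_addr);
    int cli = loopback_udp(&cli_addr);

    if (srv >= 0 && cli >= 0 &&
        connect(cli, (struct sockaddr *)&srv_addr, sizeof(srv_addr)) == 0) {
        if (peer_answers)
            sendto(srv, "OK", 2, 0,
                   (struct sockaddr *)&cli_addr, sizeof(cli_addr));
        /* Placeholder payload, 3 attempts, 20 ms initial timeout. */
        r = udp_request(cli, "set-password", 12, reply, sizeof(reply), 3, 20);
    }
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return r;
}

int main(void)
{
    struct udp_result silent = demo_exchange(0);
    struct udp_result answered = demo_exchange(1);
    printf("silent peer:    attempts=%d err=%s\n",
           silent.attempts, strerror(silent.err));
    printf("answering peer: attempts=%d reply_len=%zd\n",
           answered.attempts, answered.reply_len);
    return 0;
}
```
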



RE: [Samba] net ads join hangs forever

2004-05-21 Thread ww m-pubsyssamba

Did you manage to valgrind it?

##
##Yes, I've sent it through to you last week, didn't you receive it?
##If not I've attached all the output to the bugzilla bug 1370
## thanks Andy.


RE: [Samba] net ads join hangs forever

2004-05-21 Thread Aaron Grewell
Thanks all.  At least now I know it's not just me.  I'll be watching
bugzilla with interest, and in the meantime I suppose standard Kerb will
have to do.

Aaron Grewell
Network Administrator
University of Washington Bothell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ww
m-pubsyssamba
Sent: Friday, May 21, 2004 6:28 AM
To: Andrew Bartlett
Cc: [EMAIL PROTECTED]; Gerald (Jerry) Carter; Andrew Bartlett
Subject: RE: [Samba] net ads join hangs forever



Did you manage to valgrind it?

##
##Yes, I've sent it through to you last week, didn't you receive it?
##If not I've attached all the output to the bugzilla bug 1370
## thanks Andy.


Re: [Samba] net ads join hangs forever

2004-05-20 Thread Gerald (Jerry) Carter
Aaron Grewell wrote:
| I am trying to join my Linux workstation to my ADS domain.
| Unfortunately, I'm not having much success.  net ads
| join hangs forever (or at least for more than 12 hours)
| when run.
...
| [2004/05/20 10:08:47, 0] libads/ldap.c:ads_add_machine_acct(1006)
|   Host account for cygnus already exists - modifying old account
| [2004/05/20 10:08:47, 5] libads/ldap_utils.c:ads_do_search_retry(56)
|   Search for (objectclass=*) gave 1 replies
|
| *
| After the LDAP search it hangs forever. :(
|
I would start by checking for any kerberos misconfigurations.
Just a gut feeling though.  Does kinit run ok ?


cheers, jerry
- --
Hewlett-Packard- http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key   http://www.plainjoe.org/gpg_public.asc
...a hundred billion castaways looking for a home. --- Sting


RE: [Samba] net ads join hangs forever

2004-05-20 Thread Aaron Grewell
I would start by checking for any kerberos misconfigurations. Just a gut
feeling though.  Does kinit run ok ?

Kinit runs fine.  I started with a standard Kerb config that I've used a
number of times with good success.  I also tried removing /etc/krb5.conf
altogether.  Kinit ran fine in either case.  Using kinit -V [EMAIL PROTECTED]
returns Authenticated to Kerberos V5 once I've entered my password so I'm
pretty sure it's working.  The user I'm authenticating as is a Domain Admin,
and so should have the rights to do what is needed.


Re: [Samba] Net ads join

2004-05-07 Thread Paul Gienger
Have you done any kerberos setup?  Whatever steps you have taken there 
would be helpful as well. 

Also, take a look at TOSHARG chapter 6:
http://us2.samba.org/samba/docs/man/howto/domain-member.html#ads-member
Tom Skeren wrote:

O.K.  well no one has responded to any requests for help yet.  Maybe 
I'll get lucky this time.
Switched to the Red Hat web server.  Configured 3.0.3 --with-ads.  Do 
net ads testjoin, system response:

LINUX@'s password:  (type pass) (response)
[2004/05/07 09:49:11, 0]  libads/kerberos.c:ads_kinit_password (135)
   kerberos_kinit_password LINUX$@ failed:  Malformed representation 
of principal
Join to domain is not valid.

What have I got wrong?  Any suggestions would be appreciated.

TMS III


--
Paul Gienger Office:701-281-1884
Applied Engineering Inc. Cell:  701-306-6254
Information Systems Consultant   Fax:   701-281-1322
URL: www.ae-solutions.com        mailto:[EMAIL PROTECTED]


Re: [Samba] Net ads join

2004-05-07 Thread Tom Skeren
Thanks for asking Paul.

I decided to see what the error message of a net ads join -U admin would be 
and got:  can't find realm.  Edited krb5.conf changing kdc = 
server.fsklaw.net to kerberos.fsklaw.net.  I then joined the domain, and 
in Windows 2000 the computer Linux is there with Operating system 3.0.3. 

However, krb5kdc.log says:

Cannot find/read stored master key -  while fetching master key K/M for 
realm fsklaw.net.

Also, it appears that winbindd will not start.  I'm very new to Redhat, 
so while I have a modest UNIX (BSD) background, I'm a bit  of a fish out 
of water on the Redhat box, so be gentle  ;-).

Thanks again Paul

TMS III
Paul Gienger wrote:
Have you done any kerberos setup?  Whatever steps you have taken there 
would be helpful as well.
Also, take a look at TOSHARG chapter 6:
http://us2.samba.org/samba/docs/man/howto/domain-member.html#ads-member

Tom Skeren wrote:

O.K.  well no one has responded to any requests for help yet.  Maybe 
I'll get lucky this time.
Switched to the Red Hat web server.  Configured 3.0.3 --with-ads.  Do 
net ads testjoin, system response:

LINUX@'s password:  (type pass) (response)
[2004/05/07 09:49:11, 0]  libads/kerberos.c:ads_kinit_password (135)
   kerberos_kinit_password LINUX$@ failed:  Malformed representation 
of principal
Join to domain is not valid.

What have I got wrong?  Any suggestions would be appreciated.

TMS III







Re: [Samba] Net ads join

2004-05-07 Thread Paul Gienger
I'm going to have to defer to someone with superior knowledge here, 
I've only set up ADS membership once, and that was on a test environment.

Two things though, are you specifying your realm as lower case or upper 
case?  I believe you need it uppercase: FSKLAW.NET  Also, what do 
you get when you run the kinit command from the document?

Tom Skeren wrote:

Thanks for asking Paul.

I decided to see what the error message of a net ads join -U admin would be 
and got:  can't find realm.  Edited krb5.conf changing kdc = 
server.fsklaw.net to kerberos.fsklaw.net.  I then joined the domain, 
and in Windows 2000 the computer Linux is there with Operating system 
3.0.3.
However, krb5kdc.log says:

Cannot find/read stored master key -  while fetching master key K/M 
for realm fsklaw.net.

Also, it appears that winbindd will not start.  I'm very new to 
Redhat, so while I have a modest UNIX (BSD) background, I'm a bit  of 
a fish out of water on the Redhat box, so be gentle  ;-).

Thanks again Paul

TMS III
Paul Gienger wrote:
Have you done any kerberos setup?  Whatever steps you have taken 
there would be helpful as well.
Also, take a look at TOSHARG chapter 6:
http://us2.samba.org/samba/docs/man/howto/domain-member.html#ads-member

Tom Skeren wrote:

O.K.  well no one has responded to any requests for help yet.  Maybe 
I'll get lucky this time.
Switched to the Red Hat web server.  Configured 3.0.3 --with-ads.  
Do net ads testjoin, system response:

LINUX@'s password:  (type pass) (response)
[2004/05/07 09:49:11, 0]  libads/kerberos.c:ads_kinit_password (135)
   kerberos_kinit_password LINUX$@ failed:  Malformed representation 
of principal
Join to domain is not valid.

What have I got wrong?  Any suggestions would be appreciated.

TMS III






--
Paul Gienger Office:701-281-1884
Applied Engineering Inc. Cell:  701-306-6254
Information Systems Consultant   Fax:   701-281-1322
URL: www.ae-solutions.com        mailto:[EMAIL PROTECTED]


Re: [Samba] Net ads join

2004-05-07 Thread Tom Skeren
Thanks again Paul,

I got the Redhat box working, mostly, except that all users only have 
user rights on the samba share.  Can't seem to get ADS users to have the 
permissions on Samba shares they have on the 2000 shares.  But a huge 
leap forward for me today. I've been spinning my wheels all week.  
The article link was most helpful.  Now it's onto the FreeBSD boxes, and 
configuring bind9 to mimic well enough 2000DNS so that the satellite 
offices samba servers can authenticate too.

The BSD boxes under kinit are behaving oddly.  The laptop keeps 
responding back with clock skew too great.  The FreeBSD server is 
running bind so, it's not even getting to kerberos, yet.

Thanks again.

Paul Gienger wrote:

I'm going to have to defer to someone with superior knowledge here, 
I've only set up ADS membership once, and that was on a test environment.

Two things though, are you specifying your realm as lower case or 
upper case?  I believe you need it uppercase: FSKLAW.NET  Also, 
what do you get when you run the kinit command from the document?

Tom Skeren wrote:

Thanks for asking Paul.

I decided to see what the error message of a net ads join -U admin would 
be and got:  can't find realm.  Edited krb5.conf changing kdc = 
server.fsklaw.net to kerberos.fsklaw.net.  I then joined the domain, 
and in Windows 2000 the computer Linux is there with Operating 
system 3.0.3.
However, krb5kdc.log says:

Cannot find/read stored master key -  while fetching master key K/M 
for realm fsklaw.net.

Also, it appears that winbindd will not start.  I'm very new to 
Redhat, so while I have a modest UNIX (BSD) background, I'm a bit  of 
a fish out of water on the Redhat box, so be gentle  ;-).

Thanks again Paul

TMS III
Paul Gienger wrote:
Have you done any kerberos setup?  Whatever steps you have taken 
there would be helpful as well.
Also, take a look at TOSHARG chapter 6:
http://us2.samba.org/samba/docs/man/howto/domain-member.html#ads-member

Tom Skeren wrote:

O.K.  well no one has responded to any requests for help yet.  
Maybe I'll get lucky this time.
Switched to the Red Hat web server.  Configured 3.0.3 --with-ads.  
Do net ads testjoin, system response:

LINUX@'s password:  (type pass) (response)
[2004/05/07 09:49:11, 0]  libads/kerberos.c:ads_kinit_password (135)
   kerberos_kinit_password LINUX$@ failed:  Malformed 
representation of principal
Join to domain is not valid.

What have I got wrong?  Any suggestions would be appreciated.

TMS III











RE: [Samba] net ads join / kinit /.conf syntax

2004-02-21 Thread kaze
-- Behalf Of Michael Brown
-- Sent: Friday, February 20, 2004 1:37 AM
--  The path I got was /root/krb5-1.3.1/src/configure, but no
--  matter. In order to
--
-- Sorry, I should have said -
-- # cd krb5-1.3.1/src
-- # configure --prefix=/usr
-- # make && make install
-- # ls /usr/bin/kinit
-- kinit

Ran the configure --prefix=/usr again (as I'd removed and reinstalled all
the Samba packages) just to make sure and it worked fine.

The make && make install worked much better with this syntax.

Still no kinit though! And the net ads join still fails the same way,
although I tried many variations on it. At one point a new domain showed up
in the Windows Network Neighborhood, but with no computers in it, a
tweak/correction of /etc/smb.conf fixed that. testparm doesn't seem to
find any errors with /etc/smb.conf. I tried with the default 'example'
/etc/krb5.conf and also with one with my specific settings. Based on the
error message it would seem that my Kerberos client is not working, right?

[EMAIL PROTECTED] root]# ls /usr/bin/kinit
ls: /usr/bin/kinit: No such file or directory
[EMAIL PROTECTED] root]# cd /usr/bin
[EMAIL PROTECTED] bin]# ls k*
kban  kbdrate  kermit  kill  killall  krb524init  ktest
[EMAIL PROTECTED] bin]# locate kinit
/root/krb5-1.3.1/doc/kinit.html
/root/krb5-1.3.1/src/clients/kinit
/root/krb5-1.3.1/src/clients/kinit/Makefile.in
/root/krb5-1.3.1/src/clients/kinit/ChangeLog
/root/krb5-1.3.1/src/clients/kinit/kinit.M
/root/krb5-1.3.1/src/clients/kinit/kinit.c
/root/krb5-1.3.1/src/clients/kinit/Makefile
/root/krb5-1.3.1/src/clients/kinit/TV
/usr/share/man/man8/mkinitrd.8.gz
/usr/share/ghostscript/7.07/vflib/kinit.ps
/sbin/mkinitrd
[EMAIL PROTECTED] bin]# cd
[EMAIL PROTECTED] root]# net ads join -U adminzas
adminzas password:
[2004/02/21 11:21:45, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot find
KDC for requested realm
[EMAIL PROTECTED] root]#
[EMAIL PROTECTED] root]# ping imediamsft
PING imediamsft.imedia.example.com (10.1.1.42) 56(84) bytes of data.
64 bytes from imediamsft.imedia.example.com (10.1.1.42): icmp_seq=0 ttl=128
time=0.162 ms
64 bytes from imediamsft.imedia.example.com (10.1.1.42): icmp_seq=1 ttl=128
time=0.200 ms
64 bytes from imediamsft.imedia.example.com (10.1.1.42): icmp_seq=2 ttl=128
time=0.199 ms

--- imediamsft.imedia.example.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.162/0.187/0.200/0.017 ms, pipe 2
[EMAIL PROTECTED] root]#

/etc/krb5.conf specifies imediamsft.imedia.example.com as the KDC, and
this machine can see it, and actually has for its DNS1 and DNS2 the two AD
integrated LAN DNS servers.

The machine ImediaArchive shows up in the Windows Network Neighborhood as a
domain/workgroup member (due to the /etc/smb.conf file?) but when clicked
on gets an error I guess is due to it not having a machine account in AD.

Why doesn't the kerberos-workstation rpm work?

Do I need a /etc/krb5.conf if using the MIT Kerberos client? I do have
valid looking DNS records for the Microsoft Kerberos servers.

Do I need to compile or 'make' something in the
/root/krb5-1.3.1/src/clients/kinit directory to get the kinit command?

-- It would be prudent to then install a recent version of
-- cyrus-sasl to insure an
-- gss-api layer for auth when trying against ms-ad.

Hopefully I will move forward enough to get to this stuff later...

-- Hope this helps.
--
-- Michael Brown



RE: [Samba] net ads join / kinit /.conf syntax

2004-02-19 Thread kaze
-- From: Gary Hostetler [mailto:[EMAIL PROTECTED]
-- Sent: Thursday, February 19, 2004 6:06 AM
-- To: kaze
-- Subject: RE: [Samba] net ads join / kinit /.conf syntax
-- 
-- 
-- I'd be happy if my net command worked. It tells me unknown 
-- command. Where do
-- I find net.
-- thanks
-- Gary

Install samba-client-3.0.0-15


RE: [Samba] net ads join / kinit /.conf syntax

2004-02-19 Thread kaze
-- From: Michael Brown [mailto:[EMAIL PROTECTED]
-- Sent: Thursday, February 19, 2004 2:50 AM
...
-- Eliminate your krb5 rpm installation.
-- Download the MIT krb5 source tarball from here:
-- http://web.mit.edu/kerberos/dist/krb5/1.3/krb5-1.3.1.tar
--
-- Extract the tarball/signature:
-- $ tar xvf krb5-1.3.1.tar
-- krb5-1.3.1.tar.gz.asc
-- krb5-1.3.1.tar.gz
--
-- Check the sig however you want (this assumes OpenSSL):
-- $ openssl md5 krb5-1.3.1.tar.gz.asc
-- MD5(krb5-1.3.1.tar.gz.asc)= 06905cdf473cd677e1eabc3bebe9c506
--
-- This better be the sig!

Yup.

-- $ tar xvfz krb5-1.3.1.tar.gz
-- $ cd krb5-1.3.1
-- $ ./configure --prefix=/usr

The path I got was /root/krb5-1.3.1/src/configure, but no matter. In order to
get that script working I installed:
glibc-kernheaders-2.4-8.36.i386.rpm
glibc-headers-2.3.2-101.i386.rpm
glibc-devel-2.3.2-101.i386.rpm
cpp-3.3.2-1.i386.rpm
binutils-2.14.90.0.6-3.i386.rpm
gcc-3.3.2-1.i386.rpm

It appeared to run without errors.

-- $ make && make install

This got some errors and complained about missing some things.

-- kinit & klist should now be found under /usr/

Still no kinit and net ads join ... returns failed: Cannot find KDC for
requested realm. Interestingly:

[EMAIL PROTECTED] root]# locate kinit
/usr/share/doc/krb5-workstation-1.3.1/kinit.html
/usr/share/man/man8/mkinitrd.8.gz
/usr/share/ghostscript/7.07/vflib/kinit.ps
/usr/kerberos/bin/kinit
/usr/kerberos/man/man1/kinit.1.gz
/sbin/mkinitrd
[EMAIL PROTECTED] root]# cd /usr/kerberos/bin
-bash: cd: /usr/kerberos/bin: No such file or directory
[EMAIL PROTECTED] root]# kinit
-bash: kinit: command not found
[EMAIL PROTECTED] root]#

http://www.samba.org/samba/docs/man/domain-member.html#ads-member under
Possible Errors details:
ADS support not compiled in
Samba must be reconfigured (remove config.cache) and recompiled (make clean
all install) after the Kerberos libraries and headers files are installed.

rpm -e-ed all of Samba, then installed, and then configured via SWAT
again.

[EMAIL PROTECTED] root]# net ads join -U Administrator
Administrator password:
[2004/02/20 00:52:01, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot
find KDC for requested realm
[EMAIL PROTECTED] root]#

-- Good lucc!
--
-- Michael Brown

D'oh
 - kaze



Re: [Samba] net ads join / kinit /.conf syntax

2004-02-19 Thread Michael Brown

On Fri, 20 Feb 2004 01:04:24 -0500
kaze [EMAIL PROTECTED] wrote:
 The path I got was /root/krb5-1.3.1/src/configure, but no matter. In order to

Sorry, I should have said -
# cd krb5-1.3.1/src
# configure --prefix=/usr
# make && make install
# ls /usr/bin/kinit
kinit


It would be prudent to then install a recent version of cyrus-sasl to insure an
gss-api layer for auth when trying against ms-ad.

Hope this helps.

Michael Brown



RE: [Samba] net ads join / kinit /.conf syntax

2004-02-18 Thread kaze
-- From: Michael Brown [mailto:[EMAIL PROTECTED]
-- Sent: Wednesday, February 18, 2004 7:50 PM
...
-- On Wed, 18 Feb 2004 18:38:44 -0500
-- kaze [EMAIL PROTECTED] wrote:
--  [EMAIL PROTECTED] root]# kinit
--  -bash: kinit: command not found
--  [EMAIL PROTECTED] root]#
--  [EMAIL PROTECTED] root]# klist
--  -bash: klist: command not found
--
-- You have to install kerberos first (either MIT or Heimdal); it
-- seems you don't
-- have it on your system.
-- You can find the source tarball for MIT Kerberos here:
--
-- http://web.mit.edu/kerberos/dist/index.html
--
-- Hope this helps.
--
-- Michael Brown

Yeah! I feel farther along, but it still doesn't work.

I installed the krb5-workstation-1.3.1-6.i386.rpm and after re-reading
http://www.samba.org/samba/docs/man/domain-member.html#ads-member restored
/etc/krb5.conf to its original state.

[EMAIL PROTECTED] root]#
[EMAIL PROTECTED] root]#  rpm -qa | egrep krb5
krb5-libs-1.3.1-6
pam_krb5-2.0.4-1
krb5-workstation-1.3.1-6
[EMAIL PROTECTED] root]#
[EMAIL PROTECTED] root]# kinit
-bash: kinit: command not found
[EMAIL PROTECTED] root]#
[EMAIL PROTECTED] root]# ls -laF /usr/local/bin
total 8
drwxr-xr-x2 root root 4096 Oct  7 07:16 ./
drwxr-xr-x   11 root root 4096 Feb 11 11:33 ../
[EMAIL PROTECTED] root]#

/usr/local/bin is where the Installing and Configuring UNIX Client
Machines section of
http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-install.html
says kinit and the rest will be. Is there some other package I need to
install or some script to run?

Of course net ads join ... still returns failed: Cannot find KDC for
requested realm

What to do?
 - kaze



RE: [Samba] net ads join / kinit /.conf syntax

2004-02-18 Thread John H Terpstra
On Thu, 19 Feb 2004, kaze wrote:

 Yeah! I feel farther along, but it still doesn't work.

 I installed the krb5-workstation-1.3.1-6.i386.rpm and after re-reading
 http://www.samba.org/samba/docs/man/domain-member.html#ads-member restored
 /etc/krb5.conf to its original state.

 [EMAIL PROTECTED] root]#
 [EMAIL PROTECTED] root]#  rpm -qa | egrep krb5
 krb5-libs-1.3.1-6
 pam_krb5-2.0.4-1
 krb5-workstation-1.3.1-6
 [EMAIL PROTECTED] root]#
 [EMAIL PROTECTED] root]# kinit
 -bash: kinit: command not found
 [EMAIL PROTECTED] root]#
 [EMAIL PROTECTED] root]# ls -laF /usr/local/bin
 total 8
 drwxr-xr-x    2 root root 4096 Oct  7 07:16 ./
 drwxr-xr-x   11 root root 4096 Feb 11 11:33 ../
 [EMAIL PROTECTED] root]#

 /usr/local/bin is where the Installing and Configuring UNIX Client
 Machines section of
 http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-install.html
 says kinit and the rest will be. Is there some other package I need to
 install or some script to run?

 Of course net ads join ... still returns failed: Cannot find KDC for
 requested realm

Hmmm. ...


 What to do?

Did the Samba-HOWTO-Collection.pdf help in any way? What part of Section
7.4 does not work for you? If you can help me to find the problem I can
help to fix the documentation.

See: http://www.samba.org/docs/Samba-HOWTO-Collection.pdf

cheers,
John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


RE: [Samba] net ads join Kerberos credentials only after kinit?

2003-10-02 Thread Andrew Smith-MAGAZINES
The purpose of net ads join -U Administrator%password (password is required) is not 
to obtain a Kerberos ticket but to create a computer account in the AD thereby setting 
up the trust required for other clients to authenticate to the Samba server with an AD 
Kerberos TGT. Use kinit from any client system, after doing the net ads join on the 
Samba server, to get your TGT and I think you'll find everything works as intended,

thanks Andy.

-Original Message-
From: Axel Suppantschitsch [mailto:[EMAIL PROTECTED]
Sent: 02 October 2003 10:29
To: [EMAIL PROTECTED]
Subject: [Samba] net ads join Kerberos credentials only after kinit?


According to the latest version of the Samba Documentation there are three
major
steps to add a samba server as member server to an ADS:

1.) Configure samba correctly to use ADS (smb.conf).
2.) Configure Kerberos correctly to work with ADS KDC (krb5.conf).
3.) Join the samba server with net ads join -U Administrator.

Well, all this sounds good, but it definitely doesn't work, you won't have any
kerberos tickets in your credentials cache after this process. So either the
samba documentation is incomplete, or there is a bug in samba.

Anyway, it seems that I found a workable solution:

I use Samba 3.0.0 release.
I use MIT Kerberos libraries 1.3.1 (Don't know if this works with Heimdal).
I tested this with Windows 2000 and Windows 2003 Servers. It worked on both.

1.) Do a kinit [EMAIL PROTECTED]. This will get you initial kerberos
credentials. It is essential to get credentials _BEFORE_ step #2!
2.) Do a net ads join. This will use your kerberos credentials from step #1
and add the samba server to your ADS domain without the need to specify a
username or a password.
3.) Do a klist and you will see three different tickets in your kerberos
credentials cache.
4.) Do a smbclient -k \\windowsserver\share and it should connect you without
entering username and password.

At this point I ask you guys, whether this is a bug or a feature:

1.)If it is a feature the samba documentation needs to be changed in order to
require valid Administrator kerberos credentials _BEFORE_ doing a net ads
join. This needs to be explicitly mentioned!

2.)If it is a bug, you know what you have to do... ;)

Hope this helps all the guys out there struggling with the same problem and
asking me for help... ;)

Regards, Axel.


RE: [Samba] net ads join Kerberos credentials only after kinit?

2003-10-02 Thread Axel Suppantschitsch
You might be right, but the use of kinit is only mentioned for testing
purposes, but not as an essential part of the implementation...

My process generates following credentials:

[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/01/03 14:24:47  10/02/03 00:25:36  krbtgt/[EMAIL PROTECTED]
renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/02/03 00:25:36  [EMAIL PROTECTED]
renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/01/03 14:27:57  kadmin/[EMAIL PROTECTED]
renew until 10/01/03 14:27:57


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] root]#

Your process generates following credentials:

[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/02/03 13:16:21  10/02/03 23:17:10  krbtgt/[EMAIL PROTECTED]
renew until 10/03/03 13:16:21


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] root]#

Any suggestions?

Regards, Axel.

Quoting Andrew Smith-MAGAZINES [EMAIL PROTECTED]:

 The purpose of net ads join -U Administrator%password (password is
 required) is not to obtain a Kerberos ticket but to create a computer account
 in the AD thereby setting up the trust required for other clients to
 authenticate to the Samba server with an AD Kerberos TGT. Use kinit from any
 client system, after doing the net ads join on the Samba server, to get your
 TGT and I think you'll find everything works as intended,
 
 thanks Andy.
 
 -Original Message-
 From: Axel Suppantschitsch [mailto:[EMAIL PROTECTED]
 Sent: 02 October 2003 10:29
 To: [EMAIL PROTECTED]
 Subject: [Samba] net ads join Kerberos credentials only after kinit?
 
 
 According to the latest version of the Samba Documentation there are three
 major
 steps to add a samba server as member server to an ADS:
 
 1.) Configure samba correctly to use ADS (smb.conf).
 2.) Configure Kerberos correctly to work with ADS KDC (krb5.conf).
 3.) Join the samba server with net ads join -U Administrator.
 
 Well, all this sounds good, but it definitely doesn't work, you won't have
 any
 kerberos tickets in your credentials cache after this process. So either
 the
 samba documentation is incomplete, or there is a bug in samba.
 
 Anyway, it seems that I found a workable solution:
 
 I use Samba 3.0.0 release.
 I use MIT Kerberos libraries 1.3.1 (Don't know if this works with Heimdal).
 I tested this with Windows 2000 and Windows 2003 Servers. It worked on both.
 
 
 1.) Do a kinit [EMAIL PROTECTED]. This will get you initial
 kerberos
 credentials. It is essential to get credentials _BEFORE_ step #2!
 2.) Do a net ads join. This will use your kerberos credentials from step
 #1
 and add the samba server to your ADS domain without the need to specify a
 username or a password.
 3.) Do a klist and you will see three different tickets in your kerberos
 credentials cache.
 4.) Do a smbclient -k \\windowsserver\share and it should connect you
 without
 entering username and password.
 
 At this point I ask you guys, whether this is a bug or a feature:
 
 1.)If it is a feature the samba documentation needs to be changed in order
 to
 require valid Administrator kerberos credentials _BEFORE_ doing a net ads
 join. This needs to be explicitly mentioned!
 
 2.)If it is a bug, you know what you have to do... ;)
 
 Hope this helps all the guys out there struggling with the same problem
 and
 asking me for help... ;)
 
 Regards, Axel. 


Re: [Samba] net ads join - tells me ADS support not compiled in but i did configure it!!

2003-06-26 Thread Andrew Bartlett
On Fri, 2003-06-27 at 01:42, stefan sokoll wrote:
 hi
  
 i'm using suse8.2
  
 i compiled and installed heimdal-0.6
  
 i configured samba3.0.0beta1 with:
 configure --with-winbind --with-pam-winbind --with-smbmount --with-ads --with-pam 
 --with-ldap
  
 i did make without options and make install
  
 kinit [EMAIL PROTECTED] did work
  
 net ads join told me ADS support not compiled in
  
 how can this be? - the configure file tells ads support is included by default and 
 additionally i added it as parameter to the configure script
  
 can somebody help me? i can see at the make output that he doesn't compile the ads 
 files!

Current Samba 3.0 CVS does a much better job of 'failing' configure if
you ask for --with-ads and you don't have the krb5.h, for example.

Previous versions would just ignore your request, and just disable it if
it was not available.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: [Samba] Net ADS JOIN error

2003-02-07 Thread Guenther Deschner
hello alessandro,

On Thu, Feb 06, 2003 at 04:37:24PM +0100, [EMAIL PROTECTED] wrote:
 Hi all,
 
 After having spend 2 days to resolve my problem to configure Samba 3.0 (the
 path to the libgcc_s was wrong) I've finally installed it and I'm trying to
 join the W2K AD domain with the command:
 
 1. kinit [EMAIL PROTECTED] (asking password and getting the ticket from
 the W2K)
 
 2. net ads join [EMAIL PROTECTED] (doesn't work)
 
 error message :
...
 [2003/02/06 15:09:08, 1] libsmb/clikrb5.c:krb5_mk_req2(234)
   krb5_get_credentials failed for s-tnet1luxdc01$@OUR.DOMAIN.INT (No
 credentials found with supported encryption types)

can you post your krb5.conf and tell us what flavour of kerberos you use
(mit or heimdal), sorry if you have posted these infos before but i did
not follow the whole thread.

on my host (samba3cvs, SuSE Linux 8.1, heimdal) you need:

[libdefaults]
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5

with mit you should have (at least i guess that):
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc

can you possibly try that? and you did change the password of
[EMAIL PROTECTED] once after your win2k dcs was set up?

bye,
guenther
-- 
Guenther Deschner [EMAIL PROTECTED]
SuSE Linux AG        GnuPG: 8EE11688
Berliner Str. 27  phone:  +49 (0) 30 / 430944778
D-13507 Berlin   fax:  +49 (0) 30 / 43732804






FWD: Re: [Samba] net ads join hangs

2002-11-29 Thread Errol Neal
-- Original Message --
From: Errol Neal [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 29 Nov 2002 17:13:39 -0800

Hello,

In my further investigation, it seems that winbindd cannot locate my kerberos ticket. 
Or, at least this is what this log output from winbindd

[2002/11/29 07:04:17, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for JCNTV
[2002/11/29 07:04:17, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
  krb5_cc_get_principal failed (No credentials cache found)
[2002/11/29 07:04:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
  ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE

Am I correct? But I do have a kerberos ticket... 

isaiah:/usr# /usr/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/29/02 17:11:59  11/30/02 03:11:45  [EMAIL PROTECTED]

Help would be appreciated... 


Best Regards,

Errol U. Neal





-- Original Message --
From: Errol Neal [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 29 Nov 2002 07:21:23 -0800

Hello,

I am using samba-3.0alpha21 on an out-of-the-box debian-3.0 box trying to join a 
native windows 2000 (active directory) domain. I have used alpha18, 19, and 20 in the 
past with a lot of success on red hat and linux from scratch systems with minimum 
challenges. However I cannot seem to join the domain in this instance. I am using 
openldap 2.1.8 and mit kerberos 1.2.7. The result of net ads join using alpha19 is 
that the command hangs after scrolling about 5 pages of text. Alpha20 segfaults for a 
reason unapparent to me and alpha21 hangs, as alpha19 did but only after the first 
line. The funny thing is that net ads status shows that my system is a member of 
the domain, but in starting winbindd, winbindd reports this:

 winbindd version 3.0alpha21 started.
  Copyright The Samba Team 2000-2001
[2002/11/29 07:04:07, 1] nsswitch/winbindd_util.c:add_trusted_domain(140)
  Added domain JCNTV
[2002/11/29 07:04:07, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
  krb5_cc_get_principal failed (No credentials cache found)
[2002/11/29 07:04:07, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
  ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE
[2002/11/29 07:04:17, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for JCNTV
[2002/11/29 07:04:17, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
  krb5_cc_get_principal failed (No credentials cache found)
[2002/11/29 07:04:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
  ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE

I compiled samba like so.. 
./configure --prefix=/usr/local/samba3 --with-pam

Here is a copy of my smb.conf

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2002/09/20 13:46:38

# Global parameters
[global]
workgroup = JCNTV
realm = JCNTV.PRIVATE
ADS server = 192.168.0.2
netbios name = ISAIAH
interfaces = **.**.**.**
bind interfaces only = Yes
security = ADS
wins server = 192.168.0.2
encrypt passwords = yes
host msdfs = Yes
msdfs root = Yes
winbind gid = 1000-65000
winbind uid = 1000-65000
winbind separator = +

[docroot]
path = /home/var/www
follow symlinks = no
browsable = yes
force create mode = 0664
force directory mode = 0755


My krb5.conf ..


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 #default_tags_enctypes = des-cbc-crc
 #default_tkt_enctypes = des-cbc-crc
 default_realm = JCNTV.PRIVATE
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 JCNTV.PRIVATE = {
  kdc = server2.jcntv.private:88
  default_domain = jcntv.private
 }

[domain_realm]
 .jcntv.private = JCNTV.PRIVATE
 jcntv.private = JCNTV.PRIVATE

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false


and finally, my ldap.conf..

# Your LDAP server. Must be resolvable without using LDAP.
host 192.168.0.2

# The distinguished name of the search base.
base dc=jcntv,dc=private

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# Use SSL
# ssl yes

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Administrator,cn=Users,dc=jcntv,dc=private
bindpw JxZ#!@//
#URI ldaps://192.168.0.2:636
# The credentials to bind with.
# Optional: default is no credential.

# The port.
#port 636
port 389

# The search scope.
scope sub

nss_base_passwd cn=Users,DC=jcntv,DC=private?one
nss_base_shadow cn=Users,DC=jcntv,DC=private?one
nss_base_group cn=Group,DC=jcntv,DC=private?one
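
An added example, not part of any post in this thread: a small checker for the enctype relations discussed in the two messages above (the DES-only lists suggested for Heimdal and MIT, and the `default_tags_enctypes` line in the posted krb5.conf). It flags relation names the Kerberos library would never read and lists restricted to single-DES, which RFC 6649 deprecates; the sample file is constructed from the posted fragments with the commented lines enabled, and the function and finding names are this example's own.

```python
import difflib

# Enctype relations read from [libdefaults]: the MIT names, plus the Heimdal
# names quoted in the thread.
KNOWN_KEYS = {
    "default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes",
    "default_etypes", "default_etypes_des",
}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed sample: the posted [libdefaults] with its two commented-out
# enctype lines enabled, and one value widened to the list suggested for MIT.
SAMPLE = """\
[libdefaults]
 ticket_lifetime = 24000
 default_tags_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_realm = JCNTV.PRIVATE

[realms]
 JCNTV.PRIVATE = {
  kdc = server2.jcntv.private:88
  default_domain = jcntv.private
 }
"""


def libdefaults_relations(text):
    """Yield (lineno, key, value) for top-level relations in [libdefaults]."""
    section, depth = None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if line == "}":
            depth = max(depth - 1, 0)     # end of a "name = { ... }" block
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "{":
            depth += 1                    # start of a nested block
            continue
        if section == "libdefaults" and depth == 0:
            yield lineno, key, value


def audit_enctypes(text):
    """Return (lineno, key, finding, detail) tuples for enctype relations."""
    findings = []
    for lineno, key, value in libdefaults_relations(text):
        if "enctype" not in key and "etype" not in key:
            continue
        if key not in KNOWN_KEYS:
            # A misspelled relation is never looked up, so the setting the
            # admin believes is in force has no effect.
            guess = difflib.get_close_matches(key, sorted(KNOWN_KEYS), n=1)
            findings.append((lineno, key, "unknown-key", guess[0] if guess else ""))
            continue
        etypes = value.replace(",", " ").split()
        weak = [e for e in etypes if e.lower() in SINGLE_DES]
        if weak and len(weak) == len(etypes):
            findings.append((lineno, key, "single-des-only", " ".join(weak)))
        elif weak:
            findings.append((lineno, key, "single-des-allowed", " ".join(weak)))
    return findings


if __name__ == "__main__":
    for finding in audit_enctypes(SAMPLE):
        print(finding)
```
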

