
Unable to join AD



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everybody,

I'm going crazy trying to get my Linux box to work with Active
Directory.

It's a Fedora Core 4 system, and these are the installed RPMs:

[root (at) desarrollo ~]# cat /etc/redhat-release 
Fedora Core release 4 (Stentz)
[root (at) desarrollo ~]# rpm -qa|grep samba
samba-3.0.14a-2
samba-common-3.0.14a-2
[root (at) desarrollo ~]# rpm -qa|grep krb  
krb5-libs-1.4.1-5
krb5-workstation-1.4.1-5
krb5-devel-1.4.1-5
pam_krb5-2.1.15-2
krb5-server-1.4.1-5
[root (at) desarrollo ~]#

Kerberos auth seems to work ok. This is the kerberos config:

[root (at) desarrollo ~]# cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OUR.DOMAIN.COM
 dns_lookup_realm = yes
 dns_lookup_kdc = yes
 ticket_lifetime = 24h
 forwardable = yes
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 noaddresses = false

[realms]
 OUR.DOMAIN.COM = {
  kdc = 192.168.0.206:88
  admin_server = 192.168.0.206:749
  default_domain = OUR.DOMAIN.COM
 }

[domain_realm]
 .our.domain.com = OUR.DOMAIN.COM
 our.domain.com = OUR.DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


[root (at) desarrollo ~]# cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 OUR.DOMAIN.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
des-cbc-crc:v4 des-cbc-crc:afs3
 }

And the output of kinit and klist:

[root (at) desarrollo ~]# kinit Administrador (at) OUR.DOMAIN.COM   
Password for Administrador (at) OUR.DOMAIN.COM: 
[root (at) desarrollo ~]# 

[root (at) desarrollo ~]# klist 
klist: You have no tickets cached
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrador (at) OUR.DOMAIN.COM

Valid starting     Expires            Service principal
06/20/06 17:50:10  06/21/06 03:50:07 
krbtgt/OUR.DOMAIN.COM (at) OUR.DOMAIN.COM
        renew until 06/21/06 17:50:10


Kerberos 4 ticket cache: /tmp/tkt0

Also, we have tested kpasswd, and it changes the Administrador
password as expected.


This is our samba config:

[root (at) desarrollo ~]# cat /etc/samba/smb.conf

[global]
workgroup = OURWORKGROUP
netbios name = DESARROLLO
realm = OUR.DOMAIN.COM
security = ADS
template shell = /bin/bash
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind use default domain = Yes
winbind nested groups = Yes

And this is what happens when we try to test the domain join:

[root (at) desarrollo ~]# net ads --debuglevel=2 testjoin
[2006/06/20 17:56:57, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.0.32 bcast=192.168.0.255
nmask=255.255.255.0
[2006/06/20 17:56:57, 2] lib/interface.c:add_interface(81)
  added interface ip=86.109.160.35 bcast=86.109.160.255
nmask=255.255.255.0
[2006/06/20 17:56:57, 1] libads/ldap.c:ads_server_info(2454)
  ads_server_info: returned ldap server name
(host/terminal-server.our.domain.com (at) OUR.DOMAIN.COM) does not contain
'$ (at) ' so was deemed invalid
[2006/06/20 17:56:57, 1] libads/ldap.c:ads_connect(289)
  Failed to get ldap server info
[2006/06/20 17:56:57, 1] libads/ldap.c:ads_server_info(2454)
  ads_server_info: returned ldap server name
(host/terminal-server.our.domain.com (at) OUR.DOMAIN.COM) does not contain
'$ (at) ' so was deemed invalid
[2006/06/20 17:56:57, 1] libads/ldap.c:ads_connect(289)
  Failed to get ldap server info
[2006/06/20 17:56:57, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Decoding error
Join to domain is not valid
[2006/06/20 17:56:57, 2] utils/net.c:main(897)
  return code = -1


Thanks in advance for any kind of help

______________
Regards,
Roberto Navarro
SysAdmin - TusProfesionales, SL

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRJgcJMhDftHeZF7JEQJXrgCg0lWmMKuSJR9O2XSjnX249fLDOwoAniBM
MjPupHyPVBRSnyEgUnhAqk9g
=Exjg
-----END PGP SIGNATURE-----