Frans Haarman
2007-May-31 13:05 UTC
[Samba] Can not join via ADS using administrator account, succeeded using another account
Hello,

Yesterday I used Samba to help me authenticate Windows users within the Squid Proxy server. ( FreeBSD-6.1 + Samba 3.0.25 )

The Kerberos setup went fine. However, I got the NT_STATUS_PROTOCOL_UNREACHABLE error code when trying to "net join" the domain. It seems this is Kerberos related. On the net some emails suggest using the "kdc = tcp/server.name" syntax to deal with big packets. This had no effect.

I was able to join the domain using the Administrator account and "net rpc". The "net ads" would fail each time. Another user was able to join the domain via net ads without any problems! I do not understand why that is. Do you?

After joining the domain, wbinfo still didn't do what I hoped it would.

What did work was:

#wbinfo -u
#wbinfo -g
#wbinfo -n
#wbinfo --user-sids

What did not work was:

#wbinfo -r
#wbinfo -i

proxy# wbinfo -r administrator
proxy# wbinfo -r administrator2
Could not get groups for user administrator2
proxy# wbinfo -i administrator
Could not get info for user administrator
proxy# winbindd -V
Version 3.0.25
proxy# wbinfo -V
Version 3.0.25

proxy# net ads status -U administrator
administrator's password:
proxy#
proxy# net ads status -U administrator
administrator's password:
[2007/05/31 13:00:12, 0] libads/kerberos.c:ads_kinit_password(227)
  kerberos_kinit_password administrator@SNIP failed: Preauthentication failed
[2007/05/31 13:00:12, 0] libads/kerberos.c:ads_kinit_password(227)
  kerberos_kinit_password administrator@SNIP failed: Preauthentication failed
proxy#

So above we see that when I enter the wrong password I get Kerberos errors.

proxy# clear
proxy# net ads status -U giessen
giessen's password:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
[ SNIP ]

With the above username/password I do get a reply! This might be because I joined the domain using that account? I have no clue, do you?

If someone has an idea what is causing this, I'd like to hear it.
If more info is needed, please tell me and I will see if I can provide more details.

Thanks,
Frans