Hello,
I am trying to join a Samba 3.0.24 server into an ADS domain, which is
served by two Windows 2003 servers (let's say srv1.domain.local
(192.168.1.1)
and srv2.domain.local (192.168.1.4)). I am running Samba on a FreeBSD 6.2
machine and I have established an OpenVPN connection to the ADS network
(tunneling). I have this in my resolv.conf:
------------------------------------------------------------------------
search domain.local
nameserver 192.168.1.1
nameserver 192.168.1.4
------------------------------------------------------------------------
I also have this in my /etc/hosts:
------------------------------------------------------------------------
127.0.0.1 localhost localhost.my.domain
192.168.1.1 srv1.domain.local srv1
192.168.1.4 srv2.domain.local srv2
------------------------------------------------------------------------
and I have this in my krb5.conf:
------------------------------------------------------------------------
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
kdc = srv1.domain.local
}
[domain_realms]
.domain.local = DOMAIN.LOCAL
------------------------------------------------------------------------
And these are the relevant parameters in smb.conf:
------------------------------------------------------------------------
security = ADS
netbios name = BONAPARTE
server string = BONAPARTE Samba server
workgroup = INFRAX
realm = DOMAIN.LOCAL
local master = yes
preferred master = yes
wins server = 192.168.1.1 192.168.1.4
password server = srv1
------------------------------------------------------------------------
However, when I try to "kinit", I get this:
root@Bonaparte:~# kinit Administrator@DOMAIN.LOCAL
Administrator@DOMAIN.LOCAL's Password:
kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
and when I try to "net ads join" into the domain, I get this:
root@Bonaparte:~# net ads join -U Administrator%password
[2007/07/10 08:54:38, 0] libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password Administrator@DOMAIN.LOCAL failed: Response too big
for UDP, retry with TCP
[2007/07/10 08:54:38, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Response too big for UDP, retry with TCP
I am really stumped here. I have tried to change the kdc entry in krb5.conf
like this:
[realms]
DOMAIN.LOCAL = {
kdc = tcp/srv1.domain.local
}
but no luck either. FreeBSD 6.2 has Heimdal Kerberos 0.6.3 in its base
system, I guess this is OK.
Let me also tell you this: we first had a Windows 2000 server and
a Windows 2003 server as srv1 and srv2, but then we replaced the
2000 with another 2003. This BSD box is a new server as well, previously
I had FreeBSD 5.4 (Samba 3.0.22) and I was ABLE to join it into the ADS
(via the Win2000 server). There is no computer account in the ADS for the
BSD box anymore, so I am trying to create it again (by joining it into the
domain).
Any ideas?
Thanks,
Nejc
Hello!

You could either use an administrative account which is not a member of
so many groups (causing the "packet too big" error), or use a more recent
version of samba.

In any version <= 3.0.22 the tcp fallback is not implemented during the
kpasswd request. The krb5.conf kdc line is not taken into account at this
place.

Greets,
Martin

Nejc Škoberne wrote:
> Hello,
>
> I am trying to join a Samba 3.0.24 server into an ADS domain, which is
> served by two Windows 2003 servers (let's say srv1.domain.local
> (192.168.1.1)
> and srv2.domain.local (192.168.1.4)). I am running Samba on a FreeBSD 6.2
> machine and I have established an OpenVPN connection to the ADS network
> (tunneling). I have this in my resolv.conf:
[...]
> However, when I try to "kinit", I get this:
>
> root@Bonaparte:~# kinit Administrator@DOMAIN.LOCAL
> Administrator@DOMAIN.LOCAL's Password:
> kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
>
[...]
> Any ideas?
>
> Thanks,
> Nejc

--
Martin Zielinski mz@seh.de
Software Development
SEH Computertechnik GmbH www.seh.de
Hey Martin,

thanks for your quick reply.

> You could either use an administrative account which is not a member of
> so many groups (causing the "packet too big" error), or use a more
> recent version of samba.

I tried the first option first: created a new account, put it into the
"Administrators" and "Domain Admins" groups (so it is in three groups now)
but I still get the "packet too big" error.

> In any version <= 3.0.22 the tcp fallback is not implemented during the
> kpasswd request. The krb5.conf kdc line is not taken into account at
> this place.

I am running Samba 3.0.24 - so this version supports tcp fallback, right?
What can I try next?

Thanks,
Nejc
Hi again,

> You could either use an administrative account which is not a member of
> so many groups (causing the "packet too big" error), or use a more
> recent version of samba.
> In any version <= 3.0.22 the tcp fallback is not implemented during the
> kpasswd request. The krb5.conf kdc line is not taken into account at
> this place.

I upgraded Samba to 3.0.25a and tried again with the user who has
administrator privileges but is not in so many groups. I get a slightly
different message, but it is still a no go:

root@Bonaparte:~# net ads join -U domainadmin%idsrmap978
[2007/07/11 11:36:34, 0] libads/kerberos.c:ads_kinit_password(227)
kerberos_kinit_password domainadmin@INFRAX.LOCAL failed: Response too big
for UDP, retry with TCP
Failed to join domain: NT_STATUS_PROTOCOL_UNREACHABLE

Any ideas?

Thanks,
Nejc
Hey Todd,

> Kinit uses the installed kerberos package - if your kerberos package
> does not do TCP fallback in the AS_REQ, you'll never be able to get a
> ticket when you see this error message - it's generated by the KDC,
> which will refuse to issue a ticket > roughly 1500 bytes (for MS KDCs).
> Time to update your Kerberos port (MIT's dist > 1.4.1 supports TCP).

OK, I understand now. I installed MIT's Kerberos5 (installed port 'krb5'
on FreeBSD, added 'KRB5_HOME=/usr/local' to /etc/make.conf and rebuilt the
samba3 port) and I succeeded in joining the Samba server into the ADS
domain.

Thanks to everyone!

Bye,
Nejc
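What the thread is hitting is the KDC answering the AS-REQ with a KRB-ERROR whose error-code is 52 (KRB_ERR_RESPONSE_TOO_BIG): the AS-REP, inflated by the group SIDs carried for an account in many groups, no longer fits the UDP datagram the Windows KDC is willing to send, and the old Heimdal client never retries over TCP. The following is an added example, not code from this thread or from Samba, Heimdal or MIT: it builds a constructed KRB-ERROR in DER, pulls the error-code out of it, and performs the RFC 4120 UDP-then-TCP fallback against stand-in transport functions (send_udp/send_tcp are assumed callables, and the timestamp and realm are constructed sample values).

```python
KRB_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120 s7.5.9: KDC reply would not fit in one UDP datagram
MSG_TYPE_KRB_ERROR = 30

def der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def ctx(n, body):
    """EXPLICIT context-specific [n] wrapper; Kerberos tags every field this way."""
    return der(0xA0 | n, body)

def small_int(v):
    """DER INTEGER for 0 <= v < 128, enough for every value in this message."""
    return der(0x02, bytes([v]))

def build_krb_error(code, realm=b"DOMAIN.LOCAL"):
    """Constructed KRB-ERROR ([APPLICATION 30] SEQUENCE) carrying only its mandatory fields."""
    sname = der(0x30, ctx(0, small_int(2)) + ctx(1, der(0x30, der(0x1B, b"krbtgt") + der(0x1B, realm))))
    body = (ctx(0, small_int(5)) + ctx(1, small_int(MSG_TYPE_KRB_ERROR)) + ctx(4, der(0x18, b"20070710085438Z"))
            + ctx(5, small_int(0)) + ctx(6, small_int(code)) + ctx(9, der(0x1B, realm)) + ctx(10, sname))
    return der(0x7E, der(0x30, body))

def read_tlv(buf, pos):
    """Decode the TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    """Return the error-code [6] of a KRB-ERROR, or None if msg is some other message."""
    if len(msg) < 2 or msg[0] != 0x7E:  # [APPLICATION 30] == 0x60 | 30
        return None
    fields, pos = read_tlv(read_tlv(msg, 0)[1], 0)[1], 0
    while pos < len(fields):
        tag, inner, pos = read_tlv(fields, pos)
        if tag == 0xA6:  # [6] error-code
            return int.from_bytes(read_tlv(inner, 0)[1], "big", signed=True)
    return None

def kdc_exchange(send_udp, send_tcp, req):
    """Client side of RFC 4120 s7.2: UDP first; on RESPONSE_TOO_BIG resend over TCP with a 4-octet length prefix."""
    reply = send_udp(req)
    if krb_error_code(reply) != KRB_ERR_RESPONSE_TOO_BIG:
        return "udp", reply
    framed = send_tcp(len(req).to_bytes(4, "big") + req)
    return "tcp", framed[4:4 + int.from_bytes(framed[:4], "big")]
```

MIT Kerberos 1.4.1 and later performs this fallback itself, and setting `udp_preference_limit = 1` under `[libdefaults]` in krb5.conf makes the MIT library use TCP from the first request instead of waiting for the error.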