C.Peterman
2007-Oct-29 15:29 UTC
[Samba] Joining a Linux Machine to a Windows 2003 Active Directory Domain
Hey all, I'm trying to join a Linux machine running CentOS 5, Samba version 3.0.23 to a Windows 2003 Active Directory. I can authenticate successfully against Kerberos, but I cannot seem to join the domain. I'm using instructions from this article http://www.enterprisenetworkingplanet.com/netos/article.php/3487081 but when I get to the join command I get this

[root@0-1-3-1d-38-f2 ~]# net ads join -U adjoin
adjoin's password:
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
Failed to join domain!

Any help would be most welcome!

~ Chris "Kyral" Peterman
Communications & Media Undergraduate
Clarkson University Class of 2008
Aaron Kincer
2007-Oct-29 15:43 UTC
[Samba] Joining a Linux Machine to a Windows 2003 Active Directory Domain
I was getting that message when the name of my computer didn't match that of what I set in my SMB.conf for "server string" parameter. Not knowing any details of your smb.conf and your system, that is my shot in the dark gotcha.
C.Peterman
2007-Oct-29 16:30 UTC
[Samba] Joining a Linux Machine to a Windows 2003 Active Directory Domain
Ah sorry, here is my smb.conf

<< Begin smb.conf >>
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = AD

# server string is the equivalent of the NT Description field
server string = 0-1-3-1d-38-f2.noc.clarkson.edu

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = ADS

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes

# This option tells cups that the data has already been rasterized
cups options = raw

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log

# Put a capping on the size of the log files (in Kb).
max log size = 50

# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
realm = AD.CLARKSON.EDU

# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = no

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g

encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-20000
idmap gid = 600-20000
template shell = /bin/bash

#============================ Share Definitions =============================
[homes]
comment = Home Directories
browseable = no
writable = yes
read only = No
valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = yes
writable = no
printable = yes
<< End smb.conf >>
MK
2007-Oct-29 23:53 UTC
[Samba] Joining a Linux Machine to a Windows 2003 Active DirectoryDomain
Man.. u r not a member of domain admin..
Chris Peterman
2007-Nov-01 02:42 UTC
[Samba] Joining a Linux Machine to a Windows 2003 Active Directory Domain
I talked with the AD admin and he realized that ADJoin doesn't have the full complement of privileges needed. So he tried his (full admin) account and it still doesn't work. He noticed that klist dumped something weird out... I dunno if this is the right place to talk about Kerberos, but since this relates to the whole Samba thing. Here is the output from kinit + klist

Script started on Wed 31 Oct 2007 01:26:18 PM EDT
[root@0-1-3-1d-38-f2 ~]# kinit petermcv@AD.CLARKSON.EDU
mwinscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared file: /var/run/pcscd.pub
Password for petermcv@AD.CLARKSON.EDU:
[root@0-1-3-1d-38-f2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: petermcv@AD.CLARKSON.EDU

Valid starting     Expires            Service principal
10/31/07 13:27:10  10/31/07 23:27:13  krbtgt/AD.CLARKSON.EDU@AD.CLARKSON.EDU
        renew until 11/01/07 13:27:10

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@0-1-3-1d-38-f2 ~]#
Script done on Wed 31 Oct 2007 01:27:24 PM EDT

He thought it was odd that it was appending AD.CLARKSON.EDU to the domain. The krb5.conf is basically what is in the article with appropriate values subbed in.

On Monday 29 October 2007 12:05:38 you wrote:
> Chris,
>
> Does the user "adjoin" have privileges to join the domain? Usually the
> user "Administrator" is used.
> For clarification see:
> http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html#id371232
>
> The command "net rpc rights list -U adjoin" must return
> "SeMachineAccountPrivilege".
>
> I used the same article to set up my systems, and Administrator seems to
> have these rights by default, because it's always worked with no
> intervention on my part. Once you get this part working, a good
> followup article is:
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>
> Good luck,
> Dale

--
~ Chris "Kyral" Peterman
Communications & Media Undergraduate
Clarkson University
Associate Member of the Free Software Foundation
Member of the Association for Computing Machinery
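Added example, not part of the thread or written by any of its participants: a Python pre-flight check over the two artifacts posted above, the [global] section of smb.conf and the klist output. It reports whether security is ads, whether the ticket cache's default principal is in the smb.conf realm, whether a krbtgt/REALM@REALM ticket (the form in which klist lists a ticket-granting ticket) is present, and which parameters are set more than once, as log file is in the posted config. The function names and the trimmed sample inputs are constructed for illustration.

```python
import re

# Constructed inputs, trimmed from the smb.conf and klist output quoted in the thread.
SMB_CONF = """\
[global]
workgroup = AD
security = ADS
realm = AD.CLARKSON.EDU
log file = /var/log/samba/%m.log
; passdb backend = tdbsam
log file = /var/log/samba/%m
[homes]
valid users = %S
"""
KLIST = """\
Default principal: petermcv@AD.CLARKSON.EDU
10/31/07 13:27:10  10/31/07 23:27:13  krbtgt/AD.CLARKSON.EDU@AD.CLARKSON.EDU
"""

def parse_global(text):
    """Return ([global] settings, names set more than once); the last value wins."""
    settings, repeated, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded spaces
            key = re.sub(r"\s+", "", name).lower()
            if key in settings and key not in repeated:
                repeated.append(key)
            settings[key] = value.strip()
    return settings, repeated

def preflight(smb_conf, klist_out):
    """Return a list of findings; an empty list means every check passed."""
    conf, repeated = parse_global(smb_conf)
    findings = [f"'{k}' is set more than once in [global]; the last value wins"
                for k in repeated]
    realm = conf.get("realm", "")
    if conf.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'")
    m = re.search(r"^Default principal:\s*\S+@(\S+)\s*$", klist_out, re.M)
    if not m or m.group(1) != realm:
        findings.append("default principal is not in the smb.conf realm")
    if f"krbtgt/{realm}@{realm}" not in klist_out:
        findings.append("no krbtgt ticket for the smb.conf realm")
    return findings
```
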