samba - Oct 2002 - Error joining Win2K domain: ads_connect: DSA is unavailable

I'm running 3.0alpha (both current CVS pull and alpha20 from dist) and
trying to have my samba server join our already in place Win2K ADS domain.  I am
able to 'kinit user@DOMAIN' and auth successfully, but upon attempting
'net ads join', I get the following:

# net ads join -Uadministrator
administrator password:
[2002/10/31 05:11:19, 1] libsmb/clikrb5.c:krb5_mk_req2(63)
  krb5_get_credentials failed for mnu-server$@MNU.EDU (No credentials found with
supported encryption types)
[2002/10/31 05:11:19, 1] utils/net_ads.c:ads_startup(148)
  ads_connect: DSA is unavailable

Any suggestions?

-Matt
MNU Internet System Administrator
MNU Network Security Administrator

On Thu, Oct 31, 2002 at 05:14:19AM -0500, Matt Sapp
wrote:
> I'm running 3.0alpha (both current CVS pull and alpha20 from dist) and
trying to have my samba server join our already in place Win2K ADS domain.  I am
able to 'kinit user@DOMAIN' and auth successfully, but upon attempting
'net ads join', I get the following:
> 
> # net ads join -Uadministrator
> administrator password:
> [2002/10/31 05:11:19, 1] libsmb/clikrb5.c:krb5_mk_req2(63)
>   krb5_get_credentials failed for mnu-server$@MNU.EDU (No credentials found
with supported encryption types)
> [2002/10/31 05:11:19, 1] utils/net_ads.c:ads_startup(148)
>   ads_connect: DSA is unavailable
You have not got the latest MIT kerberos (you need a snapshot, the 
releases don't seem to support it) and your Administrator password
has not been changed since you upgraded to ADS.  As such the only
password is the MD4 based password from pre-ads, which MIT can't 
use.

Andrew Bartlett

I had changed my administrator password on the Win2K server prior to doing the
"net ads join".  'kinit administrator@MNU.EDU' is successful. 
I went ahead and pulled down the krb5-current snapshot from MIT, and
samba3.0alpha wont build with it.  30 some lines of errors when 'Linking
bin/smbd', if anyone is interested.  Looks like brokenness in krb5 though. 
Is there a snapshot out there known to work with samba+win2k kdc?  Or any other
idea?  Is there no one running samba as a member in a Active directory? :)

-Matt
MNU Internet System Administrator
MNU Network Security Administrator


--- Original Message Below ---

From: Andrew Bartlett <abartlet@samba.org>
To: Matt Sapp <matt@mnu.edu>
Subject: Re: [Samba] Error joining Win2K domain: ads_connect: DSA is unavailable
Date: Thu, 31 Oct 2002 11:57:22 +0000

On Thu, Oct 31, 2002 at 05:14:19AM -0500, Matt Sapp
wrote:
> I'm running 3.0alpha (both current CVS pull and alpha20 from dist) and
trying to have my samba server join our already in place Win2K ADS domain.  I am
able to 'kinit user@DOMAIN' and auth successfully, but upon attempting
'net ads join', I get the following:
> 
> # net ads join -Uadministrator
> administrator password:
> [2002/10/31 05:11:19, 1] libsmb/clikrb5.c:krb5_mk_req2(63)
>   krb5_get_credentials failed for mnu-server$@MNU.EDU (No credentials found
with supported encryption types)
> [2002/10/31 05:11:19, 1] utils/net_ads.c:ads_startup(148)
>   ads_connect: DSA is unavailable
You have not got the latest MIT kerberos (you need a snapshot, the 
releases don't seem to support it) and your Administrator password
has not been changed since you upgraded to ADS.  As such the only
password is the MD4 based password from pre-ads, which MIT can't 
use.

Andrew Bartlett
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba