Hi,

I am trying to configure winbind on redhat 9, using samba 3. I would like to join a machine that already has an existing Active Directory account to our Domain. Unfortunately, the command "net join -U(our Administrator account)" fails. Text in brackets () has been replaced to hide specific information.

Here is the output of "net join -U (Administrator account)":

[2004/04/21 13:11:55, 0] libads/ldap.c:ads_add_machine_acct(1006)
  Host account for id010393 already exists - modifying old account
[2004/04/21 13:11:55, 0] libads/ldap.c:ads_join_realm(1342)
  ads_add_machine_acct: No such object
ads_join_realm: No such object
ADS join did not work, falling back to RPC...
[2004/04/21 13:11:56, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(286)
  error setting trust account password: NT_STATUS_ACCESS_DENIED
Unable to join domain (DOMAIN).

Has anyone experienced this before? I will be happy to document a solution if anyone has one.

Thanks,
Ian McNally

System Configuration:

I have installed:

samba-3.0.2a-1_rh9.i386.rpm
krb5-devel-1.2.7-10.i386.rpm
krb5-devel-1.2.7-10.i386.rpm
krb5-workstation-1.2.7-10.i386.rpm

I have configured Kerberos such that kinit (Administrator account)@(DOMAIN) succeeds.

Klist returns this output:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: (Adminuser)@(DOMAIN)

Valid starting     Expires            Service principal
04/21/04 12:36:45  04/21/04 22:36:45  krbtgt/(Domain)@(Domain)

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Contents of /etc/samba/smb.conf:

workgroup = (DOMAIN)
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
security = ADS
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
realm = (DOMAIN)
password server = (KDC).(DOMAIN)

Contents of /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = (DOMAIN)
 dns_lookup_realm = yes
 dns_lookup_kdc = yes
 default_etypes = des-cbc-crc des-cbc-md5
 default_etypes_des = des-cbc=crc des-cbc-md5

[realms]
 (DOMAIN) = {
  kdc = (KDC)
  default_domain = (domain)
 }

[domain_realm]
 .(domain) = (DOMAIN)
 (domain) = (DOMAIN)

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[logging]
 default = FILE:/var/log/krb5.log

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }