egold@fsa.com
2004-Sep-27 17:58 UTC
[Samba] why does samba need "anonymous access enabled" on windows to join AD server?
I noticed when trying to use a Windows Active Directory server for my "password server" that I cannot join the Windows AD domain (using the net join command) unless the Windows server has "anonymous access enabled". Why is this? I am trying to join as "administrator" so why does it need anonymous?

My Windows admins want to change all the Windows AD servers to disable anonymous access. So my question is: how can I get Samba to use Windows AD with anonymous access disabled? Why does Samba need anonymous access?

I'm running Solaris 8 and Samba 3.0.7.

Here is the error I get when anonymous access is turned off:

    /usr/local/samba/lib# net join -w MYDOMAIN.com -S WINSERVER3 -U Administrator
    Password:
    Unable to join domain FSA.

Here is my smb.conf:

    smb.conf:
    [Global] parameters
    workgroup = MYDOMAIN
    wins support = Yes
    hosts allow = all
    encrypt passwords = Yes
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    update encrypted = No
    lm announce = true
    log level = 2
    # for AD passwords
    # password server = *
    password server = WINSERVER1 WINSERVER2
    security = domain
    [export]
    path = /export
    comment = export
    browseable = yes
    writable = yes
    read only = No
    public = No
egold@fsa.com
2004-Sep-28 17:17 UTC
[Samba] RE: why does samba need "anonymous access enabled" on windows to join AD server?
I've asked this question several times but have not gotten an answer, can anyone give me any clues or tell me where to read about this please?!
Andreas
2004-Sep-29 12:54 UTC
[Samba] RE: why does samba need "anonymous access enabled" on windows to join AD server?
On Tue, Sep 28, 2004 at 01:17:06PM -0400, egold@fsa.com wrote:
> I noticed when trying to use a Windows Active Directory server for my
> "password server" that I cannot join the Windows AD domain (using the net
> join command) unless the Windows server has "anonymous access enabled".
> Why is this? I am trying to join as "administrator" so why does it need
> anonymous?

I think you need to use Kerberos, then it will work.

> smb.conf:
> [Global] parameters
> workgroup = MYDOMAIN
> wins support = Yes
> hosts allow = all
> encrypt passwords = Yes
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> update encrypted = No
> lm announce = true
> log level = 2
> # for AD passwords
> # password server = *
> password server = WINSERVER1 WINSERVER2
> security = domain
> [export]
> path = /export
> comment = export
> browseable = yes
> writable = yes
> read only = No
> public = No
>

Try to use "security = ads" and "realm = YOUR.AD.REALM". Configure Kerberos, grab a ticket granting ticket (TGT) for the Administrator principal and you should be able to use "net ads join".
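
The change suggested in the reply above, written out as an added example that is not part of the thread or of Samba's own documentation: it rewrites the posted [global] section for "security = ads", prints a minimal krb5.conf, and wraps the ticket and join step. The realm MYDOMAIN.COM, the KDC host name and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Placeholder values, not confirmed by the thread:
REALM="${REALM:-MYDOMAIN.COM}"           # assumed Kerberos realm (AD DNS domain, upper case)
KDC="${KDC:-winserver1.mydomain.com}"    # assumed FQDN of one domain controller

# Print a minimal krb5.conf that points the Kerberos client at the AD realm.
krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc = $KDC
    }
EOF
}

# Read an smb.conf on stdin and print it with the [global] section switched
# from its current "security = ..." line to "security = ads" plus a realm line.
# Other sections and parameters pass through unchanged. A [global] section
# with no security line at all is left as it is.
ads_smb_conf() {
    awk -v realm="$REALM" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/) }
        in_global && /^[ \t]*realm[ \t]*=/ { next }   # drop any old realm line
        in_global && /^[ \t]*security[ \t]*=/ {
            print "security = ads"
            print "realm = " realm
            next
        }
        { print }
    '
}

# Interactive part, needs a reachable domain controller: obtain a TGT for the
# Administrator principal, show it, then join using that ticket.
join_with_kerberos() {
    kinit "Administrator@$REALM" && klist && net ads join
}
```

Typical use would be `ads_smb_conf < smb.conf > smb.conf.ads` and `krb5_conf > krb5.conf`, reviewing both files before installing them and running join_with_kerberos as root.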