I am trying to connect to an ADS domain and it is failing all the time.

I am running SuSE Linux 9.0 with Samba 3.0.13 and have configured Samba with ldap and heimdal kerberos.

Attached is my debug level 10 error log created when the join is attempted.

I would appreciate any advice on solving this problem.

Thanks in advance

Penny Willisson

DISCLAIMER: The information contained within or attached to this transmission is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, or distribution of the message, either in full or in part, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Any views or opinions presented are solely those of the author and do not necessarily represent those of the company. Although every effort is taken to ensure that all e-mail is scanned for viruses, Ellisons will accept no responsibility for any damage or inconvenience resulting from any virus that may be contained in this e-mail. A list of Partners is available on request.

Sorry attachment was removed - I have now pasted log file here.

[2005/04/05 15:11:44, 5] lib/debug.c:debug_dump_status(366)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
[2005/04/05 15:11:44, 3] param/loadparm.c:lp_load(3907)
  lp_load: refreshing parameters
[2005/04/05 15:11:44, 3] param/loadparm.c:init_globals(1321)
  Initialising global parameters
[2005/04/05 15:11:44, 3] param/params.c:pm_process(573)
  params.c:pm_process() - Processing configuration file "/usr/local/samba3/lib/smb.conf"
[2005/04/05 15:11:44, 3] param/loadparm.c:do_section(3409)
  Processing section "[global]"
  doing parameter workgroup = ELLNET
  doing parameter realm = ellisonslegal.com
  doing parameter server string = Samba 3.0.13
  doing parameter security = ADS
  doing parameter allow trusted domains = No
  doing parameter log level = 1
  doing parameter syslog = 0
  doing parameter log file = /var/log/samba/%m
  doing parameter max log size = 50
  doing parameter printcap name = CUPS
  doing parameter ldap ssl = no
  doing parameter idmap backend = idmap_rid:KPAK=500-100000000
  doing parameter idmap uid = 500-100000000
  doing parameter idmap gid = 500-100000000
  doing parameter template shell = /bin/bash
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = No
  doing parameter winbind enum groups = No
  doing parameter winbind nested groups = Yes
  doing parameter deadtime = 30
  doing parameter keepalive = 60
  doing parameter os level = 2
  doing parameter preferred master = No
  doing parameter wins support = Yes
[2005/04/05 15:11:44, 4] param/loadparm.c:lp_load(3938)
  pm_process() returned Yes
[2005/04/05 15:11:44, 7] param/loadparm.c:lp_servicenumber(4048)
  lp_servicenumber: couldn't find homes
[2005/04/05 15:11:44, 10] param/loadparm.c:set_server_role(3856)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2LE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2LE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16LE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16LE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2BE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2BE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16BE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16BE
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF8
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF8
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-8
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-8
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ASCII
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ASCII
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset 646
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset 646
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ISO-8859-1
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ISO-8859-1
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS2-HEX
[2005/04/05 15:11:44, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS2-HEX
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2005/04/05 15:11:44, 5] lib/util.c:init_names(256)
  Netbios name list:-
  my_netbios_names[0]="FSRVCOL2"
[2005/04/05 15:11:44, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
[2005/04/05 15:11:44, 5] libads/ldap.c:ads_try_connect(123)
  ads_try_connect: trying ldap server 'apps' port 389
[2005/04/05 15:11:44, 6] libads/ldap.c:ads_find_dc(214)
  ads_find_dc: looking for realm 'ELLISONSLEGAL.COM'
[2005/04/05 15:11:44, 8] libsmb/namequery.c:get_sorted_dc_list(1433)
  get_sorted_dc_list: attempting lookup using [ads]
[2005/04/05 15:11:44, 10] libsmb/namequery.c:internal_resolve_name(1028)
  internal_resolve_name: looking up ELLISONSLEGAL.COM#1c
[2005/04/05 15:11:44, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /usr/local/samba3/var/locks/gencache.tdb
[2005/04/05 15:11:44, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = NBT/ELLISONSLEGAL.COM#1C couldn't be found
[2005/04/05 15:11:44, 5] libsmb/namecache.c:namecache_fetch(195)
  no entry for ELLISONSLEGAL.COM#1C found.
[2005/04/05 15:11:44, 10] lib/gencache.c:gencache_del(214)
  Deleting cache entry (key = NBT/ELLISONSLEGAL.COM#1C)
[2005/04/05 15:11:44, 5] libsmb/namequery.c:resolve_ads(955)
  resolve_hosts: Attempting to resolve DC's for ELLISONSLEGAL.COM using DNS
[2005/04/05 15:11:44, 3] lib/util.c:interpret_addr(1148)
  sys_gethostbyname: Unknown host. exchange.ellisonslegal.com
[2005/04/05 15:11:44, 3] lib/util.c:interpret_addr(1148)
  sys_gethostbyname: Unknown host. apps.ellisonslegal.com
[2005/04/05 15:11:44, 3] lib/util.c:interpret_addr(1148)
  sys_gethostbyname: Unknown host. exchange.ellisonslegal.com
[2005/04/05 15:11:44, 5] libsmb/namecache.c:namecache_store(131)
  namecache_store: storing 0 addresses for ELLISONSLEGAL.COM#1c:
[2005/04/05 15:11:44, 10] libsmb/namequery.c:internal_resolve_name(1145)
  internal_resolve_name: returning 0 addresses:
[2005/04/05 15:11:44, 8] libsmb/namequery.c:get_dc_list(1316)
  Adding 0 DC's from auto lookup
[2005/04/05 15:11:44, 4] libsmb/namequery.c:get_dc_list(1332)
  get_dc_list: no servers found
[2005/04/05 15:11:44, 6] libads/ldap.c:ads_find_dc(214)
  ads_find_dc: looking for domain 'ELLNET'
[2005/04/05 15:11:44, 8] libsmb/namequery.c:get_sorted_dc_list(1433)
  get_sorted_dc_list: attempting lookup using [lmhosts wins host bcast]
[2005/04/05 15:11:44, 10] libsmb/namequery.c:internal_resolve_name(1028)
  internal_resolve_name: looking up ELLNET#1c
[2005/04/05 15:11:44, 10] lib/gencache.c:gencache_get(263)
  Returning valid cache entry: key = NBT/ELLNET#1C, value = 10.0.0.31:0,10.0.0.32:0, timeout = Tue Apr 5 15:22:26 2005
[2005/04/05 15:11:44, 5] libsmb/namecache.c:namecache_fetch(201)
  name ELLNET#1C found.
[2005/04/05 15:11:44, 8] libsmb/namequery.c:get_dc_list(1316)
  Adding 2 DC's from auto lookup
[2005/04/05 15:11:44, 10] libsmb/namequery.c:remove_duplicate_addrs2(320)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2005/04/05 15:11:44, 4] libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 2 ip addresses in an unordered list
[2005/04/05 15:11:44, 4] libsmb/namequery.c:get_dc_list(1407)
  get_dc_list: 10.0.0.31:0 10.0.0.32:0
[2005/04/05 15:11:44, 5] libads/ldap.c:ads_try_connect(123)
  ads_try_connect: trying ldap server '10.0.0.31' port 389
[2005/04/05 15:11:44, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server 10.0.0.31
[2005/04/05 15:11:44, 3] libads/ldap.c:ads_server_info(2469)
  got ldap server name apps@ELLISONSLEGAL.COM, using bind path: dc=ELLISONSLEGAL,dc=COM
[2005/04/05 15:11:44, 4] libads/ldap.c:ads_server_info(2475)
  time offset is -3170 seconds
[2005/04/05 15:11:44, 4] libads/sasl.c:ads_sasl_bind(447)
  Found SASL mechanism GSS-SPNEGO
[2005/04/05 15:11:44, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/04/05 15:11:44, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/04/05 15:11:44, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/04/05 15:11:44, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/04/05 15:11:44, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name =apps$@ELLISONSLEGAL.COM
[2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password Administrator@ELLISONSLEGAL.COM failed: Unknown code krb5 156
[2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
[2005/04/05 15:11:44, 2] utils/net.c:main(897)
  return code = -1

Hi

I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions.

I have executed the following command as suggested

net ads join Administrator@apps.ellisonslegal.com -d 2

The following was output to the screen:

[2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
[2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password Administrator@APPS.ELLISONSLEGAL.COM failed: Unknown code krb5 156
[2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
[2005/04/08 13:33:41, 2] utils/net.c:main(897)
  return code = -1

Thanks

Penny

-----Original Message-----
From: Gordon Hopper [mailto:g.hopper@computer.org]
Sent: 06 April 2005 05:28
To: Penny Willisson
Subject: Re: [Samba] net ads join fails

> [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
>   kerberos_kinit_password Administrator@ELLISONSLEGAL.COM failed: Unknown code krb5 156
> [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
>   ads_connect: Unknown code krb5 156

I suggest you post the output of the command you are running to join the domain (including the command), for example, "net ads join -U username@ds.domain.com -d 2".

Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. (It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.)

It almost looks like the password failed. Or perhaps the folder you specified for the machine account does not exist.

Regards,

Gordon Hopper

Thanks

When I run 'kinit administrator' I get the following error

kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com

any ideas???

-----Original Message-----
From: samba-bounces+pw=ellisonslegal.com@lists.samba.org [mailto:samba-bounces+pw=ellisonslegal.com@lists.samba.org] On Behalf Of Dimitri Yioulos
Sent: 08 April 2005 13:30
To: samba@lists.samba.org
Subject: Re: [Samba] net ads join fails

On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
> Hi
>
> I have created the machine account on the AD server and did this logged in
> as Administrator so that should mean that the Administrator account has the
> correct permissions.
>
> I have executed the following command as suggested
>
> net ads join Administrator@apps.ellisonslegal.com -d 2
>
> The following was output to the screen:
>
> [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
>   added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
> [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
>   kerberos_kinit_password Administrator@APPS.ELLISONSLEGAL.COM failed: Unknown code krb5 156
> [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
>   ads_connect: Unknown code krb5 156
> [2005/04/08 13:33:41, 2] utils/net.c:main(897)
>   return code = -1
>
> Thanks
>
> Penny

Try the command "kinit Administrator" (or "Administrator@yourdomain.com"). You should be prompted for a password. If, after entering the password, you're returned to a prompt with no further output then, in theory at least, your Kerberos setup is OK. If you get errors, well ... Run that first, then try "net ads join -U Administrator@yourdomain.com".

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

Hi!

Check your dns configuration!

I had similar problems and found out my dns server wasn't working correctly for the reverse resolution.

Good luck!

Ernesto Pereirinha

----- Original Message -----
From: "Penny Willisson" <Penny.Willisson@Ellisonslegal.com>
Date: Friday, April 8, 2005 3:41 pm
Subject: RE: [Samba] net ads join fails

> Thanks
>
> When I run 'kinit administrator' I get the following error
>
> kinit: krb5_get_init_creds: unable to reach any KDC in realm
> ellisonslegal.com
> any ideas???

I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from an article I found. I have pasted it in below

[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300

[realms]
ELLISONSLEGAL.COM = {
    kdc = apps.ellisonslegal.com
    #default_domain = ELLNET
    #kpasswd_server = apps.ellisonslegal.com
}
#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}
#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}

[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
    debug = false
}

Dimitri would you be able to repost that link for the HOW-TO please? I tried it but it seems like it is broken, do you have the updated link?

Thanks for your continued help.

Penny

-----Original Message-----
From: Gordon Hopper [mailto:g.hopper@computer.org]
Sent: 09 April 2005 00:23
To: Penny Willisson
Subject: RE: [Samba] net ads join fails

You might need to add some entries to your krb5.conf file, for example:

[realms]
ellisonslegal.com = {
    kdc = domain.controller.ellisonslegal.com:88
}

Where kdc points to a domain controller. Doesn't need to be the primary domain controller, choose one close by for best performance. (You shouldn't need to do this if your DNS for the domain resolves to a domain controller.)

Gordon

On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:
> Thanks
>
> When I run 'kinit administrator' I get the following error
>
> kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com
>
> any ideas???

No, neither /var/kerberos/krb5kdc/ nor /var/log/krb5/ exist. Is this part of the problem?

For Craig White and anyone new to the problem here are the outputs of some files.

>cat /etc/resolv.conf

search ellisonslegal.com
domain ellisonslegal.com
nameserver 10.0.0.31

>cat /etc/krb5.conf

[libdefaults]
default_realm = ELLISONSLEGAL.COM
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true

[domain_realm]
ellisonslegal.com = ELLISONSLEGAL.COM
.ellisonslegal.com = ELLISONSLEGAL.COM

[realms]
ELLISONSLEGAL.COM = {
    kdc = 10.0.0.31
    default_domain = ELLNET
    admin_server = 10.0.0.31
}

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
}

>kinit Administrator
>and/or
>kinit Administrator@ellingsonlegal.com

I do not have the kinit command

I am running Samba 3.0.13 on Suse Linux 9.0

Thank you for your help

Penny

-----Original Message-----
From: Radu.STANUC@cec.eu.int [mailto:Radu.STANUC@cec.eu.int]
Sent: 11 April 2005 16:57
To: Penny Willisson
Subject: RE: [Samba] net ads join fails

Try that, it is working for me

[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
ticket_lifetime = 24000
default_realm = BLABLA.COM
forwardable = true
proxiable = true

[realms]
BLABLA.COM = {
    kdc = ip_address_of_kdc
    default_domain = blabla.com
}

[domain_realm]
.blabla.com = BLABLA.COM
blabla.com = BLABLA.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

Check if /var/kerberos/krb5kdc/ and /var/log/krb5/ exist, also replace BLABLA.COM and blabla.com with the right value

Radu STANUC

-----Original Message-----
From: samba-bounces+radu.stanuc=cec.eu.int@lists.samba.org [mailto:samba-bounces+radu.stanuc=cec.eu.int@lists.samba.org] On Behalf Of Penny Willisson
Sent: Monday, April 11, 2005 3:43 PM
To: Gordon Hopper; ernesto.pereirinha@atminformatica.pt
Cc: samba@lists.samba.org
Subject: RE: [Samba] net ads join fails

I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from an article I found. I have pasted it in below

[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300

[realms]
ELLISONSLEGAL.COM = {
    kdc = apps.ellisonslegal.com
    #default_domain = ELLNET
    #kpasswd_server = apps.ellisonslegal.com
}
#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}
#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}

[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
    debug = false
}

Dimitri would you be able to repost that link for the HOW-TO please? I tried it but it seems like it is broken, do you have the updated link?

Thanks for your continued help.

Penny
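
Added example, not part of the original thread: a Python triage that cross-checks the debug output posted above against the first krb5.conf posted, comparing the reported time offset with clockskew, matching KDC host names against hosts the log reports as unresolvable, and listing failed principals whose realm has no [realms] entry. The function names, finding labels and the 300-second fallback for a missing clockskew are assumptions of this sketch, and both sample inputs are constructed from lines in the thread.

```python
import ipaddress
import re

# Constructed sample: entries copied from the debug output posted in this thread.
SAMPLE_LOG = """\
[2005/04/05 15:11:44, 3] lib/util.c:interpret_addr(1148)
  sys_gethostbyname: Unknown host. apps.ellisonslegal.com
[2005/04/05 15:11:44, 4] libads/ldap.c:ads_server_info(2475)
  time offset is -3170 seconds
[2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password Administrator@ELLISONSLEGAL.COM failed: Unknown code krb5 156
[2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password Administrator@APPS.ELLISONSLEGAL.COM failed: Unknown code krb5 156
"""

# Constructed sample: the first krb5.conf posted in this thread, shortened.
SAMPLE_KRB5 = """\
[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300
[realms]
ELLISONSLEGAL.COM = {
    kdc = apps.ellisonslegal.com
    #default_domain = ELLNET
}
[domain_realm]
.ellisonslegal.com = ELLISONSLEGAL.COM
"""

OFFSET_RE = re.compile(r"time offset is (-?\d+) seconds")
UNKNOWN_HOST_RE = re.compile(r"sys_gethostbyname: Unknown host\.\s+(\S+)")
KINIT_FAIL_RE = re.compile(r"kerberos_kinit_password (\S+)@(\S+) failed")


def parse_krb5_conf(text):
    """Parse [section], key = value and key = { ... } into nested dicts of lists."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}" and len(stack) > 1:     # close a nested block
            stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                     # open a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:                                # keys such as kdc may repeat
                stack[-1].setdefault(key, []).append(value)
    return conf


def kdc_host(entry):
    """Strip an optional :port from a kdc entry such as host:88."""
    return entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text, krb5_text):
    """Return a list of (kind, message) findings; an empty list means nothing flagged."""
    conf = parse_krb5_conf(krb5_text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    findings = []

    # Kerberos rejects requests whose clocks differ by more than the allowed skew.
    # Assumption: clockskew is written in plain seconds; 300 is used when it is absent.
    allowed = int(libdefaults.get("clockskew", ["300"])[0])
    for offset in map(int, OFFSET_RE.findall(log_text)):
        if abs(offset) > allowed:
            findings.append(("clock", f"offset {offset}s exceeds clockskew {allowed}s"))

    # A kdc given by name is only usable if that name resolves.
    unresolved = {h.lower() for h in UNKNOWN_HOST_RE.findall(log_text)}
    for realm, body in realms.items():
        if not isinstance(body, dict):
            continue
        for entry in body.get("kdc", []):
            host = kdc_host(entry).lower()
            if not is_ip(host) and host in unresolved:
                findings.append(("dns", f"kdc {host} for {realm} did not resolve"))

    if "default_realm" not in libdefaults:
        findings.append(("realm", "default_realm is not set"))
    # Realm names are case-sensitive, so compare them exactly.
    for user, realm in KINIT_FAIL_RE.findall(log_text):
        if realm not in realms:
            findings.append(("realm", f"{user}@{realm}: realm not in [realms]"))
    return findings


if __name__ == "__main__":
    for kind, message in triage(SAMPLE_LOG, SAMPLE_KRB5):
        print(f"{kind:5} {message}")
```
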