Ok I deleted the incorrect conf file and set it up using Yast again. Here is the amended file. I tried using the IP address of the server this time but I'm still getting the same errors as before.

[libdefaults]
default_realm = ELLISONSLEGAL.COM
clockskew = 300

[domain_realm]
.ELLNET = ELLISONSLEGAL.COM

[realms]
ELLISONSLEGAL.COM = {
    kdc = 10.0.0.31
    default_domain = ELLNET
    kpasswd_server = 10.0.0.31
}

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
}

Thanks

-----Original Message-----
From: Penny Willisson
Sent: 11 April 2005 14:43
To: 'Gordon Hopper'; 'ernesto.pereirinha@atminformatica.pt'
Cc: Dimitri Yioulos; samba@lists.samba.org
Subject: RE: [Samba] net ads join fails

I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from an article I found.

I have pasted it in below

[libdefaults]
#default_realm = ellisonslegal.com
clockskew = 300

[realms]
ELLISONSLEGAL.COM = {
    kdc = apps.ellisonslegal.com
    #default_domain = ELLNET
    #kpasswd_server = apps.ellisonslegal.com
}

#ELLISONSLEGAL.COM = {
# kdc = APPS.ELLISONSLEGAL.COM
# admin_server = APPS.ELLISONSLEGAL.COM
# kpasswd_server = APPS.ELLISONSLEGAL.COM
#}

#OTHER.REALM = {
# kdc = OTHER.COMPUTER
#}

[domain_realm]
# .my.domain = MY.REALM
.ellisonslegal.com = ELLISONSLEGAL.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
    debug = false
}

Dimitri would you be able to repost that link for the HOW-TO please? I tried it but it seems like it is broken, do you have the updated link?

Thanks for your continued help.

Penny

-----Original Message-----
From: Gordon Hopper [mailto:g.hopper@computer.org]
Sent: 09 April 2005 00:23
To: Penny Willisson
Subject: RE: [Samba] net ads join fails

You might need to add some entries to your krb5.conf file. For example:

[realms]
ellisonslegal.com = {
    kdc = domain.controller.ellisonslegal.com:88
}

Where kdc points to a domain controller. Doesn't need to be the primary domain controller, choose one close by for best performance. (You shouldn't need to do this if your DNS for the domain resolves to a domain controller.)

Gordon

On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:
> Thanks
>
> When I run 'kinit administrator' I get the following error
>
> kinit: krb5_get_init_creds: unable to reach any KDC in realm ellisonslegal.com
>
> any ideas???
>
> -----Original Message-----
> From: samba-bounces+pw=ellisonslegal.com@lists.samba.org [mailto: samba-bounces+pw=ellisonslegal.com@lists.samba.org] On Behalf Of Dimitri Yioulos
> Sent: 08 April 2005 13:30
> To: samba@lists.samba.org
> Subject: Re: [Samba] net ads join fails
>
> On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
> > Hi
> >
> > I have created the machine account on the AD server and did this logged in as Administrator so that should mean that the Administrator account has the correct permissions.
> >
> > I have executed the following command as suggested
> >
> > net ads join Administrator@apps.ellisonslegal.com -d 2
> >
> > The following was output to the screen:
> >
> > [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
> >   added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
> > [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
> >   kerberos_kinit_password Administrator@APPS.ELLISONSLEGAL.COM failed: Unknown code krb5 156
> > [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
> >   ads_connect: Unknown code krb5 156
> > [2005/04/08 13:33:41, 2] utils/net.c:main(897)
> >   return code = -1
> >
> > Thanks
> >
> > Penny
> >
> > -----Original Message-----
> > From: Gordon Hopper [mailto: g.hopper@computer.org]
> > Sent: 06 April 2005 05:28
> > To: Penny Willisson
> > Subject: Re: [Samba] net ads join fails
> >
> > [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
> >   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> > [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
> >   kerberos_kinit_password Administrator@ELLISONSLEGAL.COM failed: Unknown code krb5 156
> > [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
> >   ads_connect: Unknown code krb5 156
> >
> > I suggest you post the output of the command you are running to join the domain (including the command), for example, "net ads join -U username@ds.domain.com -d 2".
> >
> > Also, note that the credentials you use to join the domain are not necessarily the domain Administrator, but they need to be a user who has write privileges to the ads folder where the machine account will be created. (It worked better for me when the machine account was already created in server manager, but according to the docs, that shouldn't be necessary.)
> >
> > It almost looks like the password failed. Or perhaps the folder you specified for the machine account does not exist.
> >
> > Regards,
> >
> > Gordon Hopper
>
> Try the command "kinit Administrator" (or "Administrator@yourdomain.com"). You should be prompted for a password. If, after entering the password, you're returned to a prompt with no further output then, in theory at least, your Kerberos setup is OK. If you get errors, well ... Run that first, then try "net ads join -U Administrator@yourdomain.com".
>
> A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.
>
> HTH.
>
> Dimitri

OK, this is closer. Change [realms] kpasswd_server to admin_server. I also believe that [domain realm] should read:

ellisonlegal.com = ELLISONLEGAL.COM
.ellisonlegal.com = ELLISONLEGAL.COM

I would add to [libdefaults]:

dns_lookup_realm = true
dns_lookup_kdc = true

Try this and report back (like a good IT soldier :-) )

Dimitri

On Monday 11 April 2005 10:58 am, you wrote:
> Ok I deleted the incorrect conf file and set it up using Yast again. Here is the amended file. I tried using the IP address of the server this time but I'm still getting the same errors as before.
>
> [libdefaults]
> default_realm = ELLISONSLEGAL.COM
> clockskew = 300
>
> [domain_realm]
> .ELLNET = ELLISONSLEGAL.COM
>
> [realms]
> ELLISONSLEGAL.COM = {
>     kdc = 10.0.0.31
>     default_domain = ELLNET
>     kpasswd_server = 10.0.0.31
> }
>
> [appdefaults]
> pam = {
>     ticket_lifetime = 1d
>     renew_lifetime = 1d
>     forwardable = true
>     proxiable = false
>     retain_after_close = false
>     minimum_uid = 0
> }
>
> Thanks
>
> -----Original Message-----
> From: Penny Willisson
> Sent: 11 April 2005 14:43
> To: 'Gordon Hopper'; 'ernesto.pereirinha@atminformatica.pt'
> Cc: Dimitri Yioulos; samba@lists.samba.org
> Subject: RE: [Samba] net ads join fails
>
> I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from an article I found.

Sorry the same problem is still happening.

Thanks

-----Original Message-----
From: Dimitri Yioulos [mailto:dyioulos@firstbhph.com]
Sent: 11 April 2005 16:38
To: Penny Willisson
Subject: Re: FW: [Samba] net ads join fails

OK, this is closer. Change [realms] kpasswd_server to admin_server. I also believe that [domain realm] should read:

ellisonlegal.com = ELLISONLEGAL.COM
.ellisonlegal.com = ELLISONLEGAL.COM

I would add to [libdefaults]:

dns_lookup_realm = true
dns_lookup_kdc = true

Try this and report back (like a good IT soldier :-) )

Dimitri

On Monday 11 April 2005 10:58 am, you wrote:
> Ok I deleted the incorrect conf file and set it up using Yast again. Here is the amended file. I tried using the IP address of the server this time but I'm still getting the same errors as before.
>
> [libdefaults]
> default_realm = ELLISONSLEGAL.COM
> clockskew = 300
>
> [domain_realm]
> .ELLNET = ELLISONSLEGAL.COM
>
> [realms]
> ELLISONSLEGAL.COM = {
>     kdc = 10.0.0.31
>     default_domain = ELLNET
>     kpasswd_server = 10.0.0.31
> }
>
> [appdefaults]
> pam = {
>     ticket_lifetime = 1d
>     renew_lifetime = 1d
>     forwardable = true
>     proxiable = false
>     retain_after_close = false
>     minimum_uid = 0
> }
>
> Thanks
>
> -----Original Message-----
> From: Penny Willisson
> Sent: 11 April 2005 14:43
> To: 'Gordon Hopper'; 'ernesto.pereirinha@atminformatica.pt'
> Cc: Dimitri Yioulos; samba@lists.samba.org
> Subject: RE: [Samba] net ads join fails
>
> I have recreated my dns pointers without success and I think my krb5.conf file is configured correctly. First I left this to Yast to set up but that didn't work and then I tried to modify it from an article I found.

On Mon, 2005-04-11 at 16:51 +0100, Penny Willisson wrote:
> Sorry the same problem is still happening.
---
it would probably help if you gave us more info...started over...

what is output?

cat /etc/resolv.conf
cat /etc/krb5.conf

terminal output of kinit Administrator and/or kinit Administrator@ellingsonlegal.com

Craig
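
An added example, not part of the original thread and not Samba or Kerberos project code: a small Python check that parses krb5.conf text and reports three properties of the files posted in this thread, namely a missing default_realm, a realm name that is not upper case, and a [domain_realm] section that does not cover the client's DNS name. The client name client.ellisonslegal.com and the function names are assumptions; the two sample files are the ones posted above, abridged.

```python
import re

# Constructed inputs: the two krb5.conf files posted in the thread, abridged.
YAST_CONF = """
[libdefaults]
default_realm = ELLISONSLEGAL.COM
[domain_realm]
.ELLNET = ELLISONSLEGAL.COM
[realms]
ELLISONSLEGAL.COM = {
    kdc = 10.0.0.31
}"""
EDITED_CONF = """
[libdefaults]
#default_realm = ellisonslegal.com
[realms]
ELLISONSLEGAL.COM = {
    kdc = apps.ellisonslegal.com
}
[domain_realm]
.ellisonslegal.com = ELLISONSLEGAL.COM"""

def parse_krb5(text):
    """Return {section: {key: [values] or {subkey: [values]}}}; '#' and ';' start comments."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:  # repeated keys such as several kdc lines accumulate
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def lint_krb5(text, host_fqdn):
    """List findings for one client; host_fqdn (hypothetical here) is its own DNS name."""
    conf, findings = parse_krb5(text), []
    realms = conf.get("realms", {})
    if conf.get("libdefaults", {}).get("default_realm", [None])[0] is None:
        findings.append("default_realm is not set")
    for name, body in realms.items():
        if name != name.upper():
            findings.append(f"realm {name} is not upper case")
        if not (isinstance(body, dict) and body.get("kdc")):
            findings.append(f"realm {name} lists no kdc, lookup depends on DNS")
    # '.domain' keys cover every host below that domain, other keys one exact host
    host = host_fqdn.lower()
    keys = (k.lower() for k in conf.get("domain_realm", {}))
    if not any(host == k or (k.startswith(".") and host.endswith(k)) for k in keys):
        findings.append(f"no [domain_realm] entry covers {host}")
    return findings
```

An empty result says nothing about whether the KDC can be reached; the kinit run requested above remains the actual test.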