Cowan, Christopher O SRA GARRISON-FSHTX
2005-May-06 21:31 UTC
[Samba] Problem getting Solaris 8 server to join an AD Domain
I went out and compiled the latest MIT krb5-1.4, openldap-2.2.23, and Samba 3.0.14a. I am able to authenticate fine using kinit, and use smbclient -k with no problems. I cannot get the server to join the domain with net ads join -U xxxxx. I am getting the error:

ads_connect: Strong(er) authentication required

The AD server is running Win2003, and we do not have administrative access to the domain. Some of my coworkers have admin access limited to specific OUs. I am wondering whether this message may be related to the fact that we are running with NTLMCompatibility Mode 3. I used AFS and DCE/DFS for years, so I know my way around Kerb4 and 5. Not being a Windows AD guru, I'm not sure if the NTLMCompat setting applies to Kerberos (I thought this basically shut off the older, non-Kerberized authentication methods).

I also saw some blurbs in the list archive about having to reset user passwords at least once on Win2003 AD servers in order to get the password encoded correctly. Perhaps the machine principal needs to be manually set in a similar fashion. We also tried enabling delegation, but discovered that top-level policy prevents us from enabling it.

My question is, will I be able to get this server to join the domain?
Cowan, Christopher O SRA GARRISON-FSHTX
2005-May-16 18:23 UTC
[Samba] RE: Problem getting Solaris 8 server to join an AD Domain
A little more time using Google, and I found the following:

On Thu, 21 Oct 2004 12:47:17 -0400, Jeremy Naylor <jnaylor at gmail.com> wrote:
> Hello!
>
> In trying to get a linux machine to join a Win2k3 AD domain, I kept
> getting this error message when I ran "net join -U admin":
>
> [2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
> ads_connect: Strong(er) authentication required
>
> After much googling and experimentation, I discovered that this was
> caused by having this set in the Security Policy on the DC:
>
> Domain Controller: LDAP server signing requirements = Require Signing
>
> Changing this to "None" got it working. I assume this is because the
> openldap code doesn't support signing? I couldn't find anything about
> that.
>
> I've attached a patch that enables TLS in the libads code. The
> "Require Signing" setting allows for SSL/TLS instead of signing.
> There needs to be a certificate installed on the domain controller for
> TLS to work, but that's better than signing anyway. You also need the
> CA certificate to verify the server cert; adding "TLS_CACERT
> /etc/samba/testca.cer" to /etc/openldap/ldap.conf (after exporting the
> CA cert and saving it in testca.cer) got that working.
>
> I've only tested this on Fedora Core 2 with a DC that has "Require
> Signing" set and has a certificate installed, but setting "ldap ssl
> off" should disable it.
>
> Can someone let me know if there's anything else I need to do to get
> this feature integrated in the trunk?
>
> Thanks!
>
> -Jeremy

Unfortunately, I will not be able to have the LDAP signing disabled and most likely will not be able to have a cert installed on our KDC. Is there a technique for manually creating a machine account on both ends (using the same password) and then generating a keytab file? Otherwise, it appears that I am S.O.L.
_____
From: Cowan, Christopher O SRA GARRISON-FSHTX
Sent: Friday, May 06, 2005 4:30 PM
To: 'samba@lists.samba.org'
Subject: Problem getting Solaris 8 server to join an AD Domain
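The "Strong(er) authentication required" text in the thread is Samba's rendering of LDAP resultCode 8, strongerAuthRequired (RFC 4511), which a DC configured with "LDAP server signing requirements = Require Signing" returns for a bind that arrives unsigned over a cleartext connection. Before spending time on the join itself, it helps to confirm from the client side that this is the policy in force. The following is an added diagnostic written for this editorial pass; it is not code from either poster, from Jeremy Naylor's patch, or from Samba. It hand-encodes one LDAPv3 simple BindRequest in BER, sends it to a DC, and interprets the BindResponse. The host, bind DN and password are placeholders, the sample response bytes are constructed here rather than captured from a real DC, and the reading of resultCode 49 (invalidCredentials) as "the DC got as far as checking the password, so it did not refuse the bind for lack of integrity" is this example's interpretation.

```python
"""Client-side check for the LDAP 'strongerAuthRequired' (resultCode 8) condition.

Added example, not code from the thread or from Samba. Host, DN and password
used with probe() are placeholders; SAMPLE_STRONGER_AUTH is constructed.
"""
import socket

STRONGER_AUTH_REQUIRED = 8   # RFC 4511 resultCode strongerAuthRequired
INVALID_CREDENTIALS = 49     # RFC 4511 resultCode invalidCredentials


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(msg_id=1, dn=b"", password=b""):
    """LDAPMessage{messageID, BindRequest{version 3, name, simple password}}."""
    bind = ber_tlv(0x60, ber_tlv(0x02, b"\x03")      # version 3
                   + ber_tlv(0x04, dn)                # name (LDAPDN)
                   + ber_tlv(0x80, password))         # authentication: simple
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + bind)


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a raw LDAP BindResponse."""
    tag, msg, _ = ber_read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = ber_read_tlv(msg, 0)                  # messageID, skipped
    tag, resp, _ = ber_read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (APPLICATION 1)")
    _, code, pos = ber_read_tlv(resp, 0)              # resultCode ENUMERATED
    _, _, pos = ber_read_tlv(resp, pos)               # matchedDN, skipped
    _, diag, _ = ber_read_tlv(resp, pos)              # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def classify(result_code):
    """Map the bind result onto what it says about the DC's signing policy."""
    if result_code == STRONGER_AUTH_REQUIRED:
        return ("signing enforced: unsigned cleartext binds are refused; bind over "
                "TLS (StartTLS/LDAPS with the DC's CA cert trusted) or with a SASL "
                "mechanism that negotiates integrity")
    if result_code in (0, INVALID_CREDENTIALS):
        # The DC went on to evaluate the credentials, so it did not refuse
        # the bind for lack of integrity protection (this example's reading).
        return "signing not enforced for simple binds on this DC"
    return f"bind failed with resultCode {result_code}"


# Constructed sample BindResponse (messageID 1, resultCode 8, empty matchedDN).
# The diagnostic text is made up for this example, not captured from a DC.
SAMPLE_DIAG = b"constructed: server requires binds to turn on integrity checking"
SAMPLE_STRONGER_AUTH = ber_tlv(0x30, ber_tlv(0x02, b"\x01") + ber_tlv(
    0x61, ber_tlv(0x0A, b"\x08") + ber_tlv(0x04, b"") + ber_tlv(0x04, SAMPLE_DIAG)))


def probe(host, port=389, dn=b"", password=b"", timeout=5):
    """Send one simple bind to host:port and return (code, diagnostic, verdict).
    Whatever is passed as password crosses the wire in the clear, which is the
    exposure signing exists to prevent, so use a throwaway test account."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_simple_bind(1, dn, password))
        data = sock.recv(4096)
    code, diag = parse_bind_response(data)
    return code, diag, classify(code)


if __name__ == "__main__":
    # Offline self-check against the constructed sample. For a live check use
    # probe("dc.example.test", dn=b"CN=probe-user,...", password=b"...") (placeholders).
    code, diag = parse_bind_response(SAMPLE_STRONGER_AUTH)
    print(code, diag)
    print(classify(code))
```

A resultCode 8 verdict confirms the situation Jeremy Naylor describes, and the remedy the thread itself points to is the right one from a hardening standpoint: keep the DC's signing requirement in place and give the client an integrity-protected channel instead, either TLS with the DC's CA certificate trusted on the Samba host (the TLS_CACERT line in /etc/openldap/ldap.conf quoted above) or a SASL bind that negotiates a security layer. Lowering the policy to "None" removes the protection for every LDAP client of that DC, not just this one.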