I just wanted to share my frustrations with trying to use samba to join linux machines to our AD (so I could use pam_winbind primarily). I'm using Red Hat Enterprise 4 boxes, with samba-3.0.14a, krb5-libs-1.3.4-12, kernel-2.6.9-5.0.5.EL (I tried Fedora Core 3 too, with similar results). I (pre)added machines to the AD using the Active Directory Users and Computers tool.

I initially had clock skew problems (yielding kerberos errors), but I now have synchronized system clocks.

Now, I've found that the
$ net ads join
command(*) always says it succeeds joining the domain, but a subsequent
$ wbinfo -t
about 75% of the time yields an error:
NT_STATUS_ACCESS_DENIED

If I re-run those 2 commands repeatedly, I *eventually* will get a machine that has successfully joined the AD domain (where 'wbinfo -t' succeeds and pam_winbind successfully authenticates users).

Now, I'm mostly content that I've found a solution to my problem, but I'm curious why/how 'net ads join' oftentimes claims false success (and why is it failing at all in the first place)?

-- Rex

(*) with -d3 or higher, I see random collections of errors, mostly kerberos related, saying "pre-authentication failed" and "encryption type not supported"

Rex Dieter wrote:
| I just wanted to share my frustrations with trying
| to use samba to join linux machines to our AD
| (so I could use pam_winbind primarily). I'm
| using Red Hat Enterprise 4 boxes, with samba-3.0.14a,
| krb5-libs-1.3.4-12, kernel-2.6.9-5.0.5.EL (I tried
| Fedora Core 3 too, with similar results). I (pre)added
| machines to the AD using the Active Directory Users
| and Computers tool.
|
| I initially had clock skew problems (yielding kerberos
| errors), but I now have synchronized system clocks.
|
| Now, I've found that the
| $ net ads join
| command(*) always says it succeeds joining the domain,
| but a subsequent
| $ wbinfo -t
| about 75% of the time yields an error:
| NT_STATUS_ACCESS_DENIED
|
| If I re-run those 2 commands repeatedly, I *eventually*
| will get a machine that has successfully joined the
| AD domain (where 'wbinfo -t' succeeds
| and pam_winbind successfully authenticates users).

I wonder if you are dealing with an AD replication lag. How many DCs are there in the domain?

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca