Steven Johnson
2006-Jul-19 14:03 UTC
[Samba] Samba 3.0.22 on AIX Authenticating to AD 2003
I have been trying to get Samba 3.0.22 to authenticate to our Active
Directory 2k3 environment for about 3 weeks now. I have gotten to a
point where google searches are no longer helpful. We have an IBM 9133
server on AIX 5.3. I had to use the binaries because the sources failed
the make install. We are using IBM's version of Kerberos Network
Authentication Service because the MIT version failed the make with a
variety of compiler errors. I have installed and compiled OpenLDAP using
openldap-stable-20060606.tgz. When I attempt to join the server to the
domain I get
# /opt/Samba/3.0.22/bin/net ads join
root's password:
[2006/07/19 09:46:39, 0] libads/kerberos.c:ads_kinit_password(164)
  kerberos_kinit_password root@CREDITORSINTERCHANGE.LOCAL failed: Cannot resolve network address for KDC in requested realm
[2006/07/19 09:46:39, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested realm
Here is a copy of my smb.conf:
# Creditors Interchange LLC Samba 3.0.22 Configuration File smb.conf
# This file is the sole property of Creditors Interchange LLC. Permission to
# use, redistribute, copy, or modify this file is strictly prohibited without
# prior consent from the management or officers of Creditors Interchange LLC.
# /opt/Samba/3.0.22/lib/smb.conf
# Global options needed to communicate Samba to Windows 2003 Active Directory.
[global]
netbios name = CICUBS2
password server = creditors1.creditorsinterchange.local
unix password sync = yes
workgroup = CREDITORSINTERCHANGE
os level = 20
encrypt passwords = yes
security = ads
realm = CREDITORSINTERCHANGE.LOCAL
dns proxy = yes
# Winbind configuration: mapping ADS users to Unix uid's and gid's, enabling
# the enumeration of users and groups.
# Winbind separator is the character that separates user and group names from
# the domain name.
# winbind separator = +
idmap gid = 10000-20000
idmap uid = 10000-20000
winbind enum users=yes
winbind enum groups=yes
[public]
# define user and group shares here.
# Example
# comment = A description of the share such as Public data directory
# read only = yes or no
# path = /path to shared directory or file
# user = @"domain name+user group to be given access"
PS... I almost forgot to mention I am a networking guy with little Unix
experience, which I am sure is the reason I can't get this to work.
Thanks,
Steven Johnson
LAN/WAN Analyst
Creditors interchange
sjohnson@Creditorsinterchange.com
Gerald (Jerry) Carter
2006-Jul-19 15:50 UTC
[Samba] Samba 3.0.22 on AIX Authenticating to AD 2003
Steven,

> kerberos_kinit_password root@CREDITORSINTERCHANGE.LOCAL failed: Cannot resolve
> network address for KDC in requested realm

You'll need to either enable DNS SRV lookups for KDC in /etc/krb5.conf (dns_lookup_kdc - true) or manually specify the KDCs for your realm.

cheers, jerry
=====================================================================
Samba    ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?"       --Balian
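An added example, not part of the original thread and not Samba or Kerberos project code: a small Python check that reads krb5.conf text and reports how the KDC for a realm would be located, covering both fixes named in the reply above. The sample files are constructed; the KDC host is assumed to be the `password server` from the posted smb.conf, and an absent `dns_lookup_kdc` is treated as disabled, which is an assumption about the Kerberos client in use.

```python
import re

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: value or {subkey: [values]}}}."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            sub = None
        elif section is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":                  # start of a per-realm block
                sub = section.setdefault(key, {})
            elif sub is not None:             # kdc may repeat, so keep a list
                sub.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf

def kdc_source(text, realm):
    """Return ('static', [hosts]), ('dns', srv_name) or ('unresolvable', None)."""
    conf = parse_krb5(text)
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        return ("static", kdcs)
    # Assumption: a missing dns_lookup_kdc means SRV lookups are off.
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", "false").lower()
    if flag in ("true", "yes", "1", "on"):
        return ("dns", "_kerberos._tcp." + realm.lower())
    return ("unresolvable", None)  # the state that matches the error in the post

REALM = "CREDITORSINTERCHANGE.LOCAL"
# Constructed sample files; the KDC host is assumed from the smb.conf above.
BROKEN = "[libdefaults]\n default_realm = " + REALM + "\n"
WITH_DNS = BROKEN + " dns_lookup_kdc = true\n"
WITH_STATIC = BROKEN + """[realms]
 CREDITORSINTERCHANGE.LOCAL = {
  kdc = creditors1.creditorsinterchange.local:88
 }
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("dns", WITH_DNS), ("static", WITH_STATIC)):
        print(name, kdc_source(text, REALM))
```

With the DNS option the client still depends on the `_kerberos` SRV records resolving from the AIX host, so the resolver there must point at the AD DNS servers.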