Hello, I've managed to join four other samba servers to win2k3 domains
in the past but I am stuck doing so with samba-3.0.23c_2,1. I've
verified hosts / domain forward and reverse lookups succeed. Below are
my configurations. I'm running FreeBSD 6.1-stable cvsupped as of Nov 17.
I've built Samba with the following options...
WITH_LDAP=true
WITH_ADS=true
WITHOUT_CUPS=true
WITH_WINBIND=true
WITHOUT_ACL_SUPPORT=true
WITHOUT_AIO_SUPPORT=true
WITHOUT_FAM_SUPPORT=true
WITHOUT_SYSLOG=true
WITHOUT_QUOTAS=true
WITH_UTMP=true
WITHOUT_MSDFS=true
WITHOUT_SMBSH=true
WITHOUT_PAM_SMBPASS=true
WITHOUT_EXP_MODULES=true
WITH_POPT=true
Below are other relavent configs.
----- BEGIN /etc/krb5.conf -----
[realms]
TEST.K12.IN.US = {
kdc = tcp/10.0.15.205
}
----- END /etc/krb5.conf -----
----- BEGIN /usr/local/etc/smb.conf -----
[global]
workgroup = TEST
realm = TEST.K12.IN.US
netbios name = FIREWALL
winbind separator = +
winbind cache time = 10
winbind nested groups = Yes
winbind use default domain = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
security = ADS
password server = 10.0.15.205
allow trusted domains = No
use spnego = Yes
interfaces = 172.30.1.2/32 127.0.0.1/32
----- END /usr/local/etc/smb.conf -----
----- BEGIN /etc/nsswitch.conf -----
group: files winbind
group_compat: nis
hosts: files dns winbind
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
----- END /etc/nsswitch.conf -----
Now, when I try and join the domain, I get the following...
<root@firewall:namedb>net ads join -U administrator
administrators's password:
Using short domain name -- TEST
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'FIREWALL' in realm 'TEST.K12.IN.US'
Can someone please help me get around this? I'm using the same
configuration templates I used on the other four machines that I had no
problems with. One of those four samba boxes is on the same domain and
working just fine. The only difference is that it's samba version
samba-3.0.21b,1.
panovdu@land.ru
2006-Nov-18 11:48 UTC
[Samba] can't join samba to win2k3 domain - please help
Hello> Hello, I've managed to join four other samba servers to win2k3 domains > in the past but I am stuck doing so with samba-3.0.23c_2,1. I've > verified hosts / domain forward and reverse lookups succeed.... I've got this type of error, when domain and samba machines were in /etc/hosts but I've forgot to put newline after the string with samba credenitals (it was the last string in file). =Dmitry Panoff Network administrator Donetsk, Ukraine
Thanks to Senthil Kumar Ramamurthy I was able to get my joining of the samba server to Win2k3 domain fixed. He worked with me via email off the list and it turned out my problem was the order in which I had entries in the /etc/hosts file. The freebsd hosts file by default uses the format of 'xxx.xxx.xxx.xxx alias FQDN' which DOES NOT WORK with samba when joining to a win2k3 domain. Samba requires host entries which are relevant to the KDC etc to be in the format 'xxx.xxx.xxx.xxx FQDN alias'. So, I hope this helps some others out there. Again, a big thanks to Senthil Kumar Ramamurthy for his help and patience! Elvar wrote:> Hello, I've managed to join four other samba servers to win2k3 domains > in the past but I am stuck doing so with samba-3.0.23c_2,1. I've > verified hosts / domain forward and reverse lookups succeed. Below are > my configurations. I'm running FreeBSD 6.1-stable cvsupped as of Nov > 17. I've built Samba with the following options... > > WITH_LDAP=true > WITH_ADS=true > WITHOUT_CUPS=true > WITH_WINBIND=true > WITHOUT_ACL_SUPPORT=true > WITHOUT_AIO_SUPPORT=true > WITHOUT_FAM_SUPPORT=true > WITHOUT_SYSLOG=true > WITHOUT_QUOTAS=true > WITH_UTMP=true > WITHOUT_MSDFS=true > WITHOUT_SMBSH=true > WITHOUT_PAM_SMBPASS=true > WITHOUT_EXP_MODULES=true > WITH_POPT=true > > Below are other relavent configs. > > ----- BEGIN /etc/krb5.conf ----- > [realms] > TEST.K12.IN.US = { > kdc = tcp/10.0.15.205 > } > > ----- END /etc/krb5.conf ----- > > ----- BEGIN /usr/local/etc/smb.conf ----- > [global] > workgroup = TEST > realm = TEST.K12.IN.US > netbios name = FIREWALL > winbind separator = + > winbind cache time = 10 > winbind nested groups = Yes > winbind use default domain = Yes > idmap uid = 10000-20000 > idmap gid = 10000-20000 > security = ADS > password server = 10.0.15.205 > allow trusted domains = No > use spnego = Yes > > interfaces = 172.30.1.2/32 127.0.0.1/32 > > ----- END /usr/local/etc/smb.conf ----- > > ----- BEGIN /etc/nsswitch.conf ----- > group: files winbind > group_compat: nis > hosts: files dns winbind > networks: files > passwd: files winbind > passwd_compat: nis > shells: files > ----- END /etc/nsswitch.conf ----- > > Now, when I try and join the domain, I get the following... > > <root@firewall:namedb>net ads join -U administrator > administrators's password: > Using short domain name -- TEST > Failed to set servicePrincipalNames. Please ensure that > the DNS domain of this server matches the AD domain, > Or rejoin with using Domain Admin credentials. > Disabled account for 'FIREWALL' in realm 'TEST.K12.IN.US' > > > Can someone please help me get around this? I'm using the same > configuration templates I used on the other four machines that I had > no problems with. One of those four samba boxes is on the same domain > and working just fine. The only difference is that it's samba version > samba-3.0.21b,1. > >