Hello, I've managed to join four other samba servers to win2k3 domains in the past but I am stuck doing so with samba-3.0.23c_2,1. I've verified hosts / domain forward and reverse lookups succeed. Below are my configurations. I'm running FreeBSD 6.1-stable cvsupped as of Nov 17. I've built Samba with the following options...

WITH_LDAP=true
WITH_ADS=true
WITHOUT_CUPS=true
WITH_WINBIND=true
WITHOUT_ACL_SUPPORT=true
WITHOUT_AIO_SUPPORT=true
WITHOUT_FAM_SUPPORT=true
WITHOUT_SYSLOG=true
WITHOUT_QUOTAS=true
WITH_UTMP=true
WITHOUT_MSDFS=true
WITHOUT_SMBSH=true
WITHOUT_PAM_SMBPASS=true
WITHOUT_EXP_MODULES=true
WITH_POPT=true

Below are other relevant configs.

----- BEGIN /etc/krb5.conf -----
[realms]
    TEST.K12.IN.US = {
        kdc = tcp/10.0.15.205
    }

----- END /etc/krb5.conf -----

----- BEGIN /usr/local/etc/smb.conf -----
[global]
    workgroup = TEST
    realm = TEST.K12.IN.US
    netbios name = FIREWALL
    winbind separator = +
    winbind cache time = 10
    winbind nested groups = Yes
    winbind use default domain = Yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    security = ADS
    password server = 10.0.15.205
    allow trusted domains = No
    use spnego = Yes

    interfaces = 172.30.1.2/32 127.0.0.1/32

----- END /usr/local/etc/smb.conf -----

----- BEGIN /etc/nsswitch.conf -----
group: files winbind
group_compat: nis
hosts: files dns winbind
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
----- END /etc/nsswitch.conf -----

Now, when I try and join the domain, I get the following...

<root@firewall:namedb>net ads join -U administrator
administrators's password:
Using short domain name -- TEST
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'FIREWALL' in realm 'TEST.K12.IN.US'

Can someone please help me get around this? I'm using the same configuration templates I used on the other four machines that I had no problems with. One of those four samba boxes is on the same domain and working just fine. The only difference is that it's samba version samba-3.0.21b,1.

panovdu@land.ru
2006-Nov-18 11:48 UTC
[Samba] can't join samba to win2k3 domain - please help
Hello

> Hello, I've managed to join four other samba servers to win2k3 domains
> in the past but I am stuck doing so with samba-3.0.23c_2,1. I've
> verified hosts / domain forward and reverse lookups succeed....

I got this type of error when the domain and samba machines were in /etc/hosts but I had forgotten to put a newline after the string with the samba credentials (it was the last string in the file).

=Dmitry Panoff
Network administrator
Donetsk, Ukraine

Thanks to Senthil Kumar Ramamurthy I was able to get my joining of the samba server to the Win2k3 domain fixed. He worked with me via email off the list and it turned out my problem was the order in which I had entries in the /etc/hosts file. The FreeBSD hosts file by default uses the format of 'xxx.xxx.xxx.xxx alias FQDN' which DOES NOT WORK with samba when joining to a win2k3 domain. Samba requires host entries which are relevant to the KDC etc. to be in the format 'xxx.xxx.xxx.xxx FQDN alias'.

So, I hope this helps some others out there. Again, a big thanks to Senthil Kumar Ramamurthy for his help and patience!

Elvar wrote:
> Hello, I've managed to join four other samba servers to win2k3 domains
> in the past but I am stuck doing so with samba-3.0.23c_2,1. I've
> verified hosts / domain forward and reverse lookups succeed. Below are
> my configurations. I'm running FreeBSD 6.1-stable cvsupped as of Nov
> 17. I've built Samba with the following options...
>
> WITH_LDAP=true
> WITH_ADS=true
> WITHOUT_CUPS=true
> WITH_WINBIND=true
> WITHOUT_ACL_SUPPORT=true
> WITHOUT_AIO_SUPPORT=true
> WITHOUT_FAM_SUPPORT=true
> WITHOUT_SYSLOG=true
> WITHOUT_QUOTAS=true
> WITH_UTMP=true
> WITHOUT_MSDFS=true
> WITHOUT_SMBSH=true
> WITHOUT_PAM_SMBPASS=true
> WITHOUT_EXP_MODULES=true
> WITH_POPT=true
>
> Below are other relevant configs.
>
> ----- BEGIN /etc/krb5.conf -----
> [realms]
>     TEST.K12.IN.US = {
>         kdc = tcp/10.0.15.205
>     }
>
> ----- END /etc/krb5.conf -----
>
> ----- BEGIN /usr/local/etc/smb.conf -----
> [global]
>     workgroup = TEST
>     realm = TEST.K12.IN.US
>     netbios name = FIREWALL
>     winbind separator = +
>     winbind cache time = 10
>     winbind nested groups = Yes
>     winbind use default domain = Yes
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     security = ADS
>     password server = 10.0.15.205
>     allow trusted domains = No
>     use spnego = Yes
>
>     interfaces = 172.30.1.2/32 127.0.0.1/32
>
> ----- END /usr/local/etc/smb.conf -----
>
> ----- BEGIN /etc/nsswitch.conf -----
> group: files winbind
> group_compat: nis
> hosts: files dns winbind
> networks: files
> passwd: files winbind
> passwd_compat: nis
> shells: files
> ----- END /etc/nsswitch.conf -----
>
> Now, when I try and join the domain, I get the following...
>
> <root@firewall:namedb>net ads join -U administrator
> administrators's password:
> Using short domain name -- TEST
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Disabled account for 'FIREWALL' in realm 'TEST.K12.IN.US'
>
>
> Can someone please help me get around this? I'm using the same
> configuration templates I used on the other four machines that I had
> no problems with. One of those four samba boxes is on the same domain
> and working just fine. The only difference is that it's samba version
> samba-3.0.21b,1.
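
The two /etc/hosts problems reported in this thread (an alias listed before the FQDN, and a last line with no trailing newline) can be checked before running net ads join. The script below is an added example, not part of the original posts; the function names, the host names dc1, dc2 and firewall.test.k12.in.us, and the address 10.0.15.206 are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a hosts file for the two problems reported in this thread.

# Print "LINENO: entry" for each line whose first name is a short alias while
# a later name on the same line is fully qualified (alias-before-FQDN order).
hosts_alias_first() {
    awk '
        { sub(/#.*/, "") }            # strip comments; awk re-splits the fields
        NF < 3 { next }               # need an address plus at least two names
        $2 !~ /\./ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /\./) { print NR ": " $0; break }
        }
    ' "$1"
}

# Succeed (exit 0) when the file is non-empty and its last byte is not a newline.
hosts_missing_final_newline() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# Constructed sample; dc1, dc2 and the firewall FQDN are assumed names.
sample=$(mktemp /tmp/hosts.XXXXXX)
printf '%s\n' \
    '10.0.15.205 dc1 dc1.test.k12.in.us' \
    '172.30.1.2 firewall.test.k12.in.us firewall' > "$sample"
printf '%s' '10.0.15.206 dc2.test.k12.in.us dc2' >> "$sample"   # no final newline

echo "alias listed before FQDN:"
hosts_alias_first "$sample"
if hosts_missing_final_newline "$sample"; then
    echo "last line has no trailing newline"
fi
rm -f "$sample"
```
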