I have a problem joining the AD domain. And this problem has kept us
from upgrading to any other release of samba since 3.0.14a. That is the
release we're running on our production server. That release was the
last one to successfully join the domain.
The short version of the problem:
The samba server refuses to use 'TCP' when running the 'net' command to
join the domain. And the DC refuses to use UDP to answer to the samba
server.
The long version now:
On the 3.0.14a release, we can force the communication with the DC to
go over TCP by specifying 'tcp' on the "kdc = ..." entry on the
krb5.conf file. Every other release since then promptly ignores the
krb5.conf file, so all communication with the DC goes over UDP. I have
snooped the traffic from the samba server to the DC, and every time I
see the miscommunication taking place.
What seems even more confusing is the fact that, if I trace the 'net
ads status' command, I see where the krb5.conf file is read and
communication with the DC takes place using TCP. But if I trace the 'net
ads join' command, the krb5.conf is never even considered. I don't see
the process stat'ing/opening it at all. It seems as if the 'net join'
command doesn't need to read any kerberos config file. It seems to
assume it knows what to do automagically.
The samba server is running Red Hat 4 Enterprise Level. The samba
package was built with the latest packages: heimdal-0.8.1,
openldap-2.3.36, sasl-2.1.22, openssl-0.9.8e. The krb5.conf and the
smb.conf files look as follows:
********************************************
[libdefaults]
default_realm = AD.RICE.EDU
# default_tkt_enctypes = rc4-hmac
# default_tgs_enctypes = rc4-hmac
default_etypes = des-cbc-crc
large_msg_size = 1
# default_etypes = des-cbc-crc "Have tried all these combinations to no avail"
# default_etypes_des = des-cbc-crc
# default_tkt_enctypes = des-cbc-md5
# default_tgs_enctypes = des-cbc-md5
# default_tkt_enctypes = rc4-hmac
# default_tgs_enctypes = rc4-hmac
[realms]
AD.RICE.EDU = {
kdc = tcp/support-dc6......
admin_server = support-dc6.......
}
RICE.EDU = {
kdc = kerberos.rice.edu.
kdc = cerberos.rice.edu.
admin_server = kerberos.rice.edu.
}
[domain_realm]
.ad.rice.edu = AD.RICE.EDU
.rice.edu = RICE.EDU
*****************************************************
smb.conf
[global]
unix charset = LOCALE
workgroup = ADRICE
server string = Samba RN2
security = ADS
realm = AD.RICE.EDU
allow trusted domains = No
encrypt passwords = yes
username map = /etc/samba/smbusers
ldap ssl = no
idmap uid = 500-10000000
idmap gid = 500-10000000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
password server = support-dc6.......
wins server = 128.X.X.X
*************************
Please help.
Thanks;
Al.
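As an added example (not from the post or from Samba/Heimdal), here is a small checker for a Heimdal-style krb5.conf that parses the [realms] blocks, reports which kdc entries carry the tcp/ prefix the post relies on, and flags the large_msg_size = 1 setting that makes every request count as "large" so it is sent over TCP. The realm and host names in the sample are constructed placeholders, not the poster's DCs.

```python
# Added example, not from the post: checker for a Heimdal-style krb5.conf.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.TEST   # constructed placeholder realm/hosts
    large_msg_size = 1
[realms]
    AD.EXAMPLE.TEST = {
        kdc = tcp/dc1.ad.example.test
        kdc = dc2.ad.example.test:88  # unprefixed: library picks transport
    }
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; 'NAME = { ... }' blocks nest as dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif line:
            key, _, value = (p.strip() for p in line.partition("="))
            target = stack[-1]
            if value == "{":                     # realm block: nest a dict
                value = {}
                stack.append(value)
            target.setdefault(key, []).append(value)
    return conf

def kdc_transports(conf, realm):
    """[(host, transport)] per kdc entry; Heimdal honours tcp/, udp/, http/ prefixes."""
    out = []
    for block in conf.get("realms", {}).get(realm, []):
        for entry in block.get("kdc", []):
            prefix, sep, host = entry.partition("/")
            pinned = sep and prefix in ("tcp", "udp", "http")
            out.append((host, prefix) if pinned else (entry, "default"))
    return out

def tcp_forced(conf, realm):
    """True if every kdc is tcp/ or large_msg_size <= 1 makes every request 'large'."""
    size = conf.get("libdefaults", {}).get("large_msg_size", [""])[-1]
    if size.isdigit() and int(size) <= 1:
        return True
    transports = [t for _, t in kdc_transports(conf, realm)]
    return bool(transports) and all(t == "tcp" for t in transports)
```

Run it against the real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`; an entry reported as "default" is one the library is free to send over UDP.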