As a followup to this issue,
net ads join -U username@domain yields ads_join_realm: Operations
error
wbinfo -t yields checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
net ads testjoin [2008/01/23 11:08:13, 0]
libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password "machinename"@DOMAIN failed:
Preauthentication
failed
[2008/01/23 11:08:14, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password "machinename"@DOMAIN failed:
Preauthentication
failed
[2008/01/23 11:08:14, 0] utils/net_ads.c:ads_startup(191)
ads_connect: Preauthentication failed
Join to domain is not valid
however kinit username@Domain works wbinfo -u error looking up domain
users wbinfo -g BUILTIN+system operators
BUILTIN+replicators
BUILTIN+guests
BUILTIN+power users
BUILTIN+print operators
BUILTIN+administrators
BUILTIN+account operators
BUILTIN+backup operators
BUILTIN+users
none of which are from domain
We have another machine, that is identical to the failing machine in all
accounts except for it's machine name. This other machine works well.
The only difference between the machines is that the working machine
joined the domain months ago when it was first set up and has worked
perfectly ever since.
In the meantime, the unix services where patched and we can now no
longer add any new linux machines to the domain, even when they have the
identical configuration.
Is this a known issue? What can I try next?
best regards
Dalton
On Tue, 2008-01-22 at 14:53 -0500, Dalton Calford wrote:> We are having problems joining onto our 2003 server domain. This is
> strange in that other linux clients on our network are NOT having
> problems.
>
> It appears that the domain will not allow new linux machines to join the
> domain, even when allowing existing machines that have the exact same
> configuration, to authenticate from the domain.
>
> In order to test this I have taken a stripped down debian box and
> performed a new install.
>
> I have installed samba 3.0.28 with winbind and krb5
> I have configured the boxes but when I attempt to perform a kinit, I get
> the following response
>
> kinit(v5): KDC reply did not match expectations while getting initial
> credentials
>
> Has anyone else encountered this?
>
> best regards
>
> Dalton
>