samba - Mar 2008 - net join fails NT_STATUS_INVALID_COMPUTER_NAME

We want to join out Linux-Server:
SLES 10 SP1 x86 with Samba (samba-client-3.0.24-2.23)
 to our  W2000 Domain.

so i use the command:
   net join -S TQ-NET.DE -UAdministrator
and i get the following Errormessage:
Failed to join domain!
ADS join did not work, falling back to RPC...
[2008/03/12 12:07:29, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(350)
  Error in domain join verification (credential setup failed):
NT_STATUS_INVALID_COMPUTER_NAME

A Computer-Account was created but a the authentication and access to the shares
doesn`t work!

smb.conf:
[global]
        workgroup = TQG
        netbios name = tq-backupsrv-1
        realm = TQ-NET.DE
        security = ADS
        idmap uid = 10000-15000
        idmap gid = 10000-15000
        winbind separator = /
        winbind use default domain = yes
        encrypt passwords = yes
        password server = tq-dc-1.tq-net.de
        client use spnego = no
        domain logons = No
        domain master = No
        wins server = TQ-DC-1.TQ-NET.DE
        wins support = No
[share1]
...
krb5.conf
[libdefaults]
        default_realm = TQ-NET.DE
        clockskew = 300
[realms]
        TQ-NET.DE = {
                kdc = TQ-DC-1.TQ-NET.DE
                default_domain = TQG
                admin_server = TQ-DC-1.TQ-NET.DE
        }
[domain_realm]
        .tq-net.DE = TQ-NET.DE
[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = true
                retain_after_close = true
                minimum_uid = 0
                try_first_pass = true
                debug = false
        }
krb5.conf

kerberos works fine.



_____________________________________________________________________
Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
http://smartsurfer.web.de/?mc=100071&distributionid=000000000066

You have probally already tried but check the following.
 
I have always used YAST to join a SLES box to a domain.  If you do not have a
GUI installed, just type yast at the shell.  Under the Network Services section
is Windows Domain Membership.  Open this.  Type in all the correct information
and make sure you select "Use for Authentication".  It should join the
domain.
 
Also make sure the time of the server you are adding to the domain matchecs the
domian controler.  On a standard Windows AD setup anything past 5 min. can cause
problems.
The command to do this is "net time set -S domain server"

________________________________

From: samba-bounces+rstewart=iccpartners.com@lists.samba.org on behalf of Lothar
Belle
Sent: Wed 3/12/2008 8:18 AM
To: samba@lists.samba.org
Subject: [Samba] net join fails NT_STATUS_INVALID_COMPUTER_NAME




We want to join out Linux-Server:
SLES 10 SP1 x86 with Samba (samba-client-3.0.24-2.23)
 to our  W2000 Domain.

so i use the command:
   net join -S TQ-NET.DE -UAdministrator
and i get the following Errormessage:
Failed to join domain!
ADS join did not work, falling back to RPC...
[2008/03/12 12:07:29, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(350)
  Error in domain join verification (credential setup failed):
NT_STATUS_INVALID_COMPUTER_NAME

A Computer-Account was created but a the authentication and access to the shares
doesn`t work!

smb.conf:
[global]
        workgroup = TQG
        netbios name = tq-backupsrv-1
        realm = TQ-NET.DE
        security = ADS
        idmap uid = 10000-15000
        idmap gid = 10000-15000
        winbind separator = /
        winbind use default domain = yes
        encrypt passwords = yes
        password server = tq-dc-1.tq-net.de
        client use spnego = no
        domain logons = No
        domain master = No
        wins server = TQ-DC-1.TQ-NET.DE
        wins support = No
[share1]
...
krb5.conf
[libdefaults]
        default_realm = TQ-NET.DE
        clockskew = 300
[realms]
        TQ-NET.DE = {
                kdc = TQ-DC-1.TQ-NET.DE
                default_domain = TQG
                admin_server = TQ-DC-1.TQ-NET.DE
        }
[domain_realm]
        .tq-net.DE = TQ-NET.DE
[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = true
                retain_after_close = true
                minimum_uid = 0
                try_first_pass = true
                debug = false
        }
krb5.conf

kerberos works fine.



_____________________________________________________________________
Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
http://smartsurfer.web.de/?mc=100071&distributionid=000000000066

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Lothar Belle wrote:
> We want to join out Linux-Server:
> SLES 10 SP1 x86 with Samba (samba-client-3.0.24-2.23)
>  to our  W2000 Domain.
> 
> krb5.conf
> [libdefaults]
>         default_realm = TQ-NET.DE
>         clockskew = 300
> [realms]
>         TQ-NET.DE = {
>                 kdc = TQ-DC-1.TQ-NET.DE
>                 default_domain = TQG
      default_domain = tq-net.de

The domain here is the DNS domain.
>                 admin_server = TQ-DC-1.TQ-NET.DE
>         }
> [domain_realm]
>         .tq-net.DE = TQ-NET.DE
> [appdefaults]
>         pam = {
>                 ticket_lifetime = 1d
>                 renew_lifetime = 1d
>                 forwardable = true
>                 proxiable = true
>                 retain_after_close = true
>                 minimum_uid = 0
>                 try_first_pass = true
>                 debug = false
>         }
> krb5.conf
> 
> kerberos works fine.
> 
That's all that I noticed.

Regards, Doug

> You have probally already tried but check the following.
>  
> I have always used YAST to join a SLES box to a domain.  If you do not have
a GUI installed, just type yast at the shell.  >Under the Network Services
section is Windows Domain Membership.  Open this.  Type in all the correct
information and make >sure you select "Use for Authentication".  It
should join the domain.
yast says the join was succsessfully,
but the Authentiaction to the share still fails!
>  
> Also make sure the time of the server you are adding to the domain matchecs
the domian controler.  On a standard Windows AD setup anything past 5 min. can
cause problems.
> The command to do this is "net time set -S domain server"
time ist set by a ntp server 
--> Time is synchron.
Kerberos authentication works testet with :
#kinit Administrator@TQ-NET.DE
tq-backupsrv-1:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TQ-NET.DE

Valid starting     Expires            Service principal
03/13/08 07:05:06  03/14/08 07:05:06  krbtgt/TQ-NET.DE@TQ-NET.DE


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

_______________________________________________________________
Schon geh?rt? Der neue WEB.DE MultiMessenger kann`s mit allen: 
http://www.produkte.web.de/messenger/?did=3015