Naadir Jeewa
2008-Apr-01 15:22 UTC
[Samba] Strong(er) authentication required when joining Active Directory (Samba 3.0.28)
Hello all, I'm having problems getting Samba to join a Windows AD. I am delegated OU admin, and have no direct access to the domain controller. We have 3 DCs in one domain where my OU exists. The users I wish to authenticate are in a different domain. I have set up Kerberos and can receive tickets correctly. I run net -d 4 ads join createcomputer=[Delegated OU] -U [account with join permissions] After filling in a password, I get the following: [2008/04/01 16:06:01, 4] libsmb/namequery_dc.c:ads_dc_name(139) ads_dc_name: using server= dc_server' IP=dc_ip ccspmed's password: [2008/04/01 16:06:03, 3] libsmb/namequery.c:get_dc_list(1489) get_dc_list: preferred server list: ", *" [2008/04/01 16:06:03, 4] libsmb/namequery.c:get_dc_list(1599) get_dc_list: returning 3 ip addresses in an ordered list [2008/04/01 16:06:03, 4] libsmb/namequery.c:get_dc_list(1600) get_dc_list: 10.10.250.17:389 10.10.250.3:389 10.10.250.1:389 [2008/04/01 16:06:03, 3] libads/ldap.c:ads_connect(394) Connected to LDAP server 10.10.250.17 [2008/04/01 16:06:03, 4] libads/ldap.c:ads_current_time(2414) time offset is -5 seconds [2008/04/01 16:06:03, 4] libads/sasl.c:ads_sasl_bind(521) Found SASL mechanism GSS-SPNEGO [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(222) ads_sasl_spnego_bind: got server principal name = dc_server [2008/04/01 16:06:03, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found) [2008/04/01 16:06:03, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528) ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Wed, 02 Apr 2008 02:05:58 BST [2008/04/01 16:06:03, 1] utils/net_ads.c:net_ads_join(1470) error on ads_startup: Strong(er) authentication required Failed to join domain: Strong(er) authentication required [2008/04/01 16:06:03, 2] utils/net.c:main(1036) return code = -1 Any help appreciated. Yours, Naadir Jeewa
Naadir Jeewa
2008-Apr-03 17:29 UTC
[Samba] RE: Strong(er) authentication required when joining Active Directory (Samba 3.0.28)
Problem solved. The AD admin turned off server signing and samba is able to join the domain. -----Original Message----- From: Naadir Jeewa Sent: 01 April 2008 16:07 To: 'samba@lists.samba.org' Subject: Strong(er) authentication required when joining Active Directory (Samba 3.0.28) Hello all, I'm having problems getting Samba to join a Windows AD. I am delegated OU admin, and have no direct access to the domain controller. We have 3 DCs in one domain where my OU exists. The users I wish to authenticate are in a different domain. I have set up Kerberos and can receive tickets correctly. I run net -d 4 ads join createcomputer=[Delegated OU] -U [account with join permissions] After filling in a password, I get the following: [2008/04/01 16:06:01, 4] libsmb/namequery_dc.c:ads_dc_name(139) ads_dc_name: using server= dc_server' IP=dc_ip ccspmed's password: [2008/04/01 16:06:03, 3] libsmb/namequery.c:get_dc_list(1489) get_dc_list: preferred server list: ", *" [2008/04/01 16:06:03, 4] libsmb/namequery.c:get_dc_list(1599) get_dc_list: returning 3 ip addresses in an ordered list [2008/04/01 16:06:03, 4] libsmb/namequery.c:get_dc_list(1600) get_dc_list: 10.10.250.17:389 10.10.250.3:389 10.10.250.1:389 [2008/04/01 16:06:03, 3] libads/ldap.c:ads_connect(394) Connected to LDAP server 10.10.250.17 [2008/04/01 16:06:03, 4] libads/ldap.c:ads_current_time(2414) time offset is -5 seconds [2008/04/01 16:06:03, 4] libads/sasl.c:ads_sasl_bind(521) Found SASL mechanism GSS-SPNEGO [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 [2008/04/01 16:06:03, 3] libads/sasl.c:ads_sasl_spnego_bind(222) ads_sasl_spnego_bind: got server principal name = dc_server [2008/04/01 16:06:03, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found) [2008/04/01 16:06:03, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528) ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Wed, 02 Apr 2008 02:05:58 BST [2008/04/01 16:06:03, 1] utils/net_ads.c:net_ads_join(1470) error on ads_startup: Strong(er) authentication required Failed to join domain: Strong(er) authentication required [2008/04/01 16:06:03, 2] utils/net.c:main(1036) return code = -1 Any help appreciated. Yours, Naadir Jeewa