Joel,
When I've received this error, I've been able to resolve it by telling it
the name of the DC.
net ads join -S pdc -U admin_user
See if it works for you.
Dale
On 01/28/2010 9:14 AM, Joel Therrien wrote:
> I am in the process of getting samba working again with Active
> Directory. Recently our IT department
> upgraded their windows server to 2008.
>
> I am following the approach described here:
>
> http://www.surlyjake.com/linux/samba/join-debian-lenny-to-active-directory-using-samba/
>
>
> I am able to get kerberos to issue a ticket, but where I am
> running into a wall is with the net join ads part... It appears to
> work in that
> setting the correct dn and using the username given to me by Jim for
> binding to the windows server passes back a message that looks OK:
>
>> nanoelecfs:/home/joel# net ads dn 'DC=fs,DC=uml,DC=edu' join -U XXXXX
>> Enter XXXXX's password:
>> Got 1 replies
>
> But if I try to test this by issuing the net ads testjoin command, I
> am always asked this (highlighted in red):
>
>> nanoelecfs:/home/joel# net ads testjoin
>> Enter NANOELECFS$@FS.UML.EDU's password:
>> [2010/01/25 22:36:17, 0] libads/kerberos.c:ads_kinit_password(356)
>> kerberos_kinit_password NANOELECFS$@FS.UML.EDU failed:
>> Preauthentication failed
>> Join to domain is not valid: Logon failure
>
> There is no such account, as kerberos is happy to indicate. This is
> odd because I do not recall getting this
> before the upgrade to 2008. NANOELECFS is the name of the linux box.
>
> Trying wbinfo -t gives the following:
>
>> nanoelecfs:/home/joel# wbinfo -t
>> checking the trust secret via RPC calls failed
>> Could not check secret
>
>
> I am running a Debian Lenny system with kernel version 2.6.26-2-amd64
>
> I am running samba version 2:3.2.5
>
> Thanks in advance!
>
> Joel Therrien
>
> My config files are below:
>
> smb.conf
> [global]
> workgroup = ad
> realm = FS.UML.EDU
> preferred master = no
> server string = %h server
> dns proxy = no
>
> #### Debugging/Accounting ####
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
>
> ####### Authentication #######
>
> security = ADS
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> invalid users = root
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> guest account = nobody
> map to guest = bad user
>
> ########## Printing ##########
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> show add printer wizard = no
> disable spoolss = yes
>
> ############ Misc ############
>
> idmap backend = hash
> winbind nss info = hash
> winbind use default domain = yes
> winbind separator = +
> winbind enum groups = no
> winbind enum users = no
> winbind nested groups = yes
> template homedir = /ls/users/%U
> template shell = /bin/bash
> winbind refresh tickets = yes
> # kerberos method = system keytab
> winbind offline logon = yes
> # get quota command = /root/sambaquota.sh
>
> krb5.conf
>
> [libdefaults]
> default_realm = FS.UML.EDU
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented. In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
>
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> FS.UML.EDU = {
> kdc = FSDC1.FS.UML.EDU
> kdc = FSDC2.FS.UML.EDU
> admin_server = FSDC1.FS.UML.EDU
> }
> STUDENT.UML.EDU = {
> kdc = STDC1.STUDENT.UML.EDU
> kdc = STDC2.STUDENT.UML.EDU
> }
>
>
> [domain_realm]
> .umlfs01.fs.uml.edu = FS.UML.EDU
> umlfs01.fs.uml.edu = FS.UML.EDU
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
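An added example, not part of either message: one way to fill in the DC name for the `net ads join -S` suggestion at the top of this thread is to read the realm from smb.conf and take that realm's first `kdc` entry from krb5.conf. The function names and the choice of the first listed KDC as the join server are assumptions; the sample files are constructed excerpts of the configs posted above.

```sh
#!/bin/sh
# Added example (not from the thread): derive "net ads join -S <dc> -U <user>"
# from the realm in smb.conf and that realm's kdc entries in krb5.conf.

smb_realm() {  # $1 = smb.conf; prints the [global] realm value
    awk -F= '
        /^[ \t]*\[/ { g = (tolower($0) ~ /\[global\]/); next }
        g && tolower($1) ~ /^[ \t]*realm[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$1"
}

realm_kdcs() {  # $1 = krb5.conf, $2 = realm; prints one kdc per line
    awk -v realm="$2" '
        /^[ \t]*\[/ { r = ($0 ~ /\[realms\]/); b = 0; next }
        !r          { next }
        /[{]/ { n = $0; sub(/=.*/, "", n); gsub(/[ \t]/, "", n); b = (n == realm); next }
        /[}]/ { b = 0; next }
        b && /^[ \t]*kdc[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v }' "$1"
}

join_command() {  # $1 = smb.conf, $2 = krb5.conf, $3 = admin user
    realm=$(smb_realm "$1")
    [ -n "$realm" ] || { echo "no realm set in $1" >&2; return 1; }
    # Assumption: the first kdc listed for the realm is the DC to join against.
    dc=$(realm_kdcs "$2" "$realm" | head -n 1)
    [ -n "$dc" ] || { echo "no kdc listed for $realm in $2" >&2; return 1; }
    printf 'net ads join -S %s -U %s\n' "$dc" "$3"
}

write_samples() {  # $1 = directory; constructed excerpts of the posted configs
    printf '%s\n' '[global]' '  workgroup = ad' '  realm = FS.UML.EDU' \
        '  security = ADS' > "$1/smb.conf"
    printf '%s\n' '[libdefaults]' '  default_realm = FS.UML.EDU' '[realms]' \
        '  FS.UML.EDU = {' '    kdc = FSDC1.FS.UML.EDU' '    kdc = FSDC2.FS.UML.EDU' \
        '  }' '  STUDENT.UML.EDU = {' '    kdc = STDC1.STUDENT.UML.EDU' '  }' \
        > "$1/krb5.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
join_command "$demo_dir/smb.conf" "$demo_dir/krb5.conf" admin_user
rm -rf "$demo_dir"
```

If the realm in smb.conf has no matching block under `[realms]`, `join_command` prints a message to stderr and returns non-zero instead of emitting a command.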