I'm trying to get AD authentication working on a RHEL 5.4 base system.

I can wbinfo -[ug] and getent {passwd|group} with 3.0.33. Everything appears to work just fine, except I could not actually authenticate... I'd always get failed password. A lot of Googling turned up a bug that indicated that it was impossible to get 3.0.33 to authenticate against a W2K8 AD, so I installed 3.5.4. Same smb.conf, same krb5.conf... but I cannot join the domain. net ads status works, but net ads join tells me:

    Failed to join domain: failed to lookup DC info for domain 'MY.DOMAIN' over rpc: Invalid workstation

Googling that error leads to a very few responses, none of which help me. What is the "invalid workstation", and how do I make it valid? :-)

smb.conf:

    [global]
        workgroup = MY
        password server = 192.168.2.22
        realm = MY.DOMAIN
        security = ads
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        client ntlmv2 auth = yes
        disable netbios = yes
        smb ports = 445
        winbind use default domain = yes
        winbind offline logon = yes
        winbind trusted domains only = no
        winbind enum users = yes
        winbind enum groups = yes
        passdb backend = tdbsam

krb5.conf:

    [libdefaults]
        default_realm = MY.DOMAIN
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes

    [realms]
        MY.DOMAIN = {
            kdc = ad1.my.domain:88
            admin_server = ad1.my.domain:749
            default_domain = my.domain
        }

    [domain_realm]
        .my.domain = MY.DOMAIN
        my.domain = MY.DOMAIN

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }

-- 
John Oliver http://www.john-oliver.net/
On Thu, 2012-04-19 at 10:20 -0400, John Oliver wrote:
> I'm trying to get AD authentication working on a RHEL 5.4 base system
>
> I can wbinfo -[ug] and getent {passwd|group} with 3.0.33 Everything
> appears to work just fine, except I could not actually authenticate...
> I'd always get failed password. A lot of Googling turned up a bug that
> indicated that it was impossible to get 3.0.33 to authenticate against a
> W2K8 AD, so I installed 3.5.4 Same smb.conf, same krb5.conf... but I
> cannot join the domain. net ads status works, but net ads join tells
> me:
>

Your smb.conf is wrong; it needs to look something like the following. This is covered in the man pages these days.

    # deal with NSS and the whole UID/SID id mapping stuff
    idmap backend = tdb
    idmap uid = 2000000 - 2999999
    idmap gid = 2000000 - 2999999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : readonly = yes
    idmap config MYDOMAIN : range = 500 - 1999999
    idmap cache time = 604800
    idmap negative cache time = 20
    winbind cache time = 600
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    winbind offline logon = false

You of course need to have the RFC2307 attributes populated in the AD for this to work, and a winbind entry in /etc/nsswitch and winbind running.

Note that you should upgrade to RHEL5.8 immediately and make sure that you have samba3x-3.5.10-0.108.el5_8 installed unless you want your box to be rooted by the first passer by.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
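The following is an added example, not code from either poster or from the Samba project. It is a small Python checker that applies the points made in the reply above to an smb.conf and an nsswitch.conf: the domain named by `workgroup` should have its own `idmap config DOMAIN : backend` and `: range` entries, the per-domain range should not overlap the default `idmap uid`/`idmap gid` range (the Samba 3.5-era syntax used in the thread), and `passwd` and `group` in nsswitch.conf should list `winbind`. The sample configs embedded below are constructed, trimmed versions of the two configurations in the thread; the function names and finding messages are this example's own.

```python
import re

# Constructed sample inputs, modelled on the two smb.conf fragments in the thread.
OP_SMB_CONF = """
[global]
    workgroup = MY
    password server = 192.168.2.22
    realm = MY.DOMAIN
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
"""

FIXED_SMB_CONF = """
[global]
    workgroup = MYDOMAIN
    realm = MY.DOMAIN
    security = ads
    # deal with NSS and the whole UID/SID id mapping stuff
    idmap backend = tdb
    idmap uid = 2000000 - 2999999
    idmap gid = 2000000 - 2999999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : range = 500 - 1999999
    winbind nss info = rfc2307
"""

# Constructed nsswitch.conf samples: one with winbind wired in, one without.
NSSWITCH_OK = "passwd: files winbind\ngroup: files winbind\nshadow: files\n"
NSSWITCH_BAD = "passwd: files\ngroup: files\n"


def parse_smb_conf(text):
    """Minimal smb.conf reader: returns {section: {normalised_key: value}}.
    Keys are lower-cased with whitespace collapsed and spaces around ':'
    removed, so 'idmap config X : range' and 'idmap config X:range' match."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
            conf[section][key] = value.strip()
    return conf


def parse_range(value):
    """'500 - 1999999' or '10000-20000' -> (500, 1999999); None if unparsable."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def lint_smb_conf(text):
    """Return a list of findings; an empty list means the per-domain idmap
    layout recommended in the thread is present and consistent."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'")
    if "realm" not in g:
        findings.append("realm is not set")
    domain = g.get("workgroup", "").lower()
    if not domain:
        findings.append("workgroup is not set")
        return findings
    label = domain.upper()
    if f"idmap config {domain}:backend" not in g:
        findings.append(f"no 'idmap config {label} : backend' entry (per-domain idmap missing)")
    default_uid = parse_range(g.get("idmap uid", ""))
    default_gid = parse_range(g.get("idmap gid", ""))
    if default_uid is None:
        findings.append("idmap uid range missing or unparsable")
    if default_gid is None:
        findings.append("idmap gid range missing or unparsable")
    dom_range = parse_range(g.get(f"idmap config {domain}:range", ""))
    if dom_range is None:
        findings.append(f"no 'idmap config {label} : range' entry")
    # The default (tdb) range and the AD-backed domain range must not overlap,
    # otherwise the same UID can be handed out for two different SIDs.
    for name, default in (("idmap uid", default_uid), ("idmap gid", default_gid)):
        if dom_range and default and ranges_overlap(dom_range, default):
            findings.append(f"idmap config {label} : range {dom_range[0]}-{dom_range[1]} "
                            f"overlaps {name} {default[0]}-{default[1]}")
    return findings


def nsswitch_has_winbind(text):
    """True only if both the passwd and group databases list winbind."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, srcs = line.split(":", 1)
            sources[db.strip()] = srcs.split()
    return all("winbind" in sources.get(db, []) for db in ("passwd", "group"))


if __name__ == "__main__":
    for name, conf in (("original", OP_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, lint_smb_conf(conf) or "OK")
    print("nsswitch ok:", nsswitch_has_winbind(NSSWITCH_OK), nsswitch_has_winbind(NSSWITCH_BAD))
```

Run against the original poster's configuration the checker reports the missing per-domain `idmap config MY : backend` and `: range` entries; against the corrected layout it reports nothing. Feed it the real files with `open("/etc/samba/smb.conf").read()` and `open("/etc/nsswitch.conf").read()` to check a live box.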