Sowmya Manjanatha
2014-Mar-01 00:16 UTC
[Samba] Need help joining an IPv6 Windows 2008 AD server
I have been trying to successfully join a Windows 2008 AD server using net ads join createcomputer="<OUname>" -U <username>%password for days and have been unsuccessful. smb.conf and krb5.conf files are below. It fails with a message "Cannot contact any KDC for requested realm".

I have checked all the service records via dig +short _ldap._tcp.mydomain.com which returns serv1.mydomain.com. serv1 is the ipv6 server and the client I am communicating from only has ipv6 addresses (shown below) configured. I have also tried to query other records e.g. _kerberos, _kpasswd, _gc etc and everything checks out.

I also verified that I can join the domain from an ipv4 client with the same credentials, same realm etc. I also have no problems when I do a kinit username@MYDOMAIN.COM. It asks for a password and it is accepted.

So, I am wondering if anyone has successfully joined an ipv6 AD server using "net ads". Any help is appreciated.

Thanks,
Sowmya.

>>>>> smb.conf >>>>>
[global]
   workgroup = MYGROUP
   strict sync = yes
   server string = My Archive
   load printers = no
   disable spoolss = yes
   printcap name = /dev/null

   # Create a samba daemon that only listens on one network IP.
   # List the namespace directories corresponding to this network
   bind interfaces only = yes
   interfaces = 2001:0:0:0:0:0:0:efca
   pid directory   = /var/run/samba/_hcp_system_
   ncalrpc dir     = /var/run/samba/_hcp_system_/ncalrpc
   lock directory  = /var/cache/samba/_hcp_system_
   private dir     = /var/cache/samba/_hcp_system_
   log file        = /var/log/samba/log.smbd._hcp_system_
   log level       = 1
   fake oplocks = yes
   security = ads
   password server = servername.mydomain.com
   realm = mydomain.com
   kerberos method = secrets only
   # Map users that cannot be resolved by AD to the guest account. If guest
   # access is allowed on that share they will get in, otherwise they will be
   # denied
   map to guest = Bad User
   client ldap sasl wrapping = sign
   client ntlmv2 auth = no
   usershare max shares = 10

>>>>> krb5.conf >>>>>
[libdefaults]
 default_realm = MYDOMAIN.COM
 default_keytab_name = FILE:/opt/arc/node-config/krb5.keytab
 udp_preference_limit = 50
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac

[realms]
MYDOMAIN.COM = {
  kdc = serv1.mydomain.com
  kpasswd_server = serv1.mydomain.com:464
}

[domain_realm]
mydomain.com  = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM

[logging]
kdc = STDERR
Sowmya Manjanatha
2014-Mar-01 00:23 UTC
[Samba] Need help joining an IPv6 Windows 2008 AD server
I need to add btw that I had to modify "resolve_name" function in namequery.c in libsmb to get past ipv4 only resolution. It was initially getting "No logon servers" which I got past after setting prefer_ipv4=false in that function.
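
An added example, not part of the original posts and not Samba or MIT Kerberos code: a small check that reads the `kdc` and `kpasswd_server` entries of a realm from krb5.conf text and reports which of them resolve to an IPv6 address, which is the precondition an IPv6-only client needs before any join attempt. The helper names `realm_servers` and `ipv6_report` and the sample text are constructed for illustration; the resolver is a parameter so the check can be exercised without network access.

```python
import re
import socket

DEFAULT_PORTS = {"kdc": 88, "kpasswd_server": 464}

# Constructed sample modelled on the [realms] stanza posted above.
SAMPLE_KRB5 = """\
[libdefaults]
 default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
  kdc = serv1.mydomain.com
  kpasswd_server = serv1.mydomain.com:464
}
"""

def realm_servers(text, realm):
    """Return (key, host, port) for each kdc/kpasswd_server line of `realm`."""
    block = re.search(r"^\s*%s\s*=\s*\{(.*?)\}" % re.escape(realm),
                      text, re.S | re.M)
    if not block:
        return []
    servers = []
    for key, value in re.findall(r"^\s*(\w+)\s*=\s*(\S+)\s*$",
                                 block.group(1), re.M):
        if key not in DEFAULT_PORTS:
            continue
        # Accept host, host:port and [v6-literal]:port forms.
        m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?|([^:]+)(?::(\d+))?", value)
        if m:
            host, port = m.group(1) or m.group(3), m.group(2) or m.group(4)
        else:
            host, port = value, None  # bare IPv6 literal without brackets
        servers.append((key, host, int(port) if port else DEFAULT_PORTS[key]))
    return servers

def ipv6_report(servers, resolver=socket.getaddrinfo):
    """Map each (key, host, port) to its sorted IPv6 addresses ([] if none)."""
    report = {}
    for key, host, port in servers:
        try:
            infos = resolver(host, port, socket.AF_INET6, socket.SOCK_STREAM)
        except socket.gaierror:
            infos = []  # the name has no IPv6 address visible to this client
        report[(key, host, port)] = sorted({info[4][0] for info in infos})
    return report

if __name__ == "__main__":
    servers = realm_servers(SAMPLE_KRB5, "MYDOMAIN.COM")
    for target, addrs in ipv6_report(servers).items():
        print(target, addrs or "NO IPv6 ADDRESS")
```

An empty list for an entry means that server name cannot be reached from an IPv6-only host regardless of what the join tool does afterwards.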