[CentOS] error when join my Centos machine to win2003 ADS server

Rob Townley rob.townley at gmail.com
Thu Mar 26 20:07:14 UTC 2009


2009/3/26 fabian dacunha <fabian at baladia.gov.kw>:
>
> Dear All,
>
> I have successfully managed to have my kerberos configured n working
> without error when i say
>
> kinit Administrator
> and after entering password it works fine
>
> my krb5.conf
> --------------
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = BALADIA.LOCAL
>  dns_lookup_kdc = false
>
>  dns_lookup_realm = false
> [realms]
> BALADIA.LOCAL = {
>   default_domain = baladia.local
>  kdc = 172.16.2.227:88
>  admin_server = 172.16.2.227:749
>  kdc = KMUN
> }
>
> [domain_realm]
> baladia.local = BALADIA.LOCAL
>
> --------------------------------
>
> klist shows
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at BALADIA.LOCAL
>
> Valid starting     Expires            Service principal
> 03/26/09 11:33:04  03/26/09 21:33:18  krbtgt/BALADIA.LOCAL at BALADIA.LOCAL
>        renew until 03/27/09 11:33:04
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> ------------------------
>
> now i configured /etc/samba/smb.conf but when i try to join the domain
>
>  net ads join -U Administrator
> Administrator's password:
> [2009/03/26 21:58:05, 0] utils/net_ads.c:ads_startup_int(286)
>  ads_connect: No logon servers
> Failed to join domain: No logon servers
>
> after googling and trying various options in /etc/samba/smb.conf file here
> is the latest smb.conf file
> ---------------------
>
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2009/03/26 12:50:28
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
>   workgroup = BALADIA.LOCAL
> ;   password server = kmun.baladia.local
>   password server = 172.16.2.227
>   realm = KMUN.BALADIA.LOCAL
>   security = ads
>   idmap uid = 16777216-33554431
>   idmap gid = 16777216-33554431
>   winbind separator = +
>   template shell = /bin/bash
>   winbind use default domain = true
>   winbind offline logon = false
>   encrypt passwords = yes
>  log level = 3
> #--authconfig--end-line--
>        encrypt passwords = yes
>       dns proxy = no
>       server string = Samba Server Version %v
>       os level = 20
>      client use spnego = no
>        server signing = auto
>
> --------------------------------------
>
> where i could be going wrong
> i would be thankful and really appreciate your advice for any setting in my
> smb.conf file
>
> Is there anything else to check
>
> when i run testparm it gives no errors
>
> Thanks and Regards
>
> Fabian

Can you get to the ADS netlogon share?  It is //domainname/netlogon,
which may be //baladia.local/netlogon/ on your network.

//172.16.2.227/netlogon ?

Further, even connecting WinVista to a domain will sometimes require
raw editing of the host's properties in LDAP.   Sysinternals'
adexplorer.exe or jexplorer (don't use java 1.6) are good at this.
Specifically, you will want to make sure dnsHostName and
servicePrincipalName (SPN) are correct.  If not, these tools with the
domain admin privilege will let you edit these ldap entries directly.
Use a known good ADS connected node as an example.

There is a list of apps based on python-ldap at
http://python-ldap.sourceforge.net/apps.shtml
Some of those would provide adexplorer.exe type functionality, but i
haven't tried them for editing.  Hmmm, now i wonder if they work at
all with Samba b/c python hooks were removed in Samba 3.2.0 due to
lack of maintenance???

I would like a script that could be run on a Windows ADS server, an ADS
domain connected windows client, and linux.  The script would generate
and verify everything needed to successfully connect.  SASL required?
Unsecured or Secured auth?   kerberos and ldap identifying info.
ldapenum.pl was an attempt at this.

You will want to read the announcement for Samba 3.2 which i am not
sure if 3.2 is in the CentOS release repo or not.  i ended up using
fc9/fc10 for ads joins.  EnterpriseSamba.com may still be your best
bet for CentOS.
http://lists.samba.org/archive/samba-announce/2008/000145.html
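
An added example, not part of the original thread and not Samba's own code: a Python check that compares the krb5.conf and smb.conf values quoted above, assuming that `realm` in smb.conf should equal the Kerberos `default_realm` and that `workgroup` should be the short NetBIOS domain name. The function names and the trimmed sample strings are constructed for illustration.

```python
# Constructed input: the relevant lines of the two files quoted in the thread.
KRB5_CONF = """\
[libdefaults]
 default_realm = BALADIA.LOCAL
[realms]
BALADIA.LOCAL = {
 kdc = 172.16.2.227:88
}
"""
SMB_CONF = """\
[global]
   workgroup = BALADIA.LOCAL
;   password server = kmun.baladia.local
   realm = KMUN.BALADIA.LOCAL
"""

def parse_flat(text):
    """Return {(section, key): value}; '#' and ';' comments skipped, last value wins."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            out[(section, key.strip().lower())] = value.strip()
    return out

def check_join_config(krb5_text, smb_text):
    """List inconsistencies between krb5.conf and the [global] section of smb.conf."""
    krb, smb = parse_flat(krb5_text), parse_flat(smb_text)
    default_realm = krb.get(("libdefaults", "default_realm"), "")
    realm = smb.get(("global", "realm"), "")
    workgroup = smb.get(("global", "workgroup"), "")
    problems = []
    if realm.upper() != default_realm.upper():
        problems.append(f"realm {realm} differs from default_realm {default_realm}")
    if krb.get(("realms", realm.lower())) != "{":
        problems.append(f"krb5.conf has no [realms] entry for {realm}")
    # Heuristic (assumption): a dotted or >15-character value is a DNS name, not a NetBIOS name.
    if "." in workgroup or len(workgroup) > 15:
        problems.append(f"workgroup {workgroup} is not a short NetBIOS domain name")
    return problems

if __name__ == "__main__":
    print("\n".join(check_join_config(KRB5_CONF, SMB_CONF)) or "consistent")
```
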


