Hi,
I have this (Linux) Samba file server, that indeed is a client of a Windows 2000 Server PDC, using Active Directory.
I am the Samba machine admin, but not the Windows one.
I have to join the Samba machine to the PDC on the 2000 server.
I ask the Windows 2000 server admin to come to my Samba machine and insert his login and password to join my machine, but I always get the same error (after my signature, along with other relevant data).
I tried:
# net ads join -Uzbr@dte.ua.pt
What could be causing the error ?
Another question: at the moment of joining the Samba machine to the PDC on the Windows 2000 Server, must the Samba daemons be up or down (I've read contradictory things about this issue)?
Any help would be appreciated.
Warm Regards, Mário Gamito
------------
[root@tux moreira]# # net ads join -Uzbr@dte.ua.pt
foobar@foobar.pt's password:
[2005/04/06 09:24:16, 0] ads_connect: Cannot find KDC for requested realm
[root@tux moreira]#

- DTE is the domain name in question.
- My Samba server FQDN is tux.dte.ua.pt
- My Samba server Netbios name is SRV-TUX-DTE
- Windows 2000 server FQDN is srv-dte.dte.ua.pt
- Windows 2000 server Netbios name is SRV-DTE
- Command I'm using to join the Samba server to the w2000 AD PDC:
  # net ads join -Uzbr@dte.ua.pt
  (zbr@dte.ua.pt has rights on w2000 to join machines to the domain).
My smb.conf:
----------------------------------------
[global]
workgroup = DTE
netbios name = SRV-DTE-TUX
password server = SRV-DTE
realm = DTE.UA.PT
#os level = 4
#preferred master = yes
#domain master = yes
local master = yes
#KDC server = 193.137.84.81
security = ADS
encrypt passwords = yes
# domain logons = yes
smb passwd file = /usr/local/samba/lib/passwd
wins support = no
#dns proxy = yes
#wins server = 193.136.80.7
wins server = 193.136.172.4
wins proxy = yes
#winbind separator = +
#idmap uid = 10000-20000
#idmap gid = 10000-20000
#winbind enum users = yes
#winbind enum groups = yes
#winbind use default domain = yes
unix char set = ISO-8859-15
log file = /var/log/samba/%m

[homes]
comment = Areas pessoais.
browseable = yes
read only = no
guest ok = no
create mask = 600
directory mask = 700

[Docentes]
comment = Area partilhada para Docentes.
path = /home/Docentes
writeable = yes
guest ok = no
force group = profs
create mask = 660
directory mask = 770

[Secretaria]
comment = Area partilhada para os funcionário da secretaria.
path=/home/Secretaria
writeable = yes
guest ok = no
force group = secretaria
create mask = 660
directory mask = 770

[Comum]
comment = Area partilhada para funcionários e Docentes.
path = /home/Comum
writeable = yes
guest ok = no
create mask = 666
directory mask = 777
------------------------------------
On Wed, 2005-04-06 at 11:19 +0100, Mário Gamito wrote:
Hi,
I have this (Linux) Samba file server, that indeed is a client of a Windows 2000 Server PDC, using Active Directory.
I am the Samba machine admin, but not the Windows one.
I have to join the Samba machine to the PDC on the 2000 server.
I ask the Windows 2000 server admin to come to my Samba machine and insert his login and password to join my machine, but I always get the same error (after my signature, along with other relevant data).
I tried:
# net ads join -Uzbr@dte.ua.pt
What could be causing the error ?
Another question: at the moment of joining the Samba machine to the PDC on the Windows 2000 Server, must the Samba daemons be up or down (I've read contradictory things about this issue)?
Any help would be appreciated.
Warm Regards, Mário Gamito
[root@tux moreira]# # net ads join -Uzbr@dte.ua.pt
foobar@foobar.pt's password:
[2005/04/06 09:24:16, 0] ads_connect: Cannot find KDC for requested realm
[root@tux moreira]#
Mario-
Have you fixed your /etc/krb5.conf to reflect your AD domain? Can you kinit as zbr? I had a similar problem with kinit, and it turned out that I had not fully configured my krb5.conf to reflect our AD domain (still had some references to EXAMPLE.COM .. d'oh :)
Hope that helps, Sean
Hi Sean,
No, I did nothing to krb5.conf. I didn't find any reference to that.
Can you send me your example, please ?
I only put
tux.dte.ua.pt TUX.DTE.UA.PT
in krb.realms
Warm Regards, Mário Gamito
Sean O'Connell wrote:
On Wed, 2005-04-06 at 11:19 +0100, Mário Gamito wrote:
Hi,
I have this (Linux) Samba file server, that indeed is a client of a Windows 2000 Server PDC, using Active Directory.
I am the Samba machine admin, but not the Windows one.
I have to join the Samba machine to the PDC on the 2000 server.
I ask the Windows 2000 server admin to come to my Samba machine and insert his login and password to join my machine, but I always get the same error (after my signature, along with other relevant data).
I tried:
# net ads join -Uzbr@dte.ua.pt
What could be causing the error ?
Another question: at the moment of joining the Samba machine to the PDC on the Windows 2000 Server, must the Samba daemons be up or down (I've read contradictory things about this issue)?
Any help would be appreciated.
Warm Regards, Mário Gamito
[root@tux moreira]# # net ads join -Uzbr@dte.ua.pt
foobar@foobar.pt's password:
[2005/04/06 09:24:16, 0] ads_connect: Cannot find KDC for requested realm
[root@tux moreira]#
Mario-
Have you fixed your /etc/krb5.conf to reflect your AD domain? Can you kinit as zbr? I had a similar problem with kinit, and it turned out that I had not fully configured my krb5.conf to reflect our AD domain (still had some references to EXAMPLE.COM .. d'oh :)
Hope that helps, Sean
On Wed, 2005-04-06 at 17:35 +0100, Mário Gamito wrote:
Hi Sean,
No, I did nothing to krb5.conf. I didn't find any reference to that.
Can you send me your example, please ?
I only put
tux.dte.ua.pt TUX.DTE.UA.PT
in krb.realms
Mario-
Take a look at the stock /etc/krb5.conf, and change all the example.com/EXAMPLE.COM settings to match your domain/realm settings. Once you can kinit as zbr, you'll know that your kerberos setup is functional.
For example, at UCSD, the campus active directory is (some would argue, cleverly :) called AD.UCSD.EDU, so a working krb5.conf looks like
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.UCSD.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 AD.UCSD.EDU = {
  kdc = ad.ucsd.edu:88
  admin_server = ad.ucsd.edu:749
  default_domain = AD.UCSD.EDU
 }

[domain_realm]
 .ucsd.edu = AD.UCSD.EDU
 ucsd.edu = AD.UCSD.EDU
 .ad.ucsd.edu = AD.UCSD.EDU
 ad.ucsd.edu = AD.UCSD.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

This is pretty much the stock krb5.conf after replacing all the example.com/EXAMPLE.COM with ad.ucsd.edu/AD.UCSD.EDU, with a very minor tweak to the [domain_realm] section.
Hi Sean,
Thanks for your help. I've configured /etc/krb5.conf and although I still can't join the Samba server to the Windows 2000 Server / Active Directory, the error message shows some progress :P

[root@tux samba]# net ads join -Uf418@dte.ua.pt
f418@dte.ua.pt's password:
[2005/04/07 01:47:49, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password f418@DTE.UA.PT failed: Client not found in Kerberos database
[2005/04/07 01:47:49, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Client not found in Kerberos database
[root@tux samba]#
What missing client is this ?
----
On the other hand,
# kinit f148@dte.ua.pt
gives me this:
[root@tux samba]# kinit f148@dte.ua.pt
kinit(v5): Cannot find KDC for requested realm while getting initial credentials
[root@tux samba]#

Where do I define this KDC thing?
Any ideas ?
Thank you.
Warm Regards, Mário Gamito
Sean O'Connell wrote:
On Wed, 2005-04-06 at 17:35 +0100, Mário Gamito wrote:
Hi Sean,
No, I did nothing to krb5.conf. I didn't find any reference to that.
Can you send me your example, please ?
I only put
tux.dte.ua.pt TUX.DTE.UA.PT
in krb.realms
Mario-
Take a look at the stock /etc/krb5.conf, and change all the example.com/EXAMPLE.COM settings to match your domain/realm settings. Once you can kinit as zbr, you'll know that your kerberos setup is functional.
For example, at UCSD, the campus active directory is (some would argue, cleverly :) called AD.UCSD.EDU, so a working krb5.conf looks like
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.UCSD.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 AD.UCSD.EDU = {
  kdc = ad.ucsd.edu:88
  admin_server = ad.ucsd.edu:749
  default_domain = AD.UCSD.EDU
 }

[domain_realm]
 .ucsd.edu = AD.UCSD.EDU
 ucsd.edu = AD.UCSD.EDU
 .ad.ucsd.edu = AD.UCSD.EDU
 ad.ucsd.edu = AD.UCSD.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

This is pretty much the stock krb5.conf after replacing all the example.com/EXAMPLE.COM with ad.ucsd.edu/AD.UCSD.EDU, with a very minor tweak to the [domain_realm] section.
[root@tux samba]# kinit f148@dte.ua.pt
kinit(v5): Cannot find KDC for requested realm while getting initial credentials
[root@tux samba]#

Where do I define this KDC thing?
You should have a [realms] section in your /etc/krb5.conf file. It should look like this:
[realms]
FAKE_REALM = {
  kdc = kerberos.server.com
  kdc = kerberos2.server.com
}
Also, for some broken environments, you may have to add "noaddresses = false" in [libdefaults]
Another thing for the libdefaults section is:
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
(thanks to marc powell for this one)
-- Jim Perrin
On Wed, 2005-04-06 at 17:51, Mário Gamito wrote:
Hi Sean,
Thanks for your help. I've configured /etc/krb5.conf and although I still can't join the Samba server to the Windows 2000 Server / Active Directory, the error message shows some progress :P

[root@tux samba]# net ads join -Uf418@dte.ua.pt
f418@dte.ua.pt's password:
[2005/04/07 01:47:49, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password f418@DTE.UA.PT failed: Client not found in Kerberos database
[2005/04/07 01:47:49, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Client not found in Kerberos database
[root@tux samba]#
What missing client is this ?
On the other hand,
# kinit f148@dte.ua.pt
gives me this:
[root@tux samba]# kinit f148@dte.ua.pt
kinit(v5): Cannot find KDC for requested realm while getting initial credentials
[root@tux samba]#

Where do I define this KDC thing?
Any ideas ?
Mario-
The kdc(s) is(are) defined in /etc/krb5.conf in the [realms] section. Could you post your /etc/krb5.conf?
Do you know which machines in your active directory setup are the domain controllers? These machines will be the KDCs.
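The prerequisites Sean and Jim describe (a kdc entry for the default realm in [realms] unless dns_lookup_kdc is on, the host's DNS domain mapped to the realm in [domain_realm], and realm set in smb.conf whenever security = ADS) can be checked offline before anyone types a domain admin's password at the console. The script below is an added example written for this page, not code from anyone in the thread or from the Samba or MIT Kerberos projects. The two sample krb5.conf/smb.conf pairs are constructed to resemble the "stock file still pointing at EXAMPLE.COM" situation versus a corrected one; the names tux.dte.ua.pt, srv-dte.dte.ua.pt and DTE.UA.PT are borrowed from the thread only as placeholders. The parser handles the single level of `name = { ... }` nesting that krb5.conf uses and is not a reimplementation of the MIT profile library.

```python
# Added example, not code from the thread: offline checks on a krb5.conf/smb.conf pair
# for the gaps discussed above. Sample files below are constructed, not the posters'.
import re


def parse_krb5_conf(text: str) -> dict:
    """krb5.conf -> {section: {key: [values] | {subkey: [values]}}} (one '{' level)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # '#' starts a comment
        if not line:
            continue
        if m := re.match(r"^\[(\S+)\]$", line):        # [section] header
            section, block = m.group(1), None
            conf.setdefault(section, {})
        elif section is None:
            continue
        elif line == "}":                              # closes 'name = {'
            block = None
        elif m := re.match(r"^([^=\s]+)\s*=\s*(.*)$", line):
            key, value = m.group(1), m.group(2).strip()
            if value == "{":                           # opens 'name = {'
                block = key
                conf[section].setdefault(key, {})
            else:                                      # repeated keys (kdc) -> list
                target = conf[section][block] if block else conf[section]
                target.setdefault(key, []).append(value)
    return conf


def smb_global(text: str) -> dict:
    """Live 'key = value' pairs of smb.conf [global]; '#'/';' lines are comments."""
    params, in_global = {}, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and line and line[0] not in "#;" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()  # as smbd normalises
    return params


def check_ads_config(krb5_text: str, smb_text: str, host_fqdn: str) -> list:
    """Findings that would stop 'net ads join'; empty means the basics are in place."""
    out = []
    krb5 = parse_krb5_conf(krb5_text)
    lib = krb5.get("libdefaults", {})
    realm = (lib.get("default_realm") or [None])[0]
    if realm is None:
        out.append("krb5.conf: [libdefaults] has no default_realm")
    else:
        # No kdc for the realm and no SRV lookup is what kinit/net report as
        # 'Cannot find KDC for requested realm'.
        rb = krb5.get("realms", {}).get(realm)
        via_dns = (lib.get("dns_lookup_kdc") or ["false"])[0].lower() == "true"
        if not (isinstance(rb, dict) and rb.get("kdc")) and not via_dns:
            out.append(f"krb5.conf: no 'kdc =' for {realm} in [realms] and dns_lookup_kdc "
                       "is not true -> 'Cannot find KDC for requested realm'")
        domain = host_fqdn.lower().partition(".")[2]   # the host's DNS domain
        dr = krb5.get("domain_realm", {})
        mapped = (dr.get(host_fqdn.lower()) or dr.get("." + domain) or [None])[0]
        if mapped != realm:
            out.append(f"krb5.conf: [domain_realm] does not map .{domain} to {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in " ".join(lib.get(key, [])).split() if e.startswith("des-cbc")]
        if weak:
            out.append(f"krb5.conf: {key} lists single-DES types {weak}, which current "
                       "Kerberos and Windows releases disable by default")
    smb = smb_global(smb_text)
    if smb.get("security", "").lower() == "ads" and not smb.get("realm"):
        out.append("smb.conf: security = ADS but 'realm' is unset or commented out")
    return out


# Constructed samples modelled on the thread (stock file left at EXAMPLE.COM vs. fixed).
KRB5_AS_POSTED = """[libdefaults]
 default_realm = DTE.UA.PT
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
 }
"""
KRB5_FIXED = """[libdefaults]
 default_realm = DTE.UA.PT
[realms]
 DTE.UA.PT = {
  kdc = srv-dte.dte.ua.pt:88
 }
[domain_realm]
 .dte.ua.pt = DTE.UA.PT
"""
SMB_AS_POSTED = "[global]\n workgroup = DTE\n security = ADS\n #realm = DTE.UA.PT\n"
SMB_FIXED = "[global]\n workgroup = DTE\n security = ADS\n realm = DTE.UA.PT\n"

if __name__ == "__main__":
    print(check_ads_config(KRB5_AS_POSTED, SMB_AS_POSTED, "tux.dte.ua.pt"))  # four findings
    print(check_ads_config(KRB5_FIXED, SMB_FIXED, "tux.dte.ua.pt"))          # []
```

Run it as-is to see four findings for the "as posted" pair and an empty list for the fixed pair, or call check_ads_config() on the real files read from disk. The script also flags the des-cbc-* enctypes suggested earlier in the thread: they were a workaround for Windows 2000-era KDCs, and current MIT Kerberos and Windows releases disable single DES by default, so a present-day configuration should leave them unset.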
Hi,
The kdc(s) is(are) defined in /etc/krb5.conf in the [realms] section. Could you post your /etc/krb5.conf?
After my signature. I also join my current smb.conf
Do you know which machines in your active directory setup are the domain controllers? These machines will be the KDCs.
Yes. Its FQDN is srv-dte.dte.ua.pt and the domain name is DTE. Its IP is 192.137.84.81. It's a Windows 2000 Server with Active Directory.
To recap my data: my domain is dte.ua.pt, so in any name xxx.dte.ua.pt, xxx is the name of the machine.
1 - The domain server as described above;
2 - I'm trying to join a Linux Samba server to the DTE domain, i.e., to the Windows 2000 Server.
3 - This Linux server FQDN is tux.dte.ua.pt and its IP is 193.137.84.84
Thank you.
Warm Regards, Mário Gamito
--
krb5.conf:
---------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DTE.UA.PT
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DTE.UA.PT = {
  kdc = dte.ua.pt:88
  admin_server = dte.ua.pt:749
  default_domain = DTE.UA.PT
 }

[domain_realm]
 .dte.ua.pt = DTE.UA.PT
 dte.ua.pt = DTE.UA.PT
 .srv-dte.dte.ua.pt = DTE.UA.PT
 srv-dte.dte.ua.pt = DTE.UA.PT

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
------------------------------------
smb.conf:
-------------------------------------
[global]
workgroup = DTE
netbios name = SRV-DTE-TUX
password server = 193.137.84.81
#realm = DTE.UA.PT
#os level = 4
#preferred master = yes
#domain master = yes
local master = yes
KDC server = 193.137.84.81
security = ADS
encrypt passwords = yes
domain logons = yes
smb passwd file = /usr/local/samba/lib/passwd
wins support = no
#dns proxy = yes
#wins server = 193.136.80.7
wins server = 193.136.172.4
wins proxy = yes
unix char set = ISO-8859-15
log file = /var/log/samba/%m

[homes]
comment = Areas pessoais.
browseable = yes
read only = no
guest ok = no
create mask = 600
directory mask = 700

[Docentes]
comment = Area partilhada para Docentes.
path = /home/Docentes
writeable = yes
guest ok = no
force group = profs
create mask = 660
directory mask = 770

[Secretaria]
comment = Area partilhada para os funcionário da secretaria.
path=/home/Secretaria
writeable = yes
guest ok = no
force group = secretaria
create mask = 660
directory mask = 770

[Comum]
comment = Area partilhada para funcionários e Docentes.
path = /home/Comum
writeable = yes
guest ok = no
create mask = 666
directory mask = 777