Journal 28 Dec 2005 03:27 pm

SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO

Finally got a good method down and it works consistently… You can read it in straight HTML too.
Everything done in this howto is done with root permissions. It is always best to start out with a completely updated machine:
yum upgrade

Next it is important to make sure that you have the Kerberos client tools on your machine. Only krb5-workstation (which brings in krb5-libs and gives you kinit and klist) is actually needed on a domain member; krb5-server is the KDC package and is not used here, but it does no harm:
yum install krb5-server krb5-workstation

Next you need to edit the /etc/krb5.conf file so that it looks similar to this (case IS important; the realm, KDC and domain names are the items that need changing for your own domain). Note that [domain_realm] has to map your own DNS domain to the realm. The stock RHEL file maps example.com there, and if you leave that in, Kerberos has no idea which realm your hosts belong to:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EDMONSON.KETSDS.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
 EDMONSON.KETSDS.NET = {
  kdc = ed151000d1.edmonson.ketsds.net
  admin_server = 10.76.16.50:749
  default_domain = edmonson.ketsds.net
 }

[domain_realm]
 .edmonson.ketsds.net = EDMONSON.KETSDS.NET
 edmonson.ketsds.net = EDMONSON.KETSDS.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Two caveats on that file. The DES types in the three enctype lines are there for old domain controllers only; DES is weak, and newer Kerberos libraries and Windows releases refuse it, so against anything later than Windows 2003 drop the DES entries and keep RC4-HMAC (plus the AES types where the DC supports them). The [kdc] section is only read by a KDC and can be left out on a member server.

Now it is a good idea to add your domain controller to your /etc/hosts file. That way if something happens to DNS you can still resolve it. We are on to editing the /etc/samba/smb.conf file. There are several things to add and change here, all of them in the [global] section (again case is important, and the values shown are the ones that need changing or adding for your domain):
change: workgroup = EDMONSON
add: realm = EDMONSON.KETSDS.NET
change: server string = Linux Samba File Server
change: security = ADS
change: encrypt passwords = yes
change: preferred master = no
add: template shell = /bin/false
add: template homedir = /home/%D/%U
add: idmap uid = 10000-20000
add: idmap gid = 10000-20000
add: enhanced browsing = no
add: winbind use default domain = yes

After you get those edited, run testparm and correct any errors it reports. With just the changes posted above there shouldn't be any.
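testparm only checks smb.conf syntax; it will happily accept a realm that does not match krb5.conf or a [domain_realm] section still pointing at example.com. The script below is an added example written for this page, not part of the original post or of Samba: it reads a krb5.conf and an smb.conf, confirms the realm is upper case and identical in both files, that security is ADS, and that [domain_realm] maps your own DNS domain, and warns about DES enctypes. The function names are my own and nothing here contacts the domain controller.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-join lint for the krb5.conf
# and smb.conf edits above. It reads the two files and reports the realm/case
# mistakes that testparm does not catch; it never talks to the domain controller.
# Expects the "key = value" layout (spaces around "=") used in the snippets above.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = (tolower($0) ~ ("^[ \t]*\\[" tolower(sec) "\\]")); next }
        in_sec && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_ad_configs KRB5CONF SMBCONF: one line per finding on stdout; the return
# value is the number of hard errors (WARN lines do not count).
check_ad_configs() {
    krb5=$1; smb=$2; errors=0
    realm=$(ini_get "$krb5" libdefaults default_realm)
    smb_realm=$(ini_get "$smb" global realm)
    workgroup=$(ini_get "$smb" global workgroup)
    security=$(ini_get "$smb" global security)
    domain=$(lower "$realm")

    # Kerberos realm names are case-sensitive and, by convention, upper case.
    if [ -z "$realm" ]; then
        echo "ERROR: no default_realm in [libdefaults] of $krb5"; errors=$((errors + 1))
    elif [ "$realm" != "$(upper "$realm")" ]; then
        echo "ERROR: default_realm '$realm' is not upper case"; errors=$((errors + 1))
    fi
    # smb.conf realm must be exactly the same string as the Kerberos realm.
    if [ "$smb_realm" != "$realm" ]; then
        echo "ERROR: smb.conf realm '$smb_realm' != krb5 default_realm '$realm'"
        errors=$((errors + 1))
    fi
    if [ "$(upper "$security")" != "ADS" ]; then
        echo "ERROR: smb.conf security = '$security'; an AD member needs ADS"
        errors=$((errors + 1))
    fi
    if [ "$workgroup" != "$(upper "$workgroup")" ]; then
        echo "WARN: workgroup '$workgroup' is usually written upper case"
    fi
    # [domain_realm] must map the realm's own DNS domain, not the example.com
    # entries left over from the stock RHEL file.
    if [ "$(ini_get "$krb5" domain_realm ".$domain")" != "$realm" ]; then
        echo "ERROR: [domain_realm] lacks '.$domain = $realm'"; errors=$((errors + 1))
    fi
    # DES enctypes are weak; current KDCs and Windows releases refuse them.
    if grep -iq 'des-cbc' "$krb5"; then
        echo "WARN: DES enctypes listed in $krb5; keep RC4-HMAC (or AES) only"
    fi
    return "$errors"
}

# Run directly as: sh check-ad.sh /etc/krb5.conf /etc/samba/smb.conf
if [ "$#" -eq 2 ]; then
    check_ad_configs "$1" "$2" && echo "OK: realm settings are consistent"
fi
```

A nonzero exit means at least one ERROR line was printed; fix those before running net ads join. The WARN lines are advisory, but the DES one is worth acting on unless the DC is an old Windows 2003 box that offers nothing better.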
Before joining, make sure the clock is in sync with the domain controller (run ntpdate against the DC once, then keep ntpd pointed at it); Kerberos rejects requests when the two clocks differ by more than five minutes. It also pays to confirm Kerberos on its own first: kinit for a domain user in the realm above should get a ticket that klist shows, and if that fails the join will fail too.
Next start SAMBA and join the machine to the domain using the commands:
/etc/init.d/smb start
net ads join -U bnorris@EDMONSON.KETSDS.NET

Again case is important. The program asks for that user's domain password and then joins the box to the domain. The account used needs the right to create computer accounts in the domain (a Domain Admin, or a user who has been delegated that right).
If all went well you need to stop SAMBA while you finish up the pieces:
/etc/init.d/smb stop

Now we need to edit /etc/nsswitch.conf so the machine looks up domain users and groups through Winbind. This only covers name and ID lookups; for domain accounts to log in at the console or over ssh you also need pam_winbind in the PAM stack, which this HOWTO doesn't cover:
change: passwd: files winbind
change: group: files winbind

Now we can start Winbind and SAMBA back up (and enable both at boot with chkconfig so they come back after the reboot later on):
/etc/init.d/winbind start
/etc/init.d/smb start

Test to make sure it is working using wbinfo:
wbinfo -u
wbinfo -g

Those commands should give you a list of users and groups from your domain. If you have a particularly complex domain with lots of trusts, you might want to limit wbinfo to one domain with the --domain=EDMONSON option. wbinfo -t checks the machine account's trust secret with the DC and is the quickest test of the join itself. If wbinfo hangs and never returns, stop and start Winbind to get it working again.

You can also get some info about your connection to the domain with net ads info, and net ads testjoin re-validates the join at any later time:
net ads info

Now you need to enable POSIX Access Control Lists (ACLs) on the filesystem that you will be using. This gives you per-user and per-group permissions similar to Windows file permissions, and Samba needs them before Windows clients can edit the security settings on files. To turn them on, edit /etc/fstab. You might not want to enable ACLs on all of your filesystems, since there is some overhead you might not need. Find the entry for the filesystem you want and edit the options field (the fourth field, usually just defaults); after whatever is already there, append ,acl (spelled acl; an unrecognized option keeps the filesystem from mounting at the next boot).

Now the filesystem has to be remounted with the new option. Adding it with a remount (mount -o remount,acl /home for a /home filesystem) works even while users have files open; rebooting is the alternative, and it also proves the fstab line is right.

Now if you are planning on giving your users home folders you need to make their directories. I cheated a little and did the following to quickly create mine (the escaped \$ in the grep pattern is deliberate: it drops the machine accounts, whose names end in $, while a bare '$' would match every line and leave the file empty):
wbinfo -u --domain=EDMONSON | grep -v '\$$' | sort > ~/temp
while read -r i ; do
mkdir -p "/home/EDMONSON/$i"
chmod 700 "/home/EDMONSON/$i"
setfacl -m u:"EDMONSON\\$i":rwx "/home/EDMONSON/$i"
done < ~/temp

That should give you a directory for every user, closed to everyone else (the chmod 700) and with the user having full control through the ACL. Samba itself doesn't create home directories at connect time; pam_mkhomedir.so (mentioned in the comments below) creates them at login for PAM logins such as ssh, and for share connections a root preexec line in a [homes] section can run a script when the user connects.
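The ACL step and the home-directory loop above are the two places where this procedure most often goes wrong (a misspelled mount option, or a grep that empties the user list). The script below is an added example written for this page, not the author's or Samba's code: fstab_has_acl reads an fstab or /proc/mounts entry and checks for the acl option, user_accounts filters wbinfo -u output so that machine accounts (trailing $) are dropped without losing the real users, and make_homes creates each directory closed to other users with an ACL granting DOMAIN\user full control. It assumes winbind use default domain = yes as in the smb.conf above, so wbinfo prints bare user names; the function names and the sample run are my own.

```shell
#!/bin/sh
# Added example, not from the original post: the ACL check and the home-directory
# loop above, done defensively. Assumes "winbind use default domain = yes" as in
# the smb.conf above, so wbinfo -u prints bare user names without a domain prefix.

# fstab_has_acl FILE MOUNTPOINT: true when the options field (4th) of the entry
# for MOUNTPOINT contains "acl". FILE can be /etc/fstab (what will happen at the
# next boot) or /proc/mounts (what is in effect now); both have the same layout.
# Flags the common "alc" typo, which stops the filesystem from mounting at boot.
fstab_has_acl() {
    opts=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1")
    case ",$opts," in
        *,acl,*) return 0 ;;
        *,alc,*) echo "$1: options '$opts' for $2 say 'alc'; the option is 'acl'" >&2
                 return 1 ;;
        *)       return 1 ;;
    esac
}

# user_accounts: filter wbinfo -u output on stdin. A bare '$' in a grep pattern
# matches the end of every line, so grep -v '$' drops everything; the escaped
# form below removes only machine accounts (trailing "$"), then blanks and repeats.
user_accounts() {
    grep -v '\$$' | grep -v '^$' | sort -u
}

# make_homes BASE DOMAIN: read user names on stdin and create BASE/USER, closed
# to everyone else (mode 700) plus an ACL giving DOMAIN\USER full control.
# Prints the number of directories handled. Needs root and an acl-mounted BASE.
make_homes() {
    base=$1; dom=$2; n=0
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        mkdir -p "$base/$user"
        chmod 700 "$base/$user"
        setfacl -m "u:$dom\\$user:rwx" "$base/$user"
        n=$((n + 1))
    done
    echo "$n"
}

# Typical run (as root), after confirming the live mount really has ACLs on:
#   fstab_has_acl /proc/mounts /home || exit 1
#   wbinfo -u --domain=EDMONSON | user_accounts | make_homes /home/EDMONSON EDMONSON
```

The first two functions are safe to run as any user; make_homes needs root and a filesystem mounted with acl, which is why the sample run checks /proc/mounts rather than /etc/fstab first: the fstab line can be right while the filesystem is still mounted with the old options.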

So there you go. You should now have a machine that authenticates against the AD and shows users the shares they are allowed to access. If you want to add shares for specific users it isn't too tough; just add them to /etc/samba/smb.conf.
A good template share definition looks something like this:
[vivnenoi]
comment = wireless to connect field
path = /home/shares/vivnenoi
valid users = EDMONSON\lamar.miller EDMONSON\jcarnes EDMONSON\bnorris
public = no
writable = yes
printable = no
create mask = 0765

Keep in mind that valid users only decides who may connect; the ownership and mode of the path still apply underneath, and create mask = 0765 leaves every new file readable by any account on the box. If the share really is only for the listed users, create mask = 0660 together with directory mask = 0770 and a path owned by a group those users belong to keeps other logins out.

I have also written a shell script that can be run from a web page to dynamically generate shares for groups of users. I will post it in another entry soon.

62 Responses to “SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO”

  1. on 26 Jan 2007 at 2:04 am 1. Junji’s Blog Site said …

    links from Technorati If you have problems with this howto you can post questions or comments to my blog post about this.Everything done in this howto is done with root permissions. It is always best to start out with a completely updated machine: yum upgrade Read more at Brent’s Homepage

  2. on 03 Jun 2008 at 8:45 am 2. .: o-o-s.de :. said …

    links from Technorati: net ads info; check whether the PC can be added to the AD: net ads testjoin; show Kerberos tickets: kinit. Links: http://www.debian-administration.org/articles/340 http://www.software-krause.de/index.php?id=40 http://www.brentnorris.net/blog/archives/179

  3. on 17 Feb 2006 at 9:15 am 3. jim beam said …

    Many thanks for the help. So far.
    How does one determine the exact realm name on a 2003 server? Is it the (case-sensitive) high-level name that appears in Domain.msc?

  4. on 17 Feb 2006 at 11:53 am 4. Brent said …

    Yes I believe that would be the thing you are looking for.

  5. on 03 Mar 2006 at 1:51 am 5. Santosh said …

    Thanks Brent,

    I have added my RHEL-4 machine to my Windows 2003 ADS successfully. But I can't access shares on my Linux box from Windows; it asks me for a user name & password, and if I supply my user name & password it doesn't accept them.
    But I am able to access Windows shares from the Linux box. Can you please help me resolve this issue?

    Thanks in advance.

    Santosh

  6. on 03 Mar 2006 at 6:02 am 6. Brent said …

    If you can’t get to the Linux shares from a Windows machine then something isn’t setup correctly. That is what this process is really all about. You don’t even really have to setup SAMBA to get from Linux to Windows.

    I would suggest going through the process again and making sure that everything is the way I said and that all the test commands return correctly. If they don’t then you need to work on that section and find out why it isn’t working right.

  7. on 03 Mar 2006 at 3:35 pm 7. Towlesd said …

    I've been working on the same stuff for the last few weeks and have modified a few files to allow most connection types to auth via AD (ssh, samba, login screen etc). Basically at the same place but a few things to think about. Winbind needs to be started for this to work, but even when I add it with chkconfig it doesn't work unless I first login with root and restart the service; after that I can log out and login fine, but it has to be with root. Also if an account is ever renamed…….. basically they're seen as a new user. I work for a university in a 30 thousand user environment so just the volume of shares becomes an issue. Also you can have the accounts' homes created using “pam_mkhomedir.so”. Any comments, questions, or curses would be thankful.

  8. on 05 Jul 2006 at 1:44 pm 8. Rick D said …

    So, whaddya think about this: I have samba running on several linux servers (RHEL), and I can see both the server and the shares from an XP workstation but only the server and NOT the shares from a Win2K3 server. I have tried changing smb.conf to security = ADS, etc., but to no avail. I have even added my user to smbpasswd. Still no luck. Any ideas would be helpful. Thanks. Rick

  9. on 12 Aug 2006 at 12:09 am 9. shanaf said …

    Hi, I have configured a samba server, and my Windows Active Directory users have been authenticated through WINBIND; there is no problem for authentication and accessing the shares.

    The problem comes when a user creates a folder or a file in the samba server: he can't allow or deny a specific user for his file. I can change the permission for the currently listed users, but can't add or delete any other users.

    Its showing error ” cannot save changes for the share in the server”

    how can i solve this issue.

    Thanks in advance for the help

  10. on 12 Aug 2006 at 4:44 am 10. Brent said …

    You need to read the above part about turning Access Control Lists on. That is a common problem when it is not turned on.

  11. on 25 Aug 2006 at 3:08 am 11. tily.p said …

    hi
    nice tutorial .. very helpful .. but perhaps you can help me and many other users regarding the following issue
    I joined samba to ADS 2k3 R2 with no problem .. no ACL support in my samba and in kernel .. wbinfo, getent work well .. BUT !!!!
    I create a share public with chmod 770 and one group sambausers in my ADS
    chgrp sambausers /public and chmod 770 on /public .. in that group are 2 users user1 and user2 .. both users and only them have access to that share .. I remove one user and still after 24 hours he still has access there until I restart samba and winbind .. same happens if I add a user to the group .. he has no access until samba restart … winbind cache is set up on 0 .. getent and wbinfo see the group modifications, also another samba from another machine works well against this group modification (I can connect with smbclient) .. but NOT from Windows XP stations or 2000 stations

    thanks for any help

  12. on 25 Aug 2006 at 5:59 am 12. Brent said …

    That is a little hard to follow, I guess just because it is early, but I would say your problem stems from the fact that Windows doesn't check groups again until a log off and back on.

    See, the Windows box caches the credentials that you supplied until a log off. So as long as a connection is still possible then it will always think it is in that group. When you restart SMB it loses the connection and tries to re-auth to the Linux machine. When it does this then everything gets run by the AD again and the group members are updated. Then no access.

    I bet if you log out and back in on the Windows machine without restarting SMB and Winbind, it will have a similar effect. Or it is at least something to try.

  13. on 25 Aug 2006 at 6:07 am 13. tily.p said …

    thanks for the answer
    but here is another problem regarding what you said .. I can even restart my Windows boxes .. no effect .. I still cannot logon (with my user as a member of that group)
    I forgot to mention that I tried with many versions and Linux distros and even with OBSD 3.9 (same problem). I asked a guy who had the same problem .. he couldn't find the answer .. I tried also to sniff the network with Ethereal from both sides to check the dialogs between server and client .. nothing
    PS: in win 2000 ADS all work well so it is a win 2003 problem as i see ..

    i have about 300 XP workstations and 3 samba servers and 2 2003 DC .. it is not so easy to restart services everytime a modification is made

  14. on 25 Aug 2006 at 7:31 am 14. Brent said …

    hmm… Well that was my only shot at it then. Perhaps the samba lists could help you out with it? Please if you figure it out, post back. It will only help to get the word out on how to fix it.

  15. on 26 Aug 2006 at 5:41 am 15. tily.p said …

    i already posted … no one answered back .. and i found someone who has the same problem but he also like me doesn’t know what to configure anymore .. i think it is a problem of how windows stations question the 2003ADS to get the rights .. in 2000 ADS all worked well .. someone said that it could be my domain controller problem .. ok.. i installed a new one and with a crossover cable connected it to a fresh samba install .. i configured everything but the same issue appeared

  16. on 06 Sep 2006 at 10:55 pm 16. Babu said …

    I get the below error after going through the said configuration…Any idea?

    utils/net_ads.c:ads_sratup(191)
    ads_connect: Transport endpoint is not connected

    This error is while i trying to join to the domain…

    Thanx Babu

  17. on 20 Sep 2006 at 1:47 am 17. tily.p said …

    Hi Brent .. solved my problem … it was a PAM configuration problem .. I needed to change the config files in /etc/pam.d/samba and /etc/pam.d/login .. if someone has a problem you can find me on yahoo msg id: zaafiel_666 .. my samba works great now (win2k3 groups, users, ACL and also I can change rights from Windows Explorer for the files and directories in samba) … please Brent if you can index this page to google so everyone who has this problem can solve it

  18. on 17 Nov 2006 at 9:12 am 18. Sunny said …

    Hi Brent,

    It is really superb piece of work, and I think it would have helped many.
    I have joined the samba server against Windows 2000 authentication without problem, but now I have upgraded my Windows server from 2000 to 2003 and the same configuration does not work. I am able to connect to the ADS server; even wbinfo -u, -g, -t, -a and getent passwd, group work fine, and joining also works fine,
    but when I use this command this is the error.

    [root@starlinux root]# net ads testjoin
    [2006/11/17 20:38:50, 0] libads/kerberos.c:ads_kinit_password(136)
    kerberos_kinit_password STARLINUX$@STARBANG failed: Preauthentication failed
    [2006/11/17 20:38:50, 0] libads/kerberos.c:ads_kinit_password(136)
    kerberos_kinit_password STARLINUX$@STARBANG failed: Preauthentication failed
    Join to domain is not valid

    would you please help me on this.

    Thanks in advance.

  19. on 23 Dec 2006 at 6:33 am 19. Config Fun said …

    Samba as MS AD member…

    I am working a lot around making Linux and Windows work together nicely, especially in the places where MS Active Directory is installed. I have managed to set up many things the way it is transparent for the end user which OS (s)he is accessing on the…

  20. on 26 Jan 2007 at 2:55 pm 20. Ghys said …

    Great piece of work ! Glad to see that it is working for you coz for me it’s not working…for now :)

    I am having the same bug as Babu’s .

    Where did i miss something? I can’t figure out.
    I did restart all services : winbind, SMB.

    would be nice to have some sort of a solution from a working system. Also get a full printout of all needed files (without compromising infos ;) ) that way we could compare and make adjustements.

    thanks again for all the effort and info .

  21. on 22 Feb 2007 at 6:04 am 21. trance said …

    Good explanation. Had a q: what if I don't want home directories created, and only want it for shares for particular groups who will never logon to the Linux server?

  22. on 08 Mar 2007 at 6:15 am 22. Daniele said …

    Hi!
    My installation hangs infinitely after “net ads join -U xxxx@xxxx” with this message:

    [2007/03/08 14:10:51, 0] libads/ldap.c:ads_add_machine_acct(1405)
    ads_add_machine_acct: Host account for saenet01 already exists – modifying old account
    [2007/03/08 14:10:51, 5] libads/ldap_utils.c:ads_do_search_retry(56)
    Search for (objectclass=*) gave 1 replies

    I’m using Samba 3.0.24 on a RedHat Enterprise 3 with AD on Windows 2003: I have google and found others having same problem, but no solution found.

    If anyone has some hints…

    Thanks!

    Daniele

  23. on 09 Mar 2007 at 11:44 am 23. Joo said …

    Hey!
    there is an error in your documentation. The option in the /etc/fstab is not alc, it’s acl ;)

    cheers Jo

  24. on 30 Mar 2007 at 5:14 pm 24. Zither said …

    Hello! Is there a way to make samba clients (like smbclient, nautilus, konqueror, etc) to use the authentication information (a kerberos ticket) whenever i access a network share, thus avoiding to ask for authentication? Assume that the client computer has already joined a windows2003 domain controller and the logged user is a domain user obtained with winbind.
    Thank you in advance!

  25. on 25 May 2007 at 12:26 am 25. Zenu said …

    Hallo All!
    SAMBA 3 Authenticating to a Windows 2003 Active Directory works with winbind and pam_mkhomedir.so greatly, but pam_mkhomedir.so makes the home folder for the machine.

    Can you pls help me to resolve this issue..

    Thanks.

    Zenu

  26. on 23 Jul 2007 at 1:48 am 26. CentOS5 (RHEL5) + 9TB Drive + AD + Win/OSX clients at From Sydney to 北京 & Vancouver said …

    [...] http://www.brentnorris.net/blog/?p=179 [...]

  27. on 09 Aug 2007 at 5:35 am 27. Jackie said …

    Hi,

    When I run the kinit command, i got the following error msg:

    kinit @

    kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

    And I check that there’s no kdc.conf file or the log files specified in krb5.conf. Do I miss anything here?

    Regards,
    Jackie

  28. on 09 Aug 2007 at 6:44 am 28. Jackie said …

    Hi,

    When I run the kinit command, i got the following error msg:

    kinit AD_userid@dns_of_AD_Server

    kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

    And I check that there’s no kdc.conf file or the log files specified in krb5.conf. Do I miss anything here?

    Regards,
    Jackie

  29. on 13 Sep 2007 at 3:48 am 29. Jason said …

    Just want to say THANK YOU BRENT!, exactly what I needed without having to read through miles of BS. Good Work mate!

    Regards
    Jason

  30. on 27 Nov 2007 at 5:10 am 30. Samba + activedirectory - SWiK said …

    [...] SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO Wednesday, October 17, 2007 [...]

  31. on 08 Jan 2008 at 3:46 am 31. irfan.farid said …

    this is my network scheme :

    CLIENT (WORK001)—————– ADS.SERVER (DOMAIN)
    SMB.SERVER (DEVEL) ————————-|

    the shared folders which set to writeable without “valid users” setting is working fine, but the one with contain “valid users = DOMAIN\user.name1 DOMAIN\user.name2″ everytime i try to browse them, it keeps return asking login and password, i typed “DOMAIN\user.name” + the right password but the username back to “DEVEL\user.name”, i changed again but keep the same, is there something i did wrong with the config? Pls help,

    Thanks.

  32. on 15 Feb 2008 at 10:36 pm 32. Almir said …

    Great work! Thanks a lot for this article.

    regards,
    Almir

  33. on 05 Mar 2008 at 2:52 pm 33. Nico Kadel-Garcia said …

    It looks like you have a typo: where you say “put alc” in the fstab, it should be “put acl”. It would also be more clear if you emphasized the “acl” a bit.

  34. on 17 Mar 2008 at 6:55 pm 34. Francis said …

    Hi all,

    I’m trying to join my samba server to active directory on windows 2003. Here are my system’s details:

    SAMBA:
    samba3-3.0.28a-35
    samba3-utils-3.0.28a-35
    samba3-client-3.0.28a-35

    KERBEROS:
    krb5-auth-dialog-0.7-1
    krb5-libs-1.6.1-17.el5
    krb5-workstation-1.6.1-17.el5
    krb5-server-1.6.1-17.el5

    Operating System: Centos 5 with kernel version 2.6.18-53.1.14.el5 running on vmware server

    The specific problems that I have are the following:

    when I do a testjoin to my AD server:
    kerberos_kinit_password ADSERVE$@DOMAIN.COM failed: Preauthentication failed
    Join to domain is not valid: Logon failure

    This is strange, since I can get my ticket using kinit with no problem. When I do a join to my AD server:

    [2008/03/18 08:51:23, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Failed to join domain: Invalid credentials

    Again, this is strange considering I can get the ticket using klist. If it’s any help, I get kerberos errors on my AD server event logs. It says something to the effect that I might have duplicate machine accounts and local accounts. I do have duplicate accounts, but I removed it already from the client. Still, I get the same errors.

    This is all for now. We’ll work in this topic by topic I guess.

  35. on 15 May 2008 at 3:09 am 35. ross said …

    hi
    I'm using samba 3 in Fedora 5 and Windows AD 2000; after configuring krb5 and kinit it works fine,
    but when I am trying to add ADS I am getting this error:
    net ads join -U Administrator@GSADOMAIN.COM
    Administrator@GSADOMAIN.COM‘s password:
    [2008/05/15 15:38:04, 0] utils/net_ads.c:ads_startup(289)
    ads_connect: Operations error
    Pls help.

  36. on 15 May 2008 at 10:25 am 36. Cheeseball said …

    Nice documentation, I've read a lot on this subject and yours seems to be spot on. Everything is working fine for me with one exception: I still cannot log into my Linux (CentOS 5.1) box with an Active Directory account.

    Kerberos is working and I can get tickets.
    Winbind and Samba seem to be working, I was able to join ADS and can get a list of users or groups with wbinfo.

    However, for the life of me I still cannot get the box set up to allow me to actually log into it with a domain account.

    I suspect it’s a PAM configuration problem, but I’m not sure.

    Even when I've verified that winbind and smb are running, I can switch to a different TTY and try to log into a console session with an AD account but still get a “Login Incorrect” message returned.

    Any ideas on what I am missing?

  37. on 26 May 2008 at 12:13 pm 37. Your page is now on StumbleUpon! said …

    [...] Your page is on StumbleUpon [...]

  38. on 03 Jun 2008 at 8:29 am 38. Aplon NS said …

    Follow Brent suggestion on top of this forum… especially the krb5.conf and nsswitch.conf. I had the same problem, smb and winbind running but still getting a windows authentication window when i connect. Happy now.

  39. on 01 Aug 2008 at 2:11 am 39. santhosh said …

    Hi all

    When i try to connect, i am getting this error:
    net ads join -U santhosh@xxxx.xxxxx.com
    santhosh@xxxx.xxxxxx.com‘s password:
    [2008/08/01 20:53:00, 0] utils/net_ads.c:ads_startup(281)
    ads_connect: Invalid or incomplete multibyte or wide character

    please help me for sort out this problem

  40. on 05 Aug 2008 at 6:42 am 40. Thomas said …

    I was looking at a printable version of this page when I was following the instructions… the comments weren’t there. I noticed that when editing the fstab he had “alc” instead of “acl” but I figured he knew what was right so I put that in.

    Now, after a reboot. I cannot edit ANY files and even the root user cannot modify the fstab file to correct it. I’m completely screwed. Do I have to rebuild my server from scratch?!

  41. on 05 Aug 2008 at 1:21 pm 41. Brent said …

    Most likely your root filesystem is just mounted read-only. If you are at the recovery console you should be able to remount it read-write and edit the fstab.

    the command would be something like this

    mount / -o remount,rw

    but check the man page for mount to get the correct one. you might want to check it on a machine that isn’t the one that is having the problem. Above article fixed… sorry I thought I had already fixed it.

  42. on 05 Aug 2008 at 1:29 pm 42. Thomas Deliduka said …

    I got it fixed after a few hours' work. I looked online and saw stuff like modifying the kernel parameters to have init=/bin/bash to have just the shell come up. I then would do the command you mention above and for some reason it would still read the fstab, because it would give me “Unrecognized option alc” and simply not mount properly.

    So, even after reading a post that this wouldn’t work… I booted with the fedora core 6 CD, went into recovery mode which put the volume under /mnt/sysvol or something like that. from there I edited the fstab and everything is fine.

    After tweaking some things including the iptables firewall I was able to get this to work. Your blog post has been invaluable so I thank you. Just please, if you haven’t already, correct the spelling on the fstab section!

  43. on 09 Nov 2008 at 10:00 am 43. unix86.org » Samba integrate into Windows AD said …

    [...] http://www.brentnorris.net/blog/archives/179 [...]

  44. on 19 Dec 2008 at 6:09 am 44. Fernando Galvao said …

    good day…sorry my English is that I am using a translator on-line. I need its aid for the sharing of folders: I have a called folder given and inside of it he has some folders of each department then I want to place permissions in the folders inside of data for users and groups as I make? I can make this right-hander of windows 2003 or have that to make direct of linux? an example: ‘ the user Pablo has access alone has access to the sharing //files/DP (it only can here read) the user michael alone has access to the commercial sharing //files/commercial (it can save, record, excrever here and erase) all users have access to the //files/Q sharing (only reading and total access apra administrator) all these users are of Ad windows 2003.

  45. on 21 Jan 2009 at 7:46 pm 45. CJ said …

    Dear Brent .. Thanks your for your cool site. I had learn lots of things

    however, when I try to use the command setfacl -m user:”domain\user”:rwx foldername

    my system gives me: setfacl: foldername: Operation not supported

    do you have any ideas about this ?

  46. on 22 Jan 2009 at 7:53 am 46. Brent said …

    Sounds like you didn’t enable ACL support on that filesystem and then unmount it and remount it

  47. on 22 Jan 2009 at 7:59 am 47. Fernando Galvao said …

    and on my problem somebody can help me?

  48. on 02 Feb 2009 at 9:14 am 48. CentOS5 (RHEL5) + 9TB Drive + AD + Win/OSX clients + BackupEXEC - Blog - Networks | Email | Mobile | Websites | Online Marketing - Vancouver, Canada - Chatswood Computer Consultants Ltd. said …

    [...] Samba http://www.brentnorris.net/blog/?p=179 [...]

  49. on 04 Mar 2009 at 3:16 pm 49. Tank Abbot said …

    Does anyone know if this same procedure will work using a Windows 2008 AD Domain? I use RHEL 5.3 and Fedora 10. Thanks! Great site!!

  50. on 12 Mar 2009 at 4:47 pm 50. Geoff White said …

    After getting this working a couple of times, I have found that it usually needs a reboot of both the DC and the Linux box to get it working properly.

    Normally you can join the domain, but there are problems getting winbind to fetch users and groups.

  51. on 08 Apr 2009 at 12:11 am 51. ndbinh said …

    Dear Brent.
    I was try to join Samba server to AD 2003 but I can’t, I have some problem, the info error :

    [root@TESTER ~]# net ads join -U Administrator@DIGI-TEXX.LOCAL
    Administrator@DIGI-TEXX.LOCAL‘s password:
    Using short domain name — DIGI-TEXX
    Failed to set servicePrincipalNames. Please ensure that
    the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Deleted account for ‘TESTER’ in realm ‘DIGI-TEXX.LOCAL’
    Failed to join domain: Type or value exists

    Can you tell me how to fix the error.

    Thanks & best regards.

  52. on 13 Apr 2009 at 5:02 am 52. Santosh Sonavale said …

    Dear Sir,

    I joined windows 2003 domain with my linux machine. Actually I want to make my linux machine (OS RHEL5) as a File Server for all domain users. I want to take a backup of all windows domain client machines to my linux machine. So I want to create a directory for each user with user can store data upto 5GB. I don’t want to create smbusers as per the domain list & smbpasswd as per domain. Linux machine should authenticate with windows domain controller so domain user can easily access a directory which is assigned to the user on a linux machine.

    Waiting for ur reply…..asap.

    Regards,

    Santosh Sonavale.

  53. on 07 Jul 2009 at 4:42 am 53. Lawrence Okpoho said …

    i got this error when i type net ads join -U username@DOMAIN
    ads_connect: Transport endpoint is not connected

  54. on 28 Sep 2009 at 2:02 am 54. oes tsetnoc said …

    Hi, Just like to tell you that this piece of info is one quick to the point, no nonsense, workable and effective way to have directories shared in Ubuntu as fast as possible. It worked for me and thank you for the effort. Keep up the good work.

  55. on 06 Nov 2009 at 7:26 pm 55. Andres PH said …

    Thanks for your article, I am not so experienced with linux but I got.
    I am using Linux Centos 3.9 with Win2k3R2 servers and is working fine.
    I saw that some people did not get and this is why I want to colaborate considering that I also didnt get the first time.
    1.in /etc/samba/smb.conf all lines to “add:” have to be in the [Global] section
    2.before joining to the domain with #net ads join…, you have to sincronize the linux server time with de AD server using the command:
    #ntpupdate
    or using the GUI in SystemSetting/DateTime (enable network time protocol an declaring your AD server)
    3.you have to put the smb and winbind services to start automatically, do this using the GUI in Services
    4. in my case I will use the linux as a printer server and just share the /home partition with full access for AD Domain Users
    5.when setting ACL for the partition you want to create user folders is better to explicity declare starting with /dev/… as in my case:
    /dev/hda5 /home ext3 default,acl 1 2
    because it was (and leave commented):
    LABEL=/home /home etx3 default 1 2
    6.I give the access to /home to all domain users
    #setfacl -m g:”MYDOMAIN\Domain Users”:rwx /home
    7.I confirmed the assignment with
    #getfacl /home
    and appears this line:
    group:Domain Users: rwx
    8.now every user that is in the domain can connect to the linux server with full access to the /home partition without asking user/password
    9.only in the PCs that are not in the domain, ie in workgroup I have to log with user@mydomain.com and password usisng the credential with some account from AD
    10.I also can see the printers shared on the linux server but I still can connect to it, if someone can help me i will apreciate otherwise I will search how to do by myself
    thanks.

  56. on 13 Feb 2010 at 9:53 pm 56. slarti said …

    Hi Brent,

    I found your site by trying to solve my problem for the last 4 days. Maybe you can help.

    I have Fedora 11 trying to join MS 2003 R2 AD server. I followed all the steps you outlined and then I did some more experimenting, but I am consistently getting the same error :

    net ads join -U administrator
    Enter administrator’s password:
    [2010/02/14 04:33:01, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Failed to join domain: failed to connect to AD: Invalid credentials

    the net ads info works :

    net ads info
    LDAP server: 192.168.1.5
    LDAP server name: bluead.blueteam.local
    Realm: BLUETEAM.LOCAL
    Bind Path: dc=BLUETEAM,dc=LOCAL
    LDAP port: 389
    Server time: Sun, 14 Feb 2010 04:51:54 CET
    KDC server: 192.168.1.5
    Server time offset: 0

    I can't join the domain. Is there anything I am missing?
    Do you need more info from me?
    Please help.

    Thanks,
    Mirek

  57. on 01 Jun 2010 at 6:30 am 57. ilayaraja said …

    Thanks for your article. I successfully configured and joined Samba with my Windows 2003 ADS.

  58. on 17 May 2011 at 3:59 pm 58. Cloud81918 said …

    I just want to drop a thanks. I've been following another how-to and ended up with everything the way they wanted, but it wasn't working. With your walkthrough I had it up in minutes. Thanks again for taking the time to put this up.

    -Jerred

  59. on 22 Jul 2011 at 12:50 am 59. brahma said …

    Hi,
    I set up Samba as you mentioned and added the domain to Samba. While testing with net rpc it shows JOINED OK, but testing with net ads it shows the following error. Also, I have not added the ACL. Please help me.

    [ samba]# net ads join -U Administrator%welcome*123
    [2011/07/21 18:30:26, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Failed to join domain: Invalid credentials
    [ samba]# net rpc join -U Administrator%welcome*123
    Joined domain PLATFORM.

  60. on 22 Jul 2011 at 1:07 am 60. brahma said …

    My access log returns the following message:

    failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
    [2011/07/21 18:30:26, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
    NTLMSSP BH: NT_STATUS_ACCESS_DENIED

    My KDC server info:

    LDAP server: 171.18.0.45
    LDAP server name: bnsr259.platform.com
    Realm: PLATFORM.COM
    Bind Path: dc=PLATFORM,dc=COM
    LDAP port: 389
    Server time: Wed, 20 Jul 2011 20:34:57 IST
    KDC server: 171.18.0.45
    Server time offset: 180
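A small checker for the `net ads info` output pasted in comments 56 and 60 above, added here as an example (not the commenters' or Samba's code). It assumes the Kerberos default clock skew tolerance of 300 seconds and takes the expected realm (the `default_realm` from krb5.conf) as a parameter; the sample output is constructed from comment 60.

```python
"""Parse `net ads info` output and flag two things that commonly break the
Kerberos bind behind 'kinit succeeded but ads_sasl_spnego_krb5_bind failed':
a realm that does not match krb5.conf and a clock offset near the KDC limit.
Added example, not from the original post; sample output is constructed."""

# Constructed to match the format pasted in the comment above.
NET_ADS_INFO = """\
LDAP server: 171.18.0.45
LDAP server name: bnsr259.platform.com
Realm: PLATFORM.COM
Bind Path: dc=PLATFORM,dc=COM
LDAP port: 389
Server time: Wed, 20 Jul 2011 20:34:57 IST
KDC server: 171.18.0.45
Server time offset: 180
"""

# Assumption: Kerberos default tolerance (krb5 'clockskew') is 300 seconds.
MAX_CLOCK_SKEW = 300


def parse_net_ads_info(output: str) -> dict:
    """Turn 'Key: value' lines into a dict; the value may itself contain ':'."""
    info = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        info[key.strip()] = value.strip()
    return info


def check_net_ads_info(output: str, expected_realm: str, warn_fraction: float = 0.5) -> list:
    """Return a list of problem strings; an empty list means nothing obvious was found."""
    info = parse_net_ads_info(output)
    problems = []
    realm = info.get("Realm", "")
    if realm != expected_realm:
        problems.append(f"realm {realm!r} does not match krb5.conf default_realm {expected_realm!r}")
    if realm != realm.upper():
        problems.append("realm is not upper case; Kerberos realm names are case-sensitive")
    offset = abs(int(info.get("Server time offset", "0")))
    if offset >= MAX_CLOCK_SKEW:
        problems.append(f"clock offset {offset}s exceeds Kerberos tolerance of {MAX_CLOCK_SKEW}s")
    elif offset >= MAX_CLOCK_SKEW * warn_fraction:
        problems.append(f"clock offset {offset}s is under {MAX_CLOCK_SKEW}s but large; sync NTP to the DC")
    return problems


if __name__ == "__main__":
    for problem in check_net_ads_info(NET_ADS_INFO, "PLATFORM.COM"):
        print("WARNING:", problem)
```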

  61. on 20 Oct 2011 at 3:17 am 61. Prachi said …

    Hi,

    I have set up Samba as you mentioned. However, I am getting an error while adding the host to the domain using the net join command.

    error:
    Failed to join domain: The network name cannot be found

    The Linux host is able to ping/nslookup the domain controller by IP/name.
    Please suggest what the reason could be.

    thanks,
    Prachi

  62. on 31 Oct 2011 at 2:29 am 62. Alex Ruwinskij said …

    Hi,

    I am running a Samba 3.5.8 server on Solaris (non-global zone) and trying to join an MS 2003 AD server.
    Indeed it's possible to create the appropriate computer account in AD, but further authentication fails:

    net ads join -d 7 -S hlsif000 -U ******

    [2011/10/31 09:02:46.239017, 3] libads/sasl.c:791()
    ads_sasl_spnego_bind: got server principal name = server$@sub.domain.DE
    [2011/10/31 09:02:46.436305, 0] libads/sasl.c:821()
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
    [2011/10/31 09:02:46.436725, 1] libnet/libnet_join.c:1978()
    libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
    account_name : NULL
    netbios_domain_name : 'HLB'
    dns_domain_name : 'sub.domain.de'
    forest_name : 'sub.domain.de'
    dn : NULL
    domain_sid : *
    domain_sid : S-1-5-21-1691891752-616008026-1446451325
    modified_config : 0x00 (0)
    error_string : 'failed to connect to AD: NT_STATUS_NOT_SUPPORTED'
    domain_is_ad : 0x01 (1)
    result : WERR_GENERAL_FAILURE
    Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
    [2011/10/31 09:02:46.437083, 2] utils/net.c:916()
    return code = -1
    root@int-app1

    Perhaps I should say that my winbind service produces the following error all the time:
    [2011/10/31 09:19:55.543982, 1] winbindd/winbindd_util.c:289()
    Could not receive trustdoms

    The configured parameter on the AD side for network security is: Send NTLMv2 response only/refuse LM.

    Many thanks in advance
    Alex
