Comments on: SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO

By: ilayaraja

ilayaraja — Tue, 01 Jun 2010 12:30:55 +0000

Thanks for your article. i successfully configured joined samba with my windows 2003 ADS.

By: slarti

slarti — Sun, 14 Feb 2010 03:53:25 +0000

Hi Brent,

I found your site by trying to solve my problem for the last 4 days. Maybe you can help.

I have Fedora 11 trying to join MS 2003 R2 AD server. I followed all the steps you outlined and then I did some more experimenting, but I am consistently getting the same error :

net ads join -U administrator
Enter administrator’s password:
[2010/02/14 04:33:01, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

the net ads info works :

net ads info
LDAP server: 192.168.1.5
LDAP server name: bluead.blueteam.local
Realm: BLUETEAM.LOCAL
Bind Path: dc=BLUETEAM,dc=LOCAL
LDAP port: 389
Server time: Sun, 14 Feb 2010 04:51:54 CET
KDC server: 192.168.1.5
Server time offset: 0

I can’t joint the domain. Is there anything I am missing ?
Do you need more info from me ?
Please help.

Thanks,
Mirek

By: Andres PH

Andres PH — Sat, 07 Nov 2009 01:26:11 +0000

Thanks for your article, I am not so experienced with linux but I got.
I am using Linux Centos 3.9 with Win2k3R2 servers and is working fine.
I saw that some people did not get and this is why I want to colaborate considering that I also didnt get the first time.
1.in /etc/samba/smb.conf all lines to “add:” have to be in the [Global] section
2.before joining to the domain with #net ads join…, you have to sincronize the linux server time with de AD server using the command:
#ntpupdate
or using the GUI in SystemSetting/DateTime (enable network time protocol an declaring your AD server)
3.you have to put the smb and winbind services to start automatically, do this using the GUI in Services
4. in my case I will use the linux as a printer server and just share the /home partition with full access for AD Domain Users
5.when setting ACL for the partition you want to create user folders is better to explicity declare starting with /dev/… as in my case:
/dev/hda5 /home ext3 default,acl 1 2
because it was (and leave commented):
LABEL=/home /home etx3 default 1 2
6.I give the access to /home to all domain users
#setfacl -m g:”MYDOMAIN\Domain Users”:rwx /home
7.I confirmed the assignment with
#getfacl /home
and appears this line:
group:Domain Users: rwx
8.now every user that is in the domain can connect to the linux server with full access to the /home partition without asking user/password
9.only in the PCs that are not in the domain, ie in workgroup I have to log with user@mydomain.com and password usisng the credential with some account from AD
10.I also can see the printers shared on the linux server but I still can connect to it, if someone can help me i will apreciate otherwise I will search how to do by myself
thanks.

By: oes tsetnoc

oes tsetnoc — Mon, 28 Sep 2009 08:02:23 +0000

Hi, Just like to tell you that this piece of info is one quick to the point, no nonsense, workable and effective way to have directories shared in Ubuntu as fast as possible. It worked for me and thank you for the effort. Keep up the good work.

By: Lawrence Okpoho

Lawrence Okpoho — Tue, 07 Jul 2009 10:42:24 +0000

i got this error when i type net ads join -U username@DOMAIN
ads_connect: Transport endpoint is not connected

By: Santosh Sonavale

Santosh Sonavale — Mon, 13 Apr 2009 11:02:02 +0000

Dear Sir,

I joined windows 2003 domain with my linux machine. Actually I want to make my linux machine (OS RHEL5) as a File Server for all domain users. I want to take a backup of all windows domain client machines to my linux machine. So I want to create a directory for each user with user can store data upto 5GB. I don’t want to create smbusers as per the domain list & smbpasswd as per domain. Linux machine should authenticate with windows domain controller so domain user can easily access a directory which is assigned to the user on a linux machine.

Waiting for ur reply…..asap.

Regards,

Santosh Sonavale.

By: ndbinh

ndbinh — Wed, 08 Apr 2009 06:11:56 +0000

Dear Brent.
I was try to join Samba server to AD 2003 but I can’t, I have some problem, the info error :

[root@TESTER ~]# net ads join -U Administrator@DIGI-TEXX.LOCAL
Administrator@DIGI-TEXX.LOCAL‘s password:
Using short domain name — DIGI-TEXX
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for ‘TESTER’ in realm ‘DIGI-TEXX.LOCAL’
Failed to join domain: Type or value exists

Can you tell me how to fix the error.

Thanks & best regards.

By: Geoff White

Geoff White — Thu, 12 Mar 2009 22:47:38 +0000

After getting this working a couple of times, I have found that it usually needs a reboot of both the DC and the Linux box to get it working properly.

Normally you can join the domain, but there are problems getting windbind to fetch users and groups.

By: Tank Abbot

Tank Abbot — Wed, 04 Mar 2009 21:16:51 +0000

Does anyone know if this same procedure will work using a Windows 2008 AD Domain? I use RHEL 5.3 and Fedora 10. Thanks! Great site!!

By: CentOS5 (RHEL5) + 9TB Drive + AD + Win/OSX clients + BackupEXEC - Blog - Networks | Email | Mobile | Websites | Online Marketing - Vancouver, Canada - Chatswood Computer Consultants Ltd.

Mon, 02 Feb 2009 16:14:31 +0000

[...] Samba http://www.brentnorris.net/blog/?p=179 [...]