Comments on: SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO http://www.brentnorris.net/blog/archives/179 The random ramblings of diablo Tue, 29 Nov 2011 20:15:48 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Alex Ruwinskij http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75842 Alex Ruwinskij Mon, 31 Oct 2011 08:29:21 +0000 http://www.brentnorris.net/blog/?p=179#comment-75842 Hi, I am running a SAMBA 3.5.8 Server on Solaris (non global zone) and trying to join MS2003 AD Server. Indeed it´s possible to create the appropriate computer account in AD, but further authtication fails: net ads join -d 7 -S hlsif000 -U ****** [2011/10/31 09:02:46.239017, 3] libads/sasl.c:791() ads_sasl_spnego_bind: got server principal name = server$@sub.domain.DE [2011/10/31 09:02:46.436305, 0] libads/sasl.c:821() kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED [2011/10/31 09:02:46.436725, 1] libnet/libnet_join.c:1978() libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx account_name : NULL netbios_domain_name : 'HLB' dns_domain_name : 'sub.domain.de' forest_name : 'sub.domain.de' dn : NULL domain_sid : * domain_sid : S-1-5-21-1691891752-616008026-1446451325 modified_config : 0x00 (0) error_string : 'failed to connect to AD: NT_STATUS_NOT_SUPPORTED' domain_is_ad : 0x01 (1) result : WERR_GENERAL_FAILURE Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED [2011/10/31 09:02:46.437083, 2] utils/net.c:916() return code = -1 root@int-app1 Perhaps I should say, that my winbind service produces following error all the time: [2011/10/31 09:19:55.543982, 1] winbindd/winbindd_util.c:289() Could not receive trustdoms The configured parameter on AD-site for network security is: Send NTLMv2 response only/refuse LM. Many thanks in advance Alex Hi,

I am running a SAMBA 3.5.8 Server on Solaris (non global zone) and trying to join MS2003 AD Server.
Indeed it´s possible to create the appropriate computer account in AD, but further authtication fails:

net ads join -d 7 -S hlsif000 -U ******

[2011/10/31 09:02:46.239017, 3] libads/sasl.c:791()
ads_sasl_spnego_bind: got server principal name = server$@sub.domain.DE
[2011/10/31 09:02:46.436305, 0] libads/sasl.c:821()
kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
[2011/10/31 09:02:46.436725, 1] libnet/libnet_join.c:1978()
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : ‘HLB’
dns_domain_name : ‘sub.domain.de’
forest_name : ‘sub.domain.de’
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-1691891752-616008026-1446451325
modified_config : 0×00 (0)
error_string : ‘failed to connect to AD: NT_STATUS_NOT_SUPPORTED’
domain_is_ad : 0×01 (1)
result : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
[2011/10/31 09:02:46.437083, 2] utils/net.c:916()
return code = -1
root@int-app1

Perhaps I should say, that my winbind service produces following error all the time:
[2011/10/31 09:19:55.543982, 1] winbindd/winbindd_util.c:289()
Could not receive trustdoms

The configured parameter on AD-site for network security is: Send NTLMv2 response only/refuse LM.

Many thanks in advance
Alex

]]> By: Prachi http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75827 Prachi Thu, 20 Oct 2011 09:17:28 +0000 http://www.brentnorris.net/blog/?p=179#comment-75827 Hi, I have setup sambe as you mentioned. However I am getting error while adding the host to domain using net join command. error: Failed to join domain: The network name cannot be found The linux host is able to ping/nslooup to domain controller with IP/name. Please suggest what could be the reason. thanks, Prachi Hi,

I have setup sambe as you mentioned. However I am getting error while adding the host to domain using net join command.

error:
Failed to join domain: The network name cannot be found

The linux host is able to ping/nslooup to domain controller with IP/name.
Please suggest what could be the reason.

thanks,
Prachi

]]> By: brahma http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75800 brahma Fri, 22 Jul 2011 07:07:28 +0000 http://www.brentnorris.net/blog/?p=179#comment-75800 My access log returns following message failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.] [2011/07/21 18:30:26, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603) NTLMSSP BH: NT_STATUS_ACCESS_DENIED MY KDC server info LDAP server: 171.18.0.45 LDAP server name: bnsr259.platform.com Realm: PLATFORM.COM Bind Path: dc=PLATFORM,dc=COM LDAP port: 389 Server time: Wed, 20 Jul 2011 20:34:57 IST KDC server: 171.18.0.45 Server time offset: 180 My access log returns following message

failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
[2011/07/21 18:30:26, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED

MY KDC server info

LDAP server: 171.18.0.45
LDAP server name: bnsr259.platform.com
Realm: PLATFORM.COM
Bind Path: dc=PLATFORM,dc=COM
LDAP port: 389
Server time: Wed, 20 Jul 2011 20:34:57 IST
KDC server: 171.18.0.45
Server time offset: 180

]]> By: brahma http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75799 brahma Fri, 22 Jul 2011 06:50:06 +0000 http://www.brentnorris.net/blog/?p=179#comment-75799 Hi, i setup samba as you mentioned, added domain to samba,while testing with net rpc shows JOINED OK but testing with net ads it shows following error and also iam not added ACL, please help me. [ samba]# net ads join -U Administrator%welcome*123 [2011/07/21 18:30:26, 0] libads/sasl.c:ads_sasl_spnego_bind(330) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials Failed to join domain: Invalid credentials [ samba]# net rpc join -U Administrator%welcome*123 Joined domain PLATFORM. Hi,
i setup samba as you mentioned, added domain to samba,while testing with net rpc shows JOINED OK but testing with net ads it shows following error and also iam not added ACL, please help me.

[ samba]# net ads join -U Administrator%welcome*123
[2011/07/21 18:30:26, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: Invalid credentials
[ samba]# net rpc join -U Administrator%welcome*123
Joined domain PLATFORM.

]]> By: Cloud81918 http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75785 Cloud81918 Tue, 17 May 2011 21:59:08 +0000 http://www.brentnorris.net/blog/?p=179#comment-75785 I just want to drop a thanks, I've been following another how-to and ended up with everything the way they wanted, but it wasn't working. With your walk through I had it up in minutes. Thanks again for taking the time to put this up. -Jerred I just want to drop a thanks, I’ve been following another how-to and ended up with everything the way they wanted, but it wasn’t working. With your walk through I had it up in minutes. Thanks again for taking the time to put this up.

-Jerred

]]> By: ilayaraja http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75619 ilayaraja Tue, 01 Jun 2010 12:30:55 +0000 http://www.brentnorris.net/blog/?p=179#comment-75619 Thanks for your article. i successfully configured joined samba with my windows 2003 ADS. Thanks for your article. i successfully configured joined samba with my windows 2003 ADS.

]]> By: slarti http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75537 slarti Sun, 14 Feb 2010 03:53:25 +0000 http://www.brentnorris.net/blog/?p=179#comment-75537 Hi Brent, I found your site by trying to solve my problem for the last 4 days. Maybe you can help. I have Fedora 11 trying to join MS 2003 R2 AD server. I followed all the steps you outlined and then I did some more experimenting, but I am consistently getting the same error : net ads join -U administrator Enter administrator's password: [2010/02/14 04:33:01, 0] libads/sasl.c:819(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials Failed to join domain: failed to connect to AD: Invalid credentials the net ads info works : net ads info LDAP server: 192.168.1.5 LDAP server name: bluead.blueteam.local Realm: BLUETEAM.LOCAL Bind Path: dc=BLUETEAM,dc=LOCAL LDAP port: 389 Server time: Sun, 14 Feb 2010 04:51:54 CET KDC server: 192.168.1.5 Server time offset: 0 I can't joint the domain. Is there anything I am missing ? Do you need more info from me ? Please help. Thanks, Mirek Hi Brent,

I found your site by trying to solve my problem for the last 4 days. Maybe you can help.

I have Fedora 11 trying to join MS 2003 R2 AD server. I followed all the steps you outlined and then I did some more experimenting, but I am consistently getting the same error :

net ads join -U administrator
Enter administrator’s password:
[2010/02/14 04:33:01, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

the net ads info works :

net ads info
LDAP server: 192.168.1.5
LDAP server name: bluead.blueteam.local
Realm: BLUETEAM.LOCAL
Bind Path: dc=BLUETEAM,dc=LOCAL
LDAP port: 389
Server time: Sun, 14 Feb 2010 04:51:54 CET
KDC server: 192.168.1.5
Server time offset: 0

I can’t joint the domain. Is there anything I am missing ?
Do you need more info from me ?
Please help.

Thanks,
Mirek

]]> By: Andres PH http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75503 Andres PH Sat, 07 Nov 2009 01:26:11 +0000 http://www.brentnorris.net/blog/?p=179#comment-75503 Thanks for your article, I am not so experienced with linux but I got. I am using Linux Centos 3.9 with Win2k3R2 servers and is working fine. I saw that some people did not get and this is why I want to colaborate considering that I also didnt get the first time. 1.in /etc/samba/smb.conf all lines to "add:" have to be in the [Global] section 2.before joining to the domain with #net ads join..., you have to sincronize the linux server time with de AD server using the command: #ntpupdate or using the GUI in SystemSetting/DateTime (enable network time protocol an declaring your AD server) 3.you have to put the smb and winbind services to start automatically, do this using the GUI in Services 4. in my case I will use the linux as a printer server and just share the /home partition with full access for AD Domain Users 5.when setting ACL for the partition you want to create user folders is better to explicity declare starting with /dev/... as in my case: /dev/hda5 /home ext3 default,acl 1 2 because it was (and leave commented): LABEL=/home /home etx3 default 1 2 6.I give the access to /home to all domain users #setfacl -m g:"MYDOMAIN\Domain Users":rwx /home 7.I confirmed the assignment with #getfacl /home and appears this line: group:Domain Users: rwx 8.now every user that is in the domain can connect to the linux server with full access to the /home partition without asking user/password 9.only in the PCs that are not in the domain, ie in workgroup I have to log with user@mydomain.com and password usisng the credential with some account from AD 10.I also can see the printers shared on the linux server but I still can connect to it, if someone can help me i will apreciate otherwise I will search how to do by myself thanks. Thanks for your article, I am not so experienced with linux but I got.
I am using Linux Centos 3.9 with Win2k3R2 servers and is working fine.
I saw that some people did not get and this is why I want to colaborate considering that I also didnt get the first time.
1.in /etc/samba/smb.conf all lines to “add:” have to be in the [Global] section
2.before joining to the domain with #net ads join…, you have to sincronize the linux server time with de AD server using the command:
#ntpupdate
or using the GUI in SystemSetting/DateTime (enable network time protocol an declaring your AD server)
3.you have to put the smb and winbind services to start automatically, do this using the GUI in Services
4. in my case I will use the linux as a printer server and just share the /home partition with full access for AD Domain Users
5.when setting ACL for the partition you want to create user folders is better to explicity declare starting with /dev/… as in my case:
/dev/hda5 /home ext3 default,acl 1 2
because it was (and leave commented):
LABEL=/home /home etx3 default 1 2
6.I give the access to /home to all domain users
#setfacl -m g:”MYDOMAIN\Domain Users”:rwx /home
7.I confirmed the assignment with
#getfacl /home
and appears this line:
group:Domain Users: rwx
8.now every user that is in the domain can connect to the linux server with full access to the /home partition without asking user/password
9.only in the PCs that are not in the domain, ie in workgroup I have to log with user@mydomain.com and password usisng the credential with some account from AD
10.I also can see the printers shared on the linux server but I still can connect to it, if someone can help me i will apreciate otherwise I will search how to do by myself
thanks.

]]> By: oes tsetnoc http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75490 oes tsetnoc Mon, 28 Sep 2009 08:02:23 +0000 http://www.brentnorris.net/blog/?p=179#comment-75490 Hi, Just like to tell you that this piece of info is one quick to the point, no nonsense, workable and effective way to have directories shared in Ubuntu as fast as possible. It worked for me and thank you for the effort. Keep up the good work. Hi, Just like to tell you that this piece of info is one quick to the point, no nonsense, workable and effective way to have directories shared in Ubuntu as fast as possible. It worked for me and thank you for the effort. Keep up the good work.

]]> By: Lawrence Okpoho http://www.brentnorris.net/blog/archives/179/comment-page-2#comment-75450 Lawrence Okpoho Tue, 07 Jul 2009 10:42:24 +0000 http://www.brentnorris.net/blog/?p=179#comment-75450 i got this error when i type net ads join -U username@DOMAIN ads_connect: Transport endpoint is not connected i got this error when i type net ads join -U username@DOMAIN
ads_connect: Transport endpoint is not connected

]]>