URN Logo
UNIX Resources » Linux » Linux Forum » Samba Help » Page.159 » [Samba] Samba 3.0.10 joining Windows 20003 ADS
announcement The content of this page is collected from Linux Forum, All copyrights and other associated rights are reserved by the original authors of the articles.
Resources
China Linux Forum(finished)
Linux Forum(finished)
FreeBSD China(finished)
linuxforum.com
  LinuxForum General Chat
  Linux Advocacy
  LinuxForum Polls
  Introductions
  Linux Kernel Support
  Patch Management
  Development Release
  Linux Programming
  Linux Security
  Linux Software
  Linux Hardware Problems
    Linux Video Problems
    Linux Sound Problems
  Linux Networking Support
  Linux Printing Support
  Linux Human Interface Devices Support
  Linux Data Storage Support
  Linux Applications Support
  Linux Installation Support
  Linux Laptops Support
  Linux Motherboard, Chipsets, CPU, Memory
  Miscellaneous
  Debian Linux Support
  Ubuntu Linux Support
  LiveCD Discussions
  Gentoo Linux Support
  Mandrake Linux Support
  Redhat / Fedora Linux Support
  Slackware Linux Support
  SuSE Linux Support
  CentOS Linux Support
  Linux Web Servers
  Linux DNS Servers
  Linux Database Servers
  Linux Email Servers
  Linux FTP Servers
  Linux Squid Proxy Server
  Linux Samba Help
  Linux cPanel Help
  Linux Ensim Help
  Linux Plesk Help
  Linux Webmin / Usermin Help
  Qmail Toaster Help
  Linux Games
  Windows Game Emulation
  Linux Discussions
  General Linux Discussions
  Red Hat Linux Discussions
  More Red Hat Linux Discussions
  Mandrake Linux Discussions
  Slackware Linux Discussions
  SuSE Linux Discussions
  Debian Discussions
  Samba Help
  Linux Security
  Linux Networking
  Gentoo Help
  Operating System Rant Forum
  Hardware Rants
   
[Samba] Samba 3.0.10 joining Windows 20003 ADS
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Andrew Zbikowski    Posted: 2004-12-28 20:20:08    Length: 2,351 byte(s)
[Original] [Print] [Top]
abrams:~# kinit admin@CORP.TCC.INET
This seems to work just fine.

abrams:~# net ads join "TwinCitiesTTAGSSERVERS"
[2004/12/28 18:52:20, 0] libads/ldap.c:ads_add_machine_acct(1475)
  Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- CORP
[2004/12/28 18:52:23, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Client not found in
Kerberos database
Segmentation fault

That doesn't work. I look in Active Directory Users & Comptuers and
there is a new computer account in the correct location however.

Looking at that output, it seems to be trying to create a client named
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET. That doesn't seem right, it
should be just TTLNX01$@CORP.TCC.INET right? What would be causing
that extra @CORP.TCC.INET to be added?  Or is it supposed to be that
way?

I have no /etc/krb5.conf, as according to the Official Samba HOWTO it
is not required.
"With both MIT and Heimdal Kerberos, it is unnecessary to configure
the /etc/krb5.conf, and it may be detrimental."

As kinit works, it definitly doesn't seem like I need an /etc/krb5.conf.

Not sure if this list allows attachments, so my smb.conf is at
http://www.ringworld.org/~zibby/stuff/linux/smb.txt

The host system is Debian Testing (Sarge) running 2.4.27 on an Alpha
processor, using the packages for sarge.

If anyone knows how to resolve this, please please please let me know.
If you need/want more details, just ask.

--
Andrew S. Zbikowski | http://andy.zibnet.us
 A password is like your underwear; Change it
 frequently, don't share it with others, and
     don't ask to borrow someone else's.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Thomas M. Skeren III    Posted: 2004-12-28 20:40:09    Length: 4,603 byte(s)
[Original] [Print] [Top]
Andrew Zbikowski wrote:
Since smb.conf is a link..let me try.

I've experienced some strange things as well, the question is, can ADS
users get a share properly?  I had similar probs, but the share works.  
What does net ads testjoin show?

Also in smb.conf you have a passdb backend.  DON'T.

Here's what I use, albeit it is a W2K AD:  (I know some settings are
default that way, but I have been adjusting them)

workgroup = (NETBIOS NAME OF AD DOMAIN)
        realm = YOURDOMAIN.COM
        server string = (Info about server)
        netbios name = (NAME YOU WANT TO GIVE YOUR SERVER)  
        security = ADS
        client schannel = Auto
        server schannel = Auto
        client signing = Auto
        server signing = Auto
        client use spnego = No
        socket options = TCP_NODELAY
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = _
        winbind enum users = No
        winbind enum groups = No
        winbind use default domain = No
        admin users = (AD Administrator that samba will tell Unix to
treat as root...be carefull here...but it's needed. Multiple users are
comma separated.                                      The user is added
like this {assuming you used the winbindd seprarator I suggested}  
DOMAIN_user1, DOMAIN_user2)
        algorithmic rid base = 10000
        dos filetimes = Yes
        dos filemode = Yes
        acl compatibility = win2k
        inherit acls = yes
        inherit permissions = ye


QUOTE
abrams:~# kinit admin@CORP.TCC.INET
This seems to work just fine.

abrams:~# net ads join "TwinCitiesTTAGSSERVERS"
[2004/12/28 18:52:20, 0] libads/ldap.c:ads_add_machine_acct(1475)
Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- CORP
[2004/12/28 18:52:23, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Client not found in
Kerberos database
Segmentation fault

That doesn't work. I look in Active Directory Users & Comptuers and
there is a new computer account in the correct location however.

Looking at that output, it seems to be trying to create a client named
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET. That doesn't seem right, it
should be just TTLNX01$@CORP.TCC.INET right? What would be causing
that extra @CORP.TCC.INET to be added?  Or is it supposed to be that
way?

I have no /etc/krb5.conf, as according to the Official Samba HOWTO it
is not required.
"With both MIT and Heimdal Kerberos, it is unnecessary to configure
the /etc/krb5.conf, and it may be detrimental."

As kinit works, it definitly doesn't seem like I need an /etc/krb5.conf.

Not sure if this list allows attachments, so my smb.conf is at
http://www.ringworld.org/~zibby/stuff/linux/smb.txt

The host system is Debian Testing (Sarge) running 2.4.27 on an Alpha
processor, using the packages for sarge.

If anyone knows how to resolve this, please please please let me know.
If you need/want more details, just ask.




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Andrew Zbikowski    Posted: 2004-12-28 21:10:07    Length: 1,119 byte(s)
[Original] [Print] [Top]
Commented out passdb backend

abrams:/etc/samba# net ads testjoin
Join is OK


abrams:/etc/samba# net ads join
[2004/12/28 20:00:31, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for ttlnx01 already exists -
modifying old account
Using short domain name -- CORP
[2004/12/28 20:00:34, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Preauthentication failed
Segmentation fault

--
Andrew S. Zbikowski | http://andy.zibnet.us
 A password is like your underwear; Change it
 frequently, don't share it with others, and
     don't ask to borrow someone else's.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Thomas M. Skeren III    Posted: 2004-12-28 21:20:08    Length: 1,435 byte(s)
[Original] [Print] [Top]
Andrew Zbikowski wrote:

QUOTE
Commented out passdb backend

abrams:/etc/samba# net ads testjoin
Join is OK


abrams:/etc/samba# net ads join
[2004/12/28 20:00:31, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for ttlnx01 already exists -
modifying old account
Using short domain name -- CORP
[2004/12/28 20:00:34, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Preauthentication failed
Segmentation fault



Yep I get the same damned thing.  Check to see if user authentication to

the share works.  If so it will work.  I'm not sure about that error
during the re-join.  I  have  150 computers to manage by myself, so if
it works I ain't worrying about it.  As long as the testjoin works, then
users should authenticate.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Pau Capdevila    Posted: 2004-12-30 08:20:31    Length: 2,164 byte(s)
[Original] [Print] [Top]
Authentication does work but it does not permission resolution (we use
winbind). Neither smbclient -U domain user.

I don't know the solution yet.

We also use Debian but I'm afraid it is not Debian related because
I've tried to compile Samba and MIT kerberos from source and it keeps
failing.

What can we do??

Thanks



On Tue, 28 Dec 2004 18:12:40 -0800, Thomas M. Skeren III
[tms3@fskklaw.com] wrote:
QUOTE
Andrew Zbikowski wrote:

Commented out passdb backend

abrams:/etc/samba# net ads testjoin
Join is OK


abrams:/etc/samba# net ads join
[2004/12/28 20:00:31, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for ttlnx01 already exists -
modifying old account
Using short domain name -- CORP
[2004/12/28 20:00:34, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Preauthentication failed
Segmentation fault



Yep I get the same damned thing.  Check to see if user authentication to
the share works.  If so it will work.  I'm not sure about that error
during the re-join.  I  have  150 computers to manage by myself, so if
it works I ain't worrying about it.  As long as the testjoin works, then
users should authenticate.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

--

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author:    Posted: 2004-12-30 08:30:13    Length: 2,322 byte(s)
[Original] [Print] [Top]
On 30 Dec, Pau Capdevila wrote:

QUOTE
Authentication does work but it does not permission resolution (we use
winbind). Neither smbclient -U domain user.

I don't know the solution yet.

We also use Debian but I'm afraid it is not Debian related because
I've tried to compile Samba and MIT kerberos from source and it keeps
failing.

abrams:/etc/samba# net ads join
[2004/12/28 20:00:31, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for ttlnx01 already exists -
modifying old account
Using short domain name -- CORP
[2004/12/28 20:00:34, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Preauthentication failed
Segmentation fault

I don't know if it might also work in your case. After defining an
uppercased netbios name on smb.conf, the segfault warnings stopped.

                  Javier Palacios
                  


============================================================================
This e-mail message and any attached files are intended SOLELY for the addressee/s identified herein. It may contain CONFIDENTIAL and/or LEGALLY PRIVILEGED  information and may not necessarily represent the opinion of this company. If you receive this message in ERROR, please immediately notify the sender and DELETE it since you ARE NOT AUTHORIZED  to use, disclose, distribute, print or copy all or part of the contained information. Thank you.  
============================================================================
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Thomas M. Skeren III    Posted: 2004-12-30 08:50:08    Length: 2,932 byte(s)
[Original] [Print] [Top]
Pau Capdevila wrote:

QUOTE
Authentication does work but it does not permission resolution

Huh?  Do you mean that there's file access permission issues?  If so

have you set up acl's?  Remeber posix permissions are User, Group,
Other.  All clients authenticating via W2K3 are Other.

QUOTE
(we use
winbind). Neither smbclient -U domain user.


I don't use smbclient.


QUOTE
I don't know the solution yet.

We also use Debian but I'm afraid it is not Debian related because
I've tried to compile Samba and MIT kerberos from source and it keeps
failing.

What can we do??

Thanks



On Tue, 28 Dec 2004 18:12:40 -0800, Thomas M. Skeren III
tms3@fskklaw.com] wrote:


Andrew Zbikowski wrote:



Commented out passdb backend

abrams:/etc/samba# net ads testjoin
Join is OK


abrams:/etc/samba# net ads join
[2004/12/28 20:00:31, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for ttlnx01 already exists -
modifying old account
Using short domain name -- CORP
[2004/12/28 20:00:34, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Preauthentication failed
Segmentation fault





Yep I get the same damned thing.  Check to see if user authentication to
the share works.  If so it will work.  I'm not sure about that error
during the re-join.  I  have  150 computers to manage by myself, so if
it works I ain't worrying about it.  As long as the testjoin works, then
users should authenticate.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba







--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Pau Capdevila    Posted: 2004-12-31 09:20:08    Length: 2,649 byte(s)
[Original] [Print] [Top]
I'm afraid it is no the issue (that about ACLs).
Winbind resolves local permission with Windows IDs. That not works in
local files with a winbind user.

The smbclient thing is a proof that something goes wrong.

Thank you anyway.


On Thu, 30 Dec 2004 05:40:22 -0800, Thomas M. Skeren III
[tms3@fskklaw.com] wrote:
QUOTE
Pau Capdevila wrote:

Authentication does work but it does not permission resolution Huh?  Do you
mean that there's file access permission issues?  If so have you set up
acl's?  Remeber posix permissions are User, Group, Other.  All clients
authenticating via W2K3 are Other.

(we use winbind). Neither smbclient -U domain user. I don't use smbclient.


I don't know the solution yet. We also use Debian but I'm afraid it is not
Debian related because I've tried to compile Samba and MIT kerberos from
source and it keeps failing. What can we do?? Thanks On Tue, 28 Dec 2004
18:12:40 -0800, Thomas M. Skeren III [tms3@fskklaw.com] wrote:
Andrew Zbikowski wrote:
Commented out passdb backend abrams:/etc/samba# net ads testjoin Join is OK
abrams:/etc/samba# net ads join [2004/12/28 20:00:31, 0]
libads/ldap.c:ads_add_machine_acct(1368) ads_add_machine_acct: Host account
for ttlnx01 already exists - modifying old account Using short domain name
-- CORP [2004/12/28 20:00:34, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Preauthentication failed
Segmentation fault Yep I get the same damned thing. Check to see if user
authentication to the share works. If so it will work. I'm not sure about
that error during the re-join. I have 150 computers to manage by myself, so
if it works I ain't worrying about it. As long as the testjoin works, then
users should authenticate. -- To unsubscribe from this list go to the
following URL and read the instructions:
https://lists.samba.org/mailman/listinfo/samba

--

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Pau Capdevila    Posted: 2004-12-31 09:30:11    Length: 2,339 byte(s)
[Original] [Print] [Top]
The netbios name is defined as:

l%h

so I don't think it is a problem, but I'll try.

thx


On Thu, 30 Dec 2004 14:28:18 +0100 (CET), jpbermejo@prisacom.com
[jpbermejo@prisacom.com] wrote:
QUOTE
On 30 Dec, Pau Capdevila wrote:

Authentication does work but it does not permission resolution (we use
winbind). Neither smbclient -U domain user.

I don't know the solution yet.

We also use Debian but I'm afraid it is not Debian related because
I've tried to compile Samba and MIT kerberos from source and it keeps
failing.

abrams:/etc/samba# net ads join
[2004/12/28 20:00:31, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for ttlnx01 already exists -
modifying old account
Using short domain name -- CORP
[2004/12/28 20:00:34, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password
TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Preauthentication failed
Segmentation fault

I don't know if it might also work in your case. After defining an
uppercased netbios name on smb.conf, the segfault warnings stopped.

Javier Palacios

============================================================================
This e-mail message and any attached files are intended SOLELY for the addressee/s identified herein. It may contain CONFIDENTIAL and/or LEGALLY PRIVILEGED  information and may not necessarily represent the opinion of this company. If you receive this message in ERROR, please immediately notify the sender and DELETE it since you ARE NOT AUTHORIZED  to use, disclose, distribute, print or copy all or part of the contained information. Thank you.
============================================================================

--

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Andrew Zbikowski    Posted: 2005-01-03 11:00:14    Length: 963 byte(s)
[Original] [Print] [Top]
QUOTE
I don't know if it might also work in your case. After defining an
uppercased netbios name on smb.conf, the segfault warnings stopped.

netbios name = TTLNX01

Mine was already uppercased, so that's not it.

--
Andrew S. Zbikowski | http://andy.zibnet.us
 A password is like your underwear; Change it
 frequently, don't share it with others, and
     don't ask to borrow someone else's.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Mark Dixon    Posted: 2005-01-19 11:01:22    Length: 1,587 byte(s)
[Original] [Print] [Top]
On Mon, 3 Jan 2005, Andrew Zbikowski wrote:

QUOTE
I don't know if it might also work in your case. After defining an
uppercased netbios name on smb.conf, the segfault warnings stopped.

netbios name = TTLNX01

Mine was already uppercased, so that's not it.



I've seen similar error messages when I'm trying to join a domain but I
already have a domain machine account in my Samba system's secrets.tdb
file.

On my system, this file is in /usr/local/samba/private/, but I suspect it
will be somewhere else on yours. As a suggestion: try stopping samba,
looking for this file, rename it out of the way and try again.

Hope this helps,

Mark
--
------------------------------------------------------
Mark Dixon                Email    : m.dixon@ucl.ac.uk
Systems Integration       Tel (int): 34371
Information Systems       Tel (ext): 020 7679 4371
University College London, UK
------------------------------------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Andrew Zbikowski    Posted: 2005-01-24 10:50:08    Length: 733 byte(s)
[Original] [Print] [Top]
Though I'm still concerned about the error, it looks like everything
is actually working. Winbind is authing users no problem, domain users
can gain access, so all seems well.


--
Andrew S. Zbikowski | http://andy.zibnet.us
 A password is like your underwear; Change it
 frequently, don't share it with others, and
     don't ask to borrow someone else's.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
Subject: [Samba] Samba 3.0.10 joining Windows 20003 ADS
Author: Andrew Zbikowski    Posted: 2005-08-02 18:30:12    Length: 1,662 byte(s)
[Original] [Print] [Top]
How about some thread necromancy.

Here's the issue I was working to resolve back in December of '04.
http://lists.samba.org/archive/samba/2004-...ber/097804.html

Until today I never really resolved this problem to my satisfaction.
Samba worked with ADS, and that was fine. Today I was attempting to
perform the same setup on a new Linux server, and I was running into
the same error, and things were just not working.

Unlike last year however, I found a solution. Instead of relying on
Samba to pick it's domain controller or specifying my local domain
controller, I pointed Samba at the FSMO role master using the
"password server" directive in smb.conf. When I did so, net ads join
worked without error, and things came together, and things started to
function beautifully.

As our FSMO roles are on one server, I can't say for sure which FSMO
role Samba was looking for. Maybe it was after all five, maybe just
one.

--
Andrew S. Zbikowski | http://andy.zibnet.us
 A password is like your underwear; Change it
 frequently, don't share it with others, and
     don't ask to borrow someone else's.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Original] [Print] [Top]
« Previous thread
[Samba] Client-side filesystem tree corruption on WinXP
Samba Help
Page. 159
Next thread »
[Samba] ISA server can't validate users over samba trust
     

Copyright © 2007 UNIX Resources Network, All Rights Reserved.      About URN | Privacy & Legal | Help | Contact us
Powered by FreeBSD    webmaster: webmaster@unixresources.net
This page created on 2007-08-01 13:03:19, cost 0.066339015960693 ms.