05-07-2008
#1
Just Joined!
Join Date: May 2008
Posts: 12
Join Linux to Windows 2003 Active Directory Problem
I have to join Fedora 6 to a Windows 2003 Active Directory. I followed this tutorial: "http://www.planetmy.com/blog/how-to-join-fedora-core-6-samba-server-to-windows-2003-active-directory/"
Environment:
Windows 2003 SP2, IP 10.80.27.122
Fedora 6, IP 10.80.27.121, samba.i386 3.0.24-11.fc6
There are some problems that I can't solve. This is the error message:
Code:
[root@hotspot ~]# net join -U Administrator
Administrator's password:
Using short domain name -- TEST
[2008/05/07 14:16:29, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Unable to find a suitable server
[root@hotspot ~]#
All configuration files:
smb.conf
Code:
# Global parameters
[global]
workgroup = TEST
realm = TEST.SCI.UBU.AC.TH
preferred master = no
server string = Samba file and print server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
#netbios name = linux
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = All Printers
browseable = no
printable = yes
guest ok = yes
krb5.conf
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.SCI.UBU.AC.TH
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
TEST.SCI.UBU.AC.TH = {
kdc = winac.test.sci.ubu.ac.th
admin_server = winac.test.sci.ubu.ac.th
kdc = 10.80.27.122
}
[domain_realm]
test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
.test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Messages from /var/log/samba/log.wb-TEST:
Code:
[2008/05/07 14:22:07, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine winac.test.sci.ubu.ac.th pipe \NETLOGON fnum 0x800d bind request returned ok.
[2008/05/07 14:22:07, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine winac.test.sci.ubu.ac.th pipe \NETLOGON fnum 0x800e bind request returned ok.
Can anyone help me? Thanks.
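Before chasing an ADS join error, it is worth confirming that the two files the join depends on actually agree with each other: the realm in smb.conf must match krb5.conf's default_realm, have a [realms] entry (or DNS lookup enabled) and a [domain_realm] mapping, and security must be ADS. The following Python check is an added example, not part of the thread or of Samba; it embeds trimmed copies of the smb.conf and krb5.conf posted above as constructed input, and its small parser is an assumption that handles only INI-style sections plus krb5.conf's brace nesting. On the posted files it reports nothing, which is consistent with the thread: the failure here (NT_STATUS_ACCESS_DENIED on the schannel session key) is a server-side access problem, not a static mismatch between these files.

```python
import re

# Constructed copies of the smb.conf and krb5.conf posted in this thread,
# trimmed to the sections the check reads.
SMB_CONF = """
[global]
workgroup = TEST
realm = TEST.SCI.UBU.AC.TH
security = ADS
encrypt passwords = yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
[homes]
valid users = %S
"""

KRB5_CONF = """
[libdefaults]
default_realm = TEST.SCI.UBU.AC.TH
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
TEST.SCI.UBU.AC.TH = {
kdc = winac.test.sci.ubu.ac.th
admin_server = winac.test.sci.ubu.ac.th
kdc = 10.80.27.122
}
[domain_realm]
test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
.test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
"""


def parse_conf(text):
    """Parse INI-style text with optional krb5.conf '{ ... }' nesting (assumed
    minimal parser). Returns {section: {key: [value, ...]}}; a '{' block is a
    nested dict and repeated keys (e.g. two 'kdc' lines) are kept in order."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = root.setdefault(m.group(1).strip().lower(), {})
            stack = [section]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" not in line or not stack:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def last(section, key, default=""):
    """Last value of a repeated key, as Samba/Kerberos take the last one."""
    values = section.get(key, [])
    return values[-1] if values else default


def check_ads_join_config(smb_text, krb5_text):
    """Return a list of findings for static mismatches between smb.conf and
    krb5.conf that would stop 'net ads join' from locating the right KDC.
    An empty list means the two files agree."""
    smb, krb = parse_conf(smb_text), parse_conf(krb5_text)
    g = smb.get("global", {})
    findings = []
    realm = last(g, "realm")
    if last(g, "security").lower() != "ads":
        findings.append("smb.conf: 'security = ADS' is required for an AD join")
    if not realm:
        findings.append("smb.conf: 'realm' is unset")
        return findings
    if realm != realm.upper():
        findings.append(f"smb.conf: realm '{realm}' is not upper-case; "
                        "Kerberos realm names are case-sensitive")
    libdefaults = krb.get("libdefaults", {})
    default_realm = last(libdefaults, "default_realm")
    if default_realm.upper() != realm.upper():
        findings.append(f"krb5.conf: default_realm '{default_realm}' does not "
                        f"match smb.conf realm '{realm}'")
    blocks = krb.get("realms", {}).get(realm.lower(), [])
    block = blocks[-1] if blocks and isinstance(blocks[-1], dict) else {}
    if not block.get("kdc") and last(libdefaults, "dns_lookup_kdc").lower() != "true":
        findings.append(f"krb5.conf: no kdc listed for {realm} and dns_lookup_kdc is off")
    mapping = krb.get("domain_realm", {})
    dns_domain = realm.lower()
    mapped = last(mapping, dns_domain) or last(mapping, "." + dns_domain)
    if mapped.upper() != realm.upper():
        findings.append(f"krb5.conf: [domain_realm] does not map {dns_domain} to {realm}")
    return findings


if __name__ == "__main__":
    for f in check_ads_join_config(SMB_CONF, KRB5_CONF) or ["no static mismatches found"]:
        print(f)
```

Run it against the real files with `check_ads_join_config(open('/etc/samba/smb.conf').read(), open('/etc/krb5.conf').read())`; a lower-cased realm or a missing domain_realm mapping is the kind of error that shows up as a confusing Kerberos failure rather than a config error.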
05-07-2008
#2
Linux Engineer
Join Date: Oct 2004 Location: North Carolina
Posts: 994
After I got my Kerberos SMB login working on Linux, I found this software: Likewise – Making Linux and Windows work well together.
I spent some good time automating my approach and then found that already automated. Look at that, and if you would still rather do it manually, let me know and I will compare notes and see if I can find the problem.
05-08-2008
#3
Just Joined!
Join Date: May 2008
Posts: 12
Yes, I really want to configure it manually. Does anyone know the message "failed to get schannel session key from server" and how to fix it?
05-13-2008
#4
Linux User
Join Date: Aug 2006 Location: Portsmouth, UK
Posts: 465
I really struggled to get an old RHEL2.1 (which should be fairly similar to RH6) server to connect to an AD but did eventually get it to work:
The Linux Servers hostname must be added to the Windows Active Domain Controller before it can join the domain.
The host option pre-win2K needs to be selected when you create the host entry.
Then on the Linux server as root enter the following command:
Code:
#smbpasswd -j <Domain Name> -r <PDC / ADS>
Example:
Code:
#smbpasswd -j WORKGROUP -r myDomainController
Note: No Windows Admin Account information is needed.
HTH
__________________ RHCE #805007238628267
Please don't PM me with questions as no reply may offend, that's what the forums are for.
05-14-2008
#5
Just Joined!
Join Date: May 2008
Posts: 12
The above commands:
Code:
[root@hotspot samba]# smbpasswd -j TEST -r winac.test.sci.ubu.ac.th
See 'net join' for this functionality
Code:
[root@hotspot samba]# net ads join -U Administrator
Administrator's password:
Using short domain name -- TEST
[2008/05/14 10:42:20, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!
Another command:
Code:
[root@hotspot samba]# wbinfo -u
TEST.SCI.UBU.AC.TH\administrator
TEST.SCI.UBU.AC.TH\guest
TEST.SCI.UBU.AC.TH\iusr_winac
TEST.SCI.UBU.AC.TH\iwam_winac
TEST.SCI.UBU.AC.TH\krbtgt
TEST.SCI.UBU.AC.TH\tonkhaw
TEST.SCI.UBU.AC.TH\wearetherock
TEST.SCI.UBU.AC.TH\x_kapong
Code:
[root@hotspot samba]# wbinfo -g
BUILTIN\administrators
BUILTIN\users
TEST.SCI.UBU.AC.TH\domain admins
TEST.SCI.UBU.AC.TH\domain users
TEST.SCI.UBU.AC.TH\domain guests
TEST.SCI.UBU.AC.TH\domain computers
TEST.SCI.UBU.AC.TH\domain controllers
TEST.SCI.UBU.AC.TH\schema admins
TEST.SCI.UBU.AC.TH\enterprise admins
TEST.SCI.UBU.AC.TH\group policy creator owners
TEST.SCI.UBU.AC.TH\dnsupdateproxy
It seems I can list groups/usernames on the Active Directory server, but I can't authenticate a user via Kerberos.
Code:
[root@hotspot samba]# wbinfo -K wearetherock%/7d\'koxu3
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: FILE)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: FILE)
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: KCM)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: KCM)
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: KCM:0)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: KCM:0)
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: Garbage)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: Garbage)
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: (null))
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: (null))
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: 0)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: 0)
[root@hotspot samba]#
I can't log in using an account on the Active Directory server; see nsswitch.conf:
Code:
[root@hotspot ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
#beer not comment
passwd: winbind files
shadow: winbind files
group: winbind files
#passwd: compat winbind
#shadow: conpat winbind
#group: compat winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
[root@hotspot ~]#
05-14-2008
#6
Linux User
Join Date: Aug 2006 Location: Portsmouth, UK
Posts: 465
Oops, my bad, I thought you were using RH6 (which was around before Fedora came into existence), which is why I suggested using the smbpasswd command.
Not very familiar with Kerberos, so I can't help you there I'm afraid. Good luck with fixing the problem; post your solution when you find one!
__________________ RHCE #805007238628267
Please don't PM me with questions as no reply may offend, that's what the forums are for.
05-14-2008
#7
Linux Engineer
Join Date: Oct 2004 Location: North Carolina
Posts: 994
Quote:
Originally Posted by wearetherock
It seems I can list groups/usernames on the Active Directory server, but I can't authenticate a user via Kerberos.
Let's prove that. Try this to see if you even have a ticket cached:
Code:
kinit administrator_username
to get a Kerberos ticket, then run it again and report back your results.
05-15-2008
#8
Just Joined!
Join Date: May 2008
Posts: 12
Thank you, everybody. I have installed Ubuntu and followed this: https://help.ubuntu.com/community/Ac...ryWinbindHowto
I haven't had any problem on Ubuntu; all steps pass, except this command still errors:
Code:
[root@hotspot raddb]# net join -U Administrator
Administrator's password:
Using short domain name -- TEST
[2008/05/15 16:16:49, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Unable to find a suitable server
[root@hotspot raddb]#
But I don't care, because on the domain controller (Windows 2003) this machine has been added into the domain.
I can authenticate users via Kerberos. Then I used this same solution on Fedora; it's also a success.
@jledhead, proof of Kerberos:
Code:
[root@hotspot raddb]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SCI.UBU.AC.TH
Valid starting Expires Service principal
05/15/08 13:36:32 05/15/08 20:16:32 krbtgt/TEST.SCI.UBU.AC.TH@TEST.SCI.UBU.AC.TH
05/15/08 13:37:10 05/15/08 20:16:32 winac$@TEST.SCI.UBU.AC.TH
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Code:
[root@hotspot raddb]# kinit administrator
Password for administrator@TEST.SCI.UBU.AC.TH:
Code:
[root@hotspot raddb]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SCI.UBU.AC.TH
Valid starting Expires Service principal
05/15/08 15:47:59 05/15/08 22:27:59 krbtgt/TEST.SCI.UBU.AC.TH@TEST.SCI.UBU.AC.TH
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@hotspot raddb]#
Sorry, I'm not a native English speaker.
I really thank jledhead and matonb very much for attempting to help me. Thanks.
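The check jledhead asked for in #7, and that the klist output in #8 answers by hand, can be automated so a monitoring job on the member server can tell "no ticket cache", "cache from the wrong realm", "TGT expired" and "ok" apart without a human reading klist. The Python below is an added example, not code from the thread or from MIT Kerberos; it embeds the klist output posted above as constructed input, assumes the `mm/dd/yy HH:MM:SS` timestamp layout that this version of klist prints, and takes the evaluation time as a parameter so the result does not depend on the wall clock.

```python
import re
from datetime import datetime

# Constructed copy of the klist output posted in this thread.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SCI.UBU.AC.TH
Valid starting Expires Service principal
05/15/08 13:36:32 05/15/08 20:16:32 krbtgt/TEST.SCI.UBU.AC.TH@TEST.SCI.UBU.AC.TH
05/15/08 13:37:10 05/15/08 20:16:32 winac$@TEST.SCI.UBU.AC.TH
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
"""

# Assumed klist layout: "<start> <expires> <service principal>" with
# two-digit-year timestamps, as in the output above.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)$")
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (default principal or None, list of ticket dicts).
    Header lines and the Kerberos 4 'no tickets cached' trailer are ignored."""
    principal, tickets = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "service": m.group(3),
            })
    return principal, tickets


def tgt_status(text, expected_realm, now):
    """Classify a ticket cache: 'ok' only if the default principal belongs to
    expected_realm and an unexpired TGT (krbtgt/REALM@REALM) for it is cached.
    Other results: 'no-cache', 'realm-mismatch:<realm>', 'no-tgt', 'tgt-expired'."""
    principal, tickets = parse_klist(text)
    if principal is None:
        return "no-cache"
    realm = principal.rsplit("@", 1)[-1]
    if realm.upper() != expected_realm.upper():
        return f"realm-mismatch:{realm}"
    tgts = [t for t in tickets
            if t["service"].upper().startswith(f"KRBTGT/{expected_realm.upper()}@")]
    if not tgts:
        return "no-tgt"
    if all(t["expires"] <= now for t in tgts):
        return "tgt-expired"
    return "ok"


if __name__ == "__main__":
    # Evaluated at a time inside the posted ticket's validity window.
    print(tgt_status(KLIST_OUTPUT, "TEST.SCI.UBU.AC.TH", datetime(2008, 5, 15, 14, 0, 0)))
```

Feed it live output with `tgt_status(subprocess.run(["klist"], capture_output=True, text=True).stdout, "TEST.SCI.UBU.AC.TH", datetime.now())`; anything other than "ok" is the point at which running `kinit` again, as suggested in #7, is the right next step.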