Join Linux to Windows 2003 Active Directory Problem

#1  05-07-2008  wearetherock (Just Joined!, Join Date: May 2008, Posts: 14)

I have to join Fedora 6 to a Windows 2003 Active Directory. I followed this tutorial: "http://www.planetmy.com/blog/how-to-join-fedora-core-6-samba-server-to-windows-2003-active-directory/"

Environment:
windows 2003 sp 2, ip 10.80.27.122
fedora 6, ip 10.80.27.121, samba.i386 3.0.24-11.fc6

There are some problems that I can't solve. This is the error message:

Code:
[root@hotspot ~]# net join -U Administrator
Administrator's password:
Using short domain name -- TEST
[2008/05/07 14:16:29, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Unable to find a suitable server
[root@hotspot ~]#

All configuration files:

Code:
smb.conf

# Global parameters
[global]
workgroup = TEST
realm = TEST.SCI.UBU.AC.TH
preferred master = no
server string = Samba file and print server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000

#netbios name = linux

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
browseable = no
printable = yes
guest ok = yes
krb5.conf
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TEST.SCI.UBU.AC.TH
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]

TEST.SCI.UBU.AC.TH = {
kdc = winac.test.sci.ubu.ac.th
admin_server = winac.test.sci.ubu.ac.th
kdc = 10.80.27.122
}

[domain_realm]

test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
.test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Messages from /var/log/samba/log.wb-TEST:

Code:
[2008/05/07 14:22:07, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine winac.test.sci.ubu.ac.th pipe \NETLOGON fnum 0x800d bind request returned ok.
[2008/05/07 14:22:07, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine winac.test.sci.ubu.ac.th pipe \NETLOGON fnum 0x800e bind request returned ok.
Can anyone help me? Thanks.
#2  05-07-2008  jledhead (Linux Engineer, Join Date: Oct 2004, Location: North Carolina, Posts: 1,030)
After I got my Kerberos SMB login working on Linux, I found this software: Likewise – Making Linux and Windows work well together

I spent some good time automating my approach and then found that it was already automated. Look at that, and if you would still rather do it manually, let me know and I will compare notes and see if I can find the problem.
#3  05-08-2008  wearetherock (Just Joined!, Join Date: May 2008, Posts: 14)
Yes, I really want to configure it manually. Does anyone know the message "failed to get schannel session key from server" and how to fix it?
#4  05-13-2008  matonb (Linux User, Join Date: Aug 2006, Location: Portsmouth, UK, Posts: 481)
I really struggled to get an old RHEL 2.1 server (which should be fairly similar to RH6) to connect to an AD, but did eventually get it to work:

The Linux server's hostname must be added to the Windows Active Directory domain controller before it can join the domain.

The host option "pre-Win2K" needs to be selected when you create the host entry.

Then on the Linux server as root enter the following command:

Code:
#smbpasswd -j <Domain Name> -r <PDC / ADS>
Example:

Code:
#smbpasswd -j WORKGROUP -r myDomainController
Note: No Windows admin account information is needed.

HTH
__________________
RHCE #805007238628267
Please don't PM me with questions as no reply may offend, that's what the forums are for.
#5  05-14-2008  wearetherock (Just Joined!, Join Date: May 2008, Posts: 14)
The above commands:

Code:
[root@hotspot samba]# smbpasswd -j TEST -r winac.test.sci.ubu.ac.th
See 'net join' for this functionality

Code:
[root@hotspot samba]# net ads join -U Administrator
Administrator's password: 
Using short domain name -- TEST
[2008/05/14 10:42:20, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!

Another command:
Code:
[root@hotspot samba]# wbinfo -u
TEST.SCI.UBU.AC.TH\administrator
TEST.SCI.UBU.AC.TH\guest
TEST.SCI.UBU.AC.TH\iusr_winac
TEST.SCI.UBU.AC.TH\iwam_winac
TEST.SCI.UBU.AC.TH\krbtgt
TEST.SCI.UBU.AC.TH\tonkhaw
TEST.SCI.UBU.AC.TH\wearetherock
TEST.SCI.UBU.AC.TH\x_kapong

Code:
[root@hotspot samba]# wbinfo -g
BUILTIN\administrators
BUILTIN\users
TEST.SCI.UBU.AC.TH\domain admins
TEST.SCI.UBU.AC.TH\domain users
TEST.SCI.UBU.AC.TH\domain guests
TEST.SCI.UBU.AC.TH\domain computers
TEST.SCI.UBU.AC.TH\domain controllers
TEST.SCI.UBU.AC.TH\schema admins
TEST.SCI.UBU.AC.TH\enterprise admins
TEST.SCI.UBU.AC.TH\group policy creator owners
TEST.SCI.UBU.AC.TH\dnsupdateproxy
It seems I can list groups/usernames on the Active Directory server, but I can't authenticate a user via Kerberos.

Code:
[root@hotspot samba]# wbinfo -K wearetherock%/7d\'koxu3
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: FILE)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: FILE)
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: KCM)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: KCM)
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: KCM:0)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: KCM:0)
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: Garbage)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: Garbage)
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: (null))
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: (null))
plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: 0)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: 0)
[root@hotspot samba]#
I can't log in using an account on the Active Directory server; see nsswitch.conf:

Code:
[root@hotspot ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

#beer not comment
passwd:     winbind files
shadow:     winbind files
group:      winbind files

#passwd:     compat  winbind
#shadow:     conpat  winbind
#group:      compat  winbind


#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind

netgroup:   files winbind

publickey:  nisplus

automount:  files winbind
aliases:    files nisplus

[root@hotspot ~]#
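A check script, added here as an editor's example and not something posted in the thread, covering the smb.conf and krb5.conf from #1 and the nsswitch.conf from #5. The line `net_rpc_join_ok: failed to get schannel session key ... NT_STATUS_ACCESS_DENIED` means the domain controller refused to set up the NETLOGON secure channel with the member's machine-account credentials. Before chasing that on the DC side it is worth confirming the cheap things on the member: `security = ADS`, an upper-case `realm` that matches `default_realm` in krb5.conf (Kerberos realm names are case-sensitive), a NetBIOS name of at most 15 characters (with `netbios name` commented out, Samba uses the hostname, here `hotspot`), clock skew within the Kerberos default of 300 seconds, and `files` listed before `winbind` in nsswitch.conf so that local accounts, root included, never depend on winbindd or the DC being reachable. The file paths, the hostname argument and the sample files built at the bottom (abbreviated copies of the ones posted above) are assumptions for the offline run; on the real member point it at /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf. Separately, `wbinfo -K user%password` as run in #5 leaves the password in the shell history and the process list; if the `%password` part is omitted, wbinfo prompts for it.

```shell
#!/bin/sh
# Added example (not from the thread): static checks on a Samba ADS member's
# configuration before retrying 'net ads join'. Reads only the files it is
# given; the sample files built at the bottom are abbreviated copies of the
# ones posted in this thread so the script runs offline. File paths, the
# hostname argument and the 300 s skew limit (Kerberos default) are assumptions.

# Print the value of key $2 from the [global] section of smb.conf $1.
# Keys match case-insensitively; lines starting with # or ; are comments.
smb_global() {
    awk -v key="$2" '
        /^[ \t]*\[/ { inglobal = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        inglobal && !/^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Print default_realm from the [libdefaults] section of krb5.conf $1.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { inlib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        inlib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Return 0 if, for passwd, shadow and group in nsswitch.conf $1, "files" comes
# before "winbind" wherever winbind is used, so local accounts (root included)
# resolve without winbindd or the domain controller being reachable.
nss_files_first() {
    awk '
        /^[ \t]*(passwd|shadow|group):/ {
            fi = 0; wi = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !fi) fi = i
                if ($i == "winbind" && !wi) wi = i
            }
            if (wi && (!fi || wi < fi)) { bad = 1; exit }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Return 0 if two clocks in epoch seconds ($1 member, $2 DC) differ by at most
# $3 seconds (default 300). Kerberos rejects requests outside the allowed skew.
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "${3:-300}" ]
}

# Run the checks; print one line per finding; return the number of failures.
check_member() {   # $1=smb.conf $2=krb5.conf $3=nsswitch.conf $4=hostname
    fails=0
    realm=$(smb_global "$1" realm); krealm=$(krb5_default_realm "$2")
    sec=$(smb_global "$1" security)
    nb=$(smb_global "$1" "netbios name"); [ -n "$nb" ] || nb=$4   # Samba defaults to the hostname
    if [ "$(printf %s "$sec" | tr A-Z a-z)" != "ads" ]; then
        echo "FAIL: security = '$sec'; a Kerberos join needs security = ADS"; fails=$((fails + 1)); fi
    if [ -z "$realm" ] || [ "$realm" != "$(printf %s "$realm" | tr a-z A-Z)" ]; then
        echo "FAIL: smb.conf realm '$realm' must be set and upper case"; fails=$((fails + 1)); fi
    if [ "$realm" != "$krealm" ]; then
        echo "FAIL: smb.conf realm '$realm' differs from krb5.conf default_realm '$krealm'"; fails=$((fails + 1)); fi
    if [ ${#nb} -gt 15 ]; then
        echo "FAIL: NetBIOS name '$nb' is longer than 15 characters"; fails=$((fails + 1)); fi
    if ! nss_files_first "$3"; then
        echo "WARN: nsswitch.conf lists winbind before files for passwd/shadow/group"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed samples (abbreviated from the files posted in #1 and #5).
tmp=$(mktemp -d)
cat >"$tmp/smb.conf" <<'EOF'
[global]
workgroup = TEST
realm = TEST.SCI.UBU.AC.TH
security = ADS
winbind separator = +
#netbios name = linux
[homes]
comment = Home Directories
EOF
cat >"$tmp/krb5.conf" <<'EOF'
[libdefaults]
default_realm = TEST.SCI.UBU.AC.TH
[realms]
TEST.SCI.UBU.AC.TH = {
kdc = winac.test.sci.ubu.ac.th
}
EOF
cat >"$tmp/nsswitch.conf" <<'EOF'
passwd:     winbind files
shadow:     winbind files
group:      winbind files
EOF
check_member "$tmp/smb.conf" "$tmp/krb5.conf" "$tmp/nsswitch.conf" hotspot || echo "$? check(s) failed"
rm -rf "$tmp"
# On the member itself, DC_EPOCH would come from the DC's clock (for example
# 'net time -S winac.test.sci.ubu.ac.th' converted with date -d):
#   skew_ok "$(date +%s)" "$DC_EPOCH" || echo "clock skew exceeds 300 s; fix NTP before joining"
```

Run against the posted files, only the nsswitch.conf ordering is flagged; everything the join needs from smb.conf and krb5.conf is consistent, which is one reason to look at the machine account on the DC and at the clocks next.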
#6  05-14-2008  matonb (Linux User, Join Date: Aug 2006, Location: Portsmouth, UK, Posts: 481)
Oops, my bad. I thought you were using RH6 (which was around before Fedora came into existence), which is why I suggested using the smbpasswd command.

I'm not very familiar with Kerberos, so I can't help you there, I'm afraid. Good luck with fixing the problem; post your solution when you find one!
#7  05-14-2008  jledhead (Linux Engineer, Join Date: Oct 2004, Location: North Carolina, Posts: 1,030)
Quote: Originally Posted by wearetherock

It seems I can list groups/usernames on the Active Directory server, but I can't authenticate a user via Kerberos.
Let's prove that. Try this:
Code:
klist
to see if you even have a ticket cached.

Code:
kinit administrator_username
to get a Kerberos ticket.

Then run
Code:
klist
again and report back your results.
#8  05-15-2008  wearetherock (Just Joined!, Join Date: May 2008, Posts: 14)
Thank you everybody. I have installed Ubuntu and followed this:
https://help.ubuntu.com/community/Ac...ryWinbindHowto

I haven't had any problems on Ubuntu; every step passes, except this command, which still errors:
Code:
[root@hotspot raddb]# net join -U Administrator
Administrator's password: 
Using short domain name -- TEST
[2008/05/15 16:16:49, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Unable to find a suitable server
[root@hotspot raddb]#
But I don't care, because on the domain controller (Windows 2003) this machine has been added into the specific domain.
I can authenticate users via Kerberos. Then I used this same solution on Fedora; it also succeeded.

@jledhead, proving Kerberos:
Code:
[root@hotspot raddb]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SCI.UBU.AC.TH

Valid starting     Expires            Service principal
05/15/08 13:36:32  05/15/08 20:16:32  krbtgt/TEST.SCI.UBU.AC.TH@TEST.SCI.UBU.AC.TH
05/15/08 13:37:10  05/15/08 20:16:32  winac$@TEST.SCI.UBU.AC.TH
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Code:
[root@hotspot raddb]# kinit administrator
Password for administrator@TEST.SCI.UBU.AC.TH:
Code:
[root@hotspot raddb]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SCI.UBU.AC.TH

Valid starting     Expires            Service principal
05/15/08 15:47:59  05/15/08 22:27:59  krbtgt/TEST.SCI.UBU.AC.TH@TEST.SCI.UBU.AC.TH
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@hotspot raddb]#
Sorry, I'm not a native English speaker.
I really thank jledhead and matonb very much for attempting to help me. Thanks.
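jledhead's three-step check in #7 (klist, kinit, klist) and the output posted in #8 can be turned into something a script can act on. The following is an added example, not code from the thread: it reads MIT klist output and succeeds only if the cache holds an unexpired ticket-granting ticket (krbtgt/REALM@REALM) for the realm of the default principal, which is the evidence jledhead asked for that the KDC named in krb5.conf accepted the account; a service ticket alone, an expired TGT, or no cache at all fail. The sample embedded in it is the klist output from #8, the two timestamps it is evaluated against are chosen to show both outcomes, and it assumes klist's default "MM/DD/YY HH:MM:SS" timestamp format with two-digit years meaning 20xx. The `Kerberos 4 ticket cache ... You have no tickets cached` lines in #8 refer only to the legacy Kerberos 4 cache, which AD does not use, and are correctly ignored.

```shell
#!/bin/sh
# Added example (not from the thread): make jledhead's "klist / kinit / klist"
# check scriptable. tgt_valid reads MIT klist output on stdin and returns 0 only
# when the cache holds a krbtgt/REALM@REALM ticket for the default principal's
# realm whose expiry is later than $1, given in klist's own "MM/DD/YY HH:MM:SS"
# form. No cache, no TGT, an expired TGT or only service tickets return 1.
tgt_valid() {
    awk -v now="$1" '
        # "05/15/08" "20:16:32" -> 20080515201632 (two-digit years assumed 20xx)
        function stamp(d, t,   a, b) {
            split(d, a, "/"); split(t, b, ":")
            return sprintf("20%s%s%s%s%s%s", a[3], a[1], a[2], b[1], b[2], b[3]) + 0
        }
        BEGIN { split(now, n, " "); nowst = stamp(n[1], n[2]); found = 0 }
        # Realm is whatever follows the @ in the default principal.
        /^Default principal:/ { realm = $3; sub(/.*@/, "", realm) }
        # Ticket lines begin with the "Valid starting" date; $3 $4 are the
        # expiry, $5 the service principal.
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / && realm != "" {
            if ($5 == ("krbtgt/" realm "@" realm) && stamp($3, $4) > nowst) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: the klist output posted in #8, verbatim.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SCI.UBU.AC.TH

Valid starting     Expires            Service principal
05/15/08 13:36:32  05/15/08 20:16:32  krbtgt/TEST.SCI.UBU.AC.TH@TEST.SCI.UBU.AC.TH
05/15/08 13:37:10  05/15/08 20:16:32  winac$@TEST.SCI.UBU.AC.TH
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached'

# Offline demonstration: the same cache seen before and after the TGT expires.
for when in "05/15/08 15:00:00" "05/15/08 21:00:00"; do
    if printf '%s\n' "$SAMPLE_KLIST" | tgt_valid "$when"; then
        echo "$when: usable TGT in cache"
    else
        echo "$when: no usable TGT, run kinit first"
    fi
done

# Live use on the member (klist reports a missing cache on stderr, hence 2>&1):
#   klist 2>&1 | tgt_valid "$(date '+%m/%d/%y %H:%M:%S')" && echo "Kerberos OK"
```

The realm is taken from the default principal rather than passed in, so a cache obtained with `kinit administrator` against the wrong realm (a lower-case or mistyped `default_realm`) is reported as having no TGT rather than silently passing.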
© 2000 - 2009 - All Rights Reserved - Property of  MAS Media