#1 wearetherock

    Join Linux to Windows 2003 Active Directory Problem


    I have to join Fedora 6 to a Windows 2003 Active Directory. I followed this tutorial: "http://www.planetmy.com/blog/how-to-join-fedora-core-6-samba-server-to-windows-2003-active-directory/"

    Environment:
    Windows 2003 SP2, IP 10.80.27.122
    Fedora 6, IP 10.80.27.121, samba.i386 3.0.24-11.fc6

    There are some problems that I can't solve. This is the error message:

    Code:
    [root@hotspot ~]# net join -U Administrator
    Administrator's password:
    Using short domain name -- TEST
    [2008/05/07 14:16:29, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
    net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
    Failed to verify membership in domain!
    ADS join did not work, falling back to RPC...
    Unable to find a suitable server
    Unable to find a suitable server
    [root@hotspot ~]#

    All configuration files

    Code:
    smb.conf
    
    # Global parameters
    [global]
    workgroup = TEST
    realm = TEST.SCI.UBU.AC.TH
    preferred master = no
    server string = Samba file and print server
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    winbind separator = +
    printcap name = cups
    printing = cups
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    
    #netbios name = linux
    
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    
    [printers]
    comment = All Printers
    browseable = no
    printable = yes
    guest ok = yes

    krb5.conf
    Code:
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
    default_realm = TEST.SCI.UBU.AC.TH
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
    
    [realms]
    
    TEST.SCI.UBU.AC.TH = {
    kdc = winac.test.sci.ubu.ac.th
    admin_server = winac.test.sci.ubu.ac.th
    kdc = 10.80.27.122
    }
    
    [domain_realm]
    
    test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
    .test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
    
    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }
    Messages from /var/log/samba/log.wb-TEST:

    Code:
    [2008/05/07 14:22:07, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
    rpc_pipe_bind: Remote machine winac.test.sci.ubu.ac.th pipe \NETLOGON fnum 0x800d bind request returned ok.
    [2008/05/07 14:22:07, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
    rpc_pipe_bind: Remote machine winac.test.sci.ubu.ac.th pipe \NETLOGON fnum 0x800e bind request returned ok.
    Can anyone help me? Thanks.
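The smb.conf and krb5.conf above have to agree with each other before `net ads join` has a chance: `realm` must be the upper-case Kerberos realm and identical to krb5.conf's `default_realm`, `workgroup` must be the short NetBIOS domain rather than the DNS name, `security` must be `ADS`, and a KDC must be reachable either from a static `kdc =` entry or via `dns_lookup_kdc`. The script below is an added example, not code from the post or from Samba: it runs those checks over constructed copies of the two configs (the post's values, plus a deliberately broken variant) and can be pointed at the real files. It does not explain the schannel NT_STATUS_ACCESS_DENIED shown above, which the thread never diagnoses; it only rules out the ordinary configuration mistakes first.

```shell
#!/bin/sh
# Added example (not from the original post): pre-join sanity checks on the
# smb.conf / krb5.conf pair. The two documents below are constructed copies of
# the relevant parts of the configs in the post; for a live system, load them
# with SMB_CONF=$(cat /etc/samba/smb.conf) and KRB5_CONF=$(cat /etc/krb5.conf).

SMB_CONF='[global]
workgroup = TEST
realm = TEST.SCI.UBU.AC.TH
security = ADS
encrypt passwords = yes
'

# Constructed variant carrying the mistakes the checks are meant to catch.
BAD_SMB_CONF='[global]
workgroup = test.sci.ubu.ac.th
realm = test.sci.ubu.ac.th
security = user
'

KRB5_CONF='[libdefaults]
default_realm = TEST.SCI.UBU.AC.TH
dns_lookup_kdc = true

[realms]
TEST.SCI.UBU.AC.TH = {
kdc = winac.test.sci.ubu.ac.th
admin_server = winac.test.sci.ubu.ac.th
kdc = 10.80.27.122
}

[domain_realm]
test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
.test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
'

# ini_get TEXT SECTION KEY: print the first "KEY = value" found inside [SECTION].
ini_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == sec); next }
        insec && index(line, "=") {
            k = substr(line, 1, index(line, "=") - 1); gsub(/[ \t]+$/, "", k)
            v = substr(line, index(line, "=") + 1);    gsub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }'
}

# realm_kdc_count TEXT REALM: number of "kdc =" lines inside REALM's [realms] block.
realm_kdc_count() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[realms\]/); inblk = 0; next }
        insec && !inblk && $1 == realm && /\{/ { inblk = 1; next }
        inblk && /\}/ { inblk = 0; next }
        inblk && $1 == "kdc" { n++ }
        END { print n + 0 }'
}

# check_join_config SMB_TEXT KRB5_TEXT: report mismatches; return 0 only if all pass.
check_join_config() {
    rc=0
    realm=$(ini_get "$1" global realm)
    workgroup=$(ini_get "$1" global workgroup)
    security=$(ini_get "$1" global security)
    default_realm=$(ini_get "$2" libdefaults default_realm)
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')

    # A Kerberos (ADS) join needs security = ADS; "domain" is the NT4 RPC path
    # and "user" is a standalone server.
    case $(printf '%s' "$security" | tr '[:upper:]' '[:lower:]') in
        ads) ;;
        *)   echo "FAIL: security = '$security' (need ADS)"; rc=1 ;;
    esac
    [ -n "$realm" ]         || { echo "FAIL: smb.conf has no realm"; rc=1; }
    [ "$realm" = "$upper" ] || { echo "FAIL: realm '$realm' must be upper case"; rc=1; }
    [ "$realm" = "$default_realm" ] \
        || { echo "FAIL: realm '$realm' != krb5.conf default_realm '$default_realm'"; rc=1; }
    # workgroup is the short NetBIOS domain (TEST), never the DNS name.
    case $workgroup in
        *.*) echo "FAIL: workgroup '$workgroup' is a DNS name, use the short domain"; rc=1 ;;
    esac
    # A KDC must be reachable from a static entry or from a DNS SRV lookup.
    nkdc=$(realm_kdc_count "$2" "$realm")
    [ "$nkdc" -gt 0 ] || [ "$(ini_get "$2" libdefaults dns_lookup_kdc)" = "true" ] \
        || { echo "FAIL: no kdc for $realm and dns_lookup_kdc is not true"; rc=1; }
    [ "$(ini_get "$2" domain_realm "$lower")" = "$realm" ] \
        || echo "WARN: no domain_realm mapping for $lower -> $realm"
    if [ "$rc" -eq 0 ]; then
        echo "OK: workgroup $workgroup, realm $realm, $nkdc static kdc(s)"
    fi
    return "$rc"
}

echo "--- config from the post ---"
check_join_config "$SMB_CONF" "$KRB5_CONF"
echo "--- deliberately broken variant ---"
check_join_config "$BAD_SMB_CONF" "$KRB5_CONF" || echo "rejected, as expected"
```

The checks are deliberately independent of Samba being installed, so the script can run on the box before winbind is started; a non-zero exit from `check_join_config` means the Kerberos side is misconfigured and the schannel/RPC errors from `net join` are not the first thing to chase.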

#2 jledhead
    After I got my Kerberos SMB login working on Linux, I found this software: Likewise – Making Linux and Windows work well together.

    I spent some good time automating my approach and then found that it was already automated. Look at that, and if you would still rather do it manually, let me know and I will compare notes and see if I can find the problem.

#3 wearetherock
    Yes, I really want to configure it manually. Does anyone know the message "failed to get schannel session key from server" and how to fix it?

#4
    I really struggled to get an old RHEL 2.1 (which should be fairly similar to RH6) server to connect to an AD, but did eventually get it to work:

    The Linux server's hostname must be added to the Windows Active Directory domain controller before it can join the domain.

    The pre-Win2K host option needs to be selected when you create the host entry.

    Then on the Linux server as root enter the following command:

    Code:
    #smbpasswd -j <Domain Name> -r <PDC / ADS>
    Example:

    Code:
    #smbpasswd -j WORKGROUP -r myDomainController
    Note: no Windows admin account information is needed.

    HTH
    RHCE #100-015-395
    Please don't PM me with questions as no reply may offend, that's what the forums are for.

#5 wearetherock
    The commands above:

    Code:
    [root@hotspot samba]# smbpasswd -j TEST -r winac.test.sci.ubu.ac.th
    See 'net join' for this functionality

    Code:
    [root@hotspot samba]# net ads join -U Administrator
    Administrator's password: 
    Using short domain name -- TEST
    [2008/05/14 10:42:20, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
      net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
    Failed to verify membership in domain!

    Other commands:
    Code:
    [root@hotspot samba]# wbinfo -u
    TEST.SCI.UBU.AC.TH\administrator
    TEST.SCI.UBU.AC.TH\guest
    TEST.SCI.UBU.AC.TH\iusr_winac
    TEST.SCI.UBU.AC.TH\iwam_winac
    TEST.SCI.UBU.AC.TH\krbtgt
    TEST.SCI.UBU.AC.TH\tonkhaw
    TEST.SCI.UBU.AC.TH\wearetherock
    TEST.SCI.UBU.AC.TH\x_kapong

    Code:
    [root@hotspot samba]# wbinfo -g
    BUILTIN\administrators
    BUILTIN\users
    TEST.SCI.UBU.AC.TH\domain admins
    TEST.SCI.UBU.AC.TH\domain users
    TEST.SCI.UBU.AC.TH\domain guests
    TEST.SCI.UBU.AC.TH\domain computers
    TEST.SCI.UBU.AC.TH\domain controllers
    TEST.SCI.UBU.AC.TH\schema admins
    TEST.SCI.UBU.AC.TH\enterprise admins
    TEST.SCI.UBU.AC.TH\group policy creator owners
    TEST.SCI.UBU.AC.TH\dnsupdateproxy
    It seems I can list groups/usernames on the Active Directory server, but I can't authenticate a user via Kerberos.

    Code:
    [root@hotspot samba]# wbinfo -K wearetherock%/7d\'koxu3
    plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: FILE)
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: FILE)
    plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: KCM)
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: KCM)
    plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: KCM:0)
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: KCM:0)
    plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: Garbage)
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: Garbage)
    plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: (null))
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: (null))
    plaintext kerberos password authentication for [wearetherock%/7d'koxu3] failed (requesting cctype: 0)
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user [wearetherock%/7d'koxu3] with Kerberos (ccache: 0)
    [root@hotspot samba]#
    I can't log in using an account on the Active Directory server; see nsswitch.conf:

    Code:
    [root@hotspot ~]# cat /etc/nsswitch.conf
    #
    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Legal entries are:
    #
    #       nisplus or nis+         Use NIS+ (NIS version 3)
    #       nis or yp               Use NIS (NIS version 2), also called YP
    #       dns                     Use DNS (Domain Name Service)
    #       files                   Use the local files
    #       db                      Use the local database (.db) files
    #       compat                  Use NIS on compat mode
    #       hesiod                  Use Hesiod for user lookups
    #       [NOTFOUND=return]       Stop searching if not found so far
    #
    
    # To use db, put the "db" in front of "files" for entries you want to be
    # looked up first in the databases
    #
    # Example:
    #passwd:    db files nisplus nis
    #shadow:    db files nisplus nis
    #group:     db files nisplus nis
    
    #beer not comment
    passwd:     winbind files
    shadow:     winbind files
    group:      winbind files
    
    #passwd:     compat  winbind
    #shadow:     conpat  winbind
    #group:      compat  winbind
    
    
    #hosts:     db files nisplus nis dns
    hosts:      files dns
    
    # Example - obey only what nisplus tells us...
    #services:   nisplus [NOTFOUND=return] files
    #networks:   nisplus [NOTFOUND=return] files
    #protocols:  nisplus [NOTFOUND=return] files
    #rpc:        nisplus [NOTFOUND=return] files
    #ethers:     nisplus [NOTFOUND=return] files
    #netmasks:   nisplus [NOTFOUND=return] files     
    
    bootparams: nisplus [NOTFOUND=return] files
    
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files winbind
    rpc:        files
    services:   files winbind
    
    netgroup:   files winbind
    
    publickey:  nisplus
    
    automount:  files winbind
    aliases:    files nisplus
    
    [root@hotspot ~]#

#6
    Oops, my bad, I thought you were using RH6 (which was around before Fedora came into existence), which is why I suggested using the smbpasswd command.

    Not very familiar with Kerberos, so I can't help you there, I'm afraid. Good luck with fixing the problem; post your solution when you find one!

#7 jledhead
    Quote, originally posted by wearetherock:

    It seems I can list groups/usernames on the Active Directory server, but I can't authenticate a user via Kerberos.
    Let's prove that. Try this:
    Code:
    klist
    to see if you even have a ticket cached.

    Code:
    kinit administrator_username
    to get a Kerberos ticket.

    then run
    Code:
    klist
    again and report back your results.
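As an added example (not part of jledhead's post, and not Samba or MIT tooling), the script below turns this klist / kinit / klist check into something repeatable: it parses klist output in the MIT format seen in post #8 (two-digit MM/DD/YY dates, an assumption about the klist build in use), reports whether an unexpired TGT for the realm is present and whose it is, and lists the service tickets held, such as the one for the DC's computer account. It runs offline on a constructed copy of the post's klist output; the comment at the top shows how to feed it live output. One caveat on the `wbinfo -K` test in post #5: passing `user%password` on the command line leaves the password in the shell history and visible to other local users in the process list; omit the `%password` part and wbinfo prompts for it instead.

```shell
#!/bin/sh
# Added example (not from the original post): check a klist credential cache
# for an unexpired TGT before blaming winbind or Samba. The input below is a
# constructed copy of the klist output format shown in post #8 (MIT klist,
# MM/DD/YY dates). For a live cache, call it as:
#   tgt_status "$(klist 2>&1)" TEST.SCI.UBU.AC.TH "$(date '+%m/%d/%y %H:%M:%S')"

KLIST_OUT='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SCI.UBU.AC.TH

Valid starting     Expires            Service principal
05/15/08 13:36:32  05/15/08 20:16:32  krbtgt/TEST.SCI.UBU.AC.TH@TEST.SCI.UBU.AC.TH
05/15/08 13:37:10  05/15/08 20:16:32  winac$@TEST.SCI.UBU.AC.TH
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached'

# Constructed: what klist prints when there is no cache at all.
KLIST_EMPTY='klist: No credentials cache found (filename: /tmp/krb5cc_0)'

# tgt_status KLIST_OUTPUT REALM 'MM/DD/YY HH:MM:SS'
#   prints "none", "expired <expiry> <principal>" or "valid <expiry> <principal>"
#   and returns 0 only when an unexpired krbtgt/REALM@REALM ticket is present.
tgt_status() {
    printf '%s\n' "$1" | awk -v realm="$2" -v now="$3" '
        # MM/DD/YY + HH:MM:SS -> YYMMDDHHMMSS. Sorts correctly within one
        # century, which is all a ticket-lifetime comparison needs.
        function key(d, t,   m) { split(d, m, "/"); gsub(/:/, "", t); return m[3] m[1] m[2] t }
        BEGIN {
            tgt = "krbtgt/" realm "@" realm
            split(now, n, " "); nowkey = key(n[1], n[2]) + 0
            status = "none"
        }
        /^Default principal:/ { princ = $3 }
        $5 == tgt {
            expiry = $3 " " $4
            status = (key($3, $4) + 0 > nowkey) ? "valid" : "expired"
        }
        END {
            if (status == "none") { print "none"; exit 1 }
            print status, expiry, princ
            code = (status == "valid") ? 0 : 1
            exit code
        }'
}

# service_tickets KLIST_OUTPUT: list the non-TGT service principals in the
# cache, e.g. the DC computer account (winac$@REALM) that an ADS join talks to.
service_tickets() {
    printf '%s\n' "$1" | awk 'NF == 5 && $5 ~ /@/ && $5 !~ /^krbtgt\// { print $5 }'
}

NOW='05/15/08 15:00:00'
echo "cache from post #8 at $NOW:"
tgt_status "$KLIST_OUT" TEST.SCI.UBU.AC.TH "$NOW" || true
echo "same cache after the tickets expire:"
tgt_status "$KLIST_OUT" TEST.SCI.UBU.AC.TH '05/15/08 20:30:00' || true
echo "no cache:"
tgt_status "$KLIST_EMPTY" TEST.SCI.UBU.AC.TH "$NOW" || true
echo "service tickets held:"
service_tickets "$KLIST_OUT"
```

A "none" result after `kinit` means the ticket went into a different cache than the one klist reads (check KRB5CCNAME), while "expired" means the cache exists but `kinit` has to be run again before anything Kerberos-based, winbind included, can be expected to work.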

#8 wearetherock
    Thank you, everybody. I have installed Ubuntu and followed this:
    https://help.ubuntu.com/community/Ac...ryWinbindHowto

    I haven't had any problem on Ubuntu; every step passes, except this command, which still errors:
    Code:
    [root@hotspot raddb]# net join -U Administrator
    Administrator's password: 
    Using short domain name -- TEST
    [2008/05/15 16:16:49, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
      net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
    Failed to verify membership in domain!
    ADS join did not work, falling back to RPC...
    Unable to find a suitable server
    Unable to find a suitable server
    [root@hotspot raddb]#
    But I don't care, because on the domain controller (Windows 2003) this machine has been added into the specific domain.
    I can authenticate users via Kerberos. Then I used this same solution on Fedora; it also succeeded.

    @jledhead, proving Kerberos:
    Code:
    [root@hotspot raddb]# klist 
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@TEST.SCI.UBU.AC.TH
    
    Valid starting     Expires            Service principal
    05/15/08 13:36:32  05/15/08 20:16:32  krbtgt/TEST.SCI.UBU.AC.TH@TEST.SCI.UBU.AC.TH
    05/15/08 13:37:10  05/15/08 20:16:32  winac$@TEST.SCI.UBU.AC.TH
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    Code:
    [root@hotspot raddb]# kinit administrator
    Password for administrator@TEST.SCI.UBU.AC.TH:
    Code:
    [root@hotspot raddb]# klist 
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@TEST.SCI.UBU.AC.TH
    
    Valid starting     Expires            Service principal
    05/15/08 15:47:59  05/15/08 22:27:59  krbtgt/TEST.SCI.UBU.AC.TH@TEST.SCI.UBU.AC.TH
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    [root@hotspot raddb]#
    Sorry, I'm not a native English speaker.
    I really thank jledhead and matonb very much for attempting to help me. Thanks.
