[2012/02/22 15:06:22.001366, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: No credentials found with supported encryption types
[2012/02/22 15:06:22.014129, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: No credentials found with supported encryption types
Join to domain is not valid: Undetermined error
net rpc testjoin
Code:
Join to 'DOMAIN' is OK
net ads info
Code:
LDAP server: x.x.x.x
LDAP server name: SERVER.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 22 Feb 2012 15:08:38 CET
KDC server: x.x.x.x
Server time offset: -40
And the strange part: when I try to join the Samba server to my DC, the server appears under Computers in my domain (on the DC server), but I get an error...
The command: net ads join -d3 -U administrateur
The error:
I would recommend using a newer version, CentOS 6 at least; RHEL3 is several years old and there are many more packages available in the newer distro.
When you joined the domain, did you see the Linux server in AD? And to be safe, even though you get a ticket, make sure the ADS server is in the /etc/hosts file (IP address and FQDN). Your config is a bit confusing, so it's kind of hard to decipher where you're using <domain name> as the actual domain and where it's just a copy from a config file, because in smb.conf you have password server = <domain.com>, and this should actually be either the IP address or the name of the Windows box.
@rhbegin: actually, we can't, but I agree with you, this would be the better solution...
@cbtshare: when I join the domain, the Linux server appears in the AD. I just added the ADS server to the hosts file, but nothing changed.
About the password server variable, I changed it to the AD server IP, but same thing.
I'll try to clean up the config and restart from the beginning ^^
#!/bin/bash
# Join a CentOS 5 / RHEL 5 box to AD with samba3x winbind and limit sudo to one AD group.
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
read -r -p "Enter the Domain Admin name: " DADMIN
read -r -p "Enter the Domain Group name: " DGROUP
STATE_OK=0
STATE_ERROR=1
# 24 = the 15-char NetBIOS limit on the short name plus the 9 chars of our ".1on1.com" suffix (see the note below)
HOSTLEN=$(hostname | awk '{print length}')
if [ "${HOSTLEN}" -gt 24 ]
then
    echo "The Hostname is too long! rename and rerun the script. Current length is: ${HOSTLEN}"
    exit ${STATE_ERROR}
else
    echo "Hostname is proper length! process continuing..."
fi
yum erase samba-* -y
yum install pam_krb5 sudo authconfig -y
yum install samba3x-winbind.i386 samba3x-winbind.x86_64 samba3x-winbind-devel.i386 samba3x-winbind-devel.x86_64 -y
chkconfig winbind on
# change DOMAIN to fit yours; pam_mkhomedir creates the per-user directories as root,
# so the parent only needs to be readable, not world-writable
mkdir -p /home/DOMAIN
chmod 755 /home/DOMAIN
# change DOMAIN to fit yours
authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=DOMAIN --smbrealm=DOMAIN.LOCAL --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/DOMAIN/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=DOMAIN.LOCAL --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
# only members of the AD group $DGROUP may log in (local users already passed the pam_unix line above)
sed -i "/auth sufficient pam_unix.so nullok try_first_pass/a auth requisite pam_succeed_if.so user ingroup $DGROUP debug" /etc/pam.d/system-auth
# home directories are created private to the user
sed -i '/session optional pam_mkhomedir.so/c session optional pam_mkhomedir.so umask=0077' /etc/pam.d/system-auth
# define the command alias first, then the rule that references it, and let visudo check the result
# note: with free arguments, /bin/sudo, /bin/chmod, /bin/chown, /bin/chgrp, /bin/mv and /bin/ln each amount to full root
cat >> /etc/sudoers << EOF
Cmnd_Alias DEPLOY = /bin/touch *, /usr/bin/readlink, /bin/chown, /bin/echo, /usr/bin/mysql, /usr/bin/mysqldump, /bin/ln, /sbin/service, /bin/ls, /bin/rm, /bin/mkdir, /bin/chmod, /bin/mv, /bin/sudo, /usr/bin/tail, /bin/chgrp, /bin/cat, /bin/more
EOF
sed -i "/Allows people in group wheel to run all commands/a %$DGROUP ALL = DEPLOY" /etc/sudoers
visudo -c || { echo "/etc/sudoers failed the syntax check" 1>&2; exit ${STATE_ERROR}; }
service winbind restart
net ads join -U "$DADMIN"
service winbind restart
Make sure you enable UNIX attributes on your Windows server, and the domain group should be a group that the user belongs to in AD.
The reason that the length of the hostname matters is that if it is over 15, then it won't bind to AD. Ours end with .1on1.com (which is 9 chars), so 15 chars max plus our 9 = 24.
Last edited by Beandip408; 03-05-2012 at 12:17 PM.
Reason: explanation for hostname length
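As an added example (not code from the thread), the 15-character check from the note above, done on the short name rather than the full hostname so that an FQDN is not rejected for the length of its domain suffix. It assumes the limit applies to the first DNS label only and that the name should contain only letters, digits and hyphens; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: derive the NetBIOS-style short name from
# a hostname and check it against the 15-character limit described above.
# Assumptions: the limit applies to the first label only (the part before the
# first dot), and the name should use only letters, digits and hyphens.

NETBIOS_MAX=15

# netbios_short_name HOSTNAME
#   Prints the first DNS label, upper-cased, which is the name Samba uses for
#   the machine account (NAME$) in AD.
netbios_short_name() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# netbios_name_ok HOSTNAME
#   Returns 0 when the short name fits the limit and character set,
#   1 otherwise, with the reason on stderr.
netbios_name_ok() {
    short=$(netbios_short_name "$1")
    if [ -z "$short" ]; then
        echo "empty hostname" >&2
        return 1
    fi
    if [ "${#short}" -gt "$NETBIOS_MAX" ]; then
        echo "short name '$short' is ${#short} chars, limit is $NETBIOS_MAX" >&2
        return 1
    fi
    case "$short" in
        *[!A-Z0-9-]*)
            echo "short name '$short' contains characters outside A-Z, 0-9 and '-'" >&2
            return 1 ;;
        -*|*-)
            echo "short name '$short' must not start or end with '-'" >&2
            return 1 ;;
    esac
    return 0
}

# check_this_host
#   Wrapper for use in a join script: checks the running host and tells the
#   operator what to do before running net ads join.
check_this_host() {
    if netbios_name_ok "$(hostname)"; then
        echo "Hostname OK: $(netbios_short_name "$(hostname)") fits in $NETBIOS_MAX chars"
    else
        echo "Rename the host before running net ads join" >&2
        return 1
    fi
}
```

Call check_this_host in place of the awk length test; it prints the reason for a rejection, so a name like web_server01 is caught for its underscore as well as for its length.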
#!/bin/bash
# Join a CentOS 5 / RHEL 5 box to AD with samba3x winbind and limit sudo to one AD group.
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
read -r -p "Enter the Domain Admin name: " DADMIN
read -r -p "Enter the Domain Group name: " DGROUP
STATE_OK=0
STATE_ERROR=1
# the 15-char NetBIOS limit applies to the short name, so strip any domain suffix before measuring
SHORTHOST=$(hostname | cut -d. -f1)
HOSTLEN=${#SHORTHOST}
if [ "${HOSTLEN}" -gt 15 ]
then
    echo "The Hostname is too long! rename and rerun the script. Current length is: ${HOSTLEN}"
    exit ${STATE_ERROR}
else
    echo "Hostname is proper length! process continuing..."
fi
# Offer to disable SELinux (the original prompts called it a firewall; it is not one).
# Disabling it is a security trade-off: resolving the denials with audit2allow keeps enforcement.
DISSELINUX=no
if sestatus | grep -q "enforcing"
then
    echo "SELinux is enforcing."
    echo "Do you want to disable SELinux? (yes/no)"
    read -r DISSELINUX
fi
if [ "$DISSELINUX" = "yes" ] || [ "$DISSELINUX" = "y" ]
then
    setenforce 0
    sed -i '/SELINUX=enforcing/c SELINUX=disabled' /etc/selinux/config
    if sestatus | grep -q "enforcing"
    then
        echo "SELinux is still enforcing, try a different way to disable it!"
        exit ${STATE_ERROR}
    fi
else
    echo "SELinux is not enforcing (or you chose to keep it), process continuing..."
fi
yum erase samba-* -y
yum install pam_krb5 sudo authconfig -y
yum install samba3x-winbind.i386 samba3x-winbind.x86_64 samba3x-winbind-devel.i386 samba3x-winbind-devel.x86_64 -y
chkconfig winbind on
# pam_mkhomedir creates the per-user directories as root, so the parent only needs to be readable, not world-writable
mkdir -p /home/PUTYOURDOMAINNAMEHERE
chmod 755 /home/PUTYOURDOMAINNAMEHERE
authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=PUTYOURDOMAINNAMEHERE --smbrealm=PUTYOURDOMAINNAMEHERE.LOCAL --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/PUTYOURDOMAINNAMEHERE/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=PUTYOURDOMAINNAMEHERE.LOCAL --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
# only members of the AD group $DGROUP may log in (local users already passed the pam_unix line above)
sed -i "/auth sufficient pam_unix.so nullok try_first_pass/a auth requisite pam_succeed_if.so user ingroup $DGROUP debug" /etc/pam.d/system-auth
# home directories are created private to the user
sed -i '/session optional pam_mkhomedir.so/c session optional pam_mkhomedir.so umask=0077' /etc/pam.d/system-auth
# define the command alias first, then the rule that references it, and let visudo check the result
# note: with free arguments, /bin/sudo, /bin/chmod, /bin/chown, /bin/chgrp, /bin/mv and /bin/ln each amount to full root
cat >> /etc/sudoers << EOF
Cmnd_Alias DEPLOY = /bin/touch *, /usr/bin/readlink, /bin/chown, /bin/echo, /usr/bin/mysql, /usr/bin/mysqldump, /bin/ln, /sbin/service, /bin/ls, /bin/rm, /bin/mkdir, /bin/chmod, /bin/mv, /bin/sudo, /usr/bin/tail, /bin/chgrp, /bin/cat, /bin/more
EOF
sed -i "/Allows people in group wheel to run all commands/a %$DGROUP ALL = DEPLOY" /etc/sudoers
visudo -c || { echo "/etc/sudoers failed the syntax check" 1>&2; exit ${STATE_ERROR}; }
service winbind restart
net ads join -U "$DADMIN"
service winbind restart
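As an added example (not code from the thread), a small audit of the Cmnd_Alias line the script appends to /etc/sudoers. It assumes the rule "%GROUP ALL = DEPLOY" as written, where almost every entry carries no argument restriction, and runs over a constructed sudoers fragment mirroring the script's output; the list of root-equivalent commands and the reasons given are the standard ones, not something the thread states, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Cmnd_Alias that the join
# script appends to /etc/sudoers. Assumption (true for the rule as written,
# "%GROUP ALL = DEPLOY" with no argument restriction on most entries): every
# listed command may be run as root with arbitrary arguments, so an entry
# that can change file ownership or mode, replace a file, re-invoke sudo,
# or drop to a shell is equivalent to unrestricted root.

# Constructed sudoers fragment mirroring what the script produces.
SAMPLE_SUDOERS='## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
%linuxgroup ALL = DEPLOY
Cmnd_Alias DEPLOY = /bin/touch *, /usr/bin/readlink, /bin/chown, /bin/echo, /usr/bin/mysql, /usr/bin/mysqldump, /bin/ln, /sbin/service, /bin/ls, /bin/rm, /bin/mkdir, /bin/chmod, /bin/mv, /bin/sudo, /usr/bin/tail, /bin/chgrp, /bin/cat, /bin/more'

# why_root_equiv PATH
#   Prints why the command is root-equivalent under sudo, or returns 1 if it
#   is not on the list. The list is deliberately short and well known.
why_root_equiv() {
    case "$1" in
        /bin/sudo|/usr/bin/sudo)
            printf '%s\n' 're-invokes sudo as root: sudo sudo /bin/sh' ;;
        /bin/chmod)
            printf '%s\n' 'can set the setuid bit on any binary: chmod u+s /bin/sh' ;;
        /bin/chown|/bin/chgrp)
            printf '%s\n' 'can hand ownership of /etc/sudoers or /etc/shadow to the caller' ;;
        /bin/mv|/bin/ln)
            printf '%s\n' 'can replace /etc/sudoers or /etc/passwd with a prepared file' ;;
        /usr/bin/mysql|/bin/more|/usr/bin/more)
            printf '%s\n' 'has an interactive shell escape (! in more, \! in mysql) that runs as root' ;;
        *) return 1 ;;
    esac
}

# alias_commands SUDOERS_TEXT ALIAS
#   Prints the command path of each entry in "Cmnd_Alias ALIAS = ...",
#   one per line, with any argument pattern stripped.
alias_commands() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*Cmnd_Alias[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]].*$//; /^$/d'
}

# audit_alias SUDOERS_TEXT ALIAS
#   Prints "PATH: reason" for each root-equivalent entry. Returns 0 when the
#   alias is clean and 1 when at least one entry was flagged.
audit_alias() {
    found=0
    set -f   # no globbing of entries such as /usr/bin/*
    for cmd in $(alias_commands "$1" "$2"); do
        if reason=$(why_root_equiv "$cmd"); then
            printf '%s: %s\n' "$cmd" "$reason"
            found=1
        fi
    done
    set +f
    [ "$found" -eq 0 ]
}
```

Running audit_alias "$SAMPLE_SUDOERS" DEPLOY flags eight of the eighteen entries; the practical fix is to keep only the commands the deploy job actually needs, each with a fixed argument pattern (for example /sbin/service httpd restart), and to leave sudo, chmod, chown, mv and ln out of the alias altogether.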
Yep. Just make sure that you create a group called something like "linuxgroup" in your AD and then add the users to that group. Make sure to change "PUTYOURDOMAINNAMEHERE" to your domain name, in caps.