
Jcrofton 11-25-2004 05:47 PM

connecting samba to a windows 2003 active directory domain
I've been trying with no apparent luck to get a new Suse box to join our AD as a file server. I can ping from a windows client to the netbios name of the linux file server, and it reports a good IP address ( I can also ping from the linux FS to the AD server but only by IP address, it can't resolve the netbios name.

I have configured the smb.conf file to represent the realm as mydomain.local and the security set to ads, but am still unable to join the domain using the net ads join command.

I have also configured Krb5.conf as best as I could via online notes, setting up the default realm = MYDOMAIN.LOCAL and to try and get away from any sort of DNS problem, specified the kdc server = (AD server IP) as well as the admin server =

I have included the typical winbind settings in smb.conf as well.

After all this, if I try to kinit administrator it returns an error "kinit: krb5_init_context failed: -1765328248"

If I try to join the domain using net ads join -U administrator, I am prompted for the administrator's password, it thinks for awhile and then returns to the command prompt. Although there is no message saying welcome to mydomain, there isn't an error message either.

If I then try to wbinfo -u to get user information from the domain, I get a result of error looking up domain users.

I've been going in circles on this for a while; do you guys have any other thoughts on what I could be doing wrong? I am using samba 3.0.2a-51.

PS I have restarted the nmbd and smbd services as well as made sure winbind is running using ps fax | grep winbind, which reports

4657 ? Ss 0:00 winbindd
4658 ? S 0:00 \_winbindd
5368 pts/44 S+ 0:00 \_grep winbindd

PPS. The linux FS shows up in a browse of our windows active directory network but is inaccessible, and if I browse the network on the linux box, our domains show up and I can see the computers but can't access any.
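The first post's kinit failure comes out of krb5_init_context, which only loads krb5.conf and never contacts a KDC, so the configuration file itself is the first thing to check. This added example (not code from any poster) parses a krb5.conf and flags the structural and realm-setup faults relevant to an AD join; the realm MYDOMAIN.LOCAL is taken from the post, and 192.0.2.10 is a constructed placeholder for the AD server IP.

```python
# Added example for this thread, not any poster's code: lint a krb5.conf for
# the faults behind a failing kinit / net ads join. MYDOMAIN.LOCAL is the realm
# from the first post; 192.0.2.10 is a constructed placeholder AD-server IP.
import re

def parse_krb5_conf(text):
    """Return {section: {key: value}} with 'X = { ... }' realm stanzas nested.
    Raises ValueError on structural faults, which krb5_init_context rejects
    before a KDC is ever contacted."""
    conf, section, realm = {}, None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        if sec := re.fullmatch(r'\[(\w+)\]', line):   # new [section]
            if realm:
                raise ValueError(f"line {n}: stanza {realm} never closed")
            section = conf.setdefault(sec.group(1), {})
        elif section is None:
            raise ValueError(f"line {n}: text before the first [section]")
        elif line == '}':                             # end of a realm stanza
            if realm is None:
                raise ValueError(f"line {n}: unmatched '}}'")
            realm = None
        elif not (kv := re.fullmatch(r'([^=\s]+)\s*=\s*(.+)', line)):
            raise ValueError(f"line {n}: expected 'key = value': {line}")
        elif kv.group(2) == '{' and realm is None:    # open a realm stanza
            realm = kv.group(1)
            section[realm] = {}
        else:
            (section[realm] if realm else section)[kv.group(1)] = kv.group(2)
    if realm:
        raise ValueError(f"stanza {realm} never closed: missing '}}'")
    return conf

def check_ads_realm(conf):
    """List what an AD domain member still lacks; [] means all present."""
    realm = conf.get('libdefaults', {}).get('default_realm')
    if not realm:
        return ['[libdefaults] has no default_realm']
    probs = [] if realm == realm.upper() else [f'default_realm {realm} not upper case']
    stanza = conf.get('realms', {}).get(realm)        # realm names are case-sensitive
    if not isinstance(stanza, dict):
        probs.append(f'[realms] has no {realm} = {{ ... }} stanza')
    else:
        probs += [f'{realm}: {k} not set' for k in ('kdc', 'admin_server') if not stanza.get(k)]
    if conf.get('domain_realm', {}).get('.' + realm.lower()) != realm:
        probs.append(f'[domain_realm] lacks .{realm.lower()} = {realm}')
    return probs

SAMPLE = ("[libdefaults]\n default_realm = MYDOMAIN.LOCAL\n[realms]\n MYDOMAIN.LOCAL = {\n"
          "  kdc = 192.0.2.10\n  admin_server = 192.0.2.10\n }\n[domain_realm]\n .mydomain.local = MYDOMAIN.LOCAL\n")
```

Running `check_ads_realm(parse_krb5_conf(open('/etc/krb5.conf').read()))` on a real box lists what is missing, and a malformed file raises with the offending line number.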

tisource 11-25-2004 06:05 PM

I wish I could help... I ran into a very similar problem... and gave up. I'm running my linux box as a standalone server (we're small enough, it isn't a terrible inconvenience).

Kerberos is what killed my setup... ADS makes things highly complicated. In fact, we're actually considering throwing out Win 2003 and going to samba as a PDC.

If you find anything, I'd love to know about it.

KohlyKohl 11-25-2004 11:43 PM

When in doubt, always use Google! Anyways, I found some links that might help: ok step by step for .net; this one is for 2000 but it should still work for .net.

I just used "using samba with 2003 active directory" and it came up with a lot of very good links that should help out a lot.

rob3551 08-02-2006 09:58 PM

whoa, I'm working on this right now.....I have been trying to work out the AD side, seems you have both got the Linux side down....I did the same and added it no problem.....But! it seems I can't get the AD to work and neither can I access the share I created (from the Windows side). I researched it and found you may have to add an OU in AD (idmap)....I have been working out the issues on that side...I inherited this pissy 2003 install where they had changed all the default permissions etc. so now I'm bringing up a VMware server image and working with it....if I find it I'll write the .ldf files as default and post them.

KohlyKohl 08-02-2006 10:50 PM

I know what you are talking about, but it's been so long since I've gotten AD and Samba to work together I can't remember how I did it. Google is your best friend, and the answer is out there and shouldn't be too hard to find. If I remember correctly you need to add some things to the samba.conf to allow windows to access the shares, but I'm not sure.

tisource 09-10-2006 05:53 PM

We upgraded to SLES 10, and I actually got this working. It's very nice!

I had to configure nsswitch.conf to get what I wanted working. I also had to play with kerberos, but that was trivial.

rob3551 09-14-2006 10:40 AM

ya, the issues I was running into were on the Linux side....seems my build was locked down too tight. I removed the security lock down on it and then had to change some of the permissions on the samba side and it worked perfectly (add your admin group in on folder permissions beside the root permissions) to re-apply the security on linux....this allowed me to control the permissions from the windows side....I left that place as of now and I still have the team build images so if anyone needs it I'll post the smb.conf or any of the other connection files.

DNS could be your biggest issue, seems they were running the DNS in that shop with 1 IP for the PDC and another for the AD FQDN.....I don't know how it ran, windows isn't that good and always wants to have some sort of authoritative DNS to write to....but that's another issue lol.

tisource 09-14-2006 05:23 PM

We're on a private subnet ( and get on the Internet through a masquerade (NAT). Talking about Windows and DNS, we ended up creating a subdomain for Windows, and it is authoritative for that. Then, I made our Linux box a slave on that zone. End result: Windows can have its subdomain as it insists, but our Linux is still serving DNS requests for everything - and that is the way I want it!

rob3551 09-17-2006 07:07 PM

I hear ya! I get around the DNS issue by letting windows run as DNS whenever I add a pc to the network, then just copy the new entries to the linux box, and shut off the windows DNS. This seems to work out ok, as windows just fills the event logs with errors otherwise.
