LinuxQuestions.org
Old 05-07-2008, 02:31 AM   #1
wearetherock
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Rep: Reputation: 0
Join Linux to Windows 2003 Active Directory Problem


I have to join Fedora 6 to Windows 2003 Active Directory. I followed this tutorial: "How to join Fedora Core 6 Samba Server to Windows 2003 Active Directory?" (sorry, I'm a new user, I can't post URLs)



Environment

windows 2003 sp 2, ip 10.80.27.122
fedora 6, ip 10.80.27.121, samba.i386 3.0.24-11.fc6

But there are some problems that I can't solve. This is the error message:

Code:
[root@hotspot ~]# net join -U Administrator
Administrator's password:
Using short domain name -- TEST
[2008/05/07 14:16:29, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Unable to find a suitable server
[root@hotspot ~]#

All the files concerned:

smb.conf

Code:
 # Global parameters
[global]
workgroup = TEST
realm = TEST.SCI.UBU.AC.TH
preferred master = no
server string = Samba file and print server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000

#netbios name = linux

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
browseable = no
printable = yes
guest ok = yes

krb5.conf
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.SCI.UBU.AC.TH
 dns_lookup_realm = true
 dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]

 TEST.SCI.UBU.AC.TH = {
  kdc = winac.test.sci.ubu.ac.th
  admin_server = winac.test.sci.ubu.ac.th
  kdc = 10.80.27.122
 }

[domain_realm]

 test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
 .test.sci.ubu.ac.th = TEST.SCI.UBU.AC.TH
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

Messages from /var/log/samba/log.wb-TEST:
Code:
[2008/05/07 14:22:07, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine winac.test.sci.ubu.ac.th pipe \NETLOGON fnum 0x800d bind request returned ok.
[2008/05/07 14:22:07, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine winac.test.sci.ubu.ac.th pipe \NETLOGON fnum 0x800e bind request returned ok.

Can anyone help me? Thanks.

Last edited by wearetherock; 05-11-2008 at 09:53 PM.
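
An offline pre-check for the two files posted above, as an added example that is not part of the original post or of Samba: it confirms that `security` is ADS, that the smb.conf `realm` matches the krb5.conf `default_realm` byte for byte, and that a KDC is either listed or left to explicit DNS lookup. The function names are hypothetical and the sample files are constructed from the realm settings in the post; the check covers configuration consistency only.

```shell
# Added example; function names are hypothetical, not Samba or krb5 tools.
# conf_get FILE SECTION KEY: print the value of "KEY = value" inside [SECTION]
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == sec); next }
        insec && (i = index(line, "=")) {
            k = substr(line, 1, i - 1); v = substr(line, i + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# realm_kdcs FILE REALM: print each kdc from the "REALM = { ... }" block
realm_kdcs() {
    awk -v realm="$2" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line); n = split(line, p, /[ \t]*=[ \t]*/) }
        !inblk { inblk = (n == 2 && p[1] == realm && p[2] == "{"); next }
        p[1] == "}" { exit }
        n == 2 && p[1] == "kdc" { print p[2] }' "$1"
}

bad() { echo "$1"; problems=$((problems + 1)); }
# check_join_config SMB_CONF KRB5_CONF: print findings, return the problem count
check_join_config() {
    problems=0
    realm=$(conf_get "$1" global realm)
    krb_realm=$(conf_get "$2" libdefaults default_realm)
    case "$(conf_get "$1" global security)" in
        [Aa][Dd][Ss]) ;;
        *) bad "smb.conf: security is not ADS" ;;
    esac
    # Kerberos realm names are case-sensitive, so compare byte for byte.
    [ "$realm" = "$krb_realm" ] ||
        bad "realm mismatch: smb.conf '$realm', krb5.conf '$krb_realm'"
    # Checker policy (assumption): want a static kdc or explicit DNS lookup.
    case "$(conf_get "$2" libdefaults dns_lookup_kdc)" in
        true|yes|on|1) ;;
        *) [ -n "$(realm_kdcs "$2" "$krb_realm")" ] ||
               bad "krb5.conf: no kdc entry or dns_lookup_kdc for '$krb_realm'" ;;
    esac
    return "$problems"
}

# Constructed sample: the realm settings posted above, written to temp files.
d=$(mktemp -d)
printf '[global]\nrealm = TEST.SCI.UBU.AC.TH\nsecurity = ADS\n' > "$d/smb.conf"
printf '[libdefaults]\n default_realm = TEST.SCI.UBU.AC.TH\n[realms]\n TEST.SCI.UBU.AC.TH = {\n  kdc = winac.test.sci.ubu.ac.th\n }\n' > "$d/krb5.conf"
check_join_config "$d/smb.conf" "$d/krb5.conf" && echo "config consistent"
```

To check a live system, pass the real paths, for example `check_join_config /etc/samba/smb.conf /etc/krb5.conf`.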
 
Old 05-09-2008, 01:43 PM   #2
madluther
Member
 
Registered: Aug 2004
Distribution: LFS
Posts: 350

Rep: Reputation: 31
Try running kinit before trying to join the domain

e.g.
Code:
kinit administrator@your.kerberos.REALM
then run

Code:
net ads join -U Administrator
HTH

Mad.
 
Old 05-11-2008, 09:49 PM   #3
wearetherock
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Original Poster
Rep: Reputation: 0
Here is the output of the above commands.
Code:
[root@hotspot ~]# kinit  administrator@TEST.SCI.UBU.AC.TH
Password for administrator@TEST.SCI.UBU.AC.TH:
[root@hotspot ~]# net ads join -U Administrator
Administrator's password:
Using short domain name -- TEST
[2008/05/12 09:42:13, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST. Error was NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!
[root@hotspot ~]#

kinit: no output
net join: still error

What's the meaning of "failed to get schannel session key from server winac.test.sci.ubu.ac.th for domain TEST"?
 
Old 07-02-2008, 01:14 PM   #4
mvellon
LQ Newbie
 
Registered: Jul 2008
Posts: 2

Rep: Reputation: 0
Alternative

As an alternative, you might want to try Likewise Open (http://www.likewisesoftware.com/community. Disclaimer: I work for Likewise). Likewise Open is a free, open source, program that joins UNIX, Linux and Mac OS X computers to AD. It takes a simplified approach that does not require storing any data in AD (it hashes AD SIDs into UIDs and GIDs). Likewise Open greatly simplifies the configuration and join process (all you do is run a command-line or graphical utility). We also sell a proprietary version that adds more flexibility and support for group policy.
 
  

