Samba error: Failed to join to AD
Hi,
I've been stuck on this problem for a week. I configured Samba to run under Red Hat 5.1 and I could add this machine to the AD domain. However, I tried to do this again on a new installation, but even following the same steps (at least this is what I think) I'm getting an error. After configuring smb.conf and krb5.conf, I run kinit and I get the ticket properly, but when I run the "net ads join" command I get an error. These are the messages I get:

kinit <my_ad_account>
Password for <my_ad_account>@<MY_DOMAIN>:
_____________________________________________________________
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <my_ad_account>@<MY_DOMAIN>

Valid starting     Expires            Service principal
03/03/08 11:24:50  03/03/08 21:24:58  krbtgt/<MY_DOMAIN>@<MY_DOMAIN>
        renew until 03/04/08 11:24:50

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
_____________________________________________________________
net ads join -U <my_ad_account>
<my_ad_account>'s password:
[2008/03/03 11:14:42, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
  Kinit failed: Client not found in Kerberos database
Failed to join domain: Improperly formed account name
_____________________________________________________________

If I type "net ads join -U <my_ad_account>@<MY_DOMAIN>" I get the same error.

Here are my configuration files:

/etc/samba/smb.conf:

[global]
   unix charset = LOCALE
   workgroup = <MY_WORKGROUP>
   realm = <MY_DOMAIN>
   server string = Samba 3.0.20
   security = ADS
   encrypt passwords = yes
   username map = /etc/samba/smbusers
   password server = <my_kdc_server>
   log level = 1
   syslog = 0
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = CUPS
   ldap ssl = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   #template primary group = "Domain Users"
   template shell = /bin/bash
   template homedir = /home/%D/%U
   #winbind separator = \\
   winbind separator = .
   winbind enum users = yes
   winbind enum groups = yes
   printing = cups

/etc/krb5.conf:

[libdefaults]
   default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
   default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
   preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
   default_realm = <MY_DOMAIN>
   dns_lookup_kdc = true
   # clockskew = 300

[realms]
   <MY_DOMAIN> = {
      kdc = <my_kdc_server>
      admin_server = <my_kdc_server>
      default_domain = <my_domain>
   }

[logging]
   kdc = FILE:/var/log/krb5/krb5kdc.log
   admin_server = FILE:/var/log/krb5/kadmind.log
   default = SYSLOG:NOTICE:DAEMON

[appdefaults]
   pam = {
      ticket_lifetime = 1d
      renew_lifetime = 1d
      forwardable = true
      proxiable = false
      retain_after_close = false
      minimum_uid = 0
      try_first_pass = true
   }

[domain_realm]
   .<my_domain> = <MY_DOMAIN>

I have already searched a lot for a solution, but so far found nothing that solves my problem. Thanks for your help.
Folks,
I have run the net command with maximum debug level (-d 10) and got the following in the last lines:

[2008/03/03 14:06:47, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:cliconnect] as ccache and config [/var/cache/samba/smb_krb5/krb5.conf.SEFAZ]
[2008/03/03 14:06:47, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
  Kinit failed: Client not found in Kerberos database
[2008/03/03 14:06:47, 3] libsmb/cliconnect.c:cli_session_setup(957)
  SPNEGO login failed: Client not found in Kerberos database
[2008/03/03 14:06:47, 1] libsmb/cliconnect.c:cli_full_connection(1605)
  failed session setup with NT_STATUS_INVALID_ACCOUNT_NAME
[2008/03/03 14:06:47, 1] utils/net.c:connect_to_ipc_krb5(294)
  Cannot connect to server using kerberos. Error was NT_STATUS_INVALID_ACCOUNT_NAME
[2008/03/03 14:06:47, 1] utils/net_ads.c:net_ads_join(1548)
  call of net_join_domain failed: Improperly formed account name
[2008/03/03 14:06:47, 10] intl/lang_tdb.c:lang_tdb_init(138)
  lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
Failed to join domain: Improperly formed account name
[2008/03/03 14:06:47, 2] utils/net.c:main(1032)
  return code = -1
________________________________________________________________

About the message "NT_STATUS_INVALID_ACCOUNT_NAME", what does it mean? My hostname is sd2stm03. It doesn't look like an invalid name to me. Thanks for any help.
issue found and problem partially solved
Folks,
I deleted all my confs and did everything again, and I finally found out what was wrong. When I configured the first machine, I used the character "\" as winbind separator. The join to the ADS had been fine, but I had some problems when setting permissions, since the "\" was often interpreted as an escape character. I changed the winbind separator to "." and, on the machine that was already joined to the domain, everything continued to work. However, when I did a new installation with "." as winbind separator, I always got the error above (Kinit failed: Client not found in Kerberos database, and Failed to join domain: Improperly formed account name). So a week later I did everything from the beginning, put "\" back as winbind separator, and magically it started working again. Examining the packets exchanged between the Linux Samba and the Windows ADS, I saw that at some point the Linux side sends a Kerberos packet with the tail of the REALM as the principal name (e.g. COM.BR); this causes an error and the communication is ended. There is some bug or something, so it isn't possible to use "." as winbind separator with Red Hat's samba 3.0.25b-0.el5.4. I'm using "." under Debian's samba 3.0.24 and I haven't had any problems. Another interesting thing is that after joining the domain I can change the winbind separator to ".", restart Samba, and everything continues to work perfectly, at least until I try to leave the domain... in that case I have to change the winbind separator back to "\". I'll use "." since "\" is a headache when it tries to escape a character. I hope this helps anybody who eventually runs into this same problem.
santoyx, thanks for your post, it helped me get to the right point of the problem.
For me it was not a problem with \ and ., but as \ is used as an escape character, I just tried \\ and it worked like a charm. Hope that my solution will also be useful for someone in future :)
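A constructed illustration, added here and not code from Samba or from any poster, of the two winbind separator pitfalls the thread describes: why a lone trailing "\" in smb.conf misbehaves while "\\" works, and why a "." separator can turn the tail of a dotted realm into the principal name. The parsing rules are simplified assumptions: that a line ending in a backslash is continued on the next line (as smb.conf(5) documents), that only the first character of the value is used as the separator, and that the DOMAIN/user split happens at the first occurrence of the separator. The realm EXAMPLE.COM.BR and the user names are made up.

```python
"""Constructed illustration of the two winbind-separator pitfalls in this thread.
Not Samba's code: the parsing rules below are simplified assumptions, and the
realm/user names are made up."""


def parse_smb_conf(text):
    """Tiny smb.conf-style parser.

    Assumed rule (documented in smb.conf(5)): a line ending in a backslash is
    continued on the next line. An even number of trailing backslashes is kept
    literally; only an odd count escapes the newline. No other escape handling.
    Returns {section: {key: value}} with sections and keys lower-cased.
    """
    sections = {}
    section = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        body = line.rstrip("\\")
        trailing = len(line) - len(body)
        if trailing % 2 == 1:
            # Odd count: the last backslash escapes the newline, so the next
            # physical line is glued onto this one.
            pending = body + "\\" * (trailing - 1)
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            sections.setdefault(section, {})
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[section][key.strip().lower()] = value.strip()
    return sections


def effective_separator(configured):
    """Assumption: only the first character of the configured value is used,
    and the parameter defaults to a backslash when unset."""
    return configured[0] if configured else "\\"


def parse_domain_user(domuser, sep):
    """Split DOMAIN<sep>user at the first occurrence of sep.

    Assumption: this first-occurrence split models what the thread's packet
    capture showed. A name without the separator comes back as (None, name).
    """
    idx = domuser.find(sep)
    if idx < 0:
        return None, domuser
    return domuser[:idx], domuser[idx + 1:]


def separator_collides(sep, realm, usernames):
    """Pre-join sanity check: a separator that also occurs inside the realm or
    a user name cannot be split unambiguously."""
    return sep in realm or any(sep in u for u in usernames)


# Constructed configs. The only difference is the separator line: one trailing
# backslash in the first, two in the second.
SMB_CONF_SINGLE = "\n".join([
    "[global]",
    "   realm = EXAMPLE.COM.BR",
    "   winbind separator = \\",    # one backslash ends the line
    "   winbind enum users = yes",
])
SMB_CONF_DOUBLE = "\n".join([
    "[global]",
    "   realm = EXAMPLE.COM.BR",
    "   winbind separator = \\\\",  # two backslashes
    "   winbind enum users = yes",
])


def demo():
    """Return what each config yields and how a dotted realm splits."""
    out = {}
    for label, text in (("single", SMB_CONF_SINGLE), ("double", SMB_CONF_DOUBLE)):
        g = parse_smb_conf(text)["global"]
        out[label] = {
            "raw value": g.get("winbind separator"),
            "separator": effective_separator(g.get("winbind separator", "")),
            "enum users kept": "winbind enum users" in g,
        }
    out["dot split"] = parse_domain_user("user@EXAMPLE.COM.BR", ".")
    out["backslash split"] = parse_domain_user("EXAMPLE\\user", "\\")
    out["dot collides"] = separator_collides(".", "EXAMPLE.COM.BR", ["user"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With one trailing backslash the separator line swallows the following "winbind enum users = yes" line, so the separator silently becomes "w" and the enum setting disappears; with two backslashes the value starts with a literal backslash. Splitting "user@EXAMPLE.COM.BR" on "." yields "COM.BR" as the user part, which is the same realm tail the packet capture in the thread reported. The collision check is the quick test to run before picking a separator.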