03-03-2008, 08:38 AM   #1
santoyx

Samba error: Failed to join to AD


Hi,

I've been stuck on this problem for a week. I configured Samba to run under Red Hat 5.1 and I could add this machine to the AD domain.
However, I tried to do this again on a new installation, but even following the same steps (at least this is what I think) I'm getting an error.
After configuring smb.conf and krb.conf, I run kinit and I get the ticket properly, but when I run the "net ads join" command I get an error. These are the messages I get:

kinit <my_ad_account>
Password for <my_ad_account>@<MY_DOMAIN>:
_____________________________________________________________

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <my_ad_account>@<MY_DOMAIN>

Valid starting     Expires            Service principal
03/03/08 11:24:50  03/03/08 21:24:58  krbtgt/<MY_DOMAIN>@<MY_DOMAIN>
        renew until 03/04/08 11:24:50


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

_____________________________________________________________

net ads join -U <my_ad_account>
<my_ad_account>'s password:
[2008/03/03 11:14:42, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
Kinit failed: Client not found in Kerberos database
Failed to join domain: Improperly formed account name

_____________________________________________________________

If I type "net ads join -U <my_ad_account>@<MY_DOMAIN>" I get the same error.

My configuration files follow:

/etc/samba/smb.conf:
[global]
unix charset = LOCALE
workgroup = <MY_WORKGROUP>
realm = <MY_DOMAIN>
server string = Samba 3.0.20
security = ADS
encrypt passwords = yes
username map = /etc/samba/smbusers
password server = <my_kdc_server>
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
#template primary group = "Domain Users"
template shell = /bin/bash
template homedir = /home/%D/%U
#winbind separator = \\
winbind separator = .
winbind enum users = yes
winbind enum groups = yes
printing = cups


/etc/krb5.conf

[libdefaults]
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_realm = <MY_DOMAIN>
dns_lookup_kdc = true
# clockskew = 300

[realms]
<MY_DOMAIN> = {
kdc = <my_kdc_server>
admin_server = <my_kdc_server>
default_domain = <my_domain>
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true
}
[domain_realm]
.<my_domain> = <MY_DOMAIN>



I have already searched a lot for a solution, but nothing has solved my problem so far. Thanks for your help.
 
03-03-2008, 11:19 AM   #2
santoyx (Original Poster)

Folks,

I have run the net command with maximum debug level (-d 10) and I've got the following at the last lines:

[2008/03/03 14:06:47, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
kerberos_kinit_password: using [MEMORY:cliconnect] as ccache and config [/var/cache/samba/smb_krb5/krb5.conf.SEFAZ]
[2008/03/03 14:06:47, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
Kinit failed: Client not found in Kerberos database
[2008/03/03 14:06:47, 3] libsmb/cliconnect.c:cli_session_setup(957)
SPNEGO login failed: Client not found in Kerberos database
[2008/03/03 14:06:47, 1] libsmb/cliconnect.c:cli_full_connection(1605)
failed session setup with NT_STATUS_INVALID_ACCOUNT_NAME
[2008/03/03 14:06:47, 1] utils/net.c:connect_to_ipc_krb5(294)
Cannot connect to server using kerberos. Error was NT_STATUS_INVALID_ACCOUNT_NAME
[2008/03/03 14:06:47, 1] utils/net_ads.c:net_ads_join(1548)
call of net_join_domain failed: Improperly formed account name
[2008/03/03 14:06:47, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
Failed to join domain: Improperly formed account name
[2008/03/03 14:06:47, 2] utils/net.c:main(1032)
return code = -1

________________________________________________________________

About the message "NT_STATUS_INVALID_ACCOUNT_NAME", what does it mean?
My hostname is sd2stm03. It doesn't appear to be an invalid name for me.

Thanks for any help.
 
03-11-2008, 01:14 PM   #3
santoyx (Original Poster)

issue found and problem partially solved

Folks,

I deleted all my confs and did everything again, and I finally found out what was wrong.
When I configured the first machine, I used the character "\" as winbind separator. The join to the ADS had been fine but I got some problems when setting permissions, since the "\" had often been interpreted as an escape character. I changed the winbind separator to "." and on the machine that was already joined to the domain, everything continued OK. However, when I did a new installation with "." as winbind separator, I always got the error above (Kinit failed: Client not found in Kerberos database and Failed to join domain: Improperly formed account name). So a week later I did everything from the beginning and I put "\" as winbind separator again and magically it started working again.
Examining the packets exchanged between the Linux Samba and Windows ADS, I saw that sometimes the Linux side sends a Kerberos packet with the tail of the REALM as the principal name (e.g. COM.BR), and this causes an error and the communication is ended. There is some bug or something, so it isn't possible to use "." as winbind separator with Red Hat's samba 3.0.25b-0.el5.4. I'm using "." under Debian's samba 3.0.24 and I haven't had any problems.
Another interesting thing is that after joining the domain I can change the winbind separator to ".", restart samba, and everything continues to work perfectly, at least until I try to leave the domain... in that case I should change the winbind separator to "\". I'll use "." since "\" is a headache when it tries to escape a character. I hope this helps anybody who eventually gets this same problem.
 
10-11-2013, 03:59 AM   #4
tymik

santoyx, thanks for your post, it helped me to get to the right point of problem.

for me it was not problematic with \ and ., but as \ is used as escape character, I just tried \\ and it worked like a charm.

hope that my solution will also be useful for someone in future
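
Added example (not part of the thread and not Samba's own code): a pre-join check that reads an smb.conf and flags a "winbind separator" that also occurs in the realm, the situation santoyx describes in post #3. The first-separator split in split_name is an assumed model that reproduces the realm-tail name he saw on the wire; the realm EXAMPLE.COM.BR, the account name and all function names are constructed for illustration.

```python
import configparser

# Constructed sample modelled on the smb.conf posted above; the realm is a
# placeholder, not the poster's real domain.
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM.BR
security = ADS
log file = /var/log/samba/%m
winbind separator = .
"""


def global_settings(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    # interpolation=None: smb.conf values such as %m are not configparser macros
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    # Samba ignores case and spaces in parameter names; normalise the same way
    return {k.replace(" ", "").lower(): v.strip()
            for k, v in parser["global"].items()}


def split_name(name, sep):
    """Assumed model: split DOMAIN<sep>user at the first separator."""
    domain, found, user = name.partition(sep)
    return (domain, user) if found else ("", name)


def check_separator(text, account="administrator"):
    """Return (separator, findings) for the given smb.conf text."""
    settings = global_settings(text)
    sep = settings.get("winbindseparator", "\\")  # documented default is "\"
    realm = settings.get("realm", "")
    findings = []
    if sep and sep in realm:
        principal = f"{account}@{realm}"
        _, user = split_name(principal, sep)
        findings.append(
            f"winbind separator {sep!r} occurs in realm {realm!r}: "
            f"{principal!r} would be read as user {user!r}")
    return sep, findings


if __name__ == "__main__":
    separator, problems = check_separator(SAMPLE_SMB_CONF)
    print("separator:", repr(separator))
    for problem in problems:
        print("WARNING:", problem)
```

Running the check before "net ads join" shows whether the configured separator can collide with the Kerberos principal; with the default "\" the sample produces no finding.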
 
  

