Adding Linux box to Active Directory to use NTLM with Squid proxy

Posted on 2007-09-28
Last Modified: 2012-05-05

I'm trying to add a kubuntu box to my AD but every time I try to join it I get the same message, which is:

Using short domain name -- DOMAINNAME
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'machinename' in realm 'MY.DOMAIN.COM'

I used some tutorials I found on the web to configure my smb.conf and my krb5.conf files. Here's how I set them up:

      # /etc/samba/smb.conf
      [global]
      log file = /var/log/samba/%m.log
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      wins server = IP.ADDRESS
      domain master = False
      encrypt passwords = Yes
      realm = MY.DOMAIN.COM
      dns proxy = No
      netbios name = machinename
      server string = Proxy Server
      password server = dc
      local master = No
      workgroup = DOMAIN
      security = ads
      preferred master = False
      winbind separator = /
      winbind use default domain = yes
      max log size = 0
      idmap gid = 10000-20000
      idmap uid = 10000-20000

      # /etc/krb5.conf
      [libdefaults]
      default_realm = MY.DOMAIN.COM

      [realms]
      MY.DOMAIN.COM = {
            kdc = DC.MY.DOMAIN.COM:88
            admin_server = DC.MY.DOMAIN.COM:749
            default_domain = MY.DOMAIN.COM
      }

      [domain_realm]
      .my.domain.com = MY.DOMAIN.COM
      my.domain.com = MY.DOMAIN.COM

I can get a ticket using the kinit command with a domain admin account and I see it when typing klist but I can't go further than that...

Any idea what I could check or do to make it work? As mentioned above, the goal of this is to use NTLM authentication with my Squid proxy.

Thanks in advance!
Question by:DolGuldur
    LVL 4

    Expert Comment

    Or rejoin with using Domain Admin credentials.
    Disabled account for 'machinename' in realm 'MY.DOMAIN.COM'

    You are using a valid domain admin account to perform the net ads join?  I've also found that dotted names do not work for net ads join.

    Does the machine name you've setup under your samba/winbind exist already in your AD environment?

    I used this guide to the letter in setting up several AD integrated Samba boxes with Ubuntu 7.04

    Although this is for Dapper, making note of the changes in /etc/apt/sources.list at the very beginning, all of this was nearly identical and worked like a charm. The only problem I experienced was the inability to use a dotted login name to join.

    Also, something else you can consider: I used VMware to do all of my testing for samba & winbind. Once that was established and working, I built a fresh machine and used my own guide from the VM testing.
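A check for the condition the error message names (the host's DNS domain versus the AD realm), added here as an example and not code from the thread; the hostnames and realm in it are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the thread): pre-join check for the condition behind
# "Failed to set servicePrincipalNames ... the DNS domain of this server
# matches the AD domain". Hostnames and realm values are constructed.

# Return 0 when the DNS domain of FQDN ($1) equals realm ($2), ignoring case.
# A bare short name (no dot) fails: Ubuntu's default /etc/hosts line
# "127.0.1.1 machinename" makes `hostname -f` return exactly that.
dns_domain_matches_realm() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    dom=$(printf '%s' "${1#*.}" | tr '[:lower:]' '[:upper:]')
    rlm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ "$dom" = "$rlm" ]
}

# Print the servicePrincipalNames "net ads join" registers on the computer
# object for FQDN ($1): HOST/fqdn and HOST/shortname.
expected_spns() {
    printf 'HOST/%s\nHOST/%s\n' "$1" "${1%%.*}"
}

# Live check on the real host: reads the realm from smb.conf and compares it
# with `hostname -f`. Only meaningful on the box being joined.
precheck() {
    realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' /etc/samba/smb.conf)
    fqdn=$(hostname -f)
    if dns_domain_matches_realm "$fqdn" "$realm"; then
        echo "ok: $fqdn is inside realm $realm; join will register:"
        expected_spns "$fqdn"
    else
        echo "MISMATCH: hostname -f='$fqdn', realm='$realm'" >&2
        echo "fix /etc/hosts (FQDN before short name) or the 'domain' line in /etc/resolv.conf, then retry" >&2
        return 1
    fi
}

# After a successful join, these confirm the path Squid's helper will use:
#   net ads testjoin                # machine account and SPNs accepted by the DC
#   wbinfo -t                       # winbind's machine trust secret works
#   ntlm_auth --username=someuser   # the helper Squid calls can authenticate
if [ "${1:-}" = "--live" ]; then
    precheck
fi
```

Run it as `sh precheck.sh --live` on the proxy host; without the flag it only defines the functions.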

    LVL 5

    Author Comment

    Hello avatech,

    Yes, I'm using a valid domain admin account to join. The machine name doesn't exist in my AD. I've looked at the link you provided and it looks a lot like what I already did but, since I've spent so much time on this already, I'll restart from the beginning using this how-to.

    I'll keep you posted about the result. Thanks for your time!
    LVL 4

    Accepted Solution

    OK, hope it helps. Just remember that there are some very minor modifications along the way that you will need to personalize, like the sources.list and the default and forced permissions on Samba in regards to the directory and file masks. There's also another doc you may want to check out regarding ACLs on the file system. Take a gander here:
