DolGuldur
asked on
Adding Linux box to Active Directory to use NTLM with Squid proxy
Hello,
I'm trying to add a Kubuntu box to my AD but every time I try to join it I get the same message, which is:
Using short domain name -- DOMAINNAME
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'machinename' in realm 'MY.DOMAIN.COM'
I used some tutorials I found on the web to configure my smb.conf and my krb5.conf files. Here's how I set them up:
smb.conf
[global]
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = IP.ADDRESS
domain master = False
encrypt passwords = Yes
realm = MY.DOMAIN.COM
dns proxy = No
netbios name = machinename
server string = Proxy Server
password server = dc
local master = No
workgroup = DOMAIN
security = ads
preferred master = False
winbind separator = /
winbind use default domain = yes
max log size = 0
idmap gid = 10000-20000
idmap uid = 10000-20000
krb5.conf
[libdefaults]
default_realm = MY.DOMAIN.COM
[realms]
MY.DOMAIN.COM = {
kdc = DC.MY.DOMAIN.COM:88
admin_server = DC.MY.DOMAIN.COM:749
default_domain = MY.DOMAIN.COM
}
[domain_realm]
.my.domain.com = MY.DOMAIN.COM
my.domain.com = MY.DOMAIN.COM
I can get a ticket using the kinit command with a domain admin account and I see it when typing klist but I can't go further than that...
Any idea what I could check or do to make it work? As mentioned above, the goal of this is to use NTLM authentication with my Squid proxy.
Thanks in advance!
ASKER
Hello avatech,
Yes I'm using a valid domain admins account to join. The machine name doesn't exist in my AD. I've looked at the link you provided and it looks a lot like what I already did but, since I've spent so much time on this already, I'll restart from the beginning using this howto.
I'll keep you posted about the result. Thanks for your time!
ASKER CERTIFIED SOLUTION
Disabled account for 'machinename' in realm 'MY.DOMAIN.COM'
You are using a valid domain admin account to perform the net ads join? I've also found that dotted names do not work for net ads join.
Does the machine name you've setup under your samba/winbind exist already in your AD environment?
I used this guide to the letter in setting up several AD integrated Samba boxes with Ubuntu 7.04
http://ubuntuforums.org/showthread.php?t=280702&highlight=active+directory+samba
Although this is for Dapper, making note of the changes in /etc/apt/sources.list at the very beginning, all of this was nearly identical and worked like a charm. My only problem I experienced was the inability to use a dotted login name to join.
Also something else you can consider. I used VMware to do all of my testing for samba & winbind. Once that was established working, I built a fresh machine and used my own guide from the VM testing.
Cheers!
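As an added example, not from the thread, here is a small POSIX shell pre-flight check for the two conditions the error message and avatech's reply single out: the box's DNS domain must match the realm in smb.conf, and the NetBIOS name must not be dotted. The smb.conf path and the use of dnsdomainname in the closing comment are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the SPN error above (not from the original thread).

# Print the value of KEY from an smb.conf-style file (first match).
# Usage: smb_global_value FILE KEY
smb_global_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" | head -n 1
}

# Succeed when the host's DNS domain equals the realm, ignoring case;
# a mismatch is the usual reason Samba cannot register the HOST/<fqdn> SPN.
# Usage: domain_matches_realm DNSDOMAIN REALM
domain_matches_realm() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    r=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$d" ] && [ "$d" = "$r" ]
}

# Succeed when NAME is usable as a NetBIOS name: 1-15 characters, no dots
# (dotted names were reported not to work for net ads join).
# Usage: netbios_name_ok NAME
netbios_name_ok() {
    case "$1" in
        ''|*.*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Run every check against SMB_CONF; status 0 only when all of them pass.
# Usage: preflight SMB_CONF DNSDOMAIN
preflight() {
    conf=$1; dnsdom=$2; rc=0
    realm=$(smb_global_value "$conf" realm)
    nb=$(smb_global_value "$conf" 'netbios name')
    if domain_matches_realm "$dnsdom" "$realm"; then
        echo "ok: DNS domain '$dnsdom' matches realm '$realm'"
    else
        echo "FAIL: DNS domain '$dnsdom' != realm '$realm'; fix /etc/hosts and the resolv.conf search domain first"
        rc=1
    fi
    if netbios_name_ok "$nb"; then
        echo "ok: netbios name '$nb'"
    else
        echo "FAIL: netbios name '$nb' must be 1-15 characters with no dots"
        rc=1
    fi
    return "$rc"
}
# Example invocation (assumed paths): preflight /etc/samba/smb.conf "$(dnsdomainname)"
# When it passes, join with domain-admin credentials: net ads join -U <admin>
```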