Solved

Cannot Join Linux (Fedora) Server to Windows 2003 Domain

Posted on 2007-10-07
5,700 Views
Last Modified: 2013-12-15
We are using a RedHat fedora version 2.6.18-1.2798.fc6 with Samba 3.02476. We are trying to bind the machine to our Windows 2003 Domain.

We have configured smb.conf and krb5.conf correctly (we think)

Running kinit user@DOMAIN gives no errors
kinit tickets gives

kinit(v5): Cannot find KDC for requested realm while getting initial credentials

When I try and join the domain I get

net ads join -U USER
USER's password:
[2007/10/06 18:02:05, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Operations error

USER has domain admin privs


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.LOCAL = {
  kdc = 10.0.10.1
  admin_server = 10.0.10.1
  default_domain = domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

smb.conf is

[global]
  workgroup = DOMAIN
  server string = TH-NAS-01
  realm = DOMAIN.LOCAL
  timestamp logs = yes
  dos filetimes = yes
  dos filemode = yes
  inherit acls = yes
  name cache timeout = 0
  winbind uid = 20000-600000
  winbind gid = 20000-600000
  local master = No
  guest account = nobody
  map to guest = Never
  unix charset = CP1252
  dos charset = CP850
  security = ads
  encrypt passwords = Yes
  username level = 5
  debug level = 0
  log level = 0
  map acl inherit = yes
  load printers = no
  printing = bsd
  client signing = no
  server signing = auto
  include = /etc/samba/smb_shares.conf
  client use spnego = no
  winbind user default domain = yes

[windows]
  comment = TH-NAS-01 Windows Share
  path = /shares/windows
  valid users = @"DOMAIN\Domain Admins"
  writeable = yes
  browseable = yes

Saw this http://kbase.redhat.com/faq/FAQ_71_2343.shtm but we don't want to turn off signing and can't understand why this would be required as we have other linux devices (Adaptec Snap Server running Samba) connected to the domain just fine.
Question by:jbreg
22 Comments
LVL 4

Expert Comment

by:redcelltech
ID: 20030982
I just finished doing this. "ads" should be all capital "ADS". Also the krb5.conf file is case sensitive. You must also have a homes share defined in smb.conf

Here are the steps that I use.

Edit /etc/samba/smb.conf
In the [global] section
# workgroup = NT-Domain-Name or Workgroup-Name
# (the name of your domain)
  workgroup = XYZDOM

# Security mode. Most people will want user level
# security. See security_level.txt for details.
  security = ADS


#==================== Share Definitions =====================
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = no
# your AD server
   password server = XYZSRV.XYZ-COMPANY.COM
# your realm
   realm = XYZ-COMPANY.COM


Verify the following lines in the [homes] section
   comment = Home Directories
   browseable = no
   writable = yes

Edit /etc/krb5.conf
Note: File is case sensitive
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 XYZ-COMPANY.COM = {
  kdc = XYZSRV.XYZ-COMPANY.COM
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Edit /etc/nsswitch.conf and add winbind at the end of each line shown below:
passwd:     files winbind
shadow:     files winbind
group:      files winbind

protocols:  files winbind

services:   files winbind

netgroup:   files winbind

automount:  files winbind
Restart the machine.
Verify if the Samba service is running by typing:
ps -ef | grep nmbd
ps -ef | grep smbd
Execute the following command line (you must be logged in as root)
net join -U Administrator
Administrator is the name of the domain controller admin. Enter your password when prompted. If everything works fine, the Linux server has been registered to the Windows domain.
Verify winbindd daemon is running:
~# ps -ef | grep winbindd
Try next if you can authenticate a user from the domain:
~# wbinfo -a user%password
The output should be something like the following:
[root@radiussrv1]# wbinfo -a CHSchwartz%mypassword
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user CHSchwartz%mypassword with plaintext password
The error is absolutely normal in this case because there are no cleartext user credentials on the domain controller (Active Directory) for this user.
challenge/response password authentication succeeded
As cleartext authentication fails, wbinfo tries a challenge/response. If the challenge/response succeeds, the Linux server is configured correctly to authenticate users against Active Directory; however, despite the success of this test, you may need to set some extra permissions on the winbindd_privileged directory (see below at WARNING)!
Let's try to authenticate with NTLM, which is necessary for using FreeRADIUS with Active Directory.
Type the following line:
[root@radiussrv1]# ntlm_auth --request-nt-key --domain=<your domain> --username=<your username>
For me, the command would look like this:
[root@radiussrv1]# ntlm_auth --request-nt-key --domain=XYZDOM --username=CHSchwartz
You will be prompted for your password.
The command line returns
NT_STATUS_OK : Success (0x0)
[root@radiussrv1]#
if the username and password are the same as those stored in Active Directory. Note that this mechanism is based on a challenge/response of the nt-key, a character string that has been encrypted with information taken from the username and password.
During this operation, no exchange of user information takes place. Everything is based upon a comparison of encrypted strings.


Hope this helps
0
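The steps above (and the smbd log lines quoted later in this thread) all come down to a handful of smb.conf mistakes: a misspelt parameter that Samba silently ignores, a global parameter that ends up in a share section, a lowercase or missing realm, a line with no "=". As an added example, not code from this thread or from the Samba project, here is a small Python linter that catches those cases. Run Samba's own testparm first (it reports unknown parameters); this adds the AD-join-specific checks. The parameter tables are a hand-picked subset taken from the configs posted in this thread, not Samba's full list, and the BROKEN sample is constructed to reproduce the question's config.

```python
"""Lint an smb.conf for the mistakes that break "net ads join".

Added example, not part of the original thread or of Samba. The parameter
tables are a hand-picked subset taken from the configs in this thread.
"""
import difflib
import re

# Honoured only in [global]; in a share section Samba logs
# "Global parameter ... found in service section!" and ignores the line.
GLOBAL_ONLY = {
    "workgroup", "realm", "security", "password server", "netbios name",
    "server string", "idmap uid", "idmap gid", "winbind uid", "winbind gid",
    "template shell", "winbind use default domain", "client signing",
    "server signing", "client use spnego", "encrypt passwords", "log level",
    "debug level", "load printers", "guest account", "map to guest",
    "local master", "timestamp logs", "username level", "unix charset",
    "dos charset", "name cache timeout",
}
# Valid in a share section (and, as defaults, in [global]).
SERVICE_OK = {
    "comment", "path", "valid users", "writeable", "writable", "read only",
    "browseable", "public", "guest ok", "printing", "dos filetimes",
    "dos filemode", "inherit acls", "map acl inherit", "include",
}
KNOWN = GLOBAL_ONLY | SERVICE_OK

def _norm(name):
    # Samba matches parameter names case-insensitively and ignores spacing.
    return re.sub(r"\s+", " ", name.strip().lower())

def parse_smb_conf(text):
    """Yield (section, key, value, after_include); key is None for a line without '='."""
    section, after_include = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section, after_include = m.group(1).strip().lower(), False
            continue
        if "=" not in line:
            yield section, None, line, after_include
            continue
        key, value = line.split("=", 1)
        key = _norm(key)
        yield section, key, value.strip(), after_include
        if key == "include":
            after_include = True

def lint(text):
    """Return human-readable findings; an empty list means nothing was caught."""
    findings, glob = [], {}
    for section, key, value, after_include in parse_smb_conf(text):
        if key is None:
            findings.append('malformed line "%s" (no =)' % value)
            continue
        if section == "global":
            glob[key] = value
        if key not in KNOWN:
            hint = difflib.get_close_matches(key, KNOWN, n=1, cutoff=0.8)
            findings.append('unknown parameter "%s"%s' % (
                key, ' (did you mean "%s"?)' % hint[0] if hint else ""))
            continue
        if section != "global" and key in GLOBAL_ONLY:
            findings.append('global parameter "%s" in section [%s]' % (key, section))
        if section == "global" and after_include and key in GLOBAL_ONLY:
            # "include" is expanded in place: if the included file ends in a
            # share section, every later [global] line lands in that share.
            findings.append('global parameter "%s" follows an include; move it above' % key)
    if glob.get("security", "").lower() != "ads":
        findings.append("security must be ads for net ads join")
    realm = glob.get("realm", "")
    if not realm:
        findings.append("realm is missing")
    elif realm != realm.upper():
        findings.append("realm should be upper case (Kerberos realms are case-sensitive)")
    if "workgroup" not in glob:
        findings.append("workgroup (short domain name) is missing")
    if glob.get("client signing", "").lower() == "no":
        findings.append("client signing = no: a 2003 DC requires signing; use auto")
    return findings

# Constructed sample reproducing the mistakes in the config posted above.
BROKEN = """\
[global]
  workgroup = DOMAIN
  realm = DOMAIN.LOCAL
  security = ads
  client signing = no
  password server 10.0.10.1
  include = /etc/samba/smb_shares.conf
  client use spnego = no
  winbind user default domain = yes
[windows]
  path = /shares/windows
  workgroup = DOMAIN
"""

if __name__ == "__main__":
    for finding in lint(BROKEN):
        print("-", finding)
```

The "follows an include" check is the one testparm will not give you: Samba reads the included file in place, so if smb_shares.conf ends in a share definition, every [global] line written after the include line is parsed as part of that share, which is exactly what a "Global parameter ... found in service section!" log line means.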
 

Author Comment

by:jbreg
ID: 20031161
[2007/10/07 22:56:04, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Operations error
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Unable to find a suitable server

Still get this--followed each step above--are there logs which will give more details as to what's going on?
0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20031271
Can you repost your smb.conf file. I do not see a "password server" or "realm" in the current posted file. Also logs would help.

0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20031289
Here is a smb.conf file from a working server.

[global]
workgroup = domain
server string = host
security = ADS
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind user default domain = no
password server = host1.domain.com
realm = domain.com

[homes]
comment = Home Directories
   browseable = no
   writable = yes

Do you have the firewall enabled? Or SELinux?
0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20031304
Also another question. Are the clocks in sync? I have had this issue before also. Make sure your domain controller and linux box are using an ntp server.
0
 

Author Comment

by:jbreg
ID: 20032495
Yes NTP is configured and using the PDC to sync

No firewall should be configured--but I suppose we could test by trying to telnet to the PDC--on which ports?

[global]
  workgroup = DOMAIN
  server string = TH-NAS-01
  realm = DOMAIN.LOCAL
  timestamp logs = yes
  dos filetimes = yes
  dos filemode = yes
  inherit acls = yes
  name cache timeout = 0
  winbind uid = 20000-600000
  winbind gid = 20000-600000
  local master = No
  guest account = nobody
  map to guest = Never
  unix charset = CP1252
  dos charset = CP850
  security = ADS
  encrypt passwords = Yes
  username level = 5
  debug level = 0
  log level = 0
  map acl inherit = yes
  load printers = no
  printing = bsd
  client signing = no
  server signing = auto
  include = /etc/samba/smb_shares.conf
  client use spnego = no
  winbind user default domain = yes

[homes]
  comment = Home Directories
  browseable = no
  writeable = no

[windows]

comment = TH-NAS-01 Windows Share
browseable = yes
writeable = yes
public = yes
path = /shares/windows
0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20034117
Add this line under realm:
# your PDC
password server = host1.domain.com

These are the ports used by AD:

Protocol                Port
LDAP                    udp 389, tcp 389
LDAP (SSL)              udp 636, tcp 636
Kerberos                udp 88, tcp 88
DNS                     udp 53, tcp 53
SMB over IP             udp 445, tcp 445
Global Catalog Server   tcp 3269, tcp 3268

Also please submit your logs
0
 

Author Comment

by:jbreg
ID: 20064126
Where do I find the logs? Which logs?
0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20066280
/etc/samba/smb.log generally. Also did you add the other entry?
0
 

Author Comment

by:jbreg
ID: 20071722
[root@ecourier-nas-1 ~]# vi /var/log/samba/smbd.log
[2007/10/07 22:49:37, 0] smbd/server.c:main(847)
  smbd version 3.0.24-7.fc6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2007/10/07 22:49:38, 0] param/loadparm.c:lp_do_parameter(3447)
  Global parameter client use spnego found in service section!
[2007/10/07 22:49:38, 0] param/loadparm.c:map_parameter(2693)
  Unknown parameter encountered: "winbind user default domain"
[2007/10/07 22:49:38, 0] param/loadparm.c:lp_do_parameter(3429)
  Ignoring unknown parameter "winbind user default domain"
[2007/10/07 22:49:39, 0] printing/nt_printing.c:nt_printing_init(649)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2007/10/07 22:55:07, 0] smbd/server.c:main(847)
  smbd version 3.0.24-7.fc6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2007/10/07 22:55:07, 0] param/loadparm.c:lp_do_parameter(3447)
  Global parameter client use spnego found in service section!
[2007/10/07 22:55:07, 0] param/loadparm.c:map_parameter(2693)
  Unknown parameter encountered: "winbind user default domain"
[2007/10/07 22:55:07, 0] param/loadparm.c:lp_do_parameter(3429)
  Ignoring unknown parameter "winbind user default domain"
[2007/10/07 22:55:09, 0] printing/nt_printing.c:nt_printing_init(649)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2007/10/12 23:46:04, 0] smbd/server.c:main(847)
  smbd version 3.0.24-7.fc6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2007/10/12 23:46:04, 0] param/loadparm.c:lp_do_parameter(3447)
  Global parameter client use spnego found in service section!
[2007/10/12 23:46:04, 0] param/loadparm.c:map_parameter(2693)
  Unknown parameter encountered: "winbind user default domain"
[2007/10/12 23:46:04, 0] param/loadparm.c:lp_do_parameter(3429)
  Ignoring unknown parameter "winbind user default domain"
[2007/10/12 23:46:04, 0] printing/nt_printing.c:nt_printing_init(649)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20072697
You have a syntax error in:

Unknown parameter encountered: "winbind user default domain"

The parameter is winbind use default domain (drop the r in user)

I would recommend that you start with a minimal smb.conf file to get this up and working. Start with the example I gave and then build on the options you want to use.

0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20072702
sorry, I noticed the r in one of my last postings. That was due to me retyping the file.
0
 

Author Comment

by:jbreg
ID: 20073991
Changed now I get the same error and this in logs

  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 16:16:57, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 16:16:57, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 16:16:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 16:16:57, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 16:16:57, 3] printing/printing.c:start_background_queue(1386)
  start_background_queue: Starting background LPQ thread
[2007/10/14 16:16:57, 2] smbd/server.c:open_sockets_smbd(384)
  waiting for a connection
0
 

Author Comment

by:jbreg
ID: 20074790
Ok, much closer, now I get this

[root@th-nas-01 ~]# net join -U Administrator
Administrator's password:
Using short domain name -- DOMAIN
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'TH-NAS-01' in realm 'DOMAIN.LOCAL'
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Unable to find a suitable server


[global]
  workgroup = DOMAIN
  netbios name = TH-NAS-01
  server string = TH-NAS-01
  realm = DOMAIN.LOCAL
  password server = 10.10.0.1
  timestamp logs = yes
  dos filetimes = yes
  dos filemode = yes
  inherit acls = yes
  name cache timeout = 0
  winbind uid = 20000-600000
  winbind gid = 20000-600000
  local master = No
  guest account = nobody
  map to guest = Never
  unix charset = CP1252
  dos charset = CP850
  security = ADS
  #security = user
  encrypt passwords = yes
  username level = 5
  debug level = 0
  log level = 3
  map acl inherit = yes
  load printers = no
  printing = bsd
  client signing = yes
  server signing = auto
  include = /etc/samba/smb_shares.conf
  client use spnego = yes
  winbind use default domain = yes

[homes]
  comment = Home Directories
  browseable = no
  writeable = no

[windows]

comment = TH-NAS-01 Windows Share
browseable = yes
writeable = yes
public = yes
path = /shares/windows

Logs as follows

_stack_ndx = 2
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] auth/auth_util.c:create_local_nt_token(909)
  create_local_nt_token: failed to check for local Administrators membership (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-1-0]
[2007/10/14 20:09:15, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2007/10/14 20:09:15, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(250)
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(250)
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(250)
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(250)
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(250)
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(250)
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(250)
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(250)
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(250)
[2007/10/14 20:09:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/10/14 20:09:15, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", 10.0.10.1"
[2007/10/14 20:09:15, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 10.0.10.1
[2007/10/14 20:09:15, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/10/14 20:09:15, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/10/14 20:09:15, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/10/14 20:09:15, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/10/14 20:09:15, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =tbisa01$@ECOURIERUK.LOCAL
[2007/10/14 20:09:15, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/10/14 20:09:15, 3] printing/nt_printing.c:check_published_printers(3242)
  ads_connect failed: Cannot read password
[2007/10/14 20:09:15, 0] printing/nt_printing.c:nt_printing_init(649)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] auth/auth_util.c:create_local_nt_token(909)
  create_local_nt_token: failed to check for local Administrators membership (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-1-99]
[2007/10/14 20:09:15, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-99]
[2007/10/14 20:09:15, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2007/10/14 20:09:15, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/10/14 20:09:15, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/10/14 20:09:15, 3] printing/printing.c:start_background_queue(1386)
  start_background_queue: Starting background LPQ thread
[2007/10/14 20:09:15, 2] smbd/server.c:open_sockets_smbd(384)
  waiting for a connection



0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20075275
Alright, let's ensure DNS works in both directions. Can the server ping the hostname of the DC, both forward and reverse? Can the DC ping the linux box, both forward and reverse, and the domain name domain.local? Also check your workgroup and ensure it is properly set. I think the last thing you need to do is ensure the smb.conf file is correct. Read through the entire file and verify you have not missed something. Also check krb5.conf and make sure everything is there alright. And the last: "make sure you are logged in as root". Almost there.

0
 

Author Comment

by:jbreg
ID: 20076444
There was no DNS from the DC to the hostname of the linux box. I have now named the linux box site.domain.local and put an A record in DNS on the DC. If I run nslookup I can see the record but if I try and ping I get "could not find host"--I can do it from the other DC which to me indicates they have not synced yet (each DC uses the other as primary DNS)
0
 
LVL 4

Accepted Solution

by:
redcelltech earned 2000 total points
ID: 20079426
Keep working on the DNS records, both A and PTR should work. How did the ping tests go from the linux box. Can you ping hostname.domain.local, domain.local and nslookup the address for those hosts, meaning, nslookup 192.168.1.1 (example). Because AD relies on dns all of this has to be solid.
0
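The accepted answer and the earlier port list describe the same preflight: forward and reverse DNS for both the member and the DC, the bare domain name resolving, and the AD ports answering on the DC. As an added example, not code from this thread or from Samba, here is a Python script that runs those checks in one go and reports what is wrong, so the "Failed to set servicePrincipalNames" and "Unable to find a suitable server" dead ends can be ruled out before typing net ads join. Network does real lookups; CannedNetwork holds constructed answers so the logic can be exercised offline. The names and addresses under __main__ are placeholders, not values from the thread.

```python
"""Preflight the DNS and reachability checks before "net ads join".

Added example; not part of the original thread or of Samba. Network does real
lookups via the resolver in /etc/resolv.conf (which, as the thread concludes,
should be the DC); CannedNetwork carries constructed answers for offline use.
"""
import socket

# TCP ports from the table above. UDP 53/88/389 cannot be probed with a bare
# connect, so check those with dig and kinit.
AD_TCP_PORTS = {
    53: "DNS", 88: "Kerberos", 389: "LDAP", 445: "SMB", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog (SSL)",
}

def srv_names(realm):
    """SRV records a member queries to locate KDCs and DCs (dig +short SRV <name>)."""
    r = realm.lower()
    return ["_kerberos._tcp.%s" % r, "_kerberos._udp.%s" % r,
            "_ldap._tcp.%s" % r, "_ldap._tcp.dc._msdcs.%s" % r]

class Network:
    """Real lookups against the system resolver."""
    def a(self, name):
        try:
            return sorted({ai[4][0] for ai in
                           socket.getaddrinfo(name, None, socket.AF_INET)})
        except socket.gaierror:
            return []

    def ptr(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0].lower()
        except (socket.herror, socket.gaierror):
            return None

    def tcp_open(self, ip, port, timeout=3.0):
        with socket.socket() as s:
            s.settimeout(timeout)
            return s.connect_ex((ip, port)) == 0

class CannedNetwork:
    """Constructed answers: a = {name: [ip, ...]}, ptr = {ip: name}, closed ports."""
    def __init__(self, a, ptr, closed=()):
        self._a, self._ptr, self._closed = a, ptr, set(closed)

    def a(self, name):
        return self._a.get(name.lower(), [])

    def ptr(self, ip):
        return self._ptr.get(ip)

    def tcp_open(self, ip, port, timeout=3.0):
        return port not in self._closed

def preflight(member_fqdn, member_ip, realm, dc_ip, net=None):
    """Return a list of problems; empty means DNS and reachability look sane."""
    net = net or Network()
    member_fqdn, domain = member_fqdn.lower(), realm.lower()
    problems = []
    # net ads join derives servicePrincipalNames from the host's DNS name, so
    # the member must live under the AD DNS domain (the SPN error quoted above).
    if not member_fqdn.endswith("." + domain):
        problems.append("hostname %s is not under %s" % (member_fqdn, domain))
    if member_ip not in net.a(member_fqdn):
        problems.append("no A record mapping %s to %s" % (member_fqdn, member_ip))
    if net.ptr(member_ip) != member_fqdn:
        problems.append("no PTR record mapping %s to %s" % (member_ip, member_fqdn))
    dc_name = net.ptr(dc_ip)
    if dc_name is None:
        problems.append("no PTR record for DC %s" % dc_ip)
    elif dc_ip not in net.a(dc_name):
        problems.append("A record for DC %s does not include %s" % (dc_name, dc_ip))
    if not net.a(domain):
        problems.append("%s itself does not resolve; DCs register that A record" % domain)
    for port, service in sorted(AD_TCP_PORTS.items()):
        if not net.tcp_open(dc_ip, port):
            problems.append("%s tcp/%d (%s) unreachable" % (dc_ip, port, service))
    return problems

if __name__ == "__main__":
    # Placeholder names and addresses; substitute your member server and DC.
    for p in preflight("th-nas-01.domain.local", "10.0.10.50", "DOMAIN.LOCAL", "10.0.10.1"):
        print("PROBLEM:", p)
    print("Then check SRV records with: dig +short SRV", " ".join(srv_names("DOMAIN.LOCAL")))
```

Run it as root on the member server with its resolver pointed at the DC; an empty problem list plus non-empty SRV answers from dig is the state the accepted answer asks for. A missing PTR for the member is reported separately from a missing A record because, as the thread shows, it is easy to add one and forget the other.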
 

Author Comment

by:jbreg
ID: 20081921
Appears to have worked now. The trick was to get DNS right and set the primary DNS server of the linux box as the DC!

How do I test that it worked?
0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20085650
Follow the rest of the doc I posted up top. That will let you know that the server can auth from AD.

Try next if you can authenticate a user from the domain:
~# wbinfo -a user%password
The output should be something like the following:
[root@radiussrv1]# wbinfo -a CHSchwartz%mypassword
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user CHSchwartz%mypassword with plaintext password
The error is absolutely normal in this case because there are no cleartext user credentials on the domain controller (Active Directory) for this user.
challenge/response password authentication succeeded
As cleartext authentication fails, wbinfo tries a challenge/response. If the challenge/response succeeds, the Linux server is configured correctly to authenticate users against Active Directory; however, despite the success of this test, you may need to set some extra permissions on the winbindd_privileged directory (see below at WARNING)!
Let's try to authenticate with NTLM, which is necessary for using FreeRADIUS with Active Directory.
Type the following line:
[root@radiussrv1]# ntlm_auth --request-nt-key --domain=<your domain> --username=<your username>
For me, the command would look like this:
[root@radiussrv1]# ntlm_auth --request-nt-key --domain=XYZDOM --username=CHSchwartz
You will be prompted for your password.
The command line returns
NT_STATUS_OK : Success (0x0)
[root@radiussrv1]#
if the username and password are the same as those stored in Active Directory. Note that this mechanism is based on a challenge/response of the nt-key, a character string that has been encrypted with information taken from the username and password.
During this operation, no exchange of user information takes place. Everything is based upon a comparison of encrypted strings.
0
 

Author Comment

by:jbreg
ID: 20093570
The shares work so we're happy--couldn't run commands you stated in your response, perhaps characters not translating properly.
0
 
LVL 4

Expert Comment

by:redcelltech
ID: 20093910
Great, glad to finally see you found the solution.
0
