Cannot join Fedora box to domain

Posted on 2009-04-27
Last Modified: 2013-12-06
Hi all.

I am attempting to run the following join command as su, then I get the below error.

[root@epicfedora01 samba]# net rpc join -S epic16 -U xhutchinson
Enter xhutchinson's password:
[2009/04/28 16:30:36,  0] rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
  get_schannel_session_key: could not fetch trust account password for domain 'EPICENTRE'
[2009/04/28 16:30:36,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
  net_rpc_join_ok: failed to get schannel session key from server epic16 for domain EPICENTRE. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Unable to join domain EPICENTRE.
[root@epicfedora01 samba]#


Question by:locdang
    LVL 20

    Expert Comment

    by:Daniel McAllister
    Sounds like your domain controller doesn't like you....

    More specifically, there may be a firewall or rule on the AD server that is blocking your request. (Of course, I am ASSUMING that your username & password correspond to a user on the domain that has domain admin rights).

    Let me know what you find!

    LVL 5

    Accepted Solution


    'First, make sure kerberos is installed:
    # rpm -qa | grep krb
    this should return at least 3 packages: krb5-devel, krb5-libs and krb5-workstation

    Next, make sure the ldap development libraries are installed:
    # rpm -qa | grep ldap-devel

    If either of these returns nothing, you'll need to install them - which you can do from the Redhat CD.

    make sure there's an entry for your active directory DC in your /etc/hosts file: addc

    Next, edit your /etc/krb5.conf to match your site. Everything should be fairly self-explanatory - and everything is case sensitive. Do not comment this file.

    Once you've gotten to this point, you can try:
    # /usr/kerberos/bin/kinit user@DOMAIN.COM
    replacing *user* with a real user and DOMAIN.COM with a real domain (which must be UPPERCASE). If things are working, you'll be prompted for a password. If you enter the correct password, you'll come back to a bash shell, if not, you should be presented with:
    "kinit(v5): Preauthentication failed while getting initial credentials"
    or some such.

    Note: If the clock time on the Linux machine is more than 5 minutes off from the time on the Windows machine no ticket information will work. There are three ways to deal with this:
    1. Have the Linux server act as a network time server, with the windows machine as a client
    2. Have the windows machine act as a time server for the linux client
    3. Make both systems pull the time from the same 3rd server ( some are listed here - )

    Next, uninstall samba if it's installed:
    # rpm -e samba

    get the latest version of samba:
    $ wget ""

    expand and install samba:
    $ tar -zxvf samba*.tar.gz

    $ cd samba-3.0.13

    $ ./configure --prefix=/usr/local/samba --with-ldap --with-ads --with-krb5 --with-pam --with-winbind

    # make && make install

    In your smb.conf:
    netbios name = LINUX_SERVER_NAME
    realm = DOMAIN.COM
    ads server =
    security = ADS
    encrypt passwords = yes

    start samba:
    # /etc/rc.d/init.d/smb start

    To add the Linux computer to the AD, you need to log into the DC and add it as a user with such privileges, so (from the Linux system):
    # /usr/local/samba/bin/net ads join -U Administrator
    it should prompt you for Administrator's password. Note that Administrator should be a user with the right to add a computer to the AD.

    you should see something like:
    Joined 'LINUX_MACHINE_NAME' to realm 'DOMAIN.COM'

    To verify this worked, go to the windows DC and open Active Directory->Users and Computers and look for your linux machine to be listed there.

    That's all you absolutely need to connect to the AD. If you want to map users to the AD (which is probably why you're doing this), open /etc/nsswitch.conf and change this:
    passwd: files
    shadow: files
    group: files

    to this:
    passwd: compat winbind
    shadow: compat
    group: compat winbind

    start the winbind daemon:
    # winbindd

    make sure it's running:
    # ps -ae | grep winbindd

    if nothing gets returned, you probably didn't configure samba with kerberos and ldap support. If it shows winbindd running, you're all set. To make sure everything starts on reboot:
    open /etc/rc.d/init.d/smb and /etc/rc.d/init.d/winbindd and make sure the line:
    # chkconfig: 345 NN NN
    exists (NN will be different numbers pertaining to priority), it should be on line 3 of both files. If these lines don't exist, add them. If they read:
    # chkconfig: - NN NN
    change the - to 345

    save and close those files and run chkconfig:
    # chkconfig smb reset
    # chkconfig winbindd reset

    you can check the runlevels they will start at with
    # chkconfig smb --list
    # chkconfig winbindd --list

    That should about cover everything.' However, if the setup steps listed did not work, please refer to RedHat instructions for setup:
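As an added example (not code from the original thread, and not part of Samba or Red Hat), the script below turns the preconditions the accepted answer lists into checks that run offline against constructed sample files: the Kerberos realm must be UPPERCASE in krb5.conf, the clock skew against the DC must stay under the 5-minute Kerberos limit, smb.conf must use security = ADS with a realm that matches krb5.conf, and nsswitch.conf must consult winbind for passwd and group but not shadow. The file contents, the epoch timestamps fed to check_skew, and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Offline pre-join checks
# that encode the rules the accepted answer states. Every file written below
# and every timestamp used is constructed sample data.

MAX_SKEW=300  # seconds; Kerberos rejects tickets when clocks differ by more

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed krb5.conf with the common mistake: a lowercase realm.
cat > "$workdir/krb5.conf.bad" <<'EOF'
[libdefaults]
 default_realm = domain.com
EOF

# Constructed krb5.conf as the answer wants it (realm in UPPERCASE).
cat > "$workdir/krb5.conf.good" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.COM
EOF

# Constructed smb.conf fragment mirroring the answer's settings.
cat > "$workdir/smb.conf" <<'EOF'
[global]
 netbios name = LINUX_SERVER_NAME
 realm = DOMAIN.COM
 security = ADS
 encrypt passwords = yes
EOF

# Constructed nsswitch.conf after the answer's edit.
cat > "$workdir/nsswitch.conf" <<'EOF'
passwd: compat winbind
shadow: compat
group: compat winbind
EOF

# conf_get FILE KEY: print the value of the first "KEY = value" line, trimmed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_realm_case KRB5CONF: 0 if default_realm is set and entirely uppercase.
check_realm_case() {
    realm=$(conf_get "$1" default_realm)
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# check_skew LOCAL_EPOCH DC_EPOCH: 0 if |local - dc| is under MAX_SKEW.
check_skew() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -lt "$MAX_SKEW" ]
}

# check_smbconf SMBCONF KRB5CONF: 0 if security = ADS (any case) and the
# smb.conf realm equals the Kerberos default_realm.
check_smbconf() {
    sec=$(conf_get "$1" security | tr '[:lower:]' '[:upper:]')
    [ "$sec" = "ADS" ] || return 1
    [ "$(conf_get "$1" realm)" = "$(conf_get "$2" default_realm)" ]
}

# check_nsswitch NSSWITCH: 0 if winbind is listed for passwd and group and
# NOT for shadow (winbind does not serve shadow entries).
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    ! grep -Eq '^shadow:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# preflight: run every check against the sample data; 0 only if all pass.
# The two epoch values stand in for `date +%s` locally and the DC's clock.
preflight() {
    rc=0
    check_realm_case "$workdir/krb5.conf.good" && echo "realm case: ok" \
        || { echo "realm case: FAIL"; rc=1; }
    check_skew 1240936236 1240936200 && echo "clock skew: ok" \
        || { echo "clock skew: FAIL"; rc=1; }
    check_smbconf "$workdir/smb.conf" "$workdir/krb5.conf.good" \
        && echo "smb.conf: ok" || { echo "smb.conf: FAIL"; rc=1; }
    check_nsswitch "$workdir/nsswitch.conf" && echo "nsswitch: ok" \
        || { echo "nsswitch: FAIL"; rc=1; }
    return $rc
}

preflight
```

To use it on a real host, point the functions at /etc/krb5.conf, /etc/samba/smb.conf and /etc/nsswitch.conf, and feed check_skew the output of `date +%s` together with the DC's clock (Samba's `net time -S <dc>` reports it). Running these before `kinit` and `net ads join` separates configuration mistakes, which these checks catch, from the firewall or account-rights problems the first comment suspects, which they cannot.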
