?
Solved

Samba3 Winbind fails to Join AD

Posted on 2010-01-12
6
Medium Priority
?
2,704 Views
Last Modified: 2013-12-06
I have a RHEL v5.4 machine with Samba3-3.3.9-40.el5 installed and I am attempting to join it to a Windows Server 2003 domain where SMB Signing and LDAPS are required. Upon running net join ads -U user@domain.local I get the following error:
net join ads -U user@domain.local
Enter user@domain.local's password:
Failed to join domain: failed to find DC for domain ads
ADS join did not work, falling back to RPC...
Could not initialise lsa pipe
Enter user@domain.local's password:
Could not connect to server domaincontroller
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I have attached my smb.conf file. I know my kr5.conf file is proper because when issuing a kinit command I get a ticket. Any help or thoughts are greatly appreciated.

Thanks!
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================

[global]
#--authconfig--start-line--

# Generated by authconfig on 2009/12/02 15:31:34
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = DOMAIN
   password server = *
   realm = DOMAIN.LOCAL
   security = ADS
   idmap uid = 600-20000
   idmap gid = 600-20000
   winbind separator = +
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   client ldap sasl wrapping = sign
#--authconfig--end-line--

# ----------------------- Network Related Options -------------------------
   preferred master = no
   ;server string = Nagios Server
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   obey pam restrictions = true
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   idmap backend = RID
   ;template primary group = "Domain Users"
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
;	workgroup = MYGROUP
	server string = Samba Server Version %v

;	netbios name = MYSERVER

;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;	hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

	# logs split per machine
;	log file = /var/log/samba/%m.log
	# max 50KB per log file, then rotate
;	max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

;	security = user
;	passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *


;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM

;	password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;	security = user
;	passdb backend = tdbsam

;	domain master = yes
;	domain logons = yes

	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# disables profiles support by specifing an empty path
;	logon path =  

;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;	local master = no
;	os level = 33
;	preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one	WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes

;	dns proxy = yes

Open in new window

0
Comment
Question by:showard2007
  • 2
  • 2
  • 2
6 Comments
 
LVL 7

Expert Comment

by:himvy
ID: 26298693
1>Sometimes it is solved by setting up a machine account on the Windows domain for the Unix server.

The net join command must be executed from the Unix machine using an administrative Windows user that is allowed to join the domain.

2>Did you add the samba password on the server for the correct user?
Yes, if a password was set, then enter the password, if not then just push enter.

3>http://www.linuxjournal.com/article/6604

4>Adding "share" to 'Security Options->Network access: Shares than can be
accessed anonymously'  T.set the security settings
'Network access: Let Everyone permissions apply to anonymous users'
0
 
LVL 7

Accepted Solution

by:
himvy earned 2000 total points
ID: 26298711
http://www.experts-exchange.com/OS/Linux/Distributions/Red_Hat/Q_24958638.html

May be the above link tell you about what needs to be done.
0
 
LVL 2

Author Comment

by:showard2007
ID: 26304563
himvy - thanks for the response but the article doesn't seem to be doing what I need it to do. Also the Link you sent me is a problem question I actually posted :) Also there is an account in the domain for the linux server, that's how I get my Kerberos ticket.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Expert Comment

by:nabeelmoidu
ID: 26333851
Try adding the entries in smb.conf
password server = fqdn-of-DC
wins server = dc-fqdn-of-DC
server string = SOMETHING
0
 
LVL 10

Expert Comment

by:nabeelmoidu
ID: 26333860
alos post outputs of

[root@server]# net ads info
[root@server]# net ads lookup
[root@server]# net ads status
0
 
LVL 2

Author Comment

by:showard2007
ID: 26343160
I ended up using the LIkewise open tool and the issue is solved.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
If you try to migrate from Elastix to Issabel, you will face a lot of issues. These problems are inevitable but fortunately, you can fix them. In the guide below, I will explain how I performed the migration while keeping all data and successfully t…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question