Joining a Fedora/SAMBA machine to Active Directory

Relli (Weaksauce), joined Jan 16, 2001, 98 messages
I'm trying to join a Fedora Core 1/Samba 3 machine to our corporate ADS so I can authenticate users against Active Directory. I have tried to follow The Official Samba How-To and Samba 3 By Example, and I have read the applicable material in both books. So far, I've edited smb.conf and krb5.conf as described in the books. When I try:

kinit '[email protected]'

and enter the correct password, I get no output. If I enter the wrong password I get an error message saying "failed getting initial credentials." I assume no output is what is supposed to happen when it authenticates properly. Then I try to actually join the machine to the domain using:

net ads join -U'name'

and the output is this (the host name is testmachine):

libads/ldap.c:ads_add_machine_acct(1006)
Host account for testmachine already exists - modifying old account
libads/ldap.c:ads_join_realm(1342)
ads_add_machine_acct: No such object
ads_join_realm: No such object

One of the books said the DC had to have MS Services for Unix installed. I'm not sure whether it is installed, because I do not actually administer the DC. Is anyone familiar enough with Samba and ADS to know whether Services for Unix would cause this, or whether it could be something else? Any other little tricks I should look into?

If Services for Unix is required and not installed, the DC admins would not let me install it. I do have full admin access to a Win 2003 Server in AD, though; it just isn't a DC. I could install Services for Unix on that. Is it possible to send authentication requests to that server and have that server request authentication from AD?
 
Well, I didn't use kinit; I just modified the /etc/krb5.conf file to point to my domain controller, then did net ads join -U'username'.

Presto, it's joined.

Let me know if you want a copy of that file
 
I wouldn't mind having a look at it, as I just have a very jerry-rigged Samba setup that works as a domain controller, but I would love to look into integrating AD users with Samba...
 
That would be helpful, I'm sure. I think it is set up correctly, but that would be reassuring. Either post it, or e-mail it to [email protected]. Thanks.

This may help too:
When I join a WinXP/2000 machine to AD, I have to remote into the DC and create a machine account first. Then I can join the workstation to the domain.
 
Code:
# Where the Kerberos libraries, KDC and kadmind write their logs.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

# Client-side defaults. The realm name is case-sensitive; an AD realm
# is written in upper case. With dns_lookup_kdc = true, KDCs can also
# be found through the _kerberos._tcp SRV records AD publishes.
[libdefaults]
 ticket_lifetime = 24000
 default_realm = BOCA
 dns_lookup_realm = true
 dns_lookup_kdc = true

# Per-realm settings: the KDC (a domain controller) on port 88 and
# the admin server on port 749.
[realms]
 BOCA = {
  kdc = MOYA.BOCA:88
  admin_server = MOYA.BOCA:749
  default_domain = BOCA
 }

# Map DNS domain names (lower case) to the realm (upper case).
[domain_realm]
 .boca = BOCA
 boca = BOCA

# Only used when this host runs a KDC itself; harmless on a client.
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

# Defaults for pam_krb5 logins.
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

My domain name is 'BOCA', obviously, and 'MOYA' is one of my domain controllers (a tribute to the finest sci-fi show ever created; I hate the Sci Fi channel).

If anybody sees any errors or corrections to this, let me know. I just went through, by hand, and replaced the default info with mine. I have little idea what any of it does.
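The config above and the kinit / net ads join steps from the first post depend on the realm side of krb5.conf being consistent: the realm spelled in upper case, a [realms] block for it with a KDC, and [domain_realm] mapping the lower-case DNS name back to it. The following is an added example (not code from the thread or from Samba) that parses a krb5.conf, runs those checks, and renders the matching smb.conf [global] block for a Samba 3 ADS member, where the Kerberos realm and the NetBIOS domain name are two different settings. The BOCA sample is the posted file with the logging and pam sections trimmed; the UMH.EDU samples and the host dc-01.umh.edu are assumed.

```python
"""Added example, not part of the thread: krb5.conf sanity checks for a
Samba 'security = ads' member plus the matching smb.conf [global] block.
Host and realm names are illustrative (dc-01.umh.edu is assumed)."""
import re

# Constructed sample: the posted krb5.conf, trimmed to the realm sections.
BOCA_KRB5 = """\
[libdefaults]
 default_realm = BOCA
 dns_lookup_kdc = true
[realms]
 BOCA = {
  kdc = MOYA.BOCA:88
  admin_server = MOYA.BOCA:749
 }
[domain_realm]
 .boca = BOCA
 boca = BOCA
"""

# Constructed sample for a DNS-named AD domain (names assumed).
UMH_KRB5 = """\
[libdefaults]
 default_realm = UMH.EDU
 dns_lookup_kdc = true
[realms]
 UMH.EDU = {
  kdc = dc-01.umh.edu:88
 }
[domain_realm]
 .umh.edu = UMH.EDU
 umh.edu = UMH.EDU
"""

# Constructed sample with the classic mistake: the realm typed in lower case.
LOWERCASE_KRB5 = UMH_KRB5.replace("UMH.EDU", "umh.edu")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; a 'name = { ... }' group
    (as under [realms] and [appdefaults]) becomes a nested dict.
    A repeated key keeps its last value, which is enough for the checks below."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("entry before any [section]: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return conf


def check_ads_realm(conf):
    """Return the problems that typically break kinit or 'net ads join'.
    An empty list means the realm side of the file looks consistent."""
    problems = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    if realm != realm.upper():
        problems.append("default_realm %r is not upper case; realm names are "
                        "case-sensitive and AD realms are upper case" % realm)
    if "." not in realm:
        problems.append("default_realm %r has no dot; an AD realm is normally "
                        "the DNS domain name (e.g. UMH.EDU), not the NetBIOS name" % realm)
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        problems.append("[realms] has no block for %s" % realm)
    elif "kdc" not in entry:
        problems.append("[realms] %s lists no kdc, so clients depend on DNS SRV records" % realm)
    for name in ("." + realm.lower(), realm.lower()):
        if conf.get("domain_realm", {}).get(name) != realm:
            problems.append("[domain_realm] does not map %s to %s" % (name, realm))
    return problems


def render_smb_global(realm, workgroup):
    """smb.conf [global] for a Samba 3 ADS member. 'realm' is the Kerberos realm
    (same string as in krb5.conf); 'workgroup' is the NetBIOS domain name users
    see at logon, which belongs here and not in krb5.conf."""
    return "\n".join([
        "[global]",
        "   workgroup = %s" % workgroup,
        "   realm = %s" % realm,
        "   security = ads",
        "   idmap uid = 10000-20000",
        "   idmap gid = 10000-20000",
        "   winbind use default domain = yes",
        "",
    ])


if __name__ == "__main__":
    for label, text in (("BOCA", BOCA_KRB5), ("UMH.EDU", UMH_KRB5),
                        ("lower case", LOWERCASE_KRB5)):
        print(label, "->", check_ads_realm(parse_krb5_conf(text)) or "ok")
    print(render_smb_global("UMH.EDU", "UMHS-USERS"))
```

Run it against a real /etc/krb5.conf before attempting the join; the single-label BOCA realm is reported as a warning because an AD realm is normally the DNS domain name, while the UMH.EDU sample passes and the lower-case copy is flagged.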
 
That is exactly what mine looks like except where you have MOYA, I have DC-01 (the name of a DC), and where you have BOCA, I have UMH.EDU (the name of the domain).

I'm not the most competent with AD, so I'll explain the login procedure a little, because I don't know exactly what every term means or is called.

A workstation is joined to the UMH.EDU domain. When a user logs in, they log into UMHS-USERS, not umh.edu. I shouldn't need UMHS-USERS anywhere in the krb5.conf should I?

Do you know if your DC has MS Services for Unix installed?
 