Problems getting a Linux server to join an AD domain

Rowley, Mathew Mathew_Rowley at cable.comcast.com
Thu Oct 28 20:32:30 CEST 2010


In an attempt to integrate RADIUS with AD, following the tutorial (http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO), I have set up an AD server in our lab and am having trouble adding my Linux box to the domain. Can anyone see what I'm doing wrong? The error I keep getting is:

$ sudo net join -w SECLAB -I 10.252.159.137 -U Administrator
[sudo] password for wuntee:
Enter Administrator's password:
[2010/10/28 12:23:36.656829,  0] utils/net_rpc_join.c:406(net_rpc_join_newstyle)
  Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME

Unable to join domain SECLAB.


Kerberos seems to work fine:

$ kinit mrowle000
Password for mrowle000@SECLAB.SECURITY.LAB.NET:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mrowle000@SECLAB.SECURITY.LAB.NET

Valid starting     Expires            Service principal
10/28/10 12:27:29  10/28/10 22:27:23  krbtgt/SECLAB.SECURITY.LAB.NET@SECLAB.SECURITY.LAB.NET
renew until 10/29/10 12:27:29


CONFIGS:

krb5.conf
# Log destinations for the Kerberos library, the KDC and the admin server.
# kdc and admin_server each appear twice: the krb5 profile format treats
# repeated relations as multiple values, so each gets a file and a syslog target.
# NOTE(review): the kdc/admin_server entries matter only on a host that runs
# those daemons; on a client joining AD they are presumably unused.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 kdc = SYSLOG:INFO:AUTH
 admin_server = FILE:/var/log/kadmind.log
 admin_server = SYSLOG:INFO:AUTH

# Library-wide defaults for Kerberos clients on this host.
[libdefaults]
 default_realm = SECLAB.SECURITY.LAB.NET
# DNS-based realm and KDC discovery are both switched off, so the KDC is
# located only through the static [realms] entry for the default realm.
 dns_lookup_realm = false
 dns_lookup_kdc = false
# Requested lifetime only; the KDC may issue less. The klist output in this
# post shows a ticket valid for about 10 hours, not 24.
 ticket_lifetime = 24h
# Forwardable tickets can be passed on to other hosts; keep this enabled only
# if delegation is actually needed.
 forwardable = yes

# Per-application overrides. The pam subsection is read by the PAM Kerberos
# module (presumably pam_krb5 -- confirm which module is installed).
[appdefaults]
 pam = {
   debug = false
# NOTE(review): bare numbers are presumably seconds (36000 s = 10 h) -- confirm.
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
# No Kerberos 4 ticket conversion.
   krb4_convert = false
 }

# How to reach the KDC for the realm; in an AD domain the domain controller
# is the KDC.
[realms]
SECLAB.SECURITY.LAB.NET = {
# Port 88 is the standard Kerberos port. The name given is the DNS domain name
# itself rather than a specific host -- verify that it resolves to the domain
# controller (the join command in this post targets the server by IP with -I).
 kdc = seclab.security.lab.net:88
# NOTE(review): "secuitry" is spelled differently from every other occurrence
# ("security") and looks like a typo. default_domain is only used when
# translating Kerberos 4 principals, so it is unlikely to be what breaks the join.
 default_domain = seclab.secuitry.lab.net
}

# Maps DNS names to the Kerberos realm: the leading-dot entry covers hosts
# inside the domain, the bare entry covers a host named exactly like the domain.
[domain_realm]
.seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
seclab.security.lab.net = SECLAB.SECURITY.LAB.NET


Samba.conf (smb.conf)
# Server-wide Samba settings for a host meant to be an AD member (security = ads).
[global]
# NOTE(review): workgroup is normally the short NetBIOS domain name, and the
# join command in this post passes -w SECLAB. The DNS-style value here is
# longer than the 15 characters a NetBIOS name allows; whether that is what
# produces NT_STATUS_INVALID_COMPUTER_NAME is not established by the post.
   workgroup = SECLAB.SECURITY.LAB.NET
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
# One log file per client machine (%m); the size cap is in KiB.
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
# The error shown in this post is raised from utils/net_rpc_join.c, i.e. the
# RPC-style join path. NOTE(review): check why an ADS (Kerberos) join was not
# performed -- the realm line further down is a likely suspect.
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
# The next four settings drive local Unix password changes; with unix password
# sync on, Samba runs passwd program as root. NOTE(review): with security = ads
# the passwords live in AD, so these look like distribution defaults -- confirm
# they are needed on a domain member.
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
# Logins with an unknown user name are mapped to the guest account instead of
# being rejected. NOTE(review): together with usershare allow guests = yes at
# the end of this section, decide whether guest access is wanted at all.
   map to guest = bad user
# ID ranges winbind uses when mapping domain users and groups to Unix ids.
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
# Domain users have to be written with their domain prefix.
   winbind use default domain = no
# NOTE(review): smb.conf has no trailing-comment syntax; comments are whole
# lines starting with # or ;. The "//your AD-server" and "//your real" text is
# therefore read as part of the value, and the realm no longer matches the
# Kerberos realm configured in krb5.conf. Move these notes onto their own
# comment lines before retrying the join.
   password server = seclab.security.lab.net //your AD-server
   realm = SECLAB.SECURITY.LAB.NET //your real
   usershare allow guests = yes

# Per-user home directory shares, hidden from browse lists and writable.
# NOTE(review): no valid users restriction is set; consider
# valid users = %S so that only the owner can connect to a home share.
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
# Print spool share: hidden from browse lists, guests refused, and spool
# files created with owner-only permissions (create mask 0700).
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Printer driver download share: browseable, read-only, guests refused.
# No write list is set, so nobody can upload drivers over SMB as configured.
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no




