Problems getting a linux server to join an AD domain
Sallee, Stephen (Jake)
Jake.Sallee at umhb.edu
Thu Oct 28 20:41:42 CEST 2010
I have to ask ... but what is your server's name? The error is saying
that the name is incompatible with AD. Do you have any special
characters, any spaces, or any other weirdness in your server's name?
Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of Rowley, Mathew
Sent: Thursday, October 28, 2010 1:33 PM
To: freeradius-users at lists.freeradius.org
Subject: Problems getting a linux server to join an AD domain
In an attempt to integrate RADIUS with AD, and following the tutorial
(http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO),
I have set up an AD server in our lab and am having trouble adding my
Linux box to the domain. Can anyone see what I'm doing wrong? The error I
keep getting is:
$ sudo net join -w SECLAB -I 10.252.159.137 -U Administrator
[sudo] password for wuntee:
Enter Administrator's password:
[2010/10/28 12:23:36.656829, 0] utils/net_rpc_join.c:406(net_rpc_join_newstyle)
  Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME
Unable to join domain SECLAB.
Kerberos seems to work fine:
$ kinit mrowle000
Password for mrowle000@SECLAB.SECURITY.LAB.NET:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mrowle000@SECLAB.SECURITY.LAB.NET

Valid starting     Expires            Service principal
10/28/10 12:27:29  10/28/10 22:27:23  krbtgt/SECLAB.SECURITY.LAB.NET@SECLAB.SECURITY.LAB.NET
        renew until 10/29/10 12:27:29
CONFIGS:
krb5.conf

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  kdc = SYSLOG:INFO:AUTH
  admin_server = FILE:/var/log/kadmind.log
  admin_server = SYSLOG:INFO:AUTH

[libdefaults]
  default_realm = SECLAB.SECURITY.LAB.NET
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

[realms]
  SECLAB.SECURITY.LAB.NET = {
    kdc = seclab.security.lab.net:88
    default_domain = seclab.secuitry.lab.net
  }

[domain_realm]
  .seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
  seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
Samba.conf

[global]
  workgroup = SECLAB.SECURITY.LAB.NET
  server string = %h server (Samba, Ubuntu)
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = ads
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = yes
  map to guest = bad user
  idmap uid = 16777216-33554431
  idmap gid = 16777216-33554431
  template shell = /bin/bash
  winbind use default domain = no
  password server = seclab.security.lab.net //your AD-server
  realm = SECLAB.SECURITY.LAB.NET //your real
  usershare allow guests = yes

[homes]
  comment = Home Directories
  browseable = no
  writable = yes

[printers]
  comment = All Printers
  browseable = no
  path = /var/spool/samba
  printable = yes
  guest ok = no
  read only = yes
  create mask = 0700

[print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  browseable = yes
  read only = yes
  guest ok = no
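Jake's question above is about the machine name; the same NetBIOS limits (15 characters, no dots, spaces or symbols) also apply to the workgroup value in smb.conf, which Samba presents to AD as the domain's short name. The following shell script is an added example, not code from the thread or from Samba: it checks both names before net join is attempted. The host name and smb.conf path it is given are the caller's (assumed) inputs.

```shell
#!/bin/sh
# Added example, not from the thread. Before running 'net join', check the
# two names Samba presents to AD as NetBIOS names: the machine's short
# hostname and the 'workgroup' value in smb.conf. Both are limited to 15
# characters; this check conservatively allows only letters, digits and '-',
# so a dotted DNS/realm name, a space or a symbol is rejected. The host name
# and smb.conf path are supplied by the caller (assumptions, not the poster's).

# check_netbios_name NAME: return 0 if NAME is acceptable, 1 with a reason.
check_netbios_name() {
    name="$1"
    if [ -z "$name" ]; then
        echo "empty name"
        return 1
    fi
    if [ "${#name}" -gt 15 ]; then
        echo "'$name' is ${#name} characters; NetBIOS names are limited to 15"
        return 1
    fi
    case "$name" in
        *[!A-Za-z0-9-]*)
            echo "'$name' contains a dot, space or symbol; use only letters, digits and '-'"
            return 1 ;;
    esac
    echo "'$name' is an acceptable NetBIOS name"
    return 0
}

# smb_workgroup FILE: print the first 'workgroup = ...' value from an smb.conf.
smb_workgroup() {
    sed -n -e '/^[[:space:]]*workgroup[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;q;}' "$1"
}

# prejoin_check HOST SMBCONF: return 0 only if both names pass; every failure
# is reported so that both problems show up in one run.
prejoin_check() {
    status=0
    check_netbios_name "$1" || status=1
    check_netbios_name "$(smb_workgroup "$2")" || status=1
    return "$status"
}

# Typical invocation on the box being joined:
#   sh prejoin_check.sh "$(hostname -s)" /etc/samba/smb.conf
if [ "$#" -eq 2 ]; then
    prejoin_check "$1" "$2"
fi
```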