Problems getting a linux server to join a AD domain
Rowley, Mathew
Mathew_Rowley at cable.comcast.com
Thu Oct 28 21:24:38 CEST 2010
$ hostname
mat-desktop.security.lab.net
Short name is just mat-desktop
Mathew Rowley
IIS Network Security Architecture
On 10/28/10 12:41 PM, "Sallee, Stephen (Jake)" <Jake.Sallee at umhb.edu>
wrote:
>I have to ask ... but what is your server's name? The error is saying
>that the name is incompatible with AD, do you have any special
>characters, any spaces, or any other weirdness in your server's name?
>
>Jake Sallee
>Godfather Of Bandwidth
>Network Engineer
>
>Fone: 254-295-4658
>Phax: 254-295-4221
>
>
>-----Original Message-----
>From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org
>[mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org]
>On Behalf Of Rowley, Mathew
>Sent: Thursday, October 28, 2010 1:33 PM
>To: freeradius-users at lists.freeradius.org
>Subject: Problems getting a linux server to join a AD domain
>
>In an attempt to integrate Radius with AD, and following the tutorial
>(http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO),
>I have set up an AD server in our lab, and am having trouble adding my
>linux box to the domain. Can anyone see what I'm doing wrong? The error I
>keep getting is:
>
>$ sudo net join -w SECLAB -I 10.252.159.137 -U Administrator
>[sudo] password for wuntee:
>Enter Administrator's password:
>[2010/10/28 12:23:36.656829, 0] utils/net_rpc_join.c:406(net_rpc_join_newstyle)
> Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME
>
>Unable to join domain SECLAB.
>
>
>Kerberos seems to work fine:
>
>$ kinit mrowle000
>Password for mrowle000 at SECLAB.SECURITY.LAB.NET:
>$ klist
>Ticket cache: FILE:/tmp/krb5cc_1000
>Default principal: mrowle000 at SECLAB.SECURITY.LAB.NET
>
>Valid starting     Expires            Service principal
>10/28/10 12:27:29  10/28/10 22:27:23  krbtgt/SECLAB.SECURITY.LAB.NET at SECLAB.SECURITY.LAB.NET
>        renew until 10/29/10 12:27:29
>
>
>CONFIGS:
>
>krb5.conf
>[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> kdc = SYSLOG:INFO:AUTH
> admin_server = FILE:/var/log/kadmind.log
> admin_server = SYSLOG:INFO:AUTH
>
>[libdefaults]
> default_realm = SECLAB.SECURITY.LAB.NET
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
>[appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>[realms]
>SECLAB.SECURITY.LAB.NET = {
> kdc = seclab.security.lab.net:88
> default_domain = seclab.secuitry.lab.net
>}
>
>[domain_realm]
>.seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
>seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
>
>
>Samba.conf
>[global]
> workgroup = SECLAB.SECURITY.LAB.NET
> server string = %h server (Samba, Ubuntu)
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> security = ads
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/bash
> winbind use default domain = no
> password server = seclab.security.lab.net //your AD-server
> realm = SECLAB.SECURITY.LAB.NET //your real
> usershare allow guests = yes
>
>[homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
>[printers]
> comment = All Printers
> browseable = no
> path = /var/spool/samba
> printable = yes
> guest ok = no
> read only = yes
> create mask = 0700
>
>[print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> browseable = yes
> read only = yes
> guest ok = no
>
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
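
The reply above asks whether the server's name is compatible with AD. As an added example (not code from the thread or from Samba), the sketch below checks the names a join depends on, the smb.conf workgroup and the machine's NetBIOS name, against the NetBIOS limits of 15 characters and the characters Microsoft documents as disallowed. The function names are hypothetical and the dot rule is a heuristic of this example; the sample input is constructed from values quoted in the thread.

```python
import re

NETBIOS_MAX = 15                  # NetBIOS names carry at most 15 characters
NETBIOS_BAD = set('\\/:*?"<>|')   # characters Microsoft lists as disallowed

def netbios_problems(name):
    """Return a list of reasons `name` is unsuitable as a NetBIOS name."""
    problems = []
    if len(name) > NETBIOS_MAX:
        problems.append(f"{len(name)} characters, limit is {NETBIOS_MAX}")
    bad = sorted(c for c in set(name) if c in NETBIOS_BAD or c.isspace())
    if bad:
        problems.append("disallowed characters: " + " ".join(map(repr, bad)))
    if "." in name:
        # Heuristic of this example: a dot usually means a DNS name or
        # Kerberos realm was entered where the short name belongs.
        problems.append("contains '.', looks like a DNS name or realm")
    return problems

def global_params(smb_conf_text):
    """Parse the [global] section of smb.conf text into a dict."""
    params, section = {}, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_join_names(smb_conf_text, fqdn):
    """Return {setting: [problems]} for the names a domain join relies on."""
    params = global_params(smb_conf_text)
    # Samba defaults: workgroup is WORKGROUP, and "netbios name" is the
    # first component of the host's DNS name when not set explicitly.
    names = {
        "workgroup": params.get("workgroup", "WORKGROUP"),
        "netbios name": params.get("netbios name", fqdn.split(".")[0]),
    }
    return {k: p for k, v in names.items() if (p := netbios_problems(v))}

# Constructed sample input using values quoted in the thread.
SAMPLE = """[global]
 workgroup = SECLAB.SECURITY.LAB.NET
 realm = SECLAB.SECURITY.LAB.NET
"""
```

Calling `check_join_names(SAMPLE, "mat-desktop.security.lab.net")` reports only the `workgroup` value; the short host name `mat-desktop` passes these checks.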