Problems getting a linux server to join a AD domain
Rowley, Mathew
Mathew_Rowley at cable.comcast.com
Thu Oct 28 22:30:56 CEST 2010
Ignored netbios-name, but 'netbios name' was accepted, but still, same
error...
On 10/28/10 2:03 PM, "schilling" <schilling2006 at gmail.com> wrote:
>add netbios-name = MAT-DESKTOP
>
>That's what we have here.
>
>On Thu, Oct 28, 2010 at 3:49 PM, Rowley, Mathew
><Mathew_Rowley at cable.comcast.com> wrote:
>> It would make sense that was the issue due to:
>>
>> server string = %h server (Samba, Ubuntu)
>>
>> but still getting the same error:
>>
>> $ sudo net join -w SECLAB -I 10.252.159.137 -U Administrator
>> Enter Administrator's password:
>> [2010/10/28 13:40:07.929859, 0]
>> utils/net_rpc_join.c:406(net_rpc_join_newstyle)
>> Error in domain join verification (credential setup failed):
>> NT_STATUS_INVALID_COMPUTER_NAME
>>
>> Unable to join domain SECLAB.
>>
>>
>> $ grep 'server name' /etc/samba/smb.conf
>> $ grep 'server string' /etc/samba/smb.conf
>> server string = MAT-DESKTOP
>> # server string is the equivalent of the NT Description field
>> # server string = %h server (Samba, Ubuntu)
>>
>>
>>
>>
>>
>>
>> On 10/28/10 1:31 PM, "schilling" <schilling2006 at gmail.com> wrote:
>>
>>>put server string = MAT-DESKTOP
>>>
>>>On Thu, Oct 28, 2010 at 3:24 PM, Rowley, Mathew
>>><Mathew_Rowley at cable.comcast.com> wrote:
>>>> $ hostname
>>>> mat-desktop.security.lab.net
>>>>
>>>>
>>>> Short name is just mat-desktop
>>>>
>>>>
>>>>
>>>> Mathew Rowley
>>>> IIS Network Security Architecture
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 10/28/10 12:41 PM, "Sallee, Stephen (Jake)" <Jake.Sallee at umhb.edu>
>>>> wrote:
>>>>
>>>>>I have to ask ... but what is your server's name? The error is saying
>>>>>that the name is incompatible with AD, do you have any special
>>>>>characters, any spaces, or any other weirdness in your server's name?
>>>>>
>>>>>Jake Sallee
>>>>>Godfather Of Bandwidth
>>>>>Network Engineer
>>>>>
>>>>>Fone: 254-295-4658
>>>>>Phax: 254-295-4221
>>>>>
>>>>>
>>>>>-----Original Message-----
>>>>>From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org
>>>>>[mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org]
>>>>>On Behalf Of Rowley, Mathew
>>>>>Sent: Thursday, October 28, 2010 1:33 PM
>>>>>To: freeradius-users at lists.freeradius.org
>>>>>Subject: Problems getting a linux server to join a AD domain
>>>>>
>>>>>In an attempt to integrate Radius with AD, and following the tutorial
>>>>>(http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO),
>>>>>I have set up an AD server in our lab, and am having trouble adding my
>>>>>linux box to the domain. Can anyone see what I'm doing wrong? The error I
>>>>>keep getting is:
>>>>>
>>>>>$ sudo net join -w SECLAB -I 10.252.159.137 -U Administrator
>>>>>[sudo] password for wuntee:
>>>>>Enter Administrator's password:
>>>>>[2010/10/28 12:23:36.656829, 0] utils/net_rpc_join.c:406(net_rpc_join_newstyle)
>>>>> Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME
>>>>>
>>>>>Unable to join domain SECLAB.
>>>>>
>>>>>
>>>>>Kerberos seems to work fine:
>>>>>
>>>>>$ kinit mrowle000
>>>>>Password for mrowle000 at SECLAB.SECURITY.LAB.NET:
>>>>>$ klist
>>>>>Ticket cache: FILE:/tmp/krb5cc_1000
>>>>>Default principal: mrowle000 at SECLAB.SECURITY.LAB.NET
>>>>>
>>>>>Valid starting     Expires            Service principal
>>>>>10/28/10 12:27:29  10/28/10 22:27:23  krbtgt/SECLAB.SECURITY.LAB.NET at SECLAB.SECURITY.LAB.NET
>>>>>        renew until 10/29/10 12:27:29
>>>>>
>>>>>
>>>>>CONFIGS:
>>>>>
>>>>>krb5.conf
>>>>>[logging]
>>>>> default = FILE:/var/log/krb5libs.log
>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>> kdc = SYSLOG:INFO:AUTH
>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>> admin_server = SYSLOG:INFO:AUTH
>>>>>
>>>>>[libdefaults]
>>>>> default_realm = SECLAB.SECURITY.LAB.NET
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = false
>>>>> ticket_lifetime = 24h
>>>>> forwardable = yes
>>>>>
>>>>>[appdefaults]
>>>>> pam = {
>>>>> debug = false
>>>>> ticket_lifetime = 36000
>>>>> renew_lifetime = 36000
>>>>> forwardable = true
>>>>> krb4_convert = false
>>>>> }
>>>>>
>>>>>[realms]
>>>>>SECLAB.SECURITY.LAB.NET = {
>>>>> kdc = seclab.security.lab.net:88
>>>>> default_domain = seclab.secuitry.lab.net
>>>>>}
>>>>>
>>>>>[domain_realm]
>>>>>.seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
>>>>>seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
>>>>>
>>>>>
>>>>>Samba.conf
>>>>>[global]
>>>>> workgroup = SECLAB.SECURITY.LAB.NET
>>>>> server string = %h server (Samba, Ubuntu)
>>>>> dns proxy = no
>>>>> log file = /var/log/samba/log.%m
>>>>> max log size = 1000
>>>>> syslog = 0
>>>>> panic action = /usr/share/samba/panic-action %d
>>>>> security = ads
>>>>> encrypt passwords = true
>>>>> passdb backend = tdbsam
>>>>> obey pam restrictions = yes
>>>>> unix password sync = yes
>>>>> passwd program = /usr/bin/passwd %u
>>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>> pam password change = yes
>>>>> map to guest = bad user
>>>>> idmap uid = 16777216-33554431
>>>>> idmap gid = 16777216-33554431
>>>>> template shell = /bin/bash
>>>>> winbind use default domain = no
>>>>> password server = seclab.security.lab.net //your AD-server
>>>>> realm = SECLAB.SECURITY.LAB.NET //your real
>>>>> usershare allow guests = yes
>>>>>
>>>>>[homes]
>>>>> comment = Home Directories
>>>>> browseable = no
>>>>> writable = yes
>>>>>
>>>>>[printers]
>>>>> comment = All Printers
>>>>> browseable = no
>>>>> path = /var/spool/samba
>>>>> printable = yes
>>>>> guest ok = no
>>>>> read only = yes
>>>>> create mask = 0700
>>>>>
>>>>>[print$]
>>>>> comment = Printer Drivers
>>>>> path = /var/lib/samba/printers
>>>>> browseable = yes
>>>>> read only = yes
>>>>> guest ok = no
>>>>>
>>>>>
>>>>>-
>>>>>List info/subscribe/unsubscribe? See
>>>>>http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list
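
A pre-join check of the names this thread is about, as an added example that is not part of the original messages: it reads the `[global]` section of an smb.conf and reports whether the machine name and `workgroup` fit NetBIOS naming limits. The sample config is constructed from values posted in the thread; the function names and the conservative character rule are this example's own assumptions.

```python
import re

NETBIOS_MAX = 15  # NetBIOS names are limited to 15 characters
# Conservative character rule chosen for this example: letters, digits, hyphen.
SAFE_CHARS = re.compile(r"[A-Za-z0-9-]+")

# Constructed sample: [global] values as posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = SECLAB.SECURITY.LAB.NET
   server string = MAT-DESKTOP
   security = ads
   realm = SECLAB.SECURITY.LAB.NET
"""

def parse_global(text):
    """Return [global] parameters; names are case- and whitespace-insensitive."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params

def name_problems(name):
    """List the reasons a string is unsuitable as a NetBIOS name."""
    problems = []
    if len(name) > NETBIOS_MAX:
        problems.append(f"{len(name)} characters, limit is {NETBIOS_MAX}")
    if "." in name:
        problems.append("contains a dot, looks like a DNS name or realm")
    elif not SAFE_CHARS.fullmatch(name):
        problems.append("empty or has characters outside A-Z, 0-9 and '-'")
    return problems

def lint(smb_conf_text, hostname):
    """Return (machine name Samba will use, list of findings)."""
    g = parse_global(smb_conf_text)
    # Without 'netbios name', Samba uses the first label of the host name.
    machine = g.get("netbiosname") or hostname.split(".", 1)[0]
    findings = [f"netbios name {machine!r}: {p}" for p in name_problems(machine)]
    workgroup = g.get("workgroup", "WORKGROUP")  # Samba's default workgroup
    findings += [f"workgroup {workgroup!r}: {p}" for p in name_problems(workgroup)]
    return machine, findings

if __name__ == "__main__":
    print(lint(SAMPLE_SMB_CONF, "mat-desktop.security.lab.net"))
```

`server string` plays no part in the check because it is only the description field, as the comment in the stock smb.conf quoted above says.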