samba ads setup troubles: ads_join_realm: Operations error

 
Roderick Derks
Frequent Advisor

Hi,

I got a problem trying to get Samba configured on my HP-UX ELITIL1 B.11.23 U ia64 server. I want it to act as a Windows domain server so I can authenticate users using ADS groups.

# ./net ads join -U administrator -d 10
....
[2008/04/15 11:21:43, 10] libsmb/clikrb5.c:ads_krb5_mk_req(408)
ads_krb5_mk_req: Ticket (ezhdc01$@ELISABETH.NL) in ccache (MEMORY:net_ads) is valid until: (Tue, 15 Apr 2008 21:21:46 MET - 1208287306)
[2008/04/15 11:21:43, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(509)
Got KRB5 session key of length 8
[2008/04/15 11:21:43, 1] libads/ldap.c:ads_default_ou_string(1085)
Failed while searching for:
ads_join_realm: Operations error
[2008/04/15 11:21:43, 2] utils/net.c:main(901)
return code = -1

The kinit command seems to work (no error message) after I adjusted a setting in the ADS for the user I authenticate with ("Do not require Kerberos preauthentication").

I'm just guessing here but do I need a newer version of Kerberos?

Here is my krb5.conf:
[logging]
default = FILE:/var/adm/krb5libs.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmind.log

[libdefaults]
default_realm = ELISABETH.NL
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
ccache_type = 2

[realms]
ELISABETH.NL = {
kdc = ezhdc01.elisabeth.nl:88
admin_server = ezhdc01.elisabeth.nl
}

[domain_realm]
.ezhdc01.elisabeth.nl = ELISABETH.NL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Thnx for helping out here.
Grtz,
Roderick
Steven E. Protter
Exalted Contributor

Re: samba ads setup troubles: ads_join_realm: Operations error

Shalom,

with an ads security configuration in smb.conf

Try this:

/opt/samba/bin/net join -w -S -U adm_user

The user adm_user needs to have powers on the Windows Primary Domain Controller (PDC) to join the domain.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Roderick Derks
Frequent Advisor

Re: samba ads setup troubles: ads_join_realm: Operations error

Thanks for your reply.

# /opt/samba/bin/net join -w ELISABETH.NL -S ezhdc01.elisabeth.nl -U adminisrator

ads_join_realm: Operations error
ADS join did not work, falling back to RPC...
Joined domain ELISABETH.

Ok, now I can see the server in the ADS. Any idea why this command worked and not the other command?
Is there a difference now compared to the other command?
Roderick Derks
Frequent Advisor

Re: samba ads setup troubles: ads_join_realm: Operations error

Group authentication is not working yet. Does anyone know what the problem is?

[global]
preferred master = auto
local master = yes
domain master = auto
domain logons = no
password server = xxxxxxx.domain.nl, *
realm = ELISABETH.NL
security = ADS
wins server = winsserver.domain.nl
wins support = no
workgroup = DOMAIN
netbios name = servername
server string = Philips EasyAccess
encrypt passwords = yes
guest account = samba
directory mask = 0775

[folders]
comment = folders
path = /samba_exports
read only = Yes
create mask = 0775
browseable = No
oplocks = No
valid users = @"elisabeth+FS_C_SAMBA_PACS_FOLDERS"
Roderick Derks
Frequent Advisor

Re: samba ads setup troubles: ads_join_realm: Operations error

Group authentication is not working yet. Does anyone know what the problem is?

[global]
preferred master = auto
local master = yes
domain master = auto
domain logons = no
password server = xxxxxxx.domain.nl, *
realm = DOMAIN.NL
security = ADS
wins server = winsserver.domain.nl
wins support = no
workgroup = DOMAIN
netbios name = servername
server string = EasyAccess
encrypt passwords = yes
guest account = samba
directory mask = 0775

[folders]
comment = folders
path = /samba_exports
read only = Yes
create mask = 0775
browseable = No
oplocks = No
valid users = @"elisabeth+FS_C_SAMBA_PACS_FOLDERS"
Roderick Derks
Frequent Advisor

Re: samba ads setup troubles: ads_join_realm: Operations error

winbind can't connect either:

[2008/04/15 15:34:51, 1] nsswitch/winbindd.c:main(864)
winbindd version 3.0.14a based HP CIFS Server A.02.02.01 started.
Copyright The Samba Team 2000-2004
[2008/04/15 15:34:51, 0] nsswitch/winbindd_util.c:winbindd_param_init(555)
winbindd: idmap uid range missing or invalid
[2008/04/15 15:34:51, 0] nsswitch/winbindd_util.c:winbindd_param_init(556)
winbindd: cannot continue, exiting.
[2008/04/15 15:34:51, 1] nsswitch/winbindd.c:main(897)
Could not init idmap -- netlogon proxy only
[2008/04/15 15:34:51, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password host/ELITIL1@ELISABETH.NL failed: Client not found in Kerberos database
[2008/04/15 15:34:51, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain ELISABETH failed: Client not found in Kerberos database
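
An added example, not part of any post in this thread and not HP CIFS Server or Samba code: a small pre-flight check that ties the winbindd log line "idmap uid range missing or invalid" back to the posted smb.conf, and also compares the separator used in `valid users` with the configured `winbind separator`. The function names are hypothetical, the sample is constructed from the settings shown above, and `idmap uid`, `idmap gid` and `winbind separator` are Samba 3.0 parameters that the posted config does not set.

```python
import re

# Constructed sample: only the settings from the thread that matter for this check.
SAMPLE_SMB_CONF = '''
[global]
   realm = ELISABETH.NL
   security = ADS
   workgroup = DOMAIN

[folders]
   path = /samba_exports
   valid users = @"elisabeth+FS_C_SAMBA_PACS_FOLDERS"
'''

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check_winbind_prereqs(conf):
    """List settings that keep winbindd from mapping the AD groups named in 'valid users'."""
    problems = []
    g = conf.get("global", {})
    for param in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get(param, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"{param} range missing or invalid")
    sep = g.get("winbind separator", "\\")  # Samba's default separator is a backslash
    for name, params in conf.items():
        for group in re.findall(r'@"?([^",\s]+)', params.get("valid users", "")):
            if sep not in group and re.search(r"[+\\/]", group):
                problems.append(f"[{name}] valid users '{group}' does not use winbind separator '{sep}'")
    return problems

if __name__ == "__main__":
    for p in check_winbind_prereqs(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARN:", p)
```

The group-name pattern stops at whitespace, so quoted group names that contain spaces are only checked up to the first space.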