Operating System - HP-UX

Re: Samba connectivity to Active Directory 2003 domain...

 
Harihar K
New Member

Samba connectivity to Active Directory 2003 domain...

I executed the "samba_setup" utility to connect to our AD domain and I received the message:
==============
An error occurred in the join command!

Net ads join returned the following:
ads_set_machine_password: KRB5 error code 52
==============

I know I provided the correct info on the realm, ADS DC and Admin account as it asked for the domain admin password.

What could be the reason for this error? Appreciate a prompt reply. Thanks.
Peter Godron
Honored Contributor

Re: Samba connectivity to Active Directory 2003 domain...

Hi,
how many groups does the user belong to?
Also see:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=792689

And, as it is your first post (Welcome!):
http://forums1.itrc.hp.com/service/forums/helptips.do?#28
Steven E. Protter
Exalted Contributor

Re: Samba connectivity to Active Directory 2003 domain...

Shalom,

Note that changes may be required to the ADS machine PDC in order to facilitate this interactivity.

A patch is required to make Windows 2003 ADS work properly with certain versions of Kerberos.

Also note there was a security bulletin this week on CIFS/9000 that requires a new version installation to close the exploit.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Geoff Wild
Honored Contributor

Re: Samba connectivity to Active Directory 2003 domain...

Actually, go check out my thread - tells you how to get this up and running.



You need to be at CIFS version A.02.01.01 or higher (I used A.02.01.02 - latest from HP).

You need LDAP-UX installed and Kerberos:

J4269AA B.03.30 LDAP-UX Integration

and

# swlist |grep -i ker
KRB5CLIENT C.1.3.5.01 Kerberos V5 Client Version 1.3.5.01


See this thread for more info:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=949365

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Eric Raeburn
Trusted Contributor

Re: Samba connectivity to Active Directory 2003 domain...

I looked up error 52 in /usr/include/krb5.h. Until recently it was defined as a "placeholder", then it was redefined as KRB5KRB_ERR_RESPONSE_TOO_BIG. Hence it is difficult to know if Microsoft is using the new, standard meaning, or one they invented.

If they are using the standard meaning, then this thread may help, which I found by Googling the new definition:

http://www.stacken.kth.se/lists/heimdal-discuss/2003-11/msg00008.html

-Eric
Eric Raeburn
Trusted Contributor

Re: Samba connectivity to Active Directory 2003 domain...

Upon further investigation, it seems that if the thread I referenced is relevant, then only reducing the number of groups will work. I tried the syntax suggested in the thread:

kdc = tcp/kdc.domain

but the Kerberos library on my HP-UX system did not like that. Check out the thread...the server is Windows.

-Eric
eric roseme
Respected Contributor

Re: Samba connectivity to Active Directory 2003 domain...

Here's a whitepaper that goes into exhaustive detail about configuring HP CIFS Server to authenticate to ADS using Kerberos. There are many things that can go wrong, so it would be hard to guess.

http://www.docs.hp.com/en/7213/HPCIFSKerberosV103.pdf

Hint: When doing any net command line, use the "-d 10" parm to set debug to 10. The Kerberos auth-n errors only display at log level 10. So you'll have to forego the samba_setup script and do the tasks manually in order to get the debug level that you need.

Eric Roseme