-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Rafiq_Maniar@xxxxxxxx
Sent: Tuesday, November 16, 2004 1:01 PM
To: fedora-list@xxxxxxxxxx
Subject: RE: Authenticating off a Windows 2003 ADS DC with Samba/Winbind

Ok guys, at least I know that it does work for other people. Here's the network configuration:

- Windows 2003 Server gx270-rmaniar [192.168.0.100]
- Fedora Core 3 gx280rmaniarFC3 [192.168.0.5]

FYI: A Windows XP box correctly connects to the DC OK.

**********************
Here's what I've done:

- removed the Active Directory service from the W2K3 box and started from scratch again.
- configured /etc/krb5.conf
- timesynced both the Linux and Windows boxes
- Used kinit Administrator@xxxxxxxx to login, all OK.
- Can login to smb share using smbclient -k //gx270-rmaniar/C$ so kerberos ticket is ok.
- configured winbind/smb.conf using the Authentication applet.
- smb/winbind are started ok.

**********************
Here's the problem:

[root@gx280rmaniarFC3 samba]# net ads join -S gx270-rmaniar -U Administrator
Administrator's password:
[2004/11/16 17:35:12, 0] libads/ldap.c:ads_join_realm(1640)
  ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists

So it says it exists already, despite the fact that it's not shown in the 'Computers' list in AD. Tried it again, and got:

[root@gx280rmaniarFC3 pam.d]# net ads join -S gx270-rmaniar -U Administrator
Administrator's password:
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_add_machine_acct(1297)
  ads_add_machine_acct: Host account for gx280rmaniarfc3 already exists - modifying old account
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_join_realm(1640)
  ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists

The computer now appears in the "Computers" list on the Windows server.
[root@gx280rmaniarFC3 samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret

**********************
Here's the relevant info from smb.conf:

workgroup = TEST.COM
security = ads
password server = 192.168.0.100
realm = TEST.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no

And someone asked for authconfig --test --kickstart:

caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "127.0.0.1"
 LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is enabled
 SMB workgroup = "TEST.COM"
 SMB servers = "192.168.0.100"
 SMB security = "ads"
 SMB realm = "TEST.COM"
 Winbind template shell = "/bin/bash"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 md5 passwords are enabled
pam_krb5 is disabled
 krb5 realm = "TEST.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "192.168.0.100:88,192.168.0.100"
 krb5 kdc via dns is disabled
 krb5 admin server = ""
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "127.0.0.1"
 LDAP base DN = "dc=example,dc=com"
pam_smb_auth is disabled
 SMB workgroup = "TEST.COM"
 SMB servers = "192.168.0.100"
pam_winbind is enabled
 SMB workgroup = "TEST.COM"
 SMB servers = "192.168.0.100"
 SMB security = "ads"
 SMB realm = "TEST.COM"
pam_cracklib is enabled (retry=3)
pam_passwdqc is disabled ()

So there you have it. I've googled for the problem with no luck. Any ideas?
Thanks,
Rafiq

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list


Rafiq,

One problem I can see right off the bat is that the domain name you have chosen for your DC is test.com. This has caused problems in the past using real domain names because DNS tells the stations to look elsewhere for info. I know it is a hassle to reload Server 2003, especially if this is on a working machine. But I would suggest that you use a domain name of test.local so it does not look outside your network for resolution.

Thanx,
Don Casey
Systems Administrator
World Ramp Inc.
2221 Lee Rd. Suite 25
Winter Park, Fl 32789
(407)740-5987
(407)740-7250 Fax
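A sanity check over the smb.conf fragment quoted in the thread, added here as an example and not part of either message: it parses the [global] parameters and flags values that do not fit a security = ads winbind setup. The workgroup rule (it should hold the NetBIOS short domain name, not the DNS realm) is this example's own addition, which the thread does not raise, so treat that finding as something to verify against the DC.

```python
import re

# Constructed copy of the smb.conf fragment posted in the thread (not a live file).
SMB_CONF = """
[global]
workgroup = TEST.COM
security = ads
password server = 192.168.0.100
realm = TEST.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
"""

def parse_smb_conf(text):
    """Parse 'key = value' lines into a dict. Samba ignores case and whitespace
    inside parameter names, so keys are normalised to lowercase without spaces."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_ads_config(params):
    """Return a list of findings for a security = ads winbind configuration."""
    findings = []
    if params.get("security", "").lower() != "ads":
        return findings
    realm = params.get("realm", "")
    if not realm:
        findings.append("realm is required when security = ads")
    elif realm != realm.upper():
        findings.append("realm should be the Kerberos realm in upper case")
    wg = params.get("workgroup", "")
    # workgroup is the NetBIOS (short) domain name, e.g. TEST; AD NetBIOS domain
    # names cannot contain a dot and are limited to 15 characters.
    if "." in wg or len(wg) > 15:
        findings.append("workgroup %r looks like a DNS name; expected the NetBIOS short domain name" % wg)
    return findings

if __name__ == "__main__":
    for f in check_ads_config(parse_smb_conf(SMB_CONF)):
        print("WARN:", f)
```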