Novell Archives: Archived content from Novell openSUSE support forums
Does anyone know how to get samba to authenticate & join to ADS? I'd like my Windows workstation to read Samba shares and for Samba to use the ADS authentication.

When I try to 'net ads join -U Administrator', I get a lot of

    get_service_ticket: kerberos_kinit_password SERVER$@EXAMPLE.COM@EXAMPLE.COM failed: Preauthentication failed

When I try to 'net ads join -U Administrator -d8', I also see

    kerberos_derive_salting_principal_for_enctype(552) is reporting - verify_service_password: get_service_ticket failed: Preauthentication failed

Can anyone help?
end-user wrote:
> Can anyone help?

Make sure your kerberos configuration is correct. Use "kinit" to test this. Also, there may be some issues with the fact that SLES9 uses the Heimdal (open source) version of Kerberos and not the MIT version. SLES10 will go back to MIT.

--
Justin Grote
Novell Support Connection Sysop
Network Architect
JWG Networks
Justin Grote [SysOp] wrote:
> end-user wrote:
>> Can anyone help?
>
> Make sure your kerberos configuration is correct. Use "kinit" to test
> this. Also, there may be some issues with the fact that SLES9 uses the
> Heimdal (open source) version of Kerberos and not the MIT version.
> SLES10 will go back to MIT.

Hmmm... I join SUSE 9 boxes... and I think SLES9 as well to ADS all the time.. just configure the realm stuff in smb.conf and do the 'net ads join -S mypdc -U administrator' and I can enumerate users off the windows domain just fine.
Chris Cox wrote:
> Hmmm... I join SUSE 9 boxes... and I think SLES9 as well to ADS
> all the time.. just configure the realm stuff in smb.conf and
> do the 'net ads join -S mypdc -U administrator' and I can enumerate
> users off the windows domain just fine.

Oh I didn't mean that, I just mean there might be some "gotchas" if you follow word-for-word other procedures that require MIT instead of Heimdal. I've gotten SLES9 to join just fine several times as well.

--
Justin Grote
Novell Support Connection Sysop
Network Architect
JWG Networks
Justin Grote [SysOp] wrote:
> Make sure your kerberos configuration is correct. Use "kinit" to test
> this. Also, there may be some issues with the fact that SLES9 uses the
> Heimdal (open source) version of Kerberos and not the MIT version.
> SLES10 will go back to MIT.

'kinit -5 -V' says "Authenticated to Kerberos v5"
'klist -5' shows a valid ticket in the cache

I'm running OpenSuSE 10.0; YaST says I've got the MIT version installed, v1.4.1-5.
end-user wrote:
> I'm running OpenSuSE 10.0; YaST says I've got the MIT version installed,
> v1.4.1-5.

Err, oops, sorry, thought this was the SLES forum. Check Please!

Post your krb5.conf file. Make sure the realms match (the fact that kinit worked means they most likely do).

Here's another article on the process, you may just want to dot the i's and cross the t's to make sure you didn't miss something:

http://www.enterprisenetworkingplane...le.php/3487081

--
Justin Grote
Novell Support Connection Sysop
Network Architect
JWG Networks
Justin Grote [SysOp] wrote:
> Post your krb5.conf file. Make sure the realms match (the fact that
> kinit worked means they most likely do).

    [libdefaults]
        ticket_lifetime = 24000
        default_realm = LOCUSTCREEK.NET
    #   default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
    #   default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
        clockskew = 300

    [logging]
        default = FILE:/var/log/krb5lib.log

    [domain_realm]
        .locustcreek.net = LOCUSTCREEK.NET
        locustcreek.net = LOCUSTCREEK.NET

    [realms]
        LOCUSTCREEK.NET = {
            kdc = locustcreek.net
            default_domain = locustcreek.net
            admin_server = locustcreek.net
        }

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 0
            try_first_pass = true
        }

> Here's another article on the process, you may just want to dot the i's
> and cross the t's to make sure you didn't miss something:
>
> http://www.enterprisenetworkingplane...le.php/3487081

Now, here's a question. The article states that "The workgroup is the name of your AD domain", yet, under the global parameters, it has:

    workgroup = BIGSERVER
    realm = DOMAIN.NET

Am I misreading that, or is it correct because of the host file entry:

    192.168.10.5 bigserver.domain.net bigserver

Also, I've got another interesting quirk. When I run wbinfo -u|-g, it's not listing my realm with my users|groups, neither is it listing my local users|groups.
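The "make sure the realms match" advice in the thread can be checked mechanically. The Python sketch below is an added example, not part of the original posts: it parses the krb5.conf posted above (abridged) together with a constructed smb.conf whose values are assumptions, and reports where default_realm, the [realms] and [domain_realm] entries, and Samba's realm setting disagree (the Samba realm is compared ignoring case). The function names parse and check are hypothetical.

```python
# Abridged from the krb5.conf posted in the thread.
KRB5_CONF = """
[libdefaults]
default_realm = LOCUSTCREEK.NET
[domain_realm]
.locustcreek.net = LOCUSTCREEK.NET
locustcreek.net = LOCUSTCREEK.NET
[realms]
LOCUSTCREEK.NET = {
kdc = locustcreek.net
}
"""
# Constructed smb.conf [global]; the thread never shows the poster's real one.
SMB_CONF = """
[global]
workgroup = LOCUSTCREEK
realm = LOCUSTCREEK.NET
security = ads
"""

def parse(text):
    """Return {section: {key: value}}; a 'NAME = {' block becomes a nested dict."""
    out, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = out.setdefault(line[1:-1].lower(), {}), None
        elif line == "}":
            block = None
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = val
    return out

def check(krb5_text, smb_text):
    """Return a list of realm mismatches between krb5.conf and smb.conf."""
    krb, smb = parse(krb5_text), parse(smb_text).get("global", {})
    default = krb.get("libdefaults", {}).get("default_realm", "")
    realms = krb.get("realms", {})
    tests = [(default in realms, f"default_realm {default!r} has no [realms] entry"),
             (smb.get("security", "").lower() == "ads", "smb.conf: security is not ads"),
             (smb.get("realm", "").upper() == default.upper(),
              f"smb.conf realm {smb.get('realm')!r} differs from {default!r}")]
    tests += [(r in realms, f"[domain_realm] {d} maps to undefined realm {r!r}")
              for d, r in krb.get("domain_realm", {}).items()]
    return [msg for ok, msg in tests if not ok]
print(check(KRB5_CONF, SMB_CONF) or "krb5.conf and smb.conf agree on the realm")
```

An empty list from check() means the two files name the same realm; it does not test the machine account password, clock skew or encryption types.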