Kinit failed error when joining Linux to AD

[HodgeHi]

Hello,

I have been going through the installation guide for setting up a Linux box running as a print server with Pykota installed. As complete Linux Noob it is somewhat a little difficult.

I have got to the point where i need to join it to the AD. I run the command

Code:

net ads join -U administrator

and the output is less than satisfying but i am not sure why it failed.The output was this:

[2008/06/28 20:49:59, 0] libsmb/cliconnect.c:cli_session_setup_spnego(785)
Kinit failed: Configuration file does not specify default realm

Any ideas as to why?

I literally copied and pasted the smb.conf from the guide into the smb.conf file on my debian 4r3 install. I changed the netbios name to point to my AD server (wasn't sure if this was right) and l also changed the realm name CRONEHILLS.SANDWELL.SCH.UK. I set the workgroup to CRONEHILLS and i removed the WINS server line as i am not using one.

I copied and pasted the krb5 into the one on the debian box too. I edited to read

kdc = SERVER1.CRONEHILLS.SANDWELL.SCH.UK
admin_server = SERVER1.CRONEHILLS.SANDWELL.SCH.UK

So from what i can see the realm is in correctly.

[HodgeHi]

I have since resolved (i think) this error. I had removed the section for the default realm. I have now put this back in but am still struggling with the general configuration of the kerberos setup.

I had configured the smb.conf, nsswitch.conf, and krb5.conf file as best i can work out and when i try to run the command net ads join -U administrator i get the error:

utils/net_ads.c:ads_startup(289)
ads_connect: Invalid credentials

If i change the configs i usually end up with:

preauthentication failed.

I'm not entirely sure which is the better of the 2.

And my network device keeps getting a no entry sign on it saying no network devices found but yet it still resolves and pings addresses...



I looked up the error and on the Ubuntu forum a guy said he had the problem mentioned in this post and was down to DNS issues although i could resolve the server name fine. Just for information this edit.

[localzuk]

When I set up SMB/Winbind authentication on my machines, I used the tutorials here:
https://help.ubuntu.com/community/Ac...ryWinbindHowto
https://help.ubuntu.com/community/Samba/Kerberos

Ok, they're for Ubuntu, but they should apply to debian too. Hope these help.

[HodgeHi]

Thanks. I will look into these. Just re-installing Server 2003 at the moment.

[ahuxham]

Remove the server names as well, and use the IP addresses for a start, as this will ease any problems.

Easier way to join as well is as follows:

Code:

net ADS join -S 192.168.0.xx -U administrator%password

Samba.conf:

PHP Code:

[global]
netbios name = servername
workgroup = name
realm = school.somerset.sch.uk
password server = primary DC IP_ADDR
security = ADS
winbind use default domain = yes 


krb5.conf

PHP Code:

[libdefaults]
default_realm = SCHOOL.SOMERSET.SCH.UK
clockskew = 300

[realms]
   SCHOOL.SOMERSET.SCH.UK = {
      kdc = DC IP address
      kdc = DC IP address as a failover
      admin_server = DC IP address
      default_domain = SCHOOL.SOMERSET.SCH.UK
} 


Thats the absolute minimum requried for joining to a domain, please not CAPS ARE THERE FOR A REASON. Kerberbos and the k* programs are very strict on this fact, if prompted to enter domain name, ALWAYS ensure caps!

[HodgeHi]

Cheers for posting your config files. I had a look at the links localz posted up and decided to give those a try. And i was successful in managing to get the server to join the server 2003 domain.

The only thing is though is i am not sure how much on Ric_ guide was required by the PyKota system.

I also did not get the required output from the nsswitch test.
I haven't got access to them right at this moment so can't post what i tried. I did this last night while watching Germany lose miserably.

[ahuxham]

http://www.centeris.com/products/likewise_open/index.php

Is a good program, does all the Active Directory joining as well, configures your krb5.conf, smb.conf, nsswitch.conf, pam.d/* files etc for intergration, (and it never seems to fail)

[Geoff]

BTW, if you using MIT Keberos, you do not need a krb5.conf file at all. Kerberos will read all the server settings from DNS. Just like windows does.

[HodgeHi]

How do you install the MIT Kerberos. Is this the same as the krb5.config install?

[Geoff]

On ubuntu all I need to do to get functional Keberos for samba is to install 'krb5-usr'. The package configuration will ask some questions then generate a krb.conf file. However as I said, it's not nessercery and I prefer to rely on DNS. So I remove the /etc/krb5.conf file. kinit works fine.

[HodgeHi]

Cool. I will try this out when i start to build for the actual domain.