[root@ ]# net ads join -U Administrator
[2010/03/05 15:06:50, 0] param/loadparm.c:7444(lp_do_parameter)
Ignoring unknown parameter “use kerberos keytab”
Enter Administrator’s password:
Using short domain name — ADTEST
Joined ‘WODAO2′ to realm ‘adtest.corp.net’
No DNS domain configured for wodao2. Unable to perform DNS Update.
DNS update failed!

Here is testparm output (unknown parameter):

[root@wodao2 pam.d]# testparm
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: “use kerberos keytab”
Ignoring unknown parameter “use kerberos keytab”
Loaded services file OK.

A samba net ads join will create a keytab, will populate it with SPNs, will create an AD computer account, and will populate the serviceprincipalnames field for it — however, I have not found a mechanism by which they are directly usable.

IE: kinit -kt /etc/krb5.keytab host/hostname.myfqdn should work, but with SPNs it fails.

What apparently needs to be done, and what ktpass does, is to map the userprincipalname under the account, but unfortunately AD only supports one userprincipalname per user account.

You can create a valid keytab entru by doing net ads join and using the createupn field accordingly, it would seem.

The issue i’m having is when I log on to my shared drive ‘MyShare’ it works fine but i see it creates a directory for me called drew (ad domain name)… i’ve tried to log in but can’t. But I can log into the regular samba share..any ideas?

More important that the disto version you’re running is the Samba version, you can find this using for ex. net -V

You should first check that you can reach the domain CG.DC.FOR.ad.corp.com by using for ex. ping IP.ADDR.OF.CG.DC.FOR.ad.corp.com, if you will use -I, or that you can resolve and reach the host DNS.NAME.OF.CG.DC.FOR.ad.corp.com, if you will use -S, for ex. host/nslookup/dig DNS.NAME.OF.CG.DC.FOR.ad.corp.com and ping DNS.NAME.OF.CG.DC.FOR.ad.corp.com

you can find the list of SRV’s using AD DNS and query for SRV records of type _ldap._tcp.gc._msdcs.

Also if something is not working, restart by first deleting from AD the incomplete entry for the Samba machine and don’t use -S with IP, use -S name or use -I IP, or use -I IP and -S name in the net cmd

I’m have OpenSuse 10.3 and im trying to join it to a Win2k ADS. When i try to net join -S IP.ADDR -U administrator%password i get: utils/net_rpc_join.c:net_rpc_join_newstyle(350)
Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME Unable to join domain COMBI. The strange thing is I get computerobject in the ADS. I have the same configuration as your previous articles. Kerberos is working fine.

any ideas??

“getent passwd” tells us if the LDAP configuration is working (which it is, apparently), but you also need to configure Kerberos. I didn’t put Kerberos configuration details in this article because I’ve covered it several times in other articles; refer to this article for more information:

http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/

That should give you the information you need to configure Kerberos properly. Once Kerberos is properly configured, you should be able to use “kinit username” (assuming the default Kerberos realm) and successfully authenticate. “klist” will then show a Kerberos ticket.

Hope this helps,
Scott

I got getent password to work ok ,but steel have problem with samba:
from /var/log/messages:

smbd[XXXX]: GSSAPI Error: Miscellaneous failure (No credentials cache found)

smb.conf configured as above.
any idea why?