Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.


Jobs from Indeed

Link To This Forum!

Partner Button
Add Stickiness To Your Site By Linking To This Professionally Managed Technical Forum.
Just copy and paste the
code below into your site.

net ads join -->Kinit failed: Client not found in Kerberos database

net ads join -->Kinit failed: Client not found in Kerberos database

Hi all!
I'm new to this forum... and a newbie in samba + ads configuration.

I have this problem:

I'm trying to config my server (Freebsd 6.2 - Samba 3.0.25a - heimdal - openldap) to act as a native AD client.
For this purpose i' ve used this howto: @"
things seems to go allright until i' ve typed:


net ads join
and it reutrned (after prompting for password):



  Kinit failed: Client not found in Kerberos database
Failed to join domain: Improperly formed account name

I don' t know where i'm wrong, becuse if i type


wbinfo -u
i see all my users in the DC!!

Plz help me... Thanks

theese are my config files:



        workgroup = YYYY
        realm = YYYY.XXXX.IT
        encrypt passwords = yes
        server string = Samba Server
        security = ADS
        password server = SERVER2003
        #winbind_separator = \
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        allow trusted domains= No
        log file = /var/log/samba/log.%m
        max log size = 50
        printcap name = cups
        disable spoolss = Yes
        disable netbios = Yes
        show add printer wizard = No
        preferred master = No
        domain master = No
        dns proxy = No
        read only = No
        wins server = SERVER2003.YYYY.XXXX.IT
        ldap ssl = No
        ldap admin dn = "cn=Administrator,cn=Users,DC=YYYY,DC=XXXX,DC=IT"
        idmap backend = idmap_rid:YYYY=10000-30000
        idmap uid = 10000-30000
        idmap gid = 10000-30000
        template shell = /usr/local/bin/bash
        winbind use default domain = Yes
        client signing = mandatory
        server signing = mandatory
        smb ports = 445
        restrict anonymous = 2
        client schannel = yes
        server schannel = yes
        client ntlmv2 auth = yes
        logon path =


default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

        default_realm = YYYY.XXXX.IT
        CEDI.DALFINI.IT = {
                kdc = SERVER2003.YYYY.XXXX.IT
                default_domain = YYYY.XXXX.IT
                admin_server = SERVER2003.YYYY.XXXX.IT
[domain_realm] = YYYY.XXXX.IT = YYYY.XXXX.IT
        pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false


# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=YYYY, dc=XXXX, dc=IT
#URI    ldap:// ldap://
ldap_version 3
#DEREF        never
binddn cn=Administrator,cn=Users,dc=YYYY,dc=XXXX,dc=IT
bindpw BindPassword

 # Search scope
scope sub

# User ID attr for AD
pam_login_attribute sAMAccountName

#MD5 passwd hash
pam_password md5
# Break of the connection after one hour idle time
idle_timelimit 3600
# This is mapping made possible by nss_ldap
# Bases for the searches. These should be the OU's
# you create the user accounts in.
# Here we reference the standard default AD user container
# Please change to the container your users reside in
nss_base_passwd cn=Users,dc=CEDI,dc=DALFINI,dc=IT?one
nss_base_group cn=Users,dc=CEDI,dc=DALFINI,dc=IT?one

# The msSFU mappings reference Microsoft's Services for Unix
# Which you may uncomment if you have this installed on your DC
# *Schema mappings for Active Directory*
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
#nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

# SSL is enabled - Comment this line if no MS Enterprise Root CA Cert
ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no" Uncomment this is you have a client cert (you won't MS LDAP
# over SSL does not auth client cert, just a valid AD password)
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
# This again refers to the MS Root CA Cert - comment it if none
TLS_CACERT /lib/server2003.pem

# SSL cipher suite
# See man ciphers for syntax
# comment this if no cert
tls_ciphers TLSv1

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
krb5_ccname FILE:/tmp/krb5cc_0

RE: net ads join -->Kinit failed: Client not found in Kerberos database

I've got the same issue. Trying to join a 2008 domain though.

RE: net ads join -->Kinit failed: Client not found in Kerberos database

Nobody can help me? I really don' t know what to do!

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!


Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close