INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

net ads join -->Kinit failed: Client not found in Kerberos database

net ads join -->Kinit failed: Client not found in Kerberos database

(OP)
Hi all!
I'm new to this forum... and a newbie in samba + ads configuration.

I have this problem:

I'm trying to config my server (Freebsd 6.2 - Samba 3.0.25a - heimdal - openldap) to act as a native AD client.
For this purpose i' ve used this howto: @http://oslabs.mikro-net.com/fbsd_samba.html"
things seems to go allright until i' ve typed:
 -

CODE

net ads join
and it reutrned (after prompting for password):

 -

CODE

  libsmb/cliconnect.c:cli_session_setup_spnego(853)
  Kinit failed: Client not found in Kerberos database
Failed to join domain: Improperly formed account name

I don' t know where i'm wrong, becuse if i type

CODE

wbinfo -u
i see all my users in the DC!!

Plz help me... Thanks

theese are my config files:

CODE

-------------------------smb.conf------------------------


[global]
        workgroup = YYYY
        realm = YYYY.XXXX.IT
        encrypt passwords = yes
        server string = Samba Server
        security = ADS
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
        password server = SERVER2003
        #winbind_separator = \
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        allow trusted domains= No
        log file = /var/log/samba/log.%m
        max log size = 50
        printcap name = cups
        disable spoolss = Yes
        disable netbios = Yes
        show add printer wizard = No
        preferred master = No
        domain master = No
        dns proxy = No
        read only = No
        wins server = SERVER2003.YYYY.XXXX.IT
        ldap ssl = No
        ldap admin dn = "cn=Administrator,cn=Users,DC=YYYY,DC=XXXX,DC=IT"
        idmap backend = idmap_rid:YYYY=10000-30000
        idmap uid = 10000-30000
        idmap gid = 10000-30000
        template shell = /usr/local/bin/bash
        winbind use default domain = Yes
        client signing = mandatory
        server signing = mandatory
        smb ports = 445
        restrict anonymous = 2
        client schannel = yes
        server schannel = yes
        client ntlmv2 auth = yes
        logon path =

-----------------------krb5.conf---------------------------

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = YYYY.XXXX.IT
[realms]
        CEDI.DALFINI.IT = {
                kdc = SERVER2003.YYYY.XXXX.IT
                default_domain = YYYY.XXXX.IT
                admin_server = SERVER2003.YYYY.XXXX.IT
        }
[domain_realm]
        .yyyy.xxxx.it = YYYY.XXXX.IT
         yyyy.xxxx.it = YYYY.XXXX.IT
        .YYYY.XXXX.IT = YYYY.XXXX.IT
[appdefaults]
        pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
}

---------------------------ldap.conf------------------------

#
# LDAP Defaults
#
host SERVER2003.YYYY.XXXX.IT
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=YYYY, dc=XXXX, dc=IT
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
ldap_version 3
#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never
URI ldaps://YYYY.XXXX.IT
binddn cn=Administrator,cn=Users,dc=YYYY,dc=XXXX,dc=IT
bindpw BindPassword

 # Search scope
scope sub

# User ID attr for AD
pam_login_attribute sAMAccountName

#MD5 passwd hash
pam_password md5
# Break of the connection after one hour idle time
idle_timelimit 3600
# This is mapping made possible by nss_ldap
# Bases for the searches. These should be the OU's
# you create the user accounts in.
# Here we reference the standard default AD user container
# Please change to the container your users reside in
nss_base_passwd cn=Users,dc=CEDI,dc=DALFINI,dc=IT?one
nss_base_group cn=Users,dc=CEDI,dc=DALFINI,dc=IT?one

# The msSFU mappings reference Microsoft's Services for Unix
# Which you may uncomment if you have this installed on your DC
# *Schema mappings for Active Directory*
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
#nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

# SSL is enabled - Comment this line if no MS Enterprise Root CA Cert
ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no" Uncomment this is you have a client cert (you won't MS LDAP
# over SSL does not auth client cert, just a valid AD password)
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
# This again refers to the MS Root CA Cert - comment it if none
TLS_CACERT /lib/server2003.pem

# SSL cipher suite
# See man ciphers for syntax
# comment this if no cert
tls_ciphers TLSv1

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
krb5_ccname FILE:/tmp/krb5cc_0

RE: net ads join -->Kinit failed: Client not found in Kerberos database

I've got the same issue. Trying to join a 2008 domain though.

RE: net ads join -->Kinit failed: Client not found in Kerberos database

(OP)
Nobody can help me? I really don' t know what to do!

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close