If you weren't able to integrate Active Directory with Linux, don't worry. This page shows how to test Kerberos authentication and join the Active Directory domain manually so you can identify where the problem is.
Launch a terminal window and run the commands shown below.
Test the Kerberos authentication
Kerberos is the authentication mechanism Active Directory uses to verify user and host identities. We will use kinit, the command that obtains a Kerberos ticket-granting ticket (TGT), to test that Kerberos authentication works.
[root@mail ~]# kinit bugsbunny
Change bugsbunny to any Active Directory user account.
If it replies
- Cannot resolve network address for KDC in requested realm while getting initial credentials
This is a DNS problem: check your DNS configuration, or enter the IP addresses of the domain controllers in the Domain Controllers field of the Winbind Settings.
- Cannot find KDC for requested realm while getting initial credentials
Check the spelling of your Active Directory realm and check the spelling in Winbind Settings. Capitalization is important.
- Client not found in Kerberos database while getting initial credentials
Check that the user name you typed actually exists in Active Directory.
- Cannot contact any KDC for requested realm while getting initial credentials
Check that the domain controller you specified in Winbind Settings is actually running and is not blocked by a firewall.
See Winbind Setting for RHEL/CentOS 5
See Winbind Setting for RHEL/CentOS 4
Password for bugsbunny@ACME.LOCAL: type in the password here
If it replies
- Preauthentication failed while getting initial credentials
It means the password is wrong.
- Password has expired while getting initial credentials
The password is no longer valid and needs to be changed.
- Clock skew too great while getting initial credentials
Synchronize your clocks using NTP. For a quick and temporary fix, use net time set to synchronize time with the domain controller.
Join the Active Directory Domain
[root@mail ~]# net ads join -U administrator
Replace administrator with any user name having Domain Admin rights. Specify your password when asked. You should be able to join the Active Directory domain now.
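As an added example (not code from the original post), the shell functions below wrap the two steps above: they run kinit, map the error strings listed on this page to the recommended fix, and then run the join followed by the two checks a working Winbind setup must pass. The function names and the wording of the hints are assumptions of mine; kinit, net and wbinfo are assumed to be installed and the realm and domain controllers already configured.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT Kerberos kinit and
# Samba's net/wbinfo are installed, and that the realm and domain controllers
# are already configured in krb5.conf and smb.conf.

# Map one kinit error line to the remedy the post recommends.
# Prints "category: hint"; "unknown: <message>" for anything not covered.
diagnose_kinit_error() {
    case "$1" in
        *"Cannot resolve network address for KDC"*)
            echo "dns: check DNS, or use DC IP addresses in the Domain Controllers field" ;;
        *"Cannot find KDC for requested realm"*)
            echo "realm: check the realm spelling, including capitalization" ;;
        *"Client not found in Kerberos database"*)
            echo "user: that account does not exist in Active Directory" ;;
        *"Cannot contact any KDC for requested realm"*)
            echo "network: domain controller down or firewalled (Kerberos port 88)" ;;
        *"Preauthentication failed"*)
            echo "password: wrong password" ;;
        *"Password has expired"*)
            echo "password: expired, change it in Active Directory first" ;;
        *"Clock skew too great"*)
            echo "clock: sync with NTP, or temporarily: net time set -S <dc>" ;;
        *)
            echo "unknown: $1" ;;
    esac
}

# Step 1 of the post: obtain a ticket as an AD user, diagnosing any failure.
# kinit prompts for the password on the terminal; only stderr is captured.
test_kerberos() {
    tmp=$(mktemp) || return 1
    if kinit "$1" 2>"$tmp"; then
        rm -f "$tmp"; echo "ok: ticket obtained for $1"; return 0
    fi
    diagnose_kinit_error "$(cat "$tmp")"; rm -f "$tmp"; return 1
}

# Step 2: join, then verify the join and that winbind can enumerate users
# (a join can succeed while wbinfo -u still fails; see log.winbindd then).
join_and_verify() {
    net ads join -U "$1" || { echo "join: net ads join failed"; return 1; }
    net ads testjoin || { echo "join: testjoin failed"; return 1; }
    wbinfo -u >/dev/null || { echo "winbind: cannot enumerate domain users"; return 1; }
    echo "ok: joined and winbind can list domain users"
}

# Interactive usage: test_kerberos bugsbunny && join_and_verify administrator
```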
***
Posted on 4/25/2007 and last updated on 10/31/2008
Filed under Active Directory , Kerberos , Samba
May 6th, 2008 at 4:34 pm
Hi. I'm running opensuse 10.3 and samba-3.0.26a-3.5. I'm trying to make Windbind and Active Directory work together. When I run smb -b | grep LDAP I don't get HAVE_LDAP_DOMAIN2HOSTLIST
host:/etc/samba # smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_ADD_RESULT_ENTRY
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS
Should I necessarily have it listed?
However trying:
host:/etc/samba # kinit -V admin@PRUEBA
Password for admin@PRUEBA:
Authenticated to Kerberos v5
host:/etc/samba # net ads join -U admin
admin's password:
Using short domain name -- MAIN
Joined 'HOST' to realm 'PRUEBA'
host:/etc/samba # net ads testjoin
Join is OK
When I run wbinfo -u
host:/etc/samba # wbinfo -u
Error looking up domain users
And I see the message in the log file and when I run
[2008/05/02 13:32:30, 1] libads/cldap.c:recv_cldap_netlogon(247) Failed to parse cldap reply
It seems it’s working, but I just keep getting those errors in the log files and of course it won’t work. Can anybody help me?
Thank you in advance.