FC5 joining Domain Controller (win2003)

  • AnarchY SI
  • Web Master
  • Web Master
  • User avatar
  • Joined: Oct 30, 2004
  • Posts: 2521
  • Loc: /usr/src/MI
  • Status: Offline

Post January 20th, 2007, 12:53 pm

http://www.planetmy.com/blog/?p=248

Follow that tutorial. It's for Fedora Core 6, but there shouldn't be much of a difference in the how-to, if there's any difference at all.
"In a world without walls and fences, who needs Windows and Gates?"

  • zillah
  • Student
  • Student
  • No Avatar
  • Joined: May 04, 2005
  • Posts: 77
  • Status: Offline

Post January 20th, 2007, 12:56 pm

Could you please check the URL, because I could not get it to work.
AnarchY SI (Web Master)

Post January 20th, 2007, 1:01 pm

zillah wrote:
Could you please check the URL, because I could not get it to work.

? works for me ?

i guess you could try this:
http://www.google.com/search?q=How+to+j ... +Directory
should be the first link that comes up in the search.
zillah (Student)

Post January 20th, 2007, 1:07 pm

Quote:
i guess you could try this:

Very strange, it did not work for me, though I tried the link in two browsers, IE and Firefox.

Could you please copy it to a Word document and send it to my email address: forwardtruth@yahoo.com

Regards
AnarchY SI (Web Master)

Post January 20th, 2007, 1:53 pm

I wouldn't publicly post your email address, but I can see what I can do.
zillah (Student)

Post January 20th, 2007, 2:04 pm

Quote:
I wouldn't publicly post your email address,

This email is for one-time use only, do not worry.
AnarchY SI (Web Master)

Post January 20th, 2007, 2:08 pm

OK, it's been sent.
zillah (Student)

Post January 29th, 2007, 6:59 am

I followed what you posted: http://www.planetmy.com/blog/?p=248

I installed FC6 on VMware V6.0.

I have installed all the required packages that have been mentioned; the only thing that I have not touched is Network Time Protocol.

[root@localhost ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = rami.global
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
rami.global = {
kdc = 192.168.2.10
default_domain = 192.168.2.10
kdc = rami.global
}

[domain_realm]
.rami.global = rami.global
rami.global = rami.global


[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root@localhost ~]#

gedit /etc/smb.conf
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = rami
security = ads
realm = rami.global
client use spnego = no----------I added this line
server signing = auto
netbios name = linux
winbind use default domain = yes----------I added this line
winbind separator = +
encrypt passwords = yes----------I added this line
password server = rami.global
template shell = /bin/bash


[test]----------I added this Title

comment = Test Share using Active Directory
path = /data
valid users = @"rami\Users"
writeable = yes
browseable = yes
[root@localhost ~]#


[root@localhost ~]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
workgroup = MYGROUP
server string = Samba Server
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = No
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[root@localhost ~]#



[root@localhost ~]# service smb stop
Shutting down SMB services: [FAILED]
Shutting down NMB services: [FAILED]
AnarchY SI (Web Master)

Post January 29th, 2007, 8:43 am

Is the service running?
It wouldn't be able to be stopped if it was never running.
zillah (Student)

Post January 29th, 2007, 9:43 am

Quote:
Is the service running?
It wouldn't be able to be stopped if it was never running.

Yes, you are right. What I did:
System --> Administration --> Server Settings --> Services --> tick the "smb" option
AnarchY SI (Web Master)

Post January 29th, 2007, 9:55 am

zillah wrote:
Yes, you are right. What I did:
System --> Administration --> Server Settings --> Services --> tick the "smb" option

Yeah, that doesn't mean smb IS running; that means you want it to start as a service the next time you reboot. Towards the top of that window there should be a "Start" button. Highlight smb, then click Start, and it should come up with a message "smb started successfully..." or an error.
Alternatively, you could use the command line to accomplish this:
Code:
su
<root_pass>
/etc/init.d/smb start
# it may be /etc/init.d/samba
zillah (Student)

Post January 29th, 2007, 10:12 am

Quote:
Yeah, that doesn't mean smb IS running; that means you want it to start as a service the next time you reboot.

Yes, I have pressed the Start button to start the service.

I have another issue.
When I typed in:
[root@linux ~]# kinit administrator@rami.global
(Enter Windows 2003 AD administrator password). I entered the admin password and was presented with this message:
“kinit(v5): Clock skew too great while getting initial credentials”, but the document says that I should have been presented with the message above before entering the admin password, not after entering it?
  • aaru
  • Newbie
  • Newbie
  • No Avatar
  • Joined: Nov 28, 2006
  • Posts: 7
  • Loc: INDIA
  • Status: Offline

Post January 30th, 2007, 2:01 am

Hello friends,

I have done the following procedure to authenticate ADS users on the Linux box. If you follow these 9 steps you can log in to the Linux box using an ADS account. Try it out.

Samba Domain Membership in an ADS environment:

Step 1:

Make sure of the following:

1) Samba version 3 packages


#rpm -qa | grep samba

samba-client-3.0.21b-2
samba-3.0.21b-2
samba-common-3.0.21b-2


2) Kerberos library version 1.3.1 or later. Ensure the following:

krb5-libs-1.4.3-4.1
krb5-devel-1.4.3-4.1


#krb5-config --all

Version: Kerberos 5 release 1.4.3
Vendor: Massachusetts Institute of Technology
Prefix: /usr
Exec_prefix: /usr
#krb5-config --version

Kerberos 5 release 1.4.3




Step 2:

Check the following:

# smbd -b | grep KRB5


output:


HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_DECODE_KRB5_AP_REQ
HAVE_KRB5
HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
HAVE_KRB5_C_ENCTYPE_COMPARE
HAVE_KRB5_C_VERIFY_CHECKSUM
HAVE_KRB5_ENCRYPT_BLOCK
HAVE_KRB5_ENCRYPT_DATA
HAVE_KRB5_FREE_AP_REQ
HAVE_KRB5_FREE_DATA_CONTENTS
HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS
HAVE_KRB5_FREE_KTYPES
HAVE_KRB5_FREE_UNPARSED_NAME
HAVE_KRB5_GET_PERMITTED_ENCTYPES
HAVE_KRB5_KEYBLOCK_IN_CREDS
HAVE_KRB5_KEYTAB_ENTRY_KEY
HAVE_KRB5_KEYUSAGE_APP_DATA_CKSUM
HAVE_KRB5_KT_FREE_ENTRY
HAVE_KRB5_LOCATE_KDC
HAVE_KRB5_MK_REQ_EXTENDED
HAVE_KRB5_PRINCIPAL2SALT
HAVE_KRB5_PRINC_COMPONENT
HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
HAVE_KRB5_SET_REAL_TIME
HAVE_KRB5_STRING_TO_KEY
HAVE_KRB5_TKT_ENC_PART2
HAVE_KRB5_USE_ENCTYPE
HAVE_LIBGSSAPI_KRB5
HAVE_LIBKRB5
HAVE_TICKET_POINTER_IN_KRB5_AP_REQ
KRB5_VERIFY_CHECKSUM_ARGS



# smbd -b | grep LDAP


output of the above command:


HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_ADD_RESULT_ENTRY
HAVE_LDAP_DOMAIN2HOSTLIST
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS



Step 3:

vi /etc/samba/smb.conf


[global]
unix charset = LOCALE
workgroup = EXAMPLE
realm = EXAMPLE.COM
server string = Samba Server
security = ADS
obey pam restrictions = Yes
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
winbind cache time = 100
winbind use default domain = Yes



Step 4:

Make sure you have edited the following:

vi /etc/nsswitch.conf


# winbind must be listed for passwd and group, otherwise getent (step 8) never sees the ADS users
passwd: files winbind
# shadow: files
group: files winbind




ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: files nisplus

automount: files
aliases: files nisplus

shadow: files


Save it.

Step 5:

Make sure you have edited the following:

1) Replace EXAMPLE.COM with your ADS domain name.

2) Ensure that your ADS server IP is resolvable.



vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
kdc = 192.168.0.1:88
admin_server = nt5.EXAMPLE.com:749
default_domain = EXAMPLE.com
kdc = 192.168.0.1
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}



Step 6:

Edit the following file to resolve the IP of your ADS server:

vi /etc/hosts


# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost

192.168.0.1 nt5.example.com NT5   # your ADS server





Step 7:

Joining the ADS domain:

1) Before joining the ADS domain your server should be synchronised with your ADS server, i.e. time synchronisation.

2) After joining the domain you will get a file called "secrets.tdb" in the /etc/samba directory.

3) Type the following commands:

# net ads join -UAdministrator%password

# cd /etc/samba/

# tdbdump secrets.tdb

Step 8:

After you have successfully joined the domain you have to start the following service:

#/etc/init.d/winbind start

#wbinfo -t

Output of the above command:

"checking the trust secret via RPC calls succeeded"


#wbinfo -u

The above command gives the information about your ADS users and computers.

Output of the above command:

aaru
amit
Administrator
Guest
IWAM_NT5
IUSR_NT5
krbtgt
RENTAL1$
OEIPL$
SG$
BHAIRVI$
BOSS$
blossem$
helix$
NT5$



#wbinfo -g

output of the above command:

Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy
Accounts



#getent passwd

If you run the above command you will find that your /etc/passwd database has been extended with the ADS users.

Output is:

bhairvi:*:10003:10001:Bhairvi:/home/OE2000/bhairvi:/bin/bash
bala:*:10004:10001:bala:/home/OE2000/bala:/bin/bash
aaru:*:10005:10001:aaru:/home/OE2000/aaru:/bin/bash
sachin:*:10006:10001:sachin:/home/OE2000/sachin:/bin/bash
manish:*:10007:10001:manish:/home/OE2000/manish:/bin/bash
amit:*:10008:10001:amit:/home/OE2000/amit:/bin/bash
sudipta:*:10009:10001:sudipta:/home/OE2000/sudipta:/bin/bash
administrator:*:10010:10001:Administrator:/home/OE2000/administrator:/bin/bash
guest:*:10011:10001:Guest:/home/OE2000/guest:/bin/bash
iwam_nt5:*:10012:10001:IWAM_NT5:/home/OE2000/iwam_nt5:/bin/bash
iusr_nt5:*:10013:10001:IUSR_NT5:/home/OE2000/iusr_nt5:/bin/bash
krbtgt:*:10014:10001:krbtgt:/home/OE2000/krbtgt:/bin/bash
rental1$:*:10015:10002:RENTAL1:/home/OE2000/rental1_:/bin/bash
oeipl$:*:10016:10002:OEIPL:/home/OE2000/oeipl_:/bin/bash
sg$:*:10017:10002:SG:/home/OE2000/sg_:/bin/bash
bhairvi$:*:10018:10002:BHAIRVI:/home/OE2000/bhairvi_:/bin/bash
boss$:*:10019:10002:BOSS:/home/OE2000/boss_:/bin/bash
blossem$:*:10020:10002:blossem:/home/OE2000/blossem_:/bin/bash
wpad$:*:10021:10002:wpad:/home/OE2000/wpad_:/bin/bash
helix$:*:10022:10002:helix:/home/OE2000/helix_:/bin/bash



You should get all of the information above from those commands.




with regards,

aaru
AnarchY SI (Web Master)

Post January 30th, 2007, 2:20 am

zillah wrote:
I have another issue.
When I typed in:
[root@linux ~]# kinit administrator@rami.global
(Enter Windows 2003 AD administrator password). I entered the admin password and was presented with this message:
“kinit(v5): Clock skew too great while getting initial credentials”, but the document says that I should have been presented with the message above before entering the admin password, not after entering it?


http://www.zdnetasia.com/insight/networ ... 966,00.htm
First search result when sticking your error into Google.

So according to that article, there are two things to try. One is, your system time may be more than 5 minutes off from the server, so try adjusting it to be the same as the server.
The other thing: make your AD domain name all uppercase, so @RAMI.GLOBAL instead of @rami.global.
zillah (Student)

Post January 30th, 2007, 5:01 am

Quote:
So according to that article, there are two things to try. One is, your system time may be more than 5 minutes off from the server, so try adjusting it to be the same as the server.

I was aware of that.

Quote:
The other thing: make your AD domain name all uppercase, so @RAMI.GLOBAL instead of @rami.global.

When I tried to use uppercase I received this error:
Code:
Cannot find KDC for requested realm while getting initial credentials
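The "Cannot find KDC for requested realm" error above, and the krb5.conf in step 5 of aaru's procedure, both come down to how the realm is spelled in krb5.conf: Kerberos realm names are case-sensitive, and with dns_lookup_kdc = false kinit can only locate a KDC for a realm that appears verbatim in [realms]. The following is an added example, not code from the thread or from any poster: it parses a krb5.conf and flags those mismatches, using a sample config constructed from the lowercase config posted earlier in the thread (the parser only handles the flat key = value and realm { } layout shown there).

```python
import re
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_krb5_conf(text):
    """{section: {key: [values]}}; a '{ ... }' block becomes a nested dict keyed by realm."""
    sections, section, block = {}, {}, None
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, lines):  # skip blanks and comment-only lines
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            block = None
        else:
            key, _, val = line.partition("=")
            target = block if block is not None else section
            target.setdefault(key.strip(), []).append(val.strip())
    return sections

def lint_krb5(text, login_realm):
    """List the problems that make `kinit user@<login_realm>` fail as in the thread."""
    conf = parse_krb5_conf(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    default_realm = lib.get("default_realm", [""])[0]
    if default_realm != default_realm.upper():
        findings.append(f"default_realm '{default_realm}' should be uppercase")
    for name, body in realms.items():
        if name != name.upper():
            findings.append(f"[realms] '{name}' should be uppercase")
        for dom in body.get("default_domain", []):
            if IPV4.match(dom):
                findings.append(f"[realms] '{name}': default_domain '{dom}' is an IP, not a DNS domain")
    # Realm names are case-sensitive; with dns_lookup_kdc = false kinit can only
    # find a KDC for a realm spelled exactly as it appears in [realms].
    if lib.get("dns_lookup_kdc", ["false"])[0].lower() == "false" and login_realm not in realms:
        findings.append(f"'{login_realm}' missing from [realms]: Cannot find KDC for requested realm")
    return findings

# Constructed sample modelled on the lowercase config posted earlier in the thread.
SAMPLE = """[libdefaults]
default_realm = rami.global
dns_lookup_kdc = false
[realms]
rami.global = {
kdc = 192.168.2.10
default_domain = 192.168.2.10
}"""
```

Running `lint_krb5(SAMPLE, "RAMI.GLOBAL")` reports the lowercase realm, the IP used as default_domain, and the missing uppercase [realms] entry; once the realm is uppercased throughout and default_domain is a DNS name, the same call returns no findings.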

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.