Problems signing on after adding NIS to domain controller and doing 'net ads join'
I have installed Windows NIS on my domain controller and am trying to get a Linux system included in the domain. I have installed NIS, winbind and Samba on the Linux system. I have set up Samba with the following:
workgroup = Accounting
password server = nestucca
realm = ACCOUNTING.EDT.LOCAL
security = ads
idmap backend = rid
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
When I added the Linux system to the domain it seemed to work. When I do a 'net ads info' I get:
LDAP server: 10.10.10.1
LDAP server name: nestucca.Accounting.edt.local
Realm: ACCOUNTING.EDT.LOCAL
Bind Path: dc=ACCOUNTING,dc=EDT,dc=LOCAL
LDAP port: 389
Server time: Wed, 13 Jun 2012 09:07:36 PDT
KDC server: 10.10.10.1
Server time offset: 239
but if I do any other command I get the following error after typing the root password:
[root@wood etc]# net ads status
Enter root's password:
kerberos_kinit_password root@ACCOUNTING.EDT.LOCAL failed: Client not found in Kerberos database
kerberos_kinit_password root@ACCOUNTING.EDT.LOCAL failed: Client not found in Kerberos database
kerberos_kinit_password root@ACCOUNTING.EDT.LOCAL failed: Client not found in Kerberos database
If I try to log in to the domain controller I get the following error:
the name of security Id (SID) of the domain specified is inconsistent with the trust information for that domain.
What can I do to get logged in to the domain controller?
thanks.
June 13th, 2012 12:20pm
** Also posted in the general forum**
June 14th, 2012 12:07pm
Hi,
Thanks for posting in Microsoft TechNet forums.
Please check the thread below to see if it can be helpful in your situation:
Error while logging into Trust domain
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e924e80a-ade5-4325-b483-c1e49eba5527
Regards
Kevin
June 15th, 2012 12:51am
Thanks for the help, but that is not the problem I have.
This is NOT a cloned system! Everything that I have read regarding this error points to a cloned system. I installed and configured NIS on the DC. Then I installed winbind and Samba on a Linux system and did the 'net ads join' to put the Linux system in the domain. Once I did the join I have not been able to log into the DC at all. This is where I get the error.
How can I log in to the domain controller?
thanks
June 15th, 2012 11:50am
Hi,
Thank you for clarifying the issue for us.
If we remove the Linux system from the domain, can the problem DC be logged into?
Regards
Kevin
TechNet Community Support
June 18th, 2012 12:49am
Kevin,
I have tried doing a 'net ads leave' on the Linux system; these are the errors:
kerberos_kinit_password root@ACCOUNTING.EDT.LOCAL failed: Client not found in Kerberos database
Failed to leave domain: failed to connect to AD: Client not found in Kerberos database
-----
If I do a 'net ads testjoin' I get back "join is ok"
If I do a 'net ads join' I get:
Failed to join domain: failed to lookup DC info for domain 'ACCOUNTING.EDT.LOCAL' over rpc: Logon failure
So, where do I go from here?
thanks
June 18th, 2012 11:44am
Hi,
It seems the authentication failure is because of a Kerberos issue. Did you create a Kerberos keytab for Samba? Resources for your reference:
http://blog.scottlowe.org/2006/12/19/using-samba-in-linux-ad-integration/
http://www.tulg.org/docs/samba_ads_kerb.html
http://technet.microsoft.com/en-us/library/cc779157(WS.10).aspx
Thanks, Brian
June 20th, 2012 1:54am
Brian,
Thanks, that helped a bunch! After going through a couple of those resources I have been able to join the domain and reference information from the domain on the Linux system.
But I still am not able to log in to the DC using my account or the administrators account.
Any ideas as to why this is happening? I am still getting the same error:
"The name of security Id (SID) of the domain specified is inconsistent with the trust information for that domain."
thanks again!
June 20th, 2012 2:38pm
Okay, maybe after reading my last reply it is not evident what I cannot do!
1. From my Linux system I cannot log in using my domain account.
but more important
2. I can not log in to the DC from the console or from a remote desktop at all. This is when I get the security ID error. This is the problem that I really need to get fixed. How can I get logged in?
June 22nd, 2012 5:00pm
So, there is no one in the TechNet realm that knows how to get around or fix this error?
What do folks do when they have problems like this? Rebuild? That's ugly!
I would think MS would have a better answer than this!
Why would any OS let an installed product change the SID of the DC? You would think that this would not be allowed!
June 26th, 2012 6:04pm
Hi,
Do you mean all the accounts fail to log on to that DC? Or does the issue only occur on the specific account? Do you use a cross-domain account?
Thanks, Brian
June 27th, 2012 4:34am
Brian,
As far as I know none of the accounts can log in to the DC. Normal users typically don't log in; they just have access to the users disk via mapped drives.
Being the admin I log in quite a bit using either my domain admin account or the administrators account.
There is no cross-domain. We only have one domain. I do have a backup DC that I can log in to but it does not run some of the software that the primary DC runs. I can log into the backup DC without any problems.
any help is really appreciated
thanks
June 27th, 2012 1:58pm