
Unknown Error: Could Not Obtain Winbind Separator! Reading Winbind Reply Failed! (0x01) : .

suggestme

New Member

Reaction score: 2
Messages: 17

  • #1

Hi,

I am configuring FreeRadius server on FreeBSD to perform authentication against Active Directory using Kerberos & Samba. I installed Samba, Kerberos server packages and did configuration changes on smb.conf file and /etc/krb5.conf file accordingly. From root I tried the command:

# net ads join -U [b]username[/b] -S [b]nt-server-hostname.company.com[/b]

It gives me the output as: (which I think might be OK)

Code:

    Enter [B]username's[/B] password:
    Using short domain name -- "   "
    Joined '    ' to realm '      '
    DNS update failed!

If I just try another command, it gives error:

# net join -U [b]Administrator[/b]

It gives the output as :

Code:

    Failed to join domain: failed to find DC for domain '     '
    ADS join did not work, falling back to RPC...
    Unable to find a suitable server for domain '    '
    Unable to find a suitable server for domain '    '

I get authentication error when I try the following command as:

# wbinfo -a [b]user[/b]%[b]password[/b]

Code:

    plaintext password authentication failed
    Could not authenticate user [B]username[/B]%[B]password[/B] with plaintext password
    could not obtain winbind interface details!
    could not obtain winbind separator!
    challenge/response password authentication failed
    Could not authenticate user [B]username[/B] with challenge/response

Can anyone please tell me what might be the problem?

Thank you

AndyUKG

Well-Known Member

Reaction score: 23
Messages: 466

  • #2

Did you set up the smb.conf with things like server name, PDC, domain name, security type as required? What documentation are you following for Samba?

suggestme

New Member

Reaction score: 2
Messages: 17

  • Thread Starter
  • #3

AndyUKG,

Yes I changed some configurations in smb.conf. I am following "deployingradius.com" steps for it. Some of the configurations I changed on smb.conf are as shown in bold letters:

Code:

    workgroup = [B]MYDOMAIN[/B]
    security = [B]ads[/B]
    password server = [B]nt-server-hostname.company.com[/B]
    realm = [B]REALM.COMPAMY.COM[/B]
    [B]winbind separator = +[/B]

I also changed some configurations on /etc/krb5.conf, changes I have made are shown in bold letters:

Code:

    [libdefaults]
            default_realm = [B]REALM.COMPANY.COM[/B]
            clockskew = 300
            v4_instance_resolve = false
            v4_name_convert = {
                    host = {
                            rcmd = host
                            ftp = ftp
                    }
                    plain = {
                            something = something-else
                    }
            }

    [realms]
            [B]REALM.COMPANY.COM[/B] = {
                    kdc = [B]nt-server-hostname.company.com[/B]
            }
            OTHER.REALM = {
                    v4_instance_convert = {
                            kerberos = kerberos
                            computer = computer.some.other.domain
                    }
            }

    [domain_realm]
            [B].my.domain [/B]= [B]REALM.COMPANY.COM[/B]

While executing [cmd=]# wbinfo -a user%password [/cmd]command it was giving winbind interface and separator error so, I just added

It eliminated that error, but I still can't authenticate the user. Other errors are occurring as I mentioned in previous post.

Thanks,

Sylhouette

Active Member

Reaction score: 29
Messages: 200

suggestme

New Member

Reaction score: 2
Messages: 17

  • Thread Starter
  • #5

Sylhouette / Johan,

Thanks so much for the thread suggestion. I followed up all the configuration details mentioned under the thread provided, but still I am having the following problems.

I can join the domain by using the command:

[cmd=]# net ads join -U username -S nt-server-hostname.company.com[/cmd]

but can't join it by just using the command

[cmd=]# net join -U Administrator[/cmd]

My server is already showing up under the list of users under Domain users list. But if I try to see users or groups respectively using:

[cmd=]# wbinfo -u[/cmd]
[cmd=]# wbinfo -g[/cmd]

It doesn't show any users or groups. Also no error shows, it just seems like no effect.

Also like before, while using the command:

[cmd=]# wbinfo -a user%password[/cmd]

It is not working and giving the same error as I mentioned in previous post.

Thanks

Sylhouette

Active Member

Reaction score: 29
Messages: 200

  • #6

[cmd=]net join -U Administrator[/cmd]

It should read.

[cmd=]net ads join -Uadministrator[/cmd]

Do you have your /etc/resolv.conf entries pointed at your Windows AD server?

Regards
Johan Hendriks

suggestme

New Member

Reaction score: 2
Messages: 17

  • Thread Starter
  • #7

Sylhouette,

Code:

    # net ads join -U Administrator
    Failed to join domain: failed to find DC for domain '   '

It also doesn't work. It gives the error. It's so strange that the following command allows to join the domain but I can't see the user and group using wbinfo -u and wbinfo -g commands.

[cmd=]# net ads join -U username -S nt-server-hostname.company.com[/cmd]

Sylhouette

Active Member

Reaction score: 29
Messages: 200

  • #8

It looks like it can not find the domain. Can you show your /etc/nsswitch, /etc/krb5.conf, /etc/hosts and /etc/resolv.conf file?

regards
Johan

suggestme

New Member

Reaction score: 2
Messages: 17

  • Thread Starter
  • #9

Sylhouette,

Sorry, I forgot to mention the answer of:

Do you have your /etc/resolv.conf entries pointed at your windows AD server.

I can see two entries in this file:

Code:

    domain  '     '           -----> It shows the domain name
    nameserver      '     '   -----> It shows correct IP address of server

Thanks,

Sylhouette

Active Member

Reaction score: 29
Messages: 200

  • #10

Ok I did reread your question.

Code:

    workgroup = MYDOMAIN
    security = ads
    password server = nt-server-hostname.company.com
    realm = REALM.COMPAMY.COM

Your workgroup must be the same name as your domain. So if your windows server is nt-server-hostname.company.com your workgroup name must be company. Your realm reads REALM.COMPANY.COM, this must read

The same thing goes for your /etc/krb5.conf file.

One more thing, did you install the kerberos port? If so, do you need to edit /usr/local/etc/krb5.conf instead of /etc/krb5.conf? As I never install the kerberos port, I can not tell you if that is the case.

Also the krb5.conf file has a lot of things I do not know (I am not an expert). Try to use a config as minimal as needed, and later on add things you need if you miss them.

In your case it would probably look like this.

Code:

    [libdefaults]
            default_realm = COMPANY.COM
            clockskew = 600

    [realms]
            COMPANY.COM = {
                    kdc = tcp/nt-server-hostname.company.com
            }

    [domain_realm]
            .company.com = COMPANY.COM

Also your host must be in the same domain. So your /etc/hosts file must read something like this, where 192.168.1.1 is the IP address of your FreeBSD server.

Code:

    192.168.1.1          bsd-server-hostname.company.com bsd-server-hostname
    192.168.1.1          bsd-server-hostname.company.com

and in your /etc/rc.conf file your hostname must be set appropriately

Code:

                        hostname="bsd-server-hostname.company.com"                      

Your /etc/resolv.conf file must contain the following

Code:

    domain company.com
    nameserver 192.168.1.10

where 192.168.1.10 is the IP address of your AD server.

regards
Johan
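
The consistency rules listed in post #10 (same realm in smb.conf and krb5.conf, a [realms] entry for it, host in the matching DNS domain, workgroup named after the domain) can be checked mechanically. This is an added example, not part of any poster's message; the function names and the sample file contents are constructed for illustration, and the workgroup test follows the thread's rule of thumb rather than a Samba requirement.

```shell
#!/bin/sh
# Added example: cross-check the settings this thread says must agree.

# First value of "key = value" in a config file. $1 = file, $2 = key
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*$//' -e 1q
}

# $1 = smb.conf, $2 = krb5.conf, $3 = this host's FQDN.
# Prints one line per mismatch; returns the number of mismatches.
check_ad_config() {
    smb_realm=$(conf_value "$1" realm)
    krb_realm=$(conf_value "$2" default_realm)
    workgroup=$(conf_value "$1" workgroup)
    dns_domain=$(printf '%s' "${3#*.}" | tr '[:lower:]' '[:upper:]')
    bad=0
    if [ "$smb_realm" != "$krb_realm" ]; then
        echo "realm: smb.conf '$smb_realm' != krb5.conf '$krb_realm'"; bad=$((bad + 1))
    fi
    if ! grep -q "^[[:space:]]*$krb_realm[[:space:]]*=[[:space:]]*{" "$2"; then
        echo "krb5.conf: no [realms] entry for '$krb_realm'"; bad=$((bad + 1))
    fi
    if [ "$smb_realm" != "$dns_domain" ]; then
        echo "host domain '$dns_domain' is not realm '$smb_realm'"; bad=$((bad + 1))
    fi
    # Thread's rule of thumb (assumption): workgroup = first label of the realm.
    if [ "$workgroup" != "${smb_realm%%.*}" ]; then
        echo "workgroup '$workgroup' != '${smb_realm%%.*}'"; bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed samples: $1/old.* use the first poster's values, $1/new.* post #10's.
make_samples() {
    printf 'workgroup = MYDOMAIN\nsecurity = ads\nrealm = REALM.COMPANY.COM\n' > "$1/old.smb"
    printf '[libdefaults]\n default_realm = REALM.COMPANY.COM\n[realms]\n REALM.COMPANY.COM = {\n  kdc = nt-server-hostname.company.com\n }\n' > "$1/old.krb5"
    printf 'workgroup = COMPANY\nsecurity = ads\nrealm = COMPANY.COM\n' > "$1/new.smb"
    printf '[libdefaults]\n default_realm = COMPANY.COM\n[realms]\n COMPANY.COM = {\n  kdc = tcp/nt-server-hostname.company.com\n }\n' > "$1/new.krb5"
}

tmp=$(mktemp -d) && make_samples "$tmp"
check_ad_config "$tmp/old.smb" "$tmp/old.krb5" bsd-server-hostname.company.com || echo "old: $? problem(s)"
check_ad_config "$tmp/new.smb" "$tmp/new.krb5" bsd-server-hostname.company.com && echo "new: consistent"
rm -rf "$tmp"
```

On a real host the three arguments would be /usr/local/etc/smb.conf, the krb5.conf actually in use, and the output of `hostname`. A clean result here does not rule out the clock difference that turned out to be the cause later in the thread.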

DutchDaemon


Administrator

Reaction score: 3,247
Messages: 11,442

  • #11

Guys, format your posts correctly. This includes file names, path names, commands, etc. It really adds to the readability of your posts (and better use of my time). Cheers.

Sylhouette

Active Member

Reaction score: 29
Messages: 200

  • #12

I will try to use the tags more.

It is not my intention to waste your time.
BTW for what it is worth, I think you do a really excellent job here on the forums.

I'd say, by all means keep it up. :)

And I will watch my post format.

regards
Johan

suggestme

New Member

Reaction score: 2
Messages: 17

  • Thread Starter
  • #13

DutchDaemon,

I will try my best to format my posts correctly. I am a new forum member so, trying to get used to it. Sorry for any inconvenience caused by this.

Sylhouette,

I checked all the configurations and did all the modifications but I am still getting the same issue. Yes I installed Kerberos port. So, at first I was also confused with krb5.conf location. There was no krb5.conf file in /etc/krb5.conf location before. It was in /usr/ports/net/samba35/work/samba-3.5.6/source4/setup/krb5.conf location from which I copied the file to /etc location. So there are krb5.conf files in two locations with the same configuration. I copied these because I read in so many sites the location of krb5.conf in /etc/krb5.conf. I am also new to FreeBSD and these samba, kerberos installation. So, I don't know this might be the issue.

Can anyone please suggest me anything in this thing. This time I am already suffering from this problem for so many days.

Thanks

Sylhouette

Active Member

Reaction score: 29
Messages: 200

  • #14

Could you just copy and paste your config files.

That would be

/etc/krb5.conf /etc/nsswitch /etc/hosts /usr/local/etc/smb.conf /etc/resolv.conf /etc/rc.conf

The name of the domain controller and its IP address.

Possibly I do not answer today anymore because I am on the road.!

regards
Johan

suggestme

New Member

Reaction score: 2
Messages: 17

  • Thread Starter
  • #15

Hello,

Finally I am able to authenticate user against Active Directory using Samba & Kerberos. I just rechecked and modified the configurations; most importantly, synchronized the time with my Domain server time using NTP /etc/ntp.conf, and restarted the Samba & Kerberos Server. Now user authentication for Plaintext password and Challenge/response is successful.

Thank you so much AndyUKG & Sylhouette for all your feedbacks.
Also thank you so much DutchDaemon for giving your valuable time for moderating this forum. This forum is really very helpful.

Sylhouette

Active Member

Reaction score: 29
Messages: 200

  • #16

Nice to hear.
The funny thing is that I had the same result one time, and it was also the time.
But I got messages in my logs, something about time skew too great I believe.

regards
Johan

Avery Freeman

  • #17

Sorry to revive old thread, but I am setting up FreeBSD 11.1-CURRENT as an AD member, and I just want to say that this helped me. The issues are still relevant in late 2017.

I did not find many threads that helped with my issues related specifically to FreeBSD, and this thread is old, so I thought mentioning that the info still works might help someone else with the same issues if they run across it like I did in my search.

I synchronized the member's datetime using the DC as the NTP in /etc/ntp.conf and restarted ntpd, and then I could join without error.

I also created /etc/nsswitch and /etc/krb5.conf as described in a thread Sylhouette replied to here: https://forums.freebsd.org/threads/20007/

I'm not sure this was necessary, I would recommend other people just try synchronizing NTP with the DC first.

Thanks! :)

SirDice


Administrator

Reaction score: 13,464
Messages: 40,044

  • #18

That version does not exist.


Source: https://forums.freebsd.org/threads/samba-kerberos-authentication-problem-against-active-directory.27395/
