Attention:

 Only newly created accounts in ADS or accounts that have had 

their passwords changed once since migration will work. If an account stems 

from before the migration (or installation in the case of Administrator) the 

kinit

 command returns a message about a wrong encryption. Changing the 

password of the account resolves this problem.

To actually join the AD domain you execute the following:

net ads join  U administrator

This will prompt for the administrator password, for example, joining client 

machine client1 to the domain AD6380 using administrative user idsadmin (see 

Example 7 4).

Example 7 4   Example of joining client1 to domain AD6380

[root@client1 root]# net ads join  U idsadmin

idsadmin password:*******

Using short domain name    AD6380

Joined  CLIENT1  to realm  AD6380.LOCAL 

Joining in a particular organizational unit can be done by first getting the correct 

credentials and then joining the unit. For example, if you want to join the domain 

(that is, create a computer account) in a container called Clients under the 

organizational directory Computers/ITSO, you execute:

kinit Administrator@AD6380.LOCAL

net ads join  Computers\ITSO\Clients 

Attention:

 Since Windows 2003 uses SMB signing you have to put the 

following line in the smb.conf file when trying to join a Windows 2003 ADS.

client use spnego = yes

More details on joining an Active Directory domain can be found in the 

Samba 

HOWTO collection section 6.4:

http://samba.org/samba/docs/Samba HOWTO Collection.pdf/

7.2  How to use winbind to make domain users known 

locally

After joining a domain as described in 7.1,  How to join a Windows domain  on 

page 134, it will be necessary to add all domain accounts to the Linux client if the 

domain accounts are going to log on to the client. In smaller domains this will not 

136 

Linux Client Migration Cookbook   A Practical Planning and Implementation Guide for Migrating to Desktop