[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC

Matt Carey mattjcarey at gmail.com
Wed Feb 6 16:25:31 MST 2013


On Wed, Feb 6, 2013 at 4:45 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
> > I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried
> both
> > Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123)
> I'm
> > able to successfully join the client:
>
> I think this comes down to a fundamental misunderstanding of what an
> RODC can do.  It is indeed 'read only'!
>
> You don't join Samba to a DC, you join Samba to a domain.  If the RODC
> is the most favourable server to use for authentication after that, then
> we will use it, but we will need to contact a read-write DC from time to
> time.
>
>
If the object "CN=vm-ae67a,CN=Computers,DC=receiptiq,DC=com" has already
been created within AD and the Password Replication Policy has been set
such that the object is replicated to the RODC, then what attributes on
that object is the "net ads join" trying to update/write? I was hoping to
perform the functional equivalent of the MS djoin.exe process and use
winbind to authenticate the AD users against the RODC.
> > [root at vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
> > libnet_Join:
> >     libnet_JoinCtx: struct libnet_JoinCtx
> >         out: struct libnet_JoinCtx
> >             account_name             : NULL
> >             netbios_domain_name      : 'DOMAIN'
> >             dns_domain_name          : 'domain.com'
> >             forest_name              : 'domain.com'
> >             dn                       : NULL
> >             domain_sid               : *
> >                 domain_sid               :
> > S-1-5-21-2999212452-478241430-698296220
> >             modified_config          : 0x00 (0)
> >             error_string             : 'Failed to set account flags for
> > machine account (NT_STATUS_NOT_SUPPORTED)
> > '
> >             domain_is_ad             : 0x01 (1)
> >             result                   : WERR_NOT_SUPPORTED
> > Failed to join domain: Failed to set account flags for machine account
> > (NT_STATUS_NOT_SUPPORTED)
>
> You should allow Samba and krb5 to find the closest DC to use, and not
> force a particular server.  This not only improves redundancy, it makes
> Samba much more likely to 'just work'.
>
> Remove all these configuration lines:
>
> > Configuration files:
> >
> > [root at vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/samba/smb.conf | uniq
> > [global]
> >    workgroup = DOMAIN
> >    password server = wegsfes19234.domain.com
> >
> >
> > [root at vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/krb5.conf
>
> > [libdefaults]
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
>
> > [realms]
> >  EXAMPLE.COM = {
> >   kdc = kerberos.example.com:88
> >   admin_server = kerberos.example.com:749
> >   default_domain = example.com
> >  }
> >
> >  domain.com = {
> >   kdc = wegsfes19234.domain.com
> >  }
> >
> >  DOMAIN.COM = {
> >   kdc = wegsfes19234.domain.com
> >   kdc = wegsfes19234.domain.com
> >  }
>
> That is, remove the kdc, dns_lookup_kdc and password server
> configuration options from smb.conf and krb5.conf files.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
>
Configuration files have been updated and it finds the RODC via broadcast
rather than being hard coded:
[root at vm-ae67a ~]# net ads lookup dc
Information for Domain Controller: 10.100.0.168

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: a7654231-d835-420a-bba8-b2d78722b056
Flags:
Is a PDC:                                   no
Is a GC of the forest:                      yes
Is an LDAP server:                          yes
Supports DS:                                yes
Is running a KDC:                           yes
Is running time services:                   yes
Is the closest DC:                          yes
Is writable:                                no
Has a hardware clock:                       no
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets:            yes
Is NT6 DC that has all secrets:             no
Forest: domain.com
Domain: domain.com
Domain Controller: WEGSFES19234.domain.com
Pre-Win2k Domain: DOMAIN
Pre-Win2k Hostname: WEGSFES19234
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
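As an added illustration (not code from this thread or from the Samba project): a small Python check that interprets `net ads lookup dc` output like the above, classifies the located DC as RWDC or RODC from its flags, and warns when smb.conf still pins `password server` to a host that is read-only, which is the situation that produced the NT_STATUS_NOT_SUPPORTED error earlier in the thread. The sample output and smb.conf text embedded below are constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the 'net ads lookup dc' output quoted in the thread.
SAMPLE_LOOKUP = """\
Information for Domain Controller: 10.100.0.168
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
Flags:
Is a PDC:                                   no
Is an LDAP server:                          yes
Is running a KDC:                           yes
Is the closest DC:                          yes
Is writable:                                no
Is NT6 DC that has some secrets:            yes
Is NT6 DC that has all secrets:             no
Domain Controller: WEGSFES19234.domain.com
"""

# Constructed smb.conf fragment with the hard-coded server the thread recommends removing.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DOMAIN
   password server = wegsfes19234.domain.com
"""

def parse_lookup(text):
    """Map each 'Is .../Has ...: yes|no' flag to a bool and keep the DC name."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^((?:Is|Has) [^:]+?):\s+(yes|no)\s*$", line)
        if m:
            info[m.group(1)] = (m.group(2) == "yes")
        m = re.match(r"^Domain Controller:\s*(\S+)", line)
        if m:
            info["Domain Controller"] = m.group(1).lower()
    return info

def classify_dc(info):
    """RWDC if writable; RODC if it holds only some secrets; otherwise unknown."""
    if info.get("Is writable"):
        return "RWDC"
    if info.get("Is NT6 DC that has some secrets") and not info.get("Is NT6 DC that has all secrets"):
        return "RODC"
    return "unknown"

def pinned_server_warning(smb_conf, info):
    """Return a warning string if 'password server' pins Samba to a non-writable DC, else None.
    A join must write machine-account attributes (the 'account flags' in the error), so
    forcing every operation through an RODC cannot succeed; None means no pin was found."""
    m = re.search(r"^\s*password server\s*=\s*(\S+)", smb_conf, re.M)
    if not m:
        return None
    pinned = m.group(1).lower()
    if pinned == info.get("Domain Controller") and classify_dc(info) != "RWDC":
        return f"password server = {pinned} pins Samba to an {classify_dc(info)}; remove it and let DC location pick a writable DC"
    return None
```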

