net ads join with REALM not FQDN in 3.0.25pre1

Hansjörg Maurer Hansjoerg.Maurer at dlr.de
Tue Mar 20 07:12:20 GMT 2007


Hi

I am testing 3.0.25pre1 right now.
We had the following situation
REALM and AD-DNS Name: NTROBOTIC.FOO.DE
FQDN of the samba-server
[root@rmvbs02 root]# hostname -f
rmvbs02.cluster.foo.de

krb config (RHEL3) seems to work (User Admin has full Domain Admin
privileges in the AD):

[root@rmvbs02 root]# kinit Admin
Password for Admin@NTROBOTIC.FOO.DE:

[root@rmvbs02 root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Admin@NTROBOTIC.FOO.DE
Valid starting     Expires            Service principal
03/20/07 07:52:01  03/20/07 17:52:01  krbtgt/NTROBOTIC.FOO.DE@NTROBOTIC.FOO.DE
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

When I try to join the domain it does not work:

net ads join createcomputer="RM Rechner/RM andere" -U Admin
Admin's password:
Using short domain name -- NTROBOTIC
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'RMVBS02' in realm 'NTROBOTIC.FOO.DE'
Failed to join domain: Type or value exists

The problem seems to have occurred for the first time with 3.0.23.
With 3.0.24 the computer account is created in the right OU, but
dNSHostName and ServicePrincipalName are not populated.
With older versions of Samba, the FQDN of the host was put in dNSHostName,
and in ServicePrincipalName entries like
CIFS/rmvbs02
CIFS/rmvbs02.cluster.foo.de
CIFS/rmvbs02.ntrobotic.foo.de
HOST/rmvbs02
HOST/rmvbs02.cluster.foo.de
HOST/rmvbs02.ntrobotic.foo.de

were put.
Starting with 3.0.25 the object is automatically deleted in the
container when the join fails.
With 3.0.24 it was just disabled.
I tried to set the values of ServicePrincipalName and dNSHostName
by hand with adsiedit and activated the account, but a net ads testjoin
fails.

I have checked that user Admin has the rights to change the settings
of ServicePrincipalName and dNSHostName
(Security dialog in adsiedit, effective rights ...), but the join fails.

It is possible to join with net rpc join createcomputer="RM Rechner/RM
andere" -U Admin
but then the computer is placed in the Computers OU.

I have searched the archives and did not find any hint apart from setting
the right permissions for the user who performs the join.

But this does not seem to help in this case.

regards

Hansjörg