[Samba] Joining samba server to Windows AD OU when OU has slashes in OU name

david.lists.samba.org at neo-neural.net
Sat Mar 18 13:24:59 GMT 2006


I'm attempting to join a samba server to a Windows 2003 Active Directory
on a network I do not control. The admins are working to help me on
this, but I am also attempting to be as unobtrusive as possible. To that
end, I have set up a Windows PDC and another samba server (with the same
configuration) on a private network to do my own testing without having
to hassle the Windows admins and ask them to tweak things on their live
setup.

The problem is that it appears the "net" command ('net ads join',
specifically) translates forward slashes as OU name separators, when in
fact, they can actually be part of an OU name. Example: I want to join
my system, TEST001, to the OU 'IT Systems/Admins' in the realm
EXAMPLE.COM (KDC: EXAMPLE.EXAMPLE.COM). I can successfully get a
kerberos ticket (and hence, authenticate), but cannot actually create a
computer account in the desired OU using net, as detailed in the following:

# kinit testuser@EXAMPLE.EXAMPLE.COM
(confirm success with klist)
# net ads join 'IT Systems/Admins' -U testuser@EXAMPLE.EXAMPLE.COM
ads_join_realm: organizational unit IT Systems/Admins does not exist
(dn:ou=Admins,ou=IT Systems,dc=EXAMPLE,dc=EXAMPLE,dc=COM)

On the permissions side, I'm logged in as root on the samba server, and
have domain admin rights on the Windows test server.
If the slash is removed from the OU name (e.g. 'IT Systems Admins'),
then the samba server successfully joins the Windows AD.

I've tried everything I can think of to explain to the net command
explicitly what I want - single quotes, double quotes, escaping the
forward slashes with backslashes, etc., all for naught. This suggests to
me that the net command doesn't consider slashes to be valid for Windows
AD OU names, which they most assuredly are, unfortunately. The one thing
I have yet to do is edit the samba source code and attempt to modify
net's behaviour... and since I'm not a programmer, that isn't a good
option for me, in my opinion.
Yes, the simple thing to do is to convince the Windows admins to remove
all slashes from the OU names, which they likely will, but that still
leaves this issue unresolved. 

All this to say, and correct me if I'm wrong, that the net command
considers some legal Windows OU characters to be illegal and/or
translates them as OU separators improperly. Any thoughts, suggestions,
etc.?

Config files from the test samba server:
smb.conf
WORKGROUP = EXAMPLE.COM
realm = example.example.com
security = ADS
encrypt passwords = yes
password server = example.example.com

krb5.conf
[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
}

# section name corrected: krb5.conf expects [domain_realm] (singular); an unknown section is ignored
[domain_realm]
 .kerberos_server = EXAMPLE.EXAMPLE.COM


(Side note: commas in OU names appear to be legal inside OU names from
the Windows side, but throw an "ads_join_realm: Invalid DN syntax" error
when using 'net ads join "IT Systems,Admins" -U
testuser@EXAMPLE.EXAMPLE.COM'. Same issue with trying to escape the
character with backslashes, quotes, etc. as above.)
-
David
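An added example (not from the post or from the Samba project) that shows where the two DNs in the post come from: splitting the OU argument on every "/" yields exactly the dn= in the error message, while RFC 4514 treats "/" as an ordinary character and only requires a backslash escape for characters such as "," (which explains the "Invalid DN syntax" seen with a comma). The realm and OU names are the ones from the post.

```python
# Constructed example: how an OU path becomes an LDAP DN.

def realm_to_base_dn(realm):
    """EXAMPLE.EXAMPLE.COM -> dc=EXAMPLE,dc=EXAMPLE,dc=COM"""
    return ",".join("dc=" + label for label in realm.split("."))

def naive_ou_dn(ou_path, base_dn):
    """Treat every '/' as a container separator, which is what the
    dn= in the post's error message indicates net ads join does."""
    parts = [p for p in ou_path.split("/") if p]
    return ",".join("ou=" + p for p in reversed(parts)) + "," + base_dn

# RFC 4514 section 2.4: these characters must be escaped inside an attribute value;
# '#' only at the start, and a space only at the start or end. '/' is not special.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value):
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escaped_ou_dn(ou_names, base_dn):
    """ou_names lists containers from the top level down to the target OU;
    each name is one RDN, so '/' and ',' inside a name stay part of that name."""
    rdns = ["ou=" + escape_rdn_value(n) for n in reversed(ou_names)]
    return ",".join(rdns) + "," + base_dn

if __name__ == "__main__":
    base = realm_to_base_dn("EXAMPLE.EXAMPLE.COM")
    print(naive_ou_dn("IT Systems/Admins", base))      # the DN from the error message
    print(escaped_ou_dn(["IT Systems/Admins"], base))  # the OU the post actually wants
    print(escaped_ou_dn(["IT Systems,Admins"], base))  # comma needs a backslash escape
```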