[Samba] Windows != Samba - NETBIOS name handling

Wed Nov 1 15:26:10 GMT 2006

Hi,

I'm using samba just for its "net join" functionality. Computer accounts and kerberos keytabs are
created by Samba in Active Directory via "net ads join", then used by UNIX clients to authorise and
authenticate via LDAP and Kerberos.

Samba works perfectly until the computers hostname is longer than 15 characters. Then any attempt to
join the domain fails with:

----
[root at uk1-sysstg-sqlsyslogtest etc]# net ads join -U Administrator
Administrator's password:
[2006/11/01 13:14:34, 0] libads/ldap.c:ads_join_realm(1763)
  ads_join_realm: ads_add_machine_acct failed (uk1-sysstg-sqlsyslogtest): Internal (implementation
specific) error
ads_join_realm: Internal (implementation specific) error
----

Looking at packet trace output suggests it's because of NETBIOS name length limitations.

So I specify a legal NETBIOS name in smb.conf, and the join succeeds.

The problem is now that this computer is _completely_ identified to AD by this NETBIOS name.

Both the kerberos tickets and the DNS name for this computer are linked to the NETBIOS name, even
though this is different from the UNIX hostname.

If this were a Microsoft AD limitation, I could write this off, but it seems this is a Samba problem.

From:

http://technet2.microsoft.com/WindowsServer/en/library/8ec96981-6b1a-48ec-bd3e-d8d43bc814311033.mspx?mfr=true
-------
-------
To ensure interoperability between NetBIOS and DNS naming in Windows, a new naming parameter called
the NetBIOS computer name was introduced. The value of this parameter, which is not required in a
Windows 2000 or Windows Server 2003  environment, is derived from the first 15 characters of the DNS
full computer name.

When the full computer name is a combination of the computer name and the primary DNS suffix for the
computer, the impact of renaming and making the transition from a NetBIOS namespace to a DNS
namespace can be minimal. Users continue to focus on the short computer name. If this name is 15
characters or less, it can be made identical to the NetBIOS computer name. The administrator can
then also assign a DNS domain name for each computer. This can be done using remote administration
tools.
------
------

It seems Windows allows the NETBIOS name and computer DNS name to be separate, but Samba doesn't.
A look inside the AD properties for a computer account shows these can be different, but a samba
join forces them to be the same.

I've also tried pre-creating the computer accounts in AD - this still happens.

Is there any way round this issue? (And no "rename 100+ production servers" suggestions please ;-) )

thanks

James Masson

------
Redhat EL4
samba-client-3.0.10-1.4E.9
samba-common-3.0.10-1.4E.9
also tried with samba.org samba-3.0.22-1
------- smb.conf
workgroup = TESTING
; netbios name = UK1-SYSSTG-SQLS
realm = TESTING.LOCAL.INVALID
security = ads
use kerberos keytab = True
-------
Windows 2003 R2

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author’s employer.

Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. 

Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
_______________________________________________________________
This message has been checked for all known viruses by UUNET delivered 
through the MessageLabs Virus Control Centre. For further information visit
http://www.uk.uu.net/products/security/virus/