[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
Matt Carey
mattjcarey at gmail.com
Mon Feb 4 14:20:44 MST 2013
I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD; I've tried both
Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC (wegsfes19123) I'm
able to successfully join the client:
[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19123
...
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOMAIN'
dns_domain_name : 'domain.com'
forest_name : 'domain.com'
dn :
'CN=vm-ae67a,CN=Computers,DC=domain,DC=com'
domain_sid : *
domain_sid :
S-1-5-21-2999212452-478241430-698296220
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- DOMAIN
Joined 'VM-AE67A' to realm 'domain.com'
DNS Update for vm-ae67a.**INTERNAL*** failed: ERROR_DNS_GSS_ERROR
DNS update failed!
[root@vm-ae67a log]# net ads info
LDAP server: 10.100.0.231
LDAP server name: wegsfes19123.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Sun, 03 Feb 2013 11:45:05 EST
KDC server: 10.100.0.231
Server time offset: 0
However, pointing the same client to a RODC (wegsfes19234) for the same
domain, I'm unable to join (/etc/krb5.conf and /etc/samba/smb.conf were
updated to point to the RODC server for authentication):
[root@vm-ae67a log]# kinit Administrator@DOMAIN.COM
Password for Administrator@DOMAIN.COM:
[root@vm-ae67a log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.COM
Valid starting     Expires            Service principal
02/03/13 12:31:17  02/03/13 22:31:24  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 02/04/13 12:31:17
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOMAIN'
dns_domain_name : 'domain.com'
forest_name : 'domain.com'
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-2999212452-478241430-698296220
modified_config : 0x00 (0)
error_string : 'Failed to set account flags for
machine account (NT_STATUS_NOT_SUPPORTED)
'
domain_is_ad : 0x01 (1)
result : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account
(NT_STATUS_NOT_SUPPORTED)
Any help with this matter would be greatly appreciated.
Regards,
Matt
Configuration files:
[root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/samba/smb.conf | uniq
[global]
    workgroup = DOMAIN
    password server = wegsfes19234.domain.com
    realm = DOMAIN.COM
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    idmap backend = nss
    template homedir = /home/%U
    winbind nss info = rfc2307
    winbind use default domain = true
    server string = vm-ae67a
    netbios name = vm-ae67a
    encrypt passwords = true
    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50
    # the login script name depends on the machine name
    # the login script name depends on the unix user used
    # disables profiles support by specifing an empty path
    load printers = yes
    cups options = raw
    #obtain list of printers automatically on SystemV
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
[root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
    clockskew = 300
[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com:88
        admin_server = kerberos.example.com:749
        default_domain = example.com
    }
    domain.com = {
        kdc = wegsfes19234.domain.com
    }
    DOMAIN.COM = {
        kdc = wegsfes19234.domain.com
        kdc = wegsfes19234.domain.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    domain.com = DOMAIN.COM
    .domain.com = DOMAIN.COM
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
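An added example, not part of this thread and not Samba's own tooling: a small parser for the flattened "out: struct libnet_JoinCtx" dumps that "net ads join -d1" prints above, plus a classifier that separates a successful join from the "Failed to set account flags ... NT_STATUS_NOT_SUPPORTED" result, which in the post appears only when the RODC is the target. The two traces embedded below are abbreviated copies of the ones quoted above; the field names and error text are taken from the post, the "write-rejected" label is my own.

```python
import re
# Constructed inputs: abbreviated copies of the two 'net ads join -d1' traces quoted in the post.
RWDC_TRACE = """\
out: struct libnet_JoinCtx
dn :
'CN=vm-ae67a,CN=Computers,DC=domain,DC=com'
domain_sid : *
domain_sid :
S-1-5-21-2999212452-478241430-698296220
error_string : NULL
result : WERR_OK
"""
RODC_TRACE = """\
out: struct libnet_JoinCtx
dn : NULL
error_string : 'Failed to set account flags for
machine account (NT_STATUS_NOT_SUPPORTED)
'
result : WERR_NOT_SUPPORTED
"""
def parse_join_ctx(trace):
    """Turn the flattened 'out: struct libnet_JoinCtx' dump into a dict of fields."""
    lines = [ln.strip() for ln in trace.splitlines()]
    fields, i = {}, lines.index("out: struct libnet_JoinCtx") + 1
    while i < len(lines):
        m = re.match(r"^(\w+) :\s*(.*)$", lines[i])
        i += 1
        if not m:
            continue
        key, val = m.groups()
        if not val and i < len(lines):      # value wrapped onto the following line
            val, i = lines[i], i + 1
        if val.startswith("'") and not (len(val) > 1 and val.endswith("'")):
            parts = [val]                   # multi-line quoted string: read up to the closing quote
            while i < len(lines) and not lines[i].endswith("'"):
                parts.append(lines[i]); i += 1
            if i < len(lines):
                parts.append(lines[i]); i += 1
            val = " ".join(parts)
        fields[key] = val.strip("'").strip()
    return fields

def diagnose(fields):
    """'write-rejected' is the symptom the post shows only when the RODC is the target."""
    if fields.get("result") == "WERR_OK":
        return "joined"
    err = fields.get("error_string", "")
    if "account flags" in err and "NT_STATUS_NOT_SUPPORTED" in err:
        return "write-rejected"            # the target DC refused to write the machine account flags
    return "failed"
```

Running diagnose(parse_join_ctx(...)) over the two traces returns "joined" for the RWDC run and "write-rejected" for the RODC run, which is the distinction a defender wants to surface when a join against a read-only DC fails.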