[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC

Matt Carey mattjcarey at gmail.com
Mon Feb 4 14:20:44 MST 2013


I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD domain; I've tried both
Samba 3.6.6 and 4.0.2. When pointing the client at a RWDC (wegsfes19123) I'm
able to join the client successfully:

[root at vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19123
...
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'DOMAIN'
            dns_domain_name          : 'domain.com'
            forest_name              : 'domain.com'
            dn                       :
'CN=vm-ae67a,CN=Computers,DC=domain,DC=com'
            domain_sid               : *
                domain_sid               :
S-1-5-21-2999212452-478241430-698296220
            modified_config          : 0x00 (0)
            error_string             : NULL
            domain_is_ad             : 0x01 (1)
            result                   : WERR_OK
Using short domain name -- DOMAIN
Joined 'VM-AE67A' to realm 'domain.com'
DNS Update for vm-ae67a.**INTERNAL*** failed: ERROR_DNS_GSS_ERROR
DNS update failed!

[root at vm-ae67a log]# net ads info
LDAP server: 10.100.0.231
LDAP server name: wegsfes19123.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Sun, 03 Feb 2013 11:45:05 EST
KDC server: 10.100.0.231
Server time offset: 0

However, pointing the same client at a RODC (wegsfes19234) for the same
domain, I'm unable to join (/etc/krb5.conf and /etc/samba/smb.conf were
updated to point to the RODC for authentication):
[root at vm-ae67a log]# kinit Administrator at DOMAIN.COM
Password for Administrator at DOMAIN.COM:
[root at vm-ae67a log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at DOMAIN.COM

Valid starting     Expires            Service principal
02/03/13 12:31:17  02/03/13 22:31:24  krbtgt/DOMAIN.COM at DOMAIN.COM
renew until 02/04/13 12:31:17

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

[root at vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'DOMAIN'
            dns_domain_name          : 'domain.com'
            forest_name              : 'domain.com'
            dn                       : NULL
            domain_sid               : *
                domain_sid               :
S-1-5-21-2999212452-478241430-698296220
            modified_config          : 0x00 (0)
            error_string             : 'Failed to set account flags for
machine account (NT_STATUS_NOT_SUPPORTED)
'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account
(NT_STATUS_NOT_SUPPORTED)

Any help with this matter would be greatly appreciated.

Regards,
Matt




Configuration files:

[root at vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/samba/smb.conf | uniq
[global]
   workgroup = DOMAIN
# Pins the client to the RODC under test (the successful join above used
# wegsfes19123). Together with dns_lookup_kdc = false in krb5.conf, this
# host has no other DC to fall back to.
   password server = wegsfes19234.domain.com
   realm = DOMAIN.COM
   security = ads
# NOTE(review): idmap uid / idmap gid / idmap backend are the pre-3.6 idmap
# syntax; Samba 3.6 and later expect "idmap config * : backend" and
# "idmap config * : range". Check testparm output for deprecation warnings.
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   idmap backend = nss
   template homedir = /home/%U
   winbind nss info = rfc2307
   winbind use default domain = true
   server string = vm-ae67a
   netbios name = vm-ae67a
# defaults to yes in Samba 3.x/4.x; harmless but redundant
   encrypt passwords = true
# one log file per client machine (%m)
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
# NOTE(review): the three comments below describe logon script / profile
# settings whose keys do not appear in this dump (presumably commented out
# and hidden by the grep above); confirm whether they are still wanted.
# the login script name depends on the machine name
# the login script name depends on the unix user used
# disables profiles support by specifying an empty path
# Printer sharing is enabled on a host that, from this post, only needs
# domain membership; consider disabling it if the host serves no printers.
 load printers = yes
cups options = raw
#obtain list of printers automatically on SystemV
# per-user home directory share
[homes]
comment = Home Directories
browseable = no
writable = yes
# print spool share; guest access disabled
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes


[root at vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
# DNS lookups are off, so KDCs come only from the [realms] stanza below;
# all Kerberos traffic for this test is therefore pinned to the RODC.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
# NOTE(review): arcfour-hmac-md5, des-cbc-crc and des-cbc-md5 are legacy,
# weak enctypes; prefer aes256-cts-hmac-sha1-96 / aes128-cts-hmac-sha1-96
# where the DCs support them. The two-line form below is presumably one
# line wrapped by the mail client; confirm the file has it on a single line.
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
des3-hmac-sha1
# maximum tolerated clock skew, in seconds
 clockskew = 300

[realms]
# Presumably the stock RHEL template stanza; nothing in [domain_realm]
# maps a host to EXAMPLE.COM, so it is unused and can be removed.
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

# Realm names are case-sensitive. The realm actually in use is DOMAIN.COM
# (see default_realm and [domain_realm]), so this lowercase stanza is
# never selected.
 domain.com = {
  kdc = wegsfes19234.domain.com
 }

# Only the RODC is listed, so no failover to a writable DC is possible
# from here; the second kdc line is an exact duplicate of the first.
 DOMAIN.COM = {
  kdc = wegsfes19234.domain.com
  kdc = wegsfes19234.domain.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM
# presumably consumed by pam_krb5; confirm against the PAM configuration
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

