[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC

Andrew Bartlett abartlet at samba.org
Wed Feb 6 14:45:09 MST 2013


On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
> I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both
> Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm
> able to successfully join the client:

I think this comes down to a fundamental misunderstanding of what an
RODC can do.  It is indeed 'read only'!  

You don't join Samba to a DC, you join Samba to a domain.  If the RODC
is the most favourable server to use for authentication after that, then
we will use it, but we will need to contact a read-write DC from time to
time. 

> [root at vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'DOMAIN'
>             dns_domain_name          : 'domain.com'
>             forest_name              : 'domain.com'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid               :
> S-1-5-21-2999212452-478241430-698296220
>             modified_config          : 0x00 (0)
>             error_string             : 'Failed to set account flags for
> machine account (NT_STATUS_NOT_SUPPORTED)
> '
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_NOT_SUPPORTED
> Failed to join domain: Failed to set account flags for machine account
> (NT_STATUS_NOT_SUPPORTED)

You should allow Samba and krb5 to find the closest DC to use, and not
force a particular server.  This not only improves redundancy, it makes
Samba much more likely to 'just work'.

Remove all these configuration lines:

> Configuration files:
> 
> [root at vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/samba/smb.conf | uniq
> [global]
>    workgroup = DOMAIN
>    password server = wegsfes19234.domain.com
>  
> 
> [root at vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/krb5.conf

> [libdefaults]
>  dns_lookup_realm = false
>  dns_lookup_kdc = false

> [realms]
>  EXAMPLE.COM = {
>   kdc = kerberos.example.com:88
>   admin_server = kerberos.example.com:749
>   default_domain = example.com
>  }
> 
>  domain.com = {
>   kdc = wegsfes19234.domain.com
>  }
> 
>  DOMAIN.COM = {
>   kdc = wegsfes19234.domain.com
>   kdc = wegsfes19234.domain.com
>  }

That is, remove the kdc, dns_lookup_kdc and password server
configuration options from smb.conf and krb5.conf files.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
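The advice above (drop the pinned "password server" and "kdc" lines and let Samba and krb5 discover DCs through DNS) as an added example, not from the original thread or from the Samba project: a POSIX shell script that writes the poster's style of pinned configuration next to a corrected one for the same domain, and a check that counts the options Andrew says to remove. The "realm = DOMAIN.COM" and "security = ads" lines are assumptions (the poster's grep output does not show them), as is the assumption that the client resolves the AD DNS zone so the _ldap._tcp / _kerberos._tcp SRV records are reachable.

```shell
#!/bin/sh
# Added example: pinned vs. DNS-discovered DC configuration for a Samba
# member server in domain.com / realm DOMAIN.COM (names taken from the post).
# Assumes the client can resolve the AD DNS zone (SRV records).
set -e

# Constructed sample mirroring the poster's smb.conf and krb5.conf:
# the DC/KDC is hard-wired to one server (the RODC) and DNS lookup is off.
write_pinned_configs() {
  dir=$1
  cat > "$dir/smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN.COM
   security = ads
   password server = wegsfes19234.domain.com
EOF
  cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DOMAIN.COM = {
  kdc = wegsfes19234.domain.com
 }
EOF
}

# Corrected sample: no "password server", no explicit "kdc", DNS lookups on.
# Samba finds DCs via _ldap._tcp.dc._msdcs.domain.com and krb5 finds KDCs via
# _kerberos._tcp.DOMAIN.COM, so a writable DC is used when the join needs one.
write_corrected_configs() {
  dir=$1
  cat > "$dir/smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN.COM
   security = ads
EOF
  cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
# No [realms] stanza: KDCs come from DNS SRV records.
EOF
}

# count_pinned_dc_settings FILE
# Prints the number of non-comment lines that pin a DC/KDC or disable
# KDC discovery: "password server =", "kdc =", "dns_lookup_kdc = false".
count_pinned_dc_settings() {
  grep -v -e '^[[:space:]]*[#;]' "$1" \
    | grep -c -i -E '^[[:space:]]*(password server[[:space:]]*=|kdc[[:space:]]*=|dns_lookup_kdc[[:space:]]*=[[:space:]]*false)' \
    || true
}

# Usage: audit a pair of config files and report what to remove.
# Join afterwards without -S so Samba picks the DC itself:
#   net ads join -U Administrator
audit_configs() {
  dir=$1
  for f in smb.conf krb5.conf; do
    n=$(count_pinned_dc_settings "$dir/$f")
    if [ "$n" -gt 0 ]; then
      echo "$f: $n pinned DC/KDC setting(s), remove them and rely on DNS SRV"
    else
      echo "$f: ok, DCs/KDCs will be discovered via DNS"
    fi
  done
}

tmp=$(mktemp -d)
write_pinned_configs "$tmp"
audit_configs "$tmp"
write_corrected_configs "$tmp"
audit_configs "$tmp"
rm -rf "$tmp"
```

To confirm discovery works before the join, `dig +short SRV _ldap._tcp.dc._msdcs.domain.com` and `dig +short SRV _kerberos._tcp.DOMAIN.COM` from the client should each list more than just the RODC; if only one host comes back, the problem is DNS or site configuration on the AD side, not Samba.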