[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
Andrew Bartlett
abartlet at samba.org
Wed Feb 6 14:45:09 MST 2013
On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
> I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD. I've tried both
> Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC (wegsfes19123) I'm
> able to successfully join the client:
I think this comes down to a fundamental misunderstanding of what an
RODC can do. It is indeed 'read only'!
You don't join Samba to a DC, you join Samba to a domain. If the RODC
is the most favourable server to use for authentication after that, then
we will use it, but we will need to contact a read-write DC from time to
time.
> [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name        : NULL
>             netbios_domain_name : 'DOMAIN'
>             dns_domain_name     : 'domain.com'
>             forest_name         : 'domain.com'
>             dn                  : NULL
>             domain_sid          : *
>                 domain_sid      : S-1-5-21-2999212452-478241430-698296220
>             modified_config     : 0x00 (0)
>             error_string        : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)'
>             domain_is_ad        : 0x01 (1)
>             result              : WERR_NOT_SUPPORTED
> Failed to join domain: Failed to set account flags for machine account
> (NT_STATUS_NOT_SUPPORTED)
You should allow Samba and krb5 to find the closest DC to use, and not
force a particular server. This not only improves redundancy, it makes
Samba much more likely to 'just work'.
Remove all these configuration lines:
> Configuration files:
>
> [root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/samba/smb.conf | uniq
> [global]
> workgroup = DOMAIN
> password server = wegsfes19234.domain.com
>
>
> [root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/krb5.conf
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = false
> [realms]
> EXAMPLE.COM = {
> kdc = kerberos.example.com:88
> admin_server = kerberos.example.com:749
> default_domain = example.com
> }
>
> domain.com = {
> kdc = wegsfes19234.domain.com
> }
>
> DOMAIN.COM = {
> kdc = wegsfes19234.domain.com
> kdc = wegsfes19234.domain.com
> }
That is, remove the kdc, dns_lookup_kdc and password server
configuration options from smb.conf and krb5.conf files.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org