[Samba] problem joining AD domain

Nico Kadel-Garcia nkadel at gmail.com
Tue Jan 22 17:12:51 MST 2013

On Tue, Jan 22, 2013 at 6:44 AM, Paolo Supino <paolo.supino at gmail.com> wrote:
> Hi
> I'm trying to make a Linux server (RHEL 5.3) join my company's ADS
> domain. The company's domain is built from several kerberos realms

Stop *right* there. If you have RHEL, and you've been regularly
applying updates, you've automatically updated to RHEL 5.9 since its
release a few weeks ago. RHEL 5.3 is now 4 years old and you should
*not* use it for any security sensitive functions like the critical
Kerberos authentication in an ADS domain, without the Red Hat
published system updates. So do the system updates first.

> and Windows domain. the Linux FQDN resolves to the name of one of the
> kerberos realms we have, but I was asked to have the linux server
> join a different kerberos realm and windows Domain. When I attempt to
> run the command: 'net ads join -U [account] -w [domain]', I get the
> following error:
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> I know it's possible because it was done in the company in the past
> (unfortunately) the sysadmin that did it no longer works here and no
> one else knows how to reproduce how he did it.

Are you using the built-in Samba 3.0.33, the available "samba3x" tool
that is Samba 3.6.6, or a hand-built up-to-date Samba toolsuite? If
you're using the built-in Samba 3.0.33 or the "samba3x" package, you
should be able to use "authconfig" to set all of this in PAM, and only
need "net ads" to register the particular host with AD credentials.

And are you making sure to use "net ads join -U 'admin at remotedomain'
-w 'remotedomain'", if the DNS domain does not match the AD domain?

You might also install, and try working with, the X-based version of
the "system-config-authentication" command which provides reasonable
GUI options for most of this.

> I know this email is scarce on helpful information. I simply don't
> know what information to supply (I have the output of join with -d 4
> and -d 10 debug levels).
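The error quoted above says the host's DNS domain must match the AD domain given with -w. The following pre-flight check is an added example, not code from the thread or from Samba: it derives the host's DNS domain from its FQDN, compares it with the intended AD domain, and prints the HOST/ SPN pair that "net ads join" tries to write to the computer account, so a mismatch is caught before the join is attempted. The hostnames are constructed placeholders, and the lower-casing of the SPNs is this script's own assumption.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Samba).
# Pre-flight check before "net ads join -U account -w domain":
# does the DNS domain of this host match the AD domain we join?

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# dns_domain FQDN -> everything after the first dot, lower-cased
# (empty when the name has no dot at all)
dns_domain() {
    case "$1" in
        *.*) lower "${1#*.}" ;;
        *)   printf '' ;;
    esac
}

# spn_list FQDN -> the two SPNs the join tries to set on the computer
# account: HOST/fqdn and HOST/shortname (case handling assumed here)
spn_list() {
    short=$(lower "${1%%.*}")
    printf 'HOST/%s\nHOST/%s\n' "$(lower "$1")" "$short"
}

# check_join FQDN AD_DOMAIN -> 0 when the DNS domain matches, 1 otherwise
check_join() {
    fqdn=$1
    ad=$(lower "$2")
    have=$(dns_domain "$fqdn")
    if [ "$have" = "$ad" ]; then
        echo "ok: $fqdn is in DNS domain $ad; SPNs to be registered:"
        spn_list "$fqdn"
        return 0
    fi
    echo "mismatch: $fqdn is in DNS domain '$have' but joining '$ad'" >&2
    echo "expect 'Failed to set servicePrincipalNames' unless the -U account may write SPNs" >&2
    return 1
}

# Usage: ./check_join.sh AD_DOMAIN [ACCOUNT]; only joins when the check passes.
if [ -n "${1:-}" ]; then
    check_join "$(hostname -f)" "$1" && net ads join -U "${2:-Administrator}" -w "$1"
fi
```

When run with no arguments the script only defines the functions, so it can be sourced and the check called by hand.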
