[Samba] problem joining AD domain

Paolo Supino paolo.supino at gmail.com
Wed Jan 23 05:13:14 MST 2013

Hi Nico

It's not up to me to decide (and implement) the OS updates :-( and
thus cannot do anything about the status of security of the systems.
Though I completely agree with you :-)

Now to the Samba ADS integration problem. I only need to execute the
net ads command, I need the windows domain membership for a service
running on this system not for local logins.


On Wed, Jan 23, 2013 at 1:12 AM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> On Tue, Jan 22, 2013 at 6:44 AM, Paolo Supino <paolo.supino at gmail.com> wrote:
>> Hi
>> I'm trying to make a Linux server (RHEL 5.3) join my company's ADS
>> domain. The company's domain is built from several kerberos realms
> Stop *right* there. If you have RHEL, and you've been regularly
> applying updates, you've automatically updated to RHEL 5.9 since its
> release a few weeks ago. RHEL 5.3 is now 4 years old and you should
> *not* use it for any security sensitive functions like the critical
> Kerberos authentication in an ADS domain, without the Red Hat
> published system updates. So do the system updates first.
>> and Windows domain. The Linux FQDN resolves to the name of one of the
>> kerberos realms we have, but I was asked to have the linux server
>> join a different kerberos realm and windows Domain. When I attempt to
>> run the command 'net ads join -U [account] -w [domain]', I get the
>> following error:
>> Failed to set servicePrincipalNames. Please ensure that
>> the DNS domain of this server matches the AD domain,
>> Or rejoin with using Domain Admin credentials.
>> I know it's possible because it was done in the company in the past
>> (unfortunately) the sysadmin that did it no longer works here and no
>> one else knows how to reproduce how he did it.
> Are you using the built-in Samba 3.0.33, the available "samba3x" tool
> that is Samba 3.6.6, or a hand-built up-to-date Samba toolsuite? If
> you're using the built-in Samba 3.0.33 or the "samba3x" package, you
> should be able to use "authconfig" to set all of this in PAM, and only
> need "net ads" to register the particular host with AD credentials.
> And are you making sure to use "net ads join -U 'admin@remotedomain'
> -w 'remotedomain'", if the DNS domain does not match the AD domain?
> You might also install, and try working with, the X-based version of
> the "system-config-authentication" command which provides reasonable
> GUI options for most of this.
>> I know this email is scarce on helpful information. I simply don't
>> know what information to supply (I have the output of join with -d 4
>> and -d 10 debug levels).
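
The error quoted in this thread asks the admin to confirm that the server's DNS domain matches the AD domain. A pre-join check for that condition follows as an added example that is not part of the original thread or of Samba itself. It assumes the target realm is set as `realm` in the `[global]` section of smb.conf; the function names, host names and sample configuration are constructed for illustration.

```shell
# Print a [global] parameter from an smb.conf-style file ($1=file, $2=name).
smb_global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { sect = $0; sub(/^[ \t]*\[/, "", sect)
                        sub(/\].*$/, "", sect); sect = norm(sect); next }
        sect == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(key) == norm(want)) found = val    # keep last assignment
        }
        END { if (found != "") print found }
    ' "$1"
}

# Lower-cased DNS domain of an FQDN; fails for a short host name.
dns_domain_of() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" | tr 'A-Z' 'a-z' ;;
        *)   return 1 ;;
    esac
}

# $1=host FQDN, $2=config. Returns 0 match, 1 mismatch, 2 value missing.
check_join_precondition() {
    realm=$(smb_global_param "$2" realm | tr 'A-Z' 'a-z')
    domain=$(dns_domain_of "$1") || { echo "no DNS domain in '$1'"; return 2; }
    [ -n "$realm" ] || { echo "no realm in [global] of $2"; return 2; }
    [ "$domain" = "$realm" ] && { echo "OK: $domain matches realm"; return 0; }
    echo "MISMATCH: DNS domain $domain, realm $realm"; return 1
}
write_sample_conf() {   # constructed sample, not taken from the thread
    cat > "$1" <<'EOF'
[global]
    workgroup = CORP
    security = ads
    ; realm = OLD.EXAMPLE.COM
    Realm = CORP.EXAMPLE.COM
[data]
    path = /srv/data
EOF
}

conf=$(mktemp) && write_sample_conf "$conf"
check_join_precondition app01.corp.example.com "$conf"
check_join_precondition app01.lab.example.com "$conf"
rm -f "$conf"
```

On a real host the first argument would be the output of `hostname -f` and the second the path to the live smb.conf.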
