[Samba] problem joining AD domain

Nico Kadel-Garcia nkadel at gmail.com
Wed Jan 23 14:15:32 MST 2013


On Wed, Jan 23, 2013 at 7:13 AM, Paolo Supino <paolo.supino at gmail.com> wrote:
> Hi Nico
>
> It's not up to me to decide (and implement) the OS updates :-( and
> thus cannot do anything about the status of security of the systems.
> Though I completely agree with you :-)
>
> Now to the Samba ADS integration problem. I only need to execute the
> net ads command, I need the windows domain membership for a service
> running on this system not for local logins.
>
>
>
> TIA
> Paolo

Can you run on a test host using CentOS or Scientific Linux 5.8? It
really is a security and software features issue to be stuck at RHEL
5.3? And either way, what does "authconfig --test" say about your
configured Kerberos and LDAP settings?

> On Wed, Jan 23, 2013 at 1:12 AM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>> On Tue, Jan 22, 2013 at 6:44 AM, Paolo Supino <paolo.supino at gmail.com> wrote:
>>> Hi
>>>
>>> I'm trying to make a Linux server (RHEL 5.3) join my company's ADS
>>> domain. The company's domain is built from several kerberos realms
>>
>> Stop *right* there. If you have RHEL, and you've been regularly
>> applying updates, you've automatically updated to RHEL 5.9 since its
>> release a few weeks ago. RHEL 5.3 is now 4 years old and you should
>> *not* use it for any security sensitive functions like the critical
>> Kerberos authentication in an ADS domain, without the Red Hat
>> published system updates. So do the system updates first.
>>
>>> and Windows domain. The Linux FQDN resolves to the name of one of the
>>> kerberos realms we have, but I was asked to have the linux server
>>> join a different kerberos realm and windows Domain. When I attempt to
>>> run the command: 'net ads join -U [account] -w [domain]'. I get the
>>> following error:
>>> Failed to set servicePrincipalNames. Please ensure that
>>> the DNS domain of this server matches the AD domain,
>>> Or rejoin with using Domain Admin credentials.
>>>
>>> I know it's possible because it was done in the company in the past
>>> (unfortunately) the sysadmin that did it no longer works here and no
>>> one else knows how to reproduce how he did it.
>>
>> Are you using the built-in Samba 3.0.33, the available "samba3x" tool
>> that is Samba 3.6.6, or a hand-built up-to-date Samba toolsuite? If
>> you're using the built-in Samba 3.0.33 or the "samba3x" package, you
>> should be able to use "authconfig" to set all of this in PAM, and only
>> need "net ads" to register the particular host with AD credentials.
>>
>> And are you making sure to use "net ads join -U 'admin at remotedomain'
>> -w 'remotedomain'", if the DNS domain does not match the AD domain?
>>
>> You might also install, and try working with, the X-based version of
>> the "system-config-authentication" command which provides reasonable
>> GUI options for most of this.
>>
>>
>>> I know this email is scarce on helpful information. I simply don't
>>> know what information to supply (I have the output of join with -d 4
>>> and -d 10 debug levels).
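A pre-flight check for the DNS-domain versus AD-realm mismatch behind the "Failed to set servicePrincipalNames" error discussed above, added here as an example script that is not from the thread or from Samba itself; the host names, realm, workgroup and account name are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight check before "net ads join": compare the host's DNS domain with
# the target AD realm. Samba cannot set servicePrincipalNames when they differ
# unless the joining account has Domain Admin rights, so in that case the
# target domain should be passed explicitly with -w. Names are constructed.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# dns_domain_of FQDN -> everything after the first label ("" if no dot)
dns_domain_of() {
    case "$1" in
        *.*) printf '%s' "${1#*.}" ;;
        *)   printf '' ;;
    esac
}

# realm_matches FQDN REALM -> exit 0 if the host's DNS domain equals the
# realm (case-insensitive), exit 1 otherwise
realm_matches() {
    [ "$(lower "$(dns_domain_of "$1")")" = "$(lower "$2")" ]
}

# join_command FQDN REALM WORKGROUP USER -> print the net ads join line to
# use; adds -w when the DNS domain and realm differ, as suggested above
join_command() {
    if realm_matches "$1" "$2"; then
        printf 'net ads join -U %s@%s\n' "$4" "$2"
    else
        printf 'net ads join -U %s@%s -w %s\n' "$4" "$2" "$3"
    fi
}

# Usage with constructed values (host lives in lab.example.com, realm differs):
join_command host.lab.example.com CORP.EXAMPLE.COM CORP admin
```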
