Quest of SUSE 10 with Server2k8 AD authentication

steve steve at steve-ss.com
Thu Feb 13 05:26:53 MST 2014


On Thu, 2014-02-13 at 13:56 +0200, Danie Wessels wrote:
> >> >>As part of the net ads join process, the machine is registered. 
> >> registered as what?
> >> as Domain Controller in the domain
>  - IF realm is set to domain and security = user?
> >> as Computer on Domain
>   - IF security = ads?
> 
ads. Look:
> > net ads join will join the computer to the domain

>  and register its name in DNS. Hence the DNS server must be able to work out the name of the computer _before_ you issue the command. Hence:
> >> >> If it is not then the DC does not know the fqdn of the VM.
> Is it meant that FQDN of machine (1) should be resolvable (by DNS) before attempting join.

No.

> { Maybe I should draw a picture of this and add it to the samba docs.. :^) }
> >> >> An easy way to make sure is to un-join, add the fqdn to the localhost line in hosts.conf and rejoin.
> > You can still join, but that first dns update is vital if you want to avoid issues later.
> And to remove it altogether would a
>   net ads leave -U"someadmin"%"passwd" {from the machine} be sufficient?
Yes.
>   Or is manual action for a DC on AD also required?
> 
> Do I need to be a Domain Controller (as machine 1) to authenticate AD users on local machine 1 for login?
> (Here I suppose I have to assign manually the AD users to the local Linux login group.
>  This will not be an issue because I think this is what had happened.)
> 
> It seems once again here that the AD/DNS setup is faulty (not stable).

No, I don't think so. net is quite correctly throwing up the DNS error
upon joining.. I can't keep repeating how to fix that;)

>  - I have asked the AD admin to fix recurring static IPs for the old machine 1 and 2 with same names as their VMs
>   (we only had old physical machine 2 on last Thursday for a while)

Just remove the machines, make sure that AD knows their fqdn and then
rejoin them. If they're static IPs, the name will be registered once
upon the join and you can then forget about it forever. Unless you
enable dynamic updates on a Linux box it will never send IP update
requests. That's just great for a server or a DC.

>  - This is causing that a mount share for machine 2 on 1 is not available for 2.
> 
You're almost certainly correct.
> > HTH
> > Steve
> 
> Every bit of the picture makes it clearer!
> Thanks
Good luck.
Steve

> Danie W
> 
> The perusal, use, dissemination, copying or storing of this message or its attachments and the opening of attachments is subject to PBMR's standard email disclaimer available at internet address: http://www.pbmr.com/index.asp?Content=233 - Disclaimer or on request from the sender.
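The recurring advice in this thread is that the machine's FQDN must be known (in /etc/hosts, and ideally in AD DNS) before `net ads join`, or the DNS update at join time fails and shares break later. The script below is an added example, not part of the thread or of Samba: it is a pre-join check that a member-server admin can run. It assumes the FQDN is passed in (or taken from `hostname -f`), the Kerberos realm is passed in, and the hosts file path defaults to /etc/hosts; the sample hosts content it can write is constructed for illustration.

```shell
#!/bin/sh
# Pre-join sanity check for a Samba AD member server (added example).
# Assumptions: FQDN and realm are given as arguments; hosts file defaults
# to /etc/hosts. Nothing here talks to AD; it only checks local naming.

# Return 0 if some line of the hosts file maps an address to exactly FQDN.
# Comments are stripped first, so a commented-out entry does not count.
fqdn_in_hosts() {
    fqdn="$1"; hosts_file="${2:-/etc/hosts}"
    awk -v want="$fqdn" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == want) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$hosts_file"
}

# Return 0 if the name is fully qualified (contains a dot) and sits under
# the realm, compared case-insensitively (REALM is conventionally upper-case).
fqdn_matches_realm() {
    fqdn="$1"; realm="$2"
    case "$fqdn" in
        *.*) ;;
        *) return 1 ;;
    esac
    lower_fqdn=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')
    lower_realm=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    case "$lower_fqdn" in
        *."$lower_realm") return 0 ;;
        *) return 1 ;;
    esac
}

# Write a constructed hosts file (sample data, not from any real machine)
# so the checks can be exercised without touching /etc/hosts.
write_sample_hosts() {
    printf '%s\n' \
        '127.0.0.1   localhost' \
        '127.0.1.1   vm1.example.com vm1    # loopback-style entry for the VM' \
        '# 10.0.0.7  vm2.example.com vm2    # commented out: must not match' \
        > "$1"
}

# Combine the checks; print what an admin should fix before joining.
# Returns 0 when both checks pass, 1 otherwise.
preflight() {
    fqdn="${1:-$(hostname -f 2>/dev/null)}"; realm="$2"; hosts_file="${3:-/etc/hosts}"
    status=0
    if fqdn_matches_realm "$fqdn" "$realm"; then
        echo "ok: $fqdn is a fully qualified name under realm $realm"
    else
        echo "FAIL: '$fqdn' is not an FQDN under $realm (check hostname and realm)"
        status=1
    fi
    if fqdn_in_hosts "$fqdn" "$hosts_file"; then
        echo "ok: $fqdn is listed in $hosts_file"
    else
        echo "FAIL: $fqdn missing from $hosts_file; add it to the host's address line before 'net ads join'"
        status=1
    fi
    return $status
}

# Stand-alone demo against the constructed sample file.
if [ "${PREJOIN_DEMO:-1}" = 1 ] && [ -z "${PREJOIN_NO_DEMO:-}" ]; then
    demo="${TMPDIR:-/tmp}/hosts.sample.$$"
    write_sample_hosts "$demo"
    preflight vm1.example.com EXAMPLE.COM "$demo"
    rm -f "$demo"
fi
```

Run it as `sh prejoin-check.sh` for the demo, or source it and call `preflight "$(hostname -f)" EXAMPLE.COM` on the real host; the second check is the one that corresponds to Steve's "add the fqdn to the localhost line and rejoin" advice, while the first catches a bare hostname that would leave the DNS update with nothing to register.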




More information about the samba-technical mailing list