On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
> I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both
> Samba 3.6.6 and 4.0.2. When pointing the client to an RWDC (wegsfes19123) I'm
> able to successfully join the client:

I think this comes down to a fundamental misunderstanding of what an RODC
can do. It is indeed 'read only'!

You don't join Samba to a DC, you join Samba to a domain. If the RODC is
the most favourable server to use for authentication after that, then we
will use it, but we will need to contact a read-write DC from time to time.

> [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'DOMAIN'
>             dns_domain_name          : 'domain.com'
>             forest_name              : 'domain.com'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid               : S-1-5-21-2999212452-478241430-698296220
>             modified_config          : 0x00 (0)
>             error_string             : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)
> '
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_NOT_SUPPORTED
> Failed to join domain: Failed to set account flags for machine account
> (NT_STATUS_NOT_SUPPORTED)

You should allow Samba and krb5 to find the closest DC to use, and not
force a particular server. This not only improves redundancy, it makes
Samba much more likely to 'just work'.

Remove all these configuration lines:

> Configuration files:
>
> [root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/samba/smb.conf | uniq
> [global]
>         workgroup = DOMAIN
>         password server = wegsfes19234.domain.com
>
>
> [root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/krb5.conf
> [libdefaults]
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
> [realms]
>  EXAMPLE.COM = {
>   kdc = kerberos.example.com:88
>   admin_server = kerberos.example.com:749
>   default_domain = example.com
>  }
>
>  domain.com = {
>   kdc = wegsfes19234.domain.com
>  }
>
>  DOMAIN.COM = {
>   kdc = wegsfes19234.domain.com
>   kdc = wegsfes19234.domain.com
>  }

That is, remove the kdc, dns_lookup_kdc and password server configuration
options from the smb.conf and krb5.conf files.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
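Added example, not part of the thread or of Samba: a small Python lint that flags the pinned-DC settings Andrew tells Matt to remove (a `kdc` entry under `[realms]`, `dns_lookup_kdc = false`, and a non-default `password server` in smb.conf). The sample config text is constructed from the files quoted above; function names are my own.

```python
"""Flag krb5.conf / smb.conf settings that pin clients to one DC instead of
letting DNS SRV records pick the closest (and a writable) domain controller."""
import re

def lint_krb5(text):
    """Return a list of findings for a krb5.conf body."""
    findings, section, realm = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^\[(\w+)\]$', line)          # [libdefaults], [realms], ...
        if m:
            section, realm = m.group(1).lower(), None
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)      # start of a realm block
        if m and section == 'realms':
            realm = m.group(1)
            continue
        if line == '}':
            realm = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip().lower(), value.strip()
        if section == 'libdefaults' and key == 'dns_lookup_kdc' and value.lower() == 'false':
            findings.append('libdefaults: dns_lookup_kdc = false disables SRV lookup of KDCs')
        if section == 'realms' and realm and key == 'kdc':
            findings.append(f'realms/{realm}: kdc = {value} pins a single KDC')
    return findings

def lint_smb(text):
    """Return a list of findings for an smb.conf body ('*' is the default, not pinned)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        key, _, value = line.partition('=')
        if key.strip().lower() == 'password server' and value.strip() not in ('', '*'):
            findings.append(f'smb.conf: password server = {value.strip()} pins a single DC')
    return findings

# Constructed samples, modelled on the files quoted in the thread.
SAMPLE_KRB5 = """[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 DOMAIN.COM = {
  kdc = wegsfes19234.domain.com
  kdc = wegsfes19234.domain.com
 }
"""
SAMPLE_SMB = "[global]\n\tworkgroup = DOMAIN\n\tpassword server = wegsfes19234.domain.com\n"
```

Running `lint_krb5(SAMPLE_KRB5)` and `lint_smb(SAMPLE_SMB)` lists exactly the lines Andrew says to delete; a config with `dns_lookup_kdc = true` and no `kdc`/`password server` entries yields no findings.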