Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED
Dear Matthieu,

After joining, should I change just the IP addresses in krb5.conf, smb.conf and lmhosts to the local IP address? Could you please summarize the steps from remote join to local authentication and getting the user list?

Thanks,

--
Oguz YILMAZ

On Sat, Oct 13, 2012 at 11:21 AM, Matthieu Patou wrote:
> On 10/13/2012 01:18 AM, Oguz Yilmaz wrote:
>>
>> I have joined to central DC. AFAIK winbind/samba creates a machine
>> account? What other thing is done in Active Directory DC during join
>> process? I want to fully understand what samba is doing to be able to
>> guide DC administrator.
>>
>> After this I can not join local DC again. If Central DC replicates
>> into local DC, this machine account etc should have been replicated
>> into local DC. Isn't it possible to disable this machine account
>> creation process?
>
> If you joined the central one and waited for the replication why rejoin on
> the local RODC one ?
>
>
> Matthieu.
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED
On 10/13/2012 01:18 AM, Oguz Yilmaz wrote:
> I have joined to central DC. AFAIK winbind/samba creates a machine
> account? What other thing is done in Active Directory DC during join
> process? I want to fully understand what samba is doing to be able to
> guide DC administrator.
>
> After this I can not join local DC again. If Central DC replicates
> into local DC, this machine account etc should have been replicated
> into local DC. Isn't it possible to disable this machine account
> creation process?

If you joined the central one and waited for the replication why rejoin on
the local RODC one ?

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org
Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED
I have joined to central DC. AFAIK winbind/samba creates a machine
account? What other thing is done in Active Directory DC during join
process? I want to fully understand what samba is doing to be able to
guide DC administrator.

After this I can not join local DC again. If Central DC replicates
into local DC, this machine account etc should have been replicated
into local DC. Isn't it possible to disable this machine account
creation process?

Thank you

--
Oguz

On Fri, Oct 12, 2012 at 10:53 AM, Matthieu Patou wrote:
> On 10/12/2012 12:05 AM, Oguz Yilmaz wrote:
>>
>> RODC is Windows Server 2008 R2 Enterprise 7601 Service Pack 1.
>> What do you suggest? We keep rodc as read only. How can I join and
>> continue to auth and get user list over read only dc?
>
> Your first problem is the join, I think this can only be done with a RWDC.
> As for the day to day use I think it's possible to use a RODC but if you
> didn't allow the RODC to replicate then every auth request will be proxied
> from the RODC to the RWDC.
> The list of users will be served by the RODC directly.
>
>
> Matthieu.
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED
On 10/12/2012 12:05 AM, Oguz Yilmaz wrote:
> RODC is Windows Server 2008 R2 Enterprise 7601 Service Pack 1.
> What do you suggest? We keep rodc as read only. How can I join and
> continue to auth and get user list over read only dc?

Your first problem is the join, I think this can only be done with a RWDC.
As for the day to day use I think it's possible to use a RODC but if you
didn't allow the RODC to replicate then every auth request will be proxied
from the RODC to the RWDC.
The list of users will be served by the RODC directly.

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org
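The RWDC/RODC distinction Matthieu draws can be checked from the directory itself: every domain controller's computer account carries userAccountControl flags that mark it as a writable DC (SERVER_TRUST_ACCOUNT) or a read-only one (PARTIAL_SECRETS_ACCOUNT), and its primaryGroupID puts it in "Domain Controllers" (RID 516) or "Read-only Domain Controllers" (RID 521). The script below is an added example, not Samba code and not from anyone in the thread: it parses a small LDIF listing, classifies each account, and returns the hosts that can accept the machine-account writes a join performs. The LDIF is constructed for this example; rodc14.testdom.com.tr and TEST14 are the thread's names, maindc.testdom.com.tr is an invented RWDC, and the flag values are the documented MS-SAMR bit values. Real input in this shape can be pulled with `net ads search '(objectCategory=computer)' dNSHostName userAccountControl primaryGroupID`.

```python
"""Classify AD computer accounts as RWDC, RODC or member from their
userAccountControl flags. Added example for this thread; not Samba code.
SAMPLE_LDIF is constructed: maindc.testdom.com.tr is an invented host."""

# userAccountControl bits (MS-SAMR USER_ACCOUNT codes)
WORKSTATION_TRUST_ACCOUNT = 0x00001000   # member servers and workstations
SERVER_TRUST_ACCOUNT = 0x00002000        # writable domain controllers
PARTIAL_SECRETS_ACCOUNT = 0x04000000     # read-only domain controllers

# primaryGroupID RIDs of the built-in DC groups
RID_DOMAIN_CONTROLLERS = 516
RID_READONLY_DOMAIN_CONTROLLERS = 521

SAMPLE_LDIF = """\
dn: CN=MAINDC,OU=Domain Controllers,DC=testdom,DC=com,DC=tr
dNSHostName: maindc.testdom.com.tr
userAccountControl: 532480
primaryGroupID: 516

dn: CN=RODC14,OU=Domain Controllers,DC=testdom,DC=com,DC=tr
dNSHostName: rodc14.testdom.com.tr
userAccountControl: 83890176
primaryGroupID: 521

dn: CN=TEST14,CN=Computers,DC=testdom,DC=com,DC=tr
dNSHostName: test14.testdom.com.tr
userAccountControl: 4096
primaryGroupID: 515
"""


def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, 'attr: value' lines."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def classify(entry):
    """Return (role, consistent). 'consistent' is False when the flags and the
    primary group disagree, which is worth a closer look by the DC admins."""
    uac = int(entry.get("userAccountControl", "0"))
    pgid = int(entry.get("primaryGroupID", "0"))
    if uac & PARTIAL_SECRETS_ACCOUNT:
        role = "RODC"
    elif uac & SERVER_TRUST_ACCOUNT:
        role = "RWDC"
    elif uac & WORKSTATION_TRUST_ACCOUNT:
        role = "member"
    else:
        role = "unknown"
    expected = {"RWDC": RID_DOMAIN_CONTROLLERS,
                "RODC": RID_READONLY_DOMAIN_CONTROLLERS}.get(role)
    return role, expected is None or pgid == expected


def join_targets(entries):
    """Hosts able to service a join: the join writes the machine account's
    flags, which a read-only DC refuses (the NT_STATUS_NOT_SUPPORTED in the thread)."""
    return [e["dNSHostName"] for e in entries if classify(e)[0] == "RWDC"]


if __name__ == "__main__":
    dcs = parse_ldif(SAMPLE_LDIF)
    for entry in dcs:
        role, ok = classify(entry)
        print(f"{entry['dNSHostName']:28} {role:8} {'ok' if ok else 'MISMATCH'}")
    print("join via:", ", ".join(join_targets(dcs)))
```

Once the join has gone through a host from `join_targets`, day-to-day authentication can still be pointed at the RODC as Matthieu describes; whether a given user's logon is answered locally or proxied to the RWDC depends on the RODC's password replication policy, which this script does not inspect.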
Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED
On 10/11/2012 05:29 AM, Oguz Yilmaz wrote:
> Dear list users,
>
> I have a problem when joining an Active Directory domain. In this project we have one Main DC in capital city and one read only dc in one remote city. We join to main DC successfully. However, we can not join to local Replicate (rodc14). We are using this method for winbind / squid ntlm authentication purposes, not a full samba server. Internet connection is not fast and we have thousands of users. Remote joining is not our first choice.
>
> First of all I try to join without lmhosts entry. That time, I got "Failed to join domain: failed to find DC for domain". /etc/hosts entry was in place and AD dns server was running. Anyway, I have overcome this problem after adding lmhosts entry.
>
> Now my problem is:
> "result : WERR_NOT_SUPPORTED
> Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)"

I think that it's expected, you can't join on a RODC maybe Windows is able to discover it and do the join with the RWDC.

Is your rodc a samba 4 DC or a Microsoft Windows ?

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org
[Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED
Dear list users,

I have a problem when joining an Active Directory domain. In this project we have one Main DC in capital city and one read only dc in one remote city. We join to main DC successfully. However, we can not join to local Replicate (rodc14). We are using this method for winbind / squid ntlm authentication purposes, not a full samba server. Internet connection is not fast and we have thousands of users. Remote joining is not our first choice.

First of all I try to join without lmhosts entry. That time, I got "Failed to join domain: failed to find DC for domain". /etc/hosts entry was in place and AD dns server was running. Anyway, I have overcome this problem after adding lmhosts entry.

Now my problem is:
"result : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)"

I have searched and come up with: this may be about read only dc. We have changed dc to normal mode. Nothing has changed.

I need some help for joining to a read only dc and the problem debugged below.

System is Centos 5 i386
AD Server is "Windows Server 2008 R2 Enterprise 7601 Service Pack 1"
Samba is
samba3-utils-3.6.8-44.el5
samba3-3.6.8-44.el5
samba3-winbind-3.6.8-44.el5
samba3-client-3.6.8-44.el5
Rpms from sernet. (Actually I was using samba3x rpms from Centos. I have upgraded when I encountered these problems.)

net ads -d 10 testjoin
net ads join -d 3 -U test14%pass

Debugs are below.

DC: rodc14.testdom.com.tr, 10.10.25.4
domain: TESTDOM.COM.TR
Machine Name: TEST14
AD USER: test14 (In administrator group)

Best Regards,
Oguz

[root@test14 ~]# kinit
Password for tes...@testdom.com.tr:
[root@test14 ~]# echo $?
0
[root@test14 ~]# net ads testjoin
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt integrity check failed
kerberos_kinit_password TEST14$@TESTDOM.COM.TR failed: A service is not available that is required to process the request
Join to domain is not valid: Undetermined error

cat /etc/hosts:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost test14
::1 localhost6.localdomain6 localhost6
10.10.25.4 rodc14.testdom.com.tr #Do not edit/remove this line, required for labris AD integration

cat /etc/samba/lmhosts:
# This file provides the same function that the lmhosts file does for
# Windows. It's another way to map netbios names to ip addresses.
#
# Cf. section 'name resolve order' in the manual page of smb.conf for
# more information.
127.0.0.1 localhost
#127.0.0.1 FOO#20
#192.168.1.1 MYDOM#1C
10.10.25.4 TESTDOM

/etc/samba/smb.conf:
[global]
netbios name = TEST14
realm = testdom.com.tr
workgroup = TEST
security = ads
encrypt passwords = yes
password server = 10.10.25.4
log level = 3
log file = /var/log/samba.log
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
domain master = no
local master = no
preferred master = no
template shell = /sbin/nologin
getwd cache = yes
winbind cache time = 10
ldap connection timeout = 1200
ldap timeout = 2400
allow trusted domains = yes
# ldap ssl = off
# winbind offline logon = yes
# winbind refresh tickets = yes
# client use spnego = no
# use spnego = no
# ldap ssl ads = no
# client ldap sasl wrapping = plain

/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TESTDOM.COM.TR
default_tkt_enctypes = rc4-hmac des-cbc-crc
default_tgs_enctypes = rc4-hmac des-cbc-crc
# dns_lookup_realm = false
# dns_lookup_kdc = false
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
TESTDOM.COM.TR = {
kdc = 10.10.25.4
admin_server = 10.10.25.4
default_domain = TESTDOM.COM.TR
}

[domain_realm]
.testdom.com.tr = TESTDOM.COM.TR
testdom.com.tr = TESTDOM.COM.TR

net ads join Log:
net ads join -d 3 -U test14%pass
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
added interface eth9.102 ip=fe80::20c:bdff:fe05:28f8%eth9.102 bcast=fe80:::::%eth9.102 netmask=:::::
added interface eth1 ip=fe80::290:bff:fe21:43ac%eth1 bcast=fe80:::::%eth1 netmask=:::::
added interface eth2 ip=fe80::290:bff:fe21:43ad%eth2 bcast=fe80:::::%eth2 netmask=:::::
added interface eth0 ip=fe80::290:bff:fe27:b5bf%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth9.102 ip=95.0.0.
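The krb5.conf posted above offers only rc4-hmac and des-cbc-crc for tickets; single DES is disabled by default on Windows Server 2008 R2 and later, and RC4 is the legacy fallback that AES has replaced. The following is an added example, not part of the thread and not Samba or MIT Kerberos code: a small parser for krb5.conf (including the `{ }` blocks under [realms]), an audit of the enctype settings in [libdefaults], and a hardened copy rendered back to file syntax. The sample is reconstructed from the thread's krb5.conf; the severity wording is this example's own.

```python
"""Parse a krb5.conf and audit its Kerberos enctype settings.

Added example for this thread; not Samba or MIT Kerberos code. The sample
below is reconstructed from the krb5.conf posted in the thread, which offers
only RC4 and single DES."""

import copy
import re

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
AES_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                "aes256-cts", "aes128-cts"}
RC4_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
RECOMMENDED = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = TESTDOM.COM.TR
 default_tkt_enctypes = rc4-hmac des-cbc-crc
 default_tgs_enctypes = rc4-hmac des-cbc-crc
 # dns_lookup_kdc = false
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 TESTDOM.COM.TR = {
  kdc = 10.10.25.4
  admin_server = 10.10.25.4
  default_domain = TESTDOM.COM.TR
 }

[domain_realm]
 .testdom.com.tr = TESTDOM.COM.TR
 testdom.com.tr = TESTDOM.COM.TR
"""


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}}. Handles one level of
    '{ ... }' blocks as used under [realms]; '#' starts a comment."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = header.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"directive outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = key
            conf[section][block] = {}
        elif block is None:
            conf[section][key] = value
        else:
            conf[section][block][key] = value
    return conf


def audit_enctypes(conf):
    """List the weaknesses a reviewer would flag in [libdefaults]."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            continue
        listed = libdefaults[key].split()
        if not AES_ENCTYPES.intersection(listed):
            findings.append(f"{key}: no AES enctype offered ({' '.join(listed)})")
        for enctype in listed:
            if enctype.startswith(("des-", "des3-")):
                findings.append(f"{key}: {enctype} is obsolete DES, disabled by "
                                "default on Windows Server 2008 R2 and later")
            elif enctype in RC4_ENCTYPES:
                findings.append(f"{key}: {enctype} is legacy RC4; keep it only "
                                "while accounts still lack AES keys")
    if libdefaults.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables the broken DES enctypes")
    return findings


def harden(conf):
    """Copy of conf with AES-only enctype lists and weak crypto not allowed."""
    fixed = copy.deepcopy(conf)
    libdefaults = fixed.setdefault("libdefaults", {})
    for key in ENCTYPE_KEYS:
        if key in libdefaults:
            libdefaults[key] = RECOMMENDED
    libdefaults.pop("allow_weak_crypto", None)
    return fixed


def render(conf):
    """Serialize back to krb5.conf syntax so the hardened copy can be installed."""
    out = []
    for section, entries in conf.items():
        out.append(f"[{section}]")
        for key, value in entries.items():
            if isinstance(value, dict):
                out.append(f" {key} = {{")
                out.extend(f"  {k} = {v}" for k, v in value.items())
                out.append(" }")
            else:
                out.append(f" {key} = {value}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in audit_enctypes(conf):
        print("FINDING:", finding)
    print(render(harden(conf)))
```

Installing the hardened output changes which key types the client asks the KDC for, so drop rc4-hmac from the lists only once the machine account and the service accounts involved have AES keys; until then keep it after the AES entries rather than removing it.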