Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED

2012-10-13 Thread Oguz Yilmaz
Dear Matthieu,

After joining, should I change just the IP addresses in krb5.conf,
smb.conf and lmhosts to the local IP address? Could you please summarize the
steps from remote join to local authentication and getting the user list?

Thanks,

--
Oguz YILMAZ


On Sat, Oct 13, 2012 at 11:21 AM, Matthieu Patou  wrote:
> On 10/13/2012 01:18 AM, Oguz Yilmaz wrote:
>>
>> I have joined to central DC. AFAIK winbind/samba creates a machine
>> account? What other thing is done in Active Directory DC during join
>> process? I want to fully understand what samba is doing to be able to
>> guide DC administrator.
>>
>> After this I can not join local DC again. If Central DC replicates
>> into local DC, this machine account etc. should have been replicated
>> into local DC. Isn't it possible to disable this machine account
>> creation process?
>
> If you joined the central one and waited for the replication, why rejoin on
> the local RODC one?
>
>
> Matthieu.
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED

2012-10-13 Thread Matthieu Patou

On 10/13/2012 01:18 AM, Oguz Yilmaz wrote:

> I have joined to central DC. AFAIK winbind/samba creates a machine
> account? What other thing is done in Active Directory DC during join
> process? I want to fully understand what samba is doing to be able to
> guide DC administrator.
>
> After this I can not join local DC again. If Central DC replicates
> into local DC, this machine account etc. should have been replicated
> into local DC. Isn't it possible to disable this machine account
> creation process?

If you joined the central one and waited for the replication, why rejoin
on the local RODC one?


Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org



Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED

2012-10-13 Thread Oguz Yilmaz
I have joined to central DC. AFAIK winbind/samba creates a machine
account? What other thing is done in Active Directory DC during join
process? I want to fully understand what samba is doing to be able to
guide DC administrator.

After this I can not join local DC again. If Central DC replicates
into local DC, this machine account etc. should have been replicated
into local DC. Isn't it possible to disable this machine account
creation process?

Thank you

--
Oguz


On Fri, Oct 12, 2012 at 10:53 AM, Matthieu Patou  wrote:
> On 10/12/2012 12:05 AM, Oguz Yilmaz wrote:
>>
>> RODC is Windows Server 2008 R2 Enterprise 7601 Service Pack 1.
>> What do you suggest? We keep rodc as read only. How can I join and
>> continue to auth and get user list over read only dc?
>
> Your first problem is the join, I think this can only be done with a RWDC.
> As for the day to day use I think it's possible to use a RODC but if you
> didn't allow the RODC to replicate then every auth request will be proxied
> from the RODC to the RWDC.
> The list of users will be served by the RODC directly.
>
>
> Matthieu.
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>


Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED

2012-10-12 Thread Matthieu Patou

On 10/12/2012 12:05 AM, Oguz Yilmaz wrote:

> RODC is Windows Server 2008 R2 Enterprise 7601 Service Pack 1.
> What do you suggest? We keep rodc as read only. How can I join and
> continue to auth and get user list over read only dc?

Your first problem is the join, I think this can only be done with a RWDC.
As for the day to day use I think it's possible to use a RODC but if you
didn't allow the RODC to replicate then every auth request will be
proxied from the RODC to the RWDC.

The list of users will be served by the RODC directly.

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org

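Matthieu's point that a join has to target a writable DC while an RODC can still serve day-to-day lookups can be checked against the directory itself before running `net ads join`. The following Python is an added example, not from the thread: it classifies DC computer objects from a constructed LDIF sample using the `userAccountControl` flag values and group RID given in the comments; `rodc14` is the thread's host, `dc01` is an assumed name for the writable DC.

```python
# Added example: pick the DCs a "net ads join" may target. A join needs a
# writable DC (RWDC); an RODC's computer object carries the
# UF_PARTIAL_SECRETS_ACCOUNT bit and sits in the "Read-only Domain
# Controllers" group (RID 521). LDIF below is constructed sample data.
UF_SERVER_TRUST_ACCOUNT = 0x2000         # set on writable DCs
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000  # set only on RODCs
RID_READ_ONLY_DOMAIN_CONTROLLERS = 521

SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=testdom,DC=com,DC=tr
dNSHostName: dc01.testdom.com.tr
userAccountControl: 532480
primaryGroupID: 516

dn: CN=RODC14,OU=Domain Controllers,DC=testdom,DC=com,DC=tr
dNSHostName: rodc14.testdom.com.tr
userAccountControl: 83890176
primaryGroupID: 521
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def dc_role(entry):
    """Return 'RODC', 'RWDC' or None (not a DC) for a computer object."""
    uac = int(entry.get("userAccountControl", "0"))
    group = int(entry.get("primaryGroupID", "0"))
    if uac & UF_PARTIAL_SECRETS_ACCOUNT or group == RID_READ_ONLY_DOMAIN_CONTROLLERS:
        return "RODC"
    if uac & UF_SERVER_TRUST_ACCOUNT:
        return "RWDC"
    return None

def join_targets(text):
    """Hostnames usable for 'net ads join': writable DCs only."""
    return sorted(e["dNSHostName"] for e in parse_ldif(text)
                  if dc_role(e) == "RWDC")
```

Running `join_targets(SAMPLE_LDIF)` leaves only the writable DC, which is where the join in this thread would have to go; the RODC remains available for the winbind lookups the thread describes.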


Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED

2012-10-11 Thread Matthieu Patou

On 10/11/2012 05:29 AM, Oguz Yilmaz wrote:

> Dear list users,
>
> I have a problem when joining an Active Directory domain. In this
> project we have one Main DC in capital city and one read only dc in
> one remote city.
>
> We join to main DC successfully. However, we can not join to local
> Replicate (rodc14). We are using this method for winbind / squid ntlm
> authentication purposes not a full samba server. Internet connection is
> not fast and we have thousands of users. Remote joining is not our
> first choice.
>
> First of all I try to join without lmhosts entry. That time, I got
> "Failed to join domain: failed to find DC for domain". /etc/hosts
> entry was in place and AD dns server was running. Anyway, I have
> overcome this problem after adding lmhosts entry.
>
> Now my problem is:
> "result   : WERR_NOT_SUPPORTED
> Failed to join domain: Failed to set account flags for machine account
> (NT_STATUS_NOT_SUPPORTED)"

I think that it's expected: you can't join on a RODC. Maybe Windows is
able to discover it and do the join with the RWDC.


Is your RODC a Samba 4 DC or a Microsoft Windows one?

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org



[Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED

2012-10-11 Thread Oguz Yilmaz
Dear list users,

I have a problem when joining an Active Directory domain. In this
project we have one Main DC in capital city and one read only dc in
one remote city.

We join to main DC successfully. However, we can not join to local
Replicate (rodc14). We are using this method for winbind / squid ntlm
authentication purposes not a full samba server. Internet connection is
not fast and we have thousands of users. Remote joining is not our
first choice.

First of all I try to join without lmhosts entry. That time, I got
"Failed to join domain: failed to find DC for domain". /etc/hosts
entry was in place and AD dns server was running. Anyway, I have
overcome this problem after adding lmhosts entry.

Now my problem is:
"result   : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account
(NT_STATUS_NOT_SUPPORTED)"

I have searched and come up with: this may be about read only DC. We
have changed DC to normal mode. Nothing has changed.

I need some help for joining to a read only dc and the problem debugged below.

System is Centos 5 i386
AD Server is "Windows Server 2008 R2 Enterprise 7601 Service Pack 1"

Samba is
samba3-utils-3.6.8-44.el5
samba3-3.6.8-44.el5
samba3-winbind-3.6.8-44.el5
samba3-client-3.6.8-44.el5

RPMs from Sernet. (Actually I was using samba3x RPMs from CentOS. I
upgraded when I encountered these problems.)

net ads  -d 10 testjoin
net ads join -d 3 -U test14%pass

Debugs are below.


DC: rodc14.testdom.com.tr, 10.10.25.4
domain: TESTDOM.COM.TR
Machine Name: TEST14
AD USER: test14 (In administrator group)



Best Regards,

Oguz





[root@test14 ~]# kinit
Password for tes...@testdom.com.tr:
[root@test14 ~]# echo $?
0

[root@test14 ~]# net ads testjoin
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt
integrity check failed
kerberos_kinit_password TEST14$@TESTDOM.COM.TR failed: A service is
not available that is required to process the request
Join to domain is not valid: Undetermined error






cat /etc/hosts:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost test14
::1 localhost6.localdomain6 localhost6
10.10.25.4  rodc14.testdom.com.tr  #Do not edit/remove this line,
required for labris AD integration






cat /etc/samba/lmhosts:

# This file provides the same function that the lmhosts file does for
# Windows. It's another way to map netbios names to ip addresses.
#
# Cf. section 'name resolve order' in the manual page of smb.conf for
# more information.

127.0.0.1   localhost
#127.0.0.1   FOO#20
#192.168.1.1 MYDOM#1C
10.10.25.4  TESTDOM




/etc/samba/smb.conf:

[global]
   netbios name = TEST14
   realm = testdom.com.tr
   workgroup = TEST
   security = ads
   encrypt passwords = yes
   password server = 10.10.25.4
   log level = 3
   log file = /var/log/samba.log
   ldap ssl = no
   idmap uid = 1-2
   idmap gid = 1-2

   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

   domain master = no
   local master = no
   preferred master = no

   template shell = /sbin/nologin

   getwd cache = yes
   winbind cache time = 10
   ldap connection timeout = 1200
   ldap timeout = 2400

   allow trusted domains = yes
#   ldap ssl = off
#   winbind offline logon = yes
#   winbind refresh tickets = yes
#   client use spnego = no
#   use spnego = no
#   ldap ssl ads = no
#   client ldap sasl wrapping = plain



/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTDOM.COM.TR
 default_tkt_enctypes = rc4-hmac des-cbc-crc
 default_tgs_enctypes = rc4-hmac des-cbc-crc
# dns_lookup_realm = false
# dns_lookup_kdc = false

 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 TESTDOM.COM.TR = {
  kdc = 10.10.25.4
  admin_server = 10.10.25.4
  default_domain = TESTDOM.COM.TR
 }

[domain_realm]
 .testdom.com.tr = TESTDOM.COM.TR
  testdom.com.tr = TESTDOM.COM.TR








net ads join Log:

net ads join -d 3 -U test14%pass



lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
added interface eth9.102 ip=fe80::20c:bdff:fe05:28f8%eth9.102
bcast=fe80:::::%eth9.102 netmask=:::::
added interface eth1 ip=fe80::290:bff:fe21:43ac%eth1
bcast=fe80:::::%eth1 netmask=:::::
added interface eth2 ip=fe80::290:bff:fe21:43ad%eth2
bcast=fe80:::::%eth2 netmask=:::::
added interface eth0 ip=fe80::290:bff:fe27:b5bf%eth0
bcast=fe80:::::%eth0 netmask=:::::
added interface eth9.102 ip=95.0.0.