On Wed, Feb 6, 2013 at 4:45 PM, Andrew Bartlett abart...@samba.org wrote:
On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD; I've tried
both Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC (wegsfes19123)
I'm able to successfully join the client:
I think this comes down to a fundamental misunderstanding of what an
RODC can do. It is indeed 'read only'!
You don't join Samba to a DC, you join Samba to a domain. If the RODC
is the most favourable server to use for authentication after that, then
we will use it, but we will need to contact a read-write DC from time to
time.
If the object CN=vm-ae67a,CN=Computers,DC=receiptiq,DC=com has already
been created within AD and the Password Replication Policy has been set
such that the object is replicated to the RODC, then what attributes on
that object is the net ads join trying to update/write? I was hoping to
perform the functional equivalent of the MS djoin.exe process and use
winbind to authenticate the AD users against the RODC.
[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOMAIN'
dns_domain_name : 'domain.com'
forest_name : 'domain.com'
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-2999212452-478241430-698296220
modified_config : 0x00 (0)
error_string : 'Failed to set account flags for
machine account (NT_STATUS_NOT_SUPPORTED)
'
domain_is_ad : 0x01 (1)
result : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account
(NT_STATUS_NOT_SUPPORTED)
You should allow Samba and krb5 to find the closest DC to use, and not
force a particular server. This not only improves redundancy, it makes
Samba much more likely to 'just work'.
Remove all these configuration lines:
Configuration files:
[root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
[global]
workgroup = DOMAIN
password server = wegsfes19234.domain.com
[root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
domain.com = {
kdc = wegsfes19234.domain.com
}
DOMAIN.COM = {
kdc = wegsfes19234.domain.com
kdc = wegsfes19234.domain.com
}
That is, remove the kdc, dns_lookup_kdc and password server
configuration options from smb.conf and krb5.conf files.
Andrew Bartlett
--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Configuration files have been updated and it finds the RODC via broadcast
rather than being hard coded:
[root@vm-ae67a ~]# net ads lookup dc
Information for Domain Controller: 10.100.0.168
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: a7654231-d835-420a-bba8-b2d78722b056
Flags:
Is a PDC: no
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS:yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable:no
Has a hardware clock: no
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets:yes
Is NT6 DC that has all secrets: no
Forest: domain.com
Domain: domain.com
Domain Controller: WEGSFES19234.domain.com
Pre-Win2k Domain: DOMAIN
Pre-Win2k Hostname: WEGSFES19234
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token:
LM20 Token:
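As an added example (not Samba's code and not part of this thread): a small Python parser for the `net ads lookup dc` output above that reads the `Is writable` flag, so a host can tell before running `net ads join` that the DC it located is an RODC and that a join pinned to it will need a writable DC anyway. The sample text is a trimmed copy of the response posted above; the function names are assumptions made for this illustration.

```python
# Added example, not Samba project code: parse `net ads lookup dc` output
# and flag a read-only DC before attempting `net ads join`.

# Constructed sample: a trimmed copy of the LOGON_SAM_LOGON_RESPONSE_EX
# block from the thread (Samba prints some flags with no space after ':').
SAMPLE_LOOKUP = """\
Information for Domain Controller: 10.100.0.168
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
Flags:
Is a PDC: no
Is an LDAP server: yes
Supports DS:yes
Is running a KDC: yes
Is the closest DC: yes
Is writable:no
Is NT6 DC that has all secrets: no
Domain Controller: WEGSFES19234.domain.com
"""


def parse_lookup_dc(text):
    """Return {field: value}; 'yes'/'no' flags become True/False."""
    fields = {}
    for line in text.splitlines():
        # Split on the first ':' only, so 'Supports DS:yes' parses too.
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:        # skip 'Flags:' header and noise
            continue
        fields[key] = {"yes": True, "no": False}.get(value.lower(), value)
    return fields


def dc_join_check(fields):
    """Explain whether a join pinned to this DC can write the machine account."""
    dc = fields.get("Domain Controller", "?")
    writable = fields.get("Is writable")
    if writable is None:
        return "cannot tell: 'Is writable' flag not present for %s" % dc
    if not writable:
        return ("%s is a read-only DC (RODC): the join must write the machine "
                "account, so do not pin password server/kdc to it; let DC "
                "location find a writable DC" % dc)
    return "%s is writable; join can proceed" % dc


if __name__ == "__main__":
    print(dc_join_check(parse_lookup_dc(SAMPLE_LOOKUP)))
```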