Re: [Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC

2013-02-06 Thread Andrew Bartlett
On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
 I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both
 Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm
 able to successfully join the client:

I think this comes down to a fundamental misunderstanding of what an
RODC can do.  It is indeed 'read only'!  

You don't join Samba to a DC, you join Samba to a domain.  If the RODC
is the most favourable server to use for authentication after that, then
we will use it, but we will need to contact a read-write DC from time to
time. 

 [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
 libnet_Join:
 libnet_JoinCtx: struct libnet_JoinCtx
 out: struct libnet_JoinCtx
 account_name : NULL
 netbios_domain_name  : 'DOMAIN'
 dns_domain_name  : 'domain.com'
 forest_name  : 'domain.com'
 dn   : NULL
 domain_sid   : *
 domain_sid   :
 S-1-5-21-2999212452-478241430-698296220
 modified_config  : 0x00 (0)
 error_string : 'Failed to set account flags for
 machine account (NT_STATUS_NOT_SUPPORTED)
 '
 domain_is_ad : 0x01 (1)
 result   : WERR_NOT_SUPPORTED
 Failed to join domain: Failed to set account flags for machine account
 (NT_STATUS_NOT_SUPPORTED)

You should allow Samba and krb5 to find the closest DC to use, and not
force a particular server.  This not only improves redundancy, it makes
Samba much more likely to 'just work'.

Remove all these configuration lines:

 Configuration files:

 [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
 [global]
   workgroup = DOMAIN
   password server = wegsfes19234.domain.com

 [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf

 [libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false

 [realms]
  EXAMPLE.COM = {
   kdc = kerberos.example.com:88
   admin_server = kerberos.example.com:749
   default_domain = example.com
  }
 
  domain.com = {
   kdc = wegsfes19234.domain.com
  }
 
  DOMAIN.COM = {
   kdc = wegsfes19234.domain.com
   kdc = wegsfes19234.domain.com
  }

That is, remove the kdc, dns_lookup_kdc and password server
configuration options from smb.conf and krb5.conf files.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
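A small check, added here and not part of the thread, that flags the settings Andrew says to remove (password server in smb.conf, explicit kdc = entries and dns_lookup_kdc = false in krb5.conf) so the member server falls back to DNS SRV discovery of the closest DC. File paths are arguments; the stock /etc locations are assumed defaults.

```shell
#!/bin/sh
# check_dc_pinning: report config lines that pin Samba/krb5 to one DC.
# usage: . ./check_dc_pinning.sh && check_dc_pinning [smb.conf] [krb5.conf]
# Exit status is 1 when any pinned setting is found, 0 when clean.

strip_comments() {
    # Drop comment (# and ;) and blank lines, like the grep in the thread.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*;' -e '^[[:space:]]*$' "$1"
}

# smb.conf: "password server" forces every request to a single DC.
pinned_smb() {
    strip_comments "$1" |
        grep -i -E '^[[:space:]]*password[[:space:]]*server[[:space:]]*='
}

# krb5.conf: explicit "kdc =" lines pin the KDC, and dns_lookup_kdc = false
# stops the library from finding KDCs through _kerberos._tcp SRV records.
pinned_krb5() {
    strip_comments "$1" |
        grep -i -E '^[[:space:]]*kdc[[:space:]]*=|^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*false'
}

check_dc_pinning() {
    smb="${1:-/etc/samba/smb.conf}"   # assumed default location
    krb="${2:-/etc/krb5.conf}"        # assumed default location
    n=0
    for f in "$smb" "$krb"; do
        [ -r "$f" ] || { echo "skip: $f not readable" >&2; continue; }
        if [ "$f" = "$smb" ]; then hits=$(pinned_smb "$f")
        else hits=$(pinned_krb5 "$f"); fi
        [ -n "$hits" ] || continue
        echo "$f pins a DC:"
        printf '%s\n' "$hits" | sed 's/^/    /'
        n=$((n + $(printf '%s\n' "$hits" | grep -c .)))
    done
    echo "$n pinned setting(s) found"
    [ "$n" -eq 0 ]
}
```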


Re: [Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC

2013-02-06 Thread Matt Carey
On Wed, Feb 6, 2013 at 4:45 PM, Andrew Bartlett abart...@samba.org wrote:

 On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
  I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried
 both
  Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123)
 I'm
  able to successfully join the client:

 I think this comes down to a fundamental misunderstanding of what an
 RODC can do.  It is indeed 'read only'!

 You don't join Samba to a DC, you join Samba to a domain.  If the RODC
 is the most favourable server to use for authentication after that, then
 we will use it, but we will need to contact a read-write DC from time to
 time.


If the object CN=vm-ae67a,CN=Computers,DC=receiptiq,DC=com has already
been created within AD and the Password Replication Policy has been set
such that the object is replicated to the RODC, then what attributes on
that object is the net ads join trying to update/write? I was hoping to
perform the functional equivalent of the MS djoin.exe process and use
winbind to authenticate the AD users against the RODC.

Configuration files have been updated and it finds the RODC via broadcast
rather than being hard-coded:
[root@vm-ae67a ~]# net ads lookup dc
Information for Domain Controller: 10.100.0.168

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: a7654231-d835-420a-bba8-b2d78722b056
Flags:
Is a PDC:                                    no
Is a GC of the forest:                       yes
Is an LDAP server:                           yes
Supports DS:                                 yes
Is running a KDC:                            yes
Is running time services:                    yes
Is the closest DC:                           yes
Is writable:                                 no
Has a hardware clock:                        no
Is a non-domain NC serviced by LDAP server:  no
Is NT6 DC that has some secrets:             yes
Is NT6 DC that has all secrets:              no
Forest:             domain.com
Domain:             domain.com
Domain Controller:  WEGSFES19234.domain.com
Pre-Win2k Domain:   DOMAIN
Pre-Win2k Hostname: WEGSFES19234
Server Site Name:   Default-First-Site-Name
Client Site Name:   Default-First-Site-Name
NT Version: 5
LMNT Token:
LM20 Token: