Re: [Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC

2013-02-06 Thread Andrew Bartlett
On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
 I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both
 Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm
 able to successfully join the client:

I think this comes down to a fundamental misunderstanding of what an
RODC can do.  It is indeed 'read only'!  

You don't join Samba to a DC, you join Samba to a domain.  If the RODC
is the most favourable server to use for authentication after that, then
we will use it, but we will need to contact a read-write DC from time to
time. 

 [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
 libnet_Join:
 libnet_JoinCtx: struct libnet_JoinCtx
 out: struct libnet_JoinCtx
 account_name : NULL
 netbios_domain_name  : 'DOMAIN'
 dns_domain_name  : 'domain.com'
 forest_name  : 'domain.com'
 dn   : NULL
 domain_sid   : *
 domain_sid   :
 S-1-5-21-2999212452-478241430-698296220
 modified_config  : 0x00 (0)
 error_string : 'Failed to set account flags for
 machine account (NT_STATUS_NOT_SUPPORTED)
 '
 domain_is_ad : 0x01 (1)
 result   : WERR_NOT_SUPPORTED
 Failed to join domain: Failed to set account flags for machine account
 (NT_STATUS_NOT_SUPPORTED)

You should allow Samba and krb5 to find the closest DC to use, and not
force a particular server.  This not only improves redundancy, it makes
Samba much more likely to 'just work'.

Remove all these configuration lines:

 Configuration files:
 
 [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
 [global]
workgroup = DOMAIN
password server = wegsfes19234.domain.com
  
 
 [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf

 [libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false

 [realms]
  EXAMPLE.COM = {
   kdc = kerberos.example.com:88
   admin_server = kerberos.example.com:749
   default_domain = example.com
  }
 
  domain.com = {
   kdc = wegsfes19234.domain.com
  }
 
  DOMAIN.COM = {
   kdc = wegsfes19234.domain.com
   kdc = wegsfes19234.domain.com
  }

That is, remove the kdc, dns_lookup_kdc and password server
configuration options from smb.conf and krb5.conf files.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
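One way to check a client's smb.conf and krb5.conf for exactly the settings Andrew asks to remove, and to strip them so that DC and KDC discovery falls back to DNS, as an added Python example that is not from this thread or from the Samba project. The two configuration strings are constructed, modelled on the files quoted in the thread, and the parser only handles the ini-style subset those files use (sections, `key = value` lines, and krb5.conf `REALM = { ... }` blocks). Removing `dns_lookup_kdc = false` rather than setting it to `true` relies on MIT krb5's default for that option being true.

```python
import re

# Constructed sample input, modelled on the smb.conf quoted in the thread.
SMB_CONF = """[global]
   workgroup = DOMAIN
   password server = wegsfes19234.domain.com
   realm = DOMAIN.COM
   security = ads
"""

# Constructed sample input, modelled on the krb5.conf quoted in the thread.
# Note the 'kdc = FILE:...' line under [logging]: that one is a log path and
# must survive, only 'kdc' lines inside [realms] blocks pin a KDC.
KRB5_CONF = """[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DOMAIN.COM = {
  kdc = wegsfes19234.domain.com
  kdc = wegsfes19234.domain.com
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
BLOCK_OPEN_RE = re.compile(r"^(?P<name>\S+)\s*=\s*\{$")
KEY_VALUE_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")


def _norm_key(key):
    """Lower-case a key and collapse internal whitespace ('password  server')."""
    return " ".join(key.lower().split())


def parse_ini_like(text):
    """Yield (section, key, value) triples from smb.conf / krb5.conf style text.

    Keys inside a krb5.conf realm block get the section name 'realms/REALM'.
    Comment and blank lines are skipped.
    """
    section, block = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, block = m.group("name").strip().lower(), None
            continue
        m = BLOCK_OPEN_RE.match(line)
        if m:
            block = m.group("name")
            continue
        if line == "}":
            block = None
            continue
        m = KEY_VALUE_RE.match(line)
        if not m:
            continue
        where = "%s/%s" % (section, block) if block else section
        yield where, _norm_key(m.group("key")), m.group("value").strip()


def find_pinned_dc_settings(smb_conf, krb5_conf):
    """Return (file, section, key, value) for every setting that pins the client
    to one DC/KDC or disables DNS-based KDC discovery."""
    findings = []
    for section, key, value in parse_ini_like(smb_conf):
        if section == "global" and key == "password server":
            findings.append(("smb.conf", section, key, value))
    for section, key, value in parse_ini_like(krb5_conf):
        if section == "libdefaults" and key == "dns_lookup_kdc" and value.lower() == "false":
            findings.append(("krb5.conf", section, key, value))
        elif section and section.startswith("realms/") and key == "kdc":
            findings.append(("krb5.conf", section, key, value))
    return findings


def unpin_smb_conf(text):
    """Return smb.conf text with every 'password server' line removed."""
    kept = []
    for raw in text.splitlines():
        kv = KEY_VALUE_RE.match(raw.strip())
        if kv and _norm_key(kv.group("key")) == "password server":
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def unpin_krb5_conf(text):
    """Return krb5.conf text without realm 'kdc = ...' lines and without
    'dns_lookup_kdc', leaving libkrb5 to locate KDCs via DNS SRV records."""
    out, section, block = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, block = m.group("name").strip().lower(), None
        elif BLOCK_OPEN_RE.match(line):
            block = BLOCK_OPEN_RE.match(line).group("name")
        elif line == "}":
            block = None
        kv = KEY_VALUE_RE.match(line)
        if kv and not BLOCK_OPEN_RE.match(line):
            key = _norm_key(kv.group("key"))
            if section == "realms" and block is not None and key == "kdc":
                continue
            if section == "libdefaults" and key == "dns_lookup_kdc":
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in find_pinned_dc_settings(SMB_CONF, KRB5_CONF):
        print("pinned: %s [%s] %s = %s" % finding)
    print(unpin_krb5_conf(KRB5_CONF))
```

Run against the constructed input the lint reports the `password server` line, `dns_lookup_kdc = false`, and both realm `kdc` lines; after the two `unpin_*` rewrites it reports nothing, and the `[logging]` `kdc = FILE:` line is untouched.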


Re: [Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC

2013-02-06 Thread Matt Carey
On Wed, Feb 6, 2013 at 4:45 PM, Andrew Bartlett abart...@samba.org wrote:

 On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
  I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried
 both
  Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123)
 I'm
  able to successfully join the client:

 I think this comes down to a fundamental misunderstanding of what an
 RODC can do.  It is indeed 'read only'!

 You don't join Samba to a DC, you join Samba to a domain.  If the RODC
 is the most favourable server to use for authentication after that, then
 we will use it, but we will need to contact a read-write DC from time to
 time.


If the object CN=vm-ae67a,CN=Computers,DC=receiptiq,DC=com has already
been created within AD and the Password Replication Policy has been set
such that the object is replicated to the RODC, then what attributes on
that object is the net ads join trying to update/write? I was hoping to
perform the functional equivalent of the MS djoin.exe process and use
winbind to authenticate the AD users against the RODC.



  [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
  libnet_Join:
  libnet_JoinCtx: struct libnet_JoinCtx
  out: struct libnet_JoinCtx
  account_name : NULL
  netbios_domain_name  : 'DOMAIN'
  dns_domain_name  : 'domain.com'
  forest_name  : 'domain.com'
  dn   : NULL
  domain_sid   : *
  domain_sid   :
  S-1-5-21-2999212452-478241430-698296220
  modified_config  : 0x00 (0)
  error_string : 'Failed to set account flags for
  machine account (NT_STATUS_NOT_SUPPORTED)
  '
  domain_is_ad : 0x01 (1)
  result   : WERR_NOT_SUPPORTED
  Failed to join domain: Failed to set account flags for machine account
  (NT_STATUS_NOT_SUPPORTED)

 You should allow Samba and krb5 to find the closest DC to use, and not
 force a particular server.  This not only improves redundancy, it makes
 Samba much more likely to 'just work'.

 Remove all these configuration lines:

  Configuration files:
 
  [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
  [global]
 workgroup = DOMAIN
 password server = wegsfes19234.domain.com
 
 
  [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf

  [libdefaults]
   dns_lookup_realm = false
   dns_lookup_kdc = false

  [realms]
   EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
   }
 
   domain.com = {
kdc = wegsfes19234.domain.com
   }
 
   DOMAIN.COM = {
kdc = wegsfes19234.domain.com
kdc = wegsfes19234.domain.com
   }

 That is, remove the kdc, dns_lookup_kdc and password server
 configuration options from smb.conf and krb5.conf files.

 Andrew Bartlett

 --
 Andrew Bartlett                                http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org



Configuration files have been updated and it finds the RODC via broadcast
rather than being hard-coded:
[root@vm-ae67a ~]# net ads lookup dc
Information for Domain Controller: 10.100.0.168

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: a7654231-d835-420a-bba8-b2d78722b056
Flags:
Is a PDC:   no
Is a GC of the forest:  yes
Is an LDAP server:  yes
Supports DS:yes
Is running a KDC:   yes
Is running time services:   yes
Is the closest DC:  yes
Is writable:no
Has a hardware clock:   no
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets:yes
Is NT6 DC that has all secrets: no
Forest: domain.com
Domain: domain.com
Domain Controller: WEGSFES19234.domain.com
Pre-Win2k Domain: DOMAIN
Pre-Win2k Hostname: WEGSFES19234
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: 
LM20 Token: 
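To confirm what the discovered DC can do before attempting a join, the `net ads lookup dc` output above can be parsed and its flags checked, as an added Python example that is not part of this thread or of Samba. The sample text is the RODC output Matt posted; the writable-DC variant is constructed from it by flipping the `Is writable` and `all secrets` flags and the host name, and the `assess_for_join` rules only encode the point made earlier in the thread, that a join must reach a writable DC.

```python
# 'net ads lookup dc' output as posted in the thread (trailing spaces dropped).
RODC_OUTPUT = """Information for Domain Controller: 10.100.0.168

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: a7654231-d835-420a-bba8-b2d78722b056
Flags:
Is a PDC:   no
Is a GC of the forest:  yes
Is an LDAP server:  yes
Supports DS:yes
Is running a KDC:   yes
Is running time services:   yes
Is the closest DC:  yes
Is writable:no
Has a hardware clock:   no
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets:yes
Is NT6 DC that has all secrets: no
Forest: domain.com
Domain: domain.com
Domain Controller: WEGSFES19234.domain.com
Pre-Win2k Domain: DOMAIN
Pre-Win2k Hostname: WEGSFES19234
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token:
LM20 Token:
"""

# Constructed variant: the same answer as a writable DC would give it
# (host name taken from the RWDC the thread joined successfully).
RWDC_OUTPUT = (RODC_OUTPUT
               .replace("Is writable:no", "Is writable:yes")
               .replace("Is NT6 DC that has all secrets: no",
                        "Is NT6 DC that has all secrets: yes")
               .replace("WEGSFES19234", "WEGSFES19123")
               .replace("10.100.0.168", "10.100.0.231"))

FLAG_VALUES = {"yes": True, "no": False}


def parse_lookup_dc(text):
    """Turn 'Key: value' lines into a dict; yes/no flags become booleans.

    Keys keep the exact wording Samba prints ('Is writable', 'Domain Controller')
    so the dict can be read back against the raw output.
    """
    info = {}
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if key:
            info[key] = FLAG_VALUES.get(value.lower(), value)
    return info


def is_rodc(info):
    """A 2008-era RODC reports itself as not writable, holding some but not
    all secrets (exactly the flags in the output above)."""
    return (info.get("Is writable") is False
            and info.get("Is NT6 DC that has some secrets") is True
            and info.get("Is NT6 DC that has all secrets") is False)


def assess_for_join(info):
    """Return the reasons the located DC cannot, by itself, complete a
    'net ads join'. An empty list means it is a writable DC with LDAP and a KDC."""
    dc = info.get("Domain Controller", "<unknown>")
    problems = []
    if info.get("Is writable") is not True:
        problems.append("%s is read-only: machine-account changes must reach a writable DC" % dc)
    if info.get("Is an LDAP server") is not True:
        problems.append("%s does not serve LDAP" % dc)
    if info.get("Is running a KDC") is not True:
        problems.append("%s is not running a KDC" % dc)
    return problems


if __name__ == "__main__":
    for label, text in (("RODC", RODC_OUTPUT), ("RWDC", RWDC_OUTPUT)):
        info = parse_lookup_dc(text)
        print(label, "closest:", info.get("Is the closest DC"), "rodc:", is_rodc(info))
        for problem in assess_for_join(info):
            print("  -", problem)
```

For the posted output this reports the closest DC as an RODC with one problem, that it is read-only; the constructed writable variant passes cleanly. In practice the join still works as long as Samba can locate some writable DC, which is what removing the pinned `password server` and `kdc` settings allows.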


[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC

2013-02-04 Thread Matt Carey
I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both
Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm
able to successfully join the client:

[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19123
...
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name  : 'DOMAIN'
dns_domain_name  : 'domain.com'
forest_name  : 'domain.com'
dn   :
'CN=vm-ae67a,CN=Computers,DC=domain,DC=com'
domain_sid   : *
domain_sid   :
S-1-5-21-2999212452-478241430-698296220
modified_config  : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result   : WERR_OK
Using short domain name -- DOMAIN
Joined 'VM-AE67A' to realm 'domain.com'
DNS Update for vm-ae67a.**INTERNAL*** failed: ERROR_DNS_GSS_ERROR
DNS update failed!

[root@vm-ae67a log]# net ads info
LDAP server: 10.100.0.231
LDAP server name: wegsfes19123.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Sun, 03 Feb 2013 11:45:05 EST
KDC server: 10.100.0.231
Server time offset: 0

However pointing the same client to a RODC(wegsfes19234), for the same
domain, I'm unable to join (/etc/krb5.conf and /etc/samba/smb.conf were
updated to point to the RODC server for authentication):
[root@vm-ae67a log]# kinit administra...@domain.com
Password for administra...@domain.com:
[root@vm-ae67a log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@domain.com

Valid starting     Expires            Service principal
02/03/13 12:31:17  02/03/13 22:31:24  krbtgt/domain@domain.com
renew until 02/04/13 12:31:17

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name  : 'DOMAIN'
dns_domain_name  : 'domain.com'
forest_name  : 'domain.com'
dn   : NULL
domain_sid   : *
domain_sid   :
S-1-5-21-2999212452-478241430-698296220
modified_config  : 0x00 (0)
error_string : 'Failed to set account flags for
machine account (NT_STATUS_NOT_SUPPORTED)
'
domain_is_ad : 0x01 (1)
result   : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account
(NT_STATUS_NOT_SUPPORTED)

Any help with this matter would be greatly appreciated.

Regards,
Matt




Configuration files:

[root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
[global]
   workgroup = DOMAIN
   password server = wegsfes19234.domain.com
   realm = DOMAIN.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   idmap backend = nss
   template homedir = /home/%U
   winbind nss info = rfc2307
   winbind use default domain = true
   server string = vm-ae67a
   netbios name = vm-ae67a
   encrypt passwords = true
 # logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
 # the login script name depends on the machine name
# the login script name depends on the unix user used
# disables profiles support by specifing an empty path
 load printers = yes
cups options = raw
#obtain list of printers automatically on SystemV
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes


[root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 clockskew = 300

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 domain.com = {
  kdc = wegsfes19234.domain.com
 }

 DOMAIN.COM = {
  kdc = wegsfes19234.domain.com
  kdc = wegsfes19234.domain.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true