Re: [Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
> I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried
> both Samba 3.6.6 and 4.0.2. When pointing the client to a
> RWDC(wegsfes19123) I'm able to successfully join the client:

I think this comes down to a fundamental misunderstanding of what an RODC can do. It is indeed 'read only'!

You don't join Samba to a DC, you join Samba to a domain. If the RODC is the most favourable server to use for authentication after that, then we will use it, but we will need to contact a read-write DC from time to time.

> [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name        : NULL
>             netbios_domain_name : 'DOMAIN'
>             dns_domain_name     : 'domain.com'
>             forest_name         : 'domain.com'
>             dn                  : NULL
>             domain_sid          : *
>                 domain_sid      : S-1-5-21-2999212452-478241430-698296220
>             modified_config     : 0x00 (0)
>             error_string        : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED) '
>             domain_is_ad        : 0x01 (1)
>             result              : WERR_NOT_SUPPORTED
> Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

You should allow Samba and krb5 to find the closest DC to use, and not force a particular server. This not only improves redundancy, it makes Samba much more likely to 'just work'.

Remove all these configuration lines:

> Configuration files:
>
> [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
> [global]
> workgroup = DOMAIN
> password server = wegsfes19234.domain.com
>
> [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> EXAMPLE.COM = {
> kdc = kerberos.example.com:88
> admin_server = kerberos.example.com:749
> default_domain = example.com
> }
> domain.com = {
> kdc = wegsfes19234.domain.com
> }
> DOMAIN.COM = {
> kdc = wegsfes19234.domain.com
> kdc = wegsfes19234.domain.com
> }

That is, remove the kdc, dns_lookup_kdc and password server configuration options from smb.conf and krb5.conf files.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
On Wed, Feb 6, 2013 at 4:45 PM, Andrew Bartlett abart...@samba.org wrote:
> On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
>> I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried
>> both Samba 3.6.6 and 4.0.2. When pointing the client to a
>> RWDC(wegsfes19123) I'm able to successfully join the client:
>
> I think this comes down to a fundamental misunderstanding of what an RODC
> can do. It is indeed 'read only'!
>
> You don't join Samba to a DC, you join Samba to a domain. If the RODC is
> the most favourable server to use for authentication after that, then we
> will use it, but we will need to contact a read-write DC from time to time.

If the object CN=vm-ae67a,CN=Computers,DC=receiptiq,DC=com has already been created within AD and the Password Replication Policy has been set such that the object is replicated to the RODC, then what attributes on that object is the net ads join trying to update/write?

I was hoping to perform the functional equivalent of the MS djoin.exe process and use winbind to authenticate the AD users against the RODC.

>> [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         out: struct libnet_JoinCtx
>>             account_name        : NULL
>>             netbios_domain_name : 'DOMAIN'
>>             dns_domain_name     : 'domain.com'
>>             forest_name         : 'domain.com'
>>             dn                  : NULL
>>             domain_sid          : *
>>                 domain_sid      : S-1-5-21-2999212452-478241430-698296220
>>             modified_config     : 0x00 (0)
>>             error_string        : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED) '
>>             domain_is_ad        : 0x01 (1)
>>             result              : WERR_NOT_SUPPORTED
>> Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)
>
> You should allow Samba and krb5 to find the closest DC to use, and not
> force a particular server. This not only improves redundancy, it makes
> Samba much more likely to 'just work'.
>
> Remove all these configuration lines:
>
>> Configuration files:
>>
>> [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
>> [global]
>> workgroup = DOMAIN
>> password server = wegsfes19234.domain.com
>>
>> [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf
>> [libdefaults]
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>>
>> [realms]
>> EXAMPLE.COM = {
>> kdc = kerberos.example.com:88
>> admin_server = kerberos.example.com:749
>> default_domain = example.com
>> }
>> domain.com = {
>> kdc = wegsfes19234.domain.com
>> }
>> DOMAIN.COM = {
>> kdc = wegsfes19234.domain.com
>> kdc = wegsfes19234.domain.com
>> }
>
> That is, remove the kdc, dns_lookup_kdc and password server configuration
> options from smb.conf and krb5.conf files.
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

Configuration files have been updated and it finds the RODC via broadcast rather than being hard coded:

[root@vm-ae67a ~]# net ads lookup dc
Information for Domain Controller: 10.100.0.168

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: a7654231-d835-420a-bba8-b2d78722b056
Flags:
        Is a PDC:                                   no
        Is a GC of the forest:                      yes
        Is an LDAP server:                          yes
        Supports DS:                                yes
        Is running a KDC:                           yes
        Is running time services:                   yes
        Is the closest DC:                          yes
        Is writable:                                no
        Has a hardware clock:                       no
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets:            yes
        Is NT6 DC that has all secrets:             no
Forest:                 domain.com
Domain:                 domain.com
Domain Controller:      WEGSFES19234.domain.com
Pre-Win2k Domain:       DOMAIN
Pre-Win2k Hostname:     WEGSFES19234
Server Site Name :      Default-First-Site-Name
Client Site Name :      Default-First-Site-Name
NT Version: 5
LMNT Token: 
LM20 Token: 
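A small lint for the two files Andrew walks through, as an added example that is not code from the thread or from Samba: it parses constructed smb.conf and krb5.conf samples modelled on Matt's files and lists the password server, kdc and dns_lookup_kdc lines to drop, while leaving the kdc entry under [logging] (a log path, not a KDC) alone. The option set, the samples and the file names are this example's own assumptions.

```python
"""Lint smb.conf/krb5.conf for the DC-pinning options Andrew asks to remove.
Added example for this thread, not code from Samba or either poster; the
inputs are constructed, modelled on Matt's files, and the key set is assumed."""
import re

# Constructed, modelled on Matt's smb.conf: password server pins the RODC.
SMB_CONF = """[global]
workgroup = DOMAIN
password server = wegsfes19234.domain.com
realm = DOMAIN.COM
security = ads
"""

# Constructed, modelled on Matt's krb5.conf: SRV lookup off, KDC pinned.
KRB5_CONF = """[logging]
kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.COM = {
kdc = wegsfes19234.domain.com
kdc = wegsfes19234.domain.com
}
"""

# Options that force one server instead of letting DNS SRV lookup pick the
# closest DC (and a writable one when, as in the join, a write is needed).
PINNED = {"smb.conf": {"password server"}, "krb5.conf": {"kdc", "dns_lookup_kdc"}}
KEYVAL = re.compile(r"\s*([^=\[\]{}#;]+?)\s*=\s*(.*)")

def strip_pinned(text, kind):
    """Return (cleaned config, removed lines) for a smb.conf or krb5.conf body.
    Under [logging] 'kdc =' names a log file, not a KDC, so it is kept."""
    kept, removed, section = [], [], None
    for line in text.splitlines():
        if line.startswith("["):                # new section header
            section = line.strip("[] ").lower()
        m = KEYVAL.match(line)
        key = m.group(1).strip().lower() if m else None
        if key in PINNED[kind] and section != "logging":
            removed.append(line.strip())
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def audit(smb=SMB_CONF, krb5=KRB5_CONF):
    """Map each file to the pinned lines a join-friendly config should drop."""
    return {k: strip_pinned(t, k)[1] for k, t in (("smb.conf", smb), ("krb5.conf", krb5))}
```

With the pinned lines gone, the realm stanza is left empty and krb5 falls back to the SRV records Andrew refers to, which is what Matt's later `net ads lookup dc` output reflects.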
[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm able to successfully join the client:

[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19123
...
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name        : NULL
            netbios_domain_name : 'DOMAIN'
            dns_domain_name     : 'domain.com'
            forest_name         : 'domain.com'
            dn                  : 'CN=vm-ae67a,CN=Computers,DC=domain,DC=com'
            domain_sid          : *
                domain_sid      : S-1-5-21-2999212452-478241430-698296220
            modified_config     : 0x00 (0)
            error_string        : NULL
            domain_is_ad        : 0x01 (1)
            result              : WERR_OK
Using short domain name -- DOMAIN
Joined 'VM-AE67A' to realm 'domain.com'
DNS Update for vm-ae67a.**INTERNAL*** failed: ERROR_DNS_GSS_ERROR
DNS update failed!

[root@vm-ae67a log]# net ads info
LDAP server: 10.100.0.231
LDAP server name: wegsfes19123.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Sun, 03 Feb 2013 11:45:05 EST
KDC server: 10.100.0.231
Server time offset: 0

However pointing the same client to a RODC(wegsfes19234), for the same domain, I'm unable to join (/etc/krb5.conf and /etc/samba/smb.conf were updated to point to the RODC server for authentication):

[root@vm-ae67a log]# kinit administra...@domain.com
Password for administra...@domain.com:
[root@vm-ae67a log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@domain.com

Valid starting     Expires            Service principal
02/03/13 12:31:17  02/03/13 22:31:24  krbtgt/domain@domain.com
        renew until 02/04/13 12:31:17

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name        : NULL
            netbios_domain_name : 'DOMAIN'
            dns_domain_name     : 'domain.com'
            forest_name         : 'domain.com'
            dn                  : NULL
            domain_sid          : *
                domain_sid      : S-1-5-21-2999212452-478241430-698296220
            modified_config     : 0x00 (0)
            error_string        : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED) '
            domain_is_ad        : 0x01 (1)
            result              : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

Any help with this matter would be greatly appreciated.

Regards,
Matt

Configuration files:

[root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
[global]
workgroup = DOMAIN
password server = wegsfes19234.domain.com
realm = DOMAIN.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
idmap backend = nss
template homedir = /home/%U
winbind nss info = rfc2307
winbind use default domain = true
server string = vm-ae67a
netbios name = vm-ae67a
encrypt passwords = true
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
# the login script name depends on the machine name
# the login script name depends on the unix user used
# disables profiles support by specifing an empty path
load printers = yes
cups options = raw
#obtain list of printers automatically on SystemV
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

[root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
clockskew = 300

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
domain.com = {
kdc = wegsfes19234.domain.com
}
DOMAIN.COM = {
kdc = wegsfes19234.domain.com
kdc = wegsfes19234.domain.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true