  1. #1

    Problems joining Windows Domain via RODC


    Hey guys,
    I'm trying to join my SUSE server, which is located in a DMZ, to a Windows domain.
    I configured Samba and Kerberos. With kinit I get a ticket. The computer object was created on a RWDC, replicated to the RODC, and is in the cacheable group. It seems that Samba is trying to set flags while joining the domain, namely: ACB_WSTRUST and ACB_PWNOEXP. These flags cannot be set. That's how I interpret the output when I use the net join command.

    net ads join -S rodcserver -U Administrator -d1
    WARNING: The "idmap gid" option is deprecated
    WARNING: The "idmap uid" option is deprecated
    Enter Administrator's password:
    libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
    dc_name : 'rodcserver'
    machine_name : 'suseserver'
    domain_name : *
    domain_name : 'DOMAIN.COM'
    account_ou : NULL
    admin_account : 'Administrator'
    machine_password : NULL
    join_flags : 0x00000023 (35)
    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
    os_version : NULL
    os_name : NULL
    os_servicepack : NULL
    create_upn : 0x00 (0)
    upn : NULL
    modify_config : 0x00 (0)
    ads : NULL
    debug : 0x01 (1)
    use_kerberos : 0x00 (0)
    secure_channel_type : SEC_CHAN_WKSTA (2)
    libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
    account_name : NULL
    netbios_domain_name : 'DOMAIN'
    dns_domain_name : 'domain.com'
    forest_name : 'domain.com'
    dn : NULL
    domain_sid : *
    domain_sid : S-1-5-21-583907252-1425521274-1801674531
    modified_config : 0x00 (0)
    error_string : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)
    '
    domain_is_ad : 0x01 (1)
    result : WERR_NOT_SUPPORTED
    Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

    My smb.conf:

    [global]
    workgroup = DOMAIN
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    kerberos method = secrets and keytab
    realm = DOMAIN.COM
    security = ADS
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes



    My krb5.conf:

    [libdefaults]


    default_realm = DOMAIN.COM
    clockskew = 300
    # default_realm = EXAMPLE.COM


    [realms]
    DOMAIN.COM = {
    kdc = rodc.domain.com
    default_domain = domain.com
    admin_server = rodc.domain.com
    }
    # EXAMPLE.COM = {
    # kdc = kerberos.example.com
    # admin_server = kerberos.example.com
    # }


    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
    [domain_realm]
    .domain.com = DOMAIN.COM
    [appdefaults]
    pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    minimum_uid = 1
    }



    Samba version: 4.1

    How can I resolve this?

    Best regards
    Mauro

  2. #2
    Additional Info:
    I also tried to join the AD with YaST. But even though it is discoverable via net ads lookup, YaST doesn't find the DC. That's when I decided to start with the custom configuration.
