Redhat 7.1 machine not joining Domain
Hello,
I have upgraded to Redhat 7.1 and I am having trouble adding the machine to the domain. I followed a similar procedure on Redhat 6 and it worked fine, but I see the issues below on the new server.
NTP is working correctly:
[root@server1 ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
dc1 x.x.x.x 3 u 3 64 1 0.487 -2.571 0.000
*dc2 y.y.y.y 2 u 3 64 1 0.456 67.811 0.000
I get the following errors joining it to the domain:
[root@server1 ~]# sudo net ads join -U adm-df@domain.ie -S 192.168.213.36 createcomputer="OU=LINUX,OU=SYSTEMS,DC=domain,DC=ie" -k
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
Config as follows:
Change /etc/sysconfig/network-scripts/ifcfg-eth0 to ONBOOT=yes
subscription-manager register --username user1 --password pw --auto-attach --force
systemctl stop firewalld
iptables-save
Configure SELINUX=disabled in /etc/selinux/config
sudo yum install sssd krb5-workstation samba-common authconfig pam_krb5.x86_64 sssd-krb5-common.x86_64 pam_krb5.x86_64
yum install ntp.x86_64 ntpdate.x86_64 samba-common.x86_64 samba-libs.x86_64 samba-winbind.x86_64 samba.x86_64 telnet samba-winbind-clients.x86_64
sudo authconfig --enablekrb5 --krb5realm=domain.IE --krb5kdc=proddc1.domain.ie --krb5adminserver=dc1.domain.ie --enablekrb5kdcdns --enablekrb5realmdns --update
sudo yum -y install oddjob
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 0600 /etc/sssd/sssd.conf
Necessary config files as follows:
[root@server1 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = domain.IE
dns_lookup_kdc = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
domain.IE = {
kdc = proddc1.domain.ie
admin_server = dc1.domain.ie
}
domain.IE = {
kdc = proddc1.domain.ie
admin_server = dc1.domain.ie
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
domain.ie = domain.IE
.domain.ie = domain.IE
[root@server1 ~]# grep -Ev '#|;' /etc/samba/smb.conf
[global]
workgroup = CORK
server string = Samba Server Version %v
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = domain.IE
security = ads
interfaces = lo eno1
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[root@server1 ~]# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LOCAL,domain.ie
[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999
[domain/domain.ie]
id_provider = ad
access_provider = simple
;simple_allow_users =
simple_allow_groups = server1_users, Linux_Admins
[nss]
[pam]
Any suggestions? Let me know if any further information is required.
Responses
In the smb.conf file I can see that you have mentioned both security=ads and security=user. In order to join the machine to AD, security=ads should be used.
Instead of using 'net ads' on a RHEL 7.1 machine you may use 'realmd', which is much simpler and takes care of the required configuration files. You may find more details at: 1. https://access.redhat.com/solutions/1350723 2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ch-Configuring_Authentication.html
HTH
This can occur as well if you don't have the samba services started. I actually just ran into this.
systemctl start smb nmb
Also, don't forget to enable them.
I've read in the documentation for samba, however, that you're not supposed to have to start the samba service for a domain member. Maybe someone can clarify?