Redhat 7.1 machine not joining Domain

Hello,

I have upgraded to Redhat 7.1 and I have trouble adding the machine to the domain. I followed a similar procedure on Redhat 6 and it worked fine but I see the issues below on the new server.

NTP is working correctly:

[root@server1 ~]# ntpq -p
 remote   refid     st t when poll reach   delay   offset  jitter
 dc1      x.x.x.x    3 u    3   64     1   0.487   -2.571   0.000
*dc2      y.y.y.y    2 u    3   64     1   0.456   67.811   0.000

I get the following errors when joining it to the domain:
[root@server1 ~]# sudo net ads join -U adm-df@domain.ie -S 192.168.213.36 createcomputer="OU=LINUX,OU=SYSTEMS,DC=domain,DC=ie" -k
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

Config as follows:
Change /etc/sysconfig/network-scripts/ifcfg-eth0 to ONBOOT=yes
subscription-manager register --username user1 --password pw --auto-attach --force
systemctl stop firewalld
iptables-save

Configure SELINUX=disabled in /etc/selinux/config

sudo yum install sssd krb5-workstation samba-common authconfig pam_krb5.x86_64 sssd-krb5-common.x86_64 pam_krb5.x86_64

yum install ntp.x86_64 ntpdate.x86_64 samba-common.x86_64 samba-libs.x86_64 samba-winbind.x86_64 samba.x86_64 telnet samba-winbind-clients.x86_64

sudo authconfig --enablekrb5 --krb5realm=domain.IE --krb5kdc=proddc1.domain.ie --krb5adminserver=dc1.domain.ie --enablekrb5kdcdns --enablekrb5realmdns --update

sudo yum -y install oddjob

sudo chown root:root /etc/sssd/sssd.conf

sudo chmod 0600 /etc/sssd/sssd.conf

Necessary config files as follows:

[root@server1 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false

default_realm = EXAMPLE.COM

default_ccache_name = KEYRING:persistent:%{uid}

default_realm = domain.IE
dns_lookup_kdc = true
[realms]

EXAMPLE.COM = {

kdc = kerberos.example.com

admin_server = kerberos.example.com

}

domain.IE = {
kdc = proddc1.domain.ie
admin_server = dc1.domain.ie
}

domain.IE = {
kdc = proddc1.domain.ie
admin_server = dc1.domain.ie
}

[domain_realm]

.example.com = EXAMPLE.COM

example.com = EXAMPLE.COM

domain.ie = domain.IE
.domain.ie = domain.IE

[root@server1 ~]# grep -Ev '#|;' /etc/samba/smb.conf

[global]

    workgroup = CORK
    server string = Samba Server Version %v
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    realm = domain.IE
    security = ads


    interfaces = lo eno1



    log file = /var/log/samba/log.%m
    max log size = 50


    security = user
    passdb backend = tdbsam


    load printers = yes
    cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

[root@server1 ~]# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LOCAL,domain.ie

[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999

[domain/domain.ie]
id_provider = ad

access_provider = simple
;simple_allow_users =
simple_allow_groups = server1_users, Linux_Admins

[nss]

[pam]

Any suggestions, or is any further information required?

Responses

In the smb.conf file I can see that you have specified both security=ads and security=user. In order to join the machine to AD, security=ads should be used.

Instead of using 'net ads' on a RHEL 7.1 machine, you may use 'realmd', which is much simpler and takes care of the required configuration file. You can find more details at:

1. https://access.redhat.com/solutions/1350723
2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ch-Configuring_Authentication.html

HTH

This can occur as well if you don't have the samba services started. I actually just ran into this.

systemctl start smb nmb

Also, don't forget to enable them.

I've read in the documentation for samba, however, that you're not supposed to have to start the samba service for a domain member. Maybe someone can clarify?

Hello, I use realm and it works great, but no password is required when I enter my user name after opening a new session. How can this be solved? A password is a must :)