Samba 'net ads' client problem - can't use -U user%password


Hello All,
Perhaps I'm missing something basic here but I can register clients to our Windows Server 2008R2 ADS domain via:

net ads join -U someuser

enter password for someuser

But I cannot join a RHEL 6 client via:

net ads join -U someuser%password

...which is documented in the man page for net.

I need to be able to automate joins in our build process, which means I need to be able to make the net command take the username and password as a single argument, which is detailed in the man page as a feature.

Here is the debug output I see when I try to do this:

libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'FOO'
domain_name : *
domain_name : 'AD.FOO.EDU'
account_ou : 'Servers/Linux'
admin_account : 'ADDOMAINlinuxjoin'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x01 (1)
upn : 'host/foo.foo.edu@AD.foo.EDU'
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain 'AD.FOO.EDU' over rpc: Logon failure'
domain_is_ad : 0x00 (0)
result : WERR_LOGON_FAILURE
Failed to join domain: failed to lookup DC info for domain 'AD.FOO.EDU' over rpc: Logon failure

Any ideas?

Responses

Hello Kodiak Firesmith,
Have you installed and configured samba, samba-client, krb5 and ntp?

Hello Alexey,
Yes, all AD/Kerberos stuff is configured fine. The interactive method of doing a 'net ads join -U someuser' and then entering the password when prompted works fine - it's just the -U % method that appears to be broken.

Hello Kodiak. I use the following steps to connect RHEL to MS Active Directory:

  1. Install additional packages
yum install samba*
yum install krb5-libs krb5-workstation
  2. Configure Kerberos in /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YOURDOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TRANSTK.RU = {
  kdc = dns-name-your-domain-controller
 }

[domain_realm]
 netbiosnameyourdoamin = NETBIOSNAMEYOURDOMAIN
 netbiosnameyourdomain = NETBIOSNAMETYOURDOMAIN
  3. Configure Samba in /etc/samba/smb.conf
[global]

   workgroup = TTK
   password server = dns-name-your-domain-controller:88
   realm = NETBIOSNAMETYOURDOMAIN
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = false
   winbind offline logon = true

    log file = /var/log/samba/log.%m
    max log size = 50

    passdb backend = tdbsam

    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
  4. Add the DNS name in /etc/hosts

  5. Install and configure the ntp server (it's important for Kerberos authorization)

yum install ntp   # the package is named ntp; the daemon it provides is ntpd
edit /etc/ntp.conf:
server ip-address-your-ntp-server prefer
  6. Create a ticket
kinit account-admin-for-active-directory@NETBIOSNAMETYOURDOMAIN
  7. Add the server to the domain
net ads join -S dns-name-your-domain-controller -U account-admin-for-active-directory
  8. Create a keytab for Kerberos
net ads keytab create -U account-admin-for-active-directory
  9. Edit /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
  10. Restart samba and winbind
  11. Test
net ads info
wbinfo -t
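As an added example (not code from this thread or from Samba), here is a POSIX shell script that automates the join the original poster is after without placing user%password on the command line, where ps output and shell history can expose it: net(8) reads the credentials from a file given with -A, so only the file name is visible, and printf keeps characters such as % or $ in the password intact. It assumes constructed placeholders (linuxjoin, ADDOMAIN, dc1.ad.example.edu, the JOIN_PASS environment variable) and that the join account may create the computer object in the named OU via createcomputer=.

```shell
#!/bin/sh
# Added example, not from the thread. Automates "net ads join" with the
# credentials read from a 0600 file (-A) instead of the argv of net.
# Placeholders (constructed): linuxjoin, ADDOMAIN, dc1.ad.example.edu.

# Write "username/password/domain" lines readable only by the owner.
# printf '%s' passes % $ ! through unchanged; an unquoted user%password
# argument on a shell command line may not.
write_authfile() {
    _user=$1 _pass=$2 _domain=$3 _path=$4
    ( umask 077 && : > "$_path" ) || return 1        # created as mode 0600
    chmod 600 "$_path" || return 1                   # also if it pre-existed
    printf 'username = %s\npassword = %s\ndomain = %s\n' \
        "$_user" "$_pass" "$_domain" > "$_path"
}

# Refuse a credentials file that is group- or world-accessible.
authfile_check() {
    _mode=$(ls -l "$1" | cut -c1-10)
    [ "$_mode" = "-rw-------" ]
}

# Join using the credentials file, then confirm the machine account works.
# NET can be overridden (e.g. for a dry run); createcomputer= selects the OU.
ads_join() {
    _authfile=$1 _dc=$2 _ou=$3
    authfile_check "$_authfile" || { echo "bad perms on $_authfile" >&2; return 1; }
    "${NET:-net}" ads join -S "$_dc" -A "$_authfile" createcomputer="$_ou" &&
    "${NET:-net}" ads testjoin
}

# Usage from a build job:  JOIN_PASS='...' sh join.sh run
# The password comes from the job's environment (readable only by the
# process owner), never from the command line, and the file is removed on exit.
if [ "${1:-}" = "run" ]; then
    AUTHFILE=$(mktemp) && trap 'rm -f "$AUTHFILE"' EXIT
    write_authfile "linuxjoin" "${JOIN_PASS:?set JOIN_PASS}" "ADDOMAIN" "$AUTHFILE"
    ads_join "$AUTHFILE" "dc1.ad.example.edu" "Servers/Linux"
fi
```

Run `net ads info` and `wbinfo -t` afterwards exactly as in the steps above to verify the trust secret.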