Samba 'net ads' client problem - can't use -U user%password
Hello All,
Perhaps I'm missing something basic here, but I can register clients to our Windows Server 2008 R2 ADS domain via:
net ads join -U someuser
enter password for someuser
But I cannot join a RHEL 6 client via:
net ads join -U someuser%password
...which is documented in the man page for net.
I need to be able to automate joins in our build process, which means I need the net command to take the username and password as a single argument, which the man page describes as a supported feature.
Here is the debug output I see when I try to do this:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'FOO'
domain_name : *
domain_name : 'AD.FOO.EDU'
account_ou : 'Servers/Linux'
admin_account : 'ADDOMAINlinuxjoin'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x01 (1)
upn : 'host/foo.foo.edu@AD.foo.EDU'
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain 'AD.FOO.EDU' over rpc: Logon failure'
domain_is_ad : 0x00 (0)
result : WERR_LOGON_FAILURE
Failed to join domain: failed to lookup DC info for domain 'AD.FOO.EDU' over rpc: Logon failure
Any ideas?
Responses
Hello Kodiak. I use the following steps to connect RHEL to MS Active Directory:
- Install additional packages
yum install samba*
yum install krb5-libs krb5-workstation
- Configure Kerberos in /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YOURDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
YOURDOMAIN = {
kdc = dns-name-your-domain-controller
}
[domain_realm]
.yourdomain = YOURDOMAIN
yourdomain = YOURDOMAIN
- Configure Samba in /etc/samba/smb.conf
[global]
workgroup = NETBIOSNAMEYOURDOMAIN
password server = dns-name-your-domain-controller:88
realm = YOURDOMAIN
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = true
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
- Add the DNS name in /etc/hosts
- Install and configure an NTP client (this is important for Kerberos authorization)
yum install ntp
edit /etc/ntp.conf
server ip-address-your-ntp-server prefer
- Create a ticket
kinit account-admin-for-active-directory@YOURDOMAIN
- Add the server to the domain
net ads join -S dns-name-your-domain-controller -U account-admin-for-active-directory
- Create a keytab for Kerberos
net ads keytab create -U account-admin-for-active-directory
- Edit /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
- Restart samba and winbind
- Test
net ads info
wbinfo -t
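As an added example that is neither the original poster's nor the responder's code, here is a shell script that automates the join step of the procedure above for a build pipeline without passing the password on the command line. It uses net's -A/--authentication-file option (the standard Samba credentials option, which reads "username =", "password =" and "domain =" lines from a file), so a password containing '%' is never split by the user%password parsing, the secret does not appear in ps output or the build log, and a DOMAIN\user name is never mangled by shell quoting. Note that the debug output in the question shows the admin account as 'ADDOMAINlinuxjoin' with no separator between domain and user, which is what an unquoted backslash consumed by the shell would produce. The createcomputer= and createupn join options mirror the account_ou and create_upn values in that output. The AD_* environment variables, the domain, DC and OU names are placeholders assumed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): automate an AD
# join on RHEL 6 without putting the password in argv.
# Assumptions: Samba 3.x 'net' with the -A/--authentication-file option,
# GNU mktemp/stat, and AD_DOMAIN/AD_USER/AD_PASS/AD_DC/AD_OU set by the
# build system (placeholders; not from the page).
set -eu
umask 077

# Write a Samba credentials file for 'net -A FILE'. Because the values go
# into a file, '%' or '\' in the password and 'DOMAIN\user' in the username
# are never parsed by the shell or split on '%' as -U user%password would be.
write_cred_file() {            # write_cred_file DOMAIN USER PASSWORD -> prints path
    dom=$1
    user=$2
    pass=$3
    f=$(mktemp "${TMPDIR:-/tmp}/adjoin.XXXXXX")
    chmod 600 "$f"
    printf 'username = %s\npassword = %s\ndomain = %s\n' "$user" "$pass" "$dom" > "$f"
    printf '%s\n' "$f"
}

# Refuse to proceed unless the file is private (mode 0600) and carries the
# fields net expects, so a join is never run with a world-readable secret.
check_cred_file() {            # check_cred_file FILE -> 0 ok, 1 unsafe/incomplete
    f=$1
    mode=$(stat -c %a "$f")
    [ "$mode" = 600 ] || return 1
    grep -q '^username = ' "$f" && grep -q '^password = ' "$f"
}

# Read one field back exactly as written (shows that '%' survives intact).
cred_field() {                 # cred_field FILE KEY
    sed -n "s/^$2 = //p" "$1"
}

# Join, verify the machine account, and create the host keytab, all using
# the credentials file instead of -U user%password. The DC, OU and UPN
# options correspond to the values in the original poster's debug output.
join_domain() {                # join_domain CREDFILE DC OU
    net ads join -S "$2" -A "$1" createcomputer="$3" createupn
    net ads testjoin
    net ads keytab create -A "$1"
}

# Only perform the join when explicitly requested, so the functions above
# can be sourced and exercised on a box without a domain controller.
if [ "${AD_JOIN_RUN:-0}" = 1 ]; then
    cred=$(write_cred_file "$AD_DOMAIN" "$AD_USER" "$AD_PASS")
    trap 'rm -f "$cred"' EXIT           # never leave the secret on disk
    check_cred_file "$cred"
    join_domain "$cred" "$AD_DC" "${AD_OU:-Computers}"
fi
```

Run it from the build as AD_JOIN_RUN=1 AD_DOMAIN=... AD_USER=linuxjoin AD_PASS=... AD_DC=dc01.ad.example.edu AD_OU=Servers/Linux sh adjoin.sh, feeding AD_PASS from the build system's secret store rather than a checked-in file; the trap removes the credentials file on exit whether or not the join succeeds.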
