On Wed, Jan 23, 2013 at 7:13 AM, Paolo Supino <paolo.sup...@gmail.com> wrote:
> Hi Nico
>
> It's not up to me to decide (and implement) the OS updates :-( and
> thus cannot do anything about the status of security of the systems.
> Though I completely agree with you :-)
>
> Now to the Samba ADS integration problem. I only need to execute the
> net ads command, I need the windows domain membership for a service
> running on this system not for local logins.
>
> TIA
> Paolo

Can you run on a test host using CentOS or Scientific Linux 5.8? It
really is a security and software features issue to be stuck at RHEL
5.3? And either way, what does "authconfig --test" say about your
configured Kerberos and LDAP settings?

> On Wed, Jan 23, 2013 at 1:12 AM, Nico Kadel-Garcia <nka...@gmail.com> wrote:
>> On Tue, Jan 22, 2013 at 6:44 AM, Paolo Supino <paolo.sup...@gmail.com> wrote:
>>> Hi
>>>
>>> I'm trying to make a Linux server (RHEL 5.3) join my company's ADS
>>> domain. The company's domain is built from several kerberos realms
>>
>> Stop *right* there. If you have RHEL, and you've been regularly
>> applying updates, you've automatically updated to RHEL 5.9 since its
>> release a few weeks ago. RHEL 5.3 is now 4 years old and you should
>> *not* use it for any security sensitive functions like the critical
>> Kerberos authentication in an ADS domain, without the Red Hat
>> published system updates. So do the system updates first.
>>
>>> and Windows domain. the Linux FQDN resolves to the name of one of the
>>> kerberos realms we have, but I was asked to have the linux server
>>> join a different kerberos realm and windows Domain. When I attempt to
>>> run the command: 'net ads join -U [account] -w [domain]'. I get the
>>> following error:
>>> Failed to set servicePrincipalNames. Please ensure that
>>> the DNS domain of this server matches the AD domain,
>>> Or rejoin with using Domain Admin credentials.
>>>
>>> I know it's possible because it was done in the company in the past
>>> (unfortunately) the sysadmin that did it no longer works here and no
>>> one else knows how to reproduce how he did it.
>>
>> Are you using the built-in Samba 3.0.33, the available "samba3x" tool
>> that is Samba 3.6.6, or a hand-built up-to-date Samba toolsuite? If
>> you're using the built-in Samba 3.0.33 or the "samba3x" package, you
>> should be able to use "authconfig" to set all of this in PAM, and only
>> need "net ads" to register the particular host with AD credentials.
>>
>> And are you making sure to use "net ads join -U 'admin@remotedomain'
>> -w 'remotedomain'", if the DNS domain does not match the AD domain?
>>
>> You might also install, and try working with, the X-based version of
>> the "system-config-authentication" command which provides reasonable
>> GUI options for most of this.
>>
>>
>>> I know this email is scarce on helpful information. I simply don't
>>> know what information to supply (I have the output of join with -d 4
>>> and -d 10 debug levels).