I'm attempting to join a samba server to a Windows 2003 Active Directory on a network I do not control. The admins are working to help me on this, but I am also attempting to be as unobtrusive as possible. To that end, I have set up a Windows PDC and another samba server (with the same configuration) on a private network to do my own testing without having to hassle the Windows admins and ask them to tweak things on their live setup.
The problem is that it appears the "net" command ('net ads join', specifically) translates forward slashes as OU name separators, when in fact, they can actually be part of an OU name.

Example: I want to join my system, TEST001, to the OU 'IT Systems/Admins' in the realm EXAMPLE.COM (KDC: EXAMPLE.EXAMPLE.COM). I can successfully get a kerberos ticket (and hence, authenticate), but cannot actually create a computer account in the desired OU using net, as detailed in the following:

    # kinit [EMAIL PROTECTED]
    (confirm success with klist)
    # net ads join 'IT Systems/Admins' -U [EMAIL PROTECTED]
    ads_join_realm: organizational unit IT Systems/Admins does not exist (dn:ou=Admins,ou=IT Systems,dc=EXAMPLE,dc=EXAMPLE,dc=COM)

On the permissions side, I'm logged in as root on the samba server, and have domain admin rights on the Windows test server.

If the slash is removed from the OU name (e.g. 'IT Systems Admins'), then the samba server successfully joins the Windows AD.

I've tried everything I can think of to explain to the net command explicitly what I want - single quotes, double quotes, escaping the forward slashes with backslashes, etc., all for naught. This suggests to me that the net command doesn't consider slashes to be valid for Windows AD OU names, which they most assuredly are, unfortunately.

The one thing I have yet to do is edit the samba source code and attempt to modify net's behaviour... and since I'm not a programmer, that isn't a good option for me, in my opinion.

Yes, the simple thing to do is to convince the Windows admins to remove all slashes from the OU names, which they likely will, but that still leaves this issue unresolved.

All this to say, and correct me if I'm wrong, that the net command considers some legal Windows OU characters to be illegal and/or translates them as OU separators improperly. Any thoughts, suggestions, etc.?
Config files from the test samba server:

smb.conf

    WORKGROUP = EXAMPLE.COM
    realm = example.example.com
    security = ADS
    encrypt passwords = yes
    password server = example.example.com

krb5.conf

    [libdefaults]
    default_realm = EXAMPLE.COM

    [realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
    }

    [domain_realms]
    .kerberos_server = EXAMPLE.EXAMPLE.COM

(Side note: commas in OU names appear to be legal inside OU names from the Windows side, but throw an "ads_join_realm: Invalid DN syntax" error when using 'net ads join "IT Systems,Admins" -U [EMAIL PROTECTED]'. Same issue with trying to escape the character with backslashes, quotes, etc. as above.)

- David
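
An added illustration, not part of the original post and not Samba's code: a Python model of the OU-path-to-DN mapping visible in the error message above, next to a variant that keeps a backslash-escaped slash literal and escapes DN special characters such as the comma per RFC 4514. The function names and the `\/` escape convention are assumptions made for the example.

```python
# Added illustration; not Samba source code. All function names are hypothetical.
RFC4514_SPECIAL = '"+,;<>\\'  # printable characters RFC 4514 requires escaping

def escape_rdn_value(value):
    """Escape the printable special characters of one DN attribute value."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in RFC4514_SPECIAL or edge_space or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def base_dn(realm):
    return ",".join("dc=" + label for label in realm.split("."))

def naive_ou_path_to_dn(path, realm):
    """Treat every '/' as a separator, most specific OU first in the DN."""
    rdns = ["ou=" + ou for ou in reversed(path.split("/"))]
    return ",".join(rdns + [base_dn(realm)])

def split_ou_path(path):
    """Split on '/', but let '\\/' and '\\\\' stand for a literal '/' or '\\'."""
    parts, cur, i = [], [], 0
    while i < len(path):
        if path[i] == "\\" and path[i + 1:i + 2] in ("/", "\\"):
            cur.append(path[i + 1])
            i += 2
        elif path[i] == "/":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(path[i])
            i += 1
    parts.append("".join(cur))
    return parts

def escaped_ou_path_to_dn(path, realm):
    """Escape-aware variant: literal slashes survive, DN specials are escaped."""
    rdns = ["ou=" + escape_rdn_value(ou) for ou in reversed(split_ou_path(path))]
    return ",".join(rdns + [base_dn(realm)])

if __name__ == "__main__":
    realm = "EXAMPLE.EXAMPLE.COM"  # realm as it appears in the DN of the error message
    print(naive_ou_path_to_dn("IT Systems/Admins", realm))
    print(escaped_ou_path_to_dn("IT Systems\\/Admins", realm))
    print(escaped_ou_path_to_dn("IT Systems,Admins", realm))
```

The first call reproduces the two-level DN from the error message; the other two yield a single `ou=` component, with the comma escaped as `\,` so the DN stays syntactically valid.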