Re: [Samba] problem joining AD domain

2013-01-23 Thread Paolo Supino
Hi Nico

It's not up to me to decide (and implement) the OS updates :-( and
thus cannot do anything about the status of security of the systems.
Though I completely agree with you :-)

Now to the Samba ADS integration problem. I only need to execute the
net ads command, I need the windows domain membership for a service
running on this system not for local logins.



TIA
Paolo



On Wed, Jan 23, 2013 at 1:12 AM, Nico Kadel-Garcia nka...@gmail.com wrote:
 On Tue, Jan 22, 2013 at 6:44 AM, Paolo Supino paolo.sup...@gmail.com wrote:
 Hi

 I'm trying to make a Linux server (RHEL 5.3) join my company's ADS
 domain. The company's domain is built from several kerberos realms

 Stop *right* there. If you have RHEL, and you've been regularly
 applying updates, you've automatically updated to RHEL 5.9 since its
 release a few weeks ago. RHEL 5.3 is now 4 years old and you should
 *not* use it for any security sensitive functions like the critical
 Kerberos authentication in an ADS domain, without the Red Hat
 published system updates. So do the system updates first.

 and Windows domain. the Linux FQDN resolves to the name of one of the
 kerberos realms we have, but I was asked to have the linux server
 join a different kerberos realm and windows Domain. When I attempt to
 run the command: 'net ads join -U [account] -w [domain]'. I get the
 following error:
 Failed to set servicePrincipalNames. Please ensure that
 the DNS domain of this server matches the AD domain,
 Or rejoin with using Domain Admin credentials.

 I know it's possible because it was done in the company in the past
 (unfortunately) the sysadmin that did it no longer works here and no
 one else knows how to reproduce how he did it.

 Are you using the built-in Samba 3.0.33, the available samba3x tool
 that is Samba 3.6.6, or a hand-built up-to-date Samba toolsuite? If
 you're using the built-in Samba 3.0.33 or the samba3x package, you
 should be able to use authconfig to set all of this in PAM, and only
 need net ads to register the particular host with AD credentials.

 And are you making sure to use net ads join -U 'admin@remotedomain'
 -w 'remotedomain', if the DNS domain does not match the AD domain?

 You might also install, and try working with, the X-based version of
 the system-config-authentication command which provides reasonable
 GUI options for most of this.


 I know this email is scarce on helpful information. I simply don't
 know what information to supply (I have the output of join with -d 4
 and -d 10 debug levels).
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
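
The join error quoted in this thread asks that the server's DNS domain match the AD domain. The following preflight check is an added example, not code from the thread or from Samba: it compares the two before a join is attempted. The host names, realm and smb.conf contents are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Preflight for 'net ads join': does the host's DNS domain match the AD realm?
# On a real host the FQDN would come from `hostname -f` and the realm from
# /etc/samba/smb.conf; here both are constructed samples so the script runs offline.

# Print the DNS domain of an FQDN (everything after the first label), lower-cased.
dns_domain_of() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" | tr '[:upper:]' '[:lower:]' ;;
        *)   return 1 ;;   # short name only: nothing to compare
    esac
}

# Read smb.conf-style text on stdin and print the "realm" value, lower-cased.
realm_from_smbconf() {
    awk -F= 'tolower($1) ~ /^[ \t]*realm[ \t]*$/ {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print tolower(v); exit }'
}

# Print "match" (exit 0), "mismatch: <dns-domain> vs <realm>" (exit 1),
# or "no-dns-domain" (exit 2) when the host name is not fully qualified.
join_preflight() {
    _realm=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    _domain=$(dns_domain_of "$1") || { echo "no-dns-domain"; return 2; }
    if [ "$_domain" = "$_realm" ]; then
        echo "match"
    else
        echo "mismatch: $_domain vs $_realm"
        return 1
    fi
}

# Constructed sample: the host sits in one DNS domain, smb.conf names another realm.
sample_smbconf() {
    cat <<'EOF'
[global]
   workgroup = CORP
   security = ads
   realm = CORP.EXAMPLE.COM
EOF
}

join_preflight "host1.emea.example.com" "$(sample_smbconf | realm_from_smbconf)" || true
```

A mismatch result corresponds to the situation described in the thread, where the join is attempted against a realm other than the one the host's FQDN belongs to.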


Re: [Samba] problem joining AD domain

2013-01-23 Thread Nico Kadel-Garcia
On Wed, Jan 23, 2013 at 7:13 AM, Paolo Supino paolo.sup...@gmail.com wrote:
 Hi Nico

 It's not up to me to decide (and implement) the OS updates :-( and
 thus cannot do anything about the status of security of the systems.
 Though I completely agree with you :-)

 Now to the Samba ADS integration problem. I only need to execute the
 net ads command, I need the windows domain membership for a service
 running on this system not for local logins.



 TIA
 Paolo

Can you run on a test host using CentOS or Scientific Linux 5.8? It
really is a security and software features issue to be stuck at RHEL
5.3? And either way, what does authconfig --test say about your
configured Kerberos and LDAP settings?

 On Wed, Jan 23, 2013 at 1:12 AM, Nico Kadel-Garcia nka...@gmail.com wrote:
 On Tue, Jan 22, 2013 at 6:44 AM, Paolo Supino paolo.sup...@gmail.com wrote:
 Hi

 I'm trying to make a Linux server (RHEL 5.3) join my company's ADS
 domain. The company's domain is built from several kerberos realms

 Stop *right* there. If you have RHEL, and you've been regularly
 applying updates, you've automatically updated to RHEL 5.9 since its
 release a few weeks ago. RHEL 5.3 is now 4 years old and you should
 *not* use it for any security sensitive functions like the critical
 Kerberos authentication in an ADS domain, without the Red Hat
 published system updates. So do the system updates first.

 and Windows domain. the Linux FQDN resolves to the name of one of the
 kerberos realms we have, but I was asked to have the linux server
 join a different kerberos realm and windows Domain. When I attempt to
 run the command: 'net ads join -U [account] -w [domain]'. I get the
 following error:
 Failed to set servicePrincipalNames. Please ensure that
 the DNS domain of this server matches the AD domain,
 Or rejoin with using Domain Admin credentials.

 I know it's possible because it was done in the company in the past
 (unfortunately) the sysadmin that did it no longer works here and no
 one else knows how to reproduce how he did it.

 Are you using the built-in Samba 3.0.33, the available samba3x tool
 that is Samba 3.6.6, or a hand-built up-to-date Samba toolsuite? If
 you're using the built-in Samba 3.0.33 or the samba3x package, you
 should be able to use authconfig to set all of this in PAM, and only
 need net ads to register the particular host with AD credentials.

 And are you making sure to use net ads join -U 'admin@remotedomain'
 -w 'remotedomain', if the DNS domain does not match the AD domain?

 You might also install, and try working with, the X-based version of
 the system-config-authentication command which provides reasonable
 GUI options for most of this.


 I know this email is scarce on helpful information. I simply don't
 know what information to supply (I have the output of join with -d 4
 and -d 10 debug levels).


Re: [Samba] problem joining AD domain

2013-01-22 Thread Nico Kadel-Garcia
On Tue, Jan 22, 2013 at 6:44 AM, Paolo Supino paolo.sup...@gmail.com wrote:
 Hi

 I'm trying to make a Linux server (RHEL 5.3) join my company's ADS
 domain. The company's domain is built from several kerberos realms

Stop *right* there. If you have RHEL, and you've been regularly
applying updates, you've automatically updated to RHEL 5.9 since its
release a few weeks ago. RHEL 5.3 is now 4 years old and you should
*not* use it for any security sensitive functions like the critical
Kerberos authentication in an ADS domain, without the Red Hat
published system updates. So do the system updates first.

 and Windows domain. the Linux FQDN resolves to the name of one of the
 kerberos realms we have, but I was asked to have the linux server
 join a different kerberos realm and windows Domain. When I attempt to
 run the command: 'net ads join -U [account] -w [domain]'. I get the
 following error:
 Failed to set servicePrincipalNames. Please ensure that
 the DNS domain of this server matches the AD domain,
 Or rejoin with using Domain Admin credentials.

 I know it's possible because it was done in the company in the past
 (unfortunately) the sysadmin that did it no longer works here and no
 one else knows how to reproduce how he did it.

Are you using the built-in Samba 3.0.33, the available samba3x tool
that is Samba 3.6.6, or a hand-built up-to-date Samba toolsuite? If
you're using the built-in Samba 3.0.33 or the samba3x package, you
should be able to use authconfig to set all of this in PAM, and only
need net ads to register the particular host with AD credentials.

And are you making sure to use net ads join -U 'admin@remotedomain'
-w 'remotedomain', if the DNS domain does not match the AD domain?

You might also install, and try working with, the X-based version of
the system-config-authentication command which provides reasonable
GUI options for most of this.


 I know this email is scarce on helpful information. I simply don't
 know what information to supply (I have the output of join with -d 4
 and -d 10 debug levels).