[rhelv6-beta-list] How can I join a 2008-R2 domain?

John McNulty johnmcn1 at googlemail.com
Tue Jun 22 09:00:25 UTC 2010


In addition to that good advice I would recommend a couple of things:


1) Disable nscd.  It doesn't work well with AD and this is recommended
either in the Samba docs or on their web site (I forget which).

# service nscd stop
# chkconfig nscd off


2) If you want Red Hat to create new home directories the first time an AD
user logs in then you can enable that from the "Options" tab in the
system-config-authentication GUI.  Enable “Create home directories on the
first login”.  Alternatively, edit /etc/pam.d/system-auth-ac and add a line
below pam_limits.so that reads:

session optional pam_mkhomedir.so


3) Consider using the user RID part of the SID for generating UIDs.
e.g. S-1-111-222-333-XXX
where XXX is the RID.

The advantage is that for a given user you guarantee the same UID on every
system.  This is especially important in a cluster where you have a shared
cluster filesystem :)

To configure this edit /etc/samba/smb.conf and in the [global] section
replace the tdbsam backend stuff with this:

idmap domains = EXAMPLE
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:base_rid = 0
idmap config EXAMPLE:range  = 1000 - 33554431

Tweak the range to your own needs, then restart winbind.


John



On 21 June 2010 23:03, Colin Coe <colin.coe at gmail.com> wrote:

>  I use:
>
> authconfig --enableshadow \
> --enablemd5 \
> --enablekrb5 \
> --krb5kdc=server.example.com \
> --krb5adminserver=server.example.com \
> --krb5realm=EXAMPLE.COM \
> --enablekrb5kdcdns \
> --enablekrb5realmdns \
> --enablesmbauth \
> --smbservers=server.example.com \
> --smbworkgroup=EXAMPLE \
> --enablewinbind \
> --enablewinbindauth \
> --smbsecurity=ads \
> --smbrealm=EXAMPLE.COM \
> --winbindtemplateshell=/bin/bash \
> --enablewinbindusedefaultdomain \
> --enablewinbindoffline \
> --winbindjoin=administrator \
> --enablecache \
> --enablelocauthorize \
> --enablepamaccess \
> --disablesysnetauth \
> --kickstart
>
> Works for me on RHEL4u8+ and RHEL5.4.+.  Haven't actually tried on RHEL6
> yet.
>
> YMMV
>
> On Mon, Jun 21, 2010 at 7:24 PM, Kirby Zhou <kirbyzhou at sohu-rd.com> wrote:
> > I can do smbclient with the DC, but ads join failed.
> >
> > ]# smbclient //10.10.96.207/sysvol -U Administrator
> > Enter Administrator's password:
> > Domain=[SOHU-TEST] OS=[Windows Server 2008 R2 Enterprise 7600]
> > Server=[Windows Server 2008 R2 Enterprise 6.1]
> > smb: \> ls
> >  .                                   D        0  Mon Jun 21 18:44:29 2010
> >  ..                                  D        0  Mon Jun 21 18:44:29 2010
> >  SOHU-TEST.COM                       D        0  Mon Jun 21 18:44:29 2010
> >
> >                65433 blocks of size 1048576. 52832 blocks available
> > smb: \>
> >
> > /usr/bin/net join -w SOHU-TEST -S 10.10.96.207 -U Administrator
> > Enter Administrator's password:
> > Failed to join domain: failed to connect to AD: Operations error
> > ADS join did not work, falling back to RPC...
> > Enter Administrator's password:
> > [2010/06/21 19:21:47,  0] utils/net_rpc_join.c:398(net_rpc_join_newstyle)
> >  Error in domain join verification (credential setup failed):
> > NT_STATUS_INVALID_COMPUTER_NAME
> >
> > Unable to join domain SOHU-TEST.
> >
> >
> >
> > Regards,
> >   Kirby Zhou
> >   from   SOHU-RD   +86-10-6272-8261
> >
> >
> >
> > _______________________________________________
> > rhelv6-beta-list mailing list
> > rhelv6-beta-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/rhelv6-beta-list
> >
>
>
>
> --
> RHCE#805007969328369
>
>
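Added example, not part of the original thread: a check for point 3 of John's message, using the mapping documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, with the range and base_rid from his smb.conf fragment. The function names and the inventory lines are constructed for illustration; the observed UIDs stand in for what `id -u <user>` would report on each host.

```shell
#!/bin/sh
# Values taken from the smb.conf fragment in the message above.
LOW_ID=1000
HIGH_ID=33554431
BASE_RID=0

# sid_to_uid SID: print the UID the rid backend derives from the SID.
# Returns 1 for a malformed SID, 2 when the result is outside the idmap range.
sid_to_uid() {
    case $1 in S-1-*-*) ;; *) return 1 ;; esac
    rid=${1##*-}                      # the RID is the last sub-authority
    # Digits only, no leading zeros (octal in shell arithmetic), at most 10 digits.
    case $rid in ''|*[!0-9]*|0?*|???????????*) return 1 ;; esac
    [ "$rid" -ge "$BASE_RID" ] || return 2
    uid=$((rid - BASE_RID + LOW_ID))
    [ "$uid" -le "$HIGH_ID" ] || return 2
    printf '%s\n' "$uid"
}

# check_host_uids: read "host sid observed_uid" lines on stdin and print
# every host whose observed UID differs from the computed one.
check_host_uids() {
    while read -r host sid seen; do
        case $host in ''|'#'*) continue ;; esac
        want=$(sid_to_uid "$sid") || want=unmappable
        [ "$want" = "$seen" ] ||
            printf '%s %s expected=%s observed=%s\n' "$host" "$sid" "$want" "$seen"
    done
}

# Constructed sample: one account seen on three cluster nodes. node3 reports
# a UID that does not follow the RID mapping, so file ownership on a shared
# filesystem would not line up with the other two nodes.
sample_inventory() {
    cat <<'EOF'
# host  sid  observed_uid
node1 S-1-5-21-1111111111-2222222222-3333333333-1104 2104
node2 S-1-5-21-1111111111-2222222222-3333333333-1104 2104
node3 S-1-5-21-1111111111-2222222222-3333333333-1104 10001
EOF
}

sample_inventory | check_host_uids
```

With this range the highest RID that still maps is 33553431; anything above it gets no UID from the rid backend.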