The reason for wanting this is because I have a whole load of servers
with hostnames > 15 characters in length and changing the hostname
isn't realistic.
Details as follows:
# hostname
yet-another-joining-test
# hostname -f
yet-another-joining-test.ptin.corppt.com
# hostname -s
yet-another-joining-test
# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
10.112.28.54 yet-another-joining-test.ptin.corppt.com yet-another-joining-test
# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = PTIN
realm = PTIN.CORPPT.com
netbios name = YETANOTHERTEST1
security = ADS
# net ads join -U x01024
x01024's password:
Using short domain name -- PTIN
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Failed to disable machine account for 'YETANOTHERTEST1' in realm
'PTIN.CORPPT.COM'
Failed to disable machine account in AD. Please do so manually.
Failed to join domain: Type or value exists
This creates the entry for the machine in AD ("net ads status" shows
it) but doesn't populate the dNSHostName or servicePrincipalName
attributes.
Running "net ads join" with "-d 10" shows:
name_to_fqdn(): lookup for YETANOTHERTEST1 failed
If I add the netbios name to my /etc/hosts then name_to_fqdn()
succeeds and returns the FQDN - but the join still fails with the same
message. If I run wireshark during an attempted join, then I can see
that an ldapmodify operation on the existing machine entry is failing
with a constraintViolation on the dNSHostName attribute.
If I then change the hostname to "yetanothertest1" and update /etc/hosts to:
# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
10.112.28.54 yetanothertest1.ptin.corppt.com yetanothertest1
then the join works and the entry has the dNSHostName attribute
populated with the netbios name. If I then change the hostname back to
the longer version and revert /etc/hosts, then I can join again - but
it always uses the netbios name as the hostname and seems to be
resolving the hostname via AD.
The OS is x86_64 RHEL5.4 and samba from the RPM
samba-common-3.0.33-3.14.el5, winbind is not running when I try to
join.
So; am I doing something wrong, or is it not possible?
Many thanks.
--
Jonathan Barber <jonatha...@gmail.com>
One thing to note is that a machine can have more than one hostname as
well as more than one DNS record.
I was able to get someone joined by putting everything in the /etc/hosts
file:
127.0.0.1 localhost.localdomain localhost
10.112.28.54 yet-another-joining-test.ptin.corppt.com
yet-another-joining-test yetanothertest1.ptin.corppt.com yetanothertest1
#note the above is all one line starting from 10.112.28.54
The smb.conf setup you have should not need to be modified.
You will likely want to either reset or completely delete the
yetanothertest1 machine account in ADUC, as one of your messages says
the value exists.
Tell us if that works for you!
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
Yes, this should work; you may need a DNS alias entry for the netbios name,
though. If it does not work, maybe you can in addition set the hostname as a
netbios alias, but this should not be necessary ...
cheers
christoph
best regards
~christoph
--
/* Christoph Beyer | Office: Building 2b / 23 *\
* DESY | Phone: 040-8998-2317 *
* - IT - | Fax: 040-8998-4060 *
\* 22603 Hamburg | http://www.desy.de */
[snip]
>> So; am I doing something wrong, or is it not possible?
>>
>> Many thanks.
>> --
>> Jonathan Barber <jonatha...@gmail.com>
>
> One thing to note is that a machine can have more than one hostname as
> well as more than one DNS record.
>
> I was able to get someone joined by putting everything in the /etc/hosts
> file:
> 127.0.0.1 localhost.localdomain localhost
> 10.112.28.54 yet-another-joining-test.ptin.corppt.com
> yet-another-joining-test yetanothertest1.ptin.corppt.com yetanothertest1
> #note the above is all one line starting from 10.112.28.54
>
> The smb.conf setup you have should not need to be modified.
>
> You will likely want to either reset or completely delete the
> yetanothertest1 machine account in ADUC, as one of your messages says
> the value exists.
>
> Tell us if that works for you!
Unfortunately it doesn't. However, I do get a slightly different error message:
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Failed to disable machine account for 'YETANOTHERTEST4' in realm
'PTIN.CORPPT.COM'
Failed to disable machine account in AD. Please do so manually.
Failed to join domain: Constraint violation
I've also tried Christoph's suggestion of adding the hostname (first
just the hostname, then the hostname and the FQDN) to the "netbios
aliases" parameter, but that gave the same error as above.
I don't have access rights to delete entries in AD, so I'm up to
yetanothertest6 now :)
I'll try samba-latest tomorrow to see if it's a problem with the RHEL package.
Thanks for your suggestions, knowing it should be possible is half the battle.
Cheers
--
Jonathan Barber <jonatha...@gmail.com>
So you should just find someone to delete the old entry and then you
should be able to join under the different name...
cheers
christoph
best regards
~christoph
--
/* Christoph Beyer | Office: Building 2b / 23 *\
* DESY | Phone: 040-8998-2317 *
* - IT - | Fax: 040-8998-4060 *
\* 22603 Hamburg | http://www.desy.de */
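
Added example, not part of any post in this thread and not Samba code: a pre-join check that replays the three /etc/hosts layouts quoted above against the conditions the thread reports (the 15-character NetBIOS limit, the name_to_fqdn() lookup of the netbios name, and the FQDN differing from netbios name + realm). Function names and finding labels are hypothetical; the third check encodes only what the posters observed, not a documented Samba or AD rule.

```python
NETBIOS_MAX = 15  # NetBIOS names hold at most 15 characters

# Sample inputs copied from the posts in this thread.
ORIGINAL_HOSTS = """127.0.0.1 localhost.localdomain localhost
10.112.28.54 yet-another-joining-test.ptin.corppt.com yet-another-joining-test
"""
COMBINED_HOSTS = """127.0.0.1 localhost.localdomain localhost
10.112.28.54 yet-another-joining-test.ptin.corppt.com yet-another-joining-test yetanothertest1.ptin.corppt.com yetanothertest1
"""
RENAMED_HOSTS = """127.0.0.1 localhost.localdomain localhost
10.112.28.54 yetanothertest1.ptin.corppt.com yetanothertest1
"""

def parse_hosts(text):
    """Map each name in hosts-file text to the canonical (first) name on its line."""
    canonical = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no names
        for name in fields[1:]:
            # First match wins, as it does for a hosts-file lookup.
            canonical.setdefault(name.lower(), fields[1].lower())
    return canonical

def prejoin_findings(hosts_text, hostname, netbios_name, realm):
    """Return labels for each condition that preceded a failed join in the thread."""
    hosts = parse_hosts(hosts_text)
    nb = netbios_name.lower()
    findings = []
    if len(nb) > NETBIOS_MAX:
        findings.append("netbios-name-too-long")
    if nb not in hosts:
        # Corresponds to "name_to_fqdn(): lookup for YETANOTHERTEST1 failed".
        findings.append("netbios-name-unresolvable")
    fqdn = hosts.get(hostname.lower())
    if fqdn is None:
        findings.append("hostname-unresolvable")
    elif fqdn != f"{nb}.{realm.lower()}":
        # The only reported successful join had FQDN == netbios name + realm.
        findings.append("fqdn-differs-from-netbios-name")
    return findings

if __name__ == "__main__":
    for label, hosts, host in (("original", ORIGINAL_HOSTS, "yet-another-joining-test"),
                               ("combined", COMBINED_HOSTS, "yet-another-joining-test"),
                               ("renamed", RENAMED_HOSTS, "yetanothertest1")):
        print(label, prejoin_findings(hosts, host, "YETANOTHERTEST1", "PTIN.CORPPT.com"))
```

An empty list corresponds to the renamed-host layout, the one configuration the thread reports as joining successfully.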