Hi,

I'm using samba just for its "net join" functionality. Computer accounts and kerberos keytabs are created by Samba in Active Directory via "net ads join", then used by UNIX clients to authorise and authenticate via LDAP and Kerberos.

Samba works perfectly until the computer's hostname is longer than 15 characters. Then any attempt to join the domain fails with:

----
[root@uk1-sysstg-sqlsyslogtest etc]# net ads join -U Administrator
Administrator's password:
[2006/11/01 13:14:34, 0] libads/ldap.c:ads_join_realm(1763)
  ads_join_realm: ads_add_machine_acct failed (uk1-sysstg-sqlsyslogtest): Internal (implementation specific) error
ads_join_realm: Internal (implementation specific) error
----

Looking at packet trace output suggests it's because of NETBIOS name length limitations. So I specify a legal NETBIOS name in smb.conf, and the join succeeds.

The problem is now that this computer is _completely_ identified to AD by this NETBIOS name. Both the kerberos tickets and the DNS name for this computer are linked to the NETBIOS name, even though this is different from the UNIX hostname.

If this were a Microsoft AD limitation, I could write this off, but it seems this is a Samba problem.

From: http://technet2.microsoft.com/WindowsServer/en/library/8ec96981-6b1a-48ec-bd3e-d8d43bc814311033.mspx?mfr=true

-------
To ensure interoperability between NetBIOS and DNS naming in Windows, a new naming parameter called the NetBIOS computer name was introduced. The value of this parameter, which is not required in a Windows 2000 or Windows Server 2003 environment, is derived from the first 15 characters of the DNS full computer name. When the full computer name is a combination of the computer name and the primary DNS suffix for the computer, the impact of renaming and making the transition from a NetBIOS namespace to a DNS namespace can be minimal. Users continue to focus on the short computer name.

If this name is 15 characters or less, it can be made identical to the NetBIOS computer name. The administrator can then also assign a DNS domain name for each computer. This can be done using remote administration tools.
------

It seems Windows allows the NETBIOS name and computer DNS name to be separate, but Samba doesn't. A look inside the AD properties for a computer account shows these can be different, but a samba join forces them to be the same.

I've also tried pre-creating the computer accounts in AD - this still happens.

Is there any way round this issue? (And no "rename 100+ production servers" suggestions please ;-) )

thanks

James Masson

------
Redhat EL4
samba-client-3.0.10-1.4E.9
samba-common-3.0.10-1.4E.9

also tried with samba.org samba-3.0.22-1
-------
smb.conf

workgroup = TESTING
; netbios name = UK1-SYSSTG-SQLS
realm = TESTING.LOCAL.INVALID
security = ads
use kerberos keytab = True
-------
Windows 2003 R2
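An added pre-join check (example code written for this thread, not from the post or from Samba) that applies the Microsoft rule quoted above: it derives the 15-character NetBIOS name from each UNIX hostname, flags hosts whose name would be truncated and therefore need an explicit netbios name in smb.conf, and goes one step further than the post by finding hosts in a fleet whose truncated names collide and would map to the same computer account. The sample hostnames are constructed, modelled on the poster's naming scheme.

```python
import re
from collections import defaultdict

# Windows derives the default NetBIOS computer name from the first 15
# characters of the DNS host name (rule quoted from Microsoft in the post).
NETBIOS_MAX_LEN = 15
# Characters permitted in a NetBIOS computer name: letters, digits, hyphen.
_NETBIOS_OK = re.compile(r"^[A-Z0-9-]+$")


def derived_netbios_name(hostname: str) -> str:
    """Return the NetBIOS name Windows would derive from a host's DNS name."""
    label = hostname.split(".", 1)[0]  # drop any DNS suffix
    return label[:NETBIOS_MAX_LEN].upper()


def check_hostname(hostname: str) -> dict:
    """Report whether a host needs an explicit 'netbios name' in smb.conf."""
    label = hostname.split(".", 1)[0]
    nb = derived_netbios_name(hostname)
    return {
        "hostname": hostname,
        "netbios": nb,
        # A truncated name is the case that made the poster's join fail.
        "truncated": len(label) > NETBIOS_MAX_LEN,
        "legal": bool(_NETBIOS_OK.match(nb)) and not nb.endswith("-"),
    }


def find_collisions(hostnames):
    """Group hosts whose derived 15-character NetBIOS names collide.

    Two such hosts would map to the same AD computer account, so a fleet with
    a long common prefix needs distinct explicit names before joining.
    """
    groups = defaultdict(list)
    for host in hostnames:
        groups[derived_netbios_name(host)].append(host)
    return {nb: hosts for nb, hosts in groups.items() if len(hosts) > 1}


# Constructed sample fleet, modelled on the naming scheme in the post.
SAMPLE_HOSTS = [
    "uk1-sysstg-sqlsyslogtest.testing.local.invalid",
    "uk1-sysstg-sqlsyslogprod.testing.local.invalid",
    "uk1-web01.testing.local.invalid",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(check_hostname(host))
    print("collisions:", find_collisions(SAMPLE_HOSTS))
```

Running it shows that the two sqlsyslog hosts both truncate to UK1-SYSSTG-SQLS, the same value the poster had to set by hand, so only one of them could hold that computer account.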
Gerald (Jerry) Carter
2006-Nov-13 16:04 UTC
[Samba] Windows != Samba - NETBIOS name handling
James Masson wrote:
> [root@uk1-sysstg-sqlsyslogtest etc]# net ads join -U Administrator
> Administrator's password:
> [2006/11/01 13:14:34, 0] libads/ldap.c:ads_join_realm(1763)
> ads_join_realm: ads_add_machine_acct failed (uk1-sysstg-sqlsyslogtest):
> Internal (implementation specific) error
> ads_join_realm: Internal (implementation specific) error
> ----
>
> Looking at packet trace output suggests it's because of NETBIOS
> name length limitations.

IIRC, checks were introduced to inform you of names > 15 characters. Please test a join using the net command from 3.0.23c

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian