david.lists.samba.org@neo-neural.net
2006-Mar-18 13:34 UTC
[Samba] Joining samba server to Windows AD OU when OU has slashes in OU name
I'm attempting to join a samba server to a Windows 2003 Active Directory on a network I do not control. The admins are working to help me on this, but I am also attempting to be as unobtrusive as possible. To that end, I have set up a Windows PDC and another samba server (with the same configuration) on a private network to do my own testing without having to hassle the Windows admins and ask them to tweak things on their live setup.

The problem is that it appears the "net" command ('net ads join', specifically) translates forward slashes as OU name separators, when in fact, they can actually be part of an OU name.

Example: I want to join my system, TEST001, to the OU 'IT Systems/Admins' in the realm EXAMPLE.COM (KDC: EXAMPLE.EXAMPLE.COM). I can successfully get a kerberos ticket (and hence, authenticate), but cannot actually create a computer account in the desired OU using net, as detailed in the following:

    # kinit testuser@EXAMPLE.EXAMPLE.COM
    (confirm success with klist)

    # net ads join 'IT Systems/Admins' -U testuser@EXAMPLE.EXAMPLE.COM
    ads_join_realm: organizational unit IT Systems/Admins does not exist (dn:ou=Admins,ou=IT Systems,dc=EXAMPLE,dc=EXAMPLE,dc=COM)

On the permissions side, I'm logged in as root on the samba server, and have domain admin rights on the Windows test server. If the slash is removed from the OU name (e.g. 'IT Systems Admins'), then the samba server successfully joins the Windows AD.

I've tried everything I can think of to explain to the net command explicitly what I want - single quotes, double quotes, escaping the forward slashes with backslashes, etc., all for naught. This suggests to me that the net command doesn't consider slashes to be valid for Windows AD OU names, which they most assuredly are, unfortunately. The one thing I have yet to do is edit the samba source code and attempt to modify net's behaviour... and since I'm not a programmer, that isn't a good option for me, in my opinion.

Yes, the simple thing to do is to convince the Windows admins to remove all slashes from the OU names, which they likely will, but that still leaves this issue unresolved. All this to say, and correct me if I'm wrong, that the net command considers some legal Windows OU characters to be illegal and/or translates them as OU separators improperly.

Any thoughts, suggestions, etc.?

Config files from the test samba server:

smb.conf

    WORKGROUP = EXAMPLE.COM
    realm = example.example.com
    security = ADS
    encrypt passwords = yes
    password server = example.example.com

krb5.conf

    [libdefaults]
    default_realm = EXAMPLE.COM

    [realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
    }

    [domain_realms]
    .kerberos_server = EXAMPLE.EXAMPLE.COM

(Side note: commas in OU names appear to be legal inside OU names from the Windows side, but throw an "ads_join_realm: Invalid DN syntax" error when using 'net ads join "IT Systems,Admins" -U testuser@EXAMPLE.EXAMPLE.COM'. Same issue with trying to escape the character with backslashes, quotes, etc. as above.)

- David
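An added illustration of the two failure modes described in the post above (this is example code written for this page, not Samba's implementation of 'net ads join' and not from either poster). It assumes the base DN dc=EXAMPLE,dc=EXAMPLE,dc=COM shown in the error output, and contrasts the path-style argument (split on '/' and reversed, so a slash inside one OU name turns into a separator) with building the DN from an explicit list of OU names with RFC 4514 escaping, where neither '/' nor ',' can act as a separator.

```python
import re

# Base DN taken from the error output in the post above (constructed example)
BASE_DN = "dc=EXAMPLE,dc=EXAMPLE,dc=COM"

# Characters RFC 4514 requires to be backslash-escaped inside an attribute value
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 section 2.4 (a slash is NOT special)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ou_path_to_dn(path: str, escape: bool = True, base_dn: str = BASE_DN) -> str:
    """Mimic the path-style OU argument of 'net ads join': the string is split on
    '/' and reversed (leaf first), so 'IT Systems/Admins' becomes
    ou=Admins,ou=IT Systems,<base>. A slash inside one OU name cannot be
    expressed in this notation; escape=False reproduces the unescaped DN."""
    parts = [p for p in path.split("/") if p]
    values = [escape_rdn_value(p) if escape else p for p in reversed(parts)]
    return ",".join(["ou=" + v for v in values] + [base_dn])


def ou_list_to_dn(names: list, base_dn: str = BASE_DN) -> str:
    """Build the DN from an explicit list of OU names (outermost first), escaping
    each value so '/' and ',' stay inside one OU instead of acting as separators."""
    values = [escape_rdn_value(n) for n in reversed(names)]
    return ",".join(["ou=" + v for v in values] + [base_dn])


def dn_is_well_formed(dn: str) -> bool:
    """Rough RFC 4514 check: each component between unescaped commas must be
    attributeType=value. An unescaped comma inside an OU value fails this,
    which is the 'Invalid DN syntax' case from the post."""
    components = re.split(r"(?<!\\),", dn)
    return all(re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=.+", c) for c in components)
```

Running ou_path_to_dn("IT Systems/Admins") yields exactly the DN quoted in the error message, while ou_list_to_dn(["IT Systems/Admins"]) keeps the slash inside a single ou= value.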
Rex Dieter
2006-Mar-19 02:52 UTC
[Samba] Re: Joining samba server to Windows AD OU when OU has slashes in OU name
david.lists.samba.org@neo-neural.net wrote:

> The problem is that it appears the "net" command ('net ads join',
> specifically) translates forward slashes as OU name separators, when in
> fact, they can actually be part of an OU name. Example: I want to join
> my system, TEST001, to the OU 'IT Systems/Admins'

IMO, regardless of whether it is technically legal or not, it was/is a bad idea to use /'s in the OU name in question.

-- 
Rex