Jonathan Barber
2010-Jun-17 15:08 UTC
[Samba] Joining an AD domain when hostname != netbios name
I'm trying to join a RHEL5 host to an AD domain, and can do this successfully when I set the hostname to the same value as the samba "netbios name" parameter. However, when I try with a hostname != netbios name, it fails. Is it possible to join a machine when the hostname isn't the same as the netbios name?

The reason for wanting this is because I have a whole load of servers with hostnames > 15 characters in length and changing the hostname isn't realistic.

Details as follows:

# hostname
yet-another-joining-test

# hostname -f
yet-another-joining-test.ptin.corppt.com

# hostname -s
yet-another-joining-test

# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
10.112.28.54 yet-another-joining-test.ptin.corppt.com yet-another-joining-test

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
	workgroup = PTIN
	realm = PTIN.CORPPT.com
	netbios name = YETANOTHERTEST1
	security = ADS

# net ads join -U x01024
x01024's password:
Using short domain name -- PTIN
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Failed to disable machine account for 'YETANOTHERTEST1' in realm 'PTIN.CORPPT.COM'
Failed to disable machine account in AD. Please do so manually.
Failed to join domain: Type or value exists

This creates the entry for the machine in AD ("net ads status" shows it) but doesn't populate the dNSHostName or servicePrincipalName attributes.

Running "net ads join" with "-d 10" shows:

	name_to_fqdn(): lookup for YETANOTHERTEST1 failed

If I add the netbios name to my /etc/hosts then name_to_fqdn() succeeds and returns the FQDN - but the join still fails with the same message. If I run wireshark during an attempted join, then I can see that an ldapmodify operation on the existing machine entry is failing with a constraintViolation on the dNSHostName attribute.
If I then change the hostname to "yetanothertest1" and update /etc/hosts to:

# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
10.112.28.54 yetanothertest1.ptin.corppt.com yetanothertest1

then the join works and the entry has the dNSHostName attribute populated with the netbios name. If I then change the hostname back to the longer version and revert /etc/hosts, then I can join again - but it always uses the netbios name as the hostname and seems to be resolving the hostname via AD.

The OS is x86_64 RHEL5.4 and samba from the RPM samba-common-3.0.33-3.14.el5; winbind is not running when I try to join.

So, am I doing something wrong, or is it not possible?

Many thanks.
-- 
Jonathan Barber <jonathan.barber at gmail.com>
Robert Freeman-Day
2010-Jun-17 15:59 UTC
[Samba] Joining an AD domain when hostname != netbios name
On 06/17/2010 11:08 AM, Jonathan Barber wrote:
> So, am I doing something wrong, or is it not possible?

One thing to note is that a machine can have more than one hostname as well as more than one DNS record. I was able to get someone joined by putting everything in the /etc/hosts file:

127.0.0.1 localhost.localdomain localhost
10.112.28.54 yet-another-joining-test.ptin.corppt.com yet-another-joining-test yetanothertest1.ptin.corppt.com yetanothertest1
#note the above is all one line starting from 10.112.28.54

The smb.conf setup you have should not need to be modified. You will likely want to either reset or completely delete the yetanothertest1 machine account in ADUC, as one of your messages says the value exists. Tell us if that works for you!
________
Robert Freeman-Day
launchpad.net/~presgas
GPG Public Key: keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
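The thread above turns on three conditions that a join can fail on before anyone touches AD: the "netbios name" must be a legal NetBIOS name, the host's FQDN must sit inside the realm (the "DNS domain of this server matches the AD domain" message), and the netbios name must resolve to an FQDN (the name_to_fqdn() lookup that failed in Jonathan's debug output and that Robert's one-line /etc/hosts entry fixes). The script below is an added example, not code from either poster or from Samba; it checks those conditions offline against constructed copies of both /etc/hosts files from the thread. The hosts lookup only mimics how a hosts-file resolver picks the canonical name (the first name on the matching line), and the name rule is a conservative one (letters, digits, hyphen, at most 15 characters) chosen here because such names also work as DNS labels.

```shell
#!/bin/sh
# Added example, not from the thread: pre-join checks for the three things
# the failing "net ads join" above depends on: a legal NetBIOS name, a host
# FQDN inside the realm, and the NetBIOS name resolving (name_to_fqdn()).

# 0 if NAME is acceptable under a conservative rule: 1..15 chars from [A-Za-z0-9-]
netbios_name_ok() {
    [ -n "$1" ] && [ "${#1}" -le 15 ] || return 1
    case $1 in *[!A-Za-z0-9-]*) return 1 ;; esac
}

# 0 if FQDN lies in REALM (case-insensitive suffix match), i.e. the
# "DNS domain of this server matches the AD domain" condition
fqdn_in_realm() {
    f=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); r=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $f in *."$r") return 0 ;; esac
    return 1
}

# Mimic a hosts-file lookup: read hosts(5)-format lines on stdin, find NAME
# among the names of a line and print that line's first (canonical) name.
# Fails when NAME appears on no line, like name_to_fqdn() did in the post.
hosts_lookup() {
    awk -v n="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) { print $2; exit } }
    ' | grep .
}

# Run all checks; prints one line per failed check and returns 1 if any fails.
# Arguments: NETBIOS FQDN REALM, hosts content on stdin.
prejoin_check() {
    rc=0
    netbios_name_ok "$1" || { echo "netbios name '$1' fails the 15-char/[A-Za-z0-9-] rule"; rc=1; }
    fqdn_in_realm "$2" "$3" || { echo "fqdn '$2' is outside realm '$3'"; rc=1; }
    canon=$(hosts_lookup "$1") || { echo "lookup for $1 failed (not in hosts file)"; rc=1; }
    [ -z "$canon" ] || fqdn_in_realm "$canon" "$3" || { echo "$1 resolves to '$canon', outside realm '$3'"; rc=1; }
    return $rc
}

# Constructed hosts content: Jonathan's original file and Robert's one-line version
HOSTS_ORIG='127.0.0.1 localhost.localdomain localhost
10.112.28.54 yet-another-joining-test.ptin.corppt.com yet-another-joining-test'
HOSTS_FIXED='127.0.0.1 localhost.localdomain localhost
10.112.28.54 yet-another-joining-test.ptin.corppt.com yet-another-joining-test yetanothertest1.ptin.corppt.com yetanothertest1'

printf '%s\n' "$HOSTS_ORIG"  | prejoin_check YETANOTHERTEST1 yet-another-joining-test.ptin.corppt.com PTIN.CORPPT.com && echo "original hosts: ok"
printf '%s\n' "$HOSTS_FIXED" | prejoin_check YETANOTHERTEST1 yet-another-joining-test.ptin.corppt.com PTIN.CORPPT.com && echo "fixed hosts: ok"
```

With the original file the lookup check fails, exactly as the "-d 10" output did; with Robert's one-line entry YETANOTHERTEST1 resolves to yet-another-joining-test.ptin.corppt.com, which is inside the realm, and all checks pass.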