Matt Carey
2013-Feb-04  21:20 UTC
[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD; I've tried both
Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC (wegsfes19123) I'm
able to successfully join the client:
[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19123
...
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'DOMAIN'
            dns_domain_name          : 'domain.com'
            forest_name              : 'domain.com'
            dn                       : 'CN=vm-ae67a,CN=Computers,DC=domain,DC=com'
            domain_sid               : *
                domain_sid               : S-1-5-21-2999212452-478241430-698296220
            modified_config          : 0x00 (0)
            error_string             : NULL
            domain_is_ad             : 0x01 (1)
            result                   : WERR_OK
Using short domain name -- DOMAIN
Joined 'VM-AE67A' to realm 'domain.com'
DNS Update for vm-ae67a.**INTERNAL*** failed: ERROR_DNS_GSS_ERROR
DNS update failed!
[root@vm-ae67a log]# net ads info
LDAP server: 10.100.0.231
LDAP server name: wegsfes19123.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Sun, 03 Feb 2013 11:45:05 EST
KDC server: 10.100.0.231
Server time offset: 0
However, pointing the same client to a RODC (wegsfes19234) for the same
domain, I'm unable to join (/etc/krb5.conf and /etc/samba/smb.conf were
updated to point to the RODC server for authentication):
[root@vm-ae67a log]# kinit Administrator@DOMAIN.COM
Password for Administrator@DOMAIN.COM:
[root@vm-ae67a log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.COM
Valid starting     Expires            Service principal
02/03/13 12:31:17  02/03/13 22:31:24  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 02/04/13 12:31:17
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'DOMAIN'
            dns_domain_name          : 'domain.com'
            forest_name              : 'domain.com'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-2999212452-478241430-698296220
            modified_config          : 0x00 (0)
            error_string             : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)
Any help with this matter would be greatly appreciated.
Regards,
Matt
Configuration files:
[root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/samba/smb.conf | uniq
[global]
   workgroup = DOMAIN
   password server = wegsfes19234.domain.com
   realm = DOMAIN.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   idmap backend = nss
   template homedir = /home/%U
   winbind nss info = rfc2307
   winbind use default domain = true
   server string = vm-ae67a
   netbios name = vm-ae67a
   encrypt passwords = true
 # logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
 # the login script name depends on the machine name
# the login script name depends on the unix user used
# disables profiles support by specifing an empty path
 load printers = yes
cups options = raw
#obtain list of printers automatically on SystemV
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 clockskew = 300
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }
 domain.com = {
  kdc = wegsfes19234.domain.com
 }
 DOMAIN.COM = {
  kdc = wegsfes19234.domain.com
  kdc = wegsfes19234.domain.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Andrew Bartlett
2013-Feb-06  21:45 UTC
[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
> I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both
> Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm
> able to successfully join the client:

I think this comes down to a fundamental misunderstanding of what an RODC can do. It is indeed 'read only'!

You don't join Samba to a DC, you join Samba to a domain. If the RODC is the most favourable server to use for authentication after that, then we will use it, but we will need to contact a read-write DC from time to time.

> [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'DOMAIN'
>             dns_domain_name          : 'domain.com'
>             forest_name              : 'domain.com'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid               : S-1-5-21-2999212452-478241430-698296220
>             modified_config          : 0x00 (0)
>             error_string             : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)'
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_NOT_SUPPORTED
> Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

You should allow Samba and krb5 to find the closest DC to use, and not force a particular server. This not only improves redundancy, it makes Samba much more likely to 'just work'.

Remove all these configuration lines:

> Configuration files:
>
> [root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/samba/smb.conf | uniq
> [global]
>    workgroup = DOMAIN
>    password server = wegsfes19234.domain.com
>
> [root@vm-ae67a ~]# grep -v -e "^#" -e "^;" /etc/krb5.conf
> [libdefaults]
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
> [realms]
>  EXAMPLE.COM = {
>   kdc = kerberos.example.com:88
>   admin_server = kerberos.example.com:749
>   default_domain = example.com
>  }
>
>  domain.com = {
>   kdc = wegsfes19234.domain.com
>  }
>
>  DOMAIN.COM = {
>   kdc = wegsfes19234.domain.com
>   kdc = wegsfes19234.domain.com
>  }

That is, remove the kdc, dns_lookup_kdc and password server configuration options from smb.conf and krb5.conf files.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
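A small audit script for the fix Andrew describes, added here as an example and not part of either post: it reports every setting in smb.conf and krb5.conf that pins the client to one DC (password server, kdc, dns_lookup_kdc = false) and writes corrected copies that leave DC selection to DNS SRV lookups. The two config files it creates are constructed from the settings quoted in the thread, not the poster's real files.

```shell
#!/bin/sh
# Added example: audit Samba/Kerberos configs for single-DC pinning and
# emit copies that let DNS choose a DC. Sample configs are constructed
# from the thread, written to a temporary directory.
set -eu

WORK=$(mktemp -d)
cat > "$WORK/smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   password server = wegsfes19234.domain.com
   realm = DOMAIN.COM
   security = ads
EOF
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 DOMAIN.COM = {
  kdc = wegsfes19234.domain.com
  kdc = wegsfes19234.domain.com
 }
[domain_realm]
 .domain.com = DOMAIN.COM
EOF

# Print one "file:lineno:text" line per setting that forces a particular
# server. The '^' anchor keeps 'dns_lookup_kdc' from matching the kdc rule.
audit_dc_pinning() {
    grep -nE '^[[:space:]]*password server[[:space:]]*=' "$1" | sed "s|^|$1:|"
    grep -nE '^[[:space:]]*(kdc[[:space:]]*=|dns_lookup_kdc[[:space:]]*=[[:space:]]*false)' "$2" | sed "s|^|$2:|"
}

# Number of pinned settings; 0 means DC discovery is left to DNS.
pinned_count() { audit_dc_pinning "$1" "$2" | wc -l | tr -d ' '; }

# Write <file>.fixed copies: drop 'password server' and 'kdc =' lines and
# switch dns_lookup_kdc on, so krb5 resolves _kerberos._tcp.DOMAIN.COM and
# Samba resolves _ldap._tcp.dc._msdcs.domain.com instead of one hostname.
strip_dc_pinning() {
    sed -E '/^[[:space:]]*password server[[:space:]]*=/d' "$1" > "$1.fixed"
    sed -E -e '/^[[:space:]]*kdc[[:space:]]*=/d' \
           -e 's/^([[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*)false/\1true/' \
           "$2" > "$2.fixed"
}

audit_dc_pinning "$WORK/smb.conf" "$WORK/krb5.conf"
strip_dc_pinning "$WORK/smb.conf" "$WORK/krb5.conf"
```

Before re-running `net ads join` with the corrected files, confirm that `host -t SRV _ldap._tcp.dc._msdcs.domain.com` resolves from the client, since that is the record Samba will now use to locate a DC.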