Fay zhang
2016-Oct-01 23:20 UTC
[Samba] winbind join ad via the trust forest's child domain user failed.
Hi all,

I want to join a Linux server to AD using a trusted AD's child domain user, but it failed with an error. Below is my environment and what I have tried.

I have 3 domain controllers: test.com, demo.com and chn.demo.com

test.com and demo.com have a two-way trust, and chn.demo.com is the child domain of demo.com.

demo@demo.com and chn@chn.demo.com can join AD members to test.com.

I have tested that demo@demo.com and chn@chn.demo.com can join a Windows server to the test.com domain; all is OK.

But when I do this under Linux (CentOS 7) via winbind (samba-winbind-4.2.10-7.el7_2.x86_64), demo@demo.com is OK, but chn@chn.demo.com just doesn't work.

success:
[root@test01 ~]# net ads join -U demo@demo.com%Test123
Using short domain name -- TEST
Joined 'TEST01' to dns domain 'test.com'

with error:
[root@test01 ~]# net ads join -U chn@chn.demo.com%Test123
Failed to join domain: failed to lookup DC info for domain 'TEST.COM' over rpc: Logon failure
[root@test01 ~]# net ads join -U chn\\chn%Demo123
kerberos_kinit_password chn@TEST.COM failed: Client not found in Kerberos database
Failed to join domain: failed to connect to AD: Client not found in Kerberos database

Does anybody know whether I missed something, or how to use a child domain's user to join AD via winbind?

Thanks
Firxiao
Rowland Penny
2016-Oct-02 08:17 UTC
[Samba] winbind join ad via the trust forest's child domain user failed.
On Sat, 01 Oct 2016 23:20:01 +0000 Fay zhang via samba <samba at lists.samba.org> wrote:

> Hi all,
>
> I want to join a Linux server to AD using a trusted AD's child domain
> user, but it failed with an error.
> Below is my environment and what I have tried.
>
> I have 3 domain controllers: test.com, demo.com and chn.demo.com
>
> test.com and demo.com have a two-way trust, and chn.demo.com is the child
> domain of demo.com.
>
> demo@demo.com and chn@chn.demo.com can join AD members to test.com.
>
> I have tested that demo@demo.com and chn@chn.demo.com can join a Windows
> server to the test.com domain; all is OK.
>
> But when I do this under Linux (CentOS 7) via
> winbind (samba-winbind-4.2.10-7.el7_2.x86_64), demo@demo.com is OK,
> but chn@chn.demo.com just doesn't work.
>
> success:
> [root@test01 ~]# net ads join -U demo@demo.com%Test123
> Using short domain name -- TEST
> Joined 'TEST01' to dns domain 'test.com'
>
> with error:
> [root@test01 ~]# net ads join -U chn@chn.demo.com%Test123
> Failed to join domain: failed to lookup DC info for domain 'TEST.COM' over rpc: Logon failure
> [root@test01 ~]# net ads join -U chn\\chn%Demo123
> kerberos_kinit_password chn@TEST.COM failed: Client not found in Kerberos database
> Failed to join domain: failed to connect to AD: Client not found in Kerberos database
>
> Does anybody know whether I missed something, or how to use a child
> domain's user to join AD via winbind?
>
> Thanks
> Firxiao

As far as I am aware, child domains are not (yet) supported.

Rowland
Fay zhang
2016-Oct-04 07:50 UTC
[Samba] winbind join ad via the trust forest's child domain user failed.
Thanks for the reply, but are there any documents about child domains not being supported?

Thanks
Firxiao

On Sun, Oct 2, 2016 at 4:24 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 01 Oct 2016 23:20:01 +0000
> Fay zhang via samba <samba at lists.samba.org> wrote:
>
> > Hi all,
> >
> > I want to join a Linux server to AD using a trusted AD's child domain
> > user, but it failed with an error.
> > Below is my environment and what I have tried.
> >
> > I have 3 domain controllers: test.com, demo.com and chn.demo.com
> >
> > test.com and demo.com have a two-way trust, and chn.demo.com is the child
> > domain of demo.com.
> >
> > demo@demo.com and chn@chn.demo.com can join AD members to test.com.
> >
> > I have tested that demo@demo.com and chn@chn.demo.com can join a Windows
> > server to the test.com domain; all is OK.
> >
> > But when I do this under Linux (CentOS 7) via
> > winbind (samba-winbind-4.2.10-7.el7_2.x86_64), demo@demo.com is OK,
> > but chn@chn.demo.com just doesn't work.
> >
> > success:
> > [root@test01 ~]# net ads join -U demo@demo.com%Test123
> > Using short domain name -- TEST
> > Joined 'TEST01' to dns domain 'test.com'
> >
> > with error:
> > [root@test01 ~]# net ads join -U chn@chn.demo.com%Test123
> > Failed to join domain: failed to lookup DC info for domain 'TEST.COM' over rpc: Logon failure
> > [root@test01 ~]# net ads join -U chn\\chn%Demo123
> > kerberos_kinit_password chn@TEST.COM failed: Client not found in Kerberos database
> > Failed to join domain: failed to connect to AD: Client not found in Kerberos database
> >
> > Does anybody know whether I missed something, or how to use a child
> > domain's user to join AD via winbind?
> >
> > Thanks
> > Firxiao
>
> As far as I am aware, child domains are not (yet) supported.
>
> Rowland