centos
2020-Jun-17 15:30 UTC
[Samba] CentOS 7.8 samba member server does not join and populate with correct FQDN
Joining a member CentOS 7.8 Linux server with 4.10.4-10.el7 or higher appears to ignore the client FQDN when the AD domain does not match the client domain name. For example, the Active Directory domain is ad1.testdomain.com and the client member server FQDN is testhost.clients.testdomain.com. When joining the domain, the DNSHostName attribute in AD shows testhost.ad1.testdomain.com when it should be testhost.clients.testdomain.com. This also makes the ServicePrincipalNames incorrect in AD. This join has been working correctly for years, with the last version working correctly being 4.9.1-10.el7_7. I have other software that relies on this client's FQDN, as it looks in LDAP for the correct name. Nothing changed on the join command (net ads join ad1.testdomain.com -U admin%somepassword --no-dns-updates) or config files. Unfortunately I'm stuck in an environment where the client FQDN does not match the FQDN of Active Directory.
Rowland penny
2020-Jun-17 16:03 UTC
[Samba] CentOS 7.8 samba member server does not join and populate with correct FQDN
On 17/06/2020 16:30, centos via samba wrote:
> Joining a member CentOS 7.8 Linux server with 4.10.4-10.el7 or higher appears to ignore the client FQDN when the AD domain does not match the client domain name. For example, the Active Directory domain is ad1.testdomain.com and the client member server FQDN is testhost.clients.testdomain.com. When joining the domain, the DNSHostName attribute in AD shows testhost.ad1.testdomain.com when it should be testhost.clients.testdomain.com. This also makes the ServicePrincipalNames incorrect in AD. This join has been working correctly for years, with the last version working correctly being 4.9.1-10.el7_7. I have other software that relies on this client's FQDN, as it looks in LDAP for the correct name. Nothing changed on the join command (net ads join ad1.testdomain.com -U admin%somepassword --no-dns-updates) or config files. Unfortunately I'm stuck in an environment where the client FQDN does not match the FQDN of Active Directory.

Er, no, if it was working, it was working incorrectly. AD relies on a few things, two of these are DNS and Kerberos. Kerberos uses a REALM and this is the dns domain in uppercase, so the clients should be in the same dns domain. I think you will find it is now working correctly.

Rowland
Rowland penny
2020-Jun-17 17:34 UTC
[Samba] CentOS 7.8 samba member server does not join and populate with correct FQDN
On 17/06/2020 18:13, Richard Walker wrote:
> We have thousands of Windows devices set up and joining the same exact way. They are joined with different DNS FQDN names on the clients. It basically only changes the AD attributes DNSHostName and servicePrincipalName/servicePrincipalNames to match the FQDN. I understand comparing apples to oranges. On the CentOS with samba prior to 4.10 it worked correctly, and when doing a klist -ke the Kerberos keytab shows both names for the tickets. Five matching the Active Directory domain name + client host name and five matching the client's FQDN. Five being one for each encryption algorithm.

Sorry, but as I said, I do not think it worked correctly before, but now it does, you seem to have depended on an unknown bug.

Rowland
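The thread turns on what `klist -ke` shows after the join: whether the keytab holds host/ keys for the client's real FQDN, or only for a name derived from the AD domain. The following is an added check script, not part of the thread or of Samba, that parses `klist -ke` output and reports exactly that difference. It assumes the MIT-style listing format (`KVNO principal@REALM (enctype)` per line), that a member-server join is expected to produce `host/<fqdn>@REALM` and `host/<SHORTNAME>@REALM` keys, and it uses constructed sample output modelled on the situation described above (only two encryption types per principal, to keep it short); hostnames, realm and enctypes are illustrative.

```python
import re
from collections import defaultdict

# Constructed `klist -ke` output: the join wrote host/ keys for the name
# derived from the AD domain (testhost.ad1.testdomain.com), not for the
# client's real FQDN (testhost.clients.testdomain.com).
KLIST_REALM_DERIVED = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/testhost.ad1.testdomain.com@AD1.TESTDOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 host/testhost.ad1.testdomain.com@AD1.TESTDOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 host/TESTHOST@AD1.TESTDOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 host/TESTHOST@AD1.TESTDOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 TESTHOST$@AD1.TESTDOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 TESTHOST$@AD1.TESTDOMAIN.COM (aes128-cts-hmac-sha1-96)
"""

# Constructed output where the client's FQDN was used, as the poster
# describes for the earlier version (aes128 deliberately left out for the
# FQDN principal so the "incomplete" case is exercised too).
KLIST_FQDN = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/testhost.clients.testdomain.com@AD1.TESTDOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 host/TESTHOST@AD1.TESTDOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 host/TESTHOST@AD1.TESTDOMAIN.COM (aes128-cts-hmac-sha1-96)
"""

ENCTYPES = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")

# One keytab entry: KVNO, principal name, realm, enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Map each principal (name@REALM) to the set of enctypes it has keys for."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            _kvno, name, realm, enctype = m.groups()
            entries[f"{name}@{realm}"].add(enctype)
    return dict(entries)


def check_host_principals(entries, fqdn, realm, enctypes):
    """Compare the host/ keys in a keytab with what a join for `fqdn` should give.

    Returns three lists:
      missing       - expected host/ principals with no key at all
      incomplete    - expected principals lacking one or more enctypes
      realm_derived - host/<shortname>.<realm domain> keys present while the
                      client's FQDN is something else (the symptom in the thread)
    """
    shortname = fqdn.split(".")[0]
    expected = [f"host/{fqdn.lower()}@{realm}", f"host/{shortname.upper()}@{realm}"]
    have = {p.lower(): encs for p, encs in entries.items()}  # case-insensitive view

    missing = [p for p in expected if p.lower() not in have]
    incomplete = [p for p in expected
                  if p.lower() in have and not set(enctypes) <= have[p.lower()]]

    realm_name = f"host/{shortname}.{realm}@{realm}".lower()
    realm_derived = [p for p in entries
                     if p.lower() == realm_name and realm_name != expected[0].lower()]
    return {"missing": missing, "incomplete": incomplete, "realm_derived": realm_derived}


def report(text, fqdn, realm, enctypes=ENCTYPES):
    """Parse one klist listing and return the check result."""
    return check_host_principals(parse_klist(text), fqdn, realm, enctypes)


if __name__ == "__main__":
    for label, sample in (("realm-derived join", KLIST_REALM_DERIVED), ("FQDN join", KLIST_FQDN)):
        result = report(sample, "testhost.clients.testdomain.com", "AD1.TESTDOMAIN.COM")
        print(label)
        for key, value in result.items():
            print(f"  {key}: {value or 'none'}")
```

On a real member server the same check would be fed the output of `klist -ke` for the server's keytab; a non-empty `realm_derived` list with the FQDN principal in `missing` is the keytab-side view of the mismatch the original poster saw in the DNSHostName attribute.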