Problems joining Windows Domain via RODC

Hey guys,
I’m trying to join my suse server, which is located in a DMZ, to a windows domain.
I configured samba and kerberos. With kinit i get a ticket. The computer object was created on a RWDC, and replicated to the RODC and is in the cachable group. It seems that Samba is trying to set flags while joining the domain, namely: ACB_WSTRUST and ACB_PWNOEXP. These flags cannot be set. That’s how i interpret the output when i use the net join command.

net ads join -S rodcserver -U Administrator -d1
WARNING: The “idmap gid” option is deprecated
WARNING: The “idmap uid” option is deprecated
Enter Administrator’s password:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : ‘rodcserver’
machine_name : ‘suseserver’
domain_name : *
domain_name : ‘DOMAIN.COM
account_ou : NULL
admin_account : ‘Administrator’
machine_password : NULL
join_flags : 0x00000023 (35)
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : ‘DOMAIN’
dns_domain_name : ‘
forest_name : ‘
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-583907252-1425521274-1801674531
modified_config : 0x00 (0)
error_string : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

domain_is_ad : 0x01 (1)
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

My smb.conf:

workgroup = DOMAIN
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \%L\profiles.msprofile
logon home = \%L%U.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
kerberos method = secrets and keytab
realm = DOMAIN.COM
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes

My krb5.conf:


    default_realm = DOMAIN.COM
    clockskew = 300

default_realm = EXAMPLE.COM

kdc =
default_domain =
admin_server =


kdc =

admin_server =


kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
[domain_realm] = DOMAIN.COM
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1

Samba version: 4.1

How can i resolve this?

Best regards

Instead of, and before you do any manual configuration,
Have you first joined your machine to your AD using YAST?

The applet to join an AD should be already installed and visible in YAST by default.


Yes i tried that, but i couldn’t discover the RODC, even thought i can see him with net ads lookup.

Fairly common problem not specific to openSUSE (happens on Windows machines too).
Try entering the DC name and IP address into the Hosts file temporarily (can remove after joining the Domain, once joined DNS provides proper name resolution mapping).


Yeah, i did that already. No luck either.

After you create your Hosts entry,
You can test your name resolution by PING.

If your name resolution works,
Then you have to consider whether your AD is set up properly because everything should “just work” at that point(Again, using YAST to join the AD).

You can also test by creating another “machine” and trying to join your AD. Try a Windows and another openSUSE. This is a perfect situation where you can use virtualization to create your test machines since virtual machines are so easy to setup (can simply clone an existing if you’ve been using it awhile) and disposable (as easy to create your test, it’s equally easy to destroy when done).
Remember after testing to remove the Machine account from your AD (simple to do).


Some additional thoughts…

Always fully update your openSUSE shortly after a new install, particularly if you’re installing from a DVD

zypper up

I also recommend making all system modifications before taking the next step joining an AD although there may be exceptions and it may not make a diff in most cases. This might include things like configuring SSD settings like “discard” in the fstab.


Now I’m thinking… If you’re connecting to a Read Only DC, then how are you going to add a machine account when joining the Domain? Not possible.

So, I’m now thinking…


Hey TSU, thanks for the reply.

I already did all this stuff. In fact this thread is kinda my last resort. The machine account is in the RODC replicated group, i get kerberos tickets without a problem. Testjoin is ok. The specific problem is: Samba tries to set flags on the RODC which is by design not possible. ACB_WSTRUST and ACB_PWNOEXP. At least this is what i see in wireshark.
Windows Client can join a domain with the “/readonly” option. AFAIK this is doesn’t work in the net join command. I have no problems joining the domain using the RWDC and Linux.

Any ideas? :\

Maybe uninstall SAMBA client from openSUSE at least temporarily?
If you’re certain the problem appears to be SAMBA related, AFAIK joining the Domain does not require SAMBA. I don’t see any documentation about this and a quick Google search only results in other scenarios, not this.

Of course, you can always re-install SAMBA (at least the client) afterwards.