Problems joining Windows Domain via RODC

Hey guys,
I’m trying to join my suse server, which is located in a DMZ, to a windows domain.
I configured Samba and Kerberos. With kinit I get a ticket. The computer object was created on a RWDC, and replicated to the RODC and is in the cachable group. It seems that Samba is trying to set flags while joining the domain, namely: ACB_WSTRUST and ACB_PWNOEXP. These flags cannot be set. That’s how I interpret the output when I use the net join command.

net ads join -S rodcserver -U Administrator -d1
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated
Enter Administrator's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : 'rodcserver'
machine_name : 'suseserver'
domain_name : *
domain_name : 'DOMAIN.COM'
account_ou : NULL
admin_account : 'Administrator'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOMAIN'
dns_domain_name : 'domain.com'
forest_name : 'domain.com'
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-583907252-1425521274-1801674531
modified_config : 0x00 (0)
error_string : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)'
domain_is_ad : 0x01 (1)
result : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

My smb.conf:

[global]
workgroup = DOMAIN
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
kerberos method = secrets and keytab
realm = DOMAIN.COM
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes

My krb5.conf:

[libdefaults]
    default_realm = DOMAIN.COM
    clockskew = 300
    default_realm = EXAMPLE.COM

[realms]
    DOMAIN.COM = {
        kdc = rodc.domain.com
        default_domain = domain.com
        admin_server = rodc.domain.com
    }
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        admin_server = kerberos.example.com
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .domain.com = DOMAIN.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
    }

Samba version: 4.1

How can i resolve this?

Best regards
Mauro
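As an added example (not code from the thread or from Samba), a small Python parser for the libnet_JoinCtx dump that `net ads join -d1` prints, so the requested join flags and the out: result can be read off mechanically rather than by eye. The flag bit values are the NetrJoinDomain2 option bits from MS-WKST; the embedded sample is a constructed excerpt in the shape of the output posted above.

```python
import re
# MS-WKST NetrJoinDomain2 option bits; Samba prints them as WKSSVC_JOIN_FLAGS_<name>.
JOIN_FLAG_BITS = {
    "JOIN_TYPE": 0x1, "ACCOUNT_CREATE": 0x2, "ACCOUNT_DELETE": 0x4,
    "WIN9X_UPGRADE": 0x10, "DOMAIN_JOIN_IF_JOINED": 0x20, "JOIN_UNSECURE": 0x40,
    "MACHINE_PWD_PASSED": 0x80, "DEFER_SPN": 0x100, "JOIN_DC_ACCOUNT": 0x200,
    "JOIN_WITH_NEW_NAME": 0x400, "IGNORE_UNSUPPORTED_FLAGS": 0x10000000,
}
FLAG_RE = re.compile(r"^\s*([01]):\s*WKSSVC_JOIN_FLAGS_(\w+)\s*$")
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def parse_join_dump(text):
    """Parse the in:/out: libnet_JoinCtx sections of 'net ads join -d1' output."""
    ctx, section = {"in": {}, "out": {}, "flags": {}}, None
    for line in text.splitlines():
        m = FLAG_RE.match(line)
        if m:                                   # "1: WKSSVC_JOIN_FLAGS_JOIN_TYPE"
            ctx["flags"][m.group(2)] = m.group(1) == "1"
            continue
        m = FIELD_RE.match(line)
        if not m or m.group(1).startswith("libnet"):
            continue                            # prose, warnings, struct headers
        key, val = m.groups()
        if key in ("in", "out"):
            section = key
        elif section and val != "*":            # '*' is the pointer line before a value
            # NULL -> None, "0x23 (35)" -> 35, quoted strings lose their quotes
            ctx[section][key] = (None if val == "NULL" else int(val.split()[0], 16)
                                 if val.startswith("0x") else val.strip("'‘’"))
    return ctx

def set_flags(ctx):
    return sorted(n for n, on in ctx["flags"].items() if on)

def flags_match_value(ctx):
    return sum(JOIN_FLAG_BITS[n] for n in set_flags(ctx)) == ctx["in"]["join_flags"]

# Constructed excerpt in the shape of the dump posted in the thread above.
SAMPLE = """in: struct libnet_JoinCtx
dc_name : 'rodcserver'
join_flags : 0x00000023 (35)
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
out: struct libnet_JoinCtx
domain_sid : *
domain_sid : S-1-5-21-583907252-1425521274-1801674531
error_string : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)'
result : WERR_NOT_SUPPORTED
"""
```

Feed it the full `-d1` output of a failed join and `set_flags` plus the out: `result` tell you which DC was targeted, whether an account create was requested, and the error that came back.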

Instead of, and before you do any manual configuration, have you first joined your machine to your AD using YaST?

The applet to join an AD should already be installed and visible in YaST by default.

TSU

Yes, I tried that, but I couldn’t discover the RODC, even though I can see it with net ads lookup.

Fairly common problem not specific to openSUSE (happens on Windows machines too).
Try entering the DC name and IP address into the Hosts file temporarily (can remove after joining the Domain, once joined DNS provides proper name resolution mapping).

TSU

Yeah, I did that already. No luck either.

After you create your Hosts entry, you can test your name resolution with PING.

If your name resolution works, then you have to consider whether your AD is set up properly, because everything should “just work” at that point (again, using YaST to join the AD).

You can also test by creating another “machine” and trying to join your AD. Try a Windows and another openSUSE. This is a perfect situation where you can use virtualization to create your test machines, since virtual machines are so easy to set up (you can simply clone an existing one if you’ve been using it a while) and disposable (as easy as it is to create your test, it’s equally easy to destroy when done).
Remember after testing to remove the Machine account from your AD (simple to do).

TSU

Some additional thoughts…

Always fully update your openSUSE shortly after a new install, particularly if you’re installing from a DVD:

zypper up

I also recommend making all system modifications before taking the next step joining an AD although there may be exceptions and it may not make a diff in most cases. This might include things like configuring SSD settings like “discard” in the fstab.

TSU

Now I’m thinking… If you’re connecting to a Read Only DC, then how are you going to add a machine account when joining the Domain? Not possible.

So, I’m now thinking…

TSU

Hey TSU, thanks for the reply.

I already did all this stuff. In fact this thread is kind of my last resort. The machine account is in the RODC replicated group, and I get Kerberos tickets without a problem. Testjoin is OK. The specific problem is: Samba tries to set flags on the RODC, which is by design not possible: ACB_WSTRUST and ACB_PWNOEXP. At least this is what I see in Wireshark.
A Windows client can join a domain with the “/readonly” option. AFAIK this doesn’t work in the net join command. I have no problems joining the domain using the RWDC and Linux.

Any ideas? :\

Maybe uninstall SAMBA client from openSUSE at least temporarily?
If you’re certain the problem appears to be SAMBA related, AFAIK joining the Domain does not require SAMBA. I don’t see any documentation about this and a quick Google search only results in other scenarios, not this.

Of course, you can always re-install SAMBA (at least the client) afterwards.

TSU