+++ This bug was initially created as a clone of Bug #229466 +++

Description of problem:
The Fedora machine is set up as a Samba PDC, but trying to join a Windows machine in the domain fails if SELinux is in enforcing mode; the Samba log shows that machine account creation failed. In permissive mode joining succeeds, but with a large number of SELinux alerts.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-30.el5

How reproducible:
always

Steps to Reproduce:
1. Set up Samba as a primary domain controller
2. Log in a Windows machine and try to join the domain created in step 1.

Actual results:
The machine account isn't created and joining fails.

Expected results:
The Windows machine is added to the domain and a machine account created.

Additional info:
Changed our Samba PDC from Fedora 6 to CentOS 5, and the SELinux problems from bug #229466 re-appeared. I'm attaching the AVC messages generated when joining a machine with SELinux in permissive mode.

Created attachment 191661
AVC messages from audit.log

Fixed in u1 selinux-policy-2.4.6-89.

Currently a preview is available on ftp://people.redhat.com/dwalsh/SELinux/RHEL5

You need to turn on the samba_domain_controller boolean:

setsebool -P samba_domain_controller=1