Bug 841876 - joining Windows ads domain is broken and undocumented
Status: ASSIGNED
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: system-administrator's-guide
Version: devel
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Stephen Wadeley
QA Contact: Christopher Antila
Reported: 2012-07-20 13:02 UTC by hramrach
Modified: 2016-02-01 09:47 UTC (History)

Doc Type: Bug Fix

Description hramrach 2012-07-20 13:02:46 UTC
Description of problem:

pretty much all the description of joining Windows domain in 

http://docs.fedoraproject.org/en-US/Fedora/17/html/System_Administrators_Guide/ch-Configuring_Authentication.html#sect-The_Authentication_Configuration_Tool

boils down to:

ads — This mode instructs Samba to act as a domain member in an Active Directory Server (ADS) realm. To operate in this mode, the krb5-server package must be installed, and Kerberos must be configured properly.

There is no explanation of the uniquely named fields in the authentication configuration tool dialog.

Joining a domain ordinarily requires:

- host name (configured elsewhere)

- domain name (there is domain name and realm - wtf?)

- domain administrator name and password (asked when Join Domain ... is pressed, absolutely no feedback is provided regarding result of joining the domain)

"template shell" and "allow offline login" is understandable.

wtf is "domain controllers" ? No description of the field. Supposedly more than one can be entered but how are they separated? wth are they used for? You have the domain name already, even two of them.

wtf is Kerberos configured properly?

filling in some details does not produce a working setup nor does it produce any errors in logs

Comment 1 Jaromir Hradilek 2012-07-23 11:03:49 UTC
Thank you very much for taking the time to report this issue, I'll take a closer look at the text and see what I can do to improve it.

Comment 2 hramrach 2012-07-23 11:43:52 UTC
Thanks for looking into this.

According to the samba manual the kerberos need not be configured at all, and any configuration is detrimental to its usefulness for samba if anything.

The authentication settings tool does kerberos configuration, however.

I settled for removing all except the default realm setting and verified that I can kinit using domain credentials as suggested in the samba manual (and missing in the troubleshooting section of the Fedora guide).

However, I can still not log in using domain username and password (without any domain qualification - is any required/supported at all?).

Pam only logs that the user is unknown which may mean that the pam_winbind is not used (and the user does not exist in unix) or that it is used and cannot find the user somehow, or something completely different still.

