Bug 841876 - joining Windows ads domain is broken and undocumented
joining Windows ads domain is broken and undocumented
Product: Fedora Documentation
Classification: Fedora
Component: system-administrator's-guide (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Stephen Wadeley
Christopher Antila
Depends On:
  Show dependency treegraph
Reported: 2012-07-20 09:02 EDT by hramrach
Modified: 2016-02-01 04:47 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description hramrach 2012-07-20 09:02:46 EDT
Description of problem:

pretty much all the description of joining Windows domain in 


boils down to:

ads — This mode instructs Samba to act as a domain member in an Active Directory Server (ADS) realm. To operate in this mode, the krb5-server package must be installed, and Kerberos must be configured properly.

There is no explanation of the uniquely named fileds in the authentication configuration tool dialog.

Joining a domain ordinarily requires:

- host name (configured elsewhere)

- domain name (there is domain name and realm - wtf?)

- domain administrator name and password (asked when Join Domain ... is pressed, absolutely no feedback is provided regarding result of joining the domain)

"template shell" and "allow offline login" is understandable.

wtf is "domain controllers" ? No description of the field. Supposedly more than one can be entered but how are they separated? wth are they used for? You have the domain name already, even two of them.

wtf is Kerberos configured properly?

filling in some details does not produce a working setup nor does it produce any errors in logs
Comment 1 Jaromir Hradilek 2012-07-23 07:03:49 EDT
Thank you very much for taking the time to report this issue, I'll take a closer look at the text and see what I can do to improve it.
Comment 2 hramrach 2012-07-23 07:43:52 EDT
Thanks fro looking into this.

According th samba manual the kerberos need not be configured at all, and any configuration is detrimental to its usefulness for samba if anything.

The authentication settings tool does kerberos configuration, however.

I settled for removing all except the default realm setting and verified that I an kinit using domain credentials as suggested in the samba manual (and missing in hte troubleshooting section of the Fedora guide).

However, I can still not log in using domain username and password (without any domain qualification - is any required/supported at all?).

Pam only logs that the user is unknown which may mean that the pam_winbind is not used (and the user does not exist in unix) or that it is used and cannot find the user somehow, or something completely different still.

Note You need to log in before you can comment on or make changes to this bug.