Red Hat Bugzilla – Bug 841876
joining Windows ads domain is broken and undocumented
Last modified: 2016-02-01 04:47:48 EST
Description of problem:
pretty much all the description of joining Windows domain in
boils down to:
ads — This mode instructs Samba to act as a domain member in an Active Directory Server (ADS) realm. To operate in this mode, the krb5-server package must be installed, and Kerberos must be configured properly.
There is no explanation of the uniquely named fields in the authentication configuration tool dialog.
Joining a domain ordinarily requires:
- host name (configured elsewhere)
- domain name (there is domain name and realm - wtf?)
- domain administrator name and password (asked when Join Domain ... is pressed, absolutely no feedback is provided regarding result of joining the domain)
"template shell" and "allow offline login" are understandable.
wtf is "domain controllers"? No description of the field. Supposedly more than one can be entered but how are they separated? wth are they used for? You have the domain name already, even two of them.
wtf is Kerberos configured properly?
filling in some details does not produce a working setup nor does it produce any errors in logs
Thank you very much for taking the time to report this issue, I'll take a closer look at the text and see what I can do to improve it.
Thanks for looking into this.
According to the samba manual, Kerberos need not be configured at all, and any configuration is detrimental to its usefulness for samba, if anything.
The authentication settings tool does kerberos configuration, however.
I settled for removing all except the default realm setting and verified that I can kinit using domain credentials as suggested in the samba manual (and missing in the troubleshooting section of the Fedora guide).
However, I can still not log in using domain username and password (without any domain qualification - is any required/supported at all?).
PAM only logs that the user is unknown, which may mean that pam_winbind is not used (and the user does not exist in unix), or that it is used and cannot find the user somehow, or something completely different still.
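The thread above turns on which of the dialog's fields map to which smb.conf and krb5.conf settings (domain name versus realm, the "domain controllers" list, and how much Kerberos configuration is needed). The script below is an added example, not code from this bug report, from Samba, or from the Fedora authconfig tool: it parses a constructed smb.conf and krb5.conf and lists the mismatches that typically leave an "ads" join silently non-functional. It assumes that the dialog's "domain controllers" list ends up in the `password server` option (a space- or comma-separated list) and that the short domain name goes to `workgroup` while the Kerberos realm goes to `realm`; the sample values (example.com, dc1/dc2, CORP.EXAMPLE.COM) are constructed.

```python
import re

# Constructed sample smb.conf with the settings the authconfig dialog fills in.
# "password server" is where I assume the dialog's "domain controllers" list
# ends up; the workgroup here is deliberately wrong (a DNS name, not the short
# NetBIOS domain name) to show the check firing.
SAMPLE_SMB_CONF = """\
[global]
workgroup = example.com
realm = example.com
security = ads
password server = dc1.example.com, dc2.example.com
template shell = /bin/bash
winbind offline logon = yes
"""

# Constructed sample krb5.conf whose default realm does not match smb.conf.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = CORP.EXAMPLE.COM
"""


def parse_ini(text):
    """Minimal parser for smb.conf / krb5.conf style files.

    Returns {section: {key: value}}. Keys are lower-cased with internal
    whitespace collapsed, mirroring how Samba treats option names.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            conf[section][key] = value.strip()
    return conf


def check_ads_settings(smb_conf_text, krb5_conf_text):
    """Return a list of problems that would keep 'security = ads' from working."""
    smb = parse_ini(smb_conf_text).get("global", {})
    krb = parse_ini(krb5_conf_text).get("libdefaults", {})
    problems = []

    if smb.get("security", "").lower() != "ads":
        problems.append("security must be 'ads' for an Active Directory member")

    realm = smb.get("realm", "")
    if not realm:
        problems.append("realm (the Kerberos realm, e.g. EXAMPLE.COM) is not set")

    workgroup = smb.get("workgroup", "")
    if not workgroup:
        problems.append("workgroup (the short NetBIOS domain name) is not set")
    elif "." in workgroup or len(workgroup) > 15:
        problems.append(
            "workgroup '%s' looks like a DNS name; use the short NetBIOS domain name"
            % workgroup)

    # "password server" takes a list separated by spaces or commas.
    dcs = [dc for dc in re.split(r"[\s,]+", smb.get("password server", "")) if dc]
    if "password server" in smb and not dcs:
        problems.append("password server is set but empty; remove it or list the DCs")

    # The only Kerberos setting the join really depends on: the default realm
    # must agree with the Samba realm, or kinit and the join use different realms.
    default_realm = krb.get("default_realm", "")
    if not default_realm:
        problems.append("krb5.conf has no default_realm; kinit will not know the realm")
    elif realm and default_realm.upper() != realm.upper():
        problems.append(
            "krb5.conf default_realm '%s' differs from smb.conf realm '%s'"
            % (default_realm, realm))
    return problems


if __name__ == "__main__":
    for problem in check_ads_settings(SAMPLE_SMB_CONF, SAMPLE_KRB5_CONF):
        print("PROBLEM:", problem)
```

Run against the sample input it reports two problems (the DNS-style workgroup and the realm mismatch); fixing those two lines makes the list empty. The point of the realm comparison is the one the reporter arrived at by trial: beyond `default_realm`, extra krb5.conf settings are not what makes or breaks the join, but a realm that disagrees with smb.conf does.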