[Samba] AD Question

Doug VanLeuven roamdad at sonic.net
Mon Nov 7 22:43:19 GMT 2005


Jason Gerfen wrote:
> I have a question regarding joining a Samba 3 machine to a Windows 2000 
> Domain using ADS authentication.
> 
> I have been able to join the machine to the domain, enumerate users with 
> getent and wbinfo -u.  The problem I am having is with a Windows 2000 
> default domain setup an AD object is created:
> 
> CN=Users,DC=Domain,DC=Com
> 
> Generally all users created belong in this container.  I am able to 
> enumerate every user account in the domain EXCEPT this one?  Can someone 
> help me with this?
> 
> [smb.conf]
> 
> [global]
>        workgroup = SCL
>        realm = SCL.UTAH.EDU
>        server string = new-odin.domain.com

My experience is the realm is the DC parts of the ldap container.
So your realm should be "DOMAIN.COM", the same as in krb5.conf.
I'm thinking your samba box has an older DNS domain name that's not
the same as your win2000 DNS domain name.

You may be past the planning & testing stage, but I found the
easiest way to introduce the win2000 domain was as a subdomain
of any existing domain I already was authoritative for.

So if you're authoritative for UTAH.EDU then your win2000 domain
and realm would be something like scl.utah.edu or nt.utah.edu
with a legacy domain name of SCL.

Then you can allow windows server to run its own DNS and delegate
the subdomain with glue from your existing servers.  There are
a -lot- of realm subdomains and SRV records generated by windows
that make the system easier to integrate.

Like if you ever get into mail routing with the windows machines,
you'll find MS believes the domain name should be an official
ICANN domain and it's kind of difficult to alias.  Not
impossible, but if the windows realm could be a real
delegated domain, since you appear to have one, the future
would be much easier.

Regards, Doug

>        security = ADS
>        update encrypted = Yes
>        password server = *
>        password level = 20
>        preferred master = No
>        domain master = No
>        idmap uid = 500-500000
>        idmap gid = 500-500000
>        winbind separator = /
>        winbind cache time = 5
>        winbind use default domain = Yes
>        winbind nested groups = Yes
> 
> [odin]
>        comment = ODIN
>        path = /odin
>        read only = No
>        inherit acls = Yes
> 
> [krb5.conf]
> 
> [libdefaults]
> default_realm = DOMAIN.COM
> clockskew = 300
> 
> [realms]
> DOMAIN.COM = {
> kdc = 10.10.1.95
> default_domain = domain.com
> admin_server = 10.10.1.95
> }
> 
> 
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> 
> [domain_realm]
> .domain.com = DOMAIN.COM
> domain.com = DOMAIN.COM
> 
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> }
> 
> Any help is appreciated.
> 
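The mismatch Doug points at (smb.conf realm not matching the DC= components of the AD container, while krb5.conf already does) can be caught before a join attempt; the following checker is an added example written for this page, not code from the thread or from Samba, and its function names and sample configs are constructed for illustration.

```python
# Constructed sample inputs mirroring the thread (values are constructed,
# not taken from a real site): the AD Users container DN and config excerpts.
USERS_CONTAINER_DN = "CN=Users,DC=Domain,DC=Com"
SMB_CONF = """[global]
       workgroup = SCL
       realm = SCL.UTAH.EDU
       security = ADS
"""
KRB5_CONF = """[libdefaults]
default_realm = DOMAIN.COM
[domain_realm]
.domain.com = DOMAIN.COM
"""

def realm_from_dn(dn):
    """Join the DC= components of an LDAP DN into an upper-case Kerberos realm."""
    parts = [v for k, v in (rdn.split("=", 1) for rdn in dn.split(","))
             if k.strip().upper() == "DC"]
    return ".".join(p.strip() for p in parts).upper()

def parse_ini(text):
    """Minimal parser for smb.conf / krb5.conf style 'key = value' sections."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            sections[current][k] = v
    return sections

def check_realm_consistency(dn, smb_conf, krb5_conf):
    """Return mismatches between the AD DN's realm, smb.conf and krb5.conf."""
    expected = realm_from_dn(dn)
    smb = parse_ini(smb_conf).get("global", {})
    krb = parse_ini(krb5_conf)
    problems = []
    smb_realm = smb.get("realm", "").upper()
    if smb_realm != expected:
        problems.append(f"smb.conf realm {smb_realm!r} != AD realm {expected!r}")
    krb_realm = krb.get("libdefaults", {}).get("default_realm", "").upper()
    if krb_realm != expected:
        problems.append(f"krb5.conf default_realm {krb_realm!r} != {expected!r}")
    if expected not in {v.upper() for v in krb.get("domain_realm", {}).values()}:
        problems.append(f"krb5.conf [domain_realm] does not map to {expected!r}")
    return problems
```

Run against the sample above it reports only the smb.conf realm; once that line reads DOMAIN.COM the list is empty.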
