[Samba] AD Controller + File Server + Unix Logins on 1 machine
Rowland Penny
rpenny at samba.org
Fri Feb 19 17:32:50 UTC 2016
On 19/02/16 16:48, Max Baker wrote:
> Hi Sambassadors,
>
> I would like to set up one machine that acts as AD Controller, File
> Server, DNS, and DHCP servers. I have read the warning against
> having AD Controller + File Server on the same machine and those are
> understood. This is for a very small environment, so I'm ok with the
> single point of failure.
>
> That said, I have the AD Controller set up and tested (Very cool!).
> I've joined a Windows machine to the domain and have the home
> directories set up to autocreate and mount. This is using Ubuntu
> 14LTS. I have compiled and installed into the /usr prefix using the
> ./configure settings found in the debian packaging files, and so far
> it seems to be happy.
>
> Well almost...
>
> 1. I am seeing an "Unwilling to Perform" error from ADUC when assigning
> a GUID to the group "Domain Users". I'm not sure if this is a real
> problem or not
> (similar threads:
> https://lists.samba.org/archive/samba/2014-September/184967.html
> https://lists.samba.org/archive/samba/2015-October/195281.html)
What are your feelings on using the command line?
You could always open a terminal on the Samba 4 DC, enter:
ldbedit -e nano -H /usr/local/samba/private/sam.ldb
press enter
press Ctrl+w
type 'dn: cn=domain users'
then add 'gidNumber: <whatever number you want to use>'
I suggest 10000
Press Ctrl+x
Press 'y'
Press 'enter'
That's it, Domain Users now has a gidNumber.
>
> 2. The last component for me is to allow domain users to be able to
> log into and use the ADC (Ubuntu) machine. Can someone point me to
> a way of doing this on the ADC? I've started with
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto but am
> not having a lot of luck so far in getting pam to talk to winbind to
> talk to the ADC. All documentation I've found so far is not doing it
> on the ADC itself.
>
Ah, but setting up libnss_winbind is the same as on a domain member; go
here and read the info:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind
Remember to follow the links.
You may need another file; if getent doesn't work after setting up the
links, just say and I will post the possibly missing file.
Rowland
> Thanks so much,
> -m
>
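
The ldbedit steps in the reply above can also be done non-interactively with ldbmodify. The following is an added example, not part of the original message: the function names and the realm samdom.example.com are constructed, and it assumes Domain Users sits in the default CN=Users container and that the script runs as root on the DC.

```shell
#!/bin/sh
# Added example: scripted form of the ldbedit edit described in the message.
# The path is the one given in the message; override it if Samba was built
# with a different prefix.
SAM_LDB=${SAM_LDB:-/usr/local/samba/private/sam.ldb}

# samdom.example.com -> DC=samdom,DC=example,DC=com
realm_to_basedn() {
    printf '%s\n' "$1" | sed -e 's/^/DC=/' -e 's/\./,DC=/g'
}

# Print the LDIF that sets gidNumber on Domain Users.
# "replace" succeeds whether or not the attribute is already present.
domain_users_gid_ldif() {
    realm=$1
    gid=$2
    case $gid in
        ''|*[!0-9]*)
            echo "gidNumber must be a whole number: '$gid'" >&2
            return 1 ;;
    esac
    cat <<EOF
dn: CN=Domain Users,CN=Users,$(realm_to_basedn "$realm")
changetype: modify
replace: gidNumber
gidNumber: $gid
EOF
}

# Apply the LDIF to sam.ldb, then read the attribute back to confirm it.
set_domain_users_gid() {
    ldif_file=$(mktemp) || return 1
    if domain_users_gid_ldif "$1" "$2" > "$ldif_file" &&
       ldbmodify -H "$SAM_LDB" "$ldif_file"; then
        ldbsearch -H "$SAM_LDB" '(cn=Domain Users)' gidNumber
        rc=$?
    else
        rc=1
    fi
    rm -f "$ldif_file"
    return $rc
}

# Usage on the DC, with the value suggested in the message:
#   set_domain_users_gid samdom.example.com 10000
```

Running domain_users_gid_ldif on its own prints the LDIF without touching sam.ldb, which allows the DN to be checked against the directory before the change is applied.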