user authentication issues with samba4-beta5 as a member server
Jean Raby
jraby at inverse.ca
Wed Sep 5 10:48:33 MDT 2012
On 12-08-31 2:02 AM, Michael Wood wrote:
> On 30 August 2012 18:30, Jean Raby <jraby at inverse.ca> wrote:
>> > On 12-08-30 11:56 AM, Michael Wood wrote:
>>> >>
>>> >> Hi
>>> >>
>>> >> On 30 August 2012 16:58, Jean Raby <jraby at inverse.ca> wrote:
>>>> >>>
>>>> >>> Hi all,
>>>> >>>
>>>> >>> I'm trying to set up samba4 (beta5) as a member server in a 2003 domain
>>>> >>> and I'm struggling to get the user authentication to work.
>>>> >>>
>>>> >>> I ran the provision script with '--server-role=member' and then joined
>>>> >>> the domain using 'samba-tool domain join domainname MEMBER'.
>>> >> [...]
>>> >>
>>> >> Someone will correct me if I'm wrong, but as the release notes say:
>>> >>
>>> >> - Domain member support in the 'samba' binary is in its infancy, and
>>> >> is not comparable to the support found in winbindd. As such, do not
>>> >> use the 'samba' binary (provided for the AD server) on a member
>>> >> server.
>>> >>
>>> >> i.e. rather do not provision anything and do not run the "samba"
>>> >> binary or "samba-tool domain join"
>>> >>
>>> >> Just use the "net" command (and smbd, nmbd) as if it was Samba 3.
>>> >> (i.e. net ads join ... or something like that.) You'll likely also
>>> >> need winbindd, although there's a discussion about potential issues
>>> >> with that going on on this list at the moment.
>>> >>
>> > I forgot to say, I think I need 'samba' (as opposed to smbd) since this is
>> > for an openchange setup and it requires dcerpc_mapiproxy, which is not
>> > available with smbd.
> Well, in that case I can't help you :)

Alright, I tested this again with beta8 and /usr/sbin/samba won't even
start when configured as a member server.
So I guess the release notes were right ;-)

We've been using samba as a DC along with openchange and sogo and it
works pretty well for our development needs, but we're trying to find a
way to integrate that with existing domains with a windows DC.

At first I thought that we'd simply have to join samba as a member
server, but obviously, that won't work for now.

Are there any other options that we could try to be able to authenticate
users against an existing domain short of joining samba as a DC?
Or if it is not possible at all right now, is this something that might
be implemented in the foreseeable future?

Like I said earlier, we need to use 'samba' instead of smbd since we
need to use the following configuration parameters, which I think are
only available with the samba daemon:

dcerpc endpoint servers = epmapper, mapiproxy
dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr

Thanks.
--
Jean