user authentication issues with samba4-beta5 as a member server

Andrew Bartlett abartlet at samba.org
Wed Sep 5 17:17:42 MDT 2012


On Wed, 2012-09-05 at 12:48 -0400, Jean Raby wrote:
> On 12-08-31 2:02 AM, Michael Wood wrote:
> > On 30 August 2012 18:30, Jean Raby<jraby at inverse.ca>  wrote:
> >> >  On 12-08-30 11:56 AM, Michael Wood wrote:
> >>> >>
> >>> >>  Hi
> >>> >>
> >>> >>  On 30 August 2012 16:58, Jean Raby<jraby at inverse.ca>   wrote:
> >>>> >>>
> >>>> >>>  Hi all,
> >>>> >>>
> >>>> >>>  I'm trying to set up samba4 (beta5) as a member server in a 2003 domain
> >>>> >>>  and I'm struggling to get the user authentication to work.
> >>>> >>>
> >>>> >>>  I ran the provision script with '--server-role=member' and then joined
> >>>> >>>  the domain using 'samba-tool domain join domainname MEMBER'.
> >>> >>  [...]
> >>> >>
> >>> >>  Someone will correct me if I'm wrong, but as the release notes say:
> >>> >>
> >>> >>  - Domain member support in the 'samba' binary is in its infancy, and
> >>> >>      is not comparable to the support found in winbindd.  As such, do not
> >>> >>      use the 'samba' binary (provided for the AD server) on a member
> >>> >>      server.
> >>> >>
> >>> >>  i.e. rather do not provision anything and do not run the "samba"
> >>> >>  binary or "samba-tool domain join"
> >>> >>
> >>> >>  Just use the "net" command (and smbd, nmbd) as if it was Samba 3.
> >>> >>  (i.e. net ads join ... or something like that.)  You'll likely also
> >>> >>  need winbindd, although there's a discussion about potential issues
> >>> >>  with that going on on this list at the moment.
> >>> >>
> >> >  I forgot to say, I think I need 'samba' (as opposed to smbd) since this is
> >> >  for an openchange setup and it requires dcerpc_mapiproxy, which is not
> >> >  available with smbd.
> > Well, in that case I can't help you:)
> 
> Alright, I tested this again with beta8 and /usr/sbin/samba won't even 
> start when configured as a member server.
> So I guess the release notes were right ;-)
> 
> We've been using samba as a DC along with openchange and sogo and it 
> works pretty well for our development needs, but we're trying to find a 
> way to integrate that with existing domains with a windows DC.
> 
> At first I thought that we'd simply have to join samba as a member 
> server, but obviously, that won't work for now.

It is meant to still permit a startup in this situation.  Is there any
chance you could debug the code in source4/smbd/server.c that imposes
this restriction and work out why it doesn't allow you to start up?

> Are there any other options that we could try to be able to authenticate 
> users against an existing domain short of joining samba as a DC?
> Or if it is not possible at all right now, is this something that might 
> be implemented in the foreseeable future?
> 
> Like I said earlier, we need to use 'samba' instead of smbd since we 
> need to use the following configuration parameters, which I think are 
> only available with the samba daemon :
> 
>    dcerpc endpoint servers = epmapper, mapiproxy
>    dcerpc_mapiproxy:server = true
>    dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr

The winbindd issues we still need to sort out, but if the Openchange
folks expect this to work from their end, then we will keep the Samba
side available.  The startup check is just to try and avoid user
confusion from our broader user base. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
