[Samba] [SUCCESS REPORT] Samba4 Domain [Was: Samba4 Domain UP, but no roaming profiles]

Adam Tauno Williams awilliam at whitemice.org
Tue Dec 18 09:37:19 MST 2012


On Tue, 2012-12-18 at 08:52 -0500, Adam Tauno Williams wrote:
> On Tue, 2012-12-18 at 02:45 +1100, Stephen Jones wrote:
> > The problem is your smb.conf [profiles].  The only options you need are
> > the path and read only = no.  Control access from Windows with an ACL
> > applied to the profiles share security properties rather than forcing
> > permissions from Samba.  S4 is different from S3.  I'm not sure if those
> > mask options work in S4 but, if they do, those values will deny all
> > access set through extended ACLs because those are applied through the
> > group class.
> > Fix smb.conf 
> Ok, did that.  

I have to call it a success at this point.  We have transitioned our
domain from S3/NT4/LDAPSAM to S4/AD.  All the basic domain
functionality appears to be working.  There are a couple of things to
nail down, but user profiles, logon scripts, authentication, and group
policies appear to be working as expected.  All in all that wasn't
nearly as gnarly as I expected.

Only remaining issues are
 - No DNS auto-registration for Samba hosts, internal DNS
   <https://lists.samba.org/archive/samba/2012-December/170566.html>
   Currently I work around this by just manually adding the host entry
   with samba-tool.
 - Caching enabled on roaming profile share; cannot disable.
   <https://lists.samba.org/archive/samba/2012-December/170578.html>
 - Lots of NTLMSSP NTLM2 errors
   <https://lists.samba.org/archive/samba/2012-December/170558.html>
   I need to try to figure out which hosts these are coming from.
 - WINS Hook not working (or not supported)
   <https://lists.samba.org/archive/samba/2012-December/170572.html>
   We use WINS hook to generate reverse DNS entries, since we have
   an application that requires those [ugly though it may be]. I may
   have to find another way to do this.
 - Since we migrated from LDAPSAM we use RFC2307, which is a little 
   weird and not all of the properties map through winbind.

TIP: For anyone else migrating - make sure your login scripts on the
netlogon share show Read + Execute permissions for Authenticated Users.
Otherwise, the specified logon scripts just don't execute, silently, with
no notice.  Under S3/NT4 it appears it didn't care so long as it could
read the script.
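[Editor's note, added example; this is not part of the post above or of Samba itself.]  The Read + Execute tip can be checked mechanically rather than by eyeballing the Windows security tab.  The script below parses the DACL of an NT ACL given in SDDL form (the shape `samba-tool ntacl get --as-sddl <file>` prints for a file on the netlogon share) and walks it the way Windows does, deny ACEs first for any still-needed bit, allow ACEs accumulating.  It reports whether an ordinary domain user, whose token is assumed here to carry both Authenticated Users (S-1-5-11) and Everyone (S-1-1-0), ends up with FILE_GENERIC_READ | FILE_GENERIC_EXECUTE on the script.  The SDDL strings at the bottom are constructed for illustration, not captured from a real server.

```python
"""Check that a logon script's NT ACL (as SDDL) grants Read + Execute.

Added example, not from the mailing-list post. The SDDL inputs below are
constructed; on a real DC feed in `samba-tool ntacl get --as-sddl <file>`.
"""
import re

# File access-mask constants (winnt.h)
FILE_GENERIC_READ = 0x00120089
FILE_GENERIC_EXECUTE = 0x001200A0
FILE_GENERIC_WRITE = 0x00120116
FILE_ALL_ACCESS = 0x001F01FF
READ_EXECUTE = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE   # 0x001200A9

GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = (
    0x80000000, 0x40000000, 0x20000000, 0x10000000)

# SDDL two-letter rights tokens -> access-mask bits (the subset file ACLs use)
RIGHTS_TOKENS = {
    "GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": GENERIC_WRITE,
    "GX": GENERIC_EXECUTE, "FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ,
    "FW": FILE_GENERIC_WRITE, "FX": FILE_GENERIC_EXECUTE,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}
# SDDL SID aliases -> well-known SIDs
SID_ALIASES = {"AU": "S-1-5-11", "WD": "S-1-1-0",
               "SY": "S-1-5-18", "BA": "S-1-5-32-544"}
AUTHENTICATED_USERS = "S-1-5-11"
EVERYONE = "S-1-1-0"

# "D:" + optional flags (P, AI, AR, ...) + zero or more "(...)" ACEs
DACL_RE = re.compile(r"D:[A-Z_]*((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(token):
    """Hex mask ('0x1200a9') or concatenated tokens ('FRFX') -> access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS_TOKENS[token[i:i + 2]]   # OR, not sum: bits overlap
    return mask


def map_generic(mask):
    """Expand generic rights into the file-specific rights they stand for."""
    if mask & GENERIC_ALL:
        mask |= FILE_ALL_ACCESS
    if mask & GENERIC_READ:
        mask |= FILE_GENERIC_READ
    if mask & GENERIC_WRITE:
        mask |= FILE_GENERIC_WRITE
    if mask & GENERIC_EXECUTE:
        mask |= FILE_GENERIC_EXECUTE
    return mask & 0x0FFFFFFF   # drop the generic bits themselves


def parse_dacl(sddl):
    """Return the DACL as an ordered list of (ace_type, mask, sid)."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid
        fields = body.split(";")
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        aces.append((ace_type, map_generic(parse_rights(rights)),
                     SID_ALIASES.get(sid, sid)))
    return aces


def access_granted(aces, token_sids, wanted):
    """Windows-style walk: a deny ACE hitting a still-needed bit denies
    outright; allow ACEs accumulate until no wanted bit is left."""
    remaining = wanted
    for ace_type, mask, sid in aces:
        if sid not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
        if not remaining:
            return True
    return remaining == 0


def logon_script_will_run(sddl):
    """True if an ordinary domain user (assumed token: Authenticated Users and
    Everyone) has Read + Execute; False is the 'silently does nothing' case."""
    return access_granted(parse_dacl(sddl),
                          {AUTHENTICATED_USERS, EVERYONE}, READ_EXECUTE)


# Constructed SDDL inputs (not captured from a real DC)
GOOD_ACL = "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
READ_ONLY_ACL = "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;FR;;;AU)"   # Read, no Execute
DENY_ACL = "O:BAG:DUD:PAI(D;;FX;;;AU)(A;OICI;FA;;;AU)"            # explicit deny first
EVERYONE_ACL = "O:BAG:DUD:P(A;OICI;GRGX;;;WD)"                    # generic rights on Everyone

if __name__ == "__main__":
    for name, acl in [("good", GOOD_ACL), ("read-only", READ_ONLY_ACL),
                      ("deny", DENY_ACL), ("everyone", EVERYONE_ACL)]:
        print(f"{name:10s} runs={logon_script_will_run(acl)}")
```

The read-only case is exactly the S3-to-S4 trap in the tip: FR carries every read bit but not FILE_EXECUTE (0x20), so the walk ends with 0x20 still outstanding and the script is skipped with no error.  Piping each script's SDDL from the netlogon share through `logon_script_will_run` during a migration turns that silent failure into a visible one.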


