[Samba] [SUCCESS REPORT] Samba4 Domain [Was: Samba4 Domain UP, but no roaming profiles]
Adam Tauno Williams
awilliam at whitemice.org
Tue Dec 18 09:37:19 MST 2012
On Tue, 2012-12-18 at 08:52 -0500, Adam Tauno Williams wrote:
> On Tue, 2012-12-18 at 02:45 +1100, Stephen Jones wrote:
> > The problem is your smb.conf [profiles]. The only options you need are
> > the path and read only = no. Control access from Windows with an ACL
> > applied to the profiles share security properties rather than forcing
> > permissions from Samba. S4 is different from S3. I'm not sure if those
> > mask options work in S4 but, if they do, those values will deny all
> > access set through extended ACLs because those are applied through the
> > group class.
> > Fix smb.conf
> Ok, did that.
I have to call it a success at this point. We have transitioned our
domain from S3/NT4/LDAPSAM to S4/AD. All the basic domain
functionality appears to be working. There are a couple of things to nail
down but user profiles, logon scripts, authentication, and group
policies appear to be working as expected. All in all that wasn't
nearly as gnarly as I expected.
Only remaining issues are
- No DNS auto-registration for Samba hosts, internal DNS
<https://lists.samba.org/archive/samba/2012-December/170566.html>
Currently I work around this by just manually adding the host entry
with samba-tool.
- Caching enabled on roaming profile share; cannot disable.
<https://lists.samba.org/archive/samba/2012-December/170578.html>
- Lots of NTLMSSP NTLM2 errors
<https://lists.samba.org/archive/samba/2012-December/170558.html>
I need to try to figure out which hosts these are coming from.
- WINS Hook not working (or not supported)
<https://lists.samba.org/archive/samba/2012-December/170572.html>
We use WINS hook to generate reverse DNS entries, since we have
an application that requires those [ugly though it may be]. I may
have to find another way to do this.
- Since we migrated from LDAPSAM we use RFC2307, which is a little
weird and not all of the properties map through winbind.
TIP: For anyone else migrating - make sure your login scripts on the
netlogon share show Read + Execute permissions for Authenticated Users.
Otherwise the specified logon scripts just don't execute, silently, with
no notice. Under S3/NT4 it appears it didn't care so long as it could
read the script.
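A check for the netlogon tip above, added here as an illustration and not code from the poster or the Samba project: it parses the text that `smbcacls` prints for a file on the netlogon share (the `ACL:<principal>:<type>/<flags>/<mask>` lines) and reports whether Authenticated Users effectively hold both Read and Execute. The access-mask constants follow smbcacls' own READ/CHANGE/FULL and R/W/X/D/P/O conventions; treating Everyone (S-1-1-0) as satisfying the requirement, because it is a superset of Authenticated Users (S-1-5-11), is an assumption of this example, and the three ACL dumps at the bottom are constructed samples rather than captured output.

```python
"""Check an smbcacls dump of a logon script for the rights Samba4 logon
needs: Authenticated Users must hold Read + Execute, or the script is
skipped silently.  Example code, not from the mailing-list post or Samba."""

# Windows file access-mask bits that decide whether a logon script runs.
FILE_READ_DATA = 0x00000001
FILE_EXECUTE = 0x00000020

# smbcacls symbolic masks; note READ already includes execute/traverse (0x20).
STANDARD_MASKS = {
    "READ": 0x001200A9,
    "CHANGE": 0x001301BF,
    "FULL": 0x001F01FF,
}
# Single-letter rights, printed by smbcacls when no standard name matches.
LETTER_MASKS = {
    "R": 0x00120089,  # read data/attributes/EA, read control, synchronize
    "W": 0x00100116,  # write data/attributes/EA, append, synchronize
    "X": 0x001200A0,  # execute/traverse, read attributes, read control, sync
    "D": 0x00010000,  # delete
    "P": 0x00040000,  # change permissions (WRITE_DAC)
    "O": 0x00080000,  # take ownership
}

# Principals whose grant satisfies the tip.  Assumption of this example:
# Everyone (S-1-1-0) counts, since it contains Authenticated Users (S-1-5-11).
ACCEPTABLE_PRINCIPALS = {
    "s-1-5-11", "nt authority\\authenticated users", "authenticated users",
    "s-1-1-0", "everyone",
}


def parse_mask(text):
    """Turn an smbcacls mask ('READ', 'RX', '0x1200a9') into an integer."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    if text.upper() in STANDARD_MASKS:
        return STANDARD_MASKS[text.upper()]
    mask = 0
    for letter in text.upper():
        if letter not in LETTER_MASKS:
            raise ValueError("unknown right %r in mask %r" % (letter, text))
        mask |= LETTER_MASKS[letter]
    return mask


def parse_aces(smbcacls_output):
    """Yield (principal, ace_type, mask) for every 'ACL:' line of the dump."""
    for line in smbcacls_output.splitlines():
        if not line.startswith("ACL:"):
            continue
        _, principal, rest = line.split(":", 2)
        ace_type, _flags, mask = rest.split("/", 2)
        yield principal.strip(), ace_type.strip().upper(), parse_mask(mask)


def effective_rights(smbcacls_output):
    """Bits granted to Authenticated Users / Everyone by ALLOWED ACEs, minus
    any bits removed by DENIED ACEs on those same principals."""
    allowed = denied = 0
    for principal, ace_type, mask in parse_aces(smbcacls_output):
        if principal.lower() not in ACCEPTABLE_PRINCIPALS:
            continue
        if ace_type == "ALLOWED":
            allowed |= mask
        elif ace_type == "DENIED":
            denied |= mask
    return allowed & ~denied


def missing_rights(smbcacls_output):
    """Names of the rights the logon script still lacks; [] means it will run."""
    rights = effective_rights(smbcacls_output)
    missing = []
    if not rights & FILE_READ_DATA:
        missing.append("READ_DATA")
    if not rights & FILE_EXECUTE:
        missing.append("EXECUTE")
    return missing


# Constructed sample dumps (shape of `smbcacls //dc/netlogon logon.bat`).
GOOD_ACL = r"""REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:EXAMPLE\Domain Users
ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x0/READ
"""
# The silent-failure case: only admins can read the script.
ADMINS_ONLY_ACL = r"""ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
ACL:EXAMPLE\Domain Admins:ALLOWED/0x0/READ
"""
# Numeric (--numeric style) dump: read bits present, execute bit absent.
READ_NO_EXEC_ACL = "ACL:S-1-5-11:ALLOWED/0x0/0x00120089\n"

if __name__ == "__main__":
    for name, dump in (("good", GOOD_ACL), ("admins-only", ADMINS_ONLY_ACL),
                       ("read-no-exec", READ_NO_EXEC_ACL)):
        print(name, "->", missing_rights(dump) or "OK")
```

Run it against the real output of `smbcacls` for each script named in users' profiles; an empty list means the share-level ACL is not the reason a script fails to run, and anything else names the bit to grant.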