[Samba] Samba3 joining W2k3 as member server
Andrew Bartlett
abartlet at samba.org
Fri Dec 21 16:18:25 MST 2012
On Sat, 2012-12-22 at 12:01 +1300, Pieter De Wit wrote:
> On 22/12/2012 11:47, Andrew Bartlett wrote:
> > On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
> >> On 18/12/2012 10:47, Andrew Bartlett wrote:
> >>> On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
> >>>> Hi list,
> >>>>
> >>>> I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used, from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain however. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box.
> >>>>
> >>>> Any pointers please or is this intended as the server does single sign?
> >>> If you can list exactly the steps you took, we might be able to help.
> >>>
> >>> But to answer your question: Yes, Samba will happily join Windows 2003
> >>> as a domain member. The key command is 'net ads join'.
> >>>
> >>> Andrew Bartlett
> >>>
> >> Hi Andrew,
> >>
> >> Sorry for the delay in my reply, things have been hectic closing down for
> >> the holidays. In a nutshell, here is what I do/did:
> >>
> >> 1) apt-get install samba winbindd krb5-user
> >> 2) Configure smb.conf as per :
> >>
> >> [global]
> >>
> >> workgroup = WORK
> >> realm = WORK.LOCAL
> >> preferred master = no
> >> server string = Linux Test Machine
> >> security = ADS
> >> encrypt passwords = yes
> >> log level = 3
> >> log file = /var/log/samba/%m
> >> max log size = 50
> >> printcap name = cups
> >> printing = cups
> >> # winbind enum users = Yes
> >> # winbind enum groups = Yes
> >> # winbind use default domain = Yes
> >> winbind nested groups = Yes
> >> winbind separator = +
> >> idmap uid = 2000-20000
> >> idmap gid = 2000-20000
> >> template shell = /bin/bash
> >> veto files = lost+found
> >>
> >> 3) Configure krb5.conf:
> >> [libdefaults]
> >>     default_realm = WORK.LOCAL
> >>
> >> [realms]
> >>     # realm name must match default_realm (was YPG.LOCAL, a leftover)
> >>     WORK.LOCAL = {
> >>         kdc = DC.WORK.LOCAL
> >>     }
> >>
> >> [domain_realm]
> >>     .kerberos.server = WORK.LOCAL
> >>
> >> 4) Restart Samba/Winbind
> >> 5) In /etc/nsswitch.conf add winbind to passwd and group
> >> 6) Join the domain : net ads join -U <my_admin_account>
> >> 7) kinit <my_admin_account>
> >>
> >> From then, users can connect to the shares on the server using Single
> >> Sign On. The "issue" is that if I look under my Active Directory, the
> >> server will state that it is a "Domain Controller". Running the usual DC
> >> Info tools they seem to think the domain is ok. I would prefer to have
> >> the server say Member server, rather than DC :)
> >>
> >> I would like to send you a screenshot of what "Active Directory Users
> >> and Computers" shows but this will be hard to do remotely.
> > Many years ago, we found this issue, which was a display bug in ADUC.
> > We are almost certainly not registered as an AD DC, but because our
> > account flags in the directory don't match exactly what windows does,
> > then it promotes us to a DC in the GUI. I saw this with Windows 2000
> > over a decade ago, but perhaps it wasn't fixed in 2003.
> >
> > Andrew Bartlett
> >
> Hey Andrew,
>
> I suspect it is the same issue. Is it worth logging a bug for it? In my
> case I have other people that maintain AD and I would prefer to "clean
> it up". If it is in the "too hard to fix basket" (I know MS isn't really
> forthcoming with info re AD), then so be it.
Microsoft is very forthcoming on info re AD. However, please check if
the latest tools from Microsoft also show this incorrectly as a DC.
If you want to send me the userAccountControl value it set, I can
confirm it doesn't have the DC flag set.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
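The check Andrew asks for, decoding the computer account's userAccountControl bits to confirm that SERVER_TRUST_ACCOUNT (the DC flag) is not set, as an added example that is not from the thread or from the Samba project. The sample values are constructed, and the query in the comment assumes the WORK.LOCAL names used above.

```python
"""Decode an AD userAccountControl value and classify the account.

A member server joined with 'net ads join' should carry
WORKSTATION_TRUST_ACCOUNT (0x1000); a DC carries SERVER_TRUST_ACCOUNT
(0x2000). Fetch the value for the Samba host with, for example
(assumed host name SAMBA1, realm WORK.LOCAL):
    net ads search '(sAMAccountName=SAMBA1$)' userAccountControl
"""

# Flag bits defined for the userAccountControl attribute.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

def decode_uac(value):
    """Return the flag names set in value (int, or a decimal/hex string)."""
    if isinstance(value, str):
        value = int(value, 0)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names

def account_role(value):
    """Classify the trust-account bits; exactly one of them should be set."""
    if isinstance(value, str):
        value = int(value, 0)
    is_server = bool(value & 0x2000)
    is_wks = bool(value & 0x1000)
    if is_server and is_wks:
        return "invalid: both trust bits set"
    if is_server:
        return "domain controller"
    if is_wks and value & 0x4000000:
        return "read-only domain controller"
    if is_wks:
        return "member server / workstation"
    return "not a trust account"

# Constructed sample values: a plain member account and a typical DC account.
SAMPLES = {"member": 4096, "dc": 532480}
```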