[Samba] Samba3 joining W2k3 as member server
Pieter De Wit
pieter at insync.za.net
Fri Dec 21 18:28:08 MST 2012
I stand corrected re the MS comment then. How do I get the userAccountControl?
Thx
Sent from my iPhone
On 22/12/2012, at 12:18, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sat, 2012-12-22 at 12:01 +1300, Pieter De Wit wrote:
>> On 22/12/2012 11:47, Andrew Bartlett wrote:
>>> On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
>>>> On 18/12/2012 10:47, Andrew Bartlett wrote:
>>>>> On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
>>>>>> Hi list,
>>>>>>
>>>>>> I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used, from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain however. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box.
>>>>>>
>>>>>> Any pointers please or is this intended as the server does single sign?
>>>>> If you can list exactly the steps you took, we might be able to help.
>>>>>
>>>>> But to answer your question: Yes, Samba will happily join Windows 2003
>>>>> as a domain member. The key command is 'net ads join'.
>>>>>
>>>>> Andrew Bartlett
>>>> Hi Andrew,
>>>>
>>>> Sorry for the delay in my reply, things have been hectic closing down for
>>>> the holidays. In a nutshell, here is what I do/did:
>>>>
>>>> 1) apt-get install samba winbindd krb5-user
>>>> 2) Configure smb.conf as per :
>>>>
>>>> [global]
>>>>
>>>> workgroup = WORK
>>>> realm = WORK.LOCAL
>>>> preferred master = no
>>>> server string = Linux Test Machine
>>>> security = ADS
>>>> encrypt passwords = yes
>>>> log level = 3
>>>> log file = /var/log/samba/%m
>>>> max log size = 50
>>>> printcap name = cups
>>>> printing = cups
>>>> # winbind enum users = Yes
>>>> # winbind enum groups = Yes
>>>> # winbind use default domain = Yes
>>>> winbind nested groups = Yes
>>>> winbind separator = +
>>>> idmap uid = 2000-20000
>>>> idmap gid = 2000-20000
>>>> template shell = /bin/bash
>>>> veto files = lost+found
>>>>
>>>> 3) Configure krb5.conf:
>>>> [libdefaults]
>>>> default_realm = WORK.LOCAL
>>>>
>>>> [realms]
>>>> WORK.LOCAL={
>>>> kdc=DC.WORK.LOCAL
>>>> }
>>>> [domain_realm]
>>>> .kerberos.server=WORK.LOCAL
>>>>
>>>> 4) Restart Samba/Winbind
>>>> 5) In /etc/nsswitch.conf add winbind to passwd and group
>>>> 6) Join the domain : net ads join -U <my_admin_account>
>>>> 7) kinit <my_admin_account>
>>>>
>>>> From then, users can connect to the shares on the server using Single
>>>> Sign On. The "issue" is that if I look under my Active Directory, the
>>>> server will state that it is a "Domain Controller". Running the usual DC
>>>> Info tools they seem to think the domain is ok. I would prefer to have
>>>> the server say Member server, rather than DC :)
>>>>
>>>> I would like to send you a screenshot of what "Active Directory Users
>>>> and Computers" shows but this will be hard to do remotely.
>>> Many years ago, we found this issue, which was a display bug in ADUC.
>>> We are almost certainly not registered as an AD DC, but because our
>>> account flags in the directory don't match exactly what windows does,
>>> then it promotes us to a DC in the GUI. I saw this with Windows 2000
>>> over a decade ago, but perhaps it wasn't fixed in 2003.
>>>
>>> Andrew Bartlett
>> Hey Andrew,
>>
>> I suspect it is the same issue. Is it worth logging a bug for it? In my
>> case I have other people that maintain AD and I would prefer to "clean
>> it up". If it is in the "too hard to fix basket" (I know MS isn't really
>> forthcoming with info re AD), then so be it.
>
> Microsoft is very forthcoming on info re AD. However, please check if
> the latest tools from Microsoft also show this incorrectly as a DC.
>
> If you want to send me the userAccountControl value it set, I can
> confirm it doesn't have the DC flag set.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
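Added example (not code from this thread or from Samba): once the machine account's userAccountControl value has been read from AD (for example with ldapsearch or "net ads search" against the host's sAMAccountName, HOSTNAME$ below being a placeholder), this decodes the Microsoft-documented flag bits and reports whether the account carries the DC flag (SERVER_TRUST_ACCOUNT) or the member-server flag (WORKSTATION_TRUST_ACCOUNT) that the ADUC display question above turns on. The LDIF sample is constructed.

```python
# Decode an AD userAccountControl value and classify the machine account.
# Flag values are Microsoft's documented userAccountControl bits.
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",   # member server / workstation
    0x2000: "SERVER_TRUST_ACCOUNT",        # domain controller
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
KNOWN_MASK = 0
for _bit in UAC_FLAGS:
    KNOWN_MASK |= _bit

# Constructed sample of what an LDAP query for the attribute returns
# (HOSTNAME$ is a placeholder for the Samba machine account).
SAMPLE_LDIF = """dn: CN=HOSTNAME,CN=Computers,DC=work,DC=local
sAMAccountName: HOSTNAME$
userAccountControl: 69632
"""

def uac_from_ldif(text):
    """Pull the integer userAccountControl out of LDIF-style query output."""
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "useraccountcontrol":
            return int(val.strip())
    raise ValueError("no userAccountControl attribute in output")

def decode_uac(value):
    """Return (flag names set in value, any bits not in the known table)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    return names, value & ~KNOWN_MASK

def account_role(value):
    """Classify a machine account the way ADUC's type column should."""
    if value & 0x2000:
        return "domain controller"
    if value & 0x1000:
        return "member server/workstation"
    if value & 0x0800:
        return "trust account"
    return "not a machine account"

if __name__ == "__main__":
    uac = uac_from_ldif(SAMPLE_LDIF)
    print(hex(uac), account_role(uac), decode_uac(uac))
```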