[Samba] Joining Domain

Andre Kruger Andre.Kruger at TRW.COM
Wed Aug 27 05:17:41 MDT 2014


I made the change that you suggest but I still get the exact same error message. Just to clarify:

1. I added "idmap config DOMAIN : schema_mode = rfc2307"
2. Yes, the krugersa account has the rights required. I join other machines to my domain using this account. Administrator isn't used.
3. idmap config DOMAIN : backend = ad/rid  <-  I assume this does not impact joining the domain? It is used after the domain has been joined successfully.

This is my global section as it is now:

[global]
        workgroup = DOMAIN
        realm = AD.DOMAIN.COM
        server string = Samba
        security = ADS
        log file = /var/samba/log/log.%m
        max log size = 50000
        client ldap sasl wrapping = sign
        load printers = No
        local master = No
        domain master = No
        dns proxy = No
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config DOMAIN : range = 20000-800000
        idmap config DOMAIN : backend = ad
        idmap config DOMAIN : schema_mode = rfc2307
        idmap config * : backend = tdb      <-   I don't get this line, it is not in my smb.conf file but when I parse the file with testparm it is in the output. Why?


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: 27 August 2014 11:31
To: samba at lists.samba.org
Subject: Re: [Samba] Joining Domain

On 27/08/14 10:21, Andre Kruger wrote:
> I have successfully compiled and installed Samba 4.1.11 from source on OpenIndiana 151a8.
>
> I tested the server by creating a folder and adding a local samba user (smbpasswd -a) and mapping a drive from my Windows machine which succeeded. I was able to access the test file in the folder as well as edit and save it.
>
> Now I am trying to join my samba server to my domain but it is failing and the error messages are not helping much and google's responses aren't really helping.
>
> Can anybody on the list help? When I try and join the domain I get the following error message:
>
> ./net ads join -U krugersa
> Enter krugersa's password:

Does 'krugersa' have the required permissions to join to the domain? Have you tried with 'Administrator'?

> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
> Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
>
>
> What causes samba to output this particular error message? "NT_STATUS_NOT_SUPPORTED" is very general...
>
> A copy of my smb.conf file:
>
> [global]
>          workgroup = DOMAIN
>          realm = AD.DOMAIN.COM
>          server string = Samba
>          security = ADS
>          log file = /var/samba/log/log.%m
>          max log size = 50000
>          client ldap sasl wrapping = sign
>          load printers = No
>          local master = No
>          domain master = No
>          dns proxy = No
>          winbind separator = +
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          idmap config * : range = 20000-800000
>          idmap config * : backend = tdb

You appear to have a portion missing:

         idmap config DOMAIN : backend  = ad
         idmap config DOMAIN : range = 10000-999999
         idmap config DOMAIN : schema_mode = rfc2307

Adjust the range to suit your setup. If your AD users do not have uidNumbers, change 'ad' to 'rid'.

Rowland

>
> [homes]
>          comment = Home Directories
>          read only = No
>          browseable = No
>
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          printable = Yes
>          print ok = Yes
>          browseable = No
>
> [testperm]
>          path = /testperm
>          valid users = @DOMAIN+Admins
>          read only = No
>          create mask = 0770
>          directory mask = 0770
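
An added example, not part of the original thread: a small Python check over the "idmap config" lines discussed above. It assumes every idmap domain, including the default "*", should carry an explicit backend and a numeric range, and that ranges must not overlap; the function names and SAMPLE text are constructed for illustration, and the check does not address the NT_STATUS_NOT_SUPPORTED join error itself.

```python
import re

# Constructed sample: the idmap lines from the [global] section quoted in this thread.
SAMPLE = """\
[global]
        workgroup = DOMAIN
        security = ADS
        idmap config DOMAIN : range = 20000-800000
        idmap config DOMAIN : backend = ad
        idmap config DOMAIN : schema_mode = rfc2307
        idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val
    return domains

def check_idmap(domains):
    """Return a list of findings; an empty list means the checks passed."""
    findings, ranges = [], []
    if "*" not in domains:
        findings.append("no 'idmap config * :' default domain defined")
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"{dom}: no backend set")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{dom}: missing or invalid range")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        for other, olo, ohi in ranges:
            if lo <= ohi and olo <= hi:  # the two intervals share at least one ID
                findings.append(f"{dom}: range overlaps {other}")
        ranges.append((dom, lo, hi))
    return findings

if __name__ == "__main__":
    for finding in check_idmap(parse_idmap(SAMPLE)):
        print(finding)
```
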
