[Samba] Join Samba4 member server to Windows AD

Ismael Yáñez yanez at bss-services.de
Thu Feb 27 04:42:48 MST 2014


Hello everybody,

I need to set up a domain/subdomain environment with Windows AD. All the 
DCs run Windows Server 2012 R2. In all domains (root and subdomains) the 
forest and domain functional levels are set to Windows 2008 R2.

I want to use Samba 4 servers as file servers in these domains, but up to 
now I have trouble adding Samba 4 member servers to Windows AD.

My test environment is made of two networks, which are connected through a 
site-to-site VPN tunnel.

On one of these networks I have the root domain (RD.LAN) with its DC 
rddc1.rd.lan and subdomain 2 (SD2.RD.LAN) with its DC sd2dc.sd2.rd.lan.

On the other network I have the subdomain 1 (SD1.RD.LAN) with its DC 
sd1dc1.sd1.rd.lan.

I try the following steps on mserver1.sd1.rd.lan:

First I install these required packages, as described on wiki.samba.org:

build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev 
libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev 
libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev 
git acl

Plus I install the packages ntp and winbind.

Then I add 'user_xattr,acl,barrier=1' to my /etc/fstab and mount all 
filesystems with 'mount -a'.

Then I download the sources with git: 'git clone -b v4-1-stable 
git://git.samba.org/samba.git samba4'

Then I build and install:
# ./configure --with-ads --with-shared-modules=idmap_ad
# make
# make install

Then I link the winbind libraries:
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

I configure /etc/krb5.conf:
[libdefaults]
     default_realm = SD1.RD.LAN
     dns_lookup_realm = true
     dns_lookup_kdc = true

[realms]
     SD1.RD.LAN = {
         kdc = sd1dc1.sd1.rd.lan
         admin_server = sd1dc1.sd1.rd.lan
     }

[domain_realm]
     .sd1.rd.lan = SD1.RD.LAN
     sd1.rd.lan = SD1.RD.LAN

I configure /usr/local/samba/etc/smb.conf:
[global]

     workgroup = SD1
     security = ADS
     realm = SD1.RD.LAN
     encrypt passwords = yes

#    idmap config *:backend = tdb
#    idmap config *:range = 70001-80000
     idmap config SD1:backend = ad
     idmap config SD1:schema_mode = rfc2307
     idmap config SD1:range = 10000-40000

     winbind nss info = rfc2307
#    winbind separator = +
     winbind trusted domains only = no
     winbind use default domain = yes
     winbind enum users = yes
     winbind enum groups = yes

# ACL support
         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = yes

I join the server to AD: 'net ads join -Uadministrator' and get a 
positive message:
Using short domain name -- SD1
Joined 'mserver1' to dns domain 'sd1.rd.lan'

I edit /etc/nsswitch.conf:
passwd:          compact winbind
group:           compact winbind

I start the daemons manually in the following order: nmbd, winbindd, smbd.

And here is where it starts to get funny: when I execute wbinfo -u, this 
is what I get:
administrator
gast
krbtgt
rd$
RD\administrator
RD\gast
RD\krbtgt
RD\sd2$
RD\sd1$
SD2\administrator
SD2\gast
SD2\krbtgt
SD2\rd$

and wbinfo -g:
winrmremotewmiusers__
domänencomputer
domänencontroller
zertifikatherausgeber
domänen-admins
domänen-benutzer
domänen-gäste
richtlinien-ersteller-besitzer
ras- und ias-server
zulässige rodc-kennwortreplikationsgruppe
abgelehnte rodc-kennwortreplikationsgruppe
schreibgeschützte domänencontroller
klonbare domänencontroller
protected users
dnsadmins
dnsupdateproxy
RD\domänencomputer
RD\domänencontroller
RD\schema-admins
RD\organisations-admins
RD\domänen-admins
RD\domänen-benutzer
RD\domänen-gäste
RD\richtlinien-ersteller-besitzer
RD\schreibgeschützte domänencontroller
RD\schreibgeschützte domänencontroller der organisation
RD\klonbare domänencontroller
RD\protected users
RD\dnsupdateproxy
SD2\domänencomputer
SD2\domänencontroller
SD2\domänen-admins
SD2\domänen-benutzer
SD2\domänen-gäste
SD2\richtlinien-ersteller-besitzer
SD2\schreibgeschützte domänencontroller
SD2\klonbare domänencontroller
SD2\protected users
SD2\dnsupdateproxy

As you can see, I see the users and groups of the root domain (RD.LAN) 
and subdomain 2 (SD2.RD.LAN) but nothing about subdomain 1 (SD1.RD.LAN).

Also, when I execute getent passwd and getent group, I only see the Linux 
users and groups and don't get anything from Windows AD.

I'm really confused and would appreciate it if one of you could take a look 
at it and tell me what is missing or wrong, or even point me in the right 
direction. I don't have much experience with Samba, so please don't be 
too strict with me XD.

Thank you guys!
Isfelipe
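Added example (not part of the post or of Samba): an offline sanity check for the two files the post configures, /etc/nsswitch.conf and the idmap section of smb.conf. It treats commented-out lines as inactive and uses an illustrative, non-exhaustive list of NSS service names; the sample inputs are constructed to mirror the settings quoted above.

```python
import re

# Illustrative (not exhaustive) set of NSS service names; an assumption of this example.
KNOWN_NSS_SERVICES = {"files", "compat", "winbind", "sss", "ldap", "nis", "db", "systemd"}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)

def check_nsswitch(text):
    """Flag passwd/group databases that lack winbind or name an unknown service."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            db, services = line.split(":", 1)
            databases[db.strip()] = services.split()
    problems = []
    for db in ("passwd", "group"):
        services = databases.get(db, [])
        if "winbind" not in services:
            problems.append(f"{db}: winbind not listed")
        for svc in services:  # '[...]' tokens are action specifiers, not services
            if not svc.startswith("[") and svc not in KNOWN_NSS_SERVICES:
                problems.append(f"{db}: unknown service '{svc}' (typo?)")
    return problems

def check_idmap(text):
    """Flag a missing default ('*') idmap range and overlapping per-domain ranges."""
    ranges = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out settings are not active
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            lo, hi = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1).upper()] = (lo, hi)
    problems = []
    if "*" not in ranges:
        problems.append("no active 'idmap config * : range' for the default domain")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges of {a} and {b} overlap")
    return problems

# Constructed samples mirroring the settings quoted in the post.
NSSWITCH_SAMPLE = "passwd:          compact winbind\ngroup:           compact winbind\n"
SMB_CONF_SAMPLE = ("[global]\n#    idmap config *:backend = tdb\n#    idmap config *:range = 70001-80000\n"
                   "     idmap config SD1:backend = ad\n     idmap config SD1:range = 10000-40000\n")
```

Run against the quoted settings, check_nsswitch() reports 'compact' as an unknown service (the glibc service is spelled 'compat') and check_idmap() reports that no default-domain range is active because those lines are commented out.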

