[Samba] Join Samba4 member server to Windows AD
Ismael Yáñez
yanez at bss-services.de
Thu Feb 27 04:42:48 MST 2014
Hello everybody,
I need to set up a domain/subdomain environment with Windows AD. All the
DCs run Windows Server 2012 R2. The forest and domain functional levels of
all domains (root and subdomains) are set to Windows 2008 R2.
I want to use Samba 4 server as fileservers in these domains, but up to
now I have trouble adding Samba 4 member servers to Windows AD.
My test environment is made of two networks, which are connected through a
VPN site-to-site tunnel.
On one of these networks I have the root domain (RD.LAN) with its DC
rddc1.rd.lan and a subdomain 2 (SD2.RD.LAN) with its DC sd2dc.sd2.rd.lan.
On the other network I have the subdomain 1 (SD1.RD.LAN) with its DC
sd1dc1.sd1.rd.lan.
I try the following steps on mserver1.sd1.rd.lan:
first I install these required packages, as written in wiki.samba.org:
build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev
libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev
libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev
git acl
plus I install the packages ntp and winbind
then I add 'user_xattr,acl,barrier=1' to my /etc/fstab and mount all
filesystems 'mount -a'
then I download the sources with git: 'git clone -b v4-1-stable
git://git.samba.org/samba.git samba4'
then I install:
# ./configure --with-ads --with-shared-modules=idmap_ad
# make
# make install
then I link the winbind libraries:
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
I configure /etc/krb5.conf:
[libdefaults]
default_realm = SD1.RD.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
SD1.RD.LAN = {
kdc = sd1dc1.sd1.rd.lan
admin_server = sd1dc1.sd1.rd.lan
}
[domain_realm]
.sd1.rd.lan = SD1.RD.LAN
sd1.rd.lan = SD1.RD.LAN
I configure /usr/local/samba/etc/smb.conf
[global]
workgroup = SD1
security = ADS
realm = SD1.RD.LAN
encrypt passwords = yes
# idmap config *:backend = tdb
# idmap config *:range = 70001-80000
idmap config SD1:backend = ad
idmap config SD1:schema_mode = rfc2307
idmap config SD1:range = 10000-40000
winbind nss info = rfc2307
# winbind separator = +
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# ACL support
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
I join the server to AD: 'net ads join -Uadministrator' and get a
positive message:
Using short domain name -- SD1
Joined 'mserver1' to dns domain 'sd1.rd.lan'
I edit /etc/nsswitch.conf:
passwd: compact winbind
group: compact winbind
start the daemons manually in the following order: nmbd, winbindd, smbd
And here is where it starts to get funny: when I execute wbinfo -u, this
is what I get:
administrator
gast
krbtgt
rd$
RD\administrator
RD\gast
RD\krbtgt
RD\sd2$
RD\sd1$
SD2\administrator
SD2\gast
SD2\krbtgt
SD2\rd$
and wbinfo -g:
winrmremotewmiusers__
domänencomputer
domänencontroller
zertifikatherausgeber
domänen-admins
domänen-benutzer
domänen-gäste
richtlinien-ersteller-besitzer
ras- und ias-server
zulässige rodc-kennwortreplikationsgruppe
abgelehnte rodc-kennwortreplikationsgruppe
schreibgeschützte domänencontroller
klonbare domänencontroller
protected users
dnsadmins
dnsupdateproxy
RD\domänencomputer
RD\domänencontroller
RD\schema-admins
RD\organisations-admins
RD\domänen-admins
RD\domänen-benutzer
RD\domänen-gäste
RD\richtlinien-ersteller-besitzer
RD\schreibgeschützte domänencontroller
RD\schreibgeschützte domänencontroller der organisation
RD\klonbare domänencontroller
RD\protected users
RD\dnsupdateproxy
SD2\domänencomputer
SD2\domänencontroller
SD2\domänen-admins
SD2\domänen-benutzer
SD2\domänen-gäste
SD2\richtlinien-ersteller-besitzer
SD2\schreibgeschützte domänencontroller
SD2\klonbare domänencontroller
SD2\protected users
SD2\dnsupdateproxy
As you can see I see the users and groups of the root domain (RD.LAN)
and subdomain2 (SD2.RD.LAN) but nothing about subdomain1 (SD1.RD.LAN)
also when I execute getent passwd and getent group, I only see the Linux
users and groups but don't get anything from Windows AD.
I'm really confused and would appreciate it if one of you could take a look
at it and tell me what is missing or wrong, or even point me in the right
direction. I don't have much experience with Samba, so please don't be
too strict with me XD.
Thank you guys!
Isfelipe
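Added example (editor's code, not from the post or from the Samba project): a small POSIX shell audit of the two files quoted in the post, run against constructed copies of the poster's nsswitch.conf and smb.conf lines. It flags NSS source names glibc does not know (nsswitch.conf accepts compat, not compact), checks that the joined workgroup has an idmap backend and a low<high range, warns when no default (*) idmap range is set, and notes that winbind use default domain = yes lists the joined domain's own users without a domain prefix in wbinfo output. The file paths under $TMP and the helper names are assumptions for the demo.

```shell
#!/bin/sh
# Constructed copies of the configuration lines quoted in the post (not the live files).
TMP=$(mktemp -d)
printf '%s\n' 'passwd: compact winbind' 'group: compact winbind' > "$TMP/nsswitch.conf"
printf '%s\n' '[global]' 'workgroup = SD1' 'security = ADS' 'realm = SD1.RD.LAN' \
  '# idmap config *:backend = tdb' '# idmap config *:range = 70001-80000' \
  'idmap config SD1:backend = ad' 'idmap config SD1:schema_mode = rfc2307' \
  'idmap config SD1:range = 10000-40000' 'winbind nss info = rfc2307' \
  'winbind use default domain = yes' > "$TMP/smb.conf"

# smbval FILE KEY_REGEX: first value of an uncommented "key = value" line in smb.conf.
smbval() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1; }

# check_nsswitch FILE: passwd and group must list winbind and only NSS services glibc knows.
check_nsswitch() {
  rc=0
  for db in passwd group; do
    srcs=$(awk -v db="$db" '$1 == (db ":") { $1 = ""; print }' "$1")
    case " $srcs " in *" winbind "*) ;; *) echo "nsswitch: $db does not list winbind"; rc=1 ;; esac
    for s in $srcs; do
      case "$s" in files|compat|winbind|sss|ldap|nis|db|dns) ;;
        *) echo "nsswitch: $db has unknown NSS source '$s'"; rc=1 ;;
      esac
    done
  done
  return $rc
}

# check_idmap FILE: the joined workgroup needs an idmap backend and a low<high range;
# a missing default (*) range is a warning, winbind use default domain = yes is a note.
check_idmap() {
  rc=0
  wg=$(smbval "$1" 'workgroup')
  backend=$(smbval "$1" "idmap config $wg[[:space:]]*:[[:space:]]*backend")
  range=$(smbval "$1" "idmap config $wg[[:space:]]*:[[:space:]]*range")
  lo=${range%-*}; hi=${range#*-}
  [ -n "$backend" ] || { echo "smb.conf: no idmap backend configured for $wg"; rc=1; }
  [ -n "$range" ] && [ "$lo" -lt "$hi" ] 2>/dev/null || { echo "smb.conf: bad idmap range '$range' for $wg"; rc=1; }
  [ -n "$(smbval "$1" 'idmap config \*[[:space:]]*:[[:space:]]*range')" ] \
    || echo "smb.conf: WARNING no 'idmap config * : range'; BUILTIN and trusted-domain SIDs have no ID range to map into"
  [ "$(smbval "$1" 'winbind use default domain')" = yes ] \
    && echo "smb.conf: note: 'winbind use default domain = yes' lists $wg users without the $wg domain prefix in wbinfo -u"
  return $rc
}

if check_nsswitch "$TMP/nsswitch.conf"; then echo "nsswitch.conf: ok"; fi
if check_idmap "$TMP/smb.conf"; then echo "smb.conf idmap: ok"; fi
```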