[Samba] Samba 3 to Samba 4 [Solved]

Shem Pasamba shemgp at aiias.edu
Mon Jan 20 23:39:46 MST 2014


On 1/15/2014 7:32 PM, Rowland Penny wrote:
> OK, try this smb.conf on your Ubuntu machine:
>
> [global]
>    workgroup = AIIASSAMBA4
>    realm = aiias.samba4.edu
>    server string = %h server
>    log file = /var/log/samba/log.%m
>    log level = 3
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    security = ADS
>    invalid users = root
>    winbind  cache time = 100
>    winbind enum users = Yes
>    winbind enum groups = Yes
>    winbind use default domain = Yes
>    winbind expand groups = 4
>    winbind nss info = rfc2307
>    winbind refresh tickets = Yes
>    winbind normalize names = Yes
>    idmap config * : backend = tdb
>    idmap config * : range = 1100-5000
>    idmap config AIIASSAMBA4:backend = ad
>    idmap config AIIASSAMBA4:range = 15000-30000
>    idmap config AIIASSAMBA4:schema_mode = rfc2307
>    winbind offline logon = yes
>
> [homes]
>    comment = Home Directories
>    browseable = no
>    # the line below will not allow the user to write to their own homedirectory, I think you meant 'read only = No'
>    # writable = no
>    read only = No
>    create mask = 0700
>    directory mask = 0700
>    valid users = %S
>
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /var/spool/samba
>    printable = yes
>    public = no
>    writable = no
>    create mode = 0700
>
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    read only = yes
>    guest ok = no
>
> It will only work if your users have the uidNumber & gidNumber 
> attributes in AD and they must also fall inside the range 15000-30000
>
> Install the new smb.conf and restart samba, then join the machine to 
> the domain with:
>
> sudo net ads join -U Administrator@AIIAS.SAMBA4.EDU
>
> When asked, enter the password you used during provision.
>
> You will probably have to add 'winbind' to the passwd & group lines in 
> /etc/nsswitch.conf, but wbinfo should now work correctly and getent 
> passwd should display all your local & domain users.
>
> Rowland
Thank you for this configuration. My connection to samba 4 from samba 3 
is now working. Here's what I did in the client (samba 3):
1. Added my proper computer name in /etc/hosts

127.0.0.1       sambatest.local sambatest.aiias.samba4.edu sambatest

2. Edited my resolv.conf to this:

domain aiias.samba4.edu
search aiias.samba4.edu
nameserver 172.16.0.242

3. Here's my smb.conf

[global]
    workgroup = AIIAS.SAMBA4
    realm = AIIAS.SAMBA4.EDU
    server string = %h server
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    invalid users = root
    winbind  cache time = 100
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind normalize names = Yes
    idmap config * : backend = tdb
    idmap config * : range = 1100-5000
    idmap config AIIAS.SAMBA4:backend = ad
    idmap config AIIAS.SAMBA4:range = 15000-30000
    idmap config AIIAS.SAMBA4:schema_mode = rfc2307
    winbind offline logon = yes
    password server = 172.16.0.242
    encrypt passwords = true
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    pam password change = yes
    netbios name = sambatest
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    usershare allow guests = yes

[homes]
    comment = Home Directories
    browseable = no
    # the line below will not allow the user to write to their own homedirectory, I think you meant 'read only = No'
    # writable = no
    read only = No
    create mask = 0700
    directory mask = 0700
    valid users = %S


Here's how I joined the ADS:

net ads join AIIAS.SAMBA4 -W AIIAS.SAMBA4 -S SAMBA4.AIIAS.SAMBA4.EDU -I 172.16.0.242 -U administrator

Some things to take note of while joining.

If the error is:

Failed to join domain: failed to connect to AD: Operations error

the resolv.conf is wrong. Edit it as shown above.

If the error is:

[2014/01/21 14:34:04,  0] libads/sasl.c:ads_sasl_spnego_bind(819)
   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database

Then make sure that the -S server name includes the DC name. In my 
instance, I needed to use

SAMBA4.AIIAS.SAMBA4.EDU

instead of

AIIAS.SAMBA4.EDU

I got SAMBA4 from the OU=Domain Controllers of the samba4 ldap.

Also, take note that it works even if the workgroup has a dot.

Thanks again. Have a great day!
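
An added example (not part of the original post and not Samba project code): a Python check for the two idmap conditions this thread depends on. It verifies that uidNumber/gidNumber values fall inside the range configured for the domain, and that ranges of different domains do not intersect, which Samba's idmap documentation requires. The config lines are copied from the client smb.conf above; the user names and uidNumber values are constructed, and treating the deprecated idmap uid / idmap gid as the default (*) domain's range is an assumption of this example.

```python
import re

# Constructed sample: the idmap lines of the client smb.conf posted above.
SAMPLE = """\
    idmap config * : range = 1100-5000
    idmap config AIIAS.SAMBA4:backend = ad
    idmap config AIIAS.SAMBA4:range = 15000-30000
    idmap uid = 10000-20000
    idmap gid = 10000-20000
"""
# Constructed uidNumber values, standing in for what AD would return.
SAMPLE_UIDS = {"alice": 15010, "bob": 1001, "carol": 30001}

RANGE_RE = re.compile(
    r"^\s*idmap\s+(?:config\s+(?P<dom>\S+?)\s*:\s*range|(?P<old>uid|gid))"
    r"\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$", re.IGNORECASE)

def idmap_ranges(text):
    """Return [(domain, parameter, low, high)] for each idmap range line."""
    found = []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue
        if m.group("old"):  # assumption: legacy idmap uid/gid = default ('*') range
            dom, param = "*", "idmap " + m.group("old").lower()
        else:
            dom, param = m.group("dom"), "idmap config %s : range" % m.group("dom")
        found.append((dom, param, int(m.group("lo")), int(m.group("hi"))))
    return found

def cross_domain_overlaps(ranges):
    """Return (param_a, param_b) pairs from different domains that intersect."""
    hits = []
    for i, (da, pa, alo, ahi) in enumerate(ranges):
        for db, pb, blo, bhi in ranges[i + 1:]:
            if da != db and alo <= bhi and blo <= ahi:
                hits.append((pa, pb))
    return hits

def outside_domain_range(ranges, domain, ids):
    """Return names whose ID is outside the range configured for domain."""
    lo, hi = next((l, h) for d, p, l, h in ranges
                  if d == domain and p.startswith("idmap config"))
    return sorted(n for n, v in ids.items() if not lo <= v <= hi)

if __name__ == "__main__":
    r = idmap_ranges(SAMPLE)
    print(cross_domain_overlaps(r))
    print(outside_domain_range(r, "AIIAS.SAMBA4", SAMPLE_UIDS))
```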

