[Samba] Join 2012 Server R2 as member to NT domain
fromm at omnis.com
Wed Apr 15 13:23:01 MDT 2015
I don't have anything but Server 2003, 2008 and 2012 to test with. 2003
joins the domain without issue. 2008 and 2012 will not. The registry
has been updated on both:
Windows Registry Editor Version 5.00
Our smb.conf is:
workgroup = CUST.OMNIS.COM
netbios name = GLEN
server string = GLEN
passdb backend = ldapsam:ldap://ldap-cust.omnis.com
username map = /etc/samba/smbusers
smb ports = 139 445
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
max stat cache size = 16384
wins support = yes
name resolve order = wins lmhosts hosts bcast
dns proxy = yes
encrypt passwords = yes
name cache timeout = 3600
log level = 0
syslog = 0
log file = /var/log/samba/%m
include = /etc/samba/smb.conf.%m
time server = Yes
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -W '%u'
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = auto
domain master = no
wins support = Yes
ldap suffix = ou=System,dc=cust,dc=omnis,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldapsam:trusted = yes
ldap idmap suffix = ou=Idmap
ldap admin dn = uid=CManager, ou=Special Users, dc=omnis, dc=com
idmap backend = ldap:ldap://ldap-cust.omnis.com
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
comment = Home %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No
path = /home/%u
comment = Network Logon Service
path = /var/lib/samba/netlogon
read only = yes
guest ok = yes
path = /var/lib/samba/profiles
read only = no
browseable = No
guest ok = Yes
profile acls = yes
valid users = %U "Domain Admins"
You can run Samba 4 as a 'classic' domain. We just haven't upgraded
yet. If Samba4 fixes this, we'll upgrade. However, my understanding is
that Samba4 as AD requires internal LDAP only. We use 4 replicating,
load-balanced LDAP servers so the internal LDAP and AD schema won't work.
Anyone have an idea with 3.6 I can try?
On 04/15/2015 09:39 AM, Andrey Repin wrote:
> Greetings, James Fromm!
>> Is it still possible to join a Windows 2012 Server R2 system as a member
>> to a 'pre-NT5' Samba (3.6.23) domain controller?
> Yes, at least for Win7 Pro.
> You have to disable DNS lookups.
> Windows Registry Editor Version 5.00
>> The Windows 'Domain
>> Change' GUI errors immediately after failing the SRV lookup for the AD
>> server. Even with the SRV record in place, the GUI fails trying to
>> connect to the non-existent LDAP port.
>> Netdom on the command line tries to work if the DC name is supplied on
>> the /Domain argument. The logs for Samba show the authentication for
>> the domain administrator working fine to the Samba controller. The
>> command fails.
>> C:\Users\Administrator>netdom JOIN cl40 /Domain:cust.omnis.com\glen
>> /UserD:cust.omnis.com\root /PasswordD:* /VERBOSE
>> Type the password associated with the domain user:
>> Joining domain cust.omnis.com\glen
>> The computer rename attempt failed with error 50.
>> The request is not supported.
>> The command failed to complete successfully.
> This may be caused by a different issue.
>> The DNSNameResolutionRequired and DomainCompatibilityMode registry
>> modifications are in place.
>> We are trying to stick with an NT domain so we can keep our Windows and
>> Unix users in the same LDAP backend.
> You're making no sense. Samba4 uses LDAP even more that before. To the level
> of having it implemented internally.
> So far, all my users in the domain are successfully logging in, Windows and
> *NIX alike, provided the correct local system setup.
More information about the samba