[Samba] Join 2012 Server R2 as member to NT domain

James Fromm fromm at omnis.com
Wed Apr 15 13:23:01 MDT 2015


I don't have anything but Server 2003, 2008 and 2012 to test with.  2003 
joins the domain without issue.  2008 and 2012 will not.  The registry 
has been updated on both:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

Our smb.conf is:
[global]
	workgroup = CUST.OMNIS.COM
	netbios name = GLEN
	server string = GLEN
	passdb backend = ldapsam:ldap://ldap-cust.omnis.com
	username map = /etc/samba/smbusers
	smb ports = 139 445
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	max stat cache size = 16384

	wins support = yes
	name resolve order = wins lmhosts hosts bcast
	dns proxy = yes

	encrypt passwords = yes

	name cache timeout = 3600
	log level = 0
	syslog = 0
	log file = /var/log/samba/%m
	include = /etc/samba/smb.conf.%m

	time server = Yes
	add user script = /usr/sbin/smbldap-useradd -a -m '%u'
	delete user script = /usr/sbin/smbldap-userdel %u
	add group script = /usr/sbin/smbldap-groupadd '%g'
	delete group script = /usr/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
	delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	add machine script = /usr/sbin/smbldap-useradd -W '%u'
	logon script = scripts\logon.bat
	logon path = \\%L\profiles\%U
	logon drive = X:
	domain logons = Yes
	preferred master = auto
	domain master = no

	wins support = Yes
	ldap suffix = ou=System,dc=cust,dc=omnis,dc=com
	ldap machine suffix = ou=Computers
	ldap user suffix = ou=Users
	ldap group suffix = ou=Groups

	ldapsam:trusted = yes

	ldap idmap suffix = ou=Idmap
	ldap admin dn = uid=CManager, ou=Special Users, dc=omnis, dc=com
	idmap backend = ldap:ldap://ldap-cust.omnis.com
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	map acl inherit = Yes

[home]
	comment = Home %U, %u
	read only = No
	create mask = 0644
	directory mask = 0775
	browseable = No
	path = /home/%u

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	read only = yes
	guest ok = yes

[profiles]
	path = /var/lib/samba/profiles
	read only = no
	browseable = No
	guest ok = Yes
	profile acls = yes
	valid users = %U "Domain Admins"

You can run Samba 4 as a 'classic' domain.  We just haven't upgraded 
yet.  If Samba4 fixes this, we'll upgrade.  However, my understanding is 
that Samba4 as AD requires internal LDAP only.  We use 4 replicating, 
load-balanced LDAP servers so the internal LDAP and AD schema won't work.

Anyone have an idea with 3.6 I can try?

Thanks,
James
On 04/15/2015 09:39 AM, Andrey Repin wrote:
> Greetings, James Fromm!
>
>> Is it still possible to join a Windows 2012 Server R2 system as a member
>> to a 'pre-NT5' Samba (3.6.23) domain controller?
>
> Yes, at least for Win7 Pro.
> You have to disable DNS lookups.
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
> "DomainCompatibilityMode"=dword:00000001
> "DNSNameResolutionRequired"=dword:00000000
>
>> The Windows 'Domain
>> Change' GUI errors immediately after failing the SRV lookup for the AD
>> server.  Even with the SRV record in place, the GUI fails trying to
>> connect to the non-existent LDAP port.
>
>> Netdom on the command line tries to work if the DC name is supplied on
>> the /Domain argument.  The logs for Samba show the authentication for
>> the domain administrator working fine to the Samba controller.  The
>> command fails.
>
>> ----
>> C:\Users\Administrator>netdom JOIN cl40 /Domain:cust.omnis.com\glen
>> /UserD:cust.omnis.com\root /PasswordD:* /VERBOSE
>> Type the password associated with the domain user:
>
>> Joining domain cust.omnis.com\glen
>
>> The computer rename attempt failed with error 50.
>
>> The request is not supported.
>
>> The command failed to complete successfully.
>> ----
>
> This may be caused by a different issue.
>
>> The DNSNameResolutionRequired and DomainCompatibilityMode registry
>> modifications are in place.
>
>> We are trying to stick with an NT domain so we can keep our Windows and
>> Unix users in the same LDAP backend.
>
> You're making no sense. Samba4 uses LDAP even more than before. To the level
> of having it implemented internally.
> So far, all my users in the domain are successfully logging in, Windows and
> *NIX alike, provided the correct local system setup.

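As an added example (not from the thread or from Samba), a PowerShell script that audits the two LanmanWorkstation values both messages rely on and, when run with -Apply, writes them; the key path and dword values are the ones in the .reg snippets above, while the -Apply switch and the helper function name are my own.

```powershell
# Added example: audit, and optionally apply, the two LanmanWorkstation values
# used in the thread to let Windows join an NT4-style Samba domain.
# Run from an elevated PowerShell prompt on the would-be member server.
param([switch]$Apply)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
# Expected values, taken from the .reg snippets in the thread.
$Expected = @{
    DomainCompatibilityMode   = 1   # accept a pre-AD (NT4-style) domain controller
    DNSNameResolutionRequired = 0   # do not insist on DNS lookups for the DC
}

function Get-WorkstationSetting {
    param([string]$Name)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $Name)) {
        return $null   # value absent: Windows falls back to its default behaviour
    }
    return [int]$props.$Name
}

$drift = @()
foreach ($name in $Expected.Keys) {
    $current = Get-WorkstationSetting -Name $name
    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    $ok = ($current -eq $Expected[$name])
    $state = if ($ok) { 'OK' } else { 'MISMATCH' }
    Write-Host ("{0,-26} current={1,-9} expected={2} {3}" -f $name, $shown, $Expected[$name], $state)
    if (-not $ok) { $drift += $name }
}

if ($drift.Count -eq 0) {
    Write-Host 'Registry already matches the workaround from the thread.'
} elseif ($Apply) {
    foreach ($name in $drift) {
        # Set-ItemProperty creates the value if it is missing; -Type DWord matches
        # the dword: entries in the .reg files.
        Set-ItemProperty -Path $KeyPath -Name $name -Value $Expected[$name] -Type DWord
        Write-Host "Set $name = $($Expected[$name])"
    }
} else {
    Write-Host "Re-run with -Apply to write the differing values: $($drift -join ', ')"
}
```

Exporting the key afterwards with reg.exe and diffing it against the .reg snippet from the thread is a quick way to confirm the write took effect.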