[Samba] Join 2012 Server R2 as member to NT domain
James Fromm
fromm at omnis.com
Wed Apr 15 13:35:12 MDT 2015
Using wireshark, the last communication between the client and the Samba
server is:
RPC_NETLOGON 262 DsrGetDcNameEx2 request
DCERPC 146 Fault: call_id: 2, Fragment: Single, Ctx: 0, status: nca_op_rng_error
Immediately after this the client starts to close the SMB connection.
On 04/15/2015 12:23 PM, James Fromm wrote:
> I don't have anything but Server 2003, 2008 and 2012 to test with. 2003
> joins the domain without issue. 2008 and 2012 will not. The registry
> has been updated on both:
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
>
> "DNSNameResolutionRequired"=dword:00000000
> "DomainCompatibilityMode"=dword:00000001
>
> Our smb.conf is:
>
>
> [global]
> workgroup = CUST.OMNIS.COM
> netbios name = GLEN
> server string = GLEN
> passdb backend = ldapsam:ldap://ldap-cust.omnis.com
> username map = /etc/samba/smbusers
> smb ports = 139 445
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> max stat cache size = 16384
>
> wins support = yes
> name resolve order = wins lmhosts hosts bcast
> dns proxy = yes
>
> encrypt passwords = yes
>
> name cache timeout = 3600
> log level = 0
> syslog = 0
> log file = /var/log/samba/%m
> include = /etc/samba/smb.conf.%m
>
> time server = Yes
> add user script = /usr/sbin/smbldap-useradd -a -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -W '%u'
> logon script = scripts\logon.bat
> logon path = \\%L\profiles\%U
> logon drive = X:
> domain logons = Yes
> preferred master = auto
> domain master = no
>
> wins support = Yes
> ldap suffix = ou=System,dc=cust,dc=omnis,dc=com
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
>
> ldapsam:trusted = yes
>
> ldap idmap suffix = ou=Idmap
> ldap admin dn = uid=CManager, ou=Special Users, dc=omnis, dc=com
> idmap backend = ldap:ldap://ldap-cust.omnis.com
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> map acl inherit = Yes
>
> [home]
> comment = Home %U, %u
> read only = No
> create mask = 0644
> directory mask = 0775
> browseable = No
> path = /home/%u
>
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> read only = yes
> guest ok = yes
>
> [profiles]
> path = /var/lib/samba/profiles
> read only = no
> browseable = No
> guest ok = Yes
> profile acls = yes
> valid users = %U "Domain Admins"
>
> You can run Samba 4 as a 'classic' domain. We just haven't upgraded
> yet. If Samba4 fixes this, we'll upgrade. However, my understanding is
> that Samba4 as AD requires internal LDAP only. We use 4 replicating,
> load-balanced LDAP servers so the internal LDAP and AD schema won't work.
>
> Anyone have an idea with 3.6 I can try?
>
> Thanks,
> James
>
> On 04/15/2015 09:39 AM, Andrey Repin wrote:
>> Greetings, James Fromm!
>>
>>> Is it still possible to join a Windows 2012 Server R2 system as a member
>>> to a 'pre-NT5' Samba (3.6.23) domain controller?
>>
>> Yes, at least for Win7 Pro.
>> You have to disable DNS lookups.
>>
>> Windows Registry Editor Version 5.00
>>
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
>>
>> "DomainCompatibilityMode"=dword:00000001
>> "DNSNameResolutionRequired"=dword:00000000
>>
>>> The Windows 'Domain
>>> Change' GUI errors immediately after failing the SRV lookup for the AD
>>> server. Even with the SRV record in place, the GUI fails trying to
>>> connect to the non-existent LDAP port.
>>
>>> Netdom on the command line tries to work if the DC name is supplied on
>>> the /Domain argument. The logs for Samba show the authentication for
>>> the domain administrator working fine to the Samba controller. The
>>> command fails.
>>
>>> ----
>>> C:\Users\Administrator>netdom JOIN cl40 /Domain:cust.omnis.com\glen
>>> /UserD:cust.omnis.com\root /PasswordD:* /VERBOSE
>>> Type the password associated with the domain user:
>>
>>> Joining domain cust.omnis.com\glen
>>
>>> The computer rename attempt failed with error 50.
>>
>>> The request is not supported.
>>
>>> The command failed to complete successfully.
>>> ----
>>
>> This may be caused by a different issue.
>>
>>> The DNSNameResolutionRequired and DomainCompatibilityMode registry
>>> modifications are in place.
>>
>>> We are trying to stick with an NT domain so we can keep our Windows and
>>> Unix users in the same LDAP backend.
>>
>> You're making no sense. Samba4 uses LDAP even more than before, to the
>> level of having it implemented internally.
>> So far, all my users in the domain are successfully logging in, Windows
>> and *NIX alike, provided the correct local system setup.
>>
>>
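As an added example (not code from this thread or from the Samba project): a small Python reader for tshark-style summary lines like the two James quotes, pairing each DCERPC Fault with the RPC request that preceded it and naming what the fault status means. The sample lines are constructed in that format, and the status meanings are the standard DCE RPC fault definitions (nca_op_rng_error is the "operation range error" a server returns for an opnum its interface does not serve).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed tshark-style summary lines (protocol, length, info); not a real capture.
SAMPLE_LINES = """\
RPC_NETLOGON 262 DsrGetDcNameEx2 request
DCERPC 146 Fault: call_id: 2, Fragment: Single, Ctx: 0, status: nca_op_rng_error
SMB2 130 Tree Disconnect Request
"""

# Fault status names as Wireshark prints them, with what each tells the reader.
FAULT_MEANING = {
    "nca_op_rng_error": "opnum out of range: the server's interface does not "
                        "implement the requested operation",
    "nca_s_fault_access_denied": "call understood but refused by the server's "
                                 "access check",
}

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
FAULT_RE = re.compile(r"Fault: call_id: (\d+),.*status: (\S+)")

@dataclass
class Finding:
    operation: str   # RPC operation the client asked for
    call_id: int     # call_id carried in the fault PDU
    status: str      # fault status name from the trace
    meaning: str     # interpretation from FAULT_MEANING

def correlate_faults(text: str) -> List[Finding]:
    """Pair each DCERPC Fault with the most recent RPC request before it. The
    one-line request summary carries no call_id, so pairing is by order."""
    findings: List[Finding] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proto, _length, info = m.groups()
        if proto != "DCERPC" and info.endswith(" request"):
            pending = info[: -len(" request")]       # e.g. DsrGetDcNameEx2
        elif proto == "DCERPC" and info.startswith("Fault:"):
            f = FAULT_RE.search(info)
            if f and pending is not None:
                status = f.group(2)
                findings.append(Finding(pending, int(f.group(1)), status,
                                        FAULT_MEANING.get(status, "unclassified fault")))
                pending = None
    return findings
```

Run over the real tshark output (`tshark -r capture.pcap -T fields -e _ws.col.Protocol -e frame.len -e _ws.col.Info`, joined with spaces) the same pairing shows which Netlogon call the client gave up on before tearing the SMB session down.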