[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
rowlandpenny at googlemail.com
Fri Apr 17 09:43:04 MDT 2015
On 17/04/15 13:49, ivenhov wrote:
> Hi Rowland
> I don't have krb5.conf at hand at the moment but I've checked it multiple
> times and I think it is OK since I can get a ticket via kinit.
> resolv.conf points to my DNS
> I can resolve AD hostname via
> host serverDC1001.dan2003.sample.domain.com
> and via
> host 10.80.8.88
> Regarding NetworkManager, my machine is a headless server so dnsmasq does
> not apply I guess?
> Bit of a back story
> Initially I had Samba 3.6 on that machine and it was joined to the domain,
> then removed from domain.
> I've done a disk backup of it, then put Samba Sernet 4.1.17 on it and
> attempted to join, which fails.
> After 2 days of struggle I rolled back to the 3.6 snapshot, issued the join
> command and it worked.
> I haven't changed config files between versions
> Thanks for any suggestions.
> View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4684559.html
> Sent from the Samba - General mailing list archive at Nabble.com.
OK, Ubuntu 12.04.5 server with 'sernet-samba sernet-samba-winbind
krb5-user ntp' installed
set /etc/ntp.conf to point at the DC for time.
Alter smb.conf to be similar to this:
#---- Start ------
[global]
workgroup = EXAMPLE
security = ADS
realm = EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain, the ranges may not overlap !
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 10000-999999
# change these for YOUR DCs (smb.conf does not accept a comment after a value)
wins server = 192.168.0.2 192.168.0.3
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set
username map = /etc/samba/user.map
# For ACL support on member server
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
# [homes] header assumed here: the parameters below are share-level, not global
[homes]
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
path = /home/%u
read only = no
#------- End ------------
You may have to change the ranges to match your setup
Create the user map file (it's just one line)
!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator
Change /etc/krb5.conf to this:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
You should now be able to join the Domain:
net ads join -U Administrator
Obviously, where ever you see 'EXAMPLE' above, change it for YOUR
workgroup name, the same goes for 'EXAMPLE.COM', change this for YOUR
Realm name, remember they must be in UPPERCASE.
More information about the samba
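Before running net ads join it is worth checking that the smb.conf actually has the pieces listed above: security = ADS, a realm in UPPERCASE, and idmap ranges for '*' and for the workgroup that do not overlap. The script below is an added example, not part of Rowland's message and not Samba's own tooling; the two smb.conf fragments inside it are constructed for the demo and mirror the config above (one correct, one with an overlapping domain range). The helper names smb_param, ranges_overlap and check_smb_conf are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message: sanity-check an smb.conf
# member-server config before 'net ads join'. Sample configs are constructed.

# Constructed sample mirroring the config in the message (correct ranges).
SAMPLE_GOOD='[global]
workgroup = EXAMPLE
security = ADS
realm = EXAMPLE.COM
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
wins server = 192.168.0.2 192.168.0.3'

# Constructed sample with the domain range overlapping the '*' range.
SAMPLE_BAD='[global]
workgroup = EXAMPLE
security = ADS
realm = EXAMPLE.COM
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 5000-999999'

# smb_param FILE KEY: print the value of KEY (first match). Keys compare
# case-insensitively with all whitespace removed, so 'idmap config X : range'
# and 'idmap config X:range' are the same key. Comment lines are skipped.
smb_param() {
    awk -v key="$2" '
        BEGIN { gsub(/[[:space:]]/, "", key); key = tolower(key) }
        /^[[:space:]]*[#;]/ { next }
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# ranges_overlap LO1 HI1 LO2 HI2: succeed if the inclusive ranges overlap.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_smb_conf FILE: return 0 if FILE has the settings the join needs,
# otherwise print the first problem found and return 1.
check_smb_conf() {
    conf=$1
    sec=$(smb_param "$conf" security)
    realm=$(smb_param "$conf" realm)
    wg=$(smb_param "$conf" workgroup)
    if [ "$(printf '%s' "$sec" | tr '[:lower:]' '[:upper:]')" != "ADS" ]; then
        echo "security must be ADS (got '$sec')"; return 1
    fi
    if [ -z "$realm" ] || \
       [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm must be set in UPPERCASE (got '$realm')"; return 1
    fi
    if [ -z "$wg" ]; then
        echo "workgroup not set"; return 1
    fi
    def=$(smb_param "$conf" 'idmap config *:range')
    dom=$(smb_param "$conf" "idmap config $wg:range")
    if [ -z "$def" ] || [ -z "$dom" ]; then
        echo "need both 'idmap config *:range' and 'idmap config $wg:range'"; return 1
    fi
    # Split 'LO-HI' into its bounds with parameter expansion.
    if ranges_overlap "${def%-*}" "${def#*-}" "${dom%-*}" "${dom#*-}"; then
        echo "idmap ranges overlap: '*' $def vs '$wg' $dom"; return 1
    fi
    echo "smb.conf OK: realm $realm, workgroup $wg, idmap $def / $dom"
}

# Demo: the good sample passes, the overlapping one is rejected.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_GOOD" > "$demo_file"
check_smb_conf "$demo_file"
printf '%s\n' "$SAMPLE_BAD" > "$demo_file"
check_smb_conf "$demo_file" || echo "(rejected as expected)"
rm -f "$demo_file"
```

Run it against the real file with check_smb_conf /etc/samba/smb.conf before the join; it only reads the file and does not touch the domain. A passing check does not prove the join will work (DNS, time sync and the Administrator credentials are still needed), but it catches the overlapping-range and lowercase-realm mistakes the message warns about.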