[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 17 09:43:04 MDT 2015

On 17/04/15 13:49, ivenhov wrote:
> Hi Rowland
> I don't have krb5.conf at hand at the moment but I've checked it multiple
> times and I think it is OK since I can get a ticket via kinit.
> resolv.conf points to my DNS
> I can resolve AD hostname via
> host serverDC1001.dan2003.sample.domain.com
> and via
> host
> Regarding NetworkManager, my machine is a headless server so dnsmasq does
> not apply I guess?
> Bit of a back story
> Initially I had Samba 3.6 on that machine and it was joined to the domain,
> then removed from domain.
> I've done a disk backup of it, then put Samba Sernet 4.1.17 on it and
> attempted to join, which fails.
> After 2 days of struggle I rolled back to the 3.6 snapshot, issued the join
> command and it worked.
> I haven't changed config files between versions
> Thanks for any suggestions.
> D.
> --
> View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4684559.html
> Sent from the Samba - General mailing list archive at Nabble.com.

OK, Ubuntu 12.04.5 server with 'sernet-samba sernet-samba-winbind 
krb5-user ntp' installed

set /etc/ntp.conf to point at the DC for time.

Alter smb.conf to be similar to this:

#---- Start ------
[global]
     workgroup = EXAMPLE
     security = ADS
     realm = EXAMPLE.COM

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     server string = Samba 4 Client %h

     winbind enum users = no
     winbind enum groups = no
     winbind use default domain = yes
     winbind expand groups = 4
     winbind nss info = rfc2307
     winbind refresh tickets = Yes
     winbind offline logon = yes
     winbind normalize names = Yes

     ## map ids outside of domain to tdb files.
     idmap config * : backend = tdb
     idmap config * : range = 2000-9999
     ## map ids from the domain, the ranges may not overlap !
     idmap config EXAMPLE : backend = ad
     idmap config EXAMPLE : schema_mode = rfc2307
     idmap config EXAMPLE : range = 10000-999999

     ## change this for YOUR DCs and uncomment it. Samba only treats a line
     ## that STARTS with '#' or ';' as a comment, so never put a note after
     ## the value: "wins server = # change me" would use that text literally.
     # wins server =

     domain master = no
     local master = no
     preferred master = no
     os level = 20
     map to guest = bad user
     host msdfs = no

     # user Administrator workaround, without it you are unable to set 
     username map = /etc/samba/user.map

     # For ACL support on member server
     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes

     # Share Setting Globally (share-level defaults, inherited by every share)
     unix extensions = no
     reset on zero vc = yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     hide unreadable = yes

     path = /home/%u
     read only = no

#------- End ------------

You may have to change the ranges to match your setup

Create the user map file (it's just one line)

nano /etc/samba/user.map

!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator 

Change /etc/krb5.conf to this:

[libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = true

You should now be able to join the Domain:

net ads join -U Administrator

Obviously, wherever you see 'EXAMPLE' above, change it for YOUR 
workgroup name, the same goes for 'EXAMPLE.COM', change this for YOUR 
Realm name, remember they must be in UPPERCASE.

