[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command

Rowland Penny rowlandpenny241155 at gmail.com
Tue Dec 1 10:31:57 UTC 2015


On 30/11/15 22:38, Jonathan S. Fisher wrote:
> Thank you Rowland for the help so far. I followed the directions on 
> that page very precisely. I was able to join the domain, but the RPC 
> stuff still doesn't work and I'm still having the same problem. The 
> actual root problem is that up to this point, winbind works for about 
> a day or so then I start getting NT_STATUS_ACCESS_DENIED.
>
> Anyway, after the join, winbind works right now:
>
> sudo wbinfo -a administrator
> Enter administrator's password:
> plaintext password authentication succeeded
>
> Checking RPC:
>
> sudo net rpc info -Uadministrator
> Unable to find a suitable server for domain WINDOWS
>
> Here is my new config:
>
> /etc/hosts
> 127.0.0.1   localhost
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = WINDOWS.CORP.XXX.COM
>
> /etc/samba/smb.conf
> [global]
> netbios name=freeradius
> security=ADS
> workgroup=WINDOWS
> realm=WINDOWS.CORP.XXX.COM
>
> log file=/var/log/samba/%m.log
> log level=1
>
> dedicated keytab file=/etc/krb5.keytab
> kerberos method=secrets and keytab
> winbind refresh tickets=yes
>
> winbind trusted domains only=no
> winbind use default domain=yes
> winbind enum users=yes
> winbind enum groups=yes
>
> load printers=no
> template shell=/bin/false
>
> idmap config WINDOWS:backend=rid
> idmap config WINDOWS:range=10000-99999
>
>
>

You still need a bit more in your smb.conf:

idmap config *:backend = tdb
idmap config *:range = 2000-9999

You need these lines to get the builtin users & groups mapped.

I think your problem is DNS related; you should be able to ping a DC via 
IP address & hostname:

ping -c1 192.168.127.131
ping -c1 whiskey.windows.corp.XXX.com
ping -c1 whiskey
ping -c1 192.168.112.4
ping -c1 wine.windows.corp.XXX.com
ping -c1 wine

The above commands should all return a reply.

Does your DHCP server deliver the required info?

Does 'hostname -d' return the fully qualified domain name of the client?

Is there a firewall running on the client? If so, try turning it off.

If you follow the Samba wiki, I can assure you that it does work:

rowland@debnet:~/Downloads$ sudo net rpc info -Uadministrator
[sudo] password for rowland:
Enter administrator's password:
Domain Name: SAMDOM
Domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
Sequence number: 1
Num users: XXXXX
Num domain groups: XXXX
Num local groups: XXXX

If you are having any problems understanding or following the wiki, 
please tell us, otherwise we will just assume everybody understands it :-)

Rowland
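
Added example, not part of the original message or of Samba itself: a shell check for the idmap advice in the reply above, reporting a missing default (*) idmap domain and, going slightly beyond the thread, overlapping ID ranges, which Samba's idmap documentation says must not occur. The function name check_idmap and the sample input are assumptions made for illustration.

```shell
# Added example: audit the "idmap config" lines of an smb.conf read on stdin.
# check_idmap (hypothetical helper) returns 0 only when a default (*) idmap
# domain is configured and no two ID ranges overlap.
check_idmap() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                                # comment lines
    tolower($0) ~ /^[ \t]*idmap[ \t]+config[ \t]/ {
        eq = index($0, "="); if (eq == 0) next
        key = trim(substr($0, 1, eq - 1))
        val = trim(substr($0, eq + 1))
        sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", key)       # drop "idmap config"
        colon = index(key, ":"); if (colon == 0) next
        dom = trim(substr(key, 1, colon - 1))
        opt = tolower(trim(substr(key, colon + 1)))
        if (opt == "backend") backend[dom] = val
        if (opt == "range") {
            split(val, r, /[ \t]*-[ \t]*/)
            if (!(dom in lo)) names[++n] = dom
            lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
        }
    }
    END {
        bad = 0
        if (!("*" in backend) || !("*" in lo)) {
            print "MISSING: no default idmap domain (*) with backend and range"
            bad = 1
        }
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++) {
                a = names[i]; b = names[j]
                if (lo[a] <= hi[b] && lo[b] <= hi[a]) {
                    printf "OVERLAP: %s (%d-%d) and %s (%d-%d)\n", a, lo[a], hi[a], b, lo[b], hi[b]
                    bad = 1
                }
            }
        if (!bad) print "OK"
        exit bad
    }'
}
# Constructed sample: the idmap lines from the quoted smb.conf, then the same
# lines with the two default-domain lines from the reply appended.
before='idmap config WINDOWS:backend=rid
idmap config WINDOWS:range=10000-99999'
after="$before
idmap config *:backend = tdb
idmap config *:range = 2000-9999"
printf '%s\n' "$before" | check_idmap || true   # reports the MISSING finding
printf '%s\n' "$after"  | check_idmap           # reports OK
```

To check a real configuration, run check_idmap < /etc/samba/smb.conf; files pulled in through include directives are not followed.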

