[Samba] ADS Domain Member Workgroup vs Realm

Greg Zartman gzartman at koozali.org
Mon Feb 23 23:28:11 MST 2015


I'm working to set up Samba as a domain member of a Windows Server Active
Directory, and I keep hitting roadblocks.  There are some real terminology
hurdles in the wiki.

In a nutshell, my problem is this:  I set up a Windows 2012 Essentials ADS
domain and I ended up with zartman.local for my "domain" in Windows.  So,
I've got a DNS zone in Windows Server that is domain.local and my NetBIOS
domain for ADS membership is zartman.local.

On the Samba side, I'm not sure what needs to be specified for "realm" and
"workgroup".  If I set workgroup = zartman.local and realm=ZARTMAN.LOCAL,
Samba bellyaches and says I can't have workgroup=zartman.local.  If I set
workgroup = zartman, then the Samba NetBIOS domain is "zartman" and not
zartman.local.

The membership details look fine for net ads info:

[root@cos6 ~]# net ads info
LDAP server: 192.168.0.15
LDAP server name: pdc.zartman.local
Realm: ZARTMAN.LOCAL
Bind Path: dc=ZARTMAN,dc=LOCAL
LDAP port: 389
Server time: Mon, 23 Feb 2015 22:25:32 PST
KDC server: 192.168.0.15
Server time offset: 1

If I check the domain with net domain, I get:

[root@cos6 ~]# net domain -U admin
Enter admin's password:

Enumerating domains:

        Domain name          Server name of Browse Master
        -------------        ----------------------------
        ZARTMAN              COS6


This isn't correct.  It thinks my domain member is the master browser.

For completeness' sake, here is my smb.conf:

[root@cos6 ~]# cat /etc/samba/smb.conf
[global]
workgroup = zartman
realm = ZARTMAN.LOCAL
security = ads
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ZARTMAN.LOCAL:backend = ad
idmap config ZARTMAN.LOCAL:schema_mode = rfc2307
idmap config ZARTMAN.LOCAL:range = 10000-99999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes
winbind refresh tickets = Yes



-- 
Greg J. Zartman
Board Member

Koozali SME Server
www.koozali.org

SME Server user, contributor, and community member since 2000
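
As an added illustration (not part of the original post and not Samba project code), this Python sketch lints the names the message is asking about. It assumes Samba's documented convention that `workgroup` is the short NetBIOS domain name, `realm` is the Kerberos/DNS name, and `idmap config` entries are keyed by the workgroup name; `parse_global` and `lint` are hypothetical helper names.

```python
import re

# Constructed sample: the relevant lines of the smb.conf quoted in the post.
SAMPLE = """[global]
workgroup = zartman
realm = ZARTMAN.LOCAL
security = ads
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ZARTMAN.LOCAL:backend = ad
idmap config ZARTMAN.LOCAL:range = 10000-99999
"""

def parse_global(text):
    """Collect [global] parameters; keys are lower-cased with single spaces."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Return findings about workgroup, realm and idmap domain naming."""
    p = parse_global(text)
    wg, realm = p.get("workgroup", "").lower(), p.get("realm", "").lower()
    findings, ranges = [], {}
    if "." in wg or len(wg) > 15:
        findings.append("workgroup must be the short NetBIOS name (no dots, max 15 chars)")
    if p.get("security", "").lower() == "ads" and not realm:
        findings.append("security = ads requires realm (the Kerberos/DNS domain name)")
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (.+?) ?: ?(\w+)", key)
        if m:
            domain, option = m.groups()
            ranges.setdefault(domain, None)
            if option == "range":
                lo, hi = (int(n) for n in value.split("-"))
                ranges[domain] = (lo, hi)
    for domain in sorted(ranges):  # one finding per mis-keyed idmap domain
        if domain not in ("*", wg):
            hint = " (that is the realm)" if domain == realm else ""
            findings.append(f"idmap domain {domain!r} is not the workgroup {wg!r}{hint}")
    spans = sorted((r, d) for d, r in ranges.items() if r)
    for (a, da), (b, db) in zip(spans, spans[1:]):  # sorted, so check neighbours
        if b[0] <= a[1]:
            findings.append(f"idmap ranges for {da!r} and {db!r} overlap")
    return findings
```
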

