[Samba] Domain Computer not showing up in domain utilities
rowlandpenny at googlemail.com
Wed Jan 14 12:25:50 MST 2015
On 14/01/15 19:14, Wayne Andersen wrote:
>>> I am running Samba Version 4.1.6.
>>> I have a PDC and two BDC setup.
>>> I have a specific computer named eds, it is a Windows 7 Pro box. When
>>> I add it to the domain everything works normally and it works well.
>>> Domain users can login, and they have the proper permissions, but I am
>>> seeing two problems.
>>> 1) Every once in a while I get: "The trust relationship between this
>>> workstation and the primary domain failed".
>>> If I unplug the network cable or remove the machine from the domain
>>> and re-add it then all is good.
>>> Obviously the cached info on the PC is good.
>>> I see "The processing of Group Policy failed. Windows could not
>>> authenticate to the Active Directory service on a domain controller.
>>> (LDAP Bind function call failed). Look in the details tab for error
>>> code and description." in the system log.
>>> Clearly the computer account is not being created properly.
>>> 2) I don't see the computer in AD user and computer tools.
>>> net ads dn 'CN=eds,CN=Computers,DC=corp,DC=mydomain,DC=com'
>>> search failed: No such object
>>> I have added many machines both before and after this one.
>>> Unfortunately I have an app on this PC that requires the name not
>>> change as it is registered to the machine name.
>> Bit confused here, you have 'I have a PDC and two BDC setup.' then at the
>> bottom, there is this: 'I don't see the computer in AD user and computer
>> So, do you have an NT PDC & 2 NT BDC's or do you have 3 AD DC's ?
>> which ever, can you post the smb.conf from the machine that you call the
> I have no windows servers just work stations, I have three SAMBA AD DC, one
> is the primary and the other two are backups.
No, they are not backups, they are just DCs; in AD *all* DCs are equal.
> Here is the smb.conf
> # Global parameters
> [global]
> workgroup = CORP
> realm = CORP.MYDOMAIN.COM
> netbios name = DC1
> server role = active directory domain controller
> server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate
> dns forwarder = 10.10.1.8
> template shell = /bin/bash
> # allow dns updates = nonsecure
> # panic action = /bin/sleep 99999
> dsdb:schema update allowed = yes
remove the next line
> ldap debug level = 10
> idmap_ldb:use rfc2307 = yes
Remove these three lines
> # Force this server to be the master
> preferred master = yes
> os level = 255
> # Enable TLS for ldaps
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile =
Remove from here to the [netlogon] share
> # Important: The ranges of the default (*) backend
> # and the domain(s) must not overlap!
> # Retrieve UIDs/GIDs for domain CORP from AD, via RFC2307.
> # The range value defines the lowest RID up to the highest,
> # that will ever be used in this domain. Ask your AD Domain
> # Administrator, if you don't know which range to define.
> idmap config CORP:backend = ad
> idmap config CORP:schema_mode = rfc2307
> idmap config CORP:range = 1000-40000
> # Store UIDs/GIDs for all other domains (including local
> # accounts/groups of this server) in a tdb file
> idmap config *:backend = tdb
> idmap config *:range = 50001-60000
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/corp.mydomain.com/scripts
> read only = No
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> path = /export/test
> comment = Test Share
> read only = no
Turn your third DC into a member server and use that as the fileserver,
see the wiki: