[Samba] Domain Computer not showing up in domain utilities

Tim lists at kiuni.de
Wed Jan 14 13:23:19 MST 2015


Rowland, yes, they are equal except for FSMO. These can only be dedicated to one DC.

Wayne, why do you use parameters for an AD DC (use rfc2307 yes) and for member servers (idmap schema, etc.) in one conf?

Tim

On 14 January 2015 20:25:50 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 14/01/15 19:14, Wayne Andersen wrote:
>>>> I am running Samba Version 4.1.6.
>>>>
>>>> I have a PDC and two BDC setup.
>>>>
>>>> I have a specific computer named eds, it is a Windows 7 Pro box, When
>>>> I add it to the domain everything works normally and it works well.
>>>> Domain users can login, and they have the proper permissions, but am
>>>> seeing two problems.
>>>>
>>>> 1) Every once in a while I get: "The trust relationship between this
>>>> workstation and the primary domain failed".
>>>> If I unplug the network cable or remove the machine from the domain
>>>> and re-add it then all is good.
>>>> Obviously the cached info on the PC is good.
>>>>
>>>> I see "The processing of Group Policy failed. Windows could not
>>>> authenticate to the Active Directory service on a domain controller.
>>>> (LDAP Bind function call failed). Look in the details tab for error
>>>> code and description." In the system log.
>>>>
>>>> Clearly the computer account is not being created properly.
>>>>
>>>> 2) I don't see the computer in AD user and computer tools.
>>>> Or
>>>>    net ads dn 'CN=eds,CN=Computers,DC=corp,DC=mydomain,DC=com'
>>>> search failed: No such object
>>>>
>>>> I have added many machines both before and after this one.
>>>> Unfortunately I have an app on this PC that requires the name not
>>>> change as it is registered to the machine name.
>>>>
>>> Bit confused here, you have 'I have a PDC and two BDC setup.' then at the
>>> bottom, there is this: 'I don't see the computer in AD user and computer
>>> tools.'
>>> So, do you have an NT PDC & 2 NT BDC's or do you have 3 AD DC's ?
>>>
>>> whichever, can you post the smb.conf from the machine that you call the
>>> PDC.
>>> Rowland
>> I have no windows servers just work stations, I have three SAMBA AD DC, one
>> is the primary and the other two are backups.
>
>No, they are not backups, they are just DC's, in AD *all* DC's are
>equal.
>
>>
>> Here is the smb.conf
>>
>> # Global parameters
>> [global]
>>          workgroup = CORP
>>          realm = CORP.MYDOMAIN.COM
>>          netbios name = DC1
>>          server role = active directory domain controller
>>          server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate
>>          dns forwarder = 10.10.1.8
>>          template shell = /bin/bash
>> #       allow dns updates = nonsecure
>> #       panic action = /bin/sleep 99999
>>          dsdb:schema update allowed = yes
>
>remove the next line
>>          ldap debug level = 10
>
>
>>          idmap_ldb:use rfc2307 = yes
>
>Remove these three lines
>> # Force this server to be the master
>>          preferred master = yes
>>          os level = 255
>
>
>> #       Enable TLS for ldaps
>>          tls enabled  = yes
>>          tls keyfile  = tls/myKey.pem
>>          tls certfile = tls/myCert.pem
>>          tls cafile   =
>
>Remove from here to the [netlogon] share
>>    # Important: The ranges of the default (*) backend
>>    # and the domain(s) must not overlap!
>>
>>    # Retrieve UIDs/GIDs for domain CORP from AD, via RFC2307.
>>    # The range value defines the lowest RID up to the highest,
>>    # that will ever be used in this domain. Ask your AD Domain
>>    # Administrator, if you don't know which range to define.
>>    idmap config CORP:backend = ad
>>    idmap config CORP:schema_mode = rfc2307
>>    idmap config CORP:range = 1000-40000
>>
>>    # Store UIDs/GIDs for all other domains (including local
>>    # accounts/groups of this server) in a tdb file
>>    idmap config *:backend = tdb
>>    idmap config *:range = 50001-60000
>>
>>    # Use home directory and shell information from AD
>>    winbind nss info = rfc2307
>>
>> [netlogon]
>>          path = /usr/local/samba/var/locks/sysvol/corp.mydomain.com/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /usr/local/samba/var/locks/sysvol
>>          read only = No
>>
>> [test]
>>          path = /export/test
>>          comment = Test Share
>>          read only = no
>>
>
>Turn your third DC into a member server and use that as the fileserver,
>
>see the wiki:
>
>https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
>Rowland
>
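A small check for the mix-up Tim asks about and Rowland's reply spells out: member-server idmap settings and NT4-style browser parameters sitting in an AD DC's smb.conf. This is an added example, not code from the thread or from the Samba project; the parameter list is taken from Rowland's "remove these lines" comments above, the sample config is a constructed, trimmed copy of the one Wayne quoted, and the accepted role-name synonyms are an assumption.

```python
# Constructed sample: a trimmed copy of the [global] section quoted in this thread.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = CORP
        realm = CORP.MYDOMAIN.COM
        server role = active directory domain controller
        ldap debug level = 10
        idmap_ldb:use rfc2307 = yes
        preferred master = yes
        os level = 255
        idmap config CORP:backend = ad
        idmap config CORP:range = 1000-40000
        idmap config *:backend = tdb
        winbind nss info = rfc2307
"""

# Parameters Rowland asked to have removed from the DC's [global] section in
# this thread; every 'idmap config ...' line is matched by prefix.
NOT_FOR_AD_DC = {"ldap debug level", "preferred master", "os level", "winbind nss info"}
NOT_FOR_AD_DC_PREFIXES = ("idmap config ",)
# Assumption: these spellings all select the AD DC role.
AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lowercased and internal
    whitespace collapsed; comment and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def dc_config_findings(text):
    """List the [global] parameters that do not belong on an AD DC. Returns an
    empty list when the server role is not an AD DC or nothing matched."""
    glob = parse_smb_conf(text).get("global", {})
    if glob.get("server role", "").lower() not in AD_DC_ROLES:
        return []
    return [p for p in glob
            if p in NOT_FOR_AD_DC or p.startswith(NOT_FOR_AD_DC_PREFIXES)]

if __name__ == "__main__":
    for finding in dc_config_findings(SAMPLE_SMB_CONF):
        print("not appropriate on an AD DC:", finding)
```

Note that `idmap_ldb:use rfc2307` is deliberately not flagged: it is the DC-side setting, which is exactly the distinction Tim's question draws.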