[Samba] Samba 4 join AD by samba

Krutskikh Ivan stein.hak at gmail.com
Thu Mar 26 23:32:49 MDT 2015


I have a task which requires AD + windows roaming profiles + automatic

I want to use samba 4 AD server (debian jessie) + samba 4 file server for
user's home profiles (opensuse 13.1) + zfs for storage backend.

The reason why I need 2 servers (actually a server with hosted lxc
container) is because opensuse has kerberos mit by default (
samba at lists.samba.org.)

I've successfully provisioned a samba dc on debian jessie container using
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and samba binary samba
from repo. After that I've added a bunch of win machines to it. Everything
is working except for dns resolving of hosts (I can only ping my dc

After that I wanted to join my 2nd server to AD. I've used the manual from
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server and got
everything working except for user map. Examples:

linux-abx8:/etc/samba # wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
video administrators
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
domain admins
domain guests
schema admins
domain users
video users

linux-abx8:/etc/samba # wbinfo -u

linux-abx8:/etc/samba # wbinfo -i administrator (waits for a long time,
maybe fails on timeout =( )
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator

linux-abx8:/etc/samba # id administrator
id: administrator:no such user

This is very disappointing. What can I do about it?

Some details about the installation:

smb.conf from ad dc server:

root at DC01:/etc/samba# cat ./smb.conf
# Global parameters
[global]
        workgroup = OFFICE
        realm = OFFICE.MTT
        netbios name = DC
        server role = active directory domain controller
        dns forwarder =
        idmap_ldb:use rfc2307 = yes
        log level = 2

[netlogon]
        path = /var/lib/samba/sysvol/mtt/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[profiles] # <---- ADD here
   path = /var/lib/samba/sysvol/office.mtt/profiles
   read only = no

[SHARE_NAME_LOST_IN_ARCHIVE] # section header missing from the archived post
 root preexec = mkdir -p /srv/samba/Profiles/%U
 path = /srv/samba/Profiles/%U
 read only = no
 store dos attributes = Yes
 create mask = 0600
 directory mask = 0700
 profile acls = yes
 csc policy = disable

smb.conf from 2nd server with opensuse and zfs:

linux-abx8:/etc/samba # cat ./smb.conf

[global]
   netbios name = Melchior
   workgroup = OFFICE
   security = ADS
   realm = OFFICE.MTT
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
#    password server =
    log level = 2
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
#   idmap config * : base_rid = 0
   idmap config OFFICE:backend = ad
   idmap config OFFICE:schema_mode = rfc2307
   idmap config OFFICE:range = 10000-99999

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
   winbind refresh tickets = Yes
   winbind normalize names = Yes

[SHARE_NAME_LOST_IN_ARCHIVE] # section header missing from the archived post
        path = /archive/video
        read only = no
        writable = yes
        force user = root

I'll try to provide any other information if needed. Thanks in advance!
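The member server's idmap settings above are the part worth checking first when `wbinfo -u` comes back empty and `id <user>` fails. The following is an added example, not code from the Samba project or from the original post: it parses a constructed copy of the member server's `[global]` section (with the `[global]` header assumed, since the archive dropped it) plus a constructed counter-example with colliding ranges, and reports overlapping or missing idmap ranges. It also records the idmap_ad caveat that a domain configured with `backend = ad` only resolves accounts that carry RFC 2307 `uidNumber`/`gidNumber` attributes in AD; anything else is simply not mapped, which is consistent with the empty `wbinfo -u` output in the post.

```python
"""Sanity-check winbind idmap settings in an smb.conf.

Added example, not code from the Samba project or from the original post.
It parses a constructed copy of the member server's [global] section and
reports range overlaps, missing defaults and the idmap_ad caveat that
accounts without RFC 2307 uidNumber/gidNumber attributes are never mapped.
"""
import re

# Constructed sample: the poster's member-server settings with the
# [global] header restored (assumed; the archive dropped it).
MEMBER_SMB_CONF = """\
[global]
   netbios name = Melchior
   workgroup = OFFICE
   security = ADS
   realm = OFFICE.MTT
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
#   idmap config * : base_rid = 0
   idmap config OFFICE:backend = ad
   idmap config OFFICE:schema_mode = rfc2307
   idmap config OFFICE:range = 10000-99999
   winbind nss info = rfc2307
"""

# Constructed counter-example: the default range collides with the domain range.
OVERLAP_SMB_CONF = """\
[global]
   workgroup = OFFICE
   idmap config * : backend = tdb
   idmap config * : range = 2000-20000
   idmap config OFFICE : backend = rid
   idmap config OFFICE : range = 10000-99999
"""

IDMAP_KEY = re.compile(r'^idmap config\s*(.+?)\s*:\s*(\w+)$')


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # smb.conf comment lines
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif '=' in line and current is not None:
            name, value = line.split('=', 1)
            sections[current][' '.join(name.lower().split())] = value.strip()
    return sections


def idmap_settings(sections):
    """Group 'idmap config <domain>:<option>' parameters from [global] by domain."""
    per_domain = {}
    for name, value in sections.get('global', {}).items():
        m = IDMAP_KEY.match(name)
        if m:
            per_domain.setdefault(m.group(1), {})[m.group(2)] = value
    return per_domain


def check_idmap(conf_text):
    """Return {'errors': [...], 'notes': [...]} for the idmap configuration."""
    per_domain = idmap_settings(parse_smb_conf(conf_text))
    errors, notes, ranges = [], [], {}
    if 'range' not in per_domain.get('*', {}):
        errors.append("no 'idmap config * : range'; BUILTIN and foreign SIDs cannot be mapped")
    for domain, opts in per_domain.items():
        if 'backend' not in opts:
            errors.append(f"{domain}: no idmap backend configured")
        if 'range' not in opts:
            errors.append(f"{domain}: no idmap range configured")
            continue
        try:
            low, high = (int(x) for x in opts['range'].split('-', 1))
        except ValueError:
            errors.append(f"{domain}: malformed range {opts['range']!r}")
            continue
        if low > high:
            errors.append(f"{domain}: range low {low} exceeds high {high}")
        ranges[domain] = (low, high)
        if opts.get('backend') == 'ad':
            # schema_mode defaults to rfc2307 when omitted
            if opts.get('schema_mode', 'rfc2307') not in ('rfc2307', 'sfu', 'sfu20'):
                errors.append(f"{domain}: unknown schema_mode {opts['schema_mode']!r}")
            notes.append(f"{domain}: backend 'ad' resolves only accounts carrying "
                         "uidNumber/gidNumber in AD; others fail in 'wbinfo -i' and 'id'")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                errors.append(f"idmap ranges for {a} {ranges[a]} and {b} {ranges[b]} overlap")
    return {'errors': errors, 'notes': notes}


if __name__ == '__main__':
    for label, conf in (('member server', MEMBER_SMB_CONF), ('overlap', OVERLAP_SMB_CONF)):
        print(label, check_idmap(conf))
```

Run against the poster's settings the checker finds no range error, only the idmap_ad note; that is the first thing to confirm on the DC (whether `administrator` actually has a `uidNumber` set) before looking at Kerberos or DNS.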
