[Samba] Samba 4 join AD by samba

L.P.H. van Belle belle at bazuin.nl
Fri Mar 27 01:45:14 MDT 2015

Hai Ivan, 
sofare what i see is correct. 

for you profiles .. both these : 
>[profiles] # <---- ADD here
>   path = /var/lib/samba/sysvol/office.mtt/profiles
>   read only = no
> root preexec = mkdir -p /srv/samba/Profiles/%U
> path = /srv/samba/Profiles/%U
> read only = no
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> csc policy = disable

are not good. 

the second is better, 
but i suggest this : 

## the profiles share is hidden
        path = /srv/samba/Profiles/%U
        browseable = Yes
        read only = No
	  acl_xattr:ignore system acl = yes	## windows only rights, better support for profiles.. 

and optional. if acl_xattr not is used.. 
chmod the srv/samba/Profiles 1777 BEFORE setting the rights on the share.

setup the rights as the wiki says, and then you can hide the profiles share, by setting browsable = No
when you read: https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles 
choose or AD ACL style, OR NT POSTIX stile.. not both..  

On the DC.. 
the "no id administrator"
set /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind

and on the AD DC's then you wil see something like. 
uid=0(root) gid=10000(OFFICE\Domain Users) groups=0(root),10000(OFFICE\Domain Users),3000009(OFFICE\Group Policy Creator Owners),3000007(OFFICE\Enterprise Admins),3000008(OFFICE\Domain Admins),3000017(OFFICE\Schema Admins)
read here : https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC 

but on the MEMBER SERVER, id adminstrator, wont give results back. 
for that. 
1) or dont use administrator, and map user root to adminstrator and set the SE Provileges.
2) or set the backend to RID 
this wil give automaticly the id's. this works fine if you 
	- only use the DC as DC ( and dns/time server ) 
	( profiles share wil work ok also, but better to put this on the member server ) 
	- only have 1 member server. 
	- you dont copy files from DC to member server.

why, the ID's on DC wil be different then on the member server. 
About this is lots to find in the samba list. 

For the DNS.
i guest this ip: is a router or something
if not, than what is it.. 

for the DC, set resolv.conf like 
search yourdomain.tld.
nameserver IP_OF_AD_DC_SERVER  ( or ) 
nameserver dns_of_provider.
make user your server is first in resolv.conf
2 DC's 
the set it like this. 
search yourdomain.tld.
nameserver IP_OF_AD_DC2_SERVER  ( or ) 
nameserver IP_OF_AD_DC1_SERVER  ( or ) 

search yourdomain.tld.
nameserver IP_OF_AD_DC1_SERVER  ( or ) 
nameserver IP_OF_AD_DC2_SERVER  ( or ) 

Point the member server to the DC's 
Point the PC's tot the DC's 

AND. for you pcs 
you can set the search domain of needed, if you use pc's with static  ip.s
ping pc_name
and  pc_name.domain.tld

if only the last resolves then your : domain/search is nog correct setup. 

If you have more questions, 
mail the list again..



>-----Oorspronkelijk bericht-----
>Van: stein.hak at gmail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Krutskikh Ivan
>Verzonden: vrijdag 27 maart 2015 6:33
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] Samba 4 join AD by samba
>I have a task which requires AD + windows roaming profiles + automatic
>I want to use samba 4 AD server (debian jessie) + samba 4 file 
>server for
>user's home profiles (opensuse 13.1) + zfs for storage backend.
>The reason why I need 2 servers (actually a server with hosted lxc
>container) is because opensuse has kerberos mit by default (
>samba at lists.samba.org.)
>I've succesfully provisioned a samba dc on debian jessie 
>container using
>https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO and samba 
>binary samba
>from repo After that I've added a bunch of win machines to it. 
>is working except for dns resolving of hosts ( i can only ping my dc
>After that I wanted to join my 2nd server to AD. I've used the 
>manual from
>https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server and got
>everything working except for user map. Examples:
>linux-abx8:/etc/samba # wbinfo -g
>allowed rodc password replication group
>enterprise read-only domain controllers
>denied rodc password replication group
>read-only domain controllers
>group policy creator owners
>video administrators
>ras and ias servers
>domain controllers
>enterprise admins
>domain computers
>cert publishers
>domain admins
>domain guests
>schema admins
>domain users
>video users
>linux-abx8:/etc/samba # wbinfo -u
>linux-abx8:/etc/samba # wbinfo -i administrator ( waits for a 
>long time,
>maybe fails on timeout =( )
>failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for user administrator
>linux-abx8:/etc/samba # id administrator
>id: administrator:no such user
>This is very disappointing.  What can I  do about it?
>Some details about the installation:
>smb.conf from ad dc server:
>root at DC01:/etc/samba# cat ./smb.conf
># Global parameters
>        workgroup = OFFICE
>        realm = OFFICE.MTT
>        netbios name = DC
>        server role = active directory domain controller
>        dns forwarder =
>        idmap_ldb:use rfc2307 = yes
>        log level = 2
>        path = /var/lib/samba/sysvol/mtt/scripts
>        read only = No
>        path = /var/lib/samba/sysvol
>        read only = No
>[profiles] # <---- ADD here
>   path = /var/lib/samba/sysvol/office.mtt/profiles
>   read only = no
> root preexec = mkdir -p /srv/samba/Profiles/%U
> path = /srv/samba/Profiles/%U
> read only = no
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> csc policy = disable
>smb.conf from 2nd server with opensuse and zfs:
>linux-abx8:/etc/samba # cat ./smb.conf
>   netbios name = Melchior
>   workgroup = OFFICE
>   security = ADS
>   realm = OFFICE.MTT
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>#    password server =
>    log level = 2
>   idmap config *:backend = tdb
>   idmap config *:range = 2000-9999
>#   idmap config * : base_rid = 0
>   idmap config OFFICE:backend = ad
>   idmap config OFFICE:schema_mode = rfc2307
>   idmap config OFFICE:range = 10000-99999
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users  = yes
>   winbind enum groups = yes
>   winbind refresh tickets = Yes
>   winbind normalize names = Yes
>        path = /archive/video
>        read only = no
>        writable = yes
>        force user = root
>I'll try to provide any other information if needed. Thanks in advance!
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list