[Samba] How to join Ubuntu desktop to AD
lingpanda101 at gmail.com
Wed Dec 7 13:33:54 UTC 2016
On 12/6/2016 3:09 PM, Rowland Penny via samba wrote:
> On Tue, 6 Dec 2016 14:52:20 -0500
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>> On 12/6/2016 1:49 PM, Rowland Penny via samba wrote:
>>> On Tue, 6 Dec 2016 19:38:49 +0100
>>> Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
>>>> Am 06.12.2016 um 19:15 schrieb lingpanda101 via samba:
>>>>> Does the wiki contain documentation on how to join a Linux
>>>>> workstation to Samba? I can't seem to find it. I do see this
>>>>> but this appears to use SSH to login. I'm looking to login
>>>> This is the documentation you're looking for.
>>>> SSH is just an example in the documentation how to use pam_winbind.
>>>> Have a look at your PAM configuration files and the PAM
>>>> documentation to see which file you have to add pam_winbind to for
>>>> local logins.
>>> libpam-winbind, libpam-krb5 and libnss-winbind on Debian, presumably
>>> the same on Ubuntu.
>> OK thanks. I'm a bit stuck at the part where I configure my smb.conf.
>> I'm going with the winbind ad backend.
>> security = ADS
>> workgroup = MYDOMAIN
>> realm = MYDOMAIN.LOCAL (Yes I know about .local)
>> log file = /var/log/samba/%m.log
>> log level = 1
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999 (This is the range for local
>> users on the workstation?)
>> winbind nss info = rfc2307
>> idmap config MYDOMAIN:backend = ad
>> idmap config MYDOMAIN:schema_mode = rfc2307
>> idmap config MYDOMAIN:range = 10000-999999 (This is the default
>> range samba uses correct?)
>> If I # cat /etc/adduser.conf I see
>> Is this the range I should use for 'idmap config * : range =
> No, the '*' range is for the 'well known SIDs' (see here:
> https://support.microsoft.com/en-us/kb/243330) and anything outside
> your domain (aka workgroup).
> The suggested ranges on the samba wiki are known to work (well, they
> work for me). They allow for local Unix users & groups in the range
> 1000-1999, for the well known SIDs in the range 2000-9999 and domain
> users & groups in the range 10000-999999
> The local Unix users & groups will get their IDs when they are added
> and they will be created in /etc/passwd and /etc/group.
> The well known SIDs will be allocated an ID, starting from 2000 i.e.
> the start number for the range
> You will have to add unique uidNumber attributes to each user, starting
> from 10000, you must also give 'Domain Users' a gidNumber attribute,
> you can use 10000 for this (yes, you can have a user with uidNumber
> 10000 and a group with the same number)
> If everything is installed and setup correctly and you run 'getent
> passwd auser' you should get something like this:
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> Any further questions, just ask ;-)
OK, unable to get anything back from 'getent'. Using Ubuntu 16.04.1,
Samba 4.5.1 built from tar.
# /usr/local/samba/bin/net ads join -U administrator
Enter administrator's password:
Using short domain name -- DOMAIN
Joined 'DR210' to dns domain 'domain.local'
DNS update failed: NT_STATUS_UNSUCCESSFUL (I manually added the DNS A RR.)
security = ADS
workgroup = DOMAIN
realm = DOMAIN.LOCAL
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
winbind nss info = rfc2307
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-999999
lrwxrwxrwx 1 root root 41 Dec 7 07:51 libnss_winbind.so ->
lrwxrwxrwx 1 root root 40 Dec 7 07:51 libnss_winbind.so.2 ->
root at DR210:/# cat /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns
protocols: db files
services: db files
ethers: db files
rpc: db files
root at DR210:/# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
root at DR210:/# cat /var/log/samba/winbindd.log
[2016/12/07 08:12:17.545371, 0]
STATUS=daemon 'winbindd' finished starting up and ready to serve
[2016/12/07 08:14:32.678686, 1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
tdb(/usr/local/samba/var/lock/mutex.tdb): tdb_lock failed on list 63
ltype=1 (Interrupted system call)
[2016/12/07 08:14:32.678743, 0]
tdb_chainlock_with_timeout_internal: alarm (40) timed out for key
PFDC1 in tdb /usr/local/samba/var/lock/mutex.tdb
[2016/12/07 08:14:32.678796, 1]
Could not get the lock for PFDC1
[2016/12/07 08:14:32.678860, 0]
cm_prepare_connection: mutex grab failed for PFDC1
[2016/12/07 08:18:13.433118, 1]
trustdom_list_done: Could not receive trusts for domain DOMAIN
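An added example, written for this archive page and not code from the poster or from the Samba project, covering the two questions in the thread about ID ranges: whether the /etc/adduser.conf range is the one to use for 'idmap config * : range', and how the '*' range, the domain range and local accounts are meant to fit together. It parses the idmap lines out of smb.conf text, the FIRST_/LAST_UID/GID values out of adduser.conf, and the passwd/group lines of nsswitch.conf, then reports idmap ranges that overlap each other, a missing '*' range, a local account range that overlaps an idmap range, and NSS databases that do not list winbind. The sample inputs are constructed: the smb.conf is modelled on the one quoted above, and the adduser.conf values are the stock Debian/Ubuntu defaults (an assumption, not the poster's file). Treating a local/idmap overlap as a warning rather than an error is this example's own choice, following the advice that local users and groups stay in their own range below the '*' range.

```python
"""Offline pre-flight check for a winbind idmap layout (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample inputs, modelled on the configs quoted in the thread.
SMB_CONF = """\
[global]
security = ADS
workgroup = DOMAIN
realm = DOMAIN.LOCAL
idmap config * : backend = tdb
idmap config * : range = 3000-7999
winbind nss info = rfc2307
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-999999
"""
# Constructed: stock Debian/Ubuntu adduser.conf values (assumption, not the poster's file).
ADDUSER_CONF = "FIRST_UID=1000\nLAST_UID=29999\nFIRST_GID=1000\nLAST_GID=29999\n"
NSSWITCH_CONF = "passwd: compat winbind\ngroup: compat winbind\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n"

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(text: str) -> Dict[str, Dict[str, str]]:
    """Collect every 'idmap config <domain>:<option> = <value>' line, keyed by domain."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """'10000-999999' -> (10000, 999999); inverted ranges are rejected."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range {value!r}")
    return lo, hi


def parse_adduser(text: str) -> Tuple[int, int]:
    """Union of the UID and GID ranges adduser hands out to local accounts."""
    kv = {k: int(v) for k, v in
          re.findall(r"^\s*(FIRST_UID|LAST_UID|FIRST_GID|LAST_GID)\s*=\s*(\d+)", text, re.M)}
    return min(kv["FIRST_UID"], kv["FIRST_GID"]), max(kv["LAST_UID"], kv["LAST_GID"])


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each NSS database to its ordered list of sources, ignoring comments."""
    nss: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            nss[db.strip()] = sources.split()
    return nss


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_layout(smb_conf: str, adduser_conf: str, nsswitch_conf: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the layout is clean."""
    findings: List[Tuple[str, str]] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in parse_idmap(smb_conf).items():
        if "backend" not in opts:
            findings.append(("error", f"idmap config {dom}: no backend set"))
        if "range" not in opts:
            findings.append(("error", f"idmap config {dom}: no range set"))
        else:
            ranges[dom] = parse_range(opts["range"])
    if "*" not in ranges:
        findings.append(("error", "missing 'idmap config * : range' (needed for well-known SIDs)"))
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # every pair of idmap ranges must be disjoint
        for b in doms[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(("error", f"idmap ranges for {a} and {b} overlap"))
    local = parse_adduser(adduser_conf)  # local accounts should sit below the '*' range
    for dom, rng in ranges.items():
        if overlaps(local, rng):
            findings.append(("warn", f"local adduser range {local} overlaps idmap range {rng} for {dom}"))
    nss = parse_nsswitch(nsswitch_conf)  # getent only sees domain accounts via winbind
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(("error", f"nsswitch.conf: '{db}' does not list winbind"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_layout(SMB_CONF, ADDUSER_CONF, NSSWITCH_CONF):
        print(f"{severity}: {msg}")
```

Run against the constructed inputs it reports no errors but two warnings, because the default adduser range (1000-29999) reaches into both the '*' range and the domain range; narrowing adduser.conf to 1000-1999, as the ranges suggested in the thread do, clears them. It only reads configuration text, so it can be run on a workstation before winbindd is started and before any 'getent passwd' lookup is attempted.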