[Samba] AD integration not working after move/version

Marc Muehlfeld mmuehlfeld at samba.org
Sat Mar 18 16:26:11 UTC 2017

Hi Henrik,

On 18.03.2017 at 16:06, Henrik Johansson via samba wrote:
> Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

That's not really a step forward to a supported Samba version. :-)

> # Global parameters
> [global]
>         log file = /var/samba/log/clientlog.%m
>         dns proxy = No
>         acl check permissions = False
>         netbios aliases = string1
>         server string = string1
>         name resolve order = hosts bcast
>         realm = DOMAIN.NET
>         password server = server3.string1.net sever4.string1.net
> #       wins server = x.x.x.x
>         local master = no
>         workgroup = WGNAME
>         os level = 0
>         domain master = no
>         encrypt passwords = yes
>         security = DOMAIN
>         unix charset = ISO8859-1
>         max log size = 50
>         # Fix for not to do lpstat since we don't use printers in Samba
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes

First some nitpicks about your smb.conf:
* netbios aliases = string1
   Makes no sense to set an alias to exactly the same name
   as "server string" :-)

* password server: If there is no reason to only request some
   specific servers, I would not limit this. If both are down,
   Samba won't talk to other remaining DCs.

* encrypt passwords = yes
   This has been the default for a long time.

These are just some improvement suggestions, but not related to your problem.

Ok. And now the things that are incorrect for a Samba AD domain member:

* realm = DOMAIN.NET   and   workgroup = WGNAME
   In this case, I would expect that "DOMAIN" is your NetBIOS domain
   name ("workgroup" setting), not something different. If this
   really matches your AD setup, it should work - but it's not
   the recommended way to set up an AD.

* security = DOMAIN
   This setting is for an NT4 domain. Use "security = ADS"

* Your ID mapping configuration is missing completely.
   See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
   No warranty that this works for 3.6. Our documentation only
   covers supported Samba versions.

I recommend the following:

* Update Samba to a supported version (recommended: 4.6.0).
   Samba 3.6 was released in 2011. A lot of things regarding AD were
   improved in later releases.

* Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
   I recently rewrote the doc and it works for all supported versions.
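
Added example, not part of the original message and not Samba project code: a small Python check that reads an smb.conf and reports the points raised in the reply above (security mode, missing ID mapping, workgroup versus realm, pinned password servers, redundant alias). The check ids and the sample input are constructed for illustration; the workgroup/realm finding is only a hint, since the reply notes such a setup can work.

```python
import re

# Constructed sample: the [global] settings quoted in the thread, reduced to
# the parameters the reply comments on.
SAMPLE = """\
[global]
        netbios aliases = string1
        server string = string1
        realm = DOMAIN.NET
        password server = server3.string1.net sever4.string1.net
        workgroup = WGNAME
        security = DOMAIN
"""

def parse_global(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def check_member_config(text):
    """Return findings (hypothetical check ids) for the points in the reply."""
    p, findings = parse_global(text), []
    if p.get("security", "").lower() != "ads":
        findings.append("security-not-ads")
    if not any(name.startswith("idmap") for name in p):
        findings.append("no-idmap-config")
    realm, workgroup = p.get("realm", ""), p.get("workgroup", "")
    if realm and workgroup and realm.split(".")[0].upper() != workgroup.upper():
        findings.append("workgroup-differs-from-realm-label")
    if "passwordserver" in p and "*" not in p["passwordserver"].split():
        findings.append("password-server-pinned")
    if "netbiosaliases" in p and p["netbiosaliases"] == p.get("serverstring"):
        findings.append("alias-equals-server-string")
    return findings

if __name__ == "__main__":
    for finding in check_member_config(SAMPLE):
        print(finding)
```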


