[Samba] AD integration not working after move/version

Rowland Penny rpenny at samba.org
Sat Mar 18 17:27:30 UTC 2017 

On Sat, 18 Mar 2017 17:26:11 +0100
Marc Muehlfeld via samba <samba at lists.samba.org> wrote:

> Hi Henrik,
> 
> Am 18.03.2017 um 16:06 schrieb Henrik Johansson via samba:
> > Old version was 3.5.8 and the new version on the virtual host that
> > does not work is 3.6.25.
> 
> That's not really a step forward to a supported Samba version. :-)
> https://wiki.samba.org/index.php/Samba_Release_Planning

Some people cannot upgrade, so they have to use what they have, but
without knowing what OS the OP is using, we don't know if they can
upgrade easily.

> 
> First some nitpicks about your smb.conf:
> * netbios aliases = string1
>    Makes no sense to set an alias to exactly the same name
>    as "server string" :-)

Why ? 

> 
> * password server: If there is not reason to only request some
>    specific servers, I would not limit this. If both are down,
>    Samba won't talk to other remaining DCs.

That is correct and 'man smb.conf' tells you not to do it this way, but
who reads manpages ;-)

> 
> * encrypt passwords = yes
>    This is default since a longer time.

It doesn't matter if there or not.

> 
> Ok. And now the things that are incorrect for a Samba AD domain
> member:
> 
> * realm = DOMAIN.NET   and   workgroup = WGNAME
>    In this case, I would expect that "DOMAIN" is your NetBIOS domain
>    name ("workgroup" setting), not something different. If this
>    really matches your AD setup, it should work - but it's not
>    the recommended way how to set up an AD.

Well, Microsoft says you can use a netbios domain name that is
different from the left part of the DNS name, so I suppose Samba
should as well.
 
 
> * Your ID mapping configuration is missing completely.
>    See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
>    No warranty that this works for 3.6. Our documentation only
>    covers supported Samba versions.

I notice it was missing as well, but the OP could be using something
else instead of winbind. 'idmap config' existed on 3.6.0, so it should
work.

> I recommend the following:
> 
> * Update Samba to a supported version (recommended: 4.6.0).
>    Samba 3.6 was released 2011. A lot of things regarding AD were
>    improved in later releases.

Why recommend something, that the OP might not be able to do, without
all the facts.

Rowland

More information about the samba mailing list