[Samba] samba on solaris 11 can not longer join Windows AD domain

Rowland Penny rpenny at samba.org
Tue Sep 19 13:28:02 UTC 2017 

On Tue, 19 Sep 2017 08:26:02 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> On 09/19/17 05:30, Rowland Penny via samba wrote:
> 
> 
> Sorry, meant to copy and paste only the relevant stuff.   I think I
> hit paste twice.

The problem is that 'testparm -v' prints everything, what is actually
there plus ALL the default settings.

What you should have done is post the output of
'cat /etc/samba/smb.conf' and tell us what version of Samba you are
using.

 
> /etc/hosts does not include the AD Domain controllers.

Good, it shouldn't, but it should have the computers info in it, if you
are not using DHCP.

> /etc/resolv.conf   shows 2ndary DNS servers, which in turn sync data
> from the AD Domain controllers.   I don't think this is a DNS issue
> since "net join" and "net ads join" are locating the AD domain
> controllers.

Try pointing the nameservers directly at the DCs.

> 
> /etc/krb5/krb5.conf is set up for the MYDOMAIN realm.  I can use the
> ldapclient and kinit to join the machine to the MYDOMAIN AD realm for
> "Unix" level  user and group lookups (via ldap) and kerberos
> authentication.      I did find that Solaris "native" kerberos  and
> Samba expect krb5.keytab files in different locations , which I
> resolved with a sym link between /etc/krb5.keytab
> and /etc/krb5/krb5.keytab.

Long time since I used Solaris, it is that long it was on an Ultra5,
but now you remind me it was in a different location.

> 
> #cat /etc/samba/smb.conf
> 
> [global]
> 
>          private dir = /etc/samba/private
>          smb passwd file = /etc/samba/private/smbpasswd
> 
> 
> syslog = 3
> 
> log level = 10
> client ldap sasl wrapping = plain
> ldap server require strong auth = no
> create krb5 conf = no
> 
> ...
> # max protocol = used to define the supported protocol. The default
> is NT1. You # can set it to SMB2 if you want experimental SMB2
> support. #
>   
>          workgroup = MYDOMAIN
>          server string = Samba Server Version %v
> 
> 
>          netbios name = MYSERVER
>          passdb backend = tdbsam
>          security = ads
>          realm = MYDOMAIN.COM
> 
> 
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-2999
> 
>        idmap config MYDOMAIN:backend = ad
>        idmap config MYDOMAIN:schema_mode = rfc2307
>        idmap config MYDOMAIN:range = 100-1999

What happens when/if you reach uidNumber 2000 ?

> 
> 
> 
> 
>         # Use settings from AD for login shell and home directory
>         winbind nss info = rfc2307
>          winbind enum users = yes
>          winbind enum groups = yes
> 
> 
> 
>          domain master = no
>          domain logons = no
> 

There doesn't seem to be anything really wrong, so you should be able
to join AD, try turning up the debug level and see if anything pops out.

Rowland

More information about the samba mailing list