[Samba] samba on solaris 11 can not longer join Windows AD domain

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Sep 19 14:31:20 UTC 2017 

On 09/19/17 09:28, Rowland Penny via samba wrote:
> On Tue, 19 Sep 2017 08:26:02 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> On 09/19/17 05:30, Rowland Penny via samba wrote:
>>
>>
>> Sorry, meant to copy and paste only the relevant stuff.   I think I
>> hit paste twice.
> The problem is that 'testparm -v' prints everything, what is actually
> there plus ALL the default settings.
>
> What you should have done is post the output of
> 'cat /etc/samba/smb.conf' and tell us what version of Samba you are
> using.
>
>   
>> /etc/hosts does not include the AD Domain controllers.
> Good, it shouldn't, but it should have the computers info in it, if you
> are not using DHCP.
>
>> /etc/resolv.conf   shows 2ndary DNS servers, which in turn sync data
>> from the AD Domain controllers.   I don't think this is a DNS issue
>> since "net join" and "net ads join" are locating the AD domain
>> controllers.
> Try pointing the nameservers directly at the DCs.
>
>> /etc/krb5/krb5.conf is set up for the MYDOMAIN realm.  I can use the
>> ldapclient and kinit to join the machine to the MYDOMAIN AD realm for
>> "Unix" level  user and group lookups (via ldap) and kerberos
>> authentication.      I did find that Solaris "native" kerberos  and
>> Samba expect krb5.keytab files in different locations , which I
>> resolved with a sym link between /etc/krb5.keytab
>> and /etc/krb5/krb5.keytab.
> Long time since I used Solaris, it is that long it was on an Ultra5,
> but now you remind me it was in a different location.
>
>> #cat /etc/samba/smb.conf
>>
>> [global]
>>
>>           private dir = /etc/samba/private
>>           smb passwd file = /etc/samba/private/smbpasswd
>>
>>
>> syslog = 3
>>
>> log level = 10
>> client ldap sasl wrapping = plain
>> ldap server require strong auth = no
>> create krb5 conf = no
>>
>> ...
>> # max protocol = used to define the supported protocol. The default
>> is NT1. You # can set it to SMB2 if you want experimental SMB2
>> support. #
>>    
>>           workgroup = MYDOMAIN
>>           server string = Samba Server Version %v
>>
>>
>>           netbios name = MYSERVER
>>           passdb backend = tdbsam
>>           security = ads
>>           realm = MYDOMAIN.COM
>>
>>
>>         idmap config *:backend = tdb
>>         idmap config *:range = 2000-2999
>>
>>         idmap config MYDOMAIN:backend = ad
>>         idmap config MYDOMAIN:schema_mode = rfc2307
>>         idmap config MYDOMAIN:range = 100-1999
> What happens when/if you reach uidNumber 2000 ?
>
>>
>>
>>
>>          # Use settings from AD for login shell and home directory
>>          winbind nss info = rfc2307
>>           winbind enum users = yes
>>           winbind enum groups = yes
>>
>>
>>
>>           domain master = no
>>           domain logons = no
>>
> There doesn't seem to be anything really wrong, so you should be able
> to join AD, try turning up the debug level and see if anything pops out.
>
> Rowland
>
>
>
One of the "fun" things with Solaris is that they would be very slow 
about releasing Samba updates.     It took a long time until they moved 
from Samba 3.0.x to  3.6.x and then onto Samba 4.4.x.        And unless 
you have updates configured correctly, it would not automatically 
update  from 3.x to 4.x.    This also means that if Microsoft pushed out 
a significant security patch , it may be a while until Oracle updates 
its packages in its repository.  Although they have got better in recent 
years. This means that sometimes the smb.conf file has to be tweeked to 
handle (or bypass) the changes on the MS side.   I found that SMB3 does 
not work in the classic domain, and sometimes SMB2 can be an issue.

I went through the smb.conf and added the following lines:

     max protocol = SMB2
     server min protocol = SMB2
     server max protocol = SMB2


I don't know if the server protocol settings really matter when joining 
a member server, since I figure it would be a "client" of the domain 
controller.  I think setting "client min protocol = smb2"  would break 
joining machines to the classic domain.


I also removed the following entries from smb.conf

     client ldap sasl wrapping = plain
     ldap server require strong auth = no
     dedicated keytab file = /etc/krb5/krb5.keytab
     kerberos method = secrets and keytab

The ldap ones were past compatibility fixes with the classic domain.     
The keytab ones were to try to force samba to use the default solaris 
keytab file, but that parameter seemed to be ignored.


One of these changes seems to have fixed the join issue


     #  net ads join -S DC1 -U Administrator
     Enter Administrator's password:
     Using short domain name -- MYDOMAIN
     Joined 'testmachine1' to dns domain 'mydomain.com'
     #


I don't think I have disabled SMB1 on the domain controllers.       I 
think setting


the UID range of 100-1999  should be large enough for years.     In 
Active Directory Users and Computers MMC, I explicitly set the uid and 
gid numbers with in that range for users and groups that need to show up 
in Samba.

This is samba 4.4.14.


Thanks for your help.

More information about the samba mailing list