[Samba] samba on solaris 11 can not longer join Windows AD domain
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Sep 19 14:31:20 UTC 2017
On 09/19/17 09:28, Rowland Penny via samba wrote:
> On Tue, 19 Sep 2017 08:26:02 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> On 09/19/17 05:30, Rowland Penny via samba wrote:
>>
>>
>> Sorry, meant to copy and paste only the relevant stuff. I think I
>> hit paste twice.
> The problem is that 'testparm -v' prints everything, what is actually
> there plus ALL the default settings.
>
> What you should have done is post the output of
> 'cat /etc/samba/smb.conf' and tell us what version of Samba you are
> using.
>
>
>> /etc/hosts does not include the AD Domain controllers.
> Good, it shouldn't, but it should have the computers info in it, if you
> are not using DHCP.
>
>> /etc/resolv.conf shows 2ndary DNS servers, which in turn sync data
>> from the AD Domain controllers. I don't think this is a DNS issue
>> since "net join" and "net ads join" are locating the AD domain
>> controllers.
> Try pointing the nameservers directly at the DCs.
>
>> /etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the
>> ldapclient and kinit to join the machine to the MYDOMAIN AD realm for
>> "Unix" level user and group lookups (via ldap) and kerberos
>> authentication. I did find that Solaris "native" kerberos and
>> Samba expect krb5.keytab files in different locations, which I
>> resolved with a sym link between /etc/krb5.keytab
>> and /etc/krb5/krb5.keytab.
> Long time since I used Solaris, it is that long it was on an Ultra5,
> but now you remind me it was in a different location.
>
>> #cat /etc/samba/smb.conf
>>
>> [global]
>>
>> private dir = /etc/samba/private
>> smb passwd file = /etc/samba/private/smbpasswd
>>
>>
>> syslog = 3
>>
>> log level = 10
>> client ldap sasl wrapping = plain
>> ldap server require strong auth = no
>> create krb5 conf = no
>>
>> ...
>> # max protocol = used to define the supported protocol. The default
>> # is NT1. You can set it to SMB2 if you want experimental SMB2
>> # support.
>>
>> workgroup = MYDOMAIN
>> server string = Samba Server Version %v
>>
>>
>> netbios name = MYSERVER
>> passdb backend = tdbsam
>> security = ads
>> realm = MYDOMAIN.COM
>>
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-2999
>>
>> idmap config MYDOMAIN:backend = ad
>> idmap config MYDOMAIN:schema_mode = rfc2307
>> idmap config MYDOMAIN:range = 100-1999
> What happens when/if you reach uidNumber 2000 ?
>
>>
>>
>>
>> # Use settings from AD for login shell and home directory
>> winbind nss info = rfc2307
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>>
>>
>> domain master = no
>> domain logons = no
>>
> There doesn't seem to be anything really wrong, so you should be able
> to join AD, try turning up the debug level and see if anything pops out.
>
> Rowland
>
>
>
One of the "fun" things with Solaris is that they would be very slow
about releasing Samba updates. It took a long time until they moved
from Samba 3.0.x to 3.6.x and then onto Samba 4.4.x. And unless
you have updates configured correctly, it would not automatically
update from 3.x to 4.x. This also means that if Microsoft pushed out
a significant security patch, it may be a while until Oracle updates
its packages in its repository, although they have got better in recent
years. This means that sometimes the smb.conf file has to be tweaked to
handle (or bypass) the changes on the MS side. I found that SMB3 does
not work in the classic domain, and sometimes SMB2 can be an issue.
I went through the smb.conf and added the following lines:
max protocol = SMB2
server min protocol = SMB2
server max protocol = SMB2
I don't know if the server protocol settings really matter when joining
a member server, since I figure it would be a "client" of the domain
controller. I think setting "client min protocol = smb2" would break
joining machines to the classic domain.
I also removed the following entries from smb.conf
client ldap sasl wrapping = plain
ldap server require strong auth = no
dedicated keytab file = /etc/krb5/krb5.keytab
kerberos method = secrets and keytab
The ldap ones were past compatibility fixes with the classic domain.
The keytab ones were to try to force samba to use the default solaris
keytab file, but that parameter seemed to be ignored.
One of these changes seems to have fixed the join issue
# net ads join -S DC1 -U Administrator
Enter Administrator's password:
Using short domain name -- MYDOMAIN
Joined 'testmachine1' to dns domain 'mydomain.com'
#
I don't think I have disabled SMB1 on the domain controllers. I
think setting the UID range of 100-1999 should be large enough for years.
In Active Directory Users and Computers MMC, I explicitly set the uid and
gid numbers within that range for users and groups that need to show up
in Samba.
This is samba 4.4.14.
Thanks for your help.
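The smb.conf cleanup described in this reply, as an added shell example that is not part of the thread and not Samba's own tooling: it audits a member-server smb.conf for the two LDAP lines the poster removed and for an explicit SMB1-era minimum protocol. The sample configuration, file paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Samba member-server smb.conf for
# the two LDAP-security lines the poster removed and for an explicit SMB1 floor.
# The sample configuration and paths below are constructed for illustration.

# Print the config with comments stripped, whitespace trimmed, lower-cased,
# and every setting reduced to "key=value" so it can be matched exactly.
normalize_smb_conf() {
  sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      -e '/^$/d' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" | tr 'A-Z' 'a-z'
}

# Exit status 0 = nothing flagged, 1 = at least one weak setting found.
audit_smb_conf() {
  norm=$(normalize_smb_conf "$1")
  rc=0
  # These two turn off SASL signing/sealing and strong-auth enforcement on
  # the LDAP connection to the DC; the thread removes them from smb.conf.
  for weak in 'client ldap sasl wrapping=plain' 'ldap server require strong auth=no'; do
    if printf '%s\n' "$norm" | grep -Fxq "$weak"; then
      echo "WEAK: '$weak' present; remove it"
      rc=1
    fi
  done
  # An explicit pre-SMB2 minimum keeps SMB1 negotiable with this server.
  if printf '%s\n' "$norm" | grep -Eq '^(server )?min protocol=(core|coreplus|lanman1|lanman2|nt1)$'; then
    echo "WEAK: minimum protocol allows SMB1; prefer 'server min protocol = SMB2'"
    rc=1
  fi
  return $rc
}

# Constructed sample: the member-server fragment from the thread before the edit.
write_sample_conf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = ads
   realm = MYDOMAIN.COM
   client ldap sasl wrapping = plain
   ldap server require strong auth = no
   server min protocol = NT1
EOF
}

SAMPLE="${TMPDIR:-/tmp}/smb.conf.sample.$$"
write_sample_conf "$SAMPLE"
if audit_smb_conf "$SAMPLE"; then echo "clean"; else echo "review needed"; fi
rm -f "$SAMPLE"
```

Run it against the real /etc/samba/smb.conf by calling audit_smb_conf with that path; a non-zero exit status means one of the flagged lines is still present.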