[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range

Rowland Penny rpenny at samba.org
Wed Jul 18 16:51:51 UTC 2018


On Wed, 18 Jul 2018 18:18:46 +0200
Thomas Glanzmann <thomas at glanzmann.de> wrote:

> Hello Rowland,
> 
> > These shouldn't be set or are defaults:
> > name resolve order = host
> > passdb backend = tdbsam
> > security = user
> > domain logons = yes
> > log level = 3
> > os level = 64
> > preferred master = yes
> > local master = yes
> > domain master = yes
> > tls keyfile  = key.pem
> > tls certfile = cert.pem
> > tls cafile   = ca.pem
> 
> I kicked these out. I found the config somewhere on the Internet and
> left the stuff I did not understand as provided.
> 
> > time server = yes
> 
> I have ntpd configured on the ip address which serves time. So I leave
> it in.

You DO NOT need it.

> 
> > This is definitely wrong:
> > dns forwarder = 127.0.0.1
> > You do not forward to itself.
> 
> Actually, I do. I have a recursive bind listening on 127.0.0.1 and
> recursive name lookup works also via the SAMBA internal DNS
> implementation. So I'm happy with it.

This sounds like a recipe for disaster, how do you get two dns servers to
listen on port 53 and differentiate between them? Your clients should
use the Samba DNS server for anything inside the domain and then the
samba DNS server should forward anything outside the domain to an
external dns server.

> 
> > This is all 'netlogon' needs:
> 
> > [netlogon]
> > comment = Domain Logon Service
> > path = /local/samba-config/v101/netlogon
> > read only = no
> 
> fixed.
> 
> > 'sysvol' is okay except it needs to be writeable.
> 
> fixed as well.
> 
> > You also do not set the maximum password age with pdbedit.
> 
> I do, but you're saying I should not? I do in the shell script:
> 
> /local/samba/bin/samba-tool user setexpiry Administrator --noexpiry -s ${SAMBACONFIG}
> /local/samba/bin/pdbedit -s ${SAMBACONFIG} -P "maximum password age" -C -1

Yes I know you do, but you set the maximum password age in AD and you
can do this with a GPO or samba-tool.

> 
> While my active directories do not survive one week, I thought just
> to be on the safe side, I disable password aging. Is there a better
> way?

Yes, stop disabling password ageing.

> 
> > Yes try reading up on Samba AD more before trying to train others on
> > how to use it. ;-)
> 
> Rest assured, I'm training no one on samba, I just need an active
> directory to be able to show a domain join with VMware products. That's
> all. However I was quite impressed how far samba has come. And how
> well it works. Can you recommend a book or a documentation to get
> more familiar with SAMBA AD?

Yes the samba wiki, it is the only documentation I would recommend.

Rowland
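
The points raised in this reply can be checked mechanically. The following Python sketch is an added example, not part of the original message and not Samba's own tooling: it parses smb.conf-style text and reports the parameters the reply lists, a `dns forwarder` that points at loopback, and a `sysvol` or `netlogon` share that is not writable. The sample configuration is constructed, `/path/to/sysvol` is a placeholder, and the function names and finding texts are assumptions.

```python
import ipaddress

# Parameters the reply says should not be set, are defaults, or are not needed.
FLAGGED = ["name resolve order", "passdb backend", "security", "domain logons",
           "log level", "os level", "preferred master", "local master",
           "domain master", "tls keyfile", "tls certfile", "tls cafile",
           "time server"]
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}
# Constructed sample input; the sysvol path is a placeholder.
SAMPLE = ("[global]\n dns forwarder = 127.0.0.1\n Domain Master = yes\n time server = yes\n"
          "[sysvol]\n path = /path/to/sysvol\n"
          "[netlogon]\n path = /local/samba-config/v101/netlogon\n read only = no\n")

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return "".join(name.split()).lower()

def parse(text):
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(norm(line[1:-1]), {})
        elif line[:1] not in ("", "#", ";") and "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[norm(key)] = value.strip()
    return conf

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # not an IP literal, nothing to compare
        return False

def writable(params):
    # Approximation: "read only" defaults to yes; its inverted synonyms win here.
    if any(params.get(k, "").lower() in YES for k in ("writeable", "writable", "writeok")):
        return True
    return params.get("readonly", "yes").lower() in NO

def audit(text):
    """Return (section, parameter, reason) findings for the points in the reply."""
    conf = parse(text)
    glob = conf.get("global", {})
    out = [("global", n, "listed in the reply as not needed") for n in FLAGGED if norm(n) in glob]
    out += [("global", "dns forwarder", "forwards to loopback " + a)
            for a in glob.get("dnsforwarder", "").split() if is_loopback(a)]
    out += [(s, "read only", "share is not writable")
            for s in ("sysvol", "netlogon") if s in conf and not writable(conf[s])]
    return out
```

Calling `audit(SAMPLE)` flags the `sysvol` share even though it sets no `read only` line, because a share without one is read-only by default.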




