[Samba] Samba AD and adding a Windows 2008R2 DC

Wed Mar 27 11:53:40 UTC 2019

Hi,

On Mon, 2019-03-25 at 12:28 +0000, Rowland Penny via samba wrote:
> On Mon, 25 Mar 2019 11:24:03 +0000
> "Deventer-2, M.S.J. van via samba" <samba at lists.samba.org> wrote:
> 
> > Hi,
> > 
> > we now have an old Windows NT4.0 domain served by Samba 4.2.x
> > (using
> > Samba and LDAP) and want to move to Windows AD. 
> > The reason we need to do that is because of the clients (Windows 10
> > and MacOS) and because of a third party device which does not want
> > to
> > talk to Samba AD (Isilon OneFS).
> 
> Possibly if Isilon would accept that Samba AD works in the same way
> as
> Windows AD, it might be made to work.
> 
> In one of their PDF's is this:
> 
> Active Directory with RFC 2307 and Windows Services for UNIX
> A best practice is to use Microsoft Active Directory with Windows
> Services for UNIX and RFC 2307 attributes
> to manage Linux, UNIX, and Windows systems. Integrating UNIX and
> Linux systems with Active Directory
> centralizes identity management and eases interoperability, reducing
> the need for user mapping rules. Make
> sure your domain controllers are running Windows Server 2003 or
> later. For more information on RFC 2307,
> refer to the following KB:
> How to configure OneFS and Active Directory for RFC2307 compliance:
> https://support.emc.com/kb/335338
> 
> Samba AD matches all of the above, it uses the 2008R2 schema and the
> SFU ldif.
> The problem I have is that the KB: 335338 is behind a login page,
> perhaps if this could be seen, it might be possible to see where the
> problem lies.
I know this KB article and it just shows you to switch on the RFC2307
extensions on OneFS. But as EMC (Isilon manufacturer) refuses to help
and just tells us : " do not use Samba AD " we gave up on connecting
Samba AD to this device, hence we need to go to Windows AD.
For the record, OneFS (based on FreeBSD) does not use Samba to supply
the clients with SMB protocol and AD joining. They instead use
'likewise'.

>  
> > I did a 'classicupgrade' to Samba AD from our Samba/LDAP config and
> > then I use this guide : 
> > https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
> > to add the Windows 2008R2 DC to the Samba AD. This all worked out
> > but
> > I encountered an error on the Windows AD integrated DNS (error 4014
> > :
> > The DNS server was unable to initialize AD security interfaces).
> > The
> > wiki page does not mention this and I was wondering which version
> > of
> > Samba was used when this page was created ?
Any answer on this question Rowland ?

> > Looking for a solution on the Microsoft side sends you from one
> > link
> > to another and back again...
> > 
> > Anyone here who did a succesfull join of Windows 2008R2 DC to an
> > Samba
> > AD domain ?
> 
> I have added a 2012 and it worked, but I use Bind9, perhaps if you
> tried adding Bind9 to your Samba AD ?
You added a 2012, to which samba version ? And how ? 2012 requires an
adprep and that does not work because of WMI.

Regards,

   Michel

> 
> Rowland
> 
-- 
Michel van Deventer

Integratie Specialist | Divisie Laboratoria, Apotheek en Biomedische
Genetica, Infra Services & Integration

------------------------------------------------------------------------------

De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is
uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht
ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct
te informeren door het bericht te retourneren. Het Universitair Medisch
Centrum Utrecht is een publiekrechtelijke rechtspersoon in de zin van de W.H.W.
(Wet Hoger Onderwijs en Wetenschappelijk Onderzoek) en staat geregistreerd bij
de Kamer van Koophandel voor Midden-Nederland onder nr. 30244197.

Denk s.v.p aan het milieu voor u deze e-mail afdrukt.

------------------------------------------------------------------------------

This message may contain confidential information and is intended exclusively
for the addressee. If you receive this message unintentionally, please do not
use the contents but notify the sender immediately by return e-mail. University
Medical Center Utrecht is a legal person by public law and is registered at
the Chamber of Commerce for Midden-Nederland under no. 30244197.

Please consider the environment before printing this e-mail.