[Samba] security = ads parameter not working in samba 4.9.5
Sac Isilia
udaypratap.singh65 at gmail.com
Tue Nov 26 13:41:13 UTC 2019
Hi Team,
I need to join the server to an AD domain using winbind. Below are the
package versions for reference. The server runs Debian 10 and the default
install of samba is 4.9.5.
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all common files used by both the Samba server and client
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64 service to resolve user and group information from Windows NT servers
I searched the internet and a few Samba mailing lists and found that it was
a bug and security = ads will produce an error if you start winbind. The
moment I put "security = user" in smb.conf, winbind starts
successfully, but the server is not joined to the domain. When I run the command
net ads join -U xxx I get the below error.
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
I just couldn't find any solution to the above if samba runs on 4.9.5.
Please help me so that I can join the server to the AD domain.
Below is my smb.conf
------------------------------------
[global]
passdb backend = tdbsam
security = user
password server = 10.34.54.46
idmap config EMEA-MEDIA : backend = ad
idmap config EMEA-MEDIA : range = 16777216-33554431
kerberos method = secrets and keytab
client use spnego = yes
client signing = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
allow trusted domains = yes
winbind nested groups = yes
; interfaces = 127.0.0.0/8 eth0
; bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
; logon path = \\%N\profiles\%U
; logon drive = H:
; logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
; include = /home/samba/etc/smb.conf.%m
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
usershare allow guests = yes
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
; write list = root, @lpadmin
Regards
Sachin Kumar
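
The following preflight check is an added example, not part of the original post and not Samba's own code. It parses the [global] section of an smb.conf and reports the conditions behind the "Host is not configured as a member server" message quoted above. It assumes that net ads join requires the host's effective role to be a domain member, and that with "server role" unset or "auto" the role follows "security", as the smb.conf manual describes; the function names and the sample text are constructed for illustration.

```python
# Added example: preflight of smb.conf [global] before running "net ads join".
# Constructed sample: a subset of the [global] settings quoted in the post.
SAMPLE = """\
[global]
security = user
client use spnego = yes
client use spnego = yes
server role = standalone server
[homes]
read only = yes
"""
MEMBER = ("member server", "member")

def parse_global(text):
    """Return (settings, duplicate_keys) for [global]; keys are lower-cased."""
    settings, dups, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())      # collapse inner whitespace
        if key in settings:
            dups.append(key)                     # later value overrides earlier
        settings[key] = value.strip()
    return settings, dups

def effective_role(settings):
    """Assumption: an explicit 'server role' wins; 'auto' follows 'security'."""
    role = settings.get("server role", "auto").lower()
    if role != "auto":
        return role
    sec = settings.get("security", "auto").lower()
    return "member server" if sec in ("ads", "domain") else "standalone server"

def preflight(text):
    settings, dups = parse_global(text)
    findings = [f"duplicate parameter: {k}" for k in dups]
    if effective_role(settings) not in MEMBER:
        findings.append("effective role is not 'member server'")
    if settings.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'")
    elif not settings.get("realm"):
        findings.append("security = ads but realm is unset")
    return findings
```

Running preflight() on the text of /etc/samba/smb.conf before attempting the join lists each finding as a string; an empty list means none of these checks failed.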