[Samba] security = ads parameter not working in samba 4.9.5

Rowland penny rpenny at samba.org
Tue Nov 26 14:04:54 UTC 2019

On 26/11/2019 13:41, Sac Isilia via samba wrote:
> Hi Team,
> I need to join the server in AD domain using winbind . Below are the
> package version for reference. The server runs Debian 10 and the default
> install of samba is 4.9.5.
> ii  samba                                 2:4.9.5+dfsg-5+deb10u1
>      amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                          2:4.9.5+dfsg-5+deb10u1
>      all          common files used by both the Samba server and client
> ii  winbind                               2:4.9.5+dfsg-5+deb10u1
>      amd64        service to resolve user and group information from Windows
> NT servers
>     I searched the internet and few samba mailing list and found that it was
> a bug and security = ads will produce error if you start winbind . The
> moment i put in smb.conf  "security = user" the winbind starts
> successfully but the server is not joined to domain when i run the command
> net ads join -U xxx I get the below error.
> Host is not configured as a member server.
> Invalid configuration.  Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
> I just couldn't find any solution to the above if samba runs on 4.9.5.
> Please help me so that I can join the server to AD domain.
I take it that you haven't read the Samba wiki ?


I would go and read that and then return with any questions you might 
have ;-)

But in the mean time, 'security = ADS' clashes with 'server role = 
standalone server'

The other question is, is sssd installed ?

If it is, then remove it, you cannot use sssd with winbind.

You are also probably going to need a few extra packages:

acl attr libpam-winbind libpam-krb5 libnss-winbind krb5-config krb5-user ntp


More information about the samba mailing list