[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server

Michael Evans michael.evans at nor-consult.com
Thu Nov 18 20:31:26 UTC 2021 

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Patrick
> Goetz via samba
> Sent: Thursday, November 18, 2021 3:05 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to net ads join samba to an active directory
> domain Failed to join domain: failed to connect to AD: Can't contact LDAP
> server
> 
> 
> 
> On 11/18/21 02:15, Michael Evans via samba wrote:
> > [Michael Evans]
> > (added since the previous reply)
> > Who's going to do that if it doesn't look like a hyperlink?
> >
> > It seems to be a deliberate style anti-pattern on the whole wiki.
> > The AD page_also_  has disguised hyperlinks that are thus
> > Skipped because unless you know they/might/  be hyperlinks
> > it would never occur to you that it isn't a
> > single line configuration flag that is required.
> 
> 
> Can you post the URL where you're seeing this? And are you sure this
> isn't an issue with your browser configuration? Hyperlinks in the Samba
> Wiki show up as (clearly formatted) hyperlinks for me.
> 

[Michael Evans]
In both recent Firefox and Chrome browsers.

The lack of underlines is actually everywhere, but in many places a
hyperlink exists it is either expected and thus doesn't matter or it is part
of a paragraph of other text and thus stands out.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting
_up_a_Basic_smb.conf_File

For example the paragraph at the top just above the warning segments...

"If you need your users to have different login shells and/or Unix home
directory paths, or you want them to have the same ID everywhere, you will
need to use the winbind 'ad' backend and add RFC2307 attributes to AD."

__winbind 'ad' backend__ should probably be a hyperlink to
https://wiki.samba.org/index.php/Idmap_config_ad

__RFC2307 attributes__ should probably be a hyperlink to
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

However on the domain member page's
Choose_backend_for_id_mapping_in_winbindd section:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_
backend_for_id_mapping_in_winbindd

I wasn't cognitively expecting a table of links to a different pages, and
visually digesting the block for 'tell samba to use AD as the backend' it
looked like something that should be a one-line configuration given all of
the configuration details could be in the AD and the three lines in the
table that are highlighted with a different color all look like plausible
configuration values for 'which mechanism should Samba use to map user IDs?'

It seems obvious enough reading over the section now, how over time a
sentence above the table, and a table header try to say what an underline
beneath the text would so much more clearly state.  ''this section is a set
of links to other places''

Maybe something more like...

VVV

Setup how Samba stores the idmap between Windows usernames and Unix UIDs

* (ad)[Idmap_config_ad] uses (RFC2307 attributes in the AD)[Setting up
RFC2307 in AD]

* (rid)[Idmap_config_rid] uses read-only automatic ID assignment calculated
from Domain Controller data

* (autorid)[Idmap_config_autorid] similar to rid, but per member server
unique relative offsets for each Realm / Domain / Workgroup

^^^

Refuse to provide anything that could remotely look like a configuration
value.

Also, someone trying to skip over the rid/autorid section will probably
still miss this data, so duplicate it in the fishbone of the default basic
configuration example on that page.

[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

  # idmap config section
  # (ad)[Idmap_config_ad] uses (RFC2307 attributes in the AD)[Setting up
RFC2307 in AD]
  # (rid)[Idmap_config_rid] uses read-only automatic ID assignment
calculated from Domain Controller data
  # (autorid)[Idmap_config_autorid] similar to rid, but per member server
unique relative offsets for each Realm / Domain / Workgroup

More information about the samba mailing list