[Samba] AD DC lost sub.conf

Callum MacEwan callum at pegasusnz.com
Mon Dec 5 02:54:29 UTC 2022

>> On 03/12/2022 09:59, Callum MacEwan via samba wrote:
>> Is this looking better?
>> [global]
>> #samba-tool provision configs
>> dns forwarder =
>> netbios name = CAPSICUM
>> server role = active directory domain controller
>> workgroup = BALEWAN
>> idmap_ldb:use rfc2307 = yes
>> #local config
>> vfs objects = dfs_samba4 acl_xattr recycle
>> template shell = /bin/bash
>> #temporary test configs
>> #System Volumes and logon
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>> browse = No
>> [netlogon]
>> path = /var/lib/samba/sysvol/balewan.pegasusnz.com/scripts
>> read only = No
>> browse = No
> That looks okay, I take it that is your router.

Yes, it is the router it is replaced with, which is the ISP DNS.
>>>>>>> I think you need to post the smb.conf from the DC and the Unix domain member.
>>>>>> AD DC smb.conf minus the two system volume mounts
>>>>>> These configs might not be exactly what the working confs were; I lost some lines due to a sticky keyboard and lag.
>>>>>> [global]
>>>>>> bind interfaces only = Yes
>>>>>> dns forwarder =
>>>>>> interfaces =
>>>>>> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>>>>>> netbios name = SAND
>>>>>> realm = BEACH.PEGASUSNZ.COM
>>>>>> workgroup = BEACH
>>>>>> server role = active directory domain controller
>>>>>> apply group policies = yes
>>>>>> template shell = /bin/bash
>>>>>> winbind enum users = yes
>>>>>> winbind enum groups = yes
>>>>> I keep telling people this, but nobody seems to listen: you only need the 'winbind enum' lines for testing purposes; Samba works perfectly well without them.
>>>> I only added them when my trouble began; they are commented out.
>>>>>> log level = 4
>>>>>> Dom Member
>>>>>> [global]
>>>>>> bind interfaces only = Yes
>>>>>> interfaces = lo
>>>>>> netbios name = DUNE
>>>>>> workgroup = BEACH
>>>>>> realm = BEACH.PEGASUSNZ.COM
>>>>>> server role = member server
>>>>>> security = ADS
>>>>>> #kerberos method = secrets and keytab
>>>>>> #dedicated keytab file = /etc/krb5.keytab
>>>>>> #winbind refresh tickets = Yes
>>>>>> log file = /var/log/samba/%m.log
>>>>>> log level = 4
>>>>>> idmap config *: backend = autorid
>>>>>> idmap config *: range = 100000-2999999
>>>>>> idmap config BEACH : backend = rid
>>>>>> idmap config BEACH : range = 10000-99999
>>>>>> #idmap config BEACH : unix_nss_info = yes
>>>>> If you are going to use the 'autorid' idmap backend, you only use the 'autorid' idmap backend; the other 'rid' lines should be removed (I take it you have set up a two-way trust to BALEWAN). Also, you only use 'unix_nss_info' with the 'ad' idmap backend. To put it bluntly, you couldn't have got it more wrong.
>>>> Sorry to upset you!
>>>> BALEWAN was actually BEACH.
>>> Doesn't really matter; the 'autorid' idmap backend is meant for multiple domains, you do not use it with any other idmap backend. You should either change 'autorid' to 'tdb' (or remove the entire line, tdb is the default), or remove the 'idmap config BEACH' lines. This will of course probably change all the user & group IDs.
>> Okay, I will remove them all.
> I take it that you are referring to the 'idmap config BEACH' lines.
Yes, I went back to the basic default settings and worked forward.
>>>>>> template shell = /bin/bash
>>>>>> #template homedir = /media/home/%U
>>>>>> username map = /usr/local/samba/etc/user.map
>>>>> I take it that you used to compile Samba yourself.
>>>> No, I used the Debian package.
>>>> When I use a Windows box to look at the Domain Controller, it does not find the domain controller. If I manually select the DC, its status changes from pending to online, but the DC column is blank?
>>> Are the Windows machines using a DC for their nameserver?
>> The Windows boxes do use the DC for nameserver, but they are not used very often.
> If the Windows machines are joined to the domain (and there wouldn't be much point to the AD domain if they aren't), they must use the DC as their nameserver, unless the nameserver they are using forwards everything for the AD domain to the DC.
Yes, the AD DC is the DNS for everyone using Samba internally; there is a backup DNS on a Debian box.
>> The only thing that is not working at the moment is the domain member on Debian.
>> 'net' commands error with NT_STATUS_NO_LOGON_SERVERS…
> You should point 'net' to a DC; at the moment it is trying to ask itself ''.
Okay, I see. I thought that was a temporary workaround, but now I realise that is what happens.

I could not get the domain member to use the AD uid/gid even when using the config from your wiki! I worked around that by making the AD uid and gid match the domain member, and all is up and running again.

Thank you for your assistance.

> Rowland
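The idmap advice in the thread above (autorid is used on its own, 'unix_nss_info' only applies to the 'ad' backend, 'winbind enum' is for testing, and a parameter line needs an '=') can be checked mechanically. The following is an added example, not part of the original thread or of Samba: a small checker that parses the [global] section of a domain-member smb.conf and reports those points. The two sample configs are constructed for this example; the first reproduces the mixed autorid + rid layout as posted, with a deliberately malformed 'log file' line, and the second is the corrected layout (tdb default plus rid for BEACH, as Rowland suggests). The key normalisation and severity labels are this example's own choices.

```python
"""Added example (not from the thread or from Samba): a checker for the
idmap/winbind points raised in the smb.conf discussion."""
import re
from typing import Dict, List, Tuple

# Constructed sample: domain-member [global] as posted, mixing autorid with a
# per-domain rid backend, plus a malformed 'log file' line (dash instead of '=').
SAMPLE_MEMBER_CONF = """\
[global]
   workgroup = BEACH
   realm = BEACH.PEGASUSNZ.COM
   server role = member server
   security = ADS
   log file - /var/log/samba/%m.log
   winbind enum users = yes
   idmap config *: backend = autorid
   idmap config *: range = 100000-2999999
   idmap config BEACH : backend = rid
   idmap config BEACH : range =10000-99999
   idmap config BEACH : unix_nss_info = yes
"""

# Constructed sample: the corrected layout. tdb is the default '*' backend
# (so that line could be dropped) and rid handles the BEACH domain.
SAMPLE_MEMBER_CONF_FIXED = """\
[global]
   workgroup = BEACH
   realm = BEACH.PEGASUSNZ.COM
   server role = member server
   security = ADS
   log file = /var/log/samba/%m.log
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config BEACH : backend = rid
   idmap config BEACH : range = 10000-99999
"""

TRUE_VALUES = ("yes", "true", "1")


def parse_global(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({normalised key: value}, [malformed lines]) for the [global] section.

    Keys are lowercased, runs of whitespace collapsed, and the ':' in
    'idmap config DOM : backend' normalised, so the two spellings used in the
    thread ('*: backend' and 'BEACH : backend') compare equal.
    """
    params: Dict[str, str] = {}
    malformed: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global":
            continue  # share sections are not checked here
        if "=" not in line:
            malformed.append(line)  # a parameter line must be 'name = value'
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", ":", key)
        params[key] = value.strip()
    return params, malformed


def check_member_conf(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a domain-member smb.conf."""
    params, malformed = parse_global(text)
    findings: List[Tuple[str, str]] = []
    for line in malformed:
        findings.append(("error", f"malformed parameter line (no '='), setting not applied: {line!r}"))

    # Collect idmap backends per domain: {'*': 'autorid', 'beach': 'rid', ...}
    backends: Dict[str, str] = {}
    for key, value in params.items():
        m = re.match(r"idmap config (.+):backend$", key)
        if m:
            backends[m.group(1)] = value.lower()

    default_backend = backends.get("*", "tdb")  # tdb is Samba's default
    named = [d for d in backends if d != "*"]
    if default_backend == "autorid" and named:
        findings.append(("error", "autorid is used on its own; remove the per-domain idmap lines for: " + ", ".join(named)))

    for domain, backend in backends.items():
        nss = params.get(f"idmap config {domain}:unix_nss_info", "").lower()
        if nss in TRUE_VALUES and backend != "ad":
            findings.append(("warning", f"'unix_nss_info' only applies to the 'ad' backend (domain {domain} uses '{backend}')"))

    for opt in ("winbind enum users", "winbind enum groups"):
        if params.get(opt, "").lower() in TRUE_VALUES:
            findings.append(("info", f"'{opt} = yes' is for testing only; remove it once things work"))
    return findings


if __name__ == "__main__":
    for name, conf in (("as posted", SAMPLE_MEMBER_CONF), ("corrected", SAMPLE_MEMBER_CONF_FIXED)):
        print(f"== {name} ==")
        for severity, message in check_member_conf(conf) or [("ok", "no findings")]:
            print(f"{severity:8s} {message}")
```

Running it on the first sample reports the malformed 'log file' line, the autorid/rid mix, the misplaced 'unix_nss_info', and the 'winbind enum users' line; the corrected sample produces no findings. The checker only looks at [global], which is where all of the discussed parameters live.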
