[Samba] Joining Linux Domain Member to Samba DC, issues

Rowland Penny rpenny at samba.org
Mon May 20 08:40:30 UTC 2024


On Mon, 20 May 2024 00:07:38 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> OK, I'm going to try baby-steps working back to a wipe/reinstall if 
> necessary. First, I removed the three old 2018 files:
> local_password.so, simple_dn.so and simple_ldap_map.so. Then I
> attempted to re-join the domain. I got:
> 
> # net ads join -U administrator
> Password for [HPRS\administrator]:
> Using short domain name -- HPRS
> Joined 'WEBSERVER' to dns domain 'hprs.local'
> DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> 
> I'm guessing (hoping) the DNS errors were because WEBSERVER already
> had an A record configured. I did the following to verify there was an
> A record:
> 
> # samba-tool dns query mail.hprs.local hprs.local webserver.hprs.local A -Uadministrator
>    Name=, Records=1, Children=0
>      A: 192.168.0.3 (flags=f0, serial=119, ttl=900)
> 
> Which looks like it worked. I further verified that WEBSERVER was a 
> domain member (on the DC):
> 
> # ldbsearch -H /var/lib/samba/private/sam.ldb '(objectclass=computer)' dn
> # record 13
> dn: CN=WEBSERVER,CN=Computers,DC=hprs,DC=local
> 
> So, I *think* the join worked. I now have the following smb.conf,
> adding a share (xfer):
> 
> [global]
>          max log size = 10000
>          realm = HPRS.LOCAL
>          security = ADS
>          server role = member server
>          server string = HPRS WEBSERVER server
>          template homedir = /home/%U
>          template shell = /bin/bash
>          workgroup = HPRS
>          idmap config hprs : range = 10000-999999
>          idmap config hprs : backend = rid
>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb
> 
> vfs objects = acl_xattr
> map acl inherit = yes
> 
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> 
> [xfer]
> path = /home/ohprs/xfer
> public = yes
> readonly = no
> locking = yes
> printable = no
> create mask = 0660
> directory mask = 0771
> 
> I updated nsswitch.conf to add winbind to passwd: and group: then
> fired up smbd, nmbd and winbindd -- and it worked! I can map the xfer
> share from Windows which silently uses domain credentials. I added
> several more shares and was able to map them all! I may have to tweak 
> permissions somewhere, but that should be a minor problem.
> 
> Thus far it seems that simply removing those old files did the trick 
> without having to uninstall/reinstall Samba, or wipe/install the
> whole system. I'll keep my fingers crossed on this one.
> 
> Thanks --Mark
> 

Yes, that will work, provided you know what files to remove; it is easier to start with a new install if you don't know what to remove.

Let's take a walk through your share:

[xfer]
path = /home/ohprs/xfer
public = yes

Why 'public' ?
A) this is an AD domain and all your users should be known.
B) You haven't set 'map to guest = bad user' in global, so it will be ignored.

readonly = no
locking = yes # default
printable = no # default

'locking' & 'printable' are set to the defaults, so are not really required.

create mask = 0660
directory mask = 0771

You will be a lot better off setting the permissions from Windows,
rather than getting Samba to do it for you.

Rowland
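
The share review above, as an added example that is not part of the original post and not Samba's own tooling: a small Python check that flags the two points the reply raises, guest access requested on a share while 'map to guest' is left at its default of Never in [global], and parameters that only restate their defaults. The function names and the sample config are constructed for illustration, and only the two defaults named in the reply are checked.

```python
# Added example, not Samba code. SAMPLE is constructed from the thread's settings.
SAMPLE = """\
[global]
    security = ADS
[xfer]
    path = /home/ohprs/xfer
    public = yes
    readonly = no
    locking = yes
    printable = no
"""

# Defaults named in the reply; keys normalised to lower case without spaces.
DEFAULTS = {"locking": True, "printable": False}
GUEST_KEYS = {"public", "guestok"}  # 'public' is a synonym for 'guest ok'
BOOLS = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}

def parse(text):
    """Parse smb.conf text; names are case- and whitespace-insensitive."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def lint(text):
    """Return (section, parameter, finding) tuples for non-global sections."""
    conf = parse(text)
    guest_map = conf.get("global", {}).get("maptoguest", "never").lower()
    findings = []
    for name, params in conf.items():
        if name == "global":
            continue
        for key, value in params.items():
            flag = BOOLS.get(value.lower())
            if key in GUEST_KEYS and flag and guest_map == "never":
                findings.append((name, key, "guest access without 'map to guest'"))
            elif key in DEFAULTS and DEFAULTS[key] == flag:
                findings.append((name, key, "already the default"))
    return findings

for section, key, finding in lint(SAMPLE):
    print(f"[{section}] {key}: {finding}")
```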



