[Samba] Joining Linux Domain Member to Samba DC, issues
Mark Foley
mfoley at novatec-inc.com
Mon May 20 17:20:29 UTC 2024
On 5/20/24 04:40, Rowland Penny via samba wrote:
> On Mon, 20 May 2024 00:07:38 -0400
> Mark Foley via samba<samba at lists.samba.org> wrote:
>
>> OK, I'm going to try baby-steps working back to a wipe/reinstall if
>> necessary. First, I removed the three old 2018 files:
>> local_password.so, simple_dn.so and simple_ldap_map.so. Then I
>> attempted to re-join the domain. I got:
>>
>> # net ads join -U administrator
>> Password for [HPRS\administrator]:
>> Using short domain name -- HPRS
>> Joined 'WEBSERVER' to dns domain 'hprs.local'
>> DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> I'm guessing (hoping) the DNS errors were because WEBSERVER already
>> had an A record configured. I did the following to verify there was a
>> A record:
>>
>> # samba-tool dns query mail.hprs.local hprs.local
>> webserver.hprs.local A -Uadministrator
>> Name=, Records=1, Children=0
>> A: 192.168.0.3 (flags=f0, serial=119, ttl=900)
>>
>> Which looks like it worked. I further verified that WEBSERVER was a
>> domain member (on the DC):
>>
>> # ldbsearch -H /var/lib/samba/private/sam.ldb
>> '(objectclass=computer)' dn # record 13
>> dn: CN=WEBSERVER,CN=Computers,DC=hprs,DC=local
>>
>> So, I *think* the join worked. I now have the following smb.conf,
>> adding a share (xfer):
>>
>> [global]
>> max log size = 10000
>> realm = HPRS.LOCAL
>> security = ADS
>> server role = member server
>> server string = HPRS WEBSERVER server
>> template homedir = /home/%U
>> template shell = /bin/bash
>> workgroup = HPRS
>> idmap config hprs : range = 10000-999999
>> idmap config hprs : backend = rid
>> idmap config * : range = 3000-7999
>> idmap config * : backend = tdb
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> [xfer]
>> path = /home/ohprs/xfer
>> public = yes
>> readonly = no
>> locking = yes
>> printable = no
>> create mask = 0660
>> directory mask = 0771
>>
>> I updated nsswitch.conf to add winbind to passwd: and group: then
>> fired up smbd, nmbd and winbindd -- and it worked! I can map the xfer
>> share from Windows which silently uses domain credentials. I added
>> several more shares and was able to map them all! I may have to tweak
>> permissions somewhere, but that should be a minor problem.
>>
>> Thus far it seems that simply removing those old files did the trick
>> without having to uninstall/reinstall Samba, or wipe/install the
>> whole system. I'll keep my fingers crossed on this one.
>>
>> Thanks --Mark
>>
> Yes, that will work, provided you know what files to remove, it is easier to start with a new install if you don't know what to remove.
>
> Lets take a walk through your share:
>
> [xfer]
> path = /home/ohprs/xfer
> public = yes
>
> Why 'public' ?
> A) this is an AD domain and all your users should be known.
> B) You haven't set 'map to guest = bad user' in global, so it will be ignored.
This is probably just a hold-over from before that host was joined to
the domain, and yes I did have 'map to guest = bad user' set back then.
I'll remove 'public' from the .conf.
> readonly = no
> locking = yes # default
> printable = no # default
>
> 'locking' & 'printable' are set to the defaults, so are not really required.
OK, good to know. I'll mark them as such in the config.
> create mask = 0660
> directory mask = 0771
>
> You will be a lot better off setting the permissions from Windows,
> rather than getting Samba to do it for you.
>
> Rowland
As far as permissions go, the settings shown are what was in there
before joining as a domain member. I will definitely be playing with
permissions since one of the reasons form moving one of the shares to
this server was to be able to let windows set permissions and ownership.
In the meantime, I'm not changing everything at once in order to keep
the variables down. I'll probably start messing with ownership and
permission next week. On the main share that I'm moving, I may keep the
'directory mask = 2771' as that sets the group s-bit on directories
which allows for group ownership inheritance on subdirectories/files.
I'll experiment.
Thanks for the advice.
--Mark
More information about the samba
mailing list