I stand corrected re the MS comment then. How do I get the userAccountControl?
Thx

Sent from my iPhone

On 22/12/2012, at 12:18, Andrew Bartlett <[email protected]> wrote:

> On Sat, 2012-12-22 at 12:01 +1300, Pieter De Wit wrote:
>> On 22/12/2012 11:47, Andrew Bartlett wrote:
>>> On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
>>>> On 18/12/2012 10:47, Andrew Bartlett wrote:
>>>>> On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
>>>>>> Hi list,
>>>>>>
>>>>>> I have tried with all my might to get a samba3 server (Ubuntu 12.04.1
>>>>>> LTS) to join a Windows 2003 domain as a member server, without any luck.
>>>>>> I have used, from memory, the official way of doing this (aka, from the
>>>>>> samba.org website). No matter what settings I use in smb.conf, the
>>>>>> server always joins as a domain controller. This doesn't seem to break
>>>>>> the domain however. All I am after is that my users do not need to
>>>>>> enter a username/password for access from a domain PC to shares on my
>>>>>> Linux box.
>>>>>>
>>>>>> Any pointers please or is this intended as the server does single sign?
>>>>> If you can list exactly the steps you took, we might be able to help.
>>>>>
>>>>> But to answer your question: Yes, Samba will happily join Windows 2003
>>>>> as a domain member. The key command is 'net ads join'.
>>>>>
>>>>> Andrew Bartlett
>>>> Hi Andrew,
>>>>
>>>> Sorry for the delay in my reply, things have been hectic closing down for
>>>> the holidays.
>>>>
>>>> In a nutshell, here is what I do/did:
>>>>
>>>> 1) apt-get install samba winbindd krb5-user
>>>> 2) Configure smb.conf as per :
>>>>
>>>> [global]
>>>>
>>>> workgroup = WORK
>>>> realm = WORK.LOCAL
>>>> preferred master = no
>>>> server string = Linux Test Machine
>>>> security = ADS
>>>> encrypt passwords = yes
>>>> log level = 3
>>>> log file = /var/log/samba/%m
>>>> max log size = 50
>>>> printcap name = cups
>>>> printing = cups
>>>> # winbind enum users = Yes
>>>> # winbind enum groups = Yes
>>>> # winbind use default domain = Yes
>>>> winbind nested groups = Yes
>>>> winbind separator = +
>>>> idmap uid = 2000-20000
>>>> idmap gid = 2000-20000
>>>> template shell = /bin/bash
>>>> veto files = lost+found
>>>>
>>>> 3) Configure krb5.conf:
>>>> [libdefaults]
>>>> default_realm = WORK.LOCAL
>>>>
>>>> [realms]
>>>> YPG.LOCAL={
>>>> kdc=DC.WORK.LOCAL
>>>> }
>>>> [domain_realm]
>>>> .kerberos.server=WORK.LOCAL
>>>>
>>>> 4) Restart Samba/Winbind
>>>> 5) In /etc/nsswitch.conf add winbind to passwd and group
>>>> 5) Join the domain : net ads join -U <my_admin_account>
>>>> 6) kinit <my_admin_account>
>>>>
>>>> From then, users can connect to the shares on the server using Single
>>>> Sign On. The "issue" is that if I look under my Active Directory, the
>>>> server will state that it is a "Domain Controller". Running the usual DC
>>>> Info tools they seem to think the domain is ok. I would prefer to have
>>>> the server say Member server, rather than DC :)
>>>>
>>>> I would like to send you a screenshot of what "Active Directory Users
>>>> and Computers" shows but this will be hard to do remotely.
>>> Many years ago, we found this issue, which was a display bug in ADUC.
>>> We are almost certainly not registered as an AD DC, but because our
>>> account flags in the directory don't match exactly what windows does,
>>> then it promotes us to a DC in the GUI. I saw this with Windows 2000
>>> over a decade ago, but perhaps it wasn't fixed in 2003.
>>>
>>> Andrew Bartlett
>> Hey Andrew,
>>
>> I suspect it is the same issue. Is it worth logging a bug for it ? In my
>> case I have other people that maintain AD and I would prefer to "clean
>> it up". If it is in the "too hard to fix basket" (I know MS isn't really
>> forthcoming with info re AD), then so be it.
>
> Microsoft is very forthcoming on info re AD. However, please check if
> the latest tools from Microsoft also show this incorrectly as a DC.
>
> If you want to send me the userAccountControl value it set, I can
> confirm it doesn't have the DC flag set.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
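Once the value has been pulled from the computer object (Samba's `net ads search '(sAMAccountName=<host>$)' userAccountControl` returns it as a decimal string; the hostname is a placeholder), the question is what the bits mean. The following is an added example, not code from the thread or from Samba, that decodes the bitmask using the documented userAccountControl flag constants and reports whether the DC flag (SERVER_TRUST_ACCOUNT) or the plain member flag (WORKSTATION_TRUST_ACCOUNT) is set:

```python
# Added example, not code from the thread: decode an AD userAccountControl value and
# check for the DC flag (SERVER_TRUST_ACCOUNT) vs. the member flag (WORKSTATION_TRUST_ACCOUNT).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

def parse_uac(raw):
    # LDAP tools return the attribute as a decimal string; also accept hex text ("0x1000") or an int.
    if isinstance(raw, int):
        return raw
    return int(raw.strip(), 0)

def decode_uac(raw):
    """Return the names of all flags set, in ascending bit order, plus any undocumented bits."""
    value = parse_uac(raw)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits not covered by the table above
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names

def account_role(raw):
    """Classify a machine account the way ADUC should: DC, member, or not a trust account."""
    value = parse_uac(raw)
    if value & 0x2000:
        return "domain controller (SERVER_TRUST_ACCOUNT)"
    if value & 0x1000:
        return "member server/workstation (WORKSTATION_TRUST_ACCOUNT)"
    return "not a machine trust account"
```

A freshly joined member normally shows 4096 (WORKSTATION_TRUST_ACCOUNT only), while a DC carries 0x2000 and usually TRUSTED_FOR_DELEGATION as well; any bit reported as UNKNOWN is worth checking against current Microsoft documentation.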
