Jason Gerfen wrote:
I have a question regarding joining a Samba 3 machine to a Windows 2000
Domain using ADS authentication.
I have been able to join the machine to the domain, enumerate users with
getent and wbinfo -u. The problem I am having is with a Windows 2000
default domain setup an AD object is created:
CN=Users,DC=Domain,DC=Com
Generally all users created belong in this container. I am able to
enumerate every user account in the domain EXCEPT this one. Can someone
help me with this?
[smb.conf]
[global]
workgroup = SCL
realm = SCL.UTAH.EDU
server string = new-odin.domain.com
My experience is the realm is the DC parts of the ldap container.
So your realm should be "DOMAIN.COM", the same as in krb5.conf.
I'm thinking your samba box has an older DNS domain name that's not
the same as your win2000 DNS domain name.
You may be past the planning & testing stage, but I found the
easiest way to introduce the win2000 domain was as a subdomain
of any existing domain I already was authoritative for.
So if you're authoritative for UTAH.EDU then your win2000 domain
and realm would be something like scl.utah.edu or nt.utah.edu
with a legacy domain name of SCL.
Then you can allow windows server to run its own DNS and delegate
the subdomain with glue from your existing servers. There are
a -lot- of realm subdomains and SRV records generated by windows
that make the system easier to integrate.
Like if you ever get into mail routing with the windows machines,
you'll find MS believes the domain name should be an official
ICANN domain and it's kind of difficult to alias. Not
impossible, but if the windows realm could be a real
delegated domain, since you appear to have one, the future
would be much easier.
Regards, Doug
security = ADS
update encrypted = Yes
password server = *
password level = 20
preferred master = No
domain master = No
idmap uid = 500-500000
idmap gid = 500-500000
winbind separator = /
winbind cache time = 5
winbind use default domain = Yes
winbind nested groups = Yes
[odin]
comment = ODIN
path = /odin
read only = No
inherit acls = Yes
[krb5.conf]
[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300
[realms]
DOMAIN.COM = {
kdc = 10.10.1.95
default_domain = domain.com
admin_server = 10.10.1.95
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}
Any help is appreciated.
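The consistency Doug is pointing at (the realm in smb.conf equals default_realm in krb5.conf, its components equal the DC= parts of the container DN, and krb5.conf's [domain_realm] maps the DNS name onto that realm) can be checked mechanically before running the join. The script below is an added example, not code from the thread or from Samba; the file names, the sample contents and the function names are constructed to mirror the posted configs.

```shell
#!/bin/sh
# Added example, not from the thread: check that the Kerberos realm is spelled
# consistently across smb.conf, krb5.conf and the AD container DN.
# The sample files written by write_samples are constructed for illustration.

# Base DN a realm implies, lower-cased: SCL.UTAH.EDU -> dc=scl,dc=utah,dc=edu
realm_to_basedn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Keep only the DC= components of a DN, lower-cased:
# CN=Users,DC=Domain,DC=Com -> dc=domain,dc=com
dn_dc_part() {
    printf '%s' "$1" | tr -d ' ' |
        awk -F, '{ out = ""
                   for (i = 1; i <= NF; i++)
                       if (tolower($i) ~ /^dc=/) out = out (out == "" ? "" : ",") tolower($i)
                   print out }'
}

# First value of KEY in an ini-style file (smb.conf / krb5.conf): ini_value FILE KEY
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# 0 if smb.conf realm, krb5.conf default_realm and the container DN all agree
check_realm_consistency() {
    smb_realm=$(ini_value "$1" realm | tr 'a-z' 'A-Z')
    krb_realm=$(ini_value "$2" default_realm | tr 'a-z' 'A-Z')
    expected=$(realm_to_basedn "$smb_realm")
    actual=$(dn_dc_part "$3")
    status=0
    if [ "$smb_realm" != "$krb_realm" ]; then
        echo "MISMATCH: smb.conf realm=$smb_realm but krb5.conf default_realm=$krb_realm"
        status=1
    fi
    if [ "$expected" != "$actual" ]; then
        echo "MISMATCH: realm $smb_realm implies $expected but the container sits under $actual"
        status=1
    fi
    return $status
}

# 0 if krb5.conf [domain_realm] maps the realm's DNS name (or .subdomains) to REALM
check_domain_realm_map() {
    dns_re=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    realm_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*\.?${dns_re}[[:space:]]*=[[:space:]]*${realm_re}[[:space:]]*$" "$1"
}

# Constructed samples modelled on the thread: smb.conf says SCL.UTAH.EDU,
# krb5.conf says DOMAIN.COM, the users live under DC=Domain,DC=Com.
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
    workgroup = SCL
    realm = SCL.UTAH.EDU
    security = ADS
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = DOMAIN.COM
[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
EOF
}

# Demo run against the constructed samples; prints the mismatches and a hint.
dir=$(mktemp -d)
write_samples "$dir"
check_realm_consistency "$dir/smb.conf" "$dir/krb5.conf" 'CN=Users,DC=Domain,DC=Com' ||
    echo "Fix: use one realm in smb.conf and krb5.conf whose parts match the container's DC= components"
check_domain_realm_map "$dir/krb5.conf" SCL.UTAH.EDU ||
    echo "Fix: [domain_realm] in krb5.conf has no mapping for scl.utah.edu"
rm -rf "$dir"
```

Run it against the real files (pass the container DN from the AD object that will not enumerate) before retrying the join; once all three agree, `net ads testjoin` and `wbinfo -u` are the next things to look at.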
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba