Re: [Samba] Samba3 joining W2k3 as member server

2012-12-29 Thread Andrew Bartlett
On Sat, 2012-12-29 at 19:31 +1300, Pieter De Wit wrote:
 On 28/12/2012 10:45, Andrew Bartlett wrote:
  On Fri, 2012-12-28 at 10:30 +1300, Pieter De Wit wrote:
  On 22/12/2012 14:56, Andrew Bartlett wrote:
  On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote:
  I stand corrected re the MS comment then. How do I get the 
  userAccountControl?
  userAccountControl is an ldap attribute, on the DC object.  ldapsearch,
  or a GUI LDAP browser (ldp.exe on windows is one) will be able to show
  it.
 
  Andrew Bartlett
 
  Hi Andrew,
 
  Finally got time to pull this:
 
  userAccountControl: 69632
  This is 0x11000
 
  #define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000
  #define UF_DONT_EXPIRE_PASSWD        0x00010000
 
  If this remains an issue with current management tools, then I guess we
  can raise a bug to see if we really, really need to set
  UF_DONT_EXPIRE_PASSWD in that bitmask.
 
  Andrew Bartlett
 
 Andrew,
 
 Is it worth setting the value to 0x1000 and seeing what the tools show
 before logging the bug?

It would be a useful data point.

 What is the correct value for a Member Server ?

It just needs UF_WORKSTATION_TRUST_ACCOUNT.

I've seen contradictory stuff about whether workstation accounts can expire.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba3 joining W2k3 as member server

2012-12-28 Thread Pieter De Wit

On 28/12/2012 10:45, Andrew Bartlett wrote:

On Fri, 2012-12-28 at 10:30 +1300, Pieter De Wit wrote:

On 22/12/2012 14:56, Andrew Bartlett wrote:

On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote:

I stand corrected re the MS comment then. How do I get the userAccountControl?

userAccountControl is an ldap attribute, on the DC object.  ldapsearch,
or a GUI LDAP browser (ldp.exe on windows is one) will be able to show
it.

Andrew Bartlett


Hi Andrew,

Finally got time to pull this:

userAccountControl: 69632

This is 0x11000

#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000
#define UF_DONT_EXPIRE_PASSWD        0x00010000

If this remains an issue with current management tools, then I guess we
can raise a bug to see if we really, really need to set
UF_DONT_EXPIRE_PASSWD in that bitmask.

Andrew Bartlett


Andrew,

Is it worth setting the value to 0x1000 and seeing what the tools show
before logging the bug?


What is the correct value for a Member Server ?

Cheers,

Pieter


Re: [Samba] Samba3 joining W2k3 as member server

2012-12-27 Thread Pieter De Wit

On 22/12/2012 14:56, Andrew Bartlett wrote:

On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote:

I stand corrected re the MS comment then. How do I get the userAccountControl?

userAccountControl is an ldap attribute, on the DC object.  ldapsearch,
or a GUI LDAP browser (ldp.exe on windows is one) will be able to show
it.

Andrew Bartlett


Hi Andrew,

Finally got time to pull this:

userAccountControl: 69632

Thanks,

Pieter


Re: [Samba] Samba3 joining W2k3 as member server

2012-12-27 Thread Pieter De Wit

On 23/12/2012 03:31, Carlos R. Pena Evertsz wrote:

Hi Pieter,

I need to do the same, join a Ubuntu 12.04 samba server to an existing 
Win2k3.


Could you post an example of the shares configuration (users and group
read and write permissions) to be used in your example of a samba
server as a domain member?


Thanks.

Carlos Pena
Santo Domingo, Dominican Republic



On 12/21/2012 5:36 PM, Pieter De Wit wrote:

On 18/12/2012 10:47, Andrew Bartlett wrote:

On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:

Hi list,

I have tried with all my might to get a samba3 server (Ubuntu
12.04.1 LTS) to join a Windows 2003 domain as a member server,
without any luck. I have used, from memory, the official way of
doing this (aka, from the samba.org website). No matter what
settings I use in smb.conf, the server always joins as a domain
controller. This doesn't seem to break the domain, however. All I
am after is that my users do not need to enter a username/password
for access from a domain PC to shares on my Linux box.


Any pointers please, or is this intended, as the server does single
sign-on?

If you can list exactly the steps you took, we might be able to help.

But to answer your question:  Yes, Samba will happily join Windows 2003
as a domain member.  The key command is 'net ads join'.

Andrew Bartlett


Hi Andrew,

Sorry for the delay in my reply, things have been hectic closing down
for the holidays. In a nutshell, here is what I do/did:


1) apt-get install samba winbindd krb5-user
2) Configure smb.conf as per :

[global]

   workgroup = WORK
   realm = WORK.LOCAL
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
#   winbind enum users = Yes
#   winbind enum groups = Yes
#   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 2000-2
   idmap gid = 2000-2
   template shell = /bin/bash
   veto files = lost+found

3) Configure krb5.conf:
[libdefaults]
default_realm = WORK.LOCAL

[realms]
YPG.LOCAL={
kdc=DC.WORK.LOCAL
}
[domain_realm]
.kerberos.server=WORK.LOCAL

4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
6) Join the domain: net ads join -U my_admin_account
7) kinit my_admin_account

From then, users can connect to the shares on the server using Single 
Sign On. The issue is that if I look under my Active Directory, the 
server will state that it is a Domain Controller. Running the usual 
DC Info tools they seem to think the domain is ok. I would prefer to 
have the server say Member server, rather than DC :)


I would like to send you a screenshot of what Active Directory Users 
and Computers shows but this will be hard to do remotely.


Thanks,

Pieter

P.S. Good work on the AD integration btw, I am using the above for
Squid as well and it's pretty neat! :)



Hi Carlos,

My shares are created like normal shares. The only part that changes is
the ref to Domain users. They are WORK+USERNAME; using a previous
naming setup, my user account would be as follows:


WORK+dewitp

So I could have something like:

[dump]
   comment=Data Dump
   read only=no
   browseable=yes
   path=/srv/exports/dump
   valid users=WORK+user1,WORK+user2

I also noted that if you have ext4 (haven't tried the rest) and you
create user permissions on a folder, it is added as extended attribs -
WELL DONE SAMBA! :)


HTH,

Pieter



Re: [Samba] Samba3 joining W2k3 as member server

2012-12-27 Thread Andrew Bartlett
On Fri, 2012-12-28 at 10:30 +1300, Pieter De Wit wrote:
 On 22/12/2012 14:56, Andrew Bartlett wrote:
  On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote:
  I stand corrected re the MS comment then. How do I get the 
  userAccountControl?
  userAccountControl is an ldap attribute, on the DC object.  ldapsearch,
  or a GUI LDAP browser (ldp.exe on windows is one) will be able to show
  it.
 
  Andrew Bartlett
 
 Hi Andrew,
 
 Finally got time to pull this:
 
 userAccountControl: 69632

This is 0x11000

#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000
#define UF_DONT_EXPIRE_PASSWD        0x00010000

If this remains an issue with current management tools, then I guess we
can raise a bug to see if we really, really need to set
UF_DONT_EXPIRE_PASSWD in that bitmask.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba3 joining W2k3 as member server

2012-12-22 Thread Carlos R. Pena Evertsz

Hi Pieter,

I need to do the same, join a Ubuntu 12.04 samba server to an existing 
Win2k3.


Could you post an example of the shares configuration (users and group
read and write permissions) to be used in your example of a samba server
as a domain member?


Thanks.

Carlos Pena
Santo Domingo, Dominican Republic



On 12/21/2012 5:36 PM, Pieter De Wit wrote:

On 18/12/2012 10:47, Andrew Bartlett wrote:

On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:

Hi list,

I have tried with all my might to get a samba3 server (Ubuntu
12.04.1 LTS) to join a Windows 2003 domain as a member server,
without any luck. I have used, from memory, the official way of doing
this (aka, from the samba.org website). No matter what settings I
use in smb.conf, the server always joins as a domain controller.
This doesn't seem to break the domain, however. All I am after is
that my users do not need to enter a username/password for access
from a domain PC to shares on my Linux box.


Any pointers please, or is this intended, as the server does single sign-on?

If you can list exactly the steps you took, we might be able to help.

But to answer your question:  Yes, Samba will happily join Windows 2003
as a domain member.  The key command is 'net ads join'.

Andrew Bartlett


Hi Andrew,

Sorry for the delay in my reply, things have been hectic closing down
for the holidays. In a nutshell, here is what I do/did:


1) apt-get install samba winbindd krb5-user
2) Configure smb.conf as per :

[global]

   workgroup = WORK
   realm = WORK.LOCAL
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
#   winbind enum users = Yes
#   winbind enum groups = Yes
#   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 2000-2
   idmap gid = 2000-2
   template shell = /bin/bash
   veto files = lost+found

3) Configure krb5.conf:
[libdefaults]
default_realm = WORK.LOCAL

[realms]
YPG.LOCAL={
kdc=DC.WORK.LOCAL
}
[domain_realm]
.kerberos.server=WORK.LOCAL

4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
6) Join the domain: net ads join -U my_admin_account
7) kinit my_admin_account

From then, users can connect to the shares on the server using Single 
Sign On. The issue is that if I look under my Active Directory, the 
server will state that it is a Domain Controller. Running the usual 
DC Info tools they seem to think the domain is ok. I would prefer to 
have the server say Member server, rather than DC :)


I would like to send you a screenshot of what Active Directory Users 
and Computers shows but this will be hard to do remotely.


Thanks,

Pieter

P.S. Good work on the AD integration btw, I am using the above for
Squid as well and it's pretty neat! :)




Re: [Samba] Samba3 joining W2k3 as member server

2012-12-21 Thread Pieter De Wit

On 18/12/2012 10:47, Andrew Bartlett wrote:

On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:

Hi list,

I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to
join a Windows 2003 domain as a member server, without any luck. I have
used, from memory, the official way of doing this (aka, from the samba.org
website). No matter what settings I use in smb.conf, the server always joins as
a domain controller. This doesn't seem to break the domain, however. All I am
after is that my users do not need to enter a username/password for access from
a domain PC to shares on my Linux box.

Any pointers please, or is this intended, as the server does single sign-on?

If you can list exactly the steps you took, we might be able to help.

But to answer your question:  Yes, Samba will happily join Windows 2003
as a domain member.  The key command is 'net ads join'.

Andrew Bartlett


Hi Andrew,

Sorry for the delay in my reply, things have been hectic closing down for
the holidays. In a nutshell, here is what I do/did:


1) apt-get install samba winbindd krb5-user
2) Configure smb.conf as per :

[global]

   workgroup = WORK
   realm = WORK.LOCAL
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
#   winbind enum users = Yes
#   winbind enum groups = Yes
#   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 2000-2
   idmap gid = 2000-2
   template shell = /bin/bash
   veto files = lost+found

3) Configure krb5.conf:
[libdefaults]
default_realm = WORK.LOCAL

[realms]
YPG.LOCAL={
kdc=DC.WORK.LOCAL
}
[domain_realm]
.kerberos.server=WORK.LOCAL

4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
6) Join the domain: net ads join -U my_admin_account
7) kinit my_admin_account

From then, users can connect to the shares on the server using Single 
Sign On. The issue is that if I look under my Active Directory, the 
server will state that it is a Domain Controller. Running the usual DC 
Info tools they seem to think the domain is ok. I would prefer to have 
the server say Member server, rather than DC :)


I would like to send you a screenshot of what Active Directory Users 
and Computers shows but this will be hard to do remotely.


Thanks,

Pieter

P.S. Good work on the AD integration btw, I am using the above for Squid
as well and it's pretty neat! :)

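A pre-flight check for the join procedure above, as an added example (mine, not Samba's own tooling). It reads the smb.conf/krb5.conf pair the way Samba and MIT krb5 do (parameter names compared without case or whitespace; one level of `{ }` nesting in krb5.conf) and reports the inconsistencies that make `net ads join` or the later Kerberos logons fail. The two embedded configs are constructed to mirror the ones posted in this message, not copied from a live system; run unchanged, the checker reports that `[realms]` names YPG.LOCAL while `realm` is WORK.LOCAL, that `[domain_realm]` never maps `.work.local`, and that the `idmap uid`/`idmap gid` range `2000-2` is not LOW-HIGH.

```python
"""Consistency check for the smb.conf + krb5.conf pair used with 'net ads join'.

Added example for this thread, not Samba code.  SMB_CONF and KRB5_CONF are
constructed to mirror the configs posted above; the checks are general.
"""
import re

SMB_CONF = """\
[global]
   workgroup = WORK
   realm = WORK.LOCAL
   preferred master = no
   security = ADS
   encrypt passwords = yes
#   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 2000-2
   idmap gid = 2000-2
   template shell = /bin/bash
"""

KRB5_CONF = """\
[libdefaults]
default_realm = WORK.LOCAL

[realms]
YPG.LOCAL={
kdc=DC.WORK.LOCAL
}
[domain_realm]
.kerberos.server=WORK.LOCAL
"""


def parse_smb_conf(text):
    """{section: {param: value}}; Samba ignores case and whitespace in parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def parse_krb5_conf(text):
    """{section: {tag: value}} where a 'TAG = { ... }' block becomes a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].strip(), None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = conf[section].setdefault(key, {})
            elif block is not None:
                block[key] = value
            else:
                conf[section][key] = value
    return conf


def check_join_config(smb_text, krb5_text):
    """Return 'error:'/'warn:' strings; an empty list means the pair is consistent."""
    findings = []
    smb = parse_smb_conf(smb_text).get("global", {})
    krb = parse_krb5_conf(krb5_text)
    realm = smb.get("realm", "").upper()

    if smb.get("security", "").lower() != "ads":
        findings.append("error: security must be ADS to join as an AD member")
    if not realm:
        findings.append("error: realm is not set")
    if not smb.get("workgroup"):
        findings.append("error: workgroup (the NetBIOS domain name) is not set")

    default_realm = krb.get("libdefaults", {}).get("default_realm", "").upper()
    if default_realm != realm:
        findings.append("error: krb5 default_realm %r differs from smb.conf realm %r"
                        % (default_realm, realm))

    realms = krb.get("realms", {})
    matching = [v for k, v in realms.items() if k.upper() == realm]
    if realm and not matching:
        findings.append("error: [realms] has no entry for %s (found: %s)"
                        % (realm, ", ".join(sorted(realms)) or "none"))
    elif realm and isinstance(matching[0], dict) and "kdc" not in matching[0]:
        findings.append("warn: [realms] %s lists no kdc; DNS SRV records must supply it" % realm)

    domain_realm = krb.get("domain_realm", {})
    if realm and not any(k.lower().lstrip(".") == realm.lower() and v.upper() == realm
                         for k, v in domain_realm.items()):
        findings.append("warn: [domain_realm] does not map .%s to %s" % (realm.lower(), realm))

    for param in ("idmapuid", "idmapgid"):   # deprecated names; newer Samba uses 'idmap config * : range'
        rng = smb.get(param)
        if rng is None:
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng)
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append("error: %s = %r is not LOW-HIGH with LOW < HIGH" % (param, rng))
    return findings


if __name__ == "__main__":
    for finding in check_join_config(SMB_CONF, KRB5_CONF):
        print(finding)
```

Point the two constants at real files before running `net ads join`; an empty result only says the two files agree with each other, it does not test DNS or reachability of the KDC.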


Re: [Samba] Samba3 joining W2k3 as member server

2012-12-21 Thread Andrew Bartlett
On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
 On 18/12/2012 10:47, Andrew Bartlett wrote:
  On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
  Hi list,
 
  I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS)
  to join a Windows 2003 domain as a member server, without any luck. I have
  used, from memory, the official way of doing this (aka, from the samba.org
  website). No matter what settings I use in smb.conf, the server always
  joins as a domain controller. This doesn't seem to break the domain,
  however. All I am after is that my users do not need to enter a
  username/password for access from a domain PC to shares on my Linux box.
  
  Any pointers please, or is this intended, as the server does single sign-on?
  If you can list exactly the steps you took, we might be able to help.
 
  But to answer your question:  Yes, Samba will happily join Windows 2003
  as a domain member.  The key command is 'net ads join'.
 
  Andrew Bartlett
 
 Hi Andrew,
 
 Sorry for the delay in my reply, things have been hectic closing down for
 the holidays. In a nutshell, here is what I do/did:
 
 1) apt-get install samba winbindd krb5-user
 2) Configure smb.conf as per :
 
 [global]
 
 workgroup = WORK
 realm = WORK.LOCAL
 preferred master = no
 server string = Linux Test Machine
 security = ADS
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 printcap name = cups
 printing = cups
 #   winbind enum users = Yes
 #   winbind enum groups = Yes
 #   winbind use default domain = Yes
 winbind nested groups = Yes
 winbind separator = +
 idmap uid = 2000-2
 idmap gid = 2000-2
 template shell = /bin/bash
 veto files = lost+found
 
 3) Configure krb5.conf:
 [libdefaults]
  default_realm = WORK.LOCAL
 
 [realms]
  YPG.LOCAL={
  kdc=DC.WORK.LOCAL
  }
 [domain_realm]
  .kerberos.server=WORK.LOCAL
 
 4) Restart Samba/Winbind
 5) In /etc/nsswitch.conf add winbind to passwd and group
 6) Join the domain: net ads join -U my_admin_account
 7) kinit my_admin_account
 
  From then, users can connect to the shares on the server using Single 
 Sign On. The issue is that if I look under my Active Directory, the 
 server will state that it is a Domain Controller. Running the usual DC 
 Info tools they seem to think the domain is ok. I would prefer to have 
 the server say Member server, rather than DC :)
 
 I would like to send you a screenshot of what Active Directory Users 
 and Computers shows but this will be hard to do remotely.

Many years ago, we found this issue, which was a display bug in ADUC.
We are almost certainly not registered as an AD DC, but because our
account flags in the directory don't match exactly what windows does,
then it promotes us to a DC in the GUI.  I saw this with Windows 2000
over a decade ago, but perhaps it wasn't fixed in 2003.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba3 joining W2k3 as member server

2012-12-21 Thread Pieter De Wit

On 22/12/2012 11:47, Andrew Bartlett wrote:

On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:

On 18/12/2012 10:47, Andrew Bartlett wrote:

On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:

Hi list,

I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to
join a Windows 2003 domain as a member server, without any luck. I have
used, from memory, the official way of doing this (aka, from the samba.org
website). No matter what settings I use in smb.conf, the server always joins as
a domain controller. This doesn't seem to break the domain, however. All I am
after is that my users do not need to enter a username/password for access from
a domain PC to shares on my Linux box.

Any pointers please, or is this intended, as the server does single sign-on?

If you can list exactly the steps you took, we might be able to help.

But to answer your question:  Yes, Samba will happily join Windows 2003
as a domain member.  The key command is 'net ads join'.

Andrew Bartlett


Hi Andrew,

Sorry for the delay in my reply, things have been hectic closing down for
the holidays. In a nutshell, here is what I do/did:

1) apt-get install samba winbindd krb5-user
2) Configure smb.conf as per :

[global]

 workgroup = WORK
 realm = WORK.LOCAL
 preferred master = no
 server string = Linux Test Machine
 security = ADS
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 printcap name = cups
 printing = cups
#   winbind enum users = Yes
#   winbind enum groups = Yes
#   winbind use default domain = Yes
 winbind nested groups = Yes
 winbind separator = +
 idmap uid = 2000-2
 idmap gid = 2000-2
 template shell = /bin/bash
 veto files = lost+found

3) Configure krb5.conf:
[libdefaults]
  default_realm = WORK.LOCAL

[realms]
  YPG.LOCAL={
  kdc=DC.WORK.LOCAL
  }
[domain_realm]
  .kerberos.server=WORK.LOCAL

4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
6) Join the domain: net ads join -U my_admin_account
7) kinit my_admin_account

  From then, users can connect to the shares on the server using Single
Sign On. The issue is that if I look under my Active Directory, the
server will state that it is a Domain Controller. Running the usual DC
Info tools they seem to think the domain is ok. I would prefer to have
the server say Member server, rather than DC :)

I would like to send you a screenshot of what Active Directory Users
and Computers shows but this will be hard to do remotely.

Many years ago, we found this issue, which was a display bug in ADUC.
We are almost certainly not registered as an AD DC, but because our
account flags in the directory don't match exactly what windows does,
then it promotes us to a DC in the GUI.  I saw this with Windows 2000
over a decade ago, but perhaps it wasn't fixed in 2003.

Andrew Bartlett


Hey Andrew,

I suspect it is the same issue. Is it worth logging a bug for it? In my
case I have other people that maintain AD and I would prefer to clean
it up. If it is in the too-hard-to-fix basket (I know MS isn't really
forthcoming with info re AD), then so be it.


Cheers,

Pieter


Re: [Samba] Samba3 joining W2k3 as member server

2012-12-21 Thread Andrew Bartlett
On Sat, 2012-12-22 at 12:01 +1300, Pieter De Wit wrote:
 On 22/12/2012 11:47, Andrew Bartlett wrote:
  On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
  On 18/12/2012 10:47, Andrew Bartlett wrote:
  On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
  Hi list,
 
  I have tried with all my might to get a samba3 server (Ubuntu 12.04.1
  LTS) to join a Windows 2003 domain as a member server, without any luck.
  I have used, from memory, the official way of doing this (aka, from the
  samba.org website). No matter what settings I use in smb.conf, the
  server always joins as a domain controller. This doesn't seem to break
  the domain, however. All I am after is that my users do not need to
  enter a username/password for access from a domain PC to shares on my
  Linux box.
  
  Any pointers please, or is this intended, as the server does single sign-on?
  If you can list exactly the steps you took, we might be able to help.
 
  But to answer your question:  Yes, Samba will happily join Windows 2003
  as a domain member.  The key command is 'net ads join'.
 
  Andrew Bartlett
 
  Hi Andrew,
 
  Sorry for the delay in my reply, things have been hectic closing down for
  the holidays. In a nutshell, here is what I do/did:
 
  1) apt-get install samba winbindd krb5-user
  2) Configure smb.conf as per :
 
  [global]
 
   workgroup = WORK
   realm = WORK.LOCAL
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
  #   winbind enum users = Yes
  #   winbind enum groups = Yes
  #   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 2000-2
   idmap gid = 2000-2
   template shell = /bin/bash
   veto files = lost+found
 
  3) Configure krb5.conf:
  [libdefaults]
default_realm = WORK.LOCAL
 
  [realms]
YPG.LOCAL={
kdc=DC.WORK.LOCAL
}
  [domain_realm]
.kerberos.server=WORK.LOCAL
 
  4) Restart Samba/Winbind
  5) In /etc/nsswitch.conf add winbind to passwd and group
  6) Join the domain: net ads join -U my_admin_account
  7) kinit my_admin_account
 
From then, users can connect to the shares on the server using Single
  Sign On. The issue is that if I look under my Active Directory, the
  server will state that it is a Domain Controller. Running the usual DC
  Info tools they seem to think the domain is ok. I would prefer to have
  the server say Member server, rather than DC :)
 
  I would like to send you a screenshot of what Active Directory Users
  and Computers shows but this will be hard to do remotely.
  Many years ago, we found this issue, which was a display bug in ADUC.
  We are almost certainly not registered as an AD DC, but because our
  account flags in the directory don't match exactly what windows does,
  then it promotes us to a DC in the GUI.  I saw this with Windows 2000
  over a decade ago, but perhaps it wasn't fixed in 2003.
 
  Andrew Bartlett
 
 Hey Andrew,
 
 I suspect it is the same issue. Is it worth logging a bug for it? In my
 case I have other people that maintain AD and I would prefer to clean
 it up. If it is in the too-hard-to-fix basket (I know MS isn't really
 forthcoming with info re AD), then so be it.

Microsoft is very forthcoming on info re AD.  However, please check if
the latest tools from Microsoft also show this incorrectly as a DC.

If you want to send me the userAccountControl value it set, I can
confirm it doesn't have the DC flag set. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba3 joining W2k3 as member server

2012-12-21 Thread Pieter De Wit
I stand corrected re the MS comment then. How do I get the userAccountControl?

Thx

Sent from my iPhone

On 22/12/2012, at 12:18, Andrew Bartlett abart...@samba.org wrote:

 On Sat, 2012-12-22 at 12:01 +1300, Pieter De Wit wrote:
 On 22/12/2012 11:47, Andrew Bartlett wrote:
 On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
 On 18/12/2012 10:47, Andrew Bartlett wrote:
 On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
 Hi list,
 
 I have tried with all my might to get a samba3 server (Ubuntu 12.04.1
 LTS) to join a Windows 2003 domain as a member server, without any luck.
 I have used, from memory, the official way of doing this (aka, from the
 samba.org website). No matter what settings I use in smb.conf, the
 server always joins as a domain controller. This doesn't seem to break
 the domain, however. All I am after is that my users do not need to
 enter a username/password for access from a domain PC to shares on my
 Linux box.
 
 Any pointers please, or is this intended, as the server does single sign-on?
 If you can list exactly the steps you took, we might be able to help.
 
 But to answer your question:  Yes, Samba will happily join Windows 2003
 as a domain member.  The key command is 'net ads join'.
 
 Andrew Bartlett
 Hi Andrew,
 
 Sorry for the delay in my reply, things have been hectic closing down for
 the holidays. In a nutshell, here is what I do/did:
 
 1) apt-get install samba winbindd krb5-user
 2) Configure smb.conf as per :
 
 [global]
 
 workgroup = WORK
 realm = WORK.LOCAL
 preferred master = no
 server string = Linux Test Machine
 security = ADS
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 printcap name = cups
 printing = cups
 #   winbind enum users = Yes
 #   winbind enum groups = Yes
 #   winbind use default domain = Yes
 winbind nested groups = Yes
 winbind separator = +
 idmap uid = 2000-2
 idmap gid = 2000-2
 template shell = /bin/bash
 veto files = lost+found
 
 3) Configure krb5.conf:
 [libdefaults]
  default_realm = WORK.LOCAL
 
 [realms]
  YPG.LOCAL={
  kdc=DC.WORK.LOCAL
  }
 [domain_realm]
  .kerberos.server=WORK.LOCAL
 
 4) Restart Samba/Winbind
 5) In /etc/nsswitch.conf add winbind to passwd and group
 6) Join the domain: net ads join -U my_admin_account
 7) kinit my_admin_account
 
  From then, users can connect to the shares on the server using Single
 Sign On. The issue is that if I look under my Active Directory, the
 server will state that it is a Domain Controller. Running the usual DC
 Info tools they seem to think the domain is ok. I would prefer to have
 the server say Member server, rather than DC :)
 
 I would like to send you a screenshot of what Active Directory Users
 and Computers shows but this will be hard to do remotely.
 Many years ago, we found this issue, which was a display bug in ADUC.
 We are almost certainly not registered as an AD DC, but because our
 account flags in the directory don't match exactly what windows does,
 then it promotes us to a DC in the GUI.  I saw this with Windows 2000
 over a decade ago, but perhaps it wasn't fixed in 2003.
 
 Andrew Bartlett
 Hey Andrew,
 
 I suspect it is the same issue. Is it worth logging a bug for it? In my
 case I have other people that maintain AD and I would prefer to clean
 it up. If it is in the too-hard-to-fix basket (I know MS isn't really
 forthcoming with info re AD), then so be it.
 
 Microsoft is very forthcoming on info re AD.  However, please check if
 the latest tools from Microsoft also show this incorrectly as a DC.
 
 If you want to send me the userAccountControl value it set, I can
 confirm it doesn't have the DC flag set. 
 
 Andrew Bartlett
 
 -- 
 Andrew Bartlett                                http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 
 


Re: [Samba] Samba3 joining W2k3 as member server

2012-12-21 Thread Andrew Bartlett
On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote:
 I stand corrected re the MS comment then. How do I get the userAccountControl?

userAccountControl is an ldap attribute, on the DC object.  ldapsearch,
or a GUI LDAP browser (ldp.exe on windows is one) will be able to show
it.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


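The ldapsearch pointer in this reply and the bit decoding in Andrew's later replies (69632 = 0x11000 = UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD, with the DC bit UF_SERVER_TRUST_ACCOUNT 0x2000 clear), combined into one added example; this is my code, not Samba's or Microsoft's. It parses `userAccountControl` out of ldapsearch LDIF, names the bits that are set, classifies the account from the mutually exclusive account-type bits, and flags the settings on a computer object that a domain admin would want to know about. The UF_* values are the standard userAccountControl bits (MS-SAMR; Samba uses the same UF_ names). The LDIF, DNs and host names are constructed, not captured.

```python
"""Decode and audit an Active Directory userAccountControl value.

Added example for this thread, not Samba or Microsoft code.  UF_FLAGS holds
the standard userAccountControl bits; SAMPLE_LDIF is constructed to look like
ldapsearch output, and its DNs and host names are assumptions.
"""
import re

UF_FLAGS = {
    "UF_SCRIPT": 0x00000001,
    "UF_ACCOUNTDISABLE": 0x00000002,
    "UF_HOMEDIR_REQUIRED": 0x00000008,
    "UF_LOCKOUT": 0x00000010,
    "UF_PASSWD_NOTREQD": 0x00000020,
    "UF_PASSWD_CANT_CHANGE": 0x00000040,
    "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x00000080,
    "UF_TEMP_DUPLICATE_ACCOUNT": 0x00000100,
    "UF_NORMAL_ACCOUNT": 0x00000200,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 0x00000800,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "UF_SERVER_TRUST_ACCOUNT": 0x00002000,       # the domain-controller bit
    "UF_DONT_EXPIRE_PASSWD": 0x00010000,
    "UF_MNS_LOGON_ACCOUNT": 0x00020000,
    "UF_SMARTCARD_REQUIRED": 0x00040000,
    "UF_TRUSTED_FOR_DELEGATION": 0x00080000,     # unconstrained delegation
    "UF_NOT_DELEGATED": 0x00100000,
    "UF_USE_DES_KEY_ONLY": 0x00200000,
    "UF_DONT_REQUIRE_PREAUTH": 0x00400000,
    "UF_PASSWORD_EXPIRED": 0x00800000,
    "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x01000000,
    "UF_NO_AUTH_DATA_REQUIRED": 0x02000000,
    "UF_PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}
KNOWN_BITS = 0
for _bit in UF_FLAGS.values():
    KNOWN_BITS |= _bit

# Constructed sample, shaped like the output of (host names assumed):
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.work.local -b DC=work,DC=local \
#       '(objectClass=computer)' userAccountControl
SAMPLE_LDIF = """\
dn: CN=LINUXBOX,CN=Computers,DC=work,DC=local
userAccountControl: 69632

dn: CN=DC,OU=Domain Controllers,DC=work,DC=local
userAccountControl: 532480
"""


def decode_uac(value):
    """Names of the UF_* bits set in value, plus a marker for any bit we do not know."""
    names = [name for name, bit in UF_FLAGS.items() if value & bit]
    if value & ~KNOWN_BITS:
        names.append("UNKNOWN_0x%08x" % (value & ~KNOWN_BITS))
    return names


def account_kind(value):
    """Classify by the mutually exclusive account-type bits."""
    if value & UF_FLAGS["UF_SERVER_TRUST_ACCOUNT"]:
        return "domain controller"
    if value & UF_FLAGS["UF_WORKSTATION_TRUST_ACCOUNT"]:
        return "member server or workstation"
    if value & UF_FLAGS["UF_INTERDOMAIN_TRUST_ACCOUNT"]:
        return "interdomain trust"
    if value & UF_FLAGS["UF_NORMAL_ACCOUNT"]:
        return "user"
    return "unknown"


def parse_ldif_uac(ldif):
    """Map each dn in ldapsearch LDIF output to its userAccountControl integer."""
    unfolded = re.sub(r"\n ", "", ldif)   # LDIF continues long lines with a leading space
    result, dn = {}, None
    for line in unfolded.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.lower().startswith("useraccountcontrol:"):
            result[dn] = int(line.split(":", 1)[1])
    return result


def audit_machine_account(value, expect_dc=False):
    """Findings for a computer object; expect_dc=True for objects that should be DCs."""
    findings = []
    kind = account_kind(value)
    if expect_dc and kind != "domain controller":
        findings.append("expected a DC but UF_SERVER_TRUST_ACCOUNT is clear")
    elif not expect_dc and kind != "member server or workstation":
        findings.append("account type is %r, not a workstation trust account" % kind)
    if value & UF_FLAGS["UF_DONT_EXPIRE_PASSWD"]:
        findings.append("UF_DONT_EXPIRE_PASSWD set: a Windows-joined computer is normally plain 0x1000")
    if not expect_dc and value & UF_FLAGS["UF_TRUSTED_FOR_DELEGATION"]:
        findings.append("UF_TRUSTED_FOR_DELEGATION set: unconstrained delegation on a member")
    if value & UF_FLAGS["UF_DONT_REQUIRE_PREAUTH"]:
        findings.append("UF_DONT_REQUIRE_PREAUTH set: AS-REP roastable")
    if value & UF_FLAGS["UF_USE_DES_KEY_ONLY"]:
        findings.append("UF_USE_DES_KEY_ONLY set: DES-only Kerberos keys")
    if value & UF_FLAGS["UF_PASSWD_NOTREQD"]:
        findings.append("UF_PASSWD_NOTREQD set: an empty machine password is allowed")
    return findings


if __name__ == "__main__":
    for dn, uac in parse_ldif_uac(SAMPLE_LDIF).items():
        print(dn, "0x%x" % uac, account_kind(uac), " | ".join(decode_uac(uac)))
        for finding in audit_machine_account(uac, expect_dc="Domain Controllers" in dn):
            print("  !", finding)
```

Feed it real ldapsearch output in place of SAMPLE_LDIF. For the value in this thread, 69632, it reports a member server with only the UF_DONT_EXPIRE_PASSWD oddity; a DC shows up as UF_SERVER_TRUST_ACCOUNT, usually together with UF_TRUSTED_FOR_DELEGATION (0x82000 = 532480).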


Re: [Samba] Samba3 joining W2k3 as member server

2012-12-17 Thread Andrew Bartlett
On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
 Hi list,
 
 I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to
 join a Windows 2003 domain as a member server, without any luck. I have
 used, from memory, the official way of doing this (aka, from the samba.org
 website). No matter what settings I use in smb.conf, the server always joins
 as a domain controller. This doesn't seem to break the domain, however. All I
 am after is that my users do not need to enter a username/password for access
 from a domain PC to shares on my Linux box.
 
 Any pointers please, or is this intended, as the server does single sign-on?

If you can list exactly the steps you took, we might be able to help.

But to answer your question:  Yes, Samba will happily join Windows 2003
as a domain member.  The key command is 'net ads join'.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] Samba3 joining W2k3 as member server

2012-12-16 Thread Pieter De Wit
Hi list,

I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to
join a Windows 2003 domain as a member server, without any luck. I have
used, from memory, the official way of doing this (aka, from the samba.org
website). No matter what settings I use in smb.conf, the server always joins as
a domain controller. This doesn't seem to break the domain, however. All I am
after is that my users do not need to enter a username/password for access from
a domain PC to shares on my Linux box.

Any pointers please, or is this intended, as the server does single sign-on?

Thanks!

Pieter
Sent from my iPad