Re: [Samba] Samba3 joining W2k3 as member server
On Sat, 2012-12-29 at 19:31 +1300, Pieter De Wit wrote: On 28/12/2012 10:45, Andrew Bartlett wrote: On Fri, 2012-12-28 at 10:30 +1300, Pieter De Wit wrote: On 22/12/2012 14:56, Andrew Bartlett wrote: On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote: I stand corrected re the MS comment then. How do I get the userAccountControl? userAccountControl is an ldap attribute, on the DC object. ldapsearch, or a GUI LDAP browser (ldp.exe on windows is one) will be able to show it. Andrew Bartlett Hi Andrew, Finally got time to pull this: userAccountControl: 69632 This is 0x11000 #define UF_WORKSTATION_TRUST_ACCOUNT0x1000 #define UF_DONT_EXPIRE_PASSWD 0x0001 If this remains an issue with current management tools, then I guess we can raise a bug to see if we really, really need to set UF_DONT_EXPIRE_PASSWD in that bitmask. Andrew Bartlett Andrew, Is it worth setting the value to 0x1000 and see what the tools show before logging the bug ? It would be a useful data point. What is the correct value for a Member Server ? It just needs UF_WORKSTATION_TRUST_ACCOUNT I've seen contradictory stuff about if workstation accounts can expire. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On 28/12/2012 10:45, Andrew Bartlett wrote: On Fri, 2012-12-28 at 10:30 +1300, Pieter De Wit wrote: On 22/12/2012 14:56, Andrew Bartlett wrote: On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote: I stand corrected re the MS comment then. How do I get the userAccountControl? userAccountControl is an ldap attribute, on the DC object. ldapsearch, or a GUI LDAP browser (ldp.exe on windows is one) will be able to show it. Andrew Bartlett Hi Andrew, Finally got time to pull this: userAccountControl: 69632 This is 0x11000 #define UF_WORKSTATION_TRUST_ACCOUNT0x1000 #define UF_DONT_EXPIRE_PASSWD 0x0001 If this remains an issue with current management tools, then I guess we can raise a bug to see if we really, really need to set UF_DONT_EXPIRE_PASSWD in that bitmask. Andrew Bartlett Andrew, Is it worth setting the value to 0x1000 and see what the tools show before logging the bug ? What is the correct value for a Member Server ? Cheers, Pieter -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On 22/12/2012 14:56, Andrew Bartlett wrote: On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote: I stand corrected re the MS comment then. How do I get the userAccountControl? userAccountControl is an ldap attribute, on the DC object. ldapsearch, or a GUI LDAP browser (ldp.exe on windows is one) will be able to show it. Andrew Bartlett Hi Andrew, Finally got time to pull this: userAccountControl: 69632 Thanks, Pieter -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On 23/12/2012 03:31, Carlos R. Pena Evertsz wrote: Hi Pieter, I need to do the same, join a Ubuntu 12.04 samba server to an existing Win2k3. Could you post an example of the shares configuration (users and group read and write permitions) to be used in your example of a samba server as a domain member? Thanks. Carlos Pena Santo Domingo, Dominican Republic On 12/21/2012 5:36 PM, Pieter De Wit wrote: On 18/12/2012 10:47, Andrew Bartlett wrote: On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote: Hi list, I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used,from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain how ever. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box. Any pointers please or is this intended as the server does single sign? If you can list exactly the steps you took, we might be able to help. But to answer your question: Yes, Samba will happily join Windows 2003 as a domain member. The key command is 'net ads join'. Andrew Bartlett Hi Andrew, Sorry for the delay in my reply, things has been hectic closing down for the holidays. In a nut shell, there is what I do/did: 1) apt-get install samba winbindd krb5-user 2) Configure smb.conf as per : [global] workgroup = WORK realm = WORK.LOCAL preferred master = no server string = Linux Test Machine security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 printcap name = cups printing = cups # winbind enum users = Yes # winbind enum groups = Yes # winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 2000-2 idmap gid = 2000-2 template shell = /bin/bash veto files = lost+found 3) Configure krb5.conf: [libdefaults] default_realm = WORK.LOCAL [realms] YPG.LOCAL={ kdc=DC.WORK.LOCAL } [domain_realm] .kerberos.server=WORK.LOCAL 4) Restart Samba/Winbind 5) In /etc/nsswitch.conf add winbind to passwd and group 5) Join the domain : net ads join -U my_admin_account 6) kinit my_admin_account From then, users can connect to the shares on the server using Single Sign On. The issue is that if I look under my Active Directory, the server will state that it is a Domain Controller. Running the usual DC Info tools they seem to think the domain is ok. I would prefer to have the server say Member server, rather than DC :) I would like to send you a screenshot of what Active Directory Users and Computers shows but this will be hard to do remotely. Thanks, Pieter P.S. Good work on the AD integration btw, I am using the above for Squid aswell and it's pretty neat ! :) Hi Carlos, My shares are create like normal shares. The only part that changes is the ref to Domain users. They are WORK+USERNAME, using a previous naming setup, my user account would be as follow: WORK+dewitp So I could have something like: [dump] comment=Data Dump read only=no browseable=yes path=/srv/exports/dump valid user=WORK+user1,WORK+user2 I also noted that if you have ext4 (havn't tried the rest) and you create user permissions on a folder, it is added as extended attribs - WELL DONE SAMBA ! :) HTH, Pieter -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On Fri, 2012-12-28 at 10:30 +1300, Pieter De Wit wrote: On 22/12/2012 14:56, Andrew Bartlett wrote: On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote: I stand corrected re the MS comment then. How do I get the userAccountControl? userAccountControl is an ldap attribute, on the DC object. ldapsearch, or a GUI LDAP browser (ldp.exe on windows is one) will be able to show it. Andrew Bartlett Hi Andrew, Finally got time to pull this: userAccountControl: 69632 This is 0x11000 #define UF_WORKSTATION_TRUST_ACCOUNT0x1000 #define UF_DONT_EXPIRE_PASSWD 0x0001 If this remains an issue with current management tools, then I guess we can raise a bug to see if we really, really need to set UF_DONT_EXPIRE_PASSWD in that bitmask. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
Hi Pieter, I need to do the same, join a Ubuntu 12.04 samba server to an existing Win2k3. Could you post an example of the shares configuration (users and group read and write permitions) to be used in your example of a samba server as a domain member? Thanks. Carlos Pena Santo Domingo, Dominican Republic On 12/21/2012 5:36 PM, Pieter De Wit wrote: On 18/12/2012 10:47, Andrew Bartlett wrote: On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote: Hi list, I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used,from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain how ever. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box. Any pointers please or is this intended as the server does single sign? If you can list exactly the steps you took, we might be able to help. But to answer your question: Yes, Samba will happily join Windows 2003 as a domain member. The key command is 'net ads join'. Andrew Bartlett Hi Andrew, Sorry for the delay in my reply, things has been hectic closing down for the holidays. In a nut shell, there is what I do/did: 1) apt-get install samba winbindd krb5-user 2) Configure smb.conf as per : [global] workgroup = WORK realm = WORK.LOCAL preferred master = no server string = Linux Test Machine security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 printcap name = cups printing = cups # winbind enum users = Yes # winbind enum groups = Yes # winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 2000-2 idmap gid = 2000-2 template shell = /bin/bash veto files = lost+found 3) Configure krb5.conf: [libdefaults] default_realm = WORK.LOCAL [realms] YPG.LOCAL={ kdc=DC.WORK.LOCAL } [domain_realm] .kerberos.server=WORK.LOCAL 4) Restart Samba/Winbind 5) In /etc/nsswitch.conf add winbind to passwd and group 5) Join the domain : net ads join -U my_admin_account 6) kinit my_admin_account From then, users can connect to the shares on the server using Single Sign On. The issue is that if I look under my Active Directory, the server will state that it is a Domain Controller. Running the usual DC Info tools they seem to think the domain is ok. I would prefer to have the server say Member server, rather than DC :) I would like to send you a screenshot of what Active Directory Users and Computers shows but this will be hard to do remotely. Thanks, Pieter P.S. Good work on the AD integration btw, I am using the above for Squid aswell and it's pretty neat ! :) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On 18/12/2012 10:47, Andrew Bartlett wrote: On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote: Hi list, I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used,from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain how ever. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box. Any pointers please or is this intended as the server does single sign? If you can list exactly the steps you took, we might be able to help. But to answer your question: Yes, Samba will happily join Windows 2003 as a domain member. The key command is 'net ads join'. Andrew Bartlett Hi Andrew, Sorry for the delay in my reply, things has been hectic closing down for the holidays. In a nut shell, there is what I do/did: 1) apt-get install samba winbindd krb5-user 2) Configure smb.conf as per : [global] workgroup = WORK realm = WORK.LOCAL preferred master = no server string = Linux Test Machine security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 printcap name = cups printing = cups # winbind enum users = Yes # winbind enum groups = Yes # winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 2000-2 idmap gid = 2000-2 template shell = /bin/bash veto files = lost+found 3) Configure krb5.conf: [libdefaults] default_realm = WORK.LOCAL [realms] YPG.LOCAL={ kdc=DC.WORK.LOCAL } [domain_realm] .kerberos.server=WORK.LOCAL 4) Restart Samba/Winbind 5) In /etc/nsswitch.conf add winbind to passwd and group 5) Join the domain : net ads join -U my_admin_account 6) kinit my_admin_account From then, users can connect to the shares on the server using Single Sign On. The issue is that if I look under my Active Directory, the server will state that it is a Domain Controller. Running the usual DC Info tools they seem to think the domain is ok. I would prefer to have the server say Member server, rather than DC :) I would like to send you a screenshot of what Active Directory Users and Computers shows but this will be hard to do remotely. Thanks, Pieter P.S. Good work on the AD integration btw, I am using the above for Squid aswell and it's pretty neat ! :) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote: On 18/12/2012 10:47, Andrew Bartlett wrote: On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote: Hi list, I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used,from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain how ever. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box. Any pointers please or is this intended as the server does single sign? If you can list exactly the steps you took, we might be able to help. But to answer your question: Yes, Samba will happily join Windows 2003 as a domain member. The key command is 'net ads join'. Andrew Bartlett Hi Andrew, Sorry for the delay in my reply, things has been hectic closing down for the holidays. In a nut shell, there is what I do/did: 1) apt-get install samba winbindd krb5-user 2) Configure smb.conf as per : [global] workgroup = WORK realm = WORK.LOCAL preferred master = no server string = Linux Test Machine security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 printcap name = cups printing = cups # winbind enum users = Yes # winbind enum groups = Yes # winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 2000-2 idmap gid = 2000-2 template shell = /bin/bash veto files = lost+found 3) Configure krb5.conf: [libdefaults] default_realm = WORK.LOCAL [realms] YPG.LOCAL={ kdc=DC.WORK.LOCAL } [domain_realm] .kerberos.server=WORK.LOCAL 4) Restart Samba/Winbind 5) In /etc/nsswitch.conf add winbind to passwd and group 5) Join the domain : net ads join -U my_admin_account 6) kinit my_admin_account From then, users can connect to the shares on the server using Single Sign On. The issue is that if I look under my Active Directory, the server will state that it is a Domain Controller. Running the usual DC Info tools they seem to think the domain is ok. I would prefer to have the server say Member server, rather than DC :) I would like to send you a screenshot of what Active Directory Users and Computers shows but this will be hard to do remotely. Many years ago, we found this issue, which was a display but in ADUC. We are almost certainly not registered as an AD DC, but because our account flags in the directory don't match exactly what windows does, then it promotes us to a DC in the GUI. I saw this with Windows 2000 over a decade ago, but perhaps it wasn't fixed in 2003. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On 22/12/2012 11:47, Andrew Bartlett wrote: On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote: On 18/12/2012 10:47, Andrew Bartlett wrote: On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote: Hi list, I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used,from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain how ever. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box. Any pointers please or is this intended as the server does single sign? If you can list exactly the steps you took, we might be able to help. But to answer your question: Yes, Samba will happily join Windows 2003 as a domain member. The key command is 'net ads join'. Andrew Bartlett Hi Andrew, Sorry for the delay in my reply, things has been hectic closing down for the holidays. In a nut shell, there is what I do/did: 1) apt-get install samba winbindd krb5-user 2) Configure smb.conf as per : [global] workgroup = WORK realm = WORK.LOCAL preferred master = no server string = Linux Test Machine security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 printcap name = cups printing = cups # winbind enum users = Yes # winbind enum groups = Yes # winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 2000-2 idmap gid = 2000-2 template shell = /bin/bash veto files = lost+found 3) Configure krb5.conf: [libdefaults] default_realm = WORK.LOCAL [realms] YPG.LOCAL={ kdc=DC.WORK.LOCAL } [domain_realm] .kerberos.server=WORK.LOCAL 4) Restart Samba/Winbind 5) In /etc/nsswitch.conf add winbind to passwd and group 5) Join the domain : net ads join -U my_admin_account 6) kinit my_admin_account From then, users can connect to the shares on the server using Single Sign On. The issue is that if I look under my Active Directory, the server will state that it is a Domain Controller. Running the usual DC Info tools they seem to think the domain is ok. I would prefer to have the server say Member server, rather than DC :) I would like to send you a screenshot of what Active Directory Users and Computers shows but this will be hard to do remotely. Many years ago, we found this issue, which was a display but in ADUC. We are almost certainly not registered as an AD DC, but because our account flags in the directory don't match exactly what windows does, then it promotes us to a DC in the GUI. I saw this with Windows 2000 over a decade ago, but perhaps it wasn't fixed in 2003. Andrew Bartlett Hey Andrew, I suspect it is the same issue. Is it worth logging a bug for it ? In my case I have other people that maintain AD and I would prefer to clean it up. If it is in the too hard to fix basket (I know MS isn't really forth comming with info re AD), then so be it. Cheers, Pieter -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On Sat, 2012-12-22 at 12:01 +1300, Pieter De Wit wrote: On 22/12/2012 11:47, Andrew Bartlett wrote: On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote: On 18/12/2012 10:47, Andrew Bartlett wrote: On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote: Hi list, I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used,from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain how ever. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box. Any pointers please or is this intended as the server does single sign? If you can list exactly the steps you took, we might be able to help. But to answer your question: Yes, Samba will happily join Windows 2003 as a domain member. The key command is 'net ads join'. Andrew Bartlett Hi Andrew, Sorry for the delay in my reply, things has been hectic closing down for the holidays. In a nut shell, there is what I do/did: 1) apt-get install samba winbindd krb5-user 2) Configure smb.conf as per : [global] workgroup = WORK realm = WORK.LOCAL preferred master = no server string = Linux Test Machine security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 printcap name = cups printing = cups # winbind enum users = Yes # winbind enum groups = Yes # winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 2000-2 idmap gid = 2000-2 template shell = /bin/bash veto files = lost+found 3) Configure krb5.conf: [libdefaults] default_realm = WORK.LOCAL [realms] YPG.LOCAL={ kdc=DC.WORK.LOCAL } [domain_realm] .kerberos.server=WORK.LOCAL 4) Restart Samba/Winbind 5) In /etc/nsswitch.conf add winbind to passwd and group 5) Join the domain : net ads join -U my_admin_account 6) kinit my_admin_account From then, users can connect to the shares on the server using Single Sign On. The issue is that if I look under my Active Directory, the server will state that it is a Domain Controller. Running the usual DC Info tools they seem to think the domain is ok. I would prefer to have the server say Member server, rather than DC :) I would like to send you a screenshot of what Active Directory Users and Computers shows but this will be hard to do remotely. Many years ago, we found this issue, which was a display but in ADUC. We are almost certainly not registered as an AD DC, but because our account flags in the directory don't match exactly what windows does, then it promotes us to a DC in the GUI. I saw this with Windows 2000 over a decade ago, but perhaps it wasn't fixed in 2003. Andrew Bartlett Hey Andrew, I suspect it is the same issue. Is it worth logging a bug for it ? In my case I have other people that maintain AD and I would prefer to clean it up. If it is in the too hard to fix basket (I know MS isn't really forth comming with info re AD), then so be it. Microsoft is very forthcoming on info re AD. However, please check if the latest tools from Microsoft also show this incorrectly as a DC. If you want to send me the userAccountControl value it set, I can confirm it doesn't have the DC flag set. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
I stand corrected re the MS comment then. How do I get the userAccountControl? Thx Sent from my iPhone On 22/12/2012, at 12:18, Andrew Bartlett abart...@samba.org wrote: On Sat, 2012-12-22 at 12:01 +1300, Pieter De Wit wrote: On 22/12/2012 11:47, Andrew Bartlett wrote: On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote: On 18/12/2012 10:47, Andrew Bartlett wrote: On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote: Hi list, I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used,from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain how ever. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box. Any pointers please or is this intended as the server does single sign? If you can list exactly the steps you took, we might be able to help. But to answer your question: Yes, Samba will happily join Windows 2003 as a domain member. The key command is 'net ads join'. Andrew Bartlett Hi Andrew, Sorry for the delay in my reply, things has been hectic closing down for the holidays. In a nut shell, there is what I do/did: 1) apt-get install samba winbindd krb5-user 2) Configure smb.conf as per : [global] workgroup = WORK realm = WORK.LOCAL preferred master = no server string = Linux Test Machine security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 printcap name = cups printing = cups # winbind enum users = Yes # winbind enum groups = Yes # winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 2000-2 idmap gid = 2000-2 template shell = /bin/bash veto files = lost+found 3) Configure krb5.conf: [libdefaults] default_realm = WORK.LOCAL [realms] YPG.LOCAL={ kdc=DC.WORK.LOCAL } [domain_realm] .kerberos.server=WORK.LOCAL 4) Restart Samba/Winbind 5) In /etc/nsswitch.conf add winbind to passwd and group 5) Join the domain : net ads join -U my_admin_account 6) kinit my_admin_account From then, users can connect to the shares on the server using Single Sign On. The issue is that if I look under my Active Directory, the server will state that it is a Domain Controller. Running the usual DC Info tools they seem to think the domain is ok. I would prefer to have the server say Member server, rather than DC :) I would like to send you a screenshot of what Active Directory Users and Computers shows but this will be hard to do remotely. Many years ago, we found this issue, which was a display but in ADUC. We are almost certainly not registered as an AD DC, but because our account flags in the directory don't match exactly what windows does, then it promotes us to a DC in the GUI. I saw this with Windows 2000 over a decade ago, but perhaps it wasn't fixed in 2003. Andrew Bartlett Hey Andrew, I suspect it is the same issue. Is it worth logging a bug for it ? In my case I have other people that maintain AD and I would prefer to clean it up. If it is in the too hard to fix basket (I know MS isn't really forth comming with info re AD), then so be it. Microsoft is very forthcoming on info re AD. However, please check if the latest tools from Microsoft also show this incorrectly as a DC. If you want to send me the userAccountControl value it set, I can confirm it doesn't have the DC flag set. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote: I stand corrected re the MS comment then. How do I get the userAccountControl? userAccountControl is an ldap attribute, on the DC object. ldapsearch, or a GUI LDAP browser (ldp.exe on windows is one) will be able to show it. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote: Hi list, I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used,from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain how ever. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box. Any pointers please or is this intended as the server does single sign? If you can list exactly the steps you took, we might be able to help. But to answer your question: Yes, Samba will happily join Windows 2003 as a domain member. The key command is 'net ads join'. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba3 joining W2k3 as member server
Hi list, I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used,from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain how ever. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box. Any pointers please or is this intended as the server does single sign? Thanks! Pieter Sent from my iPad -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba