Web lists-archives.com

Re: [Samba] AD integration not working after move/version

Hi Henrik,

Am 18.03.2017 um 16:06 schrieb Henrik Johansson via samba:
Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

That's not really a step forward to a supported Samba version. :-)

# Global parameters
        log file = /var/samba/log/clientlog.%m
        dns proxy = No
        acl check permissions = False
        netbios aliases = string1
        server string = string1
        name resolve order = hosts bcast
        realm = DOMAIN.NET
        password server = server3.string1.net sever4.string1.net
#       wins server = x.x.x.x
        local master = no
        workgroup = WGNAME
        os level = 0
        domain master = no
        encrypt passwords = yes
        security = DOMAIN
        unix charset = ISO8859-1
        max log size = 50
        # Fix for not to do lpstat since we don't use printers in Samba
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

First some nitpicks about your smb.conf:
* netbios aliases = string1
  Makes no sense to set an alias to exactly the same name
  as "server string" :-)

* password server: If there is not reason to only request some
  specific servers, I would not limit this. If both are down,
  Samba won't talk to other remaining DCs.

* encrypt passwords = yes
  This is default since a longer time.

This are just some improvement suggestions, but not related to your problem.

Ok. And now the things that are incorrect for a Samba AD domain member:

* realm = DOMAIN.NET   and   workgroup = WGNAME
  In this case, I would expect that "DOMAIN" is your NetBIOS domain
  name ("workgroup" setting), not something different. If this
  really matches your AD setup, it should work - but it's not
  the recommended way how to set up an AD.

* security = DOMAIN
  This setting is for an NT4 domain. Use "security = ADS"

* Your ID mapping configuration is missing completely.
  See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
  No warranty that this works for 3.6. Our documentation only
  covers supported Samba versions.

I recommend the following:

* Update Samba to a supported version (recommended: 4.6.0).
  Samba 3.6 was released 2011. A lot of things regarding AD were
  improved in later releases.

* Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
  I recently rewrote the doc and it works for all supported versions.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba