Re: [Samba] samba on solaris 11 can no longer join Windows AD domain

On Tue, 19 Sep 2017 08:26:02 -0400
Gaiseric Vandal via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On 09/19/17 05:30, Rowland Penny via samba wrote:
> 
> 
> Sorry, meant to copy and paste only the relevant stuff.   I think I
> hit paste twice.

The problem is that 'testparm -v' prints everything, what is actually
there plus ALL the default settings.

What you should have done is post the output of
'cat /etc/samba/smb.conf' and tell us what version of Samba you are
using.

> /etc/hosts does not include the AD Domain controllers.

Good, it shouldn't, but it should have the computer's own info in it if you
are not using DHCP.

> /etc/resolv.conf shows secondary DNS servers, which in turn sync data
> from the AD Domain controllers. I don't think this is a DNS issue
> since "net join" and "net ads join" are locating the AD domain
> controllers.

Try pointing the nameservers directly at the DCs.

> 
> /etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the
> ldapclient and kinit to join the machine to the MYDOMAIN AD realm for
> "Unix" level user and group lookups (via ldap) and kerberos
> authentication. I did find that Solaris "native" kerberos and
> Samba expect krb5.keytab files in different locations, which I
> resolved with a symlink between /etc/krb5.keytab
> and /etc/krb5/krb5.keytab.

It is a long time since I used Solaris, so long that it was on an Ultra5,
but now that you remind me, it was in a different location.

> 
> #cat /etc/samba/smb.conf
> 
> [global]
> 
>          private dir = /etc/samba/private
>          smb passwd file = /etc/samba/private/smbpasswd
> 
> 
> syslog = 3
> 
> log level = 10
> client ldap sasl wrapping = plain
> ldap server require strong auth = no
> create krb5 conf = no
> 
> ...
> # max protocol = used to define the supported protocol. The default is NT1. You
> # can set it to SMB2 if you want experimental SMB2 support.
> #
>   
>          workgroup = MYDOMAIN
>          server string = Samba Server Version %v
> 
> 
>          netbios name = MYSERVER
>          passdb backend = tdbsam
>          security = ads
>          realm = MYDOMAIN.COM
> 
> 
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-2999
> 
>        idmap config MYDOMAIN:backend = ad
>        idmap config MYDOMAIN:schema_mode = rfc2307
>        idmap config MYDOMAIN:range = 100-1999

What happens when/if you reach uidNumber 2000 ?

> 
> 
> 
> 
>         # Use settings from AD for login shell and home directory
>         winbind nss info = rfc2307
>          winbind enum users = yes
>          winbind enum groups = yes
> 
> 
> 
>          domain master = no
>          domain logons = no
> 

There doesn't seem to be anything really wrong, so you should be able
to join AD; try turning up the debug level and see if anything pops out.

Rowland
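
Rowland's question about uidNumber 2000 comes down to how the two idmap ranges above interact: the idmap_ad backend only uses an AD uidNumber that falls inside its own domain's range, and a MYDOMAIN user outside 100-1999 does not fall through to the "*" tdb range, so such a user gets no Unix ID. As an added example (not code from the thread or from Samba), a small Python checker that parses the quoted idmap settings, verifies the ranges are disjoint, and reports whether a given AD uidNumber would be mapped; SMB_CONF is constructed from the config quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap settings from the smb.conf quoted in this thread.
SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-2999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 100-1999
"""

# Matches "idmap config DOMAIN:key = value" (DOMAIN may be "*").
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap config lines into {domain: {key: value}}."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).strip(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a (low, high) pair of ints."""
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def overlapping_ranges(domains: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return pairs of domains whose ranges overlap; Samba requires them to be disjoint."""
    items = [(d, parse_range(c["range"])) for d, c in domains.items() if "range" in c]
    clashes = []
    for i, (d1, (lo1, hi1)) in enumerate(items):
        for d2, (lo2, hi2) in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                clashes.append((d1, d2))
    return clashes


def classify_uid(domains: Dict[str, Dict[str, str]], domain: str, uid_number: int) -> str:
    """What winbind does with an AD uidNumber for a user of `domain` under the 'ad'
    backend: used only if inside that domain's range; otherwise the user is unmapped,
    even when another domain's range (such as '*') would cover the number."""
    lo, hi = parse_range(domains[domain]["range"])
    return "mapped" if lo <= uid_number <= hi else "unmapped"


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping_ranges(cfg))
    for uid in (150, 1999, 2000):  # 2000 is the case Rowland asks about
        print(uid, classify_uid(cfg, "MYDOMAIN", uid))
```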


