Web lists-archives.com

Re: [Samba] samba on solaris 11 can not longer join Windows AD domain

On 09/19/17 09:28, Rowland Penny via samba wrote:
On Tue, 19 Sep 2017 08:26:02 -0400
Gaiseric Vandal via samba <samba@xxxxxxxxxxxxxxx> wrote:

On 09/19/17 05:30, Rowland Penny via samba wrote:

Sorry, meant to copy and paste only the relevant stuff.   I think I
hit paste twice.
The problem is that 'testparm -v' prints everything, what is actually
there plus ALL the default settings.

What you should have done is post the output of
'cat /etc/samba/smb.conf' and tell us what version of Samba you are

/etc/hosts does not include the AD Domain controllers.
Good, it shouldn't, but it should have the computers info in it, if you
are not using DHCP.

/etc/resolv.conf   shows 2ndary DNS servers, which in turn sync data
from the AD Domain controllers.   I don't think this is a DNS issue
since "net join" and "net ads join" are locating the AD domain
Try pointing the nameservers directly at the DCs.

/etc/krb5/krb5.conf is set up for the MYDOMAIN realm.  I can use the
ldapclient and kinit to join the machine to the MYDOMAIN AD realm for
"Unix" level  user and group lookups (via ldap) and kerberos
authentication.      I did find that Solaris "native" kerberos  and
Samba expect krb5.keytab files in different locations , which I
resolved with a sym link between /etc/krb5.keytab
and /etc/krb5/krb5.keytab.
Long time since I used Solaris, it is that long it was on an Ultra5,
but now you remind me it was in a different location.

#cat /etc/samba/smb.conf


          private dir = /etc/samba/private
          smb passwd file = /etc/samba/private/smbpasswd

syslog = 3

log level = 10
client ldap sasl wrapping = plain
ldap server require strong auth = no
create krb5 conf = no

# max protocol = used to define the supported protocol. The default
is NT1. You # can set it to SMB2 if you want experimental SMB2
support. #
workgroup = MYDOMAIN
          server string = Samba Server Version %v

          netbios name = MYSERVER
          passdb backend = tdbsam
          security = ads
          realm = MYDOMAIN.COM

        idmap config *:backend = tdb
        idmap config *:range = 2000-2999

        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 100-1999
What happens when/if you reach uidNumber 2000 ?

         # Use settings from AD for login shell and home directory
         winbind nss info = rfc2307
          winbind enum users = yes
          winbind enum groups = yes

          domain master = no
          domain logons = no

There doesn't seem to be anything really wrong, so you should be able
to join AD, try turning up the debug level and see if anything pops out.


One of the "fun" things with Solaris is that they would be very slow about releasing Samba updates. It took a long time until they moved from Samba 3.0.x to 3.6.x and then onto Samba 4.4.x. And unless you have updates configured correctly, it would not automatically update from 3.x to 4.x. This also means that if Microsoft pushed out a significant security patch , it may be a while until Oracle updates its packages in its repository. Although they have got better in recent years. This means that sometimes the smb.conf file has to be tweeked to handle (or bypass) the changes on the MS side. I found that SMB3 does not work in the classic domain, and sometimes SMB2 can be an issue.

I went through the smb.conf and added the following lines:

    max protocol = SMB2
    server min protocol = SMB2
    server max protocol = SMB2

I don't know if the server protocol settings really matter when joining a member server, since I figure it would be a "client" of the domain controller. I think setting "client min protocol = smb2" would break joining machines to the classic domain.

I also removed the following entries from smb.conf

    client ldap sasl wrapping = plain
    ldap server require strong auth = no
    dedicated keytab file = /etc/krb5/krb5.keytab
    kerberos method = secrets and keytab

The ldap ones were past compatibility fixes with the classic domain. The keytab ones were to try to force samba to use the default solaris keytab file, but that parameter seemed to be ignored.

One of these changes seems to have fixed the join issue

    #  net ads join -S DC1 -U Administrator
    Enter Administrator's password:
    Using short domain name -- MYDOMAIN
    Joined 'testmachine1' to dns domain 'mydomain.com'

I don't think I have disabled SMB1 on the domain controllers. I think setting

the UID range of 100-1999 should be large enough for years. In Active Directory Users and Computers MMC, I explicitly set the uid and gid numbers with in that range for users and groups that need to show up in Samba.

This is samba 4.4.14.

Thanks for your help.

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba