Re: [Samba] Samba AD and adding a Windows 2008R2 DC
- Date: Wed, 27 Mar 2019 12:52:05 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba AD and adding a Windows 2008R2 DC
On Wed, 27 Mar 2019 11:53:40 +0000
"Deventer-2, M.S.J. van via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> On Mon, 2019-03-25 at 12:28 +0000, Rowland Penny via samba wrote:
> > On Mon, 25 Mar 2019 11:24:03 +0000
> > "Deventer-2, M.S.J. van via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > > Hi,
> > >
> > > we now have an old Windows NT4.0 domain served by Samba 4.2.x (using
> > > Samba and LDAP) and want to move to Windows AD.
> > > The reason we need to do that is because of the clients (Windows 10
> > > and MacOS) and because of a third party device which does not want to
> > > talk to Samba AD (Isilon OneFS).
> > Possibly if Isilon would accept that Samba AD works in the same way as
> > Windows AD, it might be made to work.
> > In one of their PDFs is this:
> > Active Directory with RFC 2307 and Windows Services for UNIX
> > A best practice is to use Microsoft Active Directory with Windows
> > Services for UNIX and RFC 2307 attributes
> > to manage Linux, UNIX, and Windows systems. Integrating UNIX and
> > Linux systems with Active Directory
> > centralizes identity management and eases interoperability, reducing
> > the need for user mapping rules. Make
> > sure your domain controllers are running Windows Server 2003 or
> > later. For more information on RFC 2307,
> > refer to the following KB:
> > How to configure OneFS and Active Directory for RFC2307 compliance:
> > https://support.emc.com/kb/335338
> > Samba AD matches all of the above, it uses the 2008R2 schema and the
> > SFU ldif.
> > The problem I have is that the KB: 335338 is behind a login page,
> > perhaps if this could be seen, it might be possible to see where the
> > problem lies.
> I know this KB article and it just shows you to switch on the RFC2307
> extensions on OneFS. But as EMC (Isilon manufacturer) refuses to help
> and just tells us : " do not use Samba AD " we gave up on connecting
> Samba AD to this device, hence we need to go to Windows AD.
> For the record, OneFS (based on FreeBSD) does not use Samba to supply
> the clients with SMB protocol and AD joining. They instead use
That explains it: 'likewise' (now Centrify) appears to create IDs
similar to the way the winbind 'rid' backend does; it uses the SID, so
why does OneFS need the IDMU schema?
If OneFS can use the IDMU schema, then it should be able to use a
Samba AD, because the same schema is used by Samba.
It probably comes down to Isilon not wanting to find out just what
they need to do to use Samba AD, very little, I would think.
> > > I did a 'classicupgrade' to Samba AD from our Samba/LDAP config
> > > and then I use this guide :
> > > https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
> > > to add the Windows 2008R2 DC to the Samba AD. This all worked out but
> > > I encountered an error on the Windows AD integrated DNS (error 4014:
> > > The DNS server was unable to initialize AD security interfaces). The
> > > wiki page does not mention this and I was wondering which version of
> > > Samba was used when this page was created?
> Any answer on this question, Rowland?
It was written initially when Samba 4 was released and has been updated
since, but it is expected to work with all supported versions of Samba.
> > > Looking for a solution on the Microsoft side sends you from one link
> > > to another and back again...
> > >
> > > Anyone here who did a successful join of a Windows 2008R2 DC to a
> > > Samba AD domain?
> > I have added a 2012 and it worked, but I use Bind9, perhaps if you
> > tried adding Bind9 to your Samba AD ?
> You added a 2012, to which Samba version? And how? 2012 requires an
> adprep and that does not work because of WMI.
It was some time ago; I added it to test if it worked and, after it did,
I removed it. The Samba version would have been 4.6 or 4.7.
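Added example, not from the thread and not Samba's own code: a small Python model of the idmap_rid mapping Rowland refers to above, to make concrete how a SID-based backend hands out Unix IDs without needing any RFC2307/IDMU attributes (uidNumber, gidNumber) in the directory. The rule ID = RID + LOW_RANGE_ID is the documented idmap_rid(8) behaviour and results outside the configured range are reported as unmapped; the domain SID, the idmap range and the account RIDs below are constructed for the example.

```python
# Added example: a model of Samba's idmap_rid backend, which derives a Unix
# ID purely from the SID (ID = RID + LOW_RANGE_ID) instead of reading
# RFC2307/IDMU attributes from AD. Domain SID and range are constructed.
import re
from typing import Dict, Optional, Tuple

# Constructed idmap configuration, in the shape of the smb.conf lines
#   idmap config EXAMPLE : backend = rid
#   idmap config EXAMPLE : range = 10000-999999
EXAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # made up
IDMAP_CONFIG: Dict[str, Dict[str, int]] = {
    EXAMPLE_DOMAIN_SID: {"low": 10000, "high": 999999},
}

# A domain account SID is the domain SID (S-1-5-21-<3 sub-authorities>)
# followed by the account's RID.
_DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> Optional[Tuple[str, int]]:
    """Split a domain account SID into (domain SID, RID).

    Returns None for SIDs that are not domain account SIDs, e.g. the
    BUILTIN authority S-1-5-32-544 (Administrators), which a per-domain
    rid mapping does not cover.
    """
    m = _DOMAIN_SID_RE.match(sid)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def rid_to_id(sid: str, config: Dict[str, Dict[str, int]] = IDMAP_CONFIG) -> Optional[int]:
    """Map a SID to a Unix ID the way idmap_rid does: ID = RID + LOW_RANGE_ID.

    Users and groups share one ID space, which is safe because RIDs are
    unique within a domain. Returns None when the SID is not from a
    configured domain or when the result would exceed the range's high
    end; winbind reports such SIDs as unmapped rather than inventing an ID.
    """
    parts = split_sid(sid)
    if parts is None:
        return None
    domain_sid, rid = parts
    rng = config.get(domain_sid)
    if rng is None:
        return None
    unix_id = rng["low"] + rid
    if unix_id > rng["high"]:
        return None
    return unix_id


def id_to_sid(unix_id: int, config: Dict[str, Dict[str, int]] = IDMAP_CONFIG) -> Optional[str]:
    """Reverse mapping: find the domain whose range contains unix_id and
    rebuild the SID as <domain SID>-<ID - LOW_RANGE_ID>."""
    for domain_sid, rng in config.items():
        if rng["low"] <= unix_id <= rng["high"]:
            return f"{domain_sid}-{unix_id - rng['low']}"
    return None


if __name__ == "__main__":
    # RID 513 is Domain Users in every AD domain; RID 1105 stands in for an
    # ordinary created account. Both SIDs are constructed for this example.
    for sid in (f"{EXAMPLE_DOMAIN_SID}-513", f"{EXAMPLE_DOMAIN_SID}-1105",
                "S-1-5-32-544", "S-1-5-21-9-9-9-1000"):
        print(sid, "->", rid_to_id(sid))
```

The point for the Isilon question is that a rid-style backend needs nothing from the directory beyond the SID, whereas the RFC2307/IDMU route (Samba's idmap_ad) reads uidNumber and gidNumber attributes that Samba AD provisions from the same 2008R2 schema and SFU ldif a Windows DC would use.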