Wayne Andersen
2015-Jan-14  19:14 UTC
[Samba] Domain Computer not showing up in domain utilities
> > I am running Samba Version 4.1.6.
> >
> > I have a PDC and two BDC setup.
> >
> > I have a specific computer named eds, it is a Windows 7 Pro box. When
> > I add it to the domain everything works normally and it works well.
> > Domain users can log in, and they have the proper permissions, but I am
> > seeing two problems.
> >
> > 1) Every once in a while I get: "The trust relationship between this
> > workstation and the primary domain failed".
> > If I unplug the network cable or remove the machine from the domain
> > and re-add it then all is good.
> > Obviously the cached info on the PC is good.
> >
> > I see "The processing of Group Policy failed. Windows could not
> > authenticate to the Active Directory service on a domain controller.
> > (LDAP Bind function call failed). Look in the details tab for error
> > code and description." in the system log.
> >
> > Clearly the computer account is not being created properly.
> >
> > 2) I don't see the computer in AD user and computer tools.
> > Or
> > net ads dn 'CN=eds,CN=Computers,DC=corp,DC=mydomain,DC=com'
> > search failed: No such object
> >
> > I have added many machines both before and after this one.
> > Unfortunately I have an app on this PC that requires the name not
> > change as it is registered to the machine name.
> >
> Bit confused here, you have 'I have a PDC and two BDC setup.' then at the
> bottom, there is this: 'I don't see the computer in AD user and computer
> tools.'
> So, do you have an NT PDC & 2 NT BDCs or do you have 3 AD DCs?
>
> Whichever, can you post the smb.conf from the machine that you call the
> PDC.
>
> Rowland

I have no Windows servers, just workstations. I have three Samba AD DCs, one
is the primary and the other two are backups.

Here is the smb.conf

# Global parameters
[global]
    workgroup = CORP
    realm = CORP.MYDOMAIN.COM
    netbios name = DC1
    server role = active directory domain controller
    server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate
    dns forwarder = 10.10.1.8
    template shell = /bin/bash
    # allow dns updates = nonsecure
    # panic action = /bin/sleep 99999
    dsdb:schema update allowed = yes
    ldap debug level = 10
    idmap_ldb:use rfc2307 = yes

    # Force this server to be the master
    preferred master = yes
    os level = 255

    # Enable TLS for ldaps
    tls enabled = yes
    tls keyfile = tls/myKey.pem
    tls certfile = tls/myCert.pem
    tls cafile

    # Important: The ranges of the default (*) backend
    # and the domain(s) must not overlap!

    # Retrieve UIDs/GIDs for domain CORP from AD, via RFC2307.
    # The range value defines the lowest RID up to the highest,
    # that will ever be used in this domain. Ask your AD Domain
    # Administrator, if you don't know which range to define.
    idmap config CORP:backend = ad
    idmap config CORP:schema_mode = rfc2307
    idmap config CORP:range = 1000-40000

    # Store UIDs/GIDs for all other domains (including local
    # accounts/groups of this server) in a tdb file
    idmap config *:backend = tdb
    idmap config *:range = 50001-60000

    # Use home directory and shell information from AD
    winbind nss info = rfc2307

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/corp.mydomain.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[test]
    path = /export/test
    comment = Test Share
    read only = no
Rowland Penny
2015-Jan-14  19:25 UTC
[Samba] Domain Computer not showing up in domain utilities
On 14/01/15 19:14, Wayne Andersen wrote:
>>> I am running Samba Version 4.1.6.
>>>
>>> I have a PDC and two BDC setup.
>>>
>>> I have a specific computer named eds, it is a Windows 7 Pro box. When
>>> I add it to the domain everything works normally and it works well.
>>> Domain users can log in, and they have the proper permissions, but I am
>>> seeing two problems.
>>>
>>> 1) Every once in a while I get: "The trust relationship between this
>>> workstation and the primary domain failed".
>>> If I unplug the network cable or remove the machine from the domain
>>> and re-add it then all is good.
>>> Obviously the cached info on the PC is good.
>>>
>>> I see "The processing of Group Policy failed. Windows could not
>>> authenticate to the Active Directory service on a domain controller.
>>> (LDAP Bind function call failed). Look in the details tab for error
>>> code and description." in the system log.
>>>
>>> Clearly the computer account is not being created properly.
>>>
>>> 2) I don't see the computer in AD user and computer tools.
>>> Or
>>> net ads dn 'CN=eds,CN=Computers,DC=corp,DC=mydomain,DC=com'
>>> search failed: No such object
>>>
>>> I have added many machines both before and after this one.
>>> Unfortunately I have an app on this PC that requires the name not
>>> change as it is registered to the machine name.
>>>
>> Bit confused here, you have 'I have a PDC and two BDC setup.' then at the
>> bottom, there is this: 'I don't see the computer in AD user and computer
>> tools.'
>> So, do you have an NT PDC & 2 NT BDCs or do you have 3 AD DCs?
>>
>> Whichever, can you post the smb.conf from the machine that you call the
>> PDC.
>>
>> Rowland
> I have no Windows servers, just workstations. I have three Samba AD DCs, one
> is the primary and the other two are backups.

No, they are not backups, they are just DCs; in AD *all* DCs are equal.

> Here is the smb.conf
>
> # Global parameters
> [global]
> workgroup = CORP
> realm = CORP.MYDOMAIN.COM
> netbios name = DC1
> server role = active directory domain controller
> server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind
> ntp_signd kcc dnsupdate
> dns forwarder = 10.10.1.8
> template shell = /bin/bash
> # allow dns updates = nonsecure
> # panic action = /bin/sleep 99999
> dsdb:schema update allowed = yes

remove the next line

> ldap debug level = 10

> idmap_ldb:use rfc2307 = yes

Remove these three lines

> # Force this server to be the master
> preferred master = yes
> os level = 255

> # Enable TLS for ldaps
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile

Remove from here to the [netlogon] share

> # Important: The ranges of the default (*) backend
> # and the domain(s) must not overlap!
>
> # Retrieve UIDs/GIDs for domain CORP from AD, via RFC2307.
> # The range value defines the lowest RID up to the highest,
> # that will ever be used in this domain. Ask your AD Domain
> # Administrator, if you don't know which range to define.
> idmap config CORP:backend = ad
> idmap config CORP:schema_mode = rfc2307
> idmap config CORP:range = 1000-40000
>
> # Store UIDs/GIDs for all other domains (including local
> # accounts/groups of this server) in a tdb file
> idmap config *:backend = tdb
> idmap config *:range = 50001-60000
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/corp.mydomain.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [test]
> path = /export/test
> comment = Test Share
> read only = no
>

Turn your third DC into a member server and use that as the fileserver,
see the wiki: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
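As an added illustration (not code from this thread or from the Samba project), a small Python checker that parses an smb.conf laid out like the one above and, when the server role is an AD DC, lists the [global] parameters that Rowland's reply says to remove; it also reports non-comment lines with no '=' such as the "tls cafile" line. The sample config and the list of unwanted parameter names are constructed from the thread.

```python
from typing import Dict, List, Tuple

# Constructed sample based on the [global] section posted in the thread; "tls cafile" has no value, as posted.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    workgroup = CORP
    server role = active directory domain controller
    ldap debug level = 10
    preferred master = yes
    os level = 255
    tls cafile
    idmap config CORP:backend = ad
    idmap config *:backend = tdb
    winbind nss info = rfc2307
"""

# Parameter-name prefixes that Rowland's reply says to drop from a DC's [global] section.
DC_UNWANTED = ("ldap debug level", "preferred master", "os level",
               "idmap config", "winbind nss info")

def parse_smb_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({section: {param: value}}, [non-comment lines without '=']).""" 
    sections, malformed = {}, []
    current = "global"  # parameters before any [section] header belong to [global]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            malformed.append(line)  # e.g. "tls cafile" with no value
            continue
        # parameter names are case-insensitive in Samba; normalise to lower case
        sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections, malformed

def lint_dc_config(text: str) -> Dict[str, List[str]]:
    """Malformed lines plus, on an AD DC only, the [global] parameters to remove."""
    sections, malformed = parse_smb_conf(text)
    glob = sections.get("global", {})
    if glob.get("server role", "").lower() != "active directory domain controller":
        return {"malformed": malformed, "remove": []}  # member servers keep their idmap settings
    return {"malformed": malformed,
            "remove": [p for p in glob if p.startswith(DC_UNWANTED)]}
```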
Rowland, yes, they are equal except for FSMO. These can only be dedicated to one DC.

Wayne, why do you use parameters for an AD DC (use rfc2307 yes) and for member servers (idmap schema etc.) in one conf?

Tim

On 14 January 2015 20:25:50 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 14/01/15 19:14, Wayne Andersen wrote:
>>>> I am running Samba Version 4.1.6.
>>>>
>>>> I have a PDC and two BDC setup.
>>>>
>>>> I have a specific computer named eds, it is a Windows 7 Pro box. When
>>>> I add it to the domain everything works normally and it works well.
>>>> Domain users can log in, and they have the proper permissions, but I am
>>>> seeing two problems.
>>>>
>>>> 1) Every once in a while I get: "The trust relationship between this
>>>> workstation and the primary domain failed".
>>>> If I unplug the network cable or remove the machine from the domain
>>>> and re-add it then all is good.
>>>> Obviously the cached info on the PC is good.
>>>>
>>>> I see "The processing of Group Policy failed. Windows could not
>>>> authenticate to the Active Directory service on a domain controller.
>>>> (LDAP Bind function call failed). Look in the details tab for error
>>>> code and description." in the system log.
>>>>
>>>> Clearly the computer account is not being created properly.
>>>>
>>>> 2) I don't see the computer in AD user and computer tools.
>>>> Or
>>>> net ads dn 'CN=eds,CN=Computers,DC=corp,DC=mydomain,DC=com'
>>>> search failed: No such object
>>>>
>>>> I have added many machines both before and after this one.
>>>> Unfortunately I have an app on this PC that requires the name not
>>>> change as it is registered to the machine name.
>>>>
>>> Bit confused here, you have 'I have a PDC and two BDC setup.' then at the
>>> bottom, there is this: 'I don't see the computer in AD user and computer
>>> tools.'
>>> So, do you have an NT PDC & 2 NT BDCs or do you have 3 AD DCs?
>>>
>>> Whichever, can you post the smb.conf from the machine that you call the
>>> PDC.
>>>
>>> Rowland
>> I have no Windows servers, just workstations. I have three Samba AD DCs, one
>> is the primary and the other two are backups.
>
>No, they are not backups, they are just DCs; in AD *all* DCs are equal.
>
>> Here is the smb.conf
>>
>> # Global parameters
>> [global]
>> workgroup = CORP
>> realm = CORP.MYDOMAIN.COM
>> netbios name = DC1
>> server role = active directory domain controller
>> server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind
>> ntp_signd kcc dnsupdate
>> dns forwarder = 10.10.1.8
>> template shell = /bin/bash
>> # allow dns updates = nonsecure
>> # panic action = /bin/sleep 99999
>> dsdb:schema update allowed = yes
>
>remove the next line
>
>> ldap debug level = 10
>
>> idmap_ldb:use rfc2307 = yes
>
>Remove these three lines
>
>> # Force this server to be the master
>> preferred master = yes
>> os level = 255
>
>> # Enable TLS for ldaps
>> tls enabled = yes
>> tls keyfile = tls/myKey.pem
>> tls certfile = tls/myCert.pem
>> tls cafile
>
>Remove from here to the [netlogon] share
>
>> # Important: The ranges of the default (*) backend
>> # and the domain(s) must not overlap!
>>
>> # Retrieve UIDs/GIDs for domain CORP from AD, via RFC2307.
>> # The range value defines the lowest RID up to the highest,
>> # that will ever be used in this domain. Ask your AD Domain
>> # Administrator, if you don't know which range to define.
>> idmap config CORP:backend = ad
>> idmap config CORP:schema_mode = rfc2307
>> idmap config CORP:range = 1000-40000
>>
>> # Store UIDs/GIDs for all other domains (including local
>> # accounts/groups of this server) in a tdb file
>> idmap config *:backend = tdb
>> idmap config *:range = 50001-60000
>>
>> # Use home directory and shell information from AD
>> winbind nss info = rfc2307
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/corp.mydomain.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> [test]
>> path = /export/test
>> comment = Test Share
>> read only = no
>>
>
>Turn your third DC into a member server and use that as the fileserver,
>see the wiki: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
>Rowland