I don't have anything but Server 2003, 2008 and 2012 to test with.  2003 
joins the domain without issue.  2008 and 2012 will not.  The registry 
has been updated on both:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
Our smb.conf is:
[global]
	workgroup = CUST.OMNIS.COM
	netbios name = GLEN
	server string = GLEN
	passdb backend = ldapsam:ldap://ldap-cust.omnis.com
	username map = /etc/samba/smbusers
	smb ports = 139 445
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	max stat cache size = 16384
	wins support = yes
	name resolve order = wins lmhosts hosts bcast
	dns proxy = yes
	encrypt passwords = yes
	name cache timeout = 3600
	log level = 0
	syslog = 0
	log file = /var/log/samba/%m
	include = /etc/samba/smb.conf.%m
	time server = Yes
	add user script = /usr/sbin/smbldap-useradd -a -m '%u'
	delete user script = /usr/sbin/smbldap-userdel %u
	add group script = /usr/sbin/smbldap-groupadd '%g'
	delete group script = /usr/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
	delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	add machine script = /usr/sbin/smbldap-useradd -W '%u'
	logon script = scripts\logon.bat
	logon path = \\%L\profiles\%U
	logon drive = X:
	domain logons = Yes
	preferred master = auto
	domain master = no
	wins support = Yes
	ldap suffix = ou=System,dc=cust,dc=omnis,dc=com
	ldap machine suffix = ou=Computers
	ldap user suffix = ou=Users
	ldap group suffix = ou=Groups
	ldapsam:trusted = yes
	ldap idmap suffix = ou=Idmap
	ldap admin dn = uid=CManager, ou=Special Users, dc=omnis, dc=com
	idmap backend = ldap:ldap://ldap-cust.omnis.com
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	map acl inherit = Yes
[home]
         comment = Home %U, %u
         read only = No
         create mask = 0644
         directory mask = 0775
         browseable = No
         path = /home/%u
[netlogon]
         comment = Network Logon Service
         path = /var/lib/samba/netlogon
         read only = yes
         guest ok = yes
[profiles]
         path = /var/lib/samba/profiles
         read only = no
         browseable = No
         guest ok = Yes
         profile acls = yes
         valid users = %U "Domain Admins"
You can run Samba 4 as a 'classic' domain.  We just haven't upgraded
yet.  If Samba4 fixes this, we'll upgrade.  However, my understanding is 
that Samba4 as AD requires internal LDAP only.  We use 4 replicating, 
load-balanced LDAP servers so the internal LDAP and AD schema won't work.
Anyone have an idea with 3.6 I can try?
Thanks,
James
On 04/15/2015 09:39 AM, Andrey Repin wrote:
> Greetings, James Fromm!
>
>> Is it still possible to join a Windows 2012 Server R2 system as a member
>> to a 'pre-NT5' Samba (3.6.23) domain controller?
>
> Yes, at least for Win7 Pro.
> You have to disable DNS lookups.
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
> "DomainCompatibilityMode"=dword:00000001
> "DNSNameResolutionRequired"=dword:00000000
>
>> The Windows 'Domain
>> Change' GUI errors immediately after failing the SRV lookup for the AD
>> server.  Even with the SRV record in place, the GUI fails trying to
>> connect to the non-existent LDAP port.
>
>> Netdom on the command line tries to work if the DC name is supplied on
>> the /Domain argument.  The logs for Samba show the authentication for
>> the domain administrator working fine to the Samba controller.  The
>> command fails.
>
>> ----
>> C:\Users\Administrator>netdom JOIN cl40 /Domain:cust.omnis.com\glen
>> /UserD:cust.omnis.com\root /PasswordD:* /VERBOSE
>> Type the password associated with the domain user:
>
>> Joining domain cust.omnis.com\glen
>
>> The computer rename attempt failed with error 50.
>
>> The request is not supported.
>
>> The command failed to complete successfully.
>> ----
>
> This may be caused by a different issue.
>
>> The DNSNameResolutionRequired and DomainCompatibilityMode registry
>> modifications are in place.
>
>> We are trying to stick with an NT domain so we can keep our Windows and
>> Unix users in the same LDAP backend.
>
> You're making no sense. Samba4 uses LDAP even more than before. To the level
> of having it implemented internally.
> So far, all my users in the domain are successfully logging in, Windows and
> *NIX alike, provided the correct local system setup.
>
>
On Wed, Apr 15, 2015 at 3:23 PM, James Fromm <fromm at omnis.com> wrote:
> workgroup = CUST.OMNIS.COM

My understanding is that workgroup names are NetBIOS names and are
therefore not hierarchical like domain names (no dots, 15 characters,
etc.).

Chris
Using wireshark, the last communication between the client and the Samba server is:

RPC_NETLOGON 262 DsrGetDcNameEx2 request
DCERPC 146 Fault: call_id: 2, Fragment: Single, Ctx: 0, status: nca_op_rng_error

Immediately after this the client starts to close the SMB connection.
Sonic wrote on 4/15/15 12:34 PM:
> On Wed, Apr 15, 2015 at 3:23 PM, James Fromm <fromm at omnis.com> wrote:
>> workgroup = CUST.OMNIS.COM
>
> My understanding is that workgroup names are NetBIOS names and are
> therefore not hierarchical like domain names (no dots, 15 characters,
> etc.).
>
> Chris

We encountered this too, when trying to join Win 8 and Win 2012 systems to a S3 domain with a dot in its name. As far as I know it's not possible.
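
An added example, not code from any poster in this thread or from the Samba project: a pre-join check that reads the [global] section of an smb.conf and flags a workgroup or netbios name that breaks the rule the replies above give (no dots, at most 15 characters). The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: a few [global] lines as posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
	workgroup = CUST.OMNIS.COM
	netbios name = GLEN
	domain logons = Yes
[netlogon]
	path = /var/lib/samba/netlogon
"""
MAX_NETBIOS_LEN = 15  # limit quoted in the thread replies (assumption taken from them)

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # smb.conf line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in ";#":    # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; whitespace in them is ignored.
            params["".join(key.split()).lower()] = value.strip()
    return params

def check_netbios_names(text):
    """Return (parameter, value, problem) tuples for names that break the rule."""
    findings, params = [], parse_global(text)
    for name in ("workgroup", "netbiosname"):
        value = params.get(name, "")
        if "." in value:
            findings.append((name, value, "contains a dot"))
        if len(value) > MAX_NETBIOS_LEN:
            findings.append((name, value, "longer than 15 characters"))
    return findings

if __name__ == "__main__":
    for name, value, problem in check_netbios_names(SAMPLE_SMB_CONF):
        print(f"{name} = {value}: {problem}")
```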