Deventer-2, M.S.J. van
2019-Mar-25 11:24 UTC
[Samba] Samba AD and adding a Windows 2008R2 DC
Hi,

We now have an old Windows NT4.0 domain served by Samba 4.2.x (using Samba and LDAP) and want to move to Windows AD.
The reason we need to do that is because of the clients (Windows 10 and MacOS) and because of a third party device which does not want to talk to Samba AD (Isilon OneFS).

I did a 'classicupgrade' to Samba AD from our Samba/LDAP config and then I used this guide:
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
to add the Windows 2008R2 DC to the Samba AD. This all worked out but I encountered an error on the Windows AD integrated DNS (error 4014: The DNS server was unable to initialize AD security interfaces). The wiki page does not mention this and I was wondering which version of Samba was used when this page was created?
Looking for a solution on the Microsoft side sends you from one link to another and back again...

Anyone here who did a successful join of a Windows 2008R2 DC to a Samba AD domain?

Thanks,

Michel

--
Michel van Deventer
Integration Specialist | Division of Laboratories, Pharmacy and Biomedical Genetics, Infra Services & Integration
Universitair Medisch Centrum Utrecht

------------------------------------------------------------------------------
This message may contain confidential information and is intended exclusively for the addressee. If you receive this message unintentionally, please do not use the contents but notify the sender immediately by return e-mail. University Medical Center Utrecht is a legal person by public law and is registered at the Chamber of Commerce for Midden-Nederland under no. 30244197. Please consider the environment before printing this e-mail.

Rowland Penny
On Mon, 25 Mar 2019 11:24:03 +0000
"Deventer-2, M.S.J. van via samba" <samba at lists.samba.org> wrote:

> Hi,
>
> we now have an old Windows NT4.0 domain served by Samba 4.2.x (using
> Samba and LDAP) and want to move to Windows AD.
> The reason we need to do that is because of the clients (Windows 10
> and MacOS) and because of a third party device which does not want to
> talk to Samba AD (Isilon OneFS).

Possibly if Isilon would accept that Samba AD works in the same way as Windows AD, it might be made to work.

In one of their PDFs is this:

Active Directory with RFC 2307 and Windows Services for UNIX
A best practice is to use Microsoft Active Directory with Windows Services for UNIX and RFC 2307 attributes to manage Linux, UNIX, and Windows systems. Integrating UNIX and Linux systems with Active Directory centralizes identity management and eases interoperability, reducing the need for user mapping rules. Make sure your domain controllers are running Windows Server 2003 or later. For more information on RFC 2307, refer to the following KB:
How to configure OneFS and Active Directory for RFC2307 compliance:
https://support.emc.com/kb/335338

Samba AD matches all of the above, it uses the 2008R2 schema and the SFU ldif.
The problem I have is that the KB: 335338 is behind a login page, perhaps if this could be seen, it might be possible to see where the problem lies.

>
> I did a 'classicupgrade' to Samba AD from our Samba/LDAP config and
> then I use this guide :
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
> to add the Windows 2008R2 DC to the Samba AD. This all worked out but
> I encountered an error on the Windows AD integrated DNS (error 4014 :
> The DNS server was unable to initialize AD security interfaces). The
> wiki page does not mention this and I was wondering which version of
> Samba was used when this page was created ?
> Looking for a solution on the Microsoft side sends you from one link
> to another and back again...
>
> Anyone here who did a successful join of Windows 2008R2 DC to an Samba
> AD domain ?

I have added a 2012 and it worked, but I use Bind9, perhaps if you tried adding Bind9 to your Samba AD?

Rowland
Deventer-2, M.S.J. van
2019-Mar-27 11:53 UTC
[Samba] Samba AD and adding a Windows 2008R2 DC
Hi,

On Mon, 2019-03-25 at 12:28 +0000, Rowland Penny via samba wrote:
> On Mon, 25 Mar 2019 11:24:03 +0000
> "Deventer-2, M.S.J. van via samba" <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > we now have an old Windows NT4.0 domain served by Samba 4.2.x
> > (using Samba and LDAP) and want to move to Windows AD.
> > The reason we need to do that is because of the clients (Windows 10
> > and MacOS) and because of a third party device which does not want
> > to talk to Samba AD (Isilon OneFS).
>
> Possibly if Isilon would accept that Samba AD works in the same way
> as Windows AD, it might be made to work.
>
> In one of their PDFs is this:
>
> Active Directory with RFC 2307 and Windows Services for UNIX
> A best practice is to use Microsoft Active Directory with Windows
> Services for UNIX and RFC 2307 attributes
> to manage Linux, UNIX, and Windows systems. Integrating UNIX and
> Linux systems with Active Directory
> centralizes identity management and eases interoperability, reducing
> the need for user mapping rules. Make
> sure your domain controllers are running Windows Server 2003 or
> later. For more information on RFC 2307,
> refer to the following KB:
> How to configure OneFS and Active Directory for RFC2307 compliance:
> https://support.emc.com/kb/335338
>
> Samba AD matches all of the above, it uses the 2008R2 schema and the
> SFU ldif.
> The problem I have is that the KB: 335338 is behind a login page,
> perhaps if this could be seen, it might be possible to see where the
> problem lies.

I know this KB article and it just shows you to switch on the RFC2307 extensions on OneFS. But as EMC (Isilon manufacturer) refuses to help and just tells us: "do not use Samba AD" we gave up on connecting Samba AD to this device, hence we need to go to Windows AD.

For the record, OneFS (based on FreeBSD) does not use Samba to supply the clients with SMB protocol and AD joining. They instead use 'likewise'.

> > I did a 'classicupgrade' to Samba AD from our Samba/LDAP config and
> > then I use this guide :
> > https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
> > to add the Windows 2008R2 DC to the Samba AD. This all worked out
> > but I encountered an error on the Windows AD integrated DNS (error
> > 4014 : The DNS server was unable to initialize AD security
> > interfaces). The wiki page does not mention this and I was wondering
> > which version of Samba was used when this page was created ?

Any answer on this question Rowland?

> > Looking for a solution on the Microsoft side sends you from one
> > link to another and back again...
> >
> > Anyone here who did a successful join of Windows 2008R2 DC to an
> > Samba AD domain ?
>
> I have added a 2012 and it worked, but I use Bind9, perhaps if you
> tried adding Bind9 to your Samba AD ?

You added a 2012, to which samba version? And how? 2012 requires an adprep and that does not work because of WMI.

Regards,

Michel

>
> Rowland
>

--
Michel van Deventer
Integration Specialist | Division of Laboratories, Pharmacy and Biomedical Genetics, Infra Services & Integration