Hi list,

I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used, from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain, however. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box.

Any pointers please or is this intended as the server does single sign?

Thanks!

Pieter

Sent from my iPad

On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
> Hi list,
>
> I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used, from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain, however. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box.
>
> Any pointers please or is this intended as the server does single sign?

If you can list exactly the steps you took, we might be able to help.

But to answer your question: Yes, Samba will happily join Windows 2003 as a domain member. The key command is 'net ads join'.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

On 22/12/2012 14:56, Andrew Bartlett wrote:
> On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote:
>> I stand corrected re the MS comment then. How do I get the userAccountControl?
> userAccountControl is an LDAP attribute, on the DC object. ldapsearch,
> or a GUI LDAP browser (ldp.exe on Windows is one) will be able to show
> it.
>
> Andrew Bartlett
>

Hi Andrew,

Finally got time to pull this:

userAccountControl: 69632

Thanks,

Pieter

On Fri, 2012-12-28 at 10:30 +1300, Pieter De Wit wrote:
> On 22/12/2012 14:56, Andrew Bartlett wrote:
> > On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote:
> >> I stand corrected re the MS comment then. How do I get the userAccountControl?
> > userAccountControl is an LDAP attribute, on the DC object. ldapsearch,
> > or a GUI LDAP browser (ldp.exe on Windows is one) will be able to show
> > it.
> >
> > Andrew Bartlett
> >
> Hi Andrew,
>
> Finally got time to pull this:
>
> userAccountControl: 69632

This is 0x11000

#define UF_WORKSTATION_TRUST_ACCOUNT    0x00001000
#define UF_DONT_EXPIRE_PASSWD           0x00010000

If this remains an issue with current management tools, then I guess we can raise a bug to see if we really, really need to set UF_DONT_EXPIRE_PASSWD in that bitmask.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

On 28/12/2012 10:45, Andrew Bartlett wrote:
> On Fri, 2012-12-28 at 10:30 +1300, Pieter De Wit wrote:
>> On 22/12/2012 14:56, Andrew Bartlett wrote:
>>> On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote:
>>>> I stand corrected re the MS comment then. How do I get the userAccountControl?
>>> userAccountControl is an LDAP attribute, on the DC object. ldapsearch,
>>> or a GUI LDAP browser (ldp.exe on Windows is one) will be able to show
>>> it.
>>>
>>> Andrew Bartlett
>>>
>> Hi Andrew,
>>
>> Finally got time to pull this:
>>
>> userAccountControl: 69632
> This is 0x11000
>
> #define UF_WORKSTATION_TRUST_ACCOUNT    0x00001000
> #define UF_DONT_EXPIRE_PASSWD           0x00010000
>
> If this remains an issue with current management tools, then I guess we
> can raise a bug to see if we really, really need to set
> UF_DONT_EXPIRE_PASSWD in that bitmask.
>
> Andrew Bartlett
>

Andrew,

Is it worth setting the value to 0x1000 and see what the tools show before logging the bug? What is the "correct" value for a Member Server?

Cheers,

Pieter
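
Added example, not part of the thread and not Samba code: a small C decoder for the userAccountControl value discussed above, which reads the LDIF line that ldapsearch prints and names the account type from its type bits. The function names, the TYPE_BITS mask and the type labels are assumptions of this example; the flag values beyond the two quoted in the thread are the ones Microsoft documents for userAccountControl.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* userAccountControl bits, values as documented by Microsoft. */
#define UF_NORMAL_ACCOUNT            0x00000200
#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800
#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000 /* quoted in the thread */
#define UF_SERVER_TRUST_ACCOUNT      0x00002000
#define UF_DONT_EXPIRE_PASSWD        0x00010000 /* quoted in the thread */
/* Helper mask for this example: one of these bits gives the account type. */
#define TYPE_BITS (UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT | \
                   UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)

/* Parse an LDIF line "userAccountControl: <decimal>"; -1 if it is not one. */
long parse_uac(const char *line)
{
    static const char attr[] = "userAccountControl:";
    const char *num;
    char *end;
    long v;
    if (strncmp(line, attr, sizeof(attr) - 1) != 0) return -1;
    num = line + sizeof(attr) - 1;
    v = strtol(num, &end, 10);
    return (end == num || v < 0) ? -1 : v;
}

/* Name the account type; anything but exactly one type bit is invalid. */
const char *uac_account_type(unsigned long uac)
{
    switch (uac & TYPE_BITS) {
    case UF_NORMAL_ACCOUNT:            return "user";
    case UF_WORKSTATION_TRUST_ACCOUNT: return "domain member";
    case UF_SERVER_TRUST_ACCOUNT:      return "domain controller";
    case UF_INTERDOMAIN_TRUST_ACCOUNT: return "interdomain trust";
    default:                           return "invalid";
    }
}

int main(void)
{
    long uac = parse_uac("userAccountControl: 69632"); /* value from the thread */
    if (uac < 0) return 1;
    printf("0x%lx: %s, password never expires: %s\n", (unsigned long)uac,
           uac_account_type((unsigned long)uac),
           (uac & UF_DONT_EXPIRE_PASSWD) ? "yes" : "no");
    return 0;
}
```

For the value in the thread this reports a domain member account with the password-never-expires bit set; a domain controller account carries UF_SERVER_TRUST_ACCOUNT (0x2000) instead.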