Hello everybody,
I need to set up a domain/subdomain environment with Windows AD. All the 
DCs run Windows Server 2012 R2. For all domains (root and subdomains), the 
forest and domain functional levels are set to Windows 2008 R2.
I want to use Samba 4 server as fileservers in these domains, but up to 
now I have trouble adding Samba 4 member servers to Windows AD.
My test environment is made of two networks, which are connected through a 
VPN site-to-site tunnel.
On one of these networks I have the root domain (RD.LAN) with its DC 
rddc1.rd.lan and subdomain 2 (SD2.RD.LAN) with its DC sd2dc.sd2.rd.lan.
On the other network I have subdomain 1 (SD1.RD.LAN) with its DC 
sd1dc1.sd1.rd.lan.
I try the following steps on mserver1.sd1.rd.lan:
First I install the required packages, as described on wiki.samba.org:
build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev 
libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev 
libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev 
git acl
plus I install the packages ntp and winbind.
Then I add 'user_xattr,acl,barrier=1' to my /etc/fstab and mount all 
filesystems with 'mount -a'.
then I download the sources with git: 'git clone -b v4-1-stable 
git://git.samba.org/samba.git samba4'
then I install:
# ./configure --with-ads --with-shared-modules=idmap_ad
# make
# make install
then I link the winbind libraries:
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
I configure /etc/krb5.conf:
[libdefaults]
     default_realm = SD1.RD.LAN
     dns_lookup_realm = true
     dns_lookup_kdc = true
[realms]
     SD1.RD.LAN = {
         kdc = sd1dc1.sd1.rd.lan
         admin_server = sd1dc1.sd1.rd.lan
     }
[domain_realm]
     .sd1.rd.lan = SD1.RD.LAN
     sd1.rd.lan = SD1.RD.LAN
I configure /usr/local/samba/etc/smb.conf
[global]
     workgroup = SD1
     security = ADS
     realm = SD1.RD.LAN
     encrypt passwords = yes
#    idmap config *:backend = tdb
#    idmap config *:range = 70001-80000
     idmap config SD1:backend = ad
     idmap config SD1:schema_mode = rfc2307
     idmap config SD1:range = 10000-40000
     winbind nss info = rfc2307
#    winbind separator = +
     winbind trusted domains only = no
     winbind use default domain = yes
     winbind enum users = yes
     winbind enum groups = yes
# Support for ACLs
     vfs objects = acl_xattr
     map acl inherit = yes
     store dos attributes = yes
I join the server to AD with 'net ads join -Uadministrator' and get a 
positive message:
Using short domain name -- SD1
Joined 'mserver1' to dns domain 'sd1.rd.lan'
I edit /etc/nsswitch.conf:
passwd:          compat winbind
group:           compat winbind
and start the daemons manually in the following order: nmbd, winbindd, smbd.
And here is where it starts to get funny: when I execute wbinfo -u, this 
is what I get:
administrator
gast
krbtgt
rd$
RD\administrator
RD\gast
RD\krbtgt
RD\sd2$
RD\sd1$
SD2\administrator
SD2\gast
SD2\krbtgt
SD2\rd$
and wbinfo -g:
winrmremotewmiusers__
domänencomputer
domänencontroller
zertifikatherausgeber
domänen-admins
domänen-benutzer
domänen-gäste
richtlinien-ersteller-besitzer
ras- und ias-server
zulässige rodc-kennwortreplikationsgruppe
abgelehnte rodc-kennwortreplikationsgruppe
schreibgeschützte domänencontroller
klonbare domänencontroller
protected users
dnsadmins
dnsupdateproxy
RD\domänencomputer
RD\domänencontroller
RD\schema-admins
RD\organisations-admins
RD\domänen-admins
RD\domänen-benutzer
RD\domänen-gäste
RD\richtlinien-ersteller-besitzer
RD\schreibgeschützte domänencontroller
RD\schreibgeschützte domänencontroller der organisation
RD\klonbare domänencontroller
RD\protected users
RD\dnsupdateproxy
SD2\domänencomputer
SD2\domänencontroller
SD2\domänen-admins
SD2\domänen-benutzer
SD2\domänen-gäste
SD2\richtlinien-ersteller-besitzer
SD2\schreibgeschützte domänencontroller
SD2\klonbare domänencontroller
SD2\protected users
SD2\dnsupdateproxy
As you can see, I see the users and groups of the root domain (RD.LAN) 
and subdomain 2 (SD2.RD.LAN) but nothing about subdomain 1 (SD1.RD.LAN). 
Also, when I execute getent passwd and getent group, I only see the Linux 
users and groups but don't get anything from Windows AD.
I'm really confused and would appreciate it if one of you could take a look at 
it and tell me what is missing or wrong or even point me in the right 
direction. I don't have much experience with Samba, so please don't be 
too strict with me XD.
Thank you guys!
Isfelipe
Hi Ismael,

> ---snip---
> [global]
>      workgroup = SD1
>      security = ADS
>      realm = SD1.RD.LAN
>      encrypt passwords = yes
> #    idmap config *:backend = tdb
> #    idmap config *:range = 70001-80000
>      idmap config SD1:backend = ad
>      idmap config SD1:schema_mode = rfc2307
>      idmap config SD1:range = 10000-40000
>      winbind nss info = rfc2307
> #    winbind separator = +
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users = yes
>      winbind enum groups = yes
> ---snip---
> As you can see, I see the users and groups of the root domain (RD.LAN) 
> and subdomain 2 (SD2.RD.LAN) but nothing about subdomain 1 (SD1.RD.LAN).

You specified an idmap configuration for SD1 in your smb.conf file with 
rfc2307, which tells Samba to look for uidNumber and gidNumber in Active 
Directory for the SID<->uid/gid mapping. Those attributes are not populated 
by default, so wbinfo does not pick up your SD1 entries.

> Also, when I execute getent passwd and getent group, I only see the Linux 
> users and groups but don't get anything from Windows AD.

In order for getent passwd to work, there has to be a SID<->uid/gid mapping, 
but you have not specified any mapping for the SD2 domain, only for SD1, 
which actually does not work... Try to fix your idmap. You may use rid to 
get a consistent mapping between your different servers.

Hope this helps,

Denis

> I'm really confused and would appreciate it if one of you could take a look at 
> it and tell me what is missing or wrong or even point me in the right 
> direction. I don't have much experience with Samba, so please don't be 
> too strict with me XD.
> 
> Thank you guys!
> Isfelipe

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
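For readers following Denis's advice, here is an idmap section of the kind he describes, added as an example and not posted by anyone in the thread: a default backend for BUILTIN and unlisted domains, plus a rid mapping for each of the three domains (short names SD1, RD and SD2 as shown in the wbinfo output) with ranges that do not overlap. The range values are constructed and should be adapted to the site.

```ini
[global]
     workgroup = SD1
     security = ADS
     realm = SD1.RD.LAN

     # Default backend: mandatory. It maps BUILTIN SIDs and any domain that has
     # no idmap config of its own. Its range must not overlap a domain range.
     idmap config * : backend = tdb
     idmap config * : range = 3000-7999

     # rid: the uid/gid is computed from the SID's RID plus the range base, so
     # every member server configured with the same ranges yields the same ids,
     # and no uidNumber/gidNumber attributes are needed in AD (unlike backend = ad).
     # One range per domain, none overlapping (constructed values).
     idmap config SD1 : backend = rid
     idmap config SD1 : range = 10000-39999

     idmap config RD : backend = rid
     idmap config RD : range = 40000-69999

     idmap config SD2 : backend = rid
     idmap config SD2 : range = 70000-99999

     # "rfc2307" nss info would again require AD attributes for shell/home,
     # so fall back to templates instead.
     winbind nss info = template
     template shell = /bin/bash
     template homedir = /home/%D/%U
     winbind use default domain = yes
     winbind enum users = yes
     winbind enum groups = yes

     vfs objects = acl_xattr
     map acl inherit = yes
     store dos attributes = yes
```

Changing the backend changes the ids a SID maps to, so apply this before data with Unix ownership is written to the shares; after restarting winbindd, check one account from each domain with `wbinfo -i` and `getent passwd` to confirm all three domains resolve.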