Carl Wilhelm Soderstrom
2014-Apr-02 19:12 UTC
[Samba] changing server role = standalone server to 'member server'
I am testing a Samba v4.1.3 instance on Ubuntu 14.04 prerelease.
I set it up as a standalone server on a test network, and it was easy to set
up and worked fine. Now I am trying to migrate it to a different network and
join it to a Windows 2008 AD server.

When I try to join it to the domain, I get this error:

root@samba-4:/etc/samba# net ads join -U administrator
Host is not configured as a member server.
Invalid configuration.  Exiting....
Failed to join domain: This operation is only allowed for the PDC of the
domain.

I've gotten a Kerberos ticket already with kinit, so I know it can connect
to the AD server.

If I try 'testparm -s' I see that it shows "Server role: ROLE_STANDALONE"
even tho I have "server role = member server" in the config file.

Is there some database I need to clobber when changing the "server role ="
value?

root@samba-4:/etc/samba# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[cad-test]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
    workgroup = EXAMPLEAD
    realm = AD.EXAMPLE.COM
    server string = samba-4.example.com
    server role = member server
    obey pam restrictions = Yes
    restrict anonymous = 2
    syslog = 0
    log file = /var/log/samba/%m.log
    load printers = No
    logon script = %U.bat
    logon path =
    logon home =
    local master = No
    wins server = 192.XX.XX.XX
    template shell = /bin/bash
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    winbind offline logon = Yes
    winbind max domain connections = 10
    idmap config * : range = 600-20000
    idmap config * : backend = tdb

[homes]
    comment = Home Directories
    path = /home/%D/%U
    valid users = %S
    read only = No
    create mask = 0700
    directory mask = 0700
    browseable = No

[cad-test]
    comment = CAD DepartShared Space
    path = /var/samba/cadshare
    valid users = rte
    force group = rte
    read only = No
    create mask = 0666
    directory mask = 0777

--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com
Rowland Penny
2014-Apr-02 19:21 UTC
[Samba] changing server role = standalone server to 'member server'
On 02/04/14 20:12, Carl Wilhelm Soderstrom wrote:
> I am testing a Samba v4.1.3 instance on Ubuntu 14.04 prerelease.
> I set it up as a standalone server on a test network, and it was easy to set
> up and worked fine. Now I am trying to migrate it to a different network and
> join it to a Windows 2008 AD server.
>
> When I try to join it to the domain, I get this error:
>
> root@samba-4:/etc/samba# net ads join -U administrator
> Host is not configured as a member server.
> Invalid configuration.  Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
>
> I've gotten a Kerberos ticket already with kinit, so I know it can connect
> to the AD server.
>
> If I try 'testparm -s' I see that it shows "Server role: ROLE_STANDALONE"
> even tho I have "server role = member server" in the config file.
>
> Is there some database I need to clobber when changing the "server role ="
> value?
>
> root@samba-4:/etc/samba# testparm -s
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[cad-test]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> [global]
>     workgroup = EXAMPLEAD
>     realm = AD.EXAMPLE.COM
>     server string = samba-4.example.com
>     server role = member server
>     obey pam restrictions = Yes
>     restrict anonymous = 2
>     syslog = 0
>     log file = /var/log/samba/%m.log
>     load printers = No
>     logon script = %U.bat
>     logon path =
>     logon home =
>     local master = No
>     wins server = 192.XX.XX.XX
>     template shell = /bin/bash
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind refresh tickets = Yes
>     winbind offline logon = Yes
>     winbind max domain connections = 10
>     idmap config * : range = 600-20000
>     idmap config * : backend = tdb
>
> [homes]
>     comment = Home Directories
>     path = /home/%D/%U
>     valid users = %S
>     read only = No
>     create mask = 0700
>     directory mask = 0700
>     browseable = No
>
> [cad-test]
>     comment = CAD DepartShared Space
>     path = /var/samba/cadshare
>     valid users = rte
>     force group = rte
>     read only = No
>     create mask = 0666
>     directory mask = 0777
>

Unfortunately, the only server role that works at present is 'dc', you
cannot provision as a 'member', you need to use the 'classic' way of
running samba, i.e. do not run the samba daemon, run the smbd, nmbd and
winbind daemons instead.

There is also a problem with samba 4.1.3 on ubuntu 14.04 (unless they
have fixed it in the last few days, but I haven't heard anything about
my bug report), you cannot get samba-tool to export a keytab.

Rowland
Johan Hendriks
2014-Apr-03 15:34 UTC
[Samba] changing server role = standalone server to 'member server'
Carl Wilhelm Soderstrom wrote:
> I am testing a Samba v4.1.3 instance on Ubuntu 14.04 prerelease.
> I set it up as a standalone server on a test network, and it was easy to set
> up and worked fine. Now I am trying to migrate it to a different network and
> join it to a Windows 2008 AD server.
>
> When I try to join it to the domain, I get this error:
>
> root@samba-4:/etc/samba# net ads join -U administrator
> Host is not configured as a member server.
> Invalid configuration.  Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
>
> I've gotten a Kerberos ticket already with kinit, so I know it can connect
> to the AD server.
>
> If I try 'testparm -s' I see that it shows "Server role: ROLE_STANDALONE"
> even tho I have "server role = member server" in the config file.
>
> Is there some database I need to clobber when changing the "server role ="
> value?
>
> root@samba-4:/etc/samba# testparm -s
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[cad-test]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> [global]
>     workgroup = EXAMPLEAD
>     realm = AD.EXAMPLE.COM
>     server string = samba-4.example.com
>     server role = member server
>     obey pam restrictions = Yes
>     restrict anonymous = 2
>     syslog = 0
>     log file = /var/log/samba/%m.log
>     load printers = No
>     logon script = %U.bat
>     logon path =
>     logon home =
>     local master = No
>     wins server = 192.XX.XX.XX
>     template shell = /bin/bash
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind refresh tickets = Yes
>     winbind offline logon = Yes
>     winbind max domain connections = 10
>     idmap config * : range = 600-20000
>     idmap config * : backend = tdb
>
> [homes]
>     comment = Home Directories
>     path = /home/%D/%U
>     valid users = %S
>     read only = No
>     create mask = 0700
>     directory mask = 0700
>     browseable = No
>
> [cad-test]
>     comment = CAD DepartShared Space
>     path = /var/samba/cadshare
>     valid users = rte
>     force group = rte
>     read only = No
>     create mask = 0666
>     directory mask = 0777
>

I think you need security = ADS in your global settings.
Then a net ads join -U administrator should work.

Also testparm will tell you that samba is configured as a member server.

regards
Andrew Bartlett
2014-Apr-06 21:53 UTC
[Samba] changing server role = standalone server to 'member server'
On Wed, 2014-04-02 at 15:12 -0400, Carl Wilhelm Soderstrom wrote:
> I am testing a Samba v4.1.3 instance on Ubuntu 14.04 prerelease.
> I set it up as a standalone server on a test network, and it was easy to set
> up and worked fine. Now I am trying to migrate it to a different network and
> join it to a Windows 2008 AD server.
>
> When I try to join it to the domain, I get this error:
>
> root@samba-4:/etc/samba# net ads join -U administrator
> Host is not configured as a member server.
> Invalid configuration.  Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
>
> I've gotten a Kerberos ticket already with kinit, so I know it can connect
> to the AD server.
>
> If I try 'testparm -s' I see that it shows "Server role: ROLE_STANDALONE"
> even tho I have "server role = member server" in the config file.

I did intend that this would work, and would behave the same as
'security=ads'. However, I mucked that up in the leadup to Samba 4.0,
and we really can't change this kind of thing mid-cycle.

In Samba 4.2, this will work.

As others have pointed out, the server role parameter was added for the
AD DC, however it was not meant to be this confusing.

Sorry about that,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
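
The mismatch discussed in this thread (a configured "server role" that testparm does not report as effective) can be checked before attempting `net ads join`. The shell check below is an added example, not part of the original thread or of Samba's own tooling; it reads `testparm -s` output on stdin. The function names are hypothetical, the sample input is constructed from the output posted above, and the `ROLE_DOMAIN_MEMBER` name is an assumption that does not appear in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compare the "server role" set in
# smb.conf with the role testparm reports as effective.
# Usage on a real host: testparm -s 2>/dev/null | check_role

# Map a configured value to the ROLE_* name testparm prints.
# ROLE_DOMAIN_MEMBER does not appear in the thread (assumption).
expected_role() {
    case "$1" in
        "member server"|member)         echo ROLE_DOMAIN_MEMBER ;;
        "standalone server"|standalone) echo ROLE_STANDALONE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# Print the lowercased value of parameter $2 from the testparm output in $1.
param() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1 | tr 'A-Z' 'a-z'
}

# Returns 0 = roles agree (or none configured), 1 = mismatch, 2 = unparsable.
check_role() {
    out=$(cat)
    effective=$(printf '%s\n' "$out" |
        sed -n 's/^Server role:[[:space:]]*\([A-Z_]*\).*/\1/p' | head -n 1)
    configured=$(param "$out" "server role")
    security=$(param "$out" "security")
    [ -n "$effective" ] || { echo "no 'Server role:' line found"; return 2; }
    [ -n "$configured" ] || { echo "OK: no server role set, effective $effective"; return 0; }
    want=$(expected_role "$configured")
    [ "$want" != UNKNOWN ] || { echo "unhandled server role: $configured"; return 2; }
    if [ "$want" = "$effective" ]; then
        echo "OK: $configured -> $effective"; return 0
    fi
    echo "MISMATCH: configured '$configured' but effective $effective (security = ${security:-unset})"
    return 1
}

# Constructed sample, trimmed from the testparm output posted in the thread.
SAMPLE_MISMATCH='Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
    workgroup = EXAMPLEAD
    realm = AD.EXAMPLE.COM
    server role = member server'

printf '%s\n' "$SAMPLE_MISMATCH" | check_role || true
```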