Marc,

Thank you for taking the time to give me some complete answers. When writing to lists like these I often struggle with how much or little detail to give.... and I am eager to add more detail where you have explicitly asked.

On Tue, Mar 10, 2015 at 2:13 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>> 1. Must "net join" be used?
>
> If you want to join the domain, yes.

I'm sorry for being so daft, but I am asking you if I need/want to join the domain. I do not know the answer. Reminder of my scenario: samba is sharing files and users provide their Active Directory usernames and passwords to log into samba. I will call this "Scenario A".

>> 2. Under what circumstances will samba (and family) require an
>> explicit "net join"?
>
> See 1.
> What do you mean with "and family"?

By "and family" I was conceding that I do not know what software it is that requires domain join. Maybe it's samba or winbindd or something else. I can see already your response "no software requires that you join a domain -- that is a personal decision up to a human and not up to a computer." Which brings us back to my original question number 1 above.

>> 3a. Is a file added to the hard drive?
>
> It's written into secrets.tdb for domain members. For DCs more happen in
> the background, when joining the domain.

Thank you, this is the secret sauce I was not able to divine from reading O'Reilly Chapter 10. Is there a tool I can use to query the secrets.tdb file to see what is the current "state" with respect to domain membership? Perhaps it is "wbinfo -t".

I ask this question because I often find myself sitting at a Samba server that is failing to do "Scenario A" and I wonder "Well, has this computer been joined to the domain?" (Not that I even know whether or not the question is important).

>> Chapter 10 of the O'Reilly 3rd edition book describes domain
>> membership, but it leaves me wanting to understand more. For example,
>> "net join" has never worked well (generally spews some kind of
>> complaint) but things still work.
>
> Never had problems to join a Samba host yet. Examples?

I wish I had a setup that was not working right now to dissect (and learn from) but I do not. However, in the past I have had:

net join -U XXXXX\\cstankevitz

The command returned what appears to be an error:

kerberos_kinit_password XXXXX\cstankevitz at XXXXX.CORP failed: Client not found in Kerberos database
Failed to join domain: failed to connect to AD: Client not found in Kerberos database
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain XXXXX
Unable to find a suitable server for domain XXXXX

Thank you again,

Chris
On 11/03/15 23:57, Chris Stankevitz wrote:
> Marc,
>
> Thank you for taking the time to give me some complete answers. When
> writing to lists like these I often struggle with how much or little
> detail to give.... and I am eager to add more detail where you have
> explicitly asked.
>
> On Tue, Mar 10, 2015 at 2:13 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>>> 1. Must "net join" be used?
>> If you want to join the domain, yes.
> I'm sorry for being so daft, but I am asking you if I need/want to
> join the domain. I do not know the answer. Reminder of my scenario:
> samba is sharing files and users provide their Active Directory
> usernames and passwords to log into samba. I will call this
> "Scenario A".
>

If you want to use usernames & passwords then you can do this at least two ways:
A) create all the required users on the computer and run it as a standalone server
B) join the computer to the domain and use the DCs for authentication

Either way, files etc. can be owned by whoever creates them, but there is yet another way in which the files are available to anybody who connects to the server. This would entail setting up the computer with samba, using 'security = user' and 'map to guest = Bad User'; if set up this way, anybody that the computer doesn't know would be mapped to guest and allowed access.

>>> 2. Under what circumstances will samba (and family) require an
>>> explicit "net join"?
>> See 1.
>> What do you mean with "and family"?
> By "and family" I was conceding that I do not know what software it is
> that requires domain join. Maybe it's samba or winbindd or
> something else. I can see already your response "no software requires
> that you join a domain -- that is a personal decision up to a human
> and not up to a computer." Which brings us back to my original
> question number 1 above.

You do not need to use samba if all your other clients are Unix based, you could use NFS, but if you have windows clients then you have to use something like samba (there are others available). Winbindd is part of samba, but it doesn't have to be used, you could use sssd or nslcd instead, but as this is a samba mailing list we will stick to recommending winbindd.

>>> 3a. Is a file added to the hard drive?
>> It's written into secrets.tdb for domain members. For DCs more happen in
>> the background, when joining the domain.
> Thank you, this is the secret sauce I was not able to divine from
> reading O'Reilly Chapter 10. Is there a tool I can use to query the
> secrets.tdb file to see what is the current "state" with respect to domain
> membership? Perhaps it is "wbinfo -t".
>
> I ask this question because I often find myself sitting at a Samba
> server that is failing to do "Scenario A" and I wonder "Well, has this
> computer been joined to the domain?" (Not that I even know whether or
> not the question is important).
>

Well, you could use 'wbinfo -t', but I use the 'net' command, more specifically 'net ads testjoin' run by root; if the machine is joined to the domain, it prints the reassuring message 'Join is OK'.

>>> Chapter 10 of the O'Reilly 3rd edition book describes domain
>>> membership, but it leaves me wanting to understand more. For example,
>>> "net join" has never worked well (generally spews some kind of
>>> complaint) but things still work.
>> Never had problems to join a Samba host yet. Examples?
> I wish I had a setup that was not working right now to dissect (and
> learn from) but I do not. However, in the past I have had:
>
> net join -U XXXXX\\cstankevitz
>
> The command returned what appears to be an error:
>
> kerberos_kinit_password XXXXX\cstankevitz at XXXXX.CORP failed: Client
> not found in Kerberos database
> Failed to join domain: failed to connect to AD: Client not found in
> Kerberos database
> ADS join did not work, falling back to RPC...
> Unable to find a suitable server for domain XXXXX
> Unable to find a suitable server for domain XXXXX
>
> Thank you again,
>
> Chris

That could just be because the command is 'net ads join -U Administrator' or it could be more involved, but without seeing the smb.conf you used, I cannot tell.

Rowland
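For reference, here are minimal smb.conf [global] sections for the two ways Rowland describes (A: standalone with local accounts, B: AD domain member authenticated by the DCs), together with the guest-mapping variant he mentions. This is an added illustration, not a file from the thread; the realm EXAMPLE.CORP, the workgroup EXAMPLE, the share path and the idmap ranges are placeholders, and the two variants are alternative files, not one combined file.

```ini
### Variant A: /etc/samba/smb.conf for a standalone server (local accounts only)
[global]
    security = user
    workgroup = WORKGROUP
    # Only accounts that exist locally (created with smbpasswd/pdbedit) can log in.
    # The line below is Rowland's third variant: unknown usernames become guest.
    # With it enabled, anyone who can reach the server gets guest-level access,
    # so leave it commented out unless the shares are meant to be public.
    ;map to guest = Bad User

[shared]
    path = /srv/samba/shared
    read only = no

### Variant B: /etc/samba/smb.conf for an Active Directory domain member
[global]
    security = ads
    # Placeholder Kerberos realm and NetBIOS domain name.
    realm = EXAMPLE.CORP
    workgroup = EXAMPLE
    # winbindd maps AD SIDs to Unix UIDs/GIDs; the ranges are constructed
    # for this example and must not overlap each other or local accounts.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    winbind use default domain = yes
    # With this file in place, join once as root using domain admin credentials
    # (net ads join -U Administrator). The machine account ends up in secrets.tdb,
    # and 'net ads testjoin' later confirms the join with 'Join is OK'.

[shared]
    path = /srv/samba/shared
    read only = no
```

With variant B, "Scenario A" works without local user accounts: smbd hands the AD credentials to the DC through the machine account that the join created.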
On Thu, Mar 12, 2015 at 2:25 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> I'm sorry for being so daft, but I am asking you if I need/want to
>> join the domain. I do not know the answer. Reminder of my scenario:
>> samba is sharing files and users provide their Active Directory
>> usernames and passwords to log into samba. I will call this
>> "Scenario A".
>>
>
> If you want to use usernames & passwords then you can do this at least two
> ways:
> A) create all the required users on the computer and run it as a standalone
> server
> B) join the computer to the domain and use the DCs for authentication

Thank you for educating me. I have my samba setup working as you have described, but I will ask a question for "academic" purposes -- just so I can better understand what is happening. Please feel free to refer me to a book/site/article/source_code that spells out what is happening.

Couldn't samba act as a "proxy", not join the windows domain, but still authenticate via AD?

1. samba shares files without joining AD.
2. A user "logs in" to samba by presenting an AD username/password.
3. samba, not being joined to the domain, still finds a "domain controller" and submits the credentials.
4. The "domain controller" responds PASS or FAIL.
5. samba allows access as appropriate, perhaps mapping to a valid UID.

I am trying to understand what is happening, I am not trying to insult samba or its code or its way of doing things.

Thank you,

Chris
On Thu, Mar 12, 2015 at 2:25 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> By "and family" I was conceding that I do not know what software it is
>> that requires domain join. Maybe it's samba or winbindd or
>> something else. I can see already your response "no software requires
>> that you join a domain -- that is a personal decision up to a human
>> and not up to a computer." Which brings us back to my original
>> question number 1 above.
>
>
> You do not need to use samba if all your other clients are Unix based, you
> could use NFS, but if you have windows clients then you have to use
> something like samba (there are others available). Winbindd is part of
> samba, but it doesn't have to be used, you could use sssd or nslcd instead,
> but as this is a samba mailing list we will stick to recommending winbindd.

Thank you. In my scenario (which I called "Scenario A") I want the samba client to supply windows AD usernames and passwords to the samba server. So I believe in my case samba use is warranted (I understand that much).

I was not making a comment about winbindd being an inadequate or inappropriate piece of software -- quite the contrary, I have no idea what it does, or what sssd or nslcd or even nsswitch or pam or ldap or nis or wins or netbios are ... it's all just alphabet soup to me. I would love to learn what they are and am happy to spend a day reading a book but I'm not sure which book it is I need to read.

Chris