Is it still possible to join a Windows 2012 Server R2 system as a member
to a 'pre-NT5' Samba (3.6.23) domain controller? The Windows 'Domain
Change' GUI errors immediately after failing the SRV lookup for the AD
server. Even with the SRV record in place, the GUI fails trying to
connect to the non-existent LDAP port.

Netdom on the command line tries to work if the DC name is supplied on
the /Domain argument. The logs for Samba show the authentication for
the domain administrator working fine to the Samba controller. The
command fails.

----
C:\Users\Administrator>netdom JOIN cl40 /Domain:cust.omnis.com\glen /UserD:cust.omnis.com\root /PasswordD:* /VERBOSE
Type the password associated with the domain user:

Joining domain cust.omnis.com\glen

The computer rename attempt failed with error 50.

The request is not supported.

The command failed to complete successfully.
----

The DNSNameResolutionRequired and DomainCompatibilityMode registry
modifications are in place.

We are trying to stick with an NT domain so we can keep our Windows and
Unix users in the same LDAP backend.

Thanks,
James
On 04/15/2015 09:14 AM, James Fromm wrote:
> Is it still possible to join a Windows 2012 Server R2 system as a member
> to a 'pre-NT5' Samba (3.6.23) domain controller? The Windows 'Domain
> Change' GUI errors immediately after failing the SRV lookup for the AD
> server. Even with the SRV record in place, the GUI fails trying to
> connect to the non-existent LDAP port.
>
> Netdom on the command line tries to work if the DC name is supplied on
> the /Domain argument. The logs for Samba show the authentication for
> the domain administrator working fine to the Samba controller. The
> command fails.
>
> ----
> C:\Users\Administrator>netdom JOIN cl40 /Domain:cust.omnis.com\glen
> /UserD:cust.omnis.com\root /PasswordD:* /VERBOSE
> Type the password associated with the domain user:
>
> Joining domain cust.omnis.com\glen
>
> The computer rename attempt failed with error 50.
>
> The request is not supported.
>
> The command failed to complete successfully.
> ----
>
> The DNSNameResolutionRequired and DomainCompatibilityMode registry
> modifications are in place.
>
> We are trying to stick with an NT domain so we can keep our Windows and
> Unix users in the same LDAP backend.
>
> Thanks,
> James

FWIW, I have joined Windows 2012 with a Samba3/NT4 domain in the past.
However, I'm not sure if it'll work with an NT4 domain that has a dot in
the name.

That said, we made the upgrade from Samba3 to Samba4 AD; it works great on
our Linux and Windows machines. But we only store users in AD, so no
automount maps, etc.

--
John Yocum, Systems Administrator, DEOHS
Greetings, James Fromm!

> Is it still possible to join a Windows 2012 Server R2 system as a member
> to a 'pre-NT5' Samba (3.6.23) domain controller?

Yes, at least for Win7 Pro.
You have to disable DNS lookups.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

> The Windows 'Domain
> Change' GUI errors immediately after failing the SRV lookup for the AD
> server. Even with the SRV record in place, the GUI fails trying to
> connect to the non-existent LDAP port.

> Netdom on the command line tries to work if the DC name is supplied on
> the /Domain argument. The logs for Samba show the authentication for
> the domain administrator working fine to the Samba controller. The
> command fails.

> ----
> C:\Users\Administrator>netdom JOIN cl40 /Domain:cust.omnis.com\glen
> /UserD:cust.omnis.com\root /PasswordD:* /VERBOSE
> Type the password associated with the domain user:

> Joining domain cust.omnis.com\glen

> The computer rename attempt failed with error 50.

> The request is not supported.

> The command failed to complete successfully.
> ----

This may be caused by a different issue.

> The DNSNameResolutionRequired and DomainCompatibilityMode registry
> modifications are in place.

> We are trying to stick with an NT domain so we can keep our Windows and
> Unix users in the same LDAP backend.

You're making no sense. Samba4 uses LDAP even more than before. To the
level of having it implemented internally.
So far, all my users in the domain are successfully logging in, Windows and
*NIX alike, provided the correct local system setup.

--
With best regards,
Andrey Repin
Wednesday, April 15, 2015 19:28:23

Sorry for my terrible English...
I don't have anything but Server 2003, 2008 and 2012 to test with. 2003
joins the domain without issue. 2008 and 2012 will not. The registry
has been updated on both:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
Our smb.conf is:
[global]
workgroup = CUST.OMNIS.COM
netbios name = GLEN
server string = GLEN
passdb backend = ldapsam:ldap://ldap-cust.omnis.com
username map = /etc/samba/smbusers
smb ports = 139 445
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
max stat cache size = 16384
wins support = yes
name resolve order = wins lmhosts hosts bcast
dns proxy = yes
encrypt passwords = yes
name cache timeout = 3600
log level = 0
syslog = 0
log file = /var/log/samba/%m
include = /etc/samba/smb.conf.%m
time server = Yes
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -W '%u'
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = auto
domain master = no
wins support = Yes
ldap suffix = ou=System,dc=cust,dc=omnis,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldapsam:trusted = yes
ldap idmap suffix = ou=Idmap
ldap admin dn = uid=CManager, ou=Special Users, dc=omnis, dc=com
idmap backend = ldap:ldap://ldap-cust.omnis.com
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
[home]
comment = Home %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No
path = /home/%u
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
read only = yes
guest ok = yes
[profiles]
path = /var/lib/samba/profiles
read only = no
browseable = No
guest ok = Yes
profile acls = yes
valid users = %U "Domain Admins"
You can run Samba 4 as a 'classic' domain. We just haven't upgraded
yet. If Samba4 fixes this, we'll upgrade. However, my understanding is
that Samba4 as AD requires internal LDAP only. We use 4 replicating,
load-balanced LDAP servers so the internal LDAP and AD schema won't work.
Anyone have an idea with 3.6 I can try?
Thanks,
James
On 04/15/2015 09:39 AM, Andrey Repin wrote:
> Greetings, James Fromm!
>
>> Is it still possible to join a Windows 2012 Server R2 system as a member
>> to a 'pre-NT5' Samba (3.6.23) domain controller?
>
> Yes, at least for Win7 Pro.
> You have to disable DNS lookups.
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
> "DomainCompatibilityMode"=dword:00000001
> "DNSNameResolutionRequired"=dword:00000000
>
>> The Windows 'Domain
>> Change' GUI errors immediately after failing the SRV lookup for the AD
>> server. Even with the SRV record in place, the GUI fails trying to
>> connect to the non-existent LDAP port.
>
>> Netdom on the command line tries to work if the DC name is supplied on
>> the /Domain argument. The logs for Samba show the authentication for
>> the domain administrator working fine to the Samba controller. The
>> command fails.
>
>> ----
>> C:\Users\Administrator>netdom JOIN cl40 /Domain:cust.omnis.com\glen
>> /UserD:cust.omnis.com\root /PasswordD:* /VERBOSE
>> Type the password associated with the domain user:
>
>> Joining domain cust.omnis.com\glen
>
>> The computer rename attempt failed with error 50.
>
>> The request is not supported.
>
>> The command failed to complete successfully.
>> ----
>
> This may be caused by a different issue.
>
>> The DNSNameResolutionRequired and DomainCompatibilityMode registry
>> modifications are in place.
>
>> We are trying to stick with an NT domain so we can keep our Windows and
>> Unix users in the same LDAP backend.
>
> You're making no sense. Samba4 uses LDAP even more than before. To the
> level of having it implemented internally.
> So far, all my users in the domain are successfully logging in, Windows and
> *NIX alike, provided the correct local system setup.
>
>
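The thread leaves the Windows side of the procedure spread over three messages: the two LanmanWorkstation registry values Andrey posted (and James repeated), John's remark that a dotted NT4 domain name may be the problem, and the netdom invocation whose "error 50" James quoted. The script below is an added example, written for this page and not taken from the thread or from Samba's documentation, that puts those steps into one elevated PowerShell session with a check after each one. The domain name, DC name, computer name and netdom switches are the ones posted; the helper names Test-NtDomainName and ConvertFrom-Win32Error are mine. Two facts it relies on that the thread does not state: a NetBIOS domain name is at most 15 characters, and Win32 error 50 is ERROR_NOT_SUPPORTED ("The request is not supported", the same text netdom printed). One caveat worth keeping in mind: these registry values relax the client's domain-controller discovery so that a DC with no LDAP or Kerberos service is accepted, and an NT4-style join authenticates with NTLM over SMB only; revert them once the machine moves to an AD domain.

```powershell
# Added example for the thread above; run from an elevated PowerShell prompt
# on the Windows 2008/2012 machine that refuses to join.

# --- 1. The two LanmanWorkstation values from Andrey's reply -----------------
$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$wanted = @{
    DomainCompatibilityMode   = 1   # accept an NT4-style (non-AD) domain
    DNSNameResolutionRequired = 0   # do not insist on DNS/SRV discovery of the DC
}
foreach ($name in $wanted.Keys) {
    New-ItemProperty -Path $lanmanKey -Name $name -Value $wanted[$name] `
        -PropertyType DWord -Force | Out-Null
}
# Read the values back instead of trusting the write.
$actual = Get-ItemProperty -Path $lanmanKey
foreach ($name in $wanted.Keys) {
    if ($actual.$name -ne $wanted[$name]) {
        throw "$name is $($actual.$name), expected $($wanted[$name])"
    }
}
# The Workstation service reads these when it starts; restart it (or reboot,
# which is the safer assumption if the join still fails afterwards).
Restart-Service -Name LanmanWorkstation -Force

# --- 2. John's point: check the domain name as a NetBIOS name -----------------
function Test-NtDomainName {
    param([Parameter(Mandatory)][string]$Name)
    $problems = @()
    if ($Name.Length -gt 15) {
        $problems += "longer than 15 characters ($($Name.Length))"
    }
    if ($Name -match '\.') {
        $problems += 'contains a dot, which Windows may treat as a DNS name rather than a NetBIOS domain'
    }
    if ($Name -match '[\\/:*?"<>|]') {
        $problems += 'contains characters not allowed in a NetBIOS name'
    }
    return $problems
}
$domain   = 'CUST.OMNIS.COM'   # 'workgroup' from the posted smb.conf
$dc       = 'GLEN'             # 'netbios name' from the posted smb.conf
$computer = 'cl40'             # the machine James was joining
Test-NtDomainName -Name $domain | ForEach-Object { Write-Warning "Domain name '$domain': $_" }

# --- 3. Confirm the DC answers on the only paths a Samba 3 NT4 DC offers -----
# The posted smb.conf has 'smb ports = 139 445' and no LDAP/Kerberos listener,
# so NetBIOS name resolution and those two TCP ports are what matter.
nbtstat -a $dc
foreach ($port in 139, 445) {
    $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { throw "$dc does not answer on TCP $port" }
}

# --- 4. Join with an explicit DC, exactly as in the thread -------------------
# /PasswordD:* makes netdom prompt for the password instead of putting it on
# the command line (where it would be visible to anyone listing processes).
netdom JOIN $computer /Domain:"$domain\$dc" /UserD:"$domain\root" /PasswordD:* /VERBOSE

# --- 5. Decode the numeric error netdom prints ("failed with error 50") ------
function ConvertFrom-Win32Error {
    param([Parameter(Mandatory)][int]$Code)
    return (New-Object System.ComponentModel.Win32Exception($Code)).Message
}
ConvertFrom-Win32Error -Code 50    # "The request is not supported." (ERROR_NOT_SUPPORTED)
```

The decode step is there because netdom reports the failing sub-step ("The computer rename attempt") and a raw Win32 code; mapping the code through Win32Exception gives the same text the thread shows and lets you look the code up without guessing. Step 2 only warns, since the thread does not establish that the dot is the cause, but a warning on a 14-character dotted name is the first thing to clear before chasing the registry further.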