samba - Jun 2015 - unable to join a SAMBA linux box to MSWindows 2012 AD

On 2015-06-02 11:00, samba-request at lists.samba.org wrote: 
> From: Rowland Penny <rowlandpenny at googlemail.com>
> Precedence: list
> MIME-Version: 1.0
> To: samba at lists.samba.org
> References: <39f4efa684c5c13791542c12a0427582 at rh5.afts.com>
> In-Reply-To: <39f4efa684c5c13791542c12a0427582 at rh5.afts.com>
> Date: Tue, 02 Jun 2015 10:22:47 +0100
> Message-ID: <556D75E7.2030504 at googlemail.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
> Subject: Re: [Samba] unable to join a SAMBA linux box to MSWindows 2012 AD
> Message: 23
> 
> On 01/06/15 00:53, tsmafts wrote:
> 
>> Linux debian1 3.2.0-4-686-pae #1 SMP Debian 3.2.68-1+deb7u1 i686
GNU/Linux it is serving as file server for a few windows pcs in a satellite
office. I am trying to join the machine to a AD Domain in our main office.
> 
> It looks like you are using Debian wheezy with the standard 3.6.x 
> version of samba and if you look through what you posted there is this:
> 
> Invalid configuration. Exiting....
> 
> Pretty explicit why it doesn't work, have a look here: 
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server [1]
> 
> There is a known working smb.conf on that page, adapt it to your realm, 
> workgroup etc and try again, once you have got samba working again, you 
> could then start adding some of the lines that you have in your 
> original, but be very selective, quite a lot of what you have isn't 
> needed any more. I would suggest you read 'man smb.conf'.
> 
> You can upgrade to a later samba version by using the backports repo or 
> by using the samba packages from sernet, though this would involve 
> registering with sernet (this is free).
> 
> Rowland
Thank you, i had created the smb.conf with the gnome app and then (after
uninstalling that app) with SWAT. 
Took the sample you pointed to and now the global section is: 

 [global]
 log file = /var/log/samba/%U.%m.log
 read raw = no
 write raw = no
 realm = fask.COM
 netbios name = CCSOO
 server string = %h server
 workgroup = fask
 os level = 25
 debug level = 1
 security = ADS
 preferred master = no
 winbind separator = #
 max log size = 99
 log level = 3

 idmap config fask:range = 10000-99999
 idmap config fask:backend = ad
 idmap config *:range = 2000-9999
 idmap config fask:schema_mode = rfc2307
 idmap config *:backend = tdb

 preserve case = yes
 store dos attributes = Yes
 short preserve case = yes
____________________ 

but i think i have a misunderstanding about windbind. 
 I thought the purpose of winbind was to include AD users as if they
were SAMBAusers, but I still had to add SAMBAusers manually in order to
get login to work. 

some info which might help: 
> root at debian1:/var/log/samba# wbinfo -u
> CCSOO#smbguest
> CCSOO#root
> CCSOO#virt_wind_1
> FASK#administrator
> FASK#guest
> FASK#krbtgt
> FASK#ccstac
> FASK#station
> FASK#outin
> FASK#ccsts
> FASK#mtotin
> FASK#opermeter
> FASK#t1
> FASK#peters
> FASK#delegate
but 
> root at debian1:/var/log/samba# wbinfo -i "FASK#peters"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user FASK#peters
Really would like to be able to seamlessly allow AD users to login to a
couple of SAMBA accounts without having to add SAMAusers. 

 

Links:
------
[1] https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server