Hi,

I have a LDAP+Kerberos+nfs+samba server and a Windows 7 workstation joined to the domain.

Now I have some new workstations to join to the Samba AD, but I am unable to join them.

I have tried many solutions, but with no success.

I need some help.
Hi Marco,

On 14.09.2017 at 10:31, Marco Gemignani via samba wrote:
> i have a LDAP+Kerberos+nfs+samba server and Windows 7 workstation joined
> to domain
>
> now i have some new workstation to join samba AD, but unable to join them

Since you don't give us any details on your client/server configuration and the error message, I refer to our documentation, which is verified on Win10:

https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain

Regards,
Marc
On Thu, 14 Sep 2017 10:31:42 +0200
Marco Gemignani via samba <samba at lists.samba.org> wrote:

> Hi,
>
> i have a LDAP+Kerberos+nfs+samba server and Windows 7 workstation
> joined to domain
>
> now i have some new workstation to join samba AD, but unable to join
> them
>
> i try and try many solution, but no success
>
> need some help
>
>

And we need some help to try and help you ;-)

How is Samba set up ?
Please post your smb.conf

What have you tried, no point in asking you to try something you already have tried ;-)

Rowland
On Thu, 14 Sep 2017 11:40:13 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

>
>
> On 14/09/2017 11:24, Rowland Penny via samba wrote:
> > On Thu, 14 Sep 2017 10:31:42 +0200
> > Marco Gemignani via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> i have a LDAP+Kerberos+nfs+samba server and Windows 7 workstation
> >> joined to domain
> >>
> >> now i have some new workstation to join samba AD, but unable to
> >> join them
> >>
> >> i try and try many solution, but no success
> >>
> >> need some help
> >>
> >>
> > And we need some help to try and help you ;-)
> >
> > How is Samba set up ?
> install in this way
>
> sudo apt-get install samba
> Version 4.3.11-Ubuntu
> server configured as that guide:
> https://www.danbishop.org/2015/01/30/ubuntu-14-04-ultimate-server-guide/

Hmm, you do realise that should be called the 'Ubuntu 14.04 Ultimate Old Type Server Guide', quite a few of the stages could be removed if you set it up as an AD DC instead.

Why have you set up Samba as an NT4-Style PDC ?
Why haven't you set up an AD DC instead ?

Rowland
If you have set up a "classic" NT4-style domain, you may need to set the
signorseal registry key:

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal=0

(same as Windows 7.)

I would also check the Samba parameters to make sure that NTLMv2 is enabled
for authentication. I don't know if Windows 10 supports NTLMv1.

Also, for Windows 10 you MAY want to disable SMB v3. Windows 7 does
not use SMB v3, but Windows 10 does, and the SMB3 compatibility between
Windows 10 and Samba 4.x is not very good. However, I don't think that
would affect login.

I would also look at upgrading to Ubuntu 16 - I think Samba 4.3.11 is
EOL, which means that at some point a Windows security patch may break
compatibility with Samba.

Obviously, if you already have the Kerberos and LDAP backend used for other
stuff besides Samba, switching to Samba AD is a significant decision.
While Samba in classic mode can use your OpenLDAP (or whatever) LDAP
server, Samba in AD mode will expect to use its own LDAP server, and I think
still expects the Heimdal KRB server, not MIT. Which means any LDAP
and Kerberos stuff used by your Linux machines will need to be reconfigured.

My classic PDC (version 4.1.14) is configured with the following settings:

        server max protocol = NT1
        server min protocol = NT1
        server signing = default
        ntlm auth = Yes
        ldap server require strong auth = Yes
        allow dcerpc auth level connect = No
On 09/14/17 06:36, Rowland Penny via samba wrote:
> On Thu, 14 Sep 2017 11:40:13 +0200
> Marco Gemignani <marko.gem at inwind.it> wrote:
>
>>
>> Il 14/09/2017 11:24, Rowland Penny via samba ha scritto:
>>> On Thu, 14 Sep 2017 10:31:42 +0200
>>> Marco Gemignani via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> i have a LDAP+Kerberos+nfs+samba server and Windows 7
>>>> workstation
>>>> joined to domain
>>>>
>>>> now i have some new workstation to join samba AD, but unable to
>>>> join them
>>>>
>>>> i try and try many solution, but no success
>>>>
>>>> need some help
>>>>
>>>>
>>> And we need some help to try and help you ;-)
>>>
>>> How is Samba set up ?
>> install in this way
>>
>> sudo apt-get install samba
>> Version 4.3.11-Ubuntu
>> server configured as that guide:
>>
>> https://www.danbishop.org/2015/01/30/ubuntu-14-04-ultimate-server-guide/
> Hmm, you do realise that should be called the 'Ubuntu 14.04 Ultimate
> Old Type Server Guide', quite a few of the stages could be removed if
> you set it up as an AD DC instead.
>
> Why have you set up Samba as an NT4-Style PDC ?
> Why haven't you set up an AD DC instead ?
>
> Rowland
>
Hi Marco,

> i have a LDAP+Kerberos+nfs+samba server and Windows 7 workstation joined
> to domain
>
> now i have some new workstation to join samba AD, but unable to join them
>
> i try and try many solution, but no success
>
> need some help

The best solution would be for you to switch to an AD domain. It is much easier to install and manage compared to an NT4 classic domain.

If you really need to stick to your NT4 domain, you need to restrict the protocol to SMB1 for Win10 to authenticate on your PDC [1], in addition to the usual registry modifications:

[global]
...
server max protocol = NT1

And restart Samba.

Cheers,

Denis

[1] https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
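As an added example (not code from this thread or from the Samba project), the following Python audit applies the advice in Denis's message together with the NT4 PDC settings quoted earlier in the thread: it parses an smb.conf the way Samba normalises parameter names (case and whitespace ignored, "max protocol"/"protocol" as synonyms of "server max protocol"), flags a missing "server max protocol = NT1" or an "ntlm auth" value that would switch NTLMv2 off, and writes the client-side Netlogon registry change as a .reg file. The smb.conf fragments are constructed samples; the registry path is the one given above.

```python
"""Check a Samba NT4-style PDC's smb.conf for the settings this thread says
Windows 10 needs (SMB1 on the server side, NTLM left enabled) and emit the
client-side .reg file for the Netlogon registry change. Added example, not
Samba project code; the sample smb.conf fragments are constructed."""
import re

# Samba matches parameter names case-insensitively and ignores whitespace;
# 'max protocol' and 'protocol' are documented synonyms of 'server max protocol'.
SYNONYMS = {"maxprotocol": "servermaxprotocol", "protocol": "servermaxprotocol"}


def _norm(name):
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)


def parse_smbconf(text):
    """Return {section: {normalised_name: value}}. A later duplicate wins, as in
    Samba; '#' and ';' comments are skipped and 'include' is not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            name, _, value = line.partition("=")
            key = _norm(name)
            if key != "include":
                sections[current][key] = value.strip()
    return sections


def audit_smbconf(text):
    """Return a list of findings (empty list = matches the thread's advice)."""
    g = parse_smbconf(text).get("global", {})
    findings = []
    proto = g.get("servermaxprotocol")
    if proto is None or proto.upper() != "NT1":
        # Unset means the SMB3 default; the wiki page cited above wants NT1
        findings.append("server max protocol must be NT1 (found %r)" % proto)
    ntlm = g.get("ntlmauth")
    if ntlm is None:
        findings.append("ntlm auth is unset; set it explicitly, its default has "
                        "changed between Samba releases")
    elif ntlm.lower() == "disabled":
        # 'disabled' (Samba 4.7+) turns off NTLMv2 as well, so logon cannot work
        findings.append("ntlm auth = disabled switches off NTLMv2 as well")
    return findings


def netlogon_reg_file():
    """The client-side change the thread describes, as a .reg file. Caveat:
    RequireSignOrSeal=0 lets the workstation's Netlogon secure channel run
    unsigned and unsealed, so it is a security downgrade; use it only on an
    isolated LAN and revert it once the domain is migrated to AD."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
            "\\Netlogon\\Parameters]\r\n"
            "\"RequireSignOrSeal\"=dword:00000000\r\n")


# Constructed samples: a PDC config like the one quoted earlier in the thread,
# and one that silently relies on the defaults.
SAMPLE_OK = """
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   server max protocol = NT1
   server min protocol = NT1
   ntlm auth = Yes
[netlogon]
   path = /srv/samba/netlogon
"""
SAMPLE_DEFAULTS = """
[global]
   workgroup = EXAMPLE
   domain logons = yes
   ; nothing about protocol or ntlm auth: SMB3 and the version default apply
"""

if __name__ == "__main__":
    for label, conf in (("reference", SAMPLE_OK), ("defaults", SAMPLE_DEFAULTS)):
        print(label, "->", audit_smbconf(conf) or "OK")
    print(netlogon_reg_file())
```

Run it against the real /etc/samba/smb.conf with `audit_smbconf(open(path).read())`; an empty list means the two settings the thread asks for are present. Note that the .reg file only changes the client's requirement; the PDC side still has to be restarted after editing smb.conf, as Denis says.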
On Mon, 18 Sep 2017 09:27:44 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> Hi,
>
> in order to a new server using AD-DC domain,can i use LDAP (users)?
> Or samba 4 need his internal LDAP server for users?
>

I think you are asking if you can have a Samba AD DC based on Openldap instead of the Built in Samba LDAP. The answer is no.

Can I ask why you feel that you need Openldap ?

Rowland
On Mon, 18 Sep 2017 10:03:52 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> Because i'm using this it now, and i not know how to use built in
> LDAP in samba, and olso use it for linux users
>

You use it much the same way that you use Openldap, it is just that some of the syntax is different.

A Samba AD DC comes with 'samba-tool', you can add users and groups with this, but this is just the tip of the iceberg, running 'samba-tool --help' produces this:

Usage: samba-tool <subcommand>

Main samba administration tool.

Options:
  -h, --help            show this help message and exit

Version Options:
  -V, --version         Display version number

Available subcommands:
  dbcheck     - Check local AD database for errors.
  delegation  - Delegation management.
  dns         - Domain Name Service (DNS) management.
  domain      - Domain management.
  drs         - Directory Replication Services (DRS) management.
  dsacl       - DS ACLs manipulation.
  fsmo        - Flexible Single Master Operations (FSMO) roles management.
  gpo         - Group Policy Object (GPO) management.
  group       - Group management.
  ldapcmp     - Compare two ldap databases.
  ntacl       - NT ACLs manipulation.
  processes   - List processes (to aid debugging on systems without setproctitle).
  rodc        - Read-Only Domain Controller (RODC) management.
  sites       - Sites management.
  spn         - Service Principal Name (SPN) management.
  testparm    - Syntax check the configuration file.
  time        - Retrieve the time on a server.
  user        - User management.
For more help on a specific subcommand, please type: samba-tool <subcommand> (-h|--help)

You can also do most of these things from Windows.

You can use the ldaptools (ldapsearch etc) against the database, but Samba comes with ldbtools which work in much the same way.

I think however, you may be concerned about extending the schema for things like email, all of this is possible.

So, next question ?

Rowland
On Mon, 18 Sep 2017 13:19:57 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> Thanks,
>
> and is possible use my external (running in another host in same LAN)
> bind server?
>

I understand that some users have managed to make this work, but you will probably find it easier to use a subdomain of the external dns server for your DC and then run Bind9 on the DC.

Rowland
On Wed, 20 Sep 2017 16:05:11 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> Hi again, i'm testing the new samba,
>
> but in Ubuntu Server 16 tls, samba version is 4.3.11, this is old, is
> better use last version (4.7?)
>

Yes 4.3.x is old, it is EOL as far as Samba is concerned, but 4.7.0 has not been released yet, it is still an RC, but when it is released, 4.4.x will go EOL, 4.5.x will only get security fixes. 4.6.x will go into maintenance mode.

The problem with Ubuntu is that you will probably have to compile Samba yourself if you want a later version that isn't EOL.

Have you considered using Debian instead ? this way you could use Louis's packages.

Rowland
On Wed, 20 Sep 2017 17:41:26 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> Uh, i have a lot of script based on ubuntu so i prefer use ubuntu
>
> i'm testing it on a VM, and is so simple now create an AD, and now
> w10 join this new domain with no problem.
> But now how i can let samba user log locally on the server? I have to
> join the sistem to the domain?
>
>
> Sorry for my stupids question....
>

So I take it you now have a Samba AD DC running in a VM and have joined a Win10 machine to the domain. You now want a domain user to be able to login directly into the Samba AD DC.

Provided you have installed the right packages, it may just be as simple as telling /etc/nsswitch.conf to use winbind for the passwd & group lines.

You will also have to add a couple of lines to the smb.conf:

template shell = /bin/bash
template homedir = /home/%U

The last line isn't that important, the default is:

template homedir = /home/%D/%U

With this you will have to create a directory in /home named after your WORKGROUP (it has to be in uppercase)

Finally, add this line to /etc/pam.d/common-session :

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

So, what packages did you install before you provisioned Samba ?
i.e. apt-get install samba ????????????????

Rowland
On Thu, 21 Sep 2017 14:53:22 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

>
>
> On 20/09/2017 18:11, Rowland Penny via samba wrote:
> > On Wed, 20 Sep 2017 17:41:26 +0200
> > Marco Gemignani <marko.gem at inwind.it> wrote:
> >
> >> Uh, i have a lot of script based on ubuntu so i prefer use ubuntu
> >>
> >> i'm testing it on a VM, and is so simple now create an AD, and now
> >> w10 join this new domain with no problem.
> >> But now how i can let samba user log locally on the server? I have
> >> to join the sistem to the domain?
> >>
> >>
> >> Sorry for my stupids question....
> >>
> > So I take it you now have a Samba AD DC running in a VM and have
> > joined a Win10 machine to the domain. You now want a domain user to
> > be able to login directly into the Samba AD DC.
> >
> > Provided you have installed the right packages, it may just be as
> > simple as telling /etc/nsswitch.conf to use winbind for the passwd &
> > group lines.
> >
> > You will also have to add a couple of lines to the smb.conf:
> >
> > template shell = /bin/bash
> > template homedir = /home/%U
> >
> > The last line isn't that important, the default is:
> >
> > template homedir = /home/%D/%U
> >
> > With this you will have to create a directory in /home named after
> > your WORKGROUP (it has to be in uppercase)
> >
> > Finally, add this line to /etc/pam.d/common-session :
> >
> > session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> >
> > So, what packages did you install before you provisioned Samba ?
> > i.e. apt-get install samba ????????????????
> >
> > Rowland
>
> Yes, do as you told me and works like a charm
>
> istalled as
> sudo apt-get install samba krb5-user krb5-config winbind
> libpam-winbind libnss-winbind
>
> Created some users and can login from w10 macchines and olso logon
> locally to the serve, this useful for me for ssh access and ftp.
>
> Now, the next questions, how to mount use home folder (windows
> profile)?
> In old samba
>
> logon drive = H:
> logon home = \\server\users\%U
>
>
> With the new samba?

There are a couple of attributes in AD for that: homeDrive and homeDirectory

Hopefully you work out which is which ;-)

Rowland
On Mon, 25 Sep 2017 15:37:53 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> AH, ok..
>
> by default (with any configuration) windows profiles are not saved
> during users logoff?
>

There is also an attribute for users profiles ;-)

You may find this Samba wiki page useful:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Rowland
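As an added example, not code from this thread or from the Samba project: a Python helper that builds the LDIF setting the three AD attributes Rowland points at (homeDrive, homeDirectory and the profile attribute, profilePath) for an existing user. The NT4 "logon home = \\server\users\%U" line was expanded by the PDC at logon time; AD stores the value literally on each user object, so the %U/%D expansion happens here, once per account. The DC name dc1, the share names users and profiles, the CN=Users container and the sample account names are assumptions.

```python
"""Build the LDIF that sets, on an existing Samba AD user, the attributes that
replace the NT4 PDC 'logon drive' / 'logon home' / 'logon path' settings:
homeDrive, homeDirectory and profilePath. Added example, not Samba project
code; DC name, share names and container are assumptions."""

HOME_TEMPLATE = r"\\dc1\users\%U"       # assumption: UNC of the home share
PROFILE_TEMPLATE = r"\\dc1\profiles\%U"  # assumption: UNC of the profile share


def expand_nt4_template(template, sam, domain):
    """Expand the %U (user) and %D (domain) substitutions an NT4 PDC applied
    at logon time, producing the literal per-user value AD needs."""
    return template.replace("%U", sam).replace("%D", domain)


def normalise_drive(drive):
    """Accept 'h', 'H' or 'H:' and return 'H:'. Anything that is not a single
    letter is rejected, because Windows silently ignores a malformed homeDrive
    and the user ends up with no mapped home drive."""
    letter = drive.strip().rstrip(":").upper()
    if len(letter) != 1 or not "A" <= letter <= "Z":
        raise ValueError("bad drive letter: %r" % drive)
    return letter + ":"


def _ldif_safe(value):
    """LDIF needs base64 for values with leading spaces or non-ASCII characters;
    this helper does not do that, so refuse such values instead of emitting a
    file that ldbmodify would misread."""
    if value.startswith(" ") or any(ord(c) < 32 or ord(c) > 126 for c in value):
        raise ValueError("value needs base64 encoding: %r" % value)
    return value


def home_profile_ldif(sam, base_dn, domain, drive="H:", container="CN=Users",
                      home_template=HOME_TEMPLATE,
                      profile_template=PROFILE_TEMPLATE):
    """LDIF 'modify' entry for one existing user. Assumes the object's CN equals
    its sAMAccountName and that it lives in `container` under `base_dn`
    (both true for accounts created with samba-tool unless moved/renamed)."""
    if "," in sam or "=" in sam:
        raise ValueError("CN needs RFC 4514 escaping, not handled here: %r" % sam)
    dn = "CN=%s,%s,%s" % (sam, container, base_dn)
    attrs = [
        ("homeDrive", normalise_drive(drive)),
        ("homeDirectory", expand_nt4_template(home_template, sam, domain)),
        ("profilePath", expand_nt4_template(profile_template, sam, domain)),
    ]
    lines = ["dn: %s" % dn, "changetype: modify"]
    for name, value in attrs:
        lines += ["replace: %s" % name, "%s: %s" % (name, _ldif_safe(value)), "-"]
    return "\n".join(lines) + "\n"


def batch_ldif(sams, base_dn, domain, **kw):
    """One LDIF file for several users; entries are separated by a blank line."""
    return "\n".join(home_profile_ldif(s, base_dn, domain, **kw) for s in sams)


if __name__ == "__main__":
    # Constructed sample accounts for an assumed domain EXAMPLE / DC=example,DC=com
    print(batch_ldif(["alice", "bob"], "DC=example,DC=com", "EXAMPLE", drive="h"))
```

Apply the output on the DC with `ldbmodify -H <path to sam.ldb> users.ldif` (where sam.ldb lives depends on how Samba was installed), or use the same values when creating new accounts with `samba-tool user create`, which takes `--home-drive`, `--home-directory` and `--profile-path`. Two practical points: the share directories still need filesystem permissions that let each user (and only that user) create their folder, and Windows appends a version suffix to the profile folder it creates (.V2 for Windows 7, higher numbers for newer Windows 10 builds), so a pre-created unsuffixed folder will not be the one the client uses.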
Hi,

I have a small server with CentOS 7 and Samba 4.8.3. I have done the domain provision, joined some Windows 10 PCs and I'm happy. I prefer to manage it from RSAT and I created a lot of policies, and all seems fine!

The main problem is how to set ACLs on user folders. I'm unable to set share permissions from Windows on the Samba users share; when I apply changes I receive an error like "permission denied".

I edited PAM to allow domain users to log on locally, but I do not know how I can give root privileges to the Domain Admins user. I tried a lot of configurations via visudo, with no reply. I think I'm unable to set permissions because the user logged on Windows is in the Domain Admins group but does not have root privileges on Linux, so it can't change the Samba config, I think.

Sorry for my bad English; any help will be appreciated.