samba - Feb 2019 - Joining an Active Directory Domain "2016"

Hello,

Has anybody been able to join an Active Directory 2016 using Samba Winbind?

If so, how can this be done?

I've been trying but it fails every time and when it finally shows me 
something using realm list, it won't let me login with any user from the 
domain, therefore, not working.

Thanks,
-- 

Jorge F. Hernandez
IT System Administrator
*GLOSS*
28 West 25th Street, 12th Floor
New York, New York 10010
T 212 229 0009
http://www.glossstudio.com
http://glossvfx.com

On Tue, 19 Feb 2019 12:06:19 -0500
"Jorge F. Hernandez via samba" <samba at lists.samba.org> wrote:
> Hello,
> 
> Has anybody been able to join an Active Directory 2016 using Samba
> Winbind?
> 
> If so, how can this be done?
> 
> I've been trying but it fails every time and when it finally shows me 
> something using realm list, it won't let me login with any user from
> the domain, therefore, not working.
> 
> Thanks,
Sorry, but you are limited to 2012 (and that is experimental), but
things should get better when 4.11 comes out.

Rowland

On Tue, 2019-02-19 at 17:15 +0000, Rowland Penny via samba
wrote:
> On Tue, 19 Feb 2019 12:06:19 -0500
> "Jorge F. Hernandez via samba" <samba at lists.samba.org>
wrote:
> 
> > 
> > Hello,
> > 
> > Has anybody been able to join an Active Directory 2016 using Samba
> > Winbind?
> > 
> > If so, how can this be done?
> > 
> > I've been trying but it fails every time and when it finally shows
> > me 
> > something using realm list, it won't let me login with any user
> > from
> > the domain, therefore, not working.
> > 
> > Thanks,
> Sorry, but you are limited to 2012 (and that is experimental), but
> things should get better when 4.11 comes out.
G'Day Rowland,

This is indeed the line for joining as an AD DC, but we should be able
to join as a member server without difficulty.

I've asked Joe to test Samba against Windows for 
https://gitlab.com/samba-team/samba/merge_requests/242 and hopefully he
can do that against 2016 for me.  That should rule out a generic issue.

Jorge,

I think you will need to turn up the debug level and see exactly what
errors you get.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

> OK I'm trying 2012 R2 and I get this after I join:
>
> # realm list
> example.com
>   type: kerberos
>   realm-name: EXAMPLE.COM
>   domain-name: example.com
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U at example.com
>   login-policy: allow-realm-logins
>
> But when I run "id user at example.com" I keep getting a user
doesn't exist.
>
> Any ideas?
> On 2/19/19 12:15 PM, Rowland Penny via samba wrote:
>> On Tue, 19 Feb 2019 12:06:19 -0500
>> "Jorge F. Hernandez via samba"<samba at
lists.samba.org>  wrote:
>>
>>> Hello,
>>>
>>> Has anybody been able to join an Active Directory 2016 using Samba
>>> Winbind?
>>>
>>> If so, how can this be done?
>>>
>>> I've been trying but it fails every time and when it finally
shows me
>>> something using realm list, it won't let me login with any user
from
>>> the domain, therefore, not working.
>>>
>>> Thanks,
>> Sorry, but you are limited to 2012 (and that is experimental), but
>> things should get better when 4.11 comes out.
>>
>> Rowland
>>
>

On Fri, 1 Mar 2019 16:54:28 -0500
"Jorge F. Hernandez via samba" <samba at lists.samba.org> wrote:
> > OK I'm trying 2012 R2 and I get this after I join:
> >
> > # realm list
> > example.com
> >   type: kerberos
> >   realm-name: EXAMPLE.COM
> >   domain-name: example.com
> >   configured: kerberos-member
> >   server-software: active-directory
> >   client-software: sssd
> >   required-package: oddjob
> >   required-package: oddjob-mkhomedir
> >   required-package: sssd
> >   required-package: adcli
> >   required-package: samba-common-tools
> >   login-formats: %U at example.com
> >   login-policy: allow-realm-logins
> >
> > But when I run "id user at example.com" I keep getting a
user doesn't
> > exist.
> >
> > Any ideas?
> 
> > On 2/19/19 12:15 PM, Rowland Penny via samba wrote:
> >> On Tue, 19 Feb 2019 12:06:19 -0500
> >> "Jorge F. Hernandez via samba"<samba at
lists.samba.org>  wrote:
> >>
> >>> Hello,
> >>>
> >>> Has anybody been able to join an Active Directory 2016 using
Samba
> >>> Winbind?
> >>>
> >>> If so, how can this be done?
> >>>
> >>> I've been trying but it fails every time and when it
finally
> >>> shows me something using realm list, it won't let me login
with
> >>> any user from the domain, therefore, not working.
> >>>
> >>> Thanks,
> >> Sorry, but you are limited to 2012 (and that is experimental), but
> >> things should get better when 4.11 comes out.
> >>
> >> Rowland
> >>
> >
> 
Just 'what' are you trying to join to the domain and how ?
By 'what', I mean as an AD DC or Unix domain member. 
By 'How', are you using Samba tools or something like realmd ?

Rowland

On Fri, 1 Mar 2019 17:13:01 -0500
"Jorge F. Hernandez" <jorge at glossstudio.com> wrote:
> I'm trying to join a Unix Domain member using "realm join -U 
> Administrator example.com" I don't know if that's Samba Tools
or
> realmd, but it is frustrating.
It isn't a Samba tool and isn't supported by Samba, if you want help
with realmd, you will have to ask Centos or Fedora or RHEL etc.
sssd isn't a Samba tool either.
> 
> I'm also trying net ads join, but it says that it cannot join as
> stand alone server.
Then your smb.conf isn't setup correctly, have you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

It might help if you tell us your distro (probably a red-hat based one)
and post the smb.conf you are trying to join with.

I can assure you that, using Samba tools, it is possible to do what you
require.

Rowland