[Samba] changing server role = standalone server to 'member server'
Carl Wilhelm Soderstrom
I set it up as a standalone server on a test network, and it was easy to set
up and worked fine. Now I am trying to migrate it to a different network and
join it to a Windows 2008 AD server.
When I try to join it to the domain, I get this error:
root@samba-4:/etc/samba# net ads join -U administrator
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the
domain.
I've gotten a Kerberos ticket already with kinit, so I know it can connect
to the AD server.
If I try 'testparm -s' I see that it shows "Server role: ROLE_STANDALONE"
even tho I have "server role = member server" in the config file.
Is there some database I need to clobber when changing the "server role ="
value?
root@samba-4:/etc/samba# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[cad-test]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
workgroup = EXAMPLEAD
realm = AD.EXAMPLE.COM
server string = samba-4.example.com
server role = member server
obey pam restrictions = Yes
restrict anonymous = 2
syslog = 0
log file = /var/log/samba/%m.log
load printers = No
logon script = %U.bat
logon path =
logon home =
local master = No
wins server = 192.XX.XX.XX
template shell = /bin/bash
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind max domain connections = 10
idmap config * : range = 600-20000
idmap config * : backend = tdb
[homes]
comment = Home Directories
path = /home/%D/%U
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No
[cad-test]
comment = CAD DepartShared Space
path = /var/samba/cadshare
valid users = rte
force group = rte
read only = No
create mask = 0666
directory mask = 0777
--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
>
Unfortunately, the only server role that works at present is 'dc', you
cannot provision as a 'member', you need to use the 'classic' way of
running samba, i.e. do not run the samba daemon, run the smbd, nmbd and
winbind daemons instead. There is also a problem with samba 4.1.3 on
ubuntu 14.04 (unless they have fixed it in the last few days, but I
haven't heard anything about my bug report), you cannot get samba-tool
to export a keytab.
Rowland
Carl Wilhelm Soderstrom
> Try to follow
> https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
>
> You need to join ad a domain controller
Thanks for the link!
I ran
# samba-tool domain join AD.EXAMPLE.COM DC -Uadministrator --realm=AD.EXAMPLE.COM
and after removing my old smb.conf file, it created a new one with:
server role = active directory domain controller
when I read the smb.conf man page tho, it really seems to say that this is
for when the samba server is providing all of the AD services. However, I
have a Windows AD server I want to get authentication information from.
Also, syslog now tells me that I should start the 'samba' daemon, and not
the 'smbd' daemon. I thought the 'samba' daemon was only if I wanted to be
the AD server.
If I need to be a DC in order to join the domain, then what is the "server
role = member server" for?
Rowland Penny
> On 04/02 09:28 , Matteo Cangi wrote:
>> Try to follow
>> https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
>>
>> You need to join ad a domain controller
> Thanks for the link!
> I ran
> # samba-tool domain join AD.EXAMPLE.COM DC -Uadministrator --realm=AD.EXAMPLE.COM
> and after removing my old smb.conf file, it created a new one with:
>
> server role = active directory domain controller
>
> when I read the smb.conf man page tho, it really seems to say that this is
> for when the samba server is providing all of the AD services. However, I
> have a Windows AD server I want to get authentication information from.
microsoft AD server, so a Samba 4 AD server will join to your windows AD
server as just another DC.
> Also, syslog now tells me that I should start the 'samba' daemon, and not
> the 'smbd' daemon. I thought the 'samba' daemon was only if I wanted to be
> the AD server.
fileserver.
> If I need to be a DC in order to join the domain, then what is the "server
> role = member server" for?
that is what a proper member does. Whilst you can provision samba4 as a
'member' and it will seem to work, believe me it doesn't, I know I tried!
Rowland
steve
> On 04/02 09:28 , Matteo Cangi wrote:
> > Try to follow
> > https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
> >
> > You need to join ad a domain controller
>
> Thanks for the link!
> I ran
> # samba-tool domain join AD.EXAMPLE.COM DC -Uadministrator --realm=AD.EXAMPLE.COM
> and after removing my old smb.conf file, it created a new one with:
>
> server role = active directory domain controller
>
> when I read the smb.conf man page tho, it really seems to say that this is
> for when the samba server is providing all of the AD services. However, I
> have a Windows AD server I want to get authentication information from.
>
> Also, syslog now tells me that I should start the 'samba' daemon, and not
> the 'smbd' daemon. I thought the 'samba' daemon was only if I wanted to be
> the AD server.
>
> If I need to be a DC in order to join the domain, then what is the "server
> role = member server" for?
You don't want to join the domain as another DC I don't think. To join
as a member server you need a minimal smb.conf:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
kerberos method = system keytab
now join:
net ads join -UAdministrator
That's it.
You may want to use winbind or nscld or sssd to map uid:gid and other
Unix information e.g.
https://wiki.samba.org/index.php/Samba/Domain_Member
You can now add shares to your smb.conf to serve files to the domain.
HTH
Steve
Johan Hendriks
Then a net ads join -U administrator should work
Also testparm will tell you that samba is configured as a member server.
regards
Carl Wilhelm Soderstrom
> You don't want to join the domain as another DC I don't think.
Almost all the configuration help I find on the web for Samba v4 seems to
be for setting up the Samba server as the AD server, rather than how to join
it to an existing AD server.
> To join
> as a member server you need a minimal smb.conf:
>
> [global]
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> security = ADS
> kerberos method = system keytab
>
> now join:
> net ads join -UAdministrator
>
> That's it.
root@samba-4:/etc/samba# net ads join -U administrator
Using short domain name -- EXAMPLEAD
Joined 'SAMBA-4' to dns domain 'ad.example.com'
DNS update failed: NT_STATUS_UNSUCCESSFUL
However it seems like I am bound to the domain, based on what I see in 'net
ads info', 'wbinfo -u' and 'wbinfo -t'.
> You may want to use winbind or nscld or sssd to map uid:gid and other
> Unix information e.g.
> https://wiki.samba.org/index.php/Samba/Domain_Member
without reason, and then recovers just as mysteriously, tho I'm not entirely
sure it's winbind). The others I am not, and will have to look at.
Thanks again, your message was really helpful!
Carl Wilhelm Soderstrom
> I think you need security = ADS in your global settings.
lines; and testparm didn't warn about this.
security = ADS
security = user
Thanks for the message tho!
Rowland Penny
it is very very common and is just telling you that the join couldn't
update DNS, you will be joined to the domain ;-)
>> You may want to use winbind or nscld or sssd to map uid:gid and other
>> Unix information e.g.
>> https://wiki.samba.org/index.php/Samba/Domain_Member
> Winbind I'm familiar with (mostly in that it seems to break occasionally and
> without reason, and then recovers just as mysteriously, tho I'm not entirely
> sure it's winbind). The others I am not, and will have to look at.
better if you can add the RFC2307 attributes to your users & groups.
Rowland
>
--
steve
> On 04/02 11:18 , steve wrote:
> > You don't want to join the domain as another DC I don't think.
>
> Thanks for your clarification.
> Almost all the configuration help I find on the web for Samba v4 seems to
> be for setting up the Samba server as the AD server, rather than how to join
> it to an existing AD server.
>
> > To join
> > as a member server you need a minimal smb.conf:
> >
> > [global]
> > workgroup = EXAMPLE
> > realm = EXAMPLE.COM
> > security = ADS
> > kerberos method = system keytab
> >
> > now join:
> > net ads join -UAdministrator
> >
> > That's it.
>
> Thanks. That *mostly* worked. I did get this error:
>
> root@samba-4:/etc/samba# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- EXAMPLEAD
> Joined 'SAMBA-4' to dns domain 'ad.example.com'
> DNS update failed: NT_STATUS_UNSUCCESSFUL
The fqdn of the machine you are joining is not sent over the net
command. It's a good idea to get it registered in DNS as there are
untold errors awaiting you if you do not. . .
-unjoin the domain:
net ads leave -UAdministrator
-remove the keytab:
rm /etc/krb5.keytab
-add fqdn and hostname to /etc/hosts:
127.0.0.1 hostname.domain.name hostname localhost
-ensure that the machine has a static IP
-ensure the primary dns is set to the IP of the DC
-rejoin
Good luck
Steve
Carl Wilhelm Soderstrom
variations, and this is what I think is the relevant data.
To summarize the end, am I having a problem registering
samba-4.ad.example.com with the AD server's DNS instance?
On 04/03 10:31 , steve wrote:
> The fqdn of the machine you are joining is not sent over the net
> command. It's a good idea to get it registered in DNS as there are
> untold errors awaiting you if you do not. . .
Hmm, not sure what you mean here. All the hosts have DNS entries and static
IP addresses. Forward and reverse DNS match (I just double-checked).
> -unjoin the domain:
> net ads leave -UAdministrator
> -remove the keytab:
> rm /etc/krb5.keytab
Thanks for letting me know about that. I was not aware of that file.
> -add fqdn and hostname to /etc/hosts:
> 127.0.0.1 hostname.domain.name hostname localhost
Before I had in /etc/hosts:
127.0.0.1 localhost
192.XXX.XXX.77 ad.example.com ad
192.XXX.XXX.30 samba-4.example.com samba-4
Are you sure you mean that I should have it like this?
127.0.0.1 samba-4.example.com samba-4 localhost
192.XXX.XXX.77 ad.example.com ad
192.XXX.XXX.30 samba-4.example.com samba-4
since that doesn't square with DNS. (Also, if I do 'net ads join -U
Administrator -S ad.example.com -d 10, I find that I get an LDAP connection
error).
The AD server is my only DNS source apart from /etc/hosts. I've tested both
with and without avahi running.
root@samba-4:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
# resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.XXX.XXX.77
search example.com
root@samba-4:~# grep hosts /etc/nsswitch.conf
#hosts: files mdns4_minimal [NOTFOUND=return] dns
hosts: files dns
Leaving the domain:
root@samba-4:~# net ads leave -UAdministrator
Enter Administrator's password:
Deleted account for 'SAMBA-4' in realm 'AD.EXAMPLE.COM'
root@samba-4:~# wbinfo -t
checking the trust secret for domain EXAMPLEAD via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
root@samba-4:~# rm /etc/krb5.keytab
rm: remove regular file ‘/etc/krb5.keytab’? y
Now rejoining the domain, with debugging, it seems to all work except for
the DNS business:
root@samba-4:~# net ads join -U Administrator -d 5
<snip>
rpccli_netlogon_setup_creds: server AD.ad.example.com credential chain
established.
Bind RPC Pipe: host AD.ad.example.com auth_type 68, auth_level 6
rpc_api_pipe: host AD.ad.example.com
rpc_read_send: data_to_read: 72
check_bind_response: accepted!
seed 153e7d56:1ba8aab6
seed+time 687c514c:1ba8aab6
CLIENT c4d2cfb4:7c9d763b
seed+time+1 687c514d:1ba8aab6
SERVER 903a2b01:26ceaf0f
rpc_api_pipe: host AD.ad.example.com
rpc_read_send: data_to_read: 104
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'EXAMPLEAD'
dns_domain_name : 'ad.example.com'
forest_name : 'ad.example.com'
dn :
'CN=samba-4,CN=Computers,DC=ad,DC=example,DC=com'
domain_sid : *
domain_sid :
S-1-5-21-3579304287-3829738268-3886208222
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- EXAMPLEAD
Joined 'SAMBA-4' to dns domain 'ad.example.com'
added interface eth0 ip=192.XXX.XXX.30 bcast=192.XXX.XXX.255
netmask=255.255.255.0
ads_dns_lookup_ns: 2 records returned in the answer section.
retrying DNS update with next nameserver after receiving
ERROR_DNS_CONNECTION_FAILED
retrying DNS update with next nameserver after receiving
ERROR_DNS_CONNECTION_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
return code = 0
root@samba-4:~# wbinfo -t
checking the trust secret for domain EXAMPLEAD via RPC calls succeeded
Am I having a problem registering the host's name with the AD server's DNS
instance?
root@samba-4:~# host samba-4.ad.example.com
Host samba-4.ad.example.com not found: 3(NXDOMAIN)
Some workstations are registered with the AD server's DNS (but not all).
root@samba-4:~# host workstation.ad.example.com
workstation.ad.example.com has address 192.77.113.119
But I'm not a Windows guy, so I have little idea what correct behavior
should be.
--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com
steve
bind or internal dns? the join only works with bind for Linux boxes.
Steve
L.P.H. van Belle
i've seen this behavor multiple times the last few days.
This is how i got to fix this.
stop the smbd nmbd winbind processes.
Remove the "old" dns record from your dns use samba-tool
Make sure you restore this this is correct
>127.0.0.1 localhost
>192.XXX.XXX.77 ad.example.com ad
>192.XXX.XXX.30 samba-4.example.com samba-4
( and if unsure, backup this )
/var/lib/samba/*.tdb and /var/lib/samba/private/*.tdb
/var/cache/samba/* ( incl dirs )
this is your error causing this.
thats why you need to remove manualy, and maybe multiple times.
Greetz,
Louis
>-----Oorspronkelijk bericht-----
>Van: chr...@real-time.com
>[mailto:samba-...@lists.samba.org] Namens Carl Wilhelm Soderstrom
>Verzonden: donderdag 3 april 2014 23:52
>Aan: sa...@lists.samba.org
>Onderwerp: Re: [Samba] changing server role = standalone
>server to 'member server'
Carl Wilhelm Soderstrom
> Remove the "old" dns record from your dns use samba-tool
which is the bit the AD server is responsible for. There is a DNS entry for
samba-4.example.com (served up by a BIND server which the AD server queries
for things other than ad.example.com); but that shouldn't be relevant,
should it?
> this is your error causing this.
> >ads_dns_lookup_ns: 2 records returned in the answer section.
>
> 2 records returned, now samba cant fix it, it dont know which one to fix.
> thats why you need to remove manualy, and maybe multiple times.
IPv6 address?
# host ad.example.com
ad.example.com has address 192.XXX.XXX.77
ad.example.com has IPv6 address XXXX:XXXX:714d::c04d:714d
Carl Wilhelm Soderstrom
rpccli_netlogon_setup_creds: server AD.ad.example.com credential chain
established.
Bind RPC Pipe: host AD.ad.example.com auth_type 68, auth_level 6
rpc_api_pipe: host AD.ad.example.com
rpc_read_send: data_to_read: 72
check_bind_response: accepted!
seed+time d2f95997:dde64e56
CLIENT 414ca8a7:ca84cbce
seed+time+1 d2f95998:dde64e56
SERVER 5e528977:37d4889e
> bind or internal dns? the join only works with bind for Linux boxes.
ad.example.com subdomain. (The example.com domain is served by a BIND
server, which the AD server queries for domains other than ad.example.com).
I use 'net ads join' on Samba v3 servers when joining them to a Windows AD
server. (Admittedly it doesn't update the DNS entries for the Samba v3
machines on the AD server either). Am I doing something wrong?
steve
Samba4 AD running bind dlz if I remove the localhost fqdn line
in /etc/hosts
Cheers,
Steve
Andrew Bartlett
> I am testing a Samba v4.1.3 instance on Ubuntu 14.04 prerelease.
> I set it up as a standalone server on a test network, and it was easy to set
> up and worked fine. Now I am trying to migrate it to a different network and
> join it to a Windows 2008 AD server.
>
> When I try to join it to the domain, I get this error:
>
> root@samba-4:/etc/samba# net ads join -U administrator
> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
>
> I've gotten a Kerberos ticket already with kinit, so I know it can connect
> to the AD server.
>
> If I try 'testparm -s' I see that it shows "Server role: ROLE_STANDALONE"
> even tho I have "server role = member server" in the config file.
'security=ads'. However, I mucked that up in the leadup to Samba 4.0,
and we really can't change this kind of thing mid-cycle. In Samba 4.2,
this will work.
As others have pointed out, the server role parameter was added for the
AD DC, however it was not meant to be this confusing.
Sorry about that,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba