
Re: [Samba] Problems after PC is joined to the domain - Samba 4


Theodotos Andreou

Jun 2, 2014, 1:24:26 AM
On 05/30/2014 02:40 PM, steve wrote:
> On Fri, 2014-05-30 at 14:08 +0300, Theodotos Andreou wrote:
>> On 05/30/2014 01:53 PM, steve wrote:
>>> On Fri, 2014-05-30 at 13:13 +0300, Theodotos Andreou wrote:
>>>> Hello SAMBA community,
>>>>
>>>> I used this guide to join a PC to the domain as member using samba 4:
>>>> https://wiki.samba.org/index.php/Samba4/Domain_Member
>>>>
>>>> I am using Ubuntu 14.04 64 bit and I installed samba from the repos. The
>>>> stock samba version is:
>>>>
>>>> # samba --version
>>>> Version 4.1.6-Ubuntu
>>>>
>>>> When I tried to join the PC to the domain I got:
>>>>
>>>> # net ads join -U admin
>>>> kerberos_kinit_password DOM\ad...@DOM.FOREST.INT failed: Client not found in Kerberos database
>>>> Failed to join domain: failed to connect to AD: Client not found in Kerberos database
>>>>
>>>> Nevertheless the PC was joined to the domain despite the above error and
>>>> proceeded with the following steps. But when I try to list the users
>>>> using 'wbinfo -u' I get some strange behavior. The command takes too
>>>> long to complete and it then gives:
>>>>
>>>> # wbinfo -u --verbose
>>>> FOREST\usbms_somepcname
>>>>
>>>> The second time I run the command it takes again too long but it gives
>>>> out the complete list of AD users. But when I try to login as a
>>>> particular user though I get:
>>>>
>>>> # su - myusername
>>>> No passwd entry for user 'myusername'
>>>> # id myusername
>>>> id: myusername: no such user
>>>>
>>>> This is my smb.conf:
>>>>
>>>> # cat /etc/samba/smb.conf
>>>> [global]
>>>>
>>>> netbios name = MYPCNAME
>>>> workgroup = DOM
>>>> security = ADS
>>>> realm = DOM.FOREST.INT
>>>> encrypt passwords = yes
>>> Hi
>>> try:
>>> add
>>> kerberos method = system keytab
>>> to [global]
>>> and issue:
>>> net ads keytab create -Uadmin
>>> (ru sure admin has sufficient privs to add machines?)?
>>>
>>>
>> I added that line and it gives:
>>
>> # net ads keytab create -U 'DOM\admin'
>> Enter DOM\admin's password:
>> kerberos_kinit_password DOM\admin@DOM..INT failed: Client not found in Kerberos database
>> kerberos_kinit_password DOM\ad...@LIM.TEPAK.INT failed: Client not found in Kerberos database
>>
>> After omitting 'DOM\' from the username it gives:
>>
>> # net ads keytab create -U 'admin'
>> Enter admin's password:
>> ads_get_dnshostname: No dNSHostName attribute!
>> ../source3/libads/kerberos_keytab.c:328: unable to determine machine account's dns name in AD!
>>
>> I have changed the true username and domain name for reason of paranoia
>> :) but I am certain that the user I use is a domain admin.
> DNS on Ubuntu:
> http://linuxcostablanca.blogspot.com.es/2014/05/dns-good-enough-for-kerberos.html
>
>
Ok now I have this configuration:

# grep 127 /etc//hosts
127.0.0.1 localhost
127.0.1.1 MYPCNAME.dom.forest.int MYPCNAME

and this:

# cat /etc/hostname
MYPCNAME

Testing:

# hostname -d
dom.forest.int

# domainname
(none)

I have no idea why domainname gives different results than hostname -d.

The PC name resolves correctly on DNS:

# host MYPCNAME.dom.forest.int
MYPCNAME.dom.forest.int has address 10.10.10.156

The problem persists:

# net ads keytab create -U admin
Enter admin's password:
ads_get_dnshostname: No dNSHostName attribute!
../source3/libads/kerberos_keytab.c:328: unable to determine machine account's dns name in AD!

Could the problem with the domainname command be related to this? Any
idea why that happens?

How can I troubleshoot this issue deeper?

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve

Jun 2, 2014, 8:06:25 AM
It is because you have ignored the information in the link which you
quote.

>
> The PC name resolves correctly on DNS:
>
> # host MYPCNAME.dom.forest.int
> MYPCNAME.dom.forest.int has address 10.10.10.156
>
> The problem persists:
>
> # net ads keytab create -U admin
> Enter admin's password:
> ads_get_dnshostname: No dNSHostName attribute!
> ../source3/libads/kerberos_keytab.c:328: unable to determine machine account's dns name in AD!

Of course it can't. Try again. Same link as before, but this time follow
it correctly.
HTH
Steve

L.P.H. van Belle

Jun 2, 2014, 8:49:53 AM
>> # hostname -d
>> dom.forest.int
>>
>> # domainname
>> (none)

domainname ( looks in kernel info )
hostname -d ( is from resolving subsystems )

2 different things, read on, this is good info about this subject.


The primary source of confusion seems to be the distinction between
the hostname and the domain name which are set and determined in different ways, not simultaneously.

The kernel maintains the current hostname which is set (in a distribution-specific way) at boot time
and can be changed on the fly.
The domain name is determined by the resolver system, usually from the static hosts database (/etc/hosts) or via DNS


The kernel maintains the current (unqualified) hostname of the system.
Here are a few of the numerous ways to obtain it:
hostname
uname -n
cat /proc/sys/kernel/hostname
sysctl kernel.hostname

The hostname can be changed temporarily by running
hostname MyTempHostName

Each distribution has a script that runs at boot time which sets the hostname.
The way to change the hostname permanently thus differs by distribution.

- Debian has an init script, /etc/init.d/hostname.sh, which is called at boot time and sets the hostname
to what is given in /etc/hostname. To change the hostname, place only the unqualified hostname (e.g., MyTempHostName)
in /etc/hostname and run sudo /etc/init.d/hostname.sh.

- Ubuntu, like Debian, also uses /etc/hostname, but to update the hostname after making a change,
run sudo service hostname start.

As of Ubuntu 14.XX it is allowed to put the hostname.domain.tld in /etc/hostname
( For Debian I did not look this up )


The domain name is distinct from the hostname and is determined by the resolver subsystem
The current FQDN of the system can be found as follows:
hostname -f MyTempHostName.example.com

To obtain this information the system first asks for the hostname: MyTempHostName
Then it asks for the IP address of MyTempHostName : (example 192.168.1.111 )
Finally, it asks for the full hostname and domain that corresponds to the IP address 192.168.1.111

Here the man hostname also says..
in case of hostname -f

A FQDN consists of a short host name and the DNS domain name.
Unless you are using bind or NIS for host lookups you can change the FQDN and
the DNS domain name (which is part of the FQDN) in the /etc/hosts file.




Greetz,

Louis


>-----Original message-----
>From: st...@steve-ss.com [mailto:samba-...@lists.samba.org]
>On behalf of steve
>Sent: Monday 2 June 2014 14:06
>To: Theodotos Andreou
>CC: sa...@lists.samba.org
>Subject: Re: [Samba] Problems after PC is joined to the
>domain - Samba 4

Theodotos Andreou

Jun 3, 2014, 1:38:23 AM
OK I followed the guide blindly:

# grep 127 /etc/hosts
127.0.1.1 MYPCNAME.dom.forest.int MYPCNAME localhost

# cat /etc/hostname
MYPCNAME.dom.forest.int

# grep hosts /etc/nsswitch.conf
hosts: files dns

# cat /etc/krb5.conf
[libdefaults]
default_realm = DOM.FOREST.INT
dns_lookup_realm = false
dns_lookup_kdc = true


The network interface is configured for DHCP

I don't think /etc/krb5.conf does anything useful because (correct me if
I am wrong) samba 4 has its own kerberos implementation?

I still get the same behavior:

# hostname -d
dom.forest.int

# domainname
(none)

Now what?

Theodotos Andreou

Jun 3, 2014, 1:45:24 AM
Very informative but still I am not sure what I am supposed to do to get
the command 'domainname' right. This is my configuration according to
steve's suggestions:

# grep 127 /etc/hosts
127.0.1.1 MYPCNAME.dom.forest.int MYPCNAME localhost

# cat /etc/hostname
MYPCNAME.dom.forest.int

# grep hosts /etc/nsswitch.conf
hosts: files dns

# cat /etc/krb5.conf
[libdefaults]
default_realm = DOM.FOREST.INT
dns_lookup_realm = false
dns_lookup_kdc = true

But I still get:

# hostname -d
dom.forest.int

# domainname
(none)

What is the necessary configuration to get domainname right?

On 06/02/2014 03:49 PM, L.P.H. van Belle wrote:
>>> # hostname -d
>>> dom.forest.int
>>>
>>> # domainname
>>> (none)

steve

Jun 3, 2014, 6:18:24 AM
On Tue, 2014-06-03 at 08:38 +0300, Theodotos Andreou wrote:

> >
> OK I followed the guide blindly:
>
> # grep 127 /etc/hosts
> 127.0.1.1 MYPCNAME.dom.forest.int MYPCNAME localhost
>
> # cat /etc/hostname
> MYPCNAME.dom.forest.int
>
> # grep hosts /etc/nsswitch.conf
> hosts: files dns
>
> # cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOM.FOREST.INT
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
> The network interface is configured for DHCP
>
> I don't think /etc/krb5.conf does anything useful because (correct me if
> I am wrong) samba 4 has its own kerberos implementation?

You are wrong. /etc/krb5.conf does useful things because Samba4 has its
own Kerberos implementation.

>
> I still get the same behavior:
>
> # hostname -d
> dom.forest.int
>
> # domainname
> (none)
>
> Now what?
Still wrong. Look again. You're close, but not close enough.

What do you have at:
/etc/resolv.conf
/etc/samba/smb.conf

Is nscd running?
ping MYPCNAME
ping mypcname
getent hosts MYPCNAME
etc.

Theodotos Andreou

Jun 4, 2014, 6:34:20 AM
resolv.conf:

# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search dom.forest.int

Ubuntu is using the dnsmasq-base on all recent versions hence the
127.0.0.1 above

smb.conf:

# cat /etc/samba/smb.conf
[global]

netbios name = MYPCNAME
workgroup = DOM
security = ADS
realm = DOM.FOREST.INT
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DOM:backend = ad
idmap config DOM:schema_mode = rfc2307
idmap config DOM:range = 500-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
kerberos method = system keytab

ping replies correctly in the PC hostname for both lower case and
uppercase. Also true for other computers in the network

getent replies correctly as well

nscd is not installed (It is not mentioned in the guide).
So probably the problem is nscd? Should I install it?

steve

Jun 4, 2014, 6:46:08 AM
On Wed, 2014-06-04 at 13:34 +0300, Theodotos Andreou wrote:
> On 06/03/2014 01:18 PM, steve wrote:
> > On Tue, 2014-06-03 at 08:38 +0300, Theodotos Andreou wrote:
> >
> >> OK I followed the guide blindly:
> >>
> >> # grep 127 /etc/hosts
> >> 127.0.1.1 MYPCNAME.dom.forest.int MYPCNAME localhost
> >>
Please correct this line.
> >> The network interface is configured for DHCP
The DHCP configuration is also in the dns howto.
> >>

> >
> resolv.conf:
>
> # cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 127.0.1.1
> search dom.forest.int
>
No. Set the IP of the DC as the only nameserver. The dns configuration
is also in the howto.

> Ubuntu is using the dnsmasq-base on all recent versions hence the
> 127.0.0.1 above
>
Disable dnsmasq just in case.

> nscd is not installed (It is not mentioned in the guide).
> So probably the problem is nscd?
No.
> Should I install it?
No.

Now un-join and then rejoin.
How are you updating the dns?
HTH
Steve

Theodotos Andreou

Jun 5, 2014, 3:15:16 AM
On 06/04/2014 01:46 PM, steve wrote:
> On Wed, 2014-06-04 at 13:34 +0300, Theodotos Andreou wrote:
>> On 06/03/2014 01:18 PM, steve wrote:
>>> On Tue, 2014-06-03 at 08:38 +0300, Theodotos Andreou wrote:
>>>
>>>> OK I followed the guide blindly:
>>>>
>>>> # grep 127 /etc/hosts
>>>> 127.0.1.1 MYPCNAME.dom.forest.int MYPCNAME localhost
>>>>
> Please correct this line.
But this follows exactly the guide you sent me previously
>>>> The network interface is configured for DHCP
> The DHCP configuration is also in the dns howto.
dhcp client config is ok:

root@ENT01LP628:~# cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
dns-nameservers 10.1.11.50 # this is to override 127.0.0.1

>> resolv.conf:
>>
>> # cat /etc/resolv.conf
>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
>> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>> nameserver 127.0.1.1
>> search dom.forest.int
>>
> No. Set the IP of the DC as the only nameserver. The dns configuration
> is also in the howto.
I will need to use the master DNS which is our unix based IPAM because
the zones on the DCs are secondary.
>> Ubuntu is using the dnsmasq-base on all recent versions hence the
>> 127.0.0.1 above
>>
> Disable dnsmasq just in case.
>
>> nscd is not installed (It is not mentioned in the guide).
>> So probably the problem is nscd?
> No.
>> Should I install it?
> No.
OK I won't :)
> Now un-join and then rejoin.
> How are you updating the dns?
> HTH
> Steve
>
>
Our DNS setup is rather peculiar. The domain controllers have only
secondary zones that update our IPAM (which is the master), when a PC
joins the domain. So you need to get the domain, PC hostnames, etc from
the master.

Also it appears that having the FQDN in /etc/hostname is a bad idea:

$ nslookup mypcname.dom.forest.int
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: mypcname.dom.forest.int.dom.forest.int
Address: 10.100.1.190

It seems that having the FQDN in /etc/hostname makes ubuntu believe that
this is a simple hostname. Not sure what to think of it. According to
the man page:

/etc/hostname Historically this file was supposed to only contain the
hostname and not the full canonical FQDN. *Nowadays most software is able
to cope with a full FQDN here*. This file is read at boot time by the
system initialization scripts to set the hostname.

Apparently DNS and DHCP are not one of those software :)

I fixed /etc/hostname to the actual hostname and continued.

Leaving domain was OK. Joining again gave:

# net ads join -U 'admin'
Enter admin's password:
Using short domain name -- DOM
Joined 'MYPCNAME' to dns domain 'dom.forest.int'
DNS Update for MYPCNAME. failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

'net ads keytab' stopped giving errors though. 'wbinfo -u' still takes
long to output the names and 'id username' fails to retrieve the username

Looking at the configuration I was puzzled by this:

idmap config LIM:schema_mode = rfc2307

the man page of idmap_ad says

The idmap_ad plugin provides a way for Winbind to read id mappings from an AD server that uses RFC2307/SFU schema extensions.

We don't have SFU installed on our domain controllers. Is it possible to
join a samba 4 pc as a member in Win2k2003 AD without SFU? Guides?
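
Added example, not part of the original thread or of Samba: an offline pre-join check over the three files the thread keeps returning to. It derives the domain the way `hostname -d` does when nsswitch has `hosts: files dns`, flags an FQDN in /etc/hostname, and flags any resolv.conf nameserver other than the DC. The function names, the sample files written by make_samples and the DC address 192.0.2.10 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: offline pre-join check. Not from the thread or from Samba.

# canonical_name HOSTS_FILE NAME
# The "files" lookup step: find the first hosts line that lists NAME
# (case-insensitive) and print "<ip> <canonical-name>".
canonical_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $1, $2; exit }
        }' "$1"
}

# derive_domain HOSTNAME_FILE HOSTS_FILE
# What `hostname -d` reports from files alone: everything after the
# first dot of the canonical name found for the configured hostname.
derive_domain() {
    short=$(head -n 1 "$1" | tr -d '[:space:]')
    canon=$(canonical_name "$2" "$short" | awk '{ print $2 }')
    case "$canon" in
        *.*) printf '%s\n' "${canon#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# preflight HOSTNAME_FILE HOSTS_FILE RESOLV_FILE REALM DC_IP
# Print one finding per line; print nothing when every check passes.
preflight() {
    name=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$name" in
        *.*) echo "hostname-file-has-fqdn: $name" ;;
    esac

    # The derived DNS domain must equal the Kerberos realm, lower-cased.
    domain=$(derive_domain "$1" "$2")
    domain_lc=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
    realm_lc=$(printf '%s' "$4" | tr '[:upper:]' '[:lower:]')
    if [ "$domain_lc" != "$realm_lc" ]; then
        echo "domain-mismatch: derived '$domain', realm '$4'"
    fi

    # Every nameserver entry must be the DC itself.
    awk -v dc="$5" \
        '$1 == "nameserver" && $2 != dc { print "nameserver-not-dc: " $2 }' "$3"
}

# make_samples DIR
# Constructed sample files modelled on the output posted in the thread.
# 192.0.2.10 is a placeholder DC address, not a value from the thread.
make_samples() {
    printf '%s\n' 'MYPCNAME.dom.forest.int' > "$1/hostname.bad"
    printf '%s\n' 'MYPCNAME' > "$1/hostname.ok"
    printf '%s\n' '127.0.0.1 localhost' \
        '127.0.1.1 MYPCNAME.dom.forest.int MYPCNAME' > "$1/hosts"
    printf '%s\n' 'nameserver 127.0.1.1' 'search dom.forest.int' \
        > "$1/resolv.bad"
    printf '%s\n' 'nameserver 192.0.2.10' 'search dom.forest.int' \
        > "$1/resolv.ok"
}

# Demo run over the constructed samples.
d=$(mktemp -d)
make_samples "$d"
echo "== FQDN in hostname file, dnsmasq as resolver =="
preflight "$d/hostname.bad" "$d/hosts" "$d/resolv.bad" DOM.FOREST.INT 192.0.2.10
echo "== short hostname, DC as only nameserver =="
preflight "$d/hostname.ok" "$d/hosts" "$d/resolv.ok" DOM.FOREST.INT 192.0.2.10
rm -rf "$d"
```

On a real member the call is `preflight /etc/hostname /etc/hosts /etc/resolv.conf REALM DC_IP`; it only reads the files and does not query DNS.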

L.P.H. van Belle

Jun 5, 2014, 3:37:57 AM
and more complete.

auto eth0
iface eth0 inet dhcp.

these are more for the static ip address with overrides.

dns-nameservers 10.1.11.50 # this is to override 127.0.0.1
dns-search your.domain.tld ( optional extra search domains domain.tld )
dns-domain your.domain.tld

and to make it even more complete.

this one is used when you use DHCP Client.
see /etc/dhcp/dhclient.conf
and configure the options here.

#send host-name "andare.fugue.com";
send host-name = gethostname();
#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
#send dhcp-lease-time 3600;
#supersede domain-name "fugue.com home.vix.com";
#prepend domain-name-servers 127.0.0.1;
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers;
#require subnet-mask, domain-name-servers;

Now you always have a "correct" resolv.conf

Good luck.
I've tried to help the Ubuntu users with the "wrongs" in hostname.domainname.

Read the post with subject:
RE: [Samba] Problems after PC is joined to the domain - Samba 4
Mon 2-6-2014 14:51

It's useful info.

Good luck.

Louis


>-----Original message-----
>From: th...@ubuntucy.org [mailto:samba-...@lists.samba.org]
>On behalf of Theodotos Andreou
>Sent: Thursday 5 June 2014 9:15
>To: steve
>CC: sa...@lists.samba.org
>Subject: Re: [Samba] Problems after PC is joined to the
>domain - Samba 4
>

Theodotos Andreou

Jun 5, 2014, 3:45:59 AM
Ignore the SFU related comment. The manual says:

"Defines the schema that idmap_ad should use when querying Active
Directory regarding user and group information. *This can be either the
RFC2307 schema support included in Windows 2003 R2* or the Service for
Unix (SFU) schema. For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0
please choose"

Harry Jede

Jun 5, 2014, 4:00:39 AM
On 09:54:39 wrote Theodotos Andreou:
> On 06/04/2014 01:46 PM, steve wrote:
> > On Wed, 2014-06-04 at 13:34 +0300, Theodotos Andreou wrote:
> >> On 06/03/2014 01:18 PM, steve wrote:
> > Please correct this line.
>
> But this follows exactly the guide you sent me previously
>
> > The DHCP configuration is also in the dns howto.
>
> dhcp client config is ok:
>
> root@ENT01LP628:~# cat /etc/network/interfaces
> # interfaces(5) file used by ifup(8) and ifdown(8)
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet dhcp
> dns-nameservers 10.1.11.50 # this is to override 127.0.0.1

Looks like debian/ubuntu

I have had similar problems with samba and interfaces with dhcp. It
seems that samba is starting before the interface is fully working.

Either restart samba after boot is complete or use static interface
stanzas.

--

Regards
Harry Jede

L.P.H. van Belle

Jun 5, 2014, 4:10:55 AM

then change the init script..

something like, and change it to your environment.

### BEGIN INIT INFO
# Provides: samba ldap slapd
# Required-Start: $all
# Should-Start: $syslog cupsd
# Should-Stop: $syslog cupsd
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: initscript for the SAMBA services
### END INIT INFO

and put this in /etc/insserv/overrides/the-same-name-as-the-init-script

run : insserv -v -n -d 2
look if you see:
insserv: Loading /etc/insserv/overrides/the-same-name-as-the-init-script

and check in /etc/rc2.d if samba moved more to the end.

Greetz,

Louis






>-----Original message-----
>From: walk...@arcor.de [mailto:samba-...@lists.samba.org]
>On behalf of Harry Jede
>Sent: Thursday 5 June 2014 10:01
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Problems after PC is joined to the
>domain - Samba 4
>

steve

Jun 5, 2014, 5:47:22 AM
On Thu, 2014-06-05 at 10:15 +0300, Theodotos Andreou wrote:
> On 06/04/2014 01:46 PM, steve wrote:
>
> > On Wed, 2014-06-04 at 13:34 +0300, Theodotos Andreou wrote:
> > > On 06/03/2014 01:18 PM, steve wrote:
> > > > On Tue, 2014-06-03 at 08:38 +0300, Theodotos Andreou wrote:
> > > >
> > > > > OK I followed the guide blindly:
> > > > >
> > > > > # grep 127 /etc/hosts
> > > > > 127.0.1.1 MYPCNAME.dom.forest.int MYPCNAME localhost
> > > > >
> > Please correct this line.
> But this follows exactly the guide you sent me previously
No it doesn't. My guide uses 127.0.0.1. That is not what you are using.

> > > > > The network interface is configured for DHCP
> > The DHCP configuration is also in the dns howto.
> dhcp client config is ok:
> root@ENT01LP628:~# cat /etc/network/interfaces
> # interfaces(5) file used by ifup(8) and ifdown(8)
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet dhcp
> dns-nameservers 10.1.11.50 # this is to override 127.0.0.1
>
> > > resolv.conf:
> > >
> > > # cat /etc/resolv.conf
> > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > > nameserver 127.0.1.1
> > > search dom.forest.int
> > >
> > No. Set the IP of the DC as the only nameserver. The dns configuration
> > is also in the howto.
> I will need to use the master DNS which is our unix based IPAM because
> the zones on the DCs are secondary.
You must use the dns on the DC. You cannot use any other.
> hostname and not the full canonical FQDN. Nowadays most software is
> able to cope with a full FQDN here. This file is read at boot time by
> the system initialization scripts to set the hostname.
>
> Apparently DNS and DHCP are not one of those software :)
>
> I fixed /etc/hostname to the actual hostname and continued.
>
> Leaving domain was OK. Joining again gave:
> # net ads join -U 'admin'
> Enter admin's password:
> Using short domain name -- DOM
> Joined 'MYPCNAME' to dns domain 'dom.forest.int'
> DNS Update for MYPCNAME. failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> 'net ads keytab' stopped giving errors though. 'wbinfo -u' still takes
> long to output the names and 'id username' fails to retrieve the
> username
>
The only way to join the domain is to have the DNS on the same box as
the DC itself. Any other DNS server does not have access to the dns
databases necessary for AD. Until you do that. . .

> Is it possible to join a samba 4 pc as a member in Win2k2003 AD
> without SFU? Guides?
>
You need a minimum of 2003 R2 or a schema update on 2003 to use rfc2307.
The schema which is shipped with Samba4 has rfc2307 out of the box. You
only need sfu if you wish to manipulate the 2307 attributes from
windows.
Yes, the schema which comes with Samba4 has full rfc2307 support out of
the box. The best guide is the samba wiki.
HTH
Steve

steve

Jun 5, 2014, 6:40:30 AM
On Thu, 2014-06-05 at 09:37 +0200, L.P.H. van Belle wrote:
> and more complete.
>
> auto eth0
> iface eth0 inet dhcp.
>
> these are more for the static ip address with overrides.
>
> dns-nameservers 10.1.11.50 # this is to override 127.0.0.1
Hi
I don't think this is going to work since the OP is using a dns server
which is external to his AD. We think that his AD must be transferred to
a sub-domain of the main dns first. Machines which then need access
elsewhere should be forwarded to the existing dns setup, NOT the other
way around.
Cheers,

Theodotos Andreou

Jun 5, 2014, 8:34:11 AM
On 06/05/2014 12:47 PM, steve wrote:
> On Thu, 2014-06-05 at 10:15 +0300, Theodotos Andreou wrote:
>> On 06/04/2014 01:46 PM, steve wrote:
>>
>>> On Wed, 2014-06-04 at 13:34 +0300, Theodotos Andreou wrote:
>>>> On 06/03/2014 01:18 PM, steve wrote:
>>>>> On Tue, 2014-06-03 at 08:38 +0300, Theodotos Andreou wrote:
>>>>>
>>>>>> OK I followed the guide blindly:
>>>>>>
>>>>>> # grep 127 /etc/hosts
>>>>>> 127.0.1.1 MYPCNAME.dom.forest.int MYPCNAME localhost
>>>>>>
>>> Please correct this line.
>> But this follows exactly the guide you sent me previously
> No it doesn't. My guide uses 127.0.0.1. That is not what you are using.
>
>>>>>> The network interface is configured for DHCP
>>> The DHCP configuration is also in the dns howto.
>> dhcp client config is ok:
>> root@ENT01LP628:~# cat /etc/network/interfaces
>> # interfaces(5) file used by ifup(8) and ifdown(8)
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet dhcp
>> dns-nameservers 10.1.11.50 # this is to override 127.0.0.1
>>
So I guess that's it. Maybe I'll revert to samba3.

Just to feed my curiosity. Is it possible to join a samba 4 as a member
on Windows 2003 (non R2)?

steve

Jun 5, 2014, 8:39:12 AM
On Thu, 2014-06-05 at 15:34 +0300, Theodotos Andreou wrote:

> >
> So I guess that's it. Maybe I'll revert to samba3.
>
> Just to feed my curiosity. Is it possible to join a samba 4 as a member
> on Windows 2003 (non R2)?

Yes. You can join samba all the way back to NT.
hth
sTEVE

Thomas Schulz

Jun 5, 2014, 11:18:59 AM
This may not be helpful as I may not have understood everything being
said. But it is possible to get a dns server (bind on Solaris in our
case) to delegate to the dns server on a domain controller.

In our case we have our realm the same as our dns domain (this is a
very old mistake). In our zone file for adi.com we first have all
of our normal soa, ns, mx and A records and then we have:

; For Microsoft domain controller (currently controller).
; Let's just delegate to controller
;
_msdcs in ns controller.adi.com.
_sites in ns controller.adi.com.
_tcp in ns controller.adi.com.
_udp in ns controller.adi.com.

This seems to work well.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com

Thomas Schulz

Jun 5, 2014, 11:40:46 AM
> This may not be helpful as I may not have understood everything being
> said. But it is possible to get a dns server (bind on Solaris in our
> case) to delegate to the dns server on a domain controller.
>
> In our case we have our realm the same as our dns domain (this is a
> very old mistake). In our zone file for adi.com we first have all
> of our normal soa, ns, mx and A records and then we have:
>
> ; For Microsoft domain controller (currently controller).
> ; Let's just delegate to controller
> ;
> _msdcs in ns controller.adi.com.
> _sites in ns controller.adi.com.
> _tcp in ns controller.adi.com.
> _udp in ns controller.adi.com.
>
> This seems to work well.

Now if our realm had been realm.adi.com then the entry would have been

realm in ns controller.adi.com.

Theodotos Andreou

Jun 6, 2014, 12:42:59 AM
On 06/05/2014 03:39 PM, steve wrote:
> On Thu, 2014-06-05 at 15:34 +0300, Theodotos Andreou wrote:
>
>> So I guess that's it. Maybe I'll revert to samba3.
>>
>> Just to feed my curiosity. Is it possible to join a samba 4 as a member
>> on Windows 2003 (non R2)?
> Yes. You can join samba all the way back to NT.
> hth
> sTEVE
>
>
Thanks Guys!