Topic: Samba as an Active Directory Domain Member

[RupertTHEbare]

Can anyone tell me if there is a How-To anywhere which will show me the simple way (if there is one) to set up my Advanced Samba SME Server as an Active Directory Domain Member on a Windows 2003 Server domain?

Currently my configuration looks like this...

# config show smb
    smb=service
    DeadTime=10080
    DomainMaster=no
    KeepVersions=enabled
    OpLocks=enabled
    OsLevel=35
    RecycleBin=enabled
    RoamingProfiles=no
    ServerName=mumbojumbo
    ServerRole=WS
    ShadowCopy=enabled
    ShadowCount=10
    ShadowDir=/home/e-smith/files/.shadow
    UnixCharSet=UTF8
    UseClientDriver=no
    WINSServer=192.168.1.12
    Workgroup=asapcleaningltd.local
    status=enabled

But when I issue an "net rpc join -U Admin_name%password" I get "cannot join as standalone machine".

What am I doing wrong or not doing?

RTB.

[cactus]

Can anyone tell me if there is a How-To anywhere which will show me the simple way (if there is one) to set up my Advanced Samba SME Server as an Active Directory Domain Member on a Windows 2003 Server domain?

Not possible at the moment, but work in that direction is done. Greg Zartman has launched development in this direction. He is also in the forums, I will direct him to this thread, perhaps he has some usefull comments or estimates when this might be possible.

[gzartman]

Can anyone tell me if there is a How-To anywhere which will show me the simple way (if there is one) to set up my Advanced Samba SME Server as an Active Directory Domain Member on a Windows 2003 Server domain?

Currently not possible with SME unless you do quite abit of hacking.  There is an effort underway to add this functionality to SME here:  http://bugs.contribs.org/show_bug.cgi?id=4666    And a wiki document here:  http://wiki.contribs.org/Advanced_Samba

Greg

[RupertTHEbare]

Thanks for the heads-up cactus, even if it wasn't quite what I wanted to hear.

And Greg... keep up the good work.  As I wrote, I am using the Advanced Samba contrib at the moment.

RTB.

[turandot]

Hi,

I don't have the contrib installed yet, but I was searching for options to configure the SME server to become a Domain Member (DM) quite a while. This contrib is really important for more advanced SME usage.

@Greg,

I would assume that DM was the most wanted option, and I think that it should pave the way to implement the other options as well. Are there any (ideas on) time plans to overcome the limitations with regard to access control as described here http://wiki.contribs.org/Advanced_Samba#Known_issues ?

turandot

[Confucius]

Are there any (ideas on) time plans to overcome the limitations with regard to access control as described here http://wiki.contribs.org/Advanced_Samba#Known_issues ?

turandot

Most of the work is already done in a test-setup I'm using for almost a year now.
I'm between jobs right now and that limits me in rounding up this issue since I already promised Greg a solution.

I would say : stay tuned.... it's a work in progress.

Harro

[gzartman]

Hi,

I don't have the contrib installed yet, but I was searching for options to configure the SME server to become a Domain Member (DM) quite a while. This contrib is really important for more advanced SME usage.

Domain membership in an NT4 type domain works fine with the contrib.

@Greg,
I would assume that DM was the most wanted option, and I think that it should pave the way to implement the other options as well. Are there any (ideas on) time plans to overcome the limitations with regard to access control as described here http://wiki.contribs.org/Advanced_Samba#Known_issues ?

Functionality needed to provide activate directory membership won't help with SME becoming a backup domain controller or an active directory domain controller.  Backup domain controller functionality won't happen until we get a solid LDAP authentication backend to SME.  My understanding is that most of the pieces are in place to deploy and LDAP auth backend to SME.

SME as an Active Directory PDC won't happen until we get Samba 4, which is a ways off yet.

How's that for timelines.

[turandot]

Hi Greg,

many thanks for your update. I know that Samba 4 may take more than a while, but currently I am not too much hoping on Active Directory support. I am primarily interested  in full support of the Domain Member (NT4 style) including access control of shares based on domain users and groups...

Hope this clarifies.

Thanks a lot, turandot

[gzartman]

I am primarily interested  in full support of the Domain Member (NT4 style) including access control of shares based on domain users and groups...

All of this is available with smeserver-adv-samba, via winbindd. 

However, domain groups currently are not recognized by the ibays server-manager panel; therefore, there is no way to control access to ibays by domain group using the server-manager.  At this point, this is intentional because the domain member server role is not supported in the core SME distro.

To implement access control to ibays by domain group, you'll need to create a custom template fragment.

[mgb]

1 is not login
 net rpc join -U administrator@passwordserver2003
Password:
Could not connect to server T1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILUR


2 is login join
#net rpc join -U adminisrtators
#password :
join to domain  DOMAIN

l login from xp to server2003Active Directory Domain Member user1@password activ Directory
is ok


type from xp
net use f: //mysem7.3/user1
is ok

net use g: //myserve2003/user1
is not work
net use g: //ip=server2003/user1   (ping myserver2003  is ok)
is work

help ?


Currently my configuration looks like this...

# config show smb
    smb=service
    DeadTime=10080
    DomainMaster=no
    KeepVersions=enabled
    OpLocks=enabled
    OsLevel=35
    RecycleBin=enabled
    RoamingProfiles=no
    ServerName=mysme7.3
    ServerRole==DM
    ShadowCopy=enabled
    ShadowCount=10
    ShadowDir=/home/e-smith/files/.shadow
    UnixCharSet=UTF8
    UseClientDriver=no
     DOMAIN=domain
    Workgroup=domain
    status=enabled

[gzartman]

The net command in the current version of Samba isn't working correctly.  You'll need to use the following syntax to join a domain:

net rpc join -U pdc_admin_username%pdc_admin_password

[mgb]

ok  (@ %)
 net rpc join -U administrator%password
Joined domain T10.
[root@linux  ~]#
 is work good

[mgb]

howto   stop join to domain   

for join to new domain  ?

[cactus]

howto   stop join to domain   

for join to new domain  ?

Please do some research your self (you have been told multiple times). These are general linux commands from the samba package. For instance this would give you a detailed list of commands and their functions when entered on the command line of your server:

Code: [Select]

man net

[mgb]

Very good!
Thank you
is work Active Directory    users  and groups
i open only groups in sme is work (groups = Active Directory =sme 7.3)
if you  make new grous It is necessary to signal-event workgroup-update

[gzartman]

is work Active Directory    users  and groups
i open only groups in sme is work (groups = Active Directory =sme 7.3)
if you  make new grous It is necessary to signal-event workgroup-update

No, SME 7.4 cannot read active directory domain users nor groups.  SME 7.4 will join the domain, however it can't use the AD auth mechanisms, so the membership is basically useless.

[mgb]

Very good!
Thank you
is work Active Directory    users  and groups
i open only groups in sme is work (groups = Active Directory =sme 7.3)
if you  make new grous It is necessary to signal-event workgroup-update

  to  stop join to domain    del /etc/lpd/*.*

config new smb
join to new domain