On 2012-03-11 21:56, tsu2 wrote:
>
> robin_listas;2447354 Wrote:
>> And joining a domain is not an operation easy to reverse, if you also
>> want to use that Linux machine in a normal way later.
>>
>
> Am curious what issues you ran into (leaving a Windows Domain), what
> changes need to be made on the client machine. For the most part,
> leaving a Domain is mainly a Domain Admin task, disjoining and if
> desired purging AD records, not a client-side issue. I should think the
> main issue for the the Localmachine User is to logon with a Local
> Machine account, not a Domain User account.
At the client side the login is different, it uses a different pam module
(I don’t remember the name). You can also login locally to the Linux
machine, but it has a “different” appearance at GDM. I can not describe it
better.
I’ll be using that machine on Monday, I can have a look then (I’m taking a
training course). What I did was to compare configuration files on that
machine to another one that was not joined to a W.domain, and undo the
changes. I have used the same machine to create a Domain to which Windows
machine connected, so I needed that undoing.
Separating a Windows 7 client machine from a domain can also be difficult:
mine crashed so badly I had to reinstall it.
>> It is possible, and easier perhaps, to simply use the needed resources
>> when needed and authenticate as required.
>>
> But, it’s a big headache to configure individual connections, so unless
> the connections are very temporary and few, it’s not recommended
Nautilus should remember the credentials for the session. But you are
right, it can become a nuisance.
> Actually, Windows Domains <can> be renamed but can be an enormous
> chore, and in certain situations it’s also possible to create a Domain
> alias (alternative name) and depending on what you mean by “from
> scratch” is probably not the case (The process of Domain renaming
> involves breaking down and rebuilding a significant amount of AD, but
> does not necessarily mean loss of structure or data). AFAIK a dotLocal
> Domain suffix should not ordinarily be a problem except and unless there
> is a zeroconfig conflict/bug as you describe.
I had to do this several times these days, in the training course I’m
taking. To undo the domain we run “dcpromo.exe”, but on the 15 machines
that we are using it crashed on about a third and we had to reinstall
Windows server again. In fact, I have an image of Win 2008 R 2, with the AD
role installed, without configuring it (dcpromo not run). I did the image
with partimage to another partition, so that I can get to that point faster.
I didn’t know about the alias trick. Interesting.
> Also, AFAIK shorter names are required only for backwards
> compatibility with NT4/older SAMBA which should not be implemented
> nowadays. If your logs are complaining, I’d look for an option that
> disables backwards compatibility.
Could be that, I know little about samba. I thought that it was trying to
use netbios names, which are shorter.
I was trying several configuration changes. First I tried using Yast samba
server module, no go. Then I attempted a howto designed for Ubuntu that my
partners were using (and failing). No go. So I returned to YaST.
I was initially attempting to see the shares in Nautilus and using them,
and then in Windows 7. I noticed the long name problem (about one entry in
the log per second about this problem), so I shortened it (from
carloser.localnet to carloser.lnet (it wanted carloser.localn)). No go.
Then I noticed entries in the log referring to the older names I had used
in the test: so I stopped samba (smb, nmb and winbind?), deleted all
temporary files *.tdb, restarted samba and… it worked instantly! At least
I could see the domain in both Nautilus, a W7 machine running inside Vmware
player, and also at the machines from my partners.
Partial success!
So I tried to join the W7 machine to the domain. I did not found how, that
was somebody else in the group. It was documented in the samba wiki: a
hotfix from Microsoft has to be applied (it is interesting that M$ does
publish patches to solve problems with Samba), and then 2 changes to the
windows registry.
Success!
We all could join our W7 virtual machines to our domains, and then logged
in (I am the only one using openSUSE, the rest are using Ubuntu or Kubuntu).
All this took the entire afternoon, from 16 hours to 20 hours. A joint
effort of 15 people, including the teacher (he is a Windows chap, but Linux
interests him).
(if you think that 15 AD domains in a single room is a nightmare,
then consider when we practice with dhcp. The entire center goes
nuts, “they” can not browse internet. I can not imagine why! ;-P)
Of course, it makes difficulties for us as well. Once I had
strange problems with my domain. It came out that I was
getting DNS from another windows domain machine, not mine
What we have not done is adding kerberos or ldap to the mixture, we don’t
know how. I have noticed in my Linux firewall that W7 client is querying
the master on the LDAP port. I guess that SLES does have an integration
module for all this.
(A clarification: this training I mention it is not a school for
the young. It is for adults. Training for possible employment.
I can’t be considered young any longer. I wish I were )
Next week we’ll try asterisk, I think. I still have to get a SIP client
that works in gnome with Pulse. I have one on 14.1, but it is broken in
12.1
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)