OK, this is something I have always wanted to do and eventually gave up on in frustration because I could never get it to work.
I want to be able to join a SUSE 13.2 server to a Windows Active Directory domain and then log into SUSE with domain accounts. So far this is what I have done. I'm the domain admin, so I created a computer account in Active Directory for my SUSE computer. I made sure that the network settings use the same name as its NetBIOS name. I then made sure that under Samba Identity the same name is in the NetBIOS name field. I can ping and perform nslookup queries from my SUSE box against my domain controller. I then go into YaST and run the Windows Domain Membership application. The first thing this app does is verify my domain membership, which fails. I was never asked for an admin password to join the domain. I disabled the firewall (mostly just out of desperation, since Samba already has an open port in the firewall) and tried the domain membership again, same result.
So then I went onto the samba expert settings and changed a few items there.
wins support = no (I don't have a WINS server; haven't used WINS in forever)
ldap user suffix=Users
ldap group suffix=User Accounts
security=domain
ldap machine suffix=Computers (This is the default ou where computer accounts get created and where I created the account for this computer)
ldap admin dn=Administrator
This time when I apply the changes it asks me for domain account info to join the domain. I put in my username and password and get the error: "Failed to join domain: failed to lookup DC for domain %my domain name% over rpc". I then opened a bash shell and did an nslookup for my domain name and got a list of IP addresses for all the servers that are running AD, so I'm not clear as to why it failed.
Does anyone have any suggestions? Thanks in advance.
First,
You’re describing a common problem for all machines (not just Linux, Windows also sometimes) trying to join a Domain and are unable to contact a DC.
Simple solution is to add the IP address (and Hostname) to your Hosts file, then join.
Also, I don’t remember that I always created an AD machine account first… My SOP was to join an AD <without> the machine account already created on the assumption that a machine account would be created and if none was created <then> create the machine account.
I also don't remember that it's necessary for a machine account object to be created in AD (could be wrong). Machine accounts are mainly used for machine maintenance (updates, pushing configs, etc.), and by default, although AD can list a non-Windows machine, it won't support maintaining the machine (there are 3rd-party solutions that will do this; MS just doesn't provide that). The critical functionality you want is the ability for a user to log in to the machine either locally or remotely using a Domain User account, and that is completely separate from any AD machine configuration.
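The hosts-file workaround suggested above, as an added example (not from the reply or from any project): a small POSIX sh helper that pins a domain controller in a hosts file. It replaces any stale line that already names the host rather than appending a second one, which is the usual way such pins go wrong after a DC changes address. The file path, IP and the `dc1.example.test` name are constructed for the demo; on a real box the target is `/etc/hosts` and the pin is best removed once DNS resolution of the DC works again, so that it does not mask later DNS changes.

```shell
#!/bin/sh
# Added example, not from the forum reply: pin a DC in a hosts file so the
# domain join can reach it even when DNS lookups of the DC are failing.
set -eu

# add_hosts_entry FILE IP FQDN [SHORTNAME]
#   Drops every existing line whose name fields contain FQDN (exact match),
#   then appends "IP<TAB>FQDN SHORTNAME" so the file never carries duplicates.
add_hosts_entry() {
    file=$1 ip=$2 fqdn=$3 short=${4:-}
    tmp=$(mktemp)
    # keep only lines that do not already name this host
    awk -v h="$fqdn" '{ keep = 1; for (i = 2; i <= NF; i++) if ($i == h) keep = 0 } keep' \
        "$file" > "$tmp"
    printf '%s\t%s %s\n' "$ip" "$fqdn" "$short" | sed 's/ *$//' >> "$tmp"
    cat "$tmp" > "$file"          # overwrite in place, preserving the file's mode/owner
    rm -f "$tmp"
}

# lookup_hosts_entry FILE FQDN : print the IP recorded for FQDN (empty if none)
lookup_hosts_entry() {
    awk -v h="$2" '{ for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$1"
}

# Stand-alone demo on a constructed hosts file (not /etc/hosts)
demo=$(mktemp)
printf '127.0.0.1 localhost\n10.0.0.5 dc1.example.test dc1\n' > "$demo"
add_hosts_entry "$demo" 10.0.0.9 dc1.example.test dc1   # DC moved to a new address
echo "dc1.example.test now resolves via hosts file to: $(lookup_hosts_entry "$demo" dc1.example.test)"
rm -f "$demo"
```

Usage on a real system would be `add_hosts_entry /etc/hosts <DC IP> <DC FQDN> <DC short name>` as root, followed by the join.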
I got it. For those of you with the same issue, here's how I solved it.
First I stripped my samba/smb.conf down to the bare minimum. The only directives I set up were:
netbios name = myservername
workgroup = mydomain (just the name of the domain, not a FQDN)
server string = Samba %v on %L
encrypt password = yes
password backend = tdbsam
security = domain
domain master = no
local master = no
os level = 35
guest user = local-guest-user
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
That's it; that's the entirety of my global config.
I also set up one share with minimum directives as well. I don't think this had anything to do with the success, because I think it was the global settings that were preventing my joining the domain in the first place.
Then I joined the domain (as root) using the command net join -U administrator@mydomainname MEMBER
I then got three error messages:
ignoring unknown encrypt password
ignoring unknown password backend
ignoring unknown guest user
I was then asked for the administrator's password, which I put in, and then got the message "domain joined".
I checked Active Directory and found a new account for my Linux box (oh yeah, I had deleted any accounts I had previously created for this project).
I'm tempted to remove the directives that were ignored to see if it will still work, but NAW. I finally got it to work so I'm calling it good.
I have two other servers to set up just like this one, so I'll try them without the ignored directives and see what happens.
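The three "ignoring unknown ..." messages above are Samba reporting parameter names it does not recognise, so those lines did nothing. As an added example (not from the post or from the Samba project), here is a small POSIX sh linter that flags such names in an smb.conf and prints the documented spelling. The mapping table is hard-coded from the three parameters seen in the post (encrypt passwords, passdb backend, guest account are the real smb.conf names); the sample config is constructed to mirror the post's global section, and the real check on a live system remains `testparm`.

```shell
#!/bin/sh
# Added example, not from the forum post: flag smb.conf parameter names that
# smbd would silently ignore and suggest the documented name instead.
set -eu

# misspelling=documented name, one pair per line (assumed mapping, extend as needed)
KNOWN_FIXES='encrypt password=encrypt passwords
password backend=passdb backend
guest user=guest account'

# lint_smb_conf FILE
#   Prints one line per unrecognised parameter; returns 1 if any were found.
lint_smb_conf() {
    file=$1
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # drop comments, keep the text left of '=', trim surrounding whitespace
        key=$(printf '%s\n' "$line" | sed -e 's/[;#].*$//' -e 's/=.*$//' \
                                         -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$key" ] && continue
        # case-insensitive lookup of the key in the fix table
        fix=$(printf '%s\n' "$KNOWN_FIXES" |
              awk -F= -v k="$key" 'tolower($1) == tolower(k) { print $2 }')
        if [ -n "$fix" ]; then
            printf 'line %d: "%s" is not an smb.conf parameter; use "%s"\n' "$n" "$key" "$fix"
            found=$((found + 1))
        fi
    done < "$file"
    [ "$found" -eq 0 ]
}

# write_sample_conf FILE : constructed config mirroring the post's global section
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    netbios name = myservername
    workgroup = MYDOMAIN
    server string = Samba %v on %L
    # the next two names are misspelled and would be ignored by smbd
    encrypt password = yes
    password backend = tdbsam
    security = domain
    domain master = no
    local master = no
    os level = 35
    # also misspelled; the documented parameter is "guest account"
    guest user = nobody
EOF
}

# Stand-alone demo
demo=$(mktemp)
write_sample_conf "$demo"
lint_smb_conf "$demo" || echo "fix the parameters above, then re-run testparm"
rm -f "$demo"
```

The function exits non-zero when it finds anything, so it can sit in a config-deployment script before `smbd` is restarted.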
OK, so I wasn't quite there yet. I had to run the Windows Domain Membership module in YaST again. I checked "use SMB information for Linux authentication" and "create home directories on login".
This added back a great deal of things in my smb.conf file. All of which I just leave alone at this point.
After a reboot I was able to log on with any domain account I wished.
Next I opened the console and typed wbinfo -u and wbinfo -g that showed my domain users and groups.
I then used the information from the output of wbinfo to add the directive valid users = "@MYDOMAIN\group name", MYDOMAIN\anyusername, etc. to my shares. Note that group names with spaces had to be contained in quotes.
The second server I set up did not work out of the box either. I had to strip the Samba config down to the bare minimum so that I could join the domain.
OK, on to my next problem (holy ridiculousness, Batman)! None of the clients in the domain can find the Linux server because there is no DNS record for it. I was using the IP address when testing before, but I do need to use the hostname.
On the DNS tab of the DHCP scope I have checked "dynamically update DNS A and PTR records for DHCP clients that do not request updates".
I also have "allow secure and unsecure dynamic updates" enabled on my DNS server.
However still no DNS records are created. Does anyone know why this is?
You might be mixing NetBIOS naming (often described as max 8 alphanumeric characters and no suffix) with hostname naming (the FQDN, which has a suffix and supports some special characters).
Be sure you are following the instructions for the version of SAMBA you are running.
If you need NetBIOS name resolution in your network because you’re using an older version of SAMBA, you may need to set up a NetBIOS Name server in your network (aka WINS). A NetBIOS Name server is set up to provide parallel name resolution using NetBIOS names instead of FQDN.
In a tiny network, the alternative to a WINS server is to distribute an LMHosts file to every machine in the network. The hard way to do this is to touch every machine to configure it. The easier way is to distribute and install the file using DHCP. As long as you don't have name collisions with your hostnames (i.e. DNS), this should be sufficient; otherwise you can also modify the order of name resolution methods on every client using DHCP options.