# Samba 4.1 - Member Server - problems with accessing AD



## huehnerhose (Jun 17, 2014)

Hi,

I have difficulties setting up my Samba 4.1 server to act as a domain member server in a MS AD domain. I tried and followed a bunch of tutorials, forum posts, blog entries, but I couldn't get it right. I think(?) my problems are connected to the architecture of this domain. I am only a small member in that domain, which is managed by my university. I have only rights to add computers to a subdomain facX.university.com, but all the users are in university.com.

That's where I stand:

I was (flawlessly) able to add the server to the AD (exactly: OU=Computers in facX.university.com) via `net ads join`. `wbinfo` gets me all the domain users and groups, from my facX AND from university.com.
`net ads status` shows me my server's AD entry. `kinit` gets me my Kerberos ticket.

My problems started with SeDiskOperatorPrivilege. I tried to grant this privilege to a domain user or domain group. I wasn't able to use `net rpc`, because I always got a NT_STATUS_LOGON_FAILURE. So I added the domain group to BUILTIN/Administrators via `net sam` and also granted the privileges this way. Trying to connect via Windows Computer Management didn't work - permission denied.

Now I tried all possible things to see what's the problem and came across that `net ads user info user@university.com` always ends up with

```
ads_pull_uint32 failed
```

While this is my only permanent error (over all the iterations of configurations), I think this is caused by the real root of all evil.

Do you have any ideas or hints what I can do to get this thing working?

Thanks!
Sebastian

Here is my smb4.conf:

```
[global]

  netbiosname = marx-new
  workgroup = FACX
  security = ADS
  realm = FACX.UNIVERSITY.COM
  encrypt passwords = yes

  server role = member server
  passdb backend = samba_dsdb
  dns forwarder = ip.of.local.DNS.Server

  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config UNIVERSITY:backend = ad
  idmap config UNIVERSITY:schema_mode = rfc2307
  idmap config UNIVERSITY:range = 500-40000

  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config FACX:backend = ad
  idmap config FACX:schema_mode = rfc2307
  idmap config FACX:range = 500-40000


  winbind nss info = rfc2307
  winbind trusted domains only = no
#  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = true

  admin users = @Administrators, 'FACX\adminGroup'

  nsupdate command = /usr/local/bin/samba-nsupdate -g

#  kerberos method = keytab
#  kerberos method = secrets and keytab
```

Here is the /etc/krb5.conf

```
[libdefaults]
#  default_realm = ${REALM}
  default_realm = UNIVERSITY.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  forwardable = yes
```


----------



## huehnerhose (Jun 23, 2014)

Hi there,

I'm really sorry to bother you again, but I don't have any solution, yet. And I am really desperate for any input!

Thanks


----------



## von_Gaden (Jun 30, 2014)

Do you have rfc2307 attributes (aka SFU, Services for Unix) defined in your AD? I'm not sure that Samba 4.x can correctly map UIDs and GIDs without those attributes. The other way I found it working is to make it an AD domain controller.


----------



## ab2k (Jul 3, 2014)

Hello,

I had nearly the same problems with Samba 4.1 when I tried to join it to an AD domain.

In two words: switching to Samba 3.6 will solve all your problems.

In many words: Samba 4.x is still experimental. In my case the user and group lists were not equal to the lists I had in AD. The connection worked 100%, LDAP too (tested and debugged, of course). Time was synchronized. After a day of trying to set it up and debugging I just switched to Samba 3.6 and then everything just worked as expected. So just switch to 3.6.

Ahh, by the way, there are some problems inside your configs.

In /etc/krb5.conf you have

```
default_realm = UNIVERSITY.COM
```

but in smb.conf you have

```
realm = FACX.UNIVERSITY.COM
```

The parameter in smb.conf must be

```
realm = UNIVERSITY.COM
```

To allow users from AD to access the server, add to smb.conf

```
password server = UNIVERSITY.COM
```

where "UNIVERSITY.COM" is your AD realm.

Hope that will help you.
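As an added example (this is not code from the thread and not Samba's own tooling), the following Python script runs the checks raised in this thread against the configuration posted above: duplicated `idmap config` keys (Samba silently keeps the last value), idmap ranges that overlap between domains, and the mismatch between the smb.conf `realm` and the krb5.conf `default_realm` that ab2k points out. The configuration strings are constructed samples taken from the posted files; the realm mismatch is reported only as a note, because the working configuration later in the thread keeps the subdomain realm.

```python
"""Static checks for the smb.conf / krb5.conf problems discussed in this thread.
Added example; it is neither part of Samba nor the poster's own tooling."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the poster's original [global] section, abridged to the
# settings the checks below look at.
SMB_CONF = """\
[global]
  workgroup = FACX
  security = ADS
  realm = FACX.UNIVERSITY.COM
  server role = member server

  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config UNIVERSITY:backend = ad
  idmap config UNIVERSITY:schema_mode = rfc2307
  idmap config UNIVERSITY:range = 500-40000

  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config FACX:backend = ad
  idmap config FACX:schema_mode = rfc2307
  idmap config FACX:range = 500-40000
"""

# Constructed sample: the poster's /etc/krb5.conf.
KRB5_CONF = """\
[libdefaults]
  default_realm = UNIVERSITY.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
"""

# Constructed sample: the shape of the working configuration from the last post
# (placeholder names as used there).
FIXED_CONF = """\
[global]
  security = ADS
  workgroup = subdomain
  realm = subdomain.domain
  idmap config *:backend = tdb
  idmap config *:range = 1000-2000000
"""


def parse_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal smb.conf/krb5.conf reader: {section: [(key, value), ...]}.
    Duplicates and order are kept so the checks can see them. Keys are
    lower-cased (Samba treats parameter names case-insensitively)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((re.sub(r"\s+", " ", key.strip().lower()), value.strip()))
    return sections


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """Parse 'LOW-HIGH' as used by 'idmap config DOM:range'."""
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def check_smb_conf(smb_text: str, krb5_text: str = "") -> List[str]:
    """Return a list of human-readable findings (empty list means nothing found)."""
    findings: List[str] = []
    glob = parse_ini(smb_text).get("global", [])

    # 1. Duplicate keys: Samba keeps the last occurrence, earlier ones are ignored.
    counts: Dict[str, int] = {}
    for key, _ in glob:
        counts[key] = counts.get(key, 0) + 1
    for key, n in counts.items():
        if n > 1:
            findings.append(f"duplicate key '{key}' appears {n} times (last value wins)")

    # 2. idmap ranges must not overlap between domains.
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, value in glob:
        m = re.match(r"^idmap config (.+):range$", key)
        if not m:
            continue
        rng = parse_range(value)
        if rng is None:
            findings.append(f"unparseable idmap range for '{m.group(1)}': {value}")
        else:
            ranges[m.group(1)] = rng  # last value wins, as in Samba
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges overlap: '{a}' {alo}-{ahi} and '{b}' {blo}-{bhi}")

    # 3. Kerberos realm consistency (reported as a note, see lead-in).
    settings = dict(glob)
    realm = settings.get("realm", "").upper()
    if settings.get("security", "").upper() == "ADS" and not realm:
        findings.append("security = ADS but no realm is set")
    if krb5_text:
        libdefaults = dict(parse_ini(krb5_text).get("libdefaults", []))
        default_realm = libdefaults.get("default_realm", "").upper()
        if realm and default_realm and realm != default_realm:
            findings.append(f"note: smb.conf realm '{realm}' differs from krb5.conf default_realm '{default_realm}'")
    return findings


if __name__ == "__main__":
    for line in check_smb_conf(SMB_CONF, KRB5_CONF) or ["no findings"]:
        print(line)
```

Run it as-is to see the four findings for the original configuration; point `SMB_CONF`/`KRB5_CONF` at your own files (`open(path).read()`) to check a live setup before restarting winbind.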


----------



## yafgiuk (Nov 25, 2014)

Doubt anybody still needs it, but there's a workaround for this problem: simply comment out the entry

```
#server role = member server
```

and restart Samba. And, possibly, rejoin the AD. It will help.


----------



## huehnerhose (Nov 25, 2014)

Thanks for all the replies. I really did get it working. I completely forgot this post, sorry!

I tried a lot along the way. But at last, this is my working configuration:

```
[global]
  netbios name      = hostname
  workgroup         = subdomain
  security          = ADS
  realm             = subdomain.domain
  encrypt passwords = yes


  winbind trusted domains only  = no
  winbind use default domain    = no
  winbind enum users            = yes
  winbind enum groups           = yes

  idmap config *:backend        = tdb
  idmap config *:range          = 1000-2000000
```

The last step, which feels like the one I missed every time, was already indicated by von_Gaden. The domain doesn't provide SFU/RFC2307 attributes. So just ignoring this setting in the winbind/idmap section got my server working.


----------

