2

It seems that Samba doesn't like me at all. I've followed various tutorials and I can't get Windows 8 to work properly with an Ubuntu Server as domain controller. This week I've downloaded Ubuntu 14.04 LTS and set up a fast domain configuration. As usual, all other Windows versions (XP and 7) work but the newest M$ nightmare doesn't. In this try it doesn't even join the domain; it keeps saying that my username or password is wrong.

My /etc/samba/smb.conf

# Global parameters
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LAN
        netbios name = DOM
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/domain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[test]
        path = /SHARES/test
        read only = no

Does anyone have a tutorial that really works? Because I've tried many, each one with different configurations that work only for the people that made them.

And is there a way to import my old AD users, computers and ID in a way that I won't need to rejoin all computers?

[Edit]

Now I've tested various versions since 4.0.0 (final version) to 4.1.9, all working with Windows 8.1.

Make sure that acl and attr are installed and are set in the /etc/fstab file:

# / was on /dev/sda1 during installation
/dev/sda1 /               ext4    user_xattr,acl,barrier=1,errors=remount-ro 0       1

Remount using:

mount -o remount,rw /

I also add the wins option to the /etc/nsswitch.conf file:

hosts:          files wins dns

Provisioning a domain with:

$ samba-tool domain provision --domain=domain --adminpass=Abc12345 --server-role=dc --realm=domain.lan --dns-backend=SAMBA_INTERNAL

The /etc/samba/smb.conf:

# Global parameters
[global]
    workgroup = DOMAIN
    realm = DOMAIN.LAN
    netbios name = DOM
    server role = active directory domain controller
    dns forwarder = 8.8.8.8

[netlogon]
    path = /var/lib/samba/sysvol/domain.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Setting the complete name in /etc/hosts:

127.0.1.1 dom
192.168.0.2 dom.domain.lan dom

and /etc/hostname:

dom.domain.lan

Setting the static IP address:

auto eth0
 iface eth0 inet static
 address 192.168.0.2
 netmask 255.255.255.0
 network 192.168.0.0
 broadcast 192.168.0.255
 gateway 192.168.0.1
 dns-nameserver 8.8.8.8 208.67.222.222
 dns-search domain.lan

and copying the generated /var/lib/samba/private/krb5.conf to /etc

4
  • Take a look here: admin-magazine.com/Articles/Linux-with-Windows-8 Help any? Commented May 2, 2014 at 19:23
  • Thank you techie007, but I've already tried that. :(
    – msmafra
    Commented May 2, 2014 at 19:50
  • Thanks for this follow-up, I will try this out tomorrow at work. Possibly mark this as solved?
    – user38331
    Commented Aug 27, 2014 at 19:00
  • It is working on my new "provisioned" domains, but the old one continues to present problems with Windows 8.x and I am having problems exporting/importing the users, groups and machines using various methods.
    – msmafra
    Commented Aug 28, 2014 at 3:43

3 Answers

1

Assuming there is no version issue with Samba, ensure that your clocks are within the allowable threshold. Time has caused me this exact same issue a number of times. With 4.1.7 my 8 and now 8.1 machine was able to join and login.

Looking deeper at your config, the realm could be the issue.

There is a problem with Windows 8, where Microsoft raises a new domain name policy. When a domain contains a dot (".") in its name (i.e. example.com), Windows 8 treats this name as an Active Directory name and tries to contact a Kerberos/LDAP server even if there is none. So it is impossible to join this domain and there is no known fix or workaround yet.

Source: https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains#Windows_8_and_classic_domain_.28NT-4_style.29_with_a_dot_in_its_name

2
  • Kind of late. Actually I've done tests with various versions: 4.0.0, 4.0.19, 4.1.0, 4.1.6, 4.1.7 and now 4.1.9. Did tests with 4.0.x betas and found no problem, but in all my tests, with the exception of 2 or 3, I used the SAMBA_INTERNAL backend instead of BIND for DNS. None of my tests presented problems like we have with the 4.0.0beta2.
    – msmafra
    Commented Aug 3, 2014 at 2:23
  • What I need now is a safe way of exporting machines and users to a new server with some different configurations. pdbedit exports but has problems importing; with the samba_backup script, the service doesn't start after restoring the files and following the procedures before starting it.
    – msmafra
    Commented Aug 3, 2014 at 2:25
1

All my tests with different versions worked, even the beta versions, including 4.0.0beta2. I managed to upgrade to version 4.1.11 from Debian backports without breaking the system (phew). It solved some problems but not the Windows 8/8.1 joins. So, test after test, we found the problem.

The reason it worked in my tests is that I used only the IP address of the Samba server as DNS on the VMs. On the production network we have a primary and a secondary DNS, and this is causing the problem because of the realm. Windows 8/8.1 has no problem joining the domain if we use only the Samba server IP as DNS. This causes a problem where we cannot navigate to internal pages/services like the intranet and some internal systems.

Now the problem is bigger and has nothing to do with Windows 8/8.1. We'll have to change the realm name.

If you have an external site like mysite.com, it seems to be wrong:

samba-tool domain provision --realm=mysite.com --domain=mysite

instead should be something like:

samba-tool domain provision --realm=ad.mysite.com --domain=mysite

smb.conf

[global]
workgroup = MYSITE
realm = ad.mysite.com
netbios name = SHARES
dns forwarder = <one of your choice>
server role = active directory domain controller

Thanks everyone!
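
The diagnosis in the answer above (joins succeed only when the client's DNS is the Samba DC) can be checked one resolver at a time. This shell sketch is an added example, not part of the original answer; it assumes `dig` is installed, and the function names `srv_lookup` and `check_realm_dns` are hypothetical.

```shell
#!/bin/sh
# Added example: for every DNS server a client is configured with, check that
# it can answer the SRV lookups used to locate a domain controller and KDC
# for an AD realm. A resolver that fails here will break domain joins.
# Usage: sh script.sh REALM DNS_SERVER [DNS_SERVER...]

# srv_lookup NAME SERVER: print the SRV answers SERVER gives for NAME.
srv_lookup() {
    dig +short +time=2 +tries=1 -t SRV "$1" "@$2" 2>/dev/null
}

# check_realm_dns REALM SERVER...
# Prints one OK/FAIL line per server; the return status is the number of
# servers that could not locate a domain controller for REALM.
check_realm_dns() {
    realm=$1
    shift
    failed=0
    for server in "$@"; do
        missing=""
        # DC locator record and Kerberos KDC record for the realm
        for name in "_ldap._tcp.dc._msdcs.$realm" "_kerberos._tcp.$realm"; do
            answer=$(srv_lookup "$name" "$server") || answer=""
            [ -n "$answer" ] || missing="$missing $name"
        done
        if [ -z "$missing" ]; then
            echo "OK   $server resolves AD SRV records for $realm"
        else
            echo "FAIL $server cannot resolve:$missing"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

if [ "$#" -ge 2 ]; then
    check_realm_dns "$@"
else
    echo "usage: $0 REALM DNS_SERVER [DNS_SERVER...]" >&2
fi
```

Run it with the realm and every DNS server handed out to clients; any FAIL line marks a resolver that cannot see the AD zone, which is the production situation described in the answer.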

0

Fixed now: I started Samba manually with the debug option and found that, because of the time deviation between client and server, the password match failed (Kerberos ticket expired). After fixing the time difference the client joins the domain (even with Samba 4.1.6)...
