Difference between revisions of "FAQ"

= Introduction =

The questions and answers on this page have been extracted from the [http://lists.samba.org/archive/samba-technical/ Samba technical mailing list]. The questions listed here are frequently asked on the [http://lists.samba.org/archive/samba/ Samba mailing list].
  
  
  
= General Samba Questions =

== Can I Use Samba 4.0 as an AD DC on My Production Server Right Now? ==

We have now released Samba 4.0, and a number of users have it in use in a production environment. All the features from the Samba 3.6 series are now available, for example the file server in the <code>smbd</code> binary.

Of course, normal systems administration caution is generally advised, as an AD domain is the central hub for authentication on a network. We also advise participation on our mailing lists to discuss any issues that arise.

We do, however, encourage people to try Samba 4.0 as an AD DC, report bugs, and give feedback.

== When Will the Next Samba Version Be Released? ==

For the current Samba 4.0 and 4.x release plans, see [[Samba_Release_Planning|Samba Release Planning]].

== Can I Get Help with a Problem in an Unsupported Samba Version? ==

Update to a supported version first. It is likely that the problem has been fixed in the meantime. Samba is actively developed: new minor versions fix several bugs, and major versions additionally include new features. If you cannot update to the latest version in the current stable release series, update to the latest version in any other supported series. See [[Samba_Release_Planning|Samba Release Planning]] for an overview of which versions are still maintained.

If you are running a Samba version shipped with your distribution that is no longer supported by Samba, contact your distribution's support (Red Hat, SuSE, etc.) for help.

Every release of Samba improves its features, fixes many bugs and adds more compatibility. In many cases, upgrading fixes the problems people are having with their old versions. Often, not even the developers can say when a requested feature was added to Samba. If your problem turns out to be a bug, it will only be fixed in maintained version trees. So please consider upgrading; you will have a much better chance of getting a response and help from other users and developers on the mailing lists. If you were brought here by a response to one of your questions somewhere, please consider this a first attempt to help.

== How Do I Update Samba? ==

See [[Updating_Samba|Updating Samba]]. This also covers updating from Samba 3.x to 4.x.

== What Is the Maximum Size of an LDB or TDB Database File? ==

The maximum size is 4 GB because the databases use 32-bit structures.

Previously, there was a project called <code>NTDB</code> that was meant to address the size limit and other problems. However, the project was stopped because of problems migrating the databases.
 
  
  
  
== Can I Provision a Member or a Standalone Server? ==

Whilst <code>samba-tool domain provision --help</code> shows this as one of the options:

                     --server-role=ROLE    The server role (domain controller | dc | member
                                           server | member | standalone). Default is dc.

the only server role that you can provision at the moment is a 'domain controller', or 'dc' for short. The other options will not work yet, so if you require a member server, see the [[Setup_a_Samba_AD_Member_Server|Setup a Samba AD Member Server]] HowTo.

= Samba as an Active Directory Domain Controller =

== General ==

=== Is Samba as an Active Directory Domain Controller Stable Enough for a Production Environment? ===

Samba AD is stable for production environments. The AD DC support was introduced in the 4.0 version, which was released in December 2012. However, Samba AD has some unimplemented features, such as Sysvol replication.
  
  
  
=== What Does <code>ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required</code> Mean? ===

See [[Updating_Samba#New Default for LDAP Connections Requires Strong Authentication|New Default for LDAP Connections Requires Strong Authentication]].

=== Why Is the Network Neighbourhood Empty or Does Not Show All Machines in the Domain? ===

The Samba AD DC <code>smbd</code> daemon does not support browsing.

It is planned to add this feature. However, there are no development resources and thus no date when this feature will be included.

=== What Does <code>Warning: No NC replicated for Connection!</code> Mean? ===

When running the <code>samba-tool drs showrepl</code> command, the following warning is displayed at the end of the output:

 Warning: No NC replicated for Connection!

The warning appears because Samba incorrectly sets some flags when registering the DC for replication. The warning is harmless and can be ignored.

== Samba AD vs. MS AD Compatibility ==

=== I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as a DC to the Forest? ===

The following Windows Server versions are supported as a DC together with a Samba DC:

{| class="wikitable"
!Windows Server Version
!Comments
|-
|Windows Server 2016
|Not supported.
|-
|Windows Server 2012 / 2012 R2
|Supported in Samba >=4.5. For details, see [[Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD|Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD]].
|-
|Windows Server 2008 / 2008 R2
|Supported in Samba >=4.0. For details, see [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]].
|-
|Windows Server 2003 / 2003 R2
|Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.
|-
|Windows 2000
|Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.
|}

One of the limiting items is the AD schema version. For details, see [[AD_Schema_Version_Support|AD Schema Version Support]].

=== Does Samba AD Allow Windows Server 2008 / 2008 R2 to Be Joined as a Member Server? ===

Yes. See [[Joining_a_Windows_Client_to_a_Domain|Joining a Windows Client to a Domain]]. The join is done as for Windows workstations.

=== Does Samba AD Allow Windows Server 2012 / 2012 R2 to Be Joined as a Member Server? ===

Yes. See [[Joining_a_Windows_Client_to_a_Domain|Joining a Windows Client to a Domain]]. The join is done as for Windows workstations.
  
  
  
=== Can I Use the Samba AD DC as a Fileserver? ===

Whilst it is not recommended, yes you can, but you should be aware of its limitations, amongst which is that you cannot obtain the users' Unix home directories or login shell from AD; you must use template lines in <code>smb.conf</code>.

== Configuration ==

=== Why Do I Not Have a <code>server services</code> Parameter in My <code>smb.conf</code> File? ===

The <code>server services</code> options in the <code>smb.conf</code> file are set during provisioning a Samba AD DC based on the settings you made during this process. If this parameter is not listed in the <code>[global]</code> section of your <code>smb.conf</code> file, the default values are used.

It was never intended that the <code>server services</code> parameter would be something that admins would even see, but a late change in development (the final merge of the file servers) caused it to gain much more prominence than was ever expected. If you use the internal DNS, you can remove the <code>server services</code> parameter completely from your <code>smb.conf</code>; all services required by an AD DC are started by default automatically. If you use BIND9_DLZ, the following short version is enough (all other services are started by default automatically):

 server services = -dns

For details, see the <code>smb.conf (5)</code> man page.

=== Can I Disable Some of the <code>server services</code> Options in the <code>smb.conf</code> File? ===

The <code>server services</code> options in the <code>smb.conf</code> file are set during provisioning a Samba AD DC based on the settings you made during this process. All of the options set are required. Removing or modifying any of them can result in an incorrectly operating Samba AD DC!

However, there are a few situations where you can manually update the options:

* To disable the network printing spooler: change the <code>spoolss</code> option to <code>-spoolss</code>, i.e. <code>server services = ... -spoolss</code>.
* To switch the DNS back end, see [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]]. [[Changing_the_DNS_backend#Changing_from_Samba_Internal_DNS_to_BIND_DLZ|Changing from the Samba internal DNS to BIND9_DLZ]] means <code>server services = ... -dns</code>; [[Changing_the_DNS_backend#Changing_from_BIND_DLZ_to_Samba_Internal_DNS|changing from BIND9_DLZ to the Samba internal DNS]] means <code>server services = ... dns</code>.

=== How Do I Enable Guest Access to a Share on a Samba AD DC? ===

On non-AD DCs, you can set the <code>map to guest</code> parameter in the <code>smb.conf</code> file to <code>bad user</code> to allow Windows machines that are not part of the domain to access public shares. This does not work on an AD DC: guest access in an AD domain needs to be based on the <code>guest account</code> parameter, which is not yet implemented in the Samba AD DC mode. This is why you keep being asked for a username and password when accessing a public share on the AD DC.

=== Can I Change the ID Range on a DC? ===

Yes, very easily: give your users <code>uidNumber</code> attributes containing numbers inside the range you want to use, and also give <code>Domain Users</code> a <code>gidNumber</code> attribute containing a number inside the same range.

{{Imbox
| type = important
| text = Do not add any of the <code>idmap_ad</code> lines used on a domain member to your Samba AD DC <code>smb.conf</code>. They will have no effect and could lead to problems.
}}
  
== Directory Schema ==

=== Which Active Directory Schema Versions Does Samba Support When Set up as a DC? ===

For details, see [[AD_Schema_Version_Support|AD Schema Version Support]].

=== Is It Possible to Extend the Samba AD Schema? ===

For details, see [[Samba_AD_schema_extensions|Samba AD Schema Extensions]].
 
  
== Replication ==

=== Do Samba AD DCs Support Replication? ===

* Everything stored inside the AD is replicated between DCs. For example: users, groups, and DNS records.
* In the current state, Samba does not support the distributed file system replication (DFS-R) protocol used for Sysvol replication. For a workaround, see [[SysVol_replication_(DFS-R)|Sysvol Replication (DFS-R)]].

=== Is a Samba DC Able to Replicate the Directory Content with a Non-AD LDAP Server? ===

Active Directory uses a different schema than other LDAP servers, and thus replicating with non-AD LDAP servers is not supported and is not planned to be supported.

=== What Does <code>UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT</code> Mean? ===

On the first start of a Samba DC in an existing Windows AD forest, the following error message is logged:

 UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for <DC_objectUID>._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com

This error is logged by the knowledge consistency checker (KCC) until the Windows DC has established the connections to the Samba DC.

To fix the problem, run one of the following:

* on your Windows DC, as an Administrator:
 C:\> repadmin /kcc
* or alternatively on your Samba DC:
 # samba-tool drs kcc -Uadministrator Windows_DC.samdom.example.com

=== How Do I Get DNS Failover in a Multi-DC Environment? ===

* First set up your additional DC following the [[Samba_AD_DC_HOWTO|Samba AD DC HowTo]]. Just skip the provisioning/upgrading part.
* Then join your new DC to the domain. See [[Join_a_domain_as_a_DC|Join Samba as an additional DC]].
* In the output of <code>samba-tool drs showrepl</code>, you should see that the DNS partition was successfully replicated.
* Finally, configure your clients to also use the DNS server on the additional DC.

=== Why Does Directory Replication to Windows Servers Fail for Git Builds of Samba <= 4.1.13? ===

Check the value of the <code>samba kcc command</code> parameter:

 # samba-tool testparm -v --suppress-prompt | grep samba_kcc
 samba kcc command = /usr/local/samba/sbin/samba_kcc

If your result is as shown above, add the following line to your <code>smb.conf</code>:

 kccsrv:samba_kcc = false
 
  
=== What Does <code>Failed to find our own NTDS Settings invocationId in the ldb!</code> During Joining Mean? ===

Check if you have an existing <code>smb.conf</code> and remove it before joining.

== DNS ==

=== Can I Set Multiple Forwarder Servers for the Internal DNS Server? ===

Setting multiple DNS forwarder servers is supported in Samba 4.5 and later versions. In earlier versions, if you require more than one host to forward foreign requests to, you must use the BIND9_DLZ back end.

For details, see [[Samba_Internal_DNS_Back_End#Setting_up_a_DNS_Forwarder|Setting up a DNS Forwarder]].

=== How Do I Set up the BIND DNS Server to Replicate AD DNS Zones? ===

Updates of the Active Directory DNS zones are transferred automatically to other AD DNS servers using directory replication.

Zone transfers to non-AD DNS servers are not supported.

=== Can I Use the <code>.local</code> Top-level Domain for My AD DNS Zone? ===

Using the <code>.local</code> top-level domain is not recommended. You will undoubtedly have problems if you do; for one, it interferes with Avahi. For details, see [[Active_Directory_Naming_FAQ#Using_an_Invalid_TLD|Using an Invalid TLD]].
 
  
  
== Trust Support ==

=== Does Samba AD Support Trust Relationships? ===

The trust feature is experimental and has several limitations, such as:

* SID filtering rules are not applied.
* You cannot add users and groups of a trusted domain to domain groups.

Trusts are currently not completely implemented: Samba can be trusted, but cannot trust yet. Even this is unofficial and should not be relied on, because "[https://lists.samba.org/archive/samba/2014-July/182830.html parts that appear to work are a partial development that just happen to be in our released versions]" (July 2014).

=== Do Trusts Only Not Work in Samba AD-only Environments, and Are Fine in Mixed Samba AD/Windows Environments? ===

No. The Samba DC just will not know much about the trust.

== Group Policy Support ==

=== Is It Possible to Set User-specific Password Policies in Samba AD, Such as on an Organisational Unit? ===

Password settings are validated and applied by the DC, so that modified Windows clients or Unix clients (which do not handle GPOs) cannot bypass the rules. However, Samba does not evaluate or apply GPO restrictions and only serves GPOs to clients through the Sysvol share.

Use the <code>samba-tool domain passwordsettings</code> command to update password policies on a DC. These policies apply at the domain level only.

=== What Does <code>The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory</code> Mean? ===

When you click on a GPO in the Group Policy Management Console, the following error is displayed:

 The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

Clicking OK does not fix the problem. Instead, run

 # samba-tool ntacl sysvolreset

See the page [[Sysvolreset]] for troubleshooting steps.

== LDAP ==

=== Do Samba AD DCs Support OpenLDAP or Other LDAP Servers as the Back End? ===

Active Directory requires features, such as ACLs stored within the directory and a different schema, that are not supported by other LDAP servers.

== Kerberos ==

=== How Do I Disable DES and RC4 in the AD DC? ===

<code>samba-tool domain exportkeytab</code> exports keytab files including the <code>arcfour-hmac-md5</code>, <code>des-cbc-md5</code> and <code>des-cbc-crc</code> keys. The <code>allow_weak_keys = false</code> option (which is the default) in <code>krb5.conf</code> is the tool for controlling this. Currently this only disables DES, and only at runtime, not at the layer the keytab export uses.

When Heimdal is updated, this has to be done carefully, because <code>arcfour-hmac-md5</code> has been declared weak, and disabling it will break Windows 2003 and Windows XP clients.

Additionally, until Samba 4.2, Samba defaulted to the Windows 2003 functional level, so it has not been storing the newer AES keys.
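Because the keytab export is not covered by the runtime setting, the practical check is to look at what the exported keytab actually contains. The following is an added example written for this page, not Samba's own code: it parses a listing in the shape of MIT <code>klist -kte</code> output (the sample below is constructed, and MIT prints <code>arcfour-hmac-md5</code> as <code>arcfour-hmac</code>) and reports, per principal, which of the weak types named above are present and whether a principal has only weak keys, which is the case that breaks a client if the weak types are removed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of MIT `klist -kte` output; not captured from a real DC.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2020 00:00:00 host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2020 00:00:00 host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/01/2020 00:00:00 host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   2 01/01/2020 00:00:00 host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   2 01/01/2020 00:00:00 host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-crc)
   3 01/01/2020 00:00:00 legacy-svc@SAMDOM.EXAMPLE.COM (arcfour-hmac)
"""

# The encryption types the FAQ names as weak; "arcfour-hmac" is MIT's display name for arcfour-hmac-md5.
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc"}

# One keytab entry: KVNO, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(text):
    """Per principal: the sorted weak enctypes present, and whether *only* weak keys exist.

    A principal with only weak keys cannot be served once those types are disabled,
    so it must get AES keys first (see the functional-level note above)."""
    by_principal = defaultdict(set)
    for _, principal, enctype in parse_klist(text):
        by_principal[principal].add(enctype)
    report = {}
    for principal, enctypes in by_principal.items():
        weak = enctypes & WEAK_ENCTYPES
        strong = enctypes - WEAK_ENCTYPES
        report[principal] = {"weak": sorted(weak), "only_weak": bool(weak) and not strong}
    return report


if __name__ == "__main__":
    for principal, finding in audit_keytab(SAMPLE_KLIST).items():
        print(principal, finding)
```

Run the script against the output of <code>klist -kte /path/to/exported.keytab</code> by replacing the sample string; principals with <code>only_weak</code> set are the ones to re-key before removing the weak types.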
+
== LDAP Back End and Anonymous Access ==

=== Is It Planned to Support OpenLDAP as Back End for Samba AD? ===

Currently, there is no active work on this project.

One of the main reasons people ask for OpenLDAP as the back end for AD is that they are currently running Samba as an NT4 PDC using the OpenLDAP back end and want to migrate to Samba AD without manually transferring directory data to AD. However, even if OpenLDAP became a supported back end on a Samba AD DC, the directory schema would be the AD schema. This means you would have to update external applications accessing the directory, just as you have to do when you use the Samba internal LDAP server. Additionally, you would have to import manually those attributes from the old LDAP server that are not included in the AD schema.

The biggest problem is that a significant part of the complexity of the AD DC is in the LDB modules. Creating a general-purpose OpenLDAP back end requires rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.

Specific problems include:
* the metadata required for both DRS replication and dirsync
* schema manipulation
* transactions
* access control lists (ACL)

The Samba team decided not to pursue this as a development avenue, and no viable approach to re-opening this functionality has been proposed.

=== Does the Samba Internal LDAP Server Support Anonymous Searches? ===

Samba honours the <code>dSHeuristics</code> flag. For details, see http://support.microsoft.com/kb/326690

However, enabling anonymous access to the AD raises security problems and is not recommended. Configure LDAP authentication or Kerberos support in your client instead.
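The <code>dSHeuristics</code> value is a positional string, so the quickest way to audit whether anonymous operations are enabled is to read the attribute and interpret the 7th character. The following is an added example written for this page, not Samba's own code; it assumes the flag layout of MS-ADTS section 6.1.1.2.4.1.2 (anonymous operations are permitted only when character 7 is <code>2</code>, and every tenth character must carry its position digit), and the LDIF below is a constructed sample of what <code>ldbsearch</code> returns for the Directory Service object.

```python
import re

# Constructed LDIF-style output for the object carrying dSHeuristics (not from a real DC;
# the DN is the standard location, the value is an assumption for the example).
SAMPLE_LDIF = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
objectClass: nTDSService
dSHeuristics: 0000002
"""

# Names of the first nine positions (1-based), from MS-ADTS 6.1.1.2.4.1.2; only position 7
# is interpreted by this script.
FLAG_NAMES = {
    1: "fSupFirstLastANR", 2: "fSupLastFirstANR", 3: "fDoListObject",
    4: "fDoNickRes", 5: "fLDAPUsePermMod", 6: "fHideDSID",
    7: "fLDAPBlockAnonOps", 8: "fAllowAnonNSPI", 9: "fUserPwdSupport",
}
ANON_OPS_POS = 7  # anonymous LDAP operations are allowed only when this character is '2'


def dsheuristics_from_ldif(text):
    """Return the dSHeuristics value, or '' when absent (absent means all defaults)."""
    m = re.search(r"^dSHeuristics:\s*(\S*)\s*$", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else ""


def is_well_formed(value):
    """Every tenth character must equal its position / 10 ('1' at 10, '2' at 20, ...)."""
    return all(value[n - 1] == str(n // 10) for n in range(10, len(value) + 1, 10))


def anonymous_ops_allowed(value):
    """True only when character 7 is '2'; a shorter value leaves anonymous ops blocked."""
    return len(value) >= ANON_OPS_POS and value[ANON_OPS_POS - 1] == "2"


def set_char(value, pos, ch):
    """Return a copy with position `pos` set to `ch`, zero-padded, tenth-position digits kept."""
    chars = list(value)
    while len(chars) < pos:
        chars.append("0")
    chars[pos - 1] = ch
    for n in range(10, len(chars) + 1, 10):
        chars[n - 1] = str(n // 10)
    return "".join(chars)


def decode(value):
    """Map the named positions to their character ('0' when the value is shorter)."""
    return {name: (value[pos - 1] if len(value) >= pos else "0")
            for pos, name in FLAG_NAMES.items()}


if __name__ == "__main__":
    current = dsheuristics_from_ldif(SAMPLE_LDIF)
    print("dSHeuristics:", current or "<absent>", "| well-formed:", is_well_formed(current))
    print("anonymous LDAP operations allowed:", anonymous_ops_allowed(current))
    # The value to write back to block anonymous operations again.
    print("hardened value:", set_char(current, ANON_OPS_POS, "0"))
```

On a Samba DC the attribute can be read with <code>ldbsearch</code> against <code>sam.ldb</code> and the base DN shown in the sample; feed that output to <code>dsheuristics_from_ldif</code> in place of the constructed string.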
 
  
  
  
  
= LDAP Back End Background =

== Will Samba 4 Have a Built-in, Full-fledged LDAP Server? ==

Yes. While we certainly will not compare ourselves with the standards-based products from other vendors (our aim is to please AD clients first, and hopefully do so while complying with the standards), it will include an LDAPv3 server.

== Why Is the LDAP Back End (Used So Successfully in Classic Samba Domains) Not Supported with the AD DC? ==

We certainly appreciate the bind that the LDAP server situation puts our administrators in. We went to great lengths to try and avoid this, but were unable to make it work while also supporting features such as DRS replication and many of the finer points of AD's LDAP server. The biggest killer for the feature was the need for runtime schema translation, or for the administrator to load the AD schema and layout on their external LDAP server (which rather defeats the purpose).

There are three ways out of this difficult situation:

* Continue to use Samba as a 'classic' domain controller as-is using smbd/nmbd (this code remains and remains supported).
* Add schema extensions to our LDAP server (disabled by default, but supported), and cope with the AD-specified layout restrictions.
* Somehow sync Samba with an existing LDAP server.

There are major challenges with synchronisation of directories, but it certainly may be an option in some situations.

We certainly understand that it appears almost rude, on the face of it, to step up from being an equal partner in the Unix-LDAP ecosystem supporting a number of different directory servers to demanding that everyone else use only our internal server. We do wish it did not have to be this way, and we have left in (with tests) as much of the code we used for the [[Samba4/LDAP Backend|LDAP backend]] experiment as is possible, in case somehow someone builds a workable use case in the future.

== Is It Planned to Support OpenLDAP as Back End Again? ==

An LDAP back end to the AD DC is not a viable proposition at this point in time, as even with the addition of massive extra resources, trying to revive it would create an incredible distraction.

The biggest issue is that a significant part of the complexity of the AD DC turns out to be in our ldb modules. Creating a general-purpose, OpenLDAP-backed AD DC would involve rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.

Totally removing the LDAP listener would require rewriting even more code than that, and would (based on the past experience of Luke Howard's XAD) require extensive patches to OpenLDAP.

Specific issues include the metadata required for both DRS replication and dirsync, schema manipulation, transactions, access control lists, impersonation (if Samba still operated as an LDAP proxy) or authentication (if OpenLDAP was the LDAP listener), and AD-specific matching rules.

The components of LDAP that are left unaltered, after all this is done, are actually the easy bits, as is seen by the relative simplicity of ldb itself.

Finally, as mentioned in the previous question, even if this was all done, the schema would still be the AD schema, which removes the advantage of doing all that work in the first place.

The team has decided not to pursue this as a development avenue, and no viable approach to re-opening this functionality has been proposed. However, where it does not compromise development, the technical doors for some special-case development here have been left open, with code and tests remaining in the tree.

== Are Anonymous LDAP Searches Possible? ==

While there are many good reasons to do or not do this, Samba follows AD, including honouring the <code>dSHeuristics</code> flag for this: [http://support.microsoft.com/kb/326690 http://support.microsoft.com/kb/326690]

However, it is better to authenticate, and Kerberos, if used correctly, can make that transparent.

= Samba as an NT4 Primary Domain Controller =

== Do I Have to Migrate to Samba AD? ==

One of the common misconceptions is that "Samba 4" means "Active Directory only". This is wrong!

The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However, all newer versions include the features of previous versions, including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to a recent version, just as you updated in the past, for example from 3.5.x to 3.6.x. There is no need to migrate an NT4-style domain to an AD.

Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace the PDC feature. The Samba team understands the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support. Additionally, we continue testing the PDC support in our continuous integration system.

== What Does <code>User Administrator in your existing directory has SID ..., expected it to be ...-500</code> Mean? ==

In your current NT4 domain, the RID of the domain administrator account is not <code>500</code>. For details, see [http://support.microsoft.com/kb/243330/en Windows well-known security identifiers].

To fix this, do one of the following:
* Remove the account. It will be recreated automatically during the classic upgrade.
* Update the RID of the account manually to <code>500</code> in your current Samba back end.

However, you then have to reconfigure applications or file system ACLs listing the domain administrator, because in the back end the <code>objectSID</code> attribute is used to identify a user. Thus, after changing the RID of the account, it is a different account.

= Samba as a Domain Member =

== Do I Provision a Samba Domain Member Using <code>samba-tool</code>? ==

From the roles the <code>samba-tool domain provision --help</code> command offers, the only supported provision role is <code>DC</code> (Active Directory domain controller).

Provisioning any other role results in an incorrectly working version of an AD DC. If you did provision a different role, remove all Samba database files and the generated <code>smb.conf</code> file, and join the domain member using the <code>net</code> command. For details, see [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]].

== Which Windows Server Versions Are Supported as a Domain Member in a Samba AD? ==

For details, see [[Joining_a_Windows_Client_or_Server_to_a_Domain#Supported_Windows_Versions|Supported Windows Versions]].

== I Have Set up a Domain Member Using the <code>idmap_ad</code> Back End, but <code>getent passwd</code> and <code>getent group</code> Do Not Show Users, Computers or Groups ==

Try explicitly asking for a user or group, i.e. <code>getent passwd auser</code>; winbind no longer enumerates users and groups by default.

Computers are never enumerated, but are shown when queried explicitly, i.e. <code>getent passwd SAMDOM\hostname$</code>.

If you want to show all users and groups, you need to add these lines to <code>smb.conf</code>:
    winbind enumerate users = yes
    winbind enumerate groups = yes

{{Imbox
| type = note
| text = You should only add these lines for testing purposes.
}}

If, after trying the above, you still do not get any users, groups or computers, check that:

* Your users have a <code>uidNumber</code> attribute containing a unique number inside the range set in <code>smb.conf</code>.
:: Example: If you have <code>idmap config DOMAIN : range = 10000-999999</code> in <code>smb.conf</code>, your users' <code>uidNumber</code> attributes should start at 10000 and go up to 999999; any number outside this range will be ignored.
* The Windows group <code>Domain Users</code> has a <code>gidNumber</code> attribute containing a number inside the same range. If <code>Domain Users</code> does not have a <code>gidNumber</code>, ALL users will be ignored.
* Your computers have a <code>uidNumber</code> attribute as outlined above for users. Computers do not need a <code>gidNumber</code>.
* libnss_winbind is set up correctly, see [[Libnss_winbind_Links|here]].
* The <code>passwd</code> and <code>group</code> lines in <code>/etc/nsswitch.conf</code> have had <code>winbind</code> added, see [[Setting_up_Samba_as_a_Domain_Member#Configuring_the_Name_Service_Switch|here]].

If you set the <code>uidNumber</code> attribute for a computer (also known as the "Windows machine network account", e.g. <code>SAMDOM\hostname$</code>), the computer will have access to Samba shares if they permit groups like <code>Domain Computers</code>. This can be useful during startup.
  
  
  
= Migration from a Samba NT4-style domain to Samba AD =
+
= Samba as an standalone server =
  
== User 'Administrator' in your existing directory has SID ..., expected it to be ...-500 ==
+
== Why does Windows Network Neighborhood not show Samba server(s)? ==
  
The error says what's wrong: In your NT4-style domain backend, the RID of the domain administrator account isn't 500, what it should be (see. [http://support.microsoft.com/kb/243330/en Windows well-known security identifiers]). Change it to 500 and start over. You can remove the account, too, as it will be automatically created during the AD provisioning.
+
If you are using SMB2 or SMB3, network browsing uses WSD/LLMNR, which is not yet supported by Samba [https://bugzilla.samba.org/show_bug.cgi?id=11473]. SMB1 is disabled by default on the latest Windows versions for security reasons. It is still possible to access the Samba resources directly via \\name or \\ip.address.
  
 
+
If SMB1 is enabled on Windows, check that NetBIOS over TCP/IP is also
 
+
enabled, and that nmbd is started on the server.
 
 
 
 
= Schemas =

== Will it also be possible in the future to extend the server by loading user-defined schemas? ==

Yes, [[Samba_AD_Schema_Extenstions|user-defined schema]] may be loaded into the Samba AD DC. It is experimental, so you must set

 dsdb:schema update allowed = yes

in the smb.conf to permit it.


== Does Samba support MS AD schema extensions? ==

Samba is shipped with AD schema version 47 (MS Windows Server 2008 R2). Schema updates, as required when adding a DC running Windows Server 2012 or newer, are currently not supported by the Samba back end. The schema update against a Samba DC will fail, and if done against a Windows 2008 R2 DC in the domain, it will break AD replication with all Samba DCs and make your AD inconsistent!


= WINS =

== Why is Network Neighbourhood empty or does not show all machines in a Samba AD environment? ==

The master browser code in smbd does not collect names because the NetBIOS server in the AD DC does not have the browsing code in it. We would like to add that, but it is a matter of a developer finding it to be a personal (or employer) priority. (Sadly, on the AD DC there isn't spare developer time just floating around.)

As a workaround, you can try Samba4Wins: [ftp://ftp.sernet.de/pub/samba4wins/ ftp://ftp.sernet.de/pub/samba4wins/]
 

Latest revision as of 02:12, 31 July 2019

Introduction

The questions listed here are frequently asked on the Samba mailing list.



General Samba Questions

When Will the next Samba Version Be Released?

For details, see Samba Release Planning.


Can I Get Help with a Problem in an Unsupported Samba Version?

Update to a supported version first. It is likely that the problem has been fixed in the meantime. Samba is actively developed and new minor versions fix several bugs and major versions additionally include new features. If you cannot update to the latest version in the current stable release series, update to the latest version in any other supported series. For details, see Samba Release Planning.

If you are running a Samba version shipped with your distribution and that is no longer supported by Samba, contact your distribution's support for help.


How Do I Update Samba?

See Updating Samba.


What Is the Maximum Size of a LDB or TDB Database File?

The maximum size is 4 GB because the databases use 32-bit structures.

Previously, there was a project called NTDB that should address the size limit and other problems. However, the project has been stopped because of problems migrating the databases.



Samba as an Active Directory Domain Controller

General

Is Samba as an Active Directory Domain Controller Stable Enough for a Production Environment?

Samba AD is stable for production environments. The AD DC support was introduced in the 4.0 version, which was released in December 2012. However, Samba AD has some unimplemented features, such as Sysvol replication.


What Does ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required Mean?

See Default for LDAP Connections Requires Strong Authentication.

I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as a DC to the Forest?

The following Windows Server versions are supported as a DC alongside a Samba DC:

Windows Server Version         Comments
Windows Server 2016            Not supported.
Windows Server 2012 / 2012 R2  Supported in Samba >=4.5. For details, see Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD.
Windows Server 2008 / 2008 R2  Supported in Samba >=4.0. For details, see Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD.
Windows Server 2003 / 2003 R2  Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.
Windows 2000                   Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.

One of the limiting items is the AD schema version. For details, see AD Schema Version Support.


Why Is the Network Neighbourhood Empty or Does Not Show All Machines in the Domain?

The Samba AD DC smbd daemon does not support browsing.

It is planned to add this feature. However, there are no development resources and thus no date when this feature will be included.


What Does Warning: No NC replicated for Connection! Mean?

When running the samba-tool drs showrepl command, the following warning is displayed at the end of the output:

Warning: No NC replicated for Connection!

The warning appears because Samba incorrectly sets some flags when registering the DC for replication. The warning is harmless and can be ignored.


Can I Use the Samba AD DC as a Fileserver?

Whilst it is not recommended, yes you can, but you should be aware of its limitations. Amongst these is that you cannot obtain the users' Unix home directories or login shell from AD; you must use template lines in smb.conf.


Configuration

Why Do I Not Have a server services parameter in My smb.conf File?

The server services options in the smb.conf file are set when provisioning a Samba AD DC, based on the settings you made during this process. If this parameter is not listed in the [global] section of your smb.conf file, the default values are used.

For details, see the smb.conf (5) man page.


Can I Disable Some of the server services options in the smb.conf File?

The server services options in the smb.conf file are set when provisioning a Samba AD DC, based on the settings you made during this process.

Removing or modifying any of the options can result in an incorrectly operating Samba AD DC!

However, there are a few situations where you can manually update the options:

  • To disable the network printing spooler:
Change the spoolss option to -spoolss.
  • To switch the DNS back end:
For details, see Changing the DNS Back End of a Samba AD DC.


How Do I Enable Guest Access to a Share on a Samba AD DC?

On non-AD DCs, you can set the map to guest parameter in the smb.conf file to bad user to enable guest access. However, guest access is based on the guest account parameter, which is not implemented in the Samba AD mode.

Can I Change the ID Range on a DC?

Yes, very easily: give your users uidNumber attributes containing numbers inside the range you want to use. You should also give Domain Users a gidNumber attribute containing a number inside the same range.


Directory Schema

Which Active Directory Schema Versions Does Samba Support When Set up as a DC?

For details, see AD Schema Version Support.


Is It Possible to Extend the Samba AD Schema?

For details, see Samba AD Schema Extensions.


Kerberos

What Does UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT Mean?

On the first start of a Samba DC in an existing Windows AD forest, the following error message is logged:

UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for <DC_objectUID>._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com

This error is logged by the knowledge consistency checker (KCC), until the Windows DC has established the connections to the Samba DC.

To fix the problem, run:

  • on your Windows DC:
C:\> repadmin /kcc
  • or alternatively on your Samba DC:
# samba-tool drs kcc -Uadministrator Windows_DC.samdom.example.com


Replication

Do Samba AD DCs Support Replication?

  • Everything stored inside the AD is replicated between DCs. For example: users, groups, and DNS records.
  • In the current state, Samba does not support the distributed file system replication (DFS-R) protocol used for Sysvol replication. To work around, see Sysvol Replication (DFS-R).


Is a Samba DC Able to Replicate the Directory Content with a Non-AD LDAP Server?

Active Directory uses a different schema than other LDAP servers and thus replicating with non-AD DCs is not supported or planned to be supported.


DNS

Can I Set Multiple Forwarder Servers for the Internal DNS Server?

Setting multiple DNS forwarder servers is supported in Samba 4.5 and later versions.

For details, see Setting up a DNS Forwarder.


How Do I Set up the BIND DNS Server to Replicate AD DNS Zones?

Updates of the Active Directory DNS zones are transferred automatically to other AD DNS servers using directory replication.

Zone transfers to non-AD DNS servers are not supported.


Can I Use the .local Top-level Domain for My AD DNS Zone?

Using the .local top-level domain is not recommended. For details, see Using an Invalid TLD.


Trust Support

Does Samba AD Support Trust Relationships?

The trust feature is experimental and has several limitations, such as:

  • SID filtering rules are not applied
  • You cannot add users and groups of a trusted domain into domain groups.


Group Policy Support

Is It Possible to Set User Specific Password Policies in Samba AD, Such as on an Organisational Unit?

Password settings are validated and applied by the DC so that modified Windows or Unix clients cannot bypass the rules. However, Samba does not support GPO restrictions and only serves GPOs to clients through the Sysvol share.

Use the samba-tool domain passwordsettings command to update password policies on a DC for a domain.


What Does The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory Mean?

When you click on a GPO in the Group Policy Management Console, the following error is displayed:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

See the page Sysvolreset for troubleshooting steps.

LDAP

Do Samba AD DCs Support OpenLDAP or Other LDAP Servers as the Back End?

Active Directory requires features, such as ACLs stored within the directory and a different schema, that are not supported by LDAP servers.

One of the main reasons people ask for OpenLDAP as the back end for AD is that they are currently running Samba as an NT4 PDC using the OpenLDAP back end and want to migrate to Samba AD without manually transferring directory data to AD. However, even if OpenLDAP became a supported back end on a Samba AD DC, the directory schema would be the AD schema. This means you would still have to update external applications accessing the directory, just as you have to do when you use the Samba internal LDAP server. Additionally, you would have to import attributes manually from the old LDAP server that are not included in the AD schema.


Is It Planned to Support OpenLDAP as Back End for Samba AD?

Currently, there is no active work on this project.

The biggest problem is that a significant part of the complexity of the AD DC is in the LDB modules. Creating a general-purpose OpenLDAP back end requires rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.

Specific problems include:

  • the metadata required for both DRS replication and dirsync
  • schema manipulation
  • transactions
  • access control lists (ACL)

The Samba team decided not to pursue this as a development avenue, and no viable approach to re-opening this functionality has been proposed.


Does the Samba Internal LDAP Server Support Anonymous Searches?

Samba honours the dSHeuristics flag. For details, see http://support.microsoft.com/kb/326690

However, enabling anonymous access to the AD raises security problems and is not recommended. Configure LDAP authentication or Kerberos support in your client instead.



Samba as a Domain Member

Do I Provision a Samba Domain Member Using samba-tool?

From the roles the samba-tool domain provision --help command offers, the only supported provision role is DC (Active Directory domain controller).

Provisioning any other role results in an incorrectly working version of an AD DC. If you did provision a different role, remove all Samba database files and the generated smb.conf file, and join the domain member using the net command. For details, see Setting up Samba as a Domain Member.


Which Windows Server Versions Are Supported as a Domain Member in a Samba AD?

For details, see Supported Windows Versions.


I Have Set up a Domain Member Using The idmap_ad Back End, but getent passwd and getent group Do Not Show Users, Computers or Groups

Try explicitly asking for a user or group, for example getent passwd auser. This is because winbind no longer enumerates users and groups by default.

Computers are never enumerated but only shown when queried explicitly, for example getent passwd SAMDOM\hostname$.

If you want to show all users and groups, you will need to add these lines to smb.conf:

   winbind enumerate users = yes
   winbind enumerate groups = yes

If, after trying the above, you still do not get any users, groups or computers, check that:

  • Your users have a uidNumber attribute containing a unique number inside the range set in smb.conf.
Example: If you have idmap config DOMAIN : range = 10000-999999 in smb.conf, your users' uidNumber attributes should start at 10000 and go up to 999999; any number outside this range will be ignored.
  • The Windows group Domain Users has a gidNumber attribute containing a number inside the same range, if Domain Users does not have a gidNumber ALL users will be ignored.
  • Your computers have a uidNumber attribute as outlined above for users. Computers do not need a gidNumber.
  • Check that libnss_winbind is setup correctly, see here.
  • Check that the passwd and group lines in /etc/nsswitch.conf have had 'winbind' added, see here.

If you set the uidNumber attribute for a computer account (the "Windows machine network account", for example SAMDOM\hostname$), the computer will have access to Samba shares that permit groups such as Domain Computers. This can be useful during startup.
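An offline checker for the bullet list above, written as an added example (not Samba code): it parses the idmap range from an smb.conf text and applies the uidNumber/gidNumber rules to a constructed set of directory entries, reporting which accounts winbind would resolve. The smb.conf excerpt and the entries are constructed samples; the range value is the one used in the example above.

```python
"""Added example: check idmap_ad prerequisites from the FAQ against sample data."""
import re

# Constructed smb.conf excerpt (not from a real installation).
SMB_CONF = """
[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed directory entries, reduced to the attributes winbind consults here.
ENTRIES = [
    {"sAMAccountName": "Domain Users", "kind": "group", "gidNumber": 10000},
    {"sAMAccountName": "auser", "kind": "user", "uidNumber": 10001},
    {"sAMAccountName": "buser", "kind": "user", "uidNumber": 5000},      # outside the range
    {"sAMAccountName": "cuser", "kind": "user"},                          # no uidNumber at all
    {"sAMAccountName": "WS01$", "kind": "computer", "uidNumber": 10500},  # machine account
]

_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)


def idmap_range(conf_text, domain):
    """Return (low, high) from 'idmap config DOMAIN : range', or None if unset."""
    for dom, low, high in _RANGE_RE.findall(conf_text):
        if dom.upper() == domain.upper():
            return int(low), int(high)
    return None


def visible_accounts(conf_text, domain, entries):
    """Names winbind would resolve, following the FAQ rules on uidNumber/gidNumber."""
    rng = idmap_range(conf_text, domain)
    if rng is None:
        return []  # no range configured for the domain: nothing can be mapped
    low, high = rng

    def in_range(number):
        return number is not None and low <= number <= high

    # Rule: Domain Users needs a gidNumber inside the range, or ALL users are ignored.
    domain_users = next((e for e in entries if e["sAMAccountName"] == "Domain Users"), None)
    users_ok = domain_users is not None and in_range(domain_users.get("gidNumber"))
    visible = []
    for e in entries:
        if e["kind"] == "group" and in_range(e.get("gidNumber")):
            visible.append(e["sAMAccountName"])
        elif e["kind"] == "user" and users_ok and in_range(e.get("uidNumber")):
            visible.append(e["sAMAccountName"])
        elif e["kind"] == "computer" and in_range(e.get("uidNumber")):
            visible.append(e["sAMAccountName"])  # computers need no gidNumber
    return visible
```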

Samba as NT4 Primary Domain Controller

Do I Have to Migrate to Samba AD?

One of the common misconceptions is: "Samba 4" means "Active Directory only": This is wrong!

The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However, all newer versions include the features of previous versions, including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to a recent version, as you did in the past, for example from 3.5.x to 3.6.x. There is no need to migrate an NT4-style domain to an AD.

Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace the PDC feature. The Samba team understands the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support. Additionally, we continue testing the PDC support in our continuous integration system.


What Does User Administrator in your existing directory has SID ..., expected it to be ...-500 Mean?

In your current NT4 domain, the RID of the domain administrator account is not 500. For details, see Windows well-known security identifiers.

To fix:

  • Remove the account. It will be recreated automatically during the classic upgrade.
  • Update the RID of the account manually to 500 in your current Samba back end.

However, you have to reconfigure applications or file system ACLs listing the domain administrator, because in the back end the objectSID attribute is used to identify a user. Thus, after changing the RID of the account, it is a different account.


Samba as a standalone server

Why does Windows Network Neighborhood not show Samba server(s)?

If you are using SMB2 or SMB3, network browsing uses WSD/LLMNR, which is not yet supported by Samba [1]. SMB1 is disabled by default on the latest Windows versions for security reasons. It is still possible to access the Samba resources directly via \\name or \\ip.address.

If SMB1 is enabled on Windows, check that NetBIOS over TCP/IP is also enabled, and that nmbd is started on the server.