Is there any trick to join and use Windows 8/8.1 with Samba 4 (4.1.6)?

It seems that Samba doesn't like me at all. I've followed various tutorials and I can't get Windows 8 to work properly with an Ubuntu Server as domain controller. This week I've downloaded Ubuntu 14.04 LTS and set up a fast domain configuration. As usual, all other Windows versions (XP and 7) work, but the newest M$ nightmare doesn't. In this try it doesn't even join the domain; it keeps saying that my username or password is wrong.

My /etc/samba/smb.conf

# Global parameters
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LAN
        netbios name = DOM
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/domain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[test]
        path = /SHARES/test
        read only = no

Does anyone have a tutorial that really works? Because I've tried many, each one with different configurations that work only for the people that made them.

And is there a way to import my old AD users, computers and ID in a way that I won't need to rejoin all computers?

[Edit]

Now I've tested various versions since 4.0.0 (final version) to 4.1.9, all working with Windows 8.1.

Make sure that acl and attr are installed and are set in the /etc/fstab file:

# / was on /dev/sda1 during installation
/dev/sda1 /               ext4    user_xattr,acl,barrier=1,errors=remount-ro 0       1

Remount using:

mount -o remount,rw /

I also add the wins option to the /etc/nsswitch.conf file:

hosts:          files wins dns

Provisioning a domain with:

$ samba-tool domain provision --domain=domain --adminpass=Abc12345 --server-role=dc --realm=domain.lan --dns-backend=SAMBA_INTERNAL

The /etc/samba/smb.conf:

# Global parameters
[global]
    workgroup = DOMAIN
    realm = DOMAIN.LAN
    netbios name = DOM
    server role = active directory domain controller
    dns forwarder = 8.8.8.8

[netlogon]
    path = /var/lib/samba/sysvol/domain.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Setting the complete name in /etc/hosts:

127.0.1.1 dom
192.168.0.2 dom.domain.lan dom

and /etc/hostname:

dom.domain.lan

Setting the static IP address:

auto eth0
iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    dns-nameserver 8.8.8.8 208.67.222.222
    dns-search domain.lan

and copying the generated /var/lib/samba/private/krb5.conf to /etc


Assuming there is no version issue with Samba, ensure that your clocks are within the allowable threshold. Time has caused me this exact same issue a number of times. With 4.1.7 my 8 and now 8.1 machine was able to join and log in.

Looking deeper at your config, the realm could be the issue.

There is a problem with Windows 8, where Microsoft raises a new domain name policy. When a domain contains a dot (".") in its name (i.e. example.com), Windows 8 treats this name as an Active Directory name and tries to contact a Kerberos/LDAP server even if there is none. So it is impossible to join this domain and there is no known fix or workaround yet.

Source: https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains#Windows_8_and_classic_domain_.28NT-4_style.29_with_a_dot_in_its_name


All my tests with different versions worked, even the beta versions including 4.0.0beta2. I managed to upgrade to version 4.1.11 from Debian backports without breaking the system (phew). That solved some problems but not the Windows 8/8.1 joins. So, test after test, we found the problem.

The reason it worked in my tests is that I used only the IP address of the Samba server as DNS on the VMs. On the production network we have a primary and a secondary DNS, and this is causing the problem because of the realm. Windows 8/8.1 has no problem joining the domain if we use only the Samba server IP as DNS. This causes a problem where we cannot navigate to internal pages/services like the intranet and some internal systems.

Now the problem is bigger and has nothing to do with Windows 8/8.1. We'll have to change the realm name.

If you have an external site like mysite.com, this seems to be wrong:

samba-tool domain provision --realm=mysite.com --domain=mysite

Instead, it should be something like:

samba-tool domain provision --realm=ad.mysite.com --domain=mysite

smb.conf

[global]
workgroup = MYSITE
realm = ad.mysite.com
netbios name = SHARES
dns forwarder = <one of your choice>
server role = active directory domain controller

Thanks everyone!
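
The DNS dependency described in the last answer, as an added check that is not part of the original posts: it asks each resolver a client is configured with for the SRV records a domain join needs and reports the resolvers that cannot locate the DC. It assumes `dig` is installed; the function names and the `DIG` override are hypothetical, and the realm and addresses in the usage line are the ones from the question.

```bash
#!/usr/bin/env bash
# Added example (not from the original posts): verify that every DNS
# resolver handed to a Windows client can locate the Samba AD DC.
# Assumption: `dig` is available; DIG can be overridden for testing.
DIG="${DIG:-dig}"

# SRV records a domain join looks up for the given realm.
ad_srv_names() {
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$1" \
        "_ldap._tcp.$1" \
        "_kerberos._tcp.$1"
}

# check_resolver REALM RESOLVER
# Prints one MISSING line per record the resolver cannot answer.
# Returns 0 only if all records resolve.
check_resolver() {
    local realm="$1" resolver="$2" name answer missing=0
    for name in $(ad_srv_names "$realm"); do
        answer="$($DIG +short +time=2 +tries=1 SRV "$name" "@${resolver}" 2>/dev/null)"
        # A usable SRV answer looks like: "0 100 389 dom.domain.lan."
        if ! printf '%s\n' "$answer" | grep -Eq '^[0-9]+ [0-9]+ [0-9]+ [^ ]+\.$'; then
            echo "MISSING ${name} via ${resolver}"
            missing=1
        fi
    done
    return "$missing"
}

# check_all REALM RESOLVER...
# Returns non-zero if any listed resolver cannot find the DC, which is the
# situation where a client may fail to join depending on which DNS it asks.
check_all() {
    local realm="$1" rc=0 r
    shift
    for r in "$@"; do
        if check_resolver "$realm" "$r"; then
            echo "OK ${r} resolves the AD SRV records for ${realm}"
        else
            rc=1
        fi
    done
    return "$rc"
}

# Usage: ./check-ad-dns.sh domain.lan 192.168.0.2 8.8.8.8
if [ "$#" -ge 2 ]; then check_all "$@"; fi
```

Any resolver reported as MISSING needs a forwarder or delegation for the AD zone pointing at the Samba DC before clients that use it can find the domain.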