You are here
Michael H. - Wed, 2023/07/19 - 05:47
Hello,
I am working on migrating from Windows servers to Linux servers. So far, I have a domain controller and a file server configured via Turnkey. They both seem to be working properly, except I cannot manage to bind the file server to the domain controller. When attempting to join, I receive the following error:
cannot join as standalone machine
I am looking to create a few shares and have them be managed via ACLs, so they are accessible via some Windows 10 machines.
Both systems are containers on Proxmox and are v17.1. I verified the DC user to bind with, the firewalls and samba configuration, but have not been able to figure out what I am doing wrong.
Can someone point me in the direction of some good documentation for completing this procedure?
Forum:
You should be able to join the AD via CLI
To join your fileserver to the AD you'll need to use the CLI to link it. We do have intention to make that easier, but we have a todo list a mile long and unfortunately haven't got to that yet...
Please see the relevant Samba doc page for instructions.
Or is that what you were trying when you say you get the 'cannot join as standalone machine' message? If so, please share the full commands that you've run (perhaps you missed a step? Perhaps you missed an argument from one of the commands?). FWIW 'cannot join as standalone machine' often occurs when you try to add a machine as a Samba/Windows user who does not have adequate permissions on the AD domain you are trying to join.
Got the FS joined... now there are permissions issues.
Thank you for the link... I have visited it many times today. I was able to get the domain joined today. I had a typo in some config files. smh...
The issue I am having now is that I am unable to create a folder, share it and assign permissions to a domain user. The users appear to be syncing properly between the DC and FS, but the user is prompted for credentials when attempting to navigate to the share. They are using a domain joined Windows machine and are logged in as the correct user too. For some reason, the only credentials that allow access to the share are DC\root.
Is the Fileserver on a system that supports ACLs?
The default Fileserver config is as a standalone legacy Samba set up (aka Samba3 style config). I.e. not intended as a domain member.
The old way of doing things was for each Samba user to be mapped to a Linux user account. So by default Windows/SMB permissions are mapped relatively directly to Linux permissions (Windows file permissions are more granular than default Linux ones, but good enough).
The new way things are done is that all Samba users are managed under a single Linux "samba" user. ACLs (Access Control Lists) are used to differentiate between individual Windows/Samba users.
So the first thing I'd recommend is ensuring that your Fileserver is running on a filesystem that supports extended ACLs. IIRC on Proxmox, assuming a default filesystem that supports ACLs they are auto configured for LXC containers. Here is the Arch wiki ACL page which may be useful? (Note TurnKey is based on Debian - not Arch - but Arch wiki is awesome and generally relevant).
Assuming that is correctly set up, be sure to grant samba:samba ownership to the relevant directories.
TBH, I haven't tested any of this, I'm just working from memory and/or info I've read and/or google results. I do hope to make this much easier in the future (i.e. join a Fileserve directly to an existing domain and adjust as required) but I'm not sure when I'll have time to test this out a bit more. As such, please do share any info you find, especially if/wehn you get it working!
Hopefully that provides some value!?
Add new comment