Joining a Windows Server Std 2008 R2 (and Windows 7) system to a Samba (+LDAP) domain

I needed to be able to join a virtual, KVM-hosted Windows Server Std 2008 R2 machine to a CentOS Samba domain with a Centos Directory Server password backend. It took me many hours to get this to work - unfortunately assuming stuff and using OLD information can lead you 'up the garden path'! These are the steps I took :

1. Install a later version of Samba than is available from the CentOS repos. The latest is 3.4.5 as at 19 January 2010. I downloaded and used this extra repo - Download it to /etc/yum.repos.d. I also like to set enabled=0 in non-standard repo files just so that I use stock RPM's as much as possible.
2. Then run yum --enablerepo=sernet-samba update samba

3. Make sure net getlocalsid and net getdomainsid return the same result. See here for more info.

4. By default samba attempts secure connection to your LDAP server using StartTLS. If you don't have this already setup, turn this off with the ldap ssl = none setting in /etc/samba/smb.conf.  If you don't then the join will not work - An 'Access is Denied' message will appear when you attempt to join. Once you have joining working, and you haven't already, then setup up secure connections between Samba and LDAP.

5. *** THIS IS IMPORTANT *** Check, re-check and re-check again the /etc/ldap.conf, /etc/smbldap-tools/smbldap_bind.conf and /etc/smbldap-tools/smbldap.conf config files. These make or break your samba/LDAP setup. Make sure the base dn is correct, the directory manager binddn and binddnpasswd is correct. Make sure the nss_base settings are correct. Make sure the three files are consistent with each other. Then go and check again!!!!

4. In the Windows Registry set/add the following keys. The bottom two are set the way shown by default but some sources on the internet suggest to turn them off - IF you do then the join will happen but you won't be able to login with a domain user - an error about "The trust relationship between this workstation and the primary domain failed" will occur. DO NOT TURN THESE OFF:




5. I also changed the Local Security Policy of the joining Windows workstation, under Security Options. I set "Network Security: LAN Manager authentication level" to "Send LM & NTLM - use NTLMv2 session security if negotiated"

Helpful Sites
Samba's Wiki Page re Windows 7:
Checking SID's are the same: