Web lists-archives.com

Re: [Samba] DC's are unavailable when PDC halted




See inline comments:

On Wed, 8 Nov 2017 11:18:10 +0100
Ervin Hegedüs <airween@xxxxxxxxx> wrote:

 
> ========
> open-ldap:
> 
> --------
> /etc/hostname
> open-ldap.core.mydomain.hu

This should just be the short hostname not the fqdn

> 
> --------
> /etc/hosts
> 127.0.0.1	localhost
> 
> #10.10.20.202	open-ldap.core.mydomain.hu

Uncomment the above line

> #10.10.20.204	open-ldap2.core.mydomain.hu
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> --------
> /etc/resolv.conf
> search core.mydomain.hu
> nameserver 127.0.0.1
> nameserver 10.10.10.1

You would be better using the DCs ipaddress rather than '127.0.0.1'.
You should also remove '10.10.0.1' it doesn't seem to be a DC.

> 
> --------
> /etc/krb5.conf
> [libdefaults]
> 	default_realm = CORE.MYDOMAIN.HU
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 

You don't need the rest of the krb5.conf

> [realms]
> 	CORE.MYDOMAIN.HU = {
> 	    kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
> 	    kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
> 	    admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
> 	    admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
> 	}
> 
> 
> --------
> /etc/samba/smb.conf
> # Global parameters
> [global]
> 	netbios name = OPEN-LDAP
> 	realm = CORE.MYDOMAIN.HU
> 	workgroup = CORE
> 	dns forwarder = 10.10.10.1
> 	server role = active directory domain controller
> 	idmap_ldb:use rfc2307 = yes
> 
> 	log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> 	ntlm auth = yes
> 	lanman auth = yes
> 	client ntlmv2 auth = yes

I would investigate upgrading security on the clients, rather than
turning it down on the DC
 
> 
> 	server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

The above line contains all the defaults, so you can remove it.

> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
> 	read only = No
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 
> ========
> open-ldap2:
> 
> --------
> /etc/hostname
> open-ldap2
> 
> --------
> /etc/hosts
> 127.0.0.1	localhost
> 
> 10.10.20.204	open-ldap2.core.mydomain.hu
> 10.10.20.202	open-ldap.core.mydomain.hu

Remove the above line, the other DC should be found by DNS

> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> --------
> /etc/resolv.conf
> search core.mydomain.hu
> nameserver 127.0.0.1
> nameserver 10.10.10.1

As the other DC, but use this DCs ipaddress

> 
> --------
> /etc/krb5.conf
> [libdefaults]
> 	default_realm = CORE.MYDOMAIN.HU
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 

As the other DC, you don't need the rest of krb5.conf

> [realms]
> 	CORE.MYDOMAIN.HU = {
> 	    kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
> 	    kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
> 	    admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
> 	    admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
> 	}
> 
> 
> --------
> /etc/samba/smb.conf
> # Global parameters
> [global]
> 	netbios name = OPEN-LDAP2
> 	realm = CORE.MYDOMAIN.HU
> 	workgroup = CORE
> 	dns forwarder = 10.10.10.1
> 	server role = active directory domain controller
> 	idmap_ldb:use rfc2307 = yes
> 	ntlm auth = yes
> 	lanman auth = yes
> 	client ntlmv2 auth = yes
> 	log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> 
> 	#server runs = -dns
> 	server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

As the other DC, you don't need the above line

> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
> 	read only = No
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 
> ========
> client:
> 
> --------
> /etc/hostname
> open-client
> 
> --------
> /etc/hosts
> 127.0.0.1	localhost
> 
> 10.10.20.205	open-client.core.mydomain.hu	open-client
> 
> 
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> --------
> /etc/resolv.conf
> search core.mydomain.hu
> nameserver 10.10.20.202
> nameserver 10.10.20.204
> 
> --------
> /etc/krb5.conf

The krb5.conf only needs to match the ones on the DCs, so you don't
need all of the following.

> [libdefaults]
> 	default_realm = CORE.MYDOMAIN.HU
> 
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
> 	fcc-mit-ticketflags = true
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 
> [realms]
> 	ATHENA.MIT.EDU = {
> 		kdc = kerberos.mit.edu
> 		kdc = kerberos-1.mit.edu
> 		kdc = kerberos-2.mit.edu:88
> 		admin_server = kerberos.mit.edu
> 		default_domain = mit.edu
> 	}
> 	ZONE.MIT.EDU = {
> 		kdc = casio.mit.edu
> 		kdc = seiko.mit.edu
> 		admin_server = casio.mit.edu
> 	}
> 	CSAIL.MIT.EDU = {
> 		admin_server = kerberos.csail.mit.edu
> 		default_domain = csail.mit.edu
> 	}
> 	IHTFP.ORG = {
> 		kdc = kerberos.ihtfp.org
> 		admin_server = kerberos.ihtfp.org
> 	}
> 	1TS.ORG = {
> 		kdc = kerberos.1ts.org
> 		admin_server = kerberos.1ts.org
> 	}
> 	ANDREW.CMU.EDU = {
> 		admin_server = kerberos.andrew.cmu.edu
> 		default_domain = andrew.cmu.edu
> 	}
>         CS.CMU.EDU = {
>                 kdc = kerberos-1.srv.cs.cmu.edu
>                 kdc = kerberos-2.srv.cs.cmu.edu
>                 kdc = kerberos-3.srv.cs.cmu.edu
>                 admin_server = kerberos.cs.cmu.edu
>         }
> 	DEMENTIA.ORG = {
> 		kdc = kerberos.dementix.org
> 		kdc = kerberos2.dementix.org
> 		admin_server = kerberos.dementix.org
> 	}
> 	stanford.edu = {
> 		kdc = krb5auth1.stanford.edu
> 		kdc = krb5auth2.stanford.edu
> 		kdc = krb5auth3.stanford.edu
> 		master_kdc = krb5auth1.stanford.edu
> 		admin_server = krb5-admin.stanford.edu
> 		default_domain = stanford.edu
> 	}
>         UTORONTO.CA = {
>                 kdc = kerberos1.utoronto.ca
>                 kdc = kerberos2.utoronto.ca
>                 kdc = kerberos3.utoronto.ca
>                 admin_server = kerberos1.utoronto.ca
>                 default_domain = utoronto.ca
> 	}
> 
> [domain_realm]
> 	.mit.edu = ATHENA.MIT.EDU
> 	mit.edu = ATHENA.MIT.EDU
> 	.media.mit.edu = MEDIA-LAB.MIT.EDU
> 	media.mit.edu = MEDIA-LAB.MIT.EDU
> 	.csail.mit.edu = CSAIL.MIT.EDU
> 	csail.mit.edu = CSAIL.MIT.EDU
> 	.whoi.edu = ATHENA.MIT.EDU
> 	whoi.edu = ATHENA.MIT.EDU
> 	.stanford.edu = stanford.edu
> 	.slac.stanford.edu = SLAC.STANFORD.EDU
>         .toronto.edu = UTORONTO.CA
>         .utoronto.ca = UTORONTO.CA
> 
> --------
> /etc/samba/smb.conf
> 
> [global]
> 
>    workgroup = CORE
>    security = ads
>    realm = CORE.MYDOMAIN.HU
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999

Are you using sssd ?
If not, good, but you need to READ all of this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and probably this:

https://wiki.samba.org/index.php/Idmap_config_rid

You are trying to put EVERYTHING into the '*' domain, this is wrong.


>    username map = /etc/samba/user.map
> 
>    dns proxy = no
> 
>    log file = /var/log/samba/log.%m
>    max log size = 1000
> 
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
> 
>    server role = standalone server

Oh no its not, it is a Unix domain member, remove the above line.

>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    unix password sync = yes

You CANNOT have a user in /etc/passwd and in AD with the same username,
so you cannot have the above line.

> 
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> 
>    pam password change = yes
>    map to guest = bad user
> 
>    usershare allow guests = yes
> 
> [homes]
>    comment = Home Directories
>    browseable = no
>    read only = yes
>    create mask = 0700
>    directory mask = 0700
>    valid users = %S
> 
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /var/spool/samba
>    printable = yes
>    guest ok = no
>    read only = yes
>    create mask = 0700
> 
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    read only = yes
>    guest ok = no
> 
You would be better setting the permissions from windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> 
> Sorry again for the confusing post.

No problem, just don't refer to your first DC as a 'PDC' again, it just
confuses things, every DC is equal ;-)

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba