Re: [Samba] DC's are unavailable when PDC halted

Hi Rowland,

many thanks for your help,

On Wed, Nov 08, 2017 at 11:00:59AM +0000, Rowland Penny wrote:
> 
> On Wed, 8 Nov 2017 11:18:10 +0100
> Ervin Hegedüs <airween@xxxxxxxxx> wrote:
> 
>  
> > ========
> > open-ldap:
...

> > --------
> > /etc/resolv.conf
> > search core.mydomain.hu
> > nameserver 127.0.0.1
> > nameserver 10.10.10.1
> 
> You would be better using the DCs ipaddress rather than '127.0.0.1'.
> You should also remove '10.10.0.1', it doesn't seem to be a DC.

yes, that's the forwarder (see smb.conf). Most documents
say to keep it in resolv.conf.
 
> > --------
> > /etc/samba/smb.conf
> > # Global parameters
> > [global]
> > 	netbios name = OPEN-LDAP
> > 	realm = CORE.MYDOMAIN.HU
> > 	workgroup = CORE
> > 	dns forwarder = 10.10.10.1
> > 	server role = active directory domain controller
> > 	idmap_ldb:use rfc2307 = yes
> > 
> > 	log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > 	ntlm auth = yes
> > 	lanman auth = yes
> > 	client ntlmv2 auth = yes
> 
> I would investigate upgrading security on the clients, rather than
> turning it down on the DC

I'm sorry, what exactly do you mean?
  
> > 
> > 	server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
>
> The above line contains all the defaults, so you can remove it.

ok, I just forgot to remove it, I was just testing it... now I've
removed it.
 
> > ========
> > open-ldap2:
> > 
...

everything is done,

> > ========
> > client:
> > 
> > --------
> > /etc/krb5.conf
> 
> The krb5.conf only needs to match the ones on the DCs, so you don't
> need all of the following.

does it mean that the krb5.conf should be empty?
 
> > --------
> > /etc/samba/smb.conf
> > 
> > [global]
> > 
> >    workgroup = CORE
> >    security = ads
> >    realm = CORE.MYDOMAIN.HU
> >    idmap config * : backend = tdb
> >    idmap config * : range = 3000-7999
> 
> Are you using sssd ?
no,

> If not, good, but you need to READ all of this:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I've followed this page (maybe I forgot something - I'll review it
again)
 
> and probably this:
> 
> https://wiki.samba.org/index.php/Idmap_config_rid

I'm afraid I don't need that :)
 
> You are trying to put EVERYTHING into the '*' domain, this is wrong.

right,
 
> >    syslog = 0
> >    panic action = /usr/share/samba/panic-action %d
> > 
> >    server role = standalone server
> 
> Oh no it's not, it is a Unix domain member, remove the above line.

ok, removed,
 
> >    passdb backend = tdbsam
> >    obey pam restrictions = yes
> >    unix password sync = yes
> 
> You CANNOT have a user in /etc/passwd and in AD with the same username,
> so you cannot have the above line.

this condition is met - line removed,
 
> > [homes]
> >    comment = Home Directories
> >    browseable = no
> >    read only = yes
> >    create mask = 0700
> >    directory mask = 0700
> >    valid users = %S
> > 
> > [printers]
> >    comment = All Printers
> >    browseable = no
> >    path = /var/spool/samba
> >    printable = yes
> >    guest ok = no
> >    read only = yes
> >    create mask = 0700
> > 
> > [print$]
> >    comment = Printer Drivers
> >    path = /var/lib/samba/printers
> >    browseable = yes
> >    read only = yes
> >    guest ok = no
> > 
> You would be better setting the permissions from windows, see here:
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I don't want to build the fileserver, I just need the user
management - these blocks remained from the previous install.
 
> > Sorry again for the confusing post.
> 
> No problem, just don't refer to your first DC as a 'PDC' again, it just
> confuses things, every DC is equal ;-)

yes, in the meantime I've discussed it with a Windows engineer; he said
that there aren't primary and backup roles.


Thanks again, I'll review the client config, and check it again.


Just one thing remains: what do you mean here:

> I would investigate upgrading security on the clients, rather
> than turning it down on the DC

and is an empty krb5.conf file enough on the client?


Regards,

a.
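As an added illustration of the points raised in this thread (it is not code from the thread or from the Samba project), the script below scans an smb.conf for the settings Rowland objected to: lanman/ntlm auth turned up on the DC, a standalone role on an ADS member, unix password sync, and everything mapped into the '*' idmap domain with no per-domain backend. The helper names are hypothetical and the sample config is constructed from the snippets quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: scan an smb.conf for the settings
# Rowland flagged. Helper names are hypothetical; sample config constructed.
# get_param FILE NAME: NAME's [global] value, case-insensitive, trimmed
# (a value containing '=' is cut at that '=').
get_param() {
    awk -F= -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/  { insec = ($0 ~ /^[ \t]*\[global\]/); next }
        insec && NF >= 2 {
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == name) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }
        }' "$1"
}
report() { echo "$1"; findings=$((findings + 1)); }
# check_smb_conf FILE: prints one finding per line; exit status = count.
check_smb_conf() {
    findings=0
    wg=$(get_param "$1" workgroup)
    [ "$(get_param "$1" 'lanman auth')" = yes ] &&
        report "lanman auth = yes: LM responses accepted (security turned down on the DC)"
    [ "$(get_param "$1" 'ntlm auth')" = yes ] &&
        report "ntlm auth = yes: NTLMv1 accepted; upgrade the clients instead"
    case "$(get_param "$1" 'server role')" in *standalone*)
        [ "$(get_param "$1" security)" = ads ] &&
            report "server role = standalone with security = ads: this is a domain member" ;;
    esac
    [ "$(get_param "$1" 'unix password sync')" = yes ] &&
        report "unix password sync = yes: a user cannot be in both /etc/passwd and AD"
    [ -n "$wg" ] && [ -n "$(get_param "$1" 'idmap config * : backend')" ] &&
        [ -z "$(get_param "$1" "idmap config $wg : backend")" ] &&
        report "no 'idmap config $wg : backend': everything lands in the '*' domain"
    return $findings
}
# Constructed sample: the thread's client [global] plus the DC's auth lines.
write_sample_conf() {
    f=$(mktemp) && cat > "$f" <<'EOF' && printf '%s\n' "$f"
[global]
   workgroup = CORE
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   server role = standalone server
   unix password sync = yes
   ntlm auth = yes
   lanman auth = yes
EOF
}
n=0; f=$(write_sample_conf); check_smb_conf "$f" || n=$?
echo "findings: $n"; rm -f "$f"
```

Run it against the real file with `check_smb_conf /etc/samba/smb.conf`; a config that carries a per-domain `idmap config CORE : backend` and leaves the auth settings at their defaults produces no findings.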

   

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba