Web lists-archives.com

Re: [Samba] Samba4 on Ubuntu 18.04 Howto setup ADDC with bind9_DLZ (extra part 4.8.1 samba)




Hai, 

I detected a minor error and i added a quick fix. 
And i'm testing my 4.8.1 debian package on ubuntu 18.04, see below.. 

Syslog shows.
May  9 14:50:26 ubuntu1804 systemd[9448]: /lib/systemd/system-generators/netplan failed with exit status 1. 
The fix is:  editor /etc/netplan/01-netcfg.yaml
The last adresses: needs a server adres. 

cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [ 192.168.249.31/24 ]
      gateway4: 192.168.249.1
      nameservers:
          search: [ internal.example.com ]
          addresses: 

The corrected version is :
cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [ 192.168.249.31/24 ]
      gateway4: 192.168.249.1
      nameservers:
          search: [ internal.example.com ]
          addresses: [ 192.168.249.31 ]		<<<< IP OF THE AD-DC. 

When this is set run the following.
netplan --debug generate

Reboot and check you logs again. 

And i took out my magic hat... if you follow this setup and you want ... Samba 4.8.1 ..  

Just add.. 
echo "deb http://apt.van-belle.nl/debian stretch-samba48 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
apt-get update 
apt-get dist-upgrade

Im testing now how the 4.8.1 is on ubuntu and sofar this looks good. 
Please do remember the following. 
I dont build ubuntu packages normaly, we are just lucky these work. 
But you can use my source to modify these to make better ubuntu packages.

PLEASE NOTE, samba 4.8.1 on a new server is fine, but DONT UPGRADE.. 
Except, the upgrade of a clean, just installed samba 4.7.6 to 4.8.1 works (on this setup)
I could not detect errors sofar. 

See below some outputs.. 

apt-cache policy samba
samba:
  Installed: 2:4.8.1+dfsg-1.1
  Candidate: 2:4.8.1+dfsg-1.1
  Version table:
 *** 2:4.8.1+dfsg-1.1 500
        500 http://apt.van-belle.nl/debian stretch-samba48/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.7.6+dfsg~ubuntu-0ubuntu2 500
        500 http://nl.archive.ubuntu.com/ubuntu bionic/main amd64 Packages


root@ubuntu1804:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04 LTS
Release:        18.04
Codename:       bionic

root@ubuntu1804:~# samba -V
Version 4.8.1-Debian

root@ubuntu1804:~# samba-tool dbcheck
Checking 263 objects
Checked 263 objects (0 errors)
root@ubuntu1804:~# samba-tool dbcheck --cross-nc
Checking 3483 objects
Checked 3483 objects (0 errors)

 9414 ?        Ss     0:00 samba: root process
 9415 ?        S      0:00  \_ samba: task[s3fs_parent]
 9417 ?        S      0:00  |   \_ samba: tfork waiter process
 9419 ?        Ss     0:00  |       \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 9437 ?        S      0:00  |           \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 9438 ?        S      0:00  |           \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 9440 ?        S      0:00  |           \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 9416 ?        S      0:00  \_ samba: task[dcesrv]
 9418 ?        S      0:00  \_ samba: task[nbtd]
 9420 ?        S      0:00  \_ samba: task[wrepl]
 9421 ?        S      0:00  \_ samba: task[ldapsrv]
 9422 ?        S      0:00  \_ samba: task[cldapd]
 9423 ?        S      0:00  \_ samba: task[kdc]
 9424 ?        S      0:00  \_ samba: task[dreplsrv]
 9425 ?        S      0:00  \_ samba: task[winbindd_parent]
 9427 ?        S      0:00  |   \_ samba: tfork waiter process
 9428 ?        Ss     0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 9426 ?        S      0:00  \_ samba: task[ntp_signd]
 9429 ?        S      0:00  \_ samba: task[kccsrv]
 9430 ?        S      0:00  \_ samba: task[dnsupdate]


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> L.P.H. van Belle via samba
> Verzonden: woensdag 9 mei 2018 13:55
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Samba4 on Ubuntu 18.04 Howto setup 
> ADDC with bind9_DLZ
> 
> I was rereading this i missing one thing, my dislectic got me again.. 
> 
> In the last part.
> Just before all systemctl's. 
> This : 
> 
> and we change the systemd-resolved and point it to the IP ( 
> NOT localhost ) of the server
> now change the systemd-resolvd DNS.
> sed "s/DNS=8.8.8.8/DNS=$(hostname -i)/g" /etc/systemd/resolved.conf 
> 
> The sed line should be : 
> sed -i "s/DNS=8.8.8.8/DNS=$(hostname -i)/g" 
/etc/systemd/resolved.conf 
> Or 
> sed "s/DNS=8.8.8.8/DNS=192.168.0.10/g" /etc/systemd/resolved.conf 
> 
> Greetz, 
> 
> Louis
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> > L.P.H. van Belle via samba
> > Verzonden: woensdag 9 mei 2018 13:46
> > Aan: samba@xxxxxxxxxxxxxxx
> > Onderwerp: [Samba] Samba4 on Ubuntu 18.04 Howto setup ADDC 
> > with bind9_DLZ
> > 
> > Hai, 
> > 
> > 
> > @Rowland. 
> > Yes yes, you did say you hate systemd.  :-) 
> > I had a hard(er)time on this one also but i got passed it. ;-) 
> > 
> > But you and everybody else on the list, please review this setup.
> > And a very big thank you Rowland for the start of it. 
> > 
> > This should be a good base to start with as howto for ubuntu 
> > 18.04 systemd based. 
> > 
> > Any suggestion additions please add them, below is also the 
> > order i configured and installed the server.
> > Normaly i dont do ubuntu, apparmor etc. but its all inhere. 
> > Note, apparmor may have to much rights now but it works, 
> > someone with good apparmor knowlidge correct it please.
> > 
> > The setup below is tested and works, i did not look at firewalling. 
> > Try it and tell us the result. 
> > 
> > Installing Ubuntu for a Dedicated Active Directory Domain 
> > Controller server.
> > - boot from CD
> > - Choose the base language, and press F6, choose EXPERT. 
> > 
> > -----Ubuntu Installer Menu  ---- 
> > choose you language and keyboard
> > ( go throught the other options, keep the defaults )
> > load the preconfiguration
> > 
> > configure the network. 
> > - Auto-configure networking   (NO)
> >  and enter your ip. 
> > 	IP 192.168.0.10/24   ( choose your own ip )
> > 	GW 192.168.0.1       ( choose your own gateway)
> > 	NS 8.8.8.8           ( any internet ip for DNS )
> > 
> > 	( my test hostname/domain )
> > 	set the hostname,	( ubuntu1804 )
> > 	set the domainname, ( internal.example.com )
> > 
> > Set up users and passwords.
> > THe first two questions, the defaults are ok. 
> > 
> > The user, full name, what you want but NO username Administrator.
> > i preffer nixadmin 
> > ( this is a user for maintaining the system. )
> > 
> > encrypt homedir, No.
> > configure clock.
> > 	set the clock using NTP. (yes)
> > 	You can keep the defaults ( for now )
> > 
> > Configure the disk.
> > what you want, a AD-DC only server, 10G is more than 
> > sufficient. ( for me ) 
> > My current Debian 9 shows : 
> > Size  Used Avail Use% Mounted on
> > 6.0G  1.8G  3.9G  31% /
> > 
> > This ubuntu setup used ( finished ) 
> > Filesystem      Size  Used Avail Use% Mounted on
> > /dev/root       7.3G  1.8G  5.2G  26% /
> > 
> > So about the same.
> > 
> > WARNING
> > The "use entire disk" option does not include the swap partition.
> > with 10Gb partition i set 2GB swap, rest is for the system. 
> > (tip, separating the log partition helps in less defragmentation )
> > 
> > --- Install the system
> > initrd, DONT select targeted, choose generic.
> > - package manager, use a mirror yes.
> > 
> > - DONT select backported software.
> > - DONT select partner repository, only if you need to.
> > - Dont select sources, its not needed.
> > keep other defaults.
> > 
> > - Select and install software.
> > 	I preffer Install security updated automaticly, but you 
> > might not.
> > 
> > Now, an important part, 
> > Choose software to install. 
> > Select ONLY OpenSSH server.
> > 
> > - install grub. 
> > (keep the defaults)
> > Note, somethimes ubuntu detects you disk wrong if you install 
> > from usb.
> > use ALT-F2 goto and console, type df and check what your disk is.
> > /dev/sda or /dev/xvda  something like that. ( look for the 
> > /target disk )
> > ALT-F1 go back to the installer.
> > Finish the install
> > 
> > first check if you ip is up.
> > type: ip a
> > and what is your "interface name" for me its eth0.
> > All below is base on ETH0 so change this !! 
> > 
> > Now, you might find out that your network isnt working. 
> > lets configure a systemd static ip.
> > 
> > AGAIN: Please dont forget to change the ip and interfacename below!!
> > 
> > cat << EOF >> /etc/systemd/network/50-static.network
> > # /etc/systemd/network/50-static.network
> > 	[Match]
> > 	Name=eth0
> > 
> > 	[Network]
> > 	Address=192.168.0.10/24
> > 	Gateway=192.168.0.1
> > EOF
> > systemctl enable systemd-networkd
> > systemctl start systemd-networkd
> > systemctl status systemd-networkd
> > 
> > 
> > Edit the systemd resolver.
> > 
> > nano /etc/systemd/resolv.conf
> > configure DNS and FallbackDNS ( for now, 8.8.8.8 and 8.8.4.4 
> > google dns. )
> > NOTE set DNSSEC=no also because google does not support DNSSEC.
> > save,exit.
> > 
> > systemctl daemon-reload
> > systemctl restart systemd-resolved
> > 
> > and check if it works
> > nslookup www.google.com
> > 
> > 
> > -- Some Cleanup i did first.  ( optional, but the lesser on 
> > the server the better imo )
> > First, get rid of the "howto make you system slower..." 
> > command-not-found packages
> > but wait a bit because you might miss some packages... 
> > ( remove if you dont use these. )
> > apt remove --purge lxd-client
> > apt remove --purge lxd lxd-client
> > apt remove --purge lxcfs 
> > apt remove --purge command-not-found command-not-found-data 
> > python3-commandnotfound
> > apt remove --purge snapd
> > apt remove --purge laptop-detect 
> > So, now this Ubuntu server performs almost as a Debian server. ;-) 
> > 
> > Optional, as i dont use LVM.  ( i snap shot my virtuals )
> > apt remove --purge lvm2 liblvm2app2.2 liblvm2cmd2.02 dmeventd
> > 
> > Optional, i dont like the check every login for security/load etc. 
> > It just slows down the server imo. 
> > 
> > Optional, remove cpu info at login.
> > rm  /etc/update-motd.d/50-landscape-sysinfo
> > run the command : landscape-sysinfo  to get the info or remove it: 
> > apt remove --purge landscap-sysinfo
> > 
> > Optional, disable the anoying motd messages. 
> > sudo systemctl disable motd
> > sudo systemctl mask motd
> > sudo chmod -R 0644 /etc/update-motd.d/ 
> > if you want you can enable some, just add the Execute bit. 
> > (755) back on a file.
> > 
> > #Optional(2) if you dont want any of above.
> > #apt remove --purge update-notifier-common
> > Adviced just chmod it. 
> > 
> > Results in a server with internet access and ssh. 
> > 
> > --------------------------------------------------
> > 
> > Login with ssh, and prepair for the real work for samba. 
> > 
> > 
> > Prepairing for samba.  
> > # the AD DC, with ntp bind one liner :  
> > apt install samba winbind libnss-winbind libpam-winbind ntp 
> > bind9 binutils ldb-tools krb5-user
> > # Note, i use the defaults for krb5-user ( Kerberos configuration )
> > 
> > #The separated parts. 
> > #apt install samba winbind krb5-user
> > #(optional must often used so install it. )
> > #apt install libnss-winbind  libpam-winbind
> > 
> > for the time sync in samba we need ntp or chrony. 
> > #Prepair time ( I preffer ntp.) 
> > #apt install ntp
> > #Prepair DNS ( I preffer bind9 )
> > #apt install bind9
> > 
> > # and add some tools you might need.
> > #apt install binutils ldb-tools smbclient 
> > #apt install libpam-krb5
> > 
> > 
> > systemctl disable nmbd smbd winbind 
> > systemctl stop nmbd smbd winbind 
> > systemctl unmask samba-ad-dc
> > systemctl enable samba-ad-dc
> > 
> > ---------------------
> > Setup NTP
> > cp /etc/ntp.conf{,.backup}
> > mkdir -p /var/lib/samba/ntp_signd/
> > chmod 750 /var/lib/samba/ntp_signd
> > chown root:ntp /var/lib/samba/ntp_signd
> > 
> > cat << EOF >> /etc/ntp.conf
> > #
> > ######  Needed for Samba 4  ######
> > # extra info, in the restrict -4 or -6 added mssntp.
> > # Location of the samba ntp_signed directory
> > ntpsigndsocket /var/lib/samba/ntp_signd
> > #
> > EOF
> > 
> > # add the mssntp part.
> > sed -i 's/restrict -4 default kod notrap nomodify nopeer 
> > noquery limited/restrict -4 default kod notrap nomodify 
> > nopeer noquery limited mssntp/g' /etc/ntp.conf
> > sed -i 's/restrict -6 default kod notrap nomodify nopeer 
> > noquery limited/restrict -6 default kod notrap nomodify 
> > nopeer noquery limited mssntp/g' /etc/ntp.conf
> > 
> > systemctl restart ntp
> > systemctl status ntp
> > run : ntpq -p
> > and check the output, if ok, ntp is up now and syncing. 
> > 
> > ---------------------
> > Setup kerberos.
> > Backup the original version 
> > cp /etc/krb5.conf{,.backup}
> > cat /etc/krb5.conf | head -n2 > /etc/krb5.conf.new
> > 
> > echo "
> > ; for Windows 2008 with AES
> >         default_tgs_enctypes =  aes256-cts-hmac-sha1-96 
> > aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >         default_tkt_enctypes = aes256-cts-hmac-sha1-96 
> > aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >         permitted_enctypes = aes256-cts-hmac-sha1-96 
> > aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> > " >> /etc/krb5.conf.new
> > rm /etc/krb5.conf
> > mv /etc/krb5.conf.new /etc/krb5.conf
> > 
> > 
> > ---------------------
> > # Setup Samba 
> > Prepair for provisioning. 
> > rm /var/lib/samba/*.tdb
> > rm /var/cache/samba/*.tdb
> > rm /var/cache/samba/browse.dat
> > 
> > mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
> > 
> > samba-tool domain provision --use-rfc2307 
> > --realm=INTERNAL.EXAMPLE.COM --domain=INTERNAL 
> --dns-backend=BIND9_DLZ
> > Admin password:        uP9B=H?H#%Mg@R6[H
> > Server Role:           active directory domain controller
> > Hostname:              ubuntu1804
> > NetBIOS Domain:        INTERNAL
> > DNS Domain:            internal.example.com
> > DOMAIN SID:            S-1-5-21-851884449-3694958272-1707027855
> > 
> > # Setup BIND
> > cp -r /etc/bind{,.backup}
> > # enable the forwarders. 
> > sed -i 's[// forwarders[forwarders[g' /etc/bind/named.conf.options
> > sed -i "s[// \t0.0.0.0;[      8.8.8.8; 8.8.4.4;[g" 
> > /etc/bind/named.conf.options
> > sed -i "s[// };[};[g" /etc/bind/named.conf.options
> > sed -i "/listen-on-v6/a \        tkey-gssapi-keytab 
> > \"/var/lib/samba/private/dns.keytab\";" /etc/bind/named.conf.options
> > sed -i "/tkey-gssapi-keytab/i \        // DNS dynamic updates 
> > via Kerberos "/var/lib/samba/private/dns.keytab";" 
> > /etc/bind/named.conf.options
> > sed -i "/listen-on-v6/a \        notify no;" 
> > /etc/bind/named.conf.options
> > sed -i "/notify no/a        empty-zones-enable no;" 
> > /etc/bind/named.conf.options
> > 
> > echo "// adding the Samba dlopen ( Bind DLZ ) module
> > include \"/var/lib/samba/private/named.conf\";" >> 
> > /etc/bind/named.conf.local
> > 
> > 
> > As of this part, apparmor, this might need more optimizing 
> > but this works.
> > echo "# Samba4 DLZ and Active Directory Zones (default source 
> > installation)
> > /var/lib/samba/lib/** rm,
> > /var/lib/samba/private/dns/** rwmk,
> > /var/lib/samba/private/dns.keytab r,
> > /var/lib/samba/private/named.conf r,
> > /var/lib/samba/private/dns/** rwk,
> > /usr/lib/**/samba/bind9/** rmk,
> > /usr/lib/**/samba/gensec/* rmk,
> > /usr/lib/**/samba/ldb/** rmk,
> > /usr/lib/**/ldb/modules/ldb/** rmk,
> > /var/tmp/** rwmk," >> /etc/apparmor.d/local/usr.sbin.named
> > 
> > # add the ntp part to apparmor
> > echo "# samba4 ntp signing socket
> > /var/lib/samba/ntp_signd/socket rw," >> 
> > /etc/apparmor.d/local/usr.sbin.ntpd
> > 
> > ---------------------
> > Correct the resolving. 
> > 
> > Now we link the lan interface to the systemd resolver. 
> > echo "
> > [Match]
> > Name=eth0
> > 
> > [Network]
> > DNS=192.168.0.10
> > DNSSECNegativeTrustAnchors=lan
> > Domains=lan" >> /etc/systemd/network/eth0.network
> > 
> > and we change the systemd-resolved and point it to the IP ( 
> > NOT localhost ) of the server
> > now change the systemd-resolvd DNS.
> > sed "s/DNS=8.8.8.8/DNS=$(hostname -i)/g" /etc/systemd/resolved.conf 
> > # Note, the DNS=$(hostname -i)  that is the ip of the server. 
> > NOT 127.0.0.1. 
> > 
> > systemctl daemon-reload
> > systemctl reload apparmor
> > systemctl restart systemd-networkd
> > systemctl restart systemd-resolved
> > systemctl restart bind9
> > systemctl restart ntp
> > 
> > and reboot.
> > 
> > now go testing.  ;-) 
> > Sofor i see no problems.. And .. 
> > 
> > I did not touch resolv.conf  ;-) 
> > 
> > 
> > Greetz, 
> > 
> > Louis
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba