
Re: [Samba] Samba 4.8 RODC not working




Hai Gaetan, 
 
Can you post the output of this command: netstat -plaunt | egrep "ntp|bind|named|samba|?mbd" 
and iptables -S 
 
 
@Rowland, https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
might need a small change. Test as follows.
The wiki line:  netstat -tulpn | egrep "samba|smbd|nmbd|winbind"  
Now test my line and see the changes. This catches everything a DC might be running. 
netstat -plaunt | egrep "ntp|bind|named|samba|?mbd"
 
 
Greetz, 
 
Louis
 

From: Gaetan SLONGO [mailto:gslongo@xxxxxxxxxxxxx] 
Sent: Thursday 31 May 2018 11:01
To: L.P.H. van Belle
CC: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Samba 4.8 RODC not working



Hi Louis ! 

Thank you for your time. OK I see.
But I checked, for testing I set an allow all rule, which doesn't have any effect :-/


Thanks ;-)

From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
To: samba@xxxxxxxxxxxxxxx
Sent: Wednesday 30 May 2018 12:24:06
Subject: Re: [Samba] Samba 4.8 RODC not working

Those are the ports you need: 
https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
From the site:  
*** The range matches the port range used by Windows Server 2008 and later. 
Samba versions before 4.7 used the TCP ports 1024 to 1300 instead. To manually set the port range in Samba 4.7 and later, 
set the rpc server port parameter in your smb.conf file. 
 
For details, see the parameter description in the smb.conf(5) man page. 
 
What I'll do: go for lunch first, then I'll post my rule for ufw for my member server, that is set to 
Default: deny (incoming), deny (outgoing), disabled (routed)
if people want them. 

Greetz, 
 
Louis
 


 
 


From: Gaetan SLONGO [mailto:gslongo@xxxxxxxxxxxxx] 
Sent: Wednesday 30 May 2018 12:13
To: L.P.H. van Belle
CC: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Samba 4.8 RODC not working



Hi Louis ! 
Thanks for the suggestion! What are these ports?


Thanks !

From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
To: samba@xxxxxxxxxxxxxxx
Sent: Tuesday 29 May 2018 17:08:21
Subject: Re: [Samba] Samba 4.8 RODC not working

I think you missed these in the firewall, if you allowed the "in" for the DC, you also need the OUT. 

 49152:65535/tcp ALLOW OUT  


Greetz, 

Louis

 

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Gaetan SLONGO via samba
> Sent: Tuesday 29 May 2018 16:40
> To: Rowland Penny
> CC: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Samba 4.8 RODC not working
> 
> Hi Rowland, 
> 
> 
> As said in the reply sent to Andrew, Winbind is installed, 
> but not started by samba (these are sernet packages) 
> 
> 
> Thanks 
> 
> ----- Original mail -----
> 
> From: "Rowland Penny via samba" <samba@xxxxxxxxxxxxxxx> 
> To: samba@xxxxxxxxxxxxxxx 
> Sent: Thursday 24 May 2018 20:48:22 
> Subject: Re: [Samba] Samba 4.8 RODC not working 
> 
> On Thu, 24 May 2018 11:30:40 +0200 (CEST) 
> Gaetan SLONGO via samba <samba@xxxxxxxxxxxxxxx> wrote: 
> 
> > Hi, 
> > 
> > 
> > 
> > 
> > It's my first try to set up RODC using Samba 4.8. We have latest Samba 
> > 4.7 environment with 2 DC and some file servers. Joining the DC to 
> > the domain is OK using samba-tool domain join command. The domain 
> > controller appears in the DC list (MMC) 
> > 
> > 
> > However, users cannot be authenticated. Samba is running but these 
> > ports are closed : 
> > 
> > 
> > netbios-ssn 139/tcp # NETBIOS session service 
> > netbios-ssn 139/udp 
> > microsoft-ds 445/tcp 
> > microsoft-ds 445/udp 
> > 
> > Some other ports are available : 
> > 
> > 
> > 
> > [root@dmzrodc ~]# netstat -tlpn 
> > Connexions Internet actives (seulement serveurs) 
> > Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name 
> > tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 23622/samba 
> > tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 23619/samba 
> > tcp 0 0 0.0.0.0:49153 0.0.0.0:* LISTEN 23619/samba 
> > tcp 0 0 0.0.0.0:49154 0.0.0.0:* LISTEN 23619/samba 
> > tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 23622/samba 
> > tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 23622/samba 
> > tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 23622/samba 
> > tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 23619/samba 
> > tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 23624/samba 
> > tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 23632/samba 
> > tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 23624/samba 
> > 
> > 
> > Winbind is not working : 
> > 
> > [root@dmzrodc ~]# wbinfo -u 
> > could not obtain winbind interface details: 
> > WBC_ERR_WINBIND_NOT_AVAILABLE could not obtain winbind domain name! 
> > Error looking up domain users 
> 
> Is winbind actually installed ?? 
> 
> Rowland 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the 
> instructions: https://lists.samba.org/mailman/options/samba 
> 
> 
> 
> -- 
> 
> 
> 
> 
> www.it-optics.com 
>         
> Gaëtan SLONGO | Head of Infrastructure Department 
> Boulevard Initialis, 28 - 7000 Mons, BELGIUM 
> Company :         +32 (0)65 84 23 85 
> Direct :         +32 (0)65 32 85 88 
> Fax :         +32 (0)65 84 66 76 
> Skype ID :         gslongo.pro 
> GPG Key :         gslongo-gpg_key.asc 
>         
> 
> - Please consider your environmental responsibility before 
> printing this e-mail - 
> 
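
An added example, not part of any message in this thread: a small shell check over `netstat -tlpn` output that reports which of the TCP ports named in the thread have no listener. The port list is the set shown listening in the original post plus 139 and 445; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# TCP ports named in the thread: the listeners shown in the original post,
# plus 139 and 445, which the poster reported as closed.
REQUIRED_TCP="53 88 135 139 389 445 464 636 3268 3269"

# Constructed sample, modelled on the netstat -tlpn listing in the thread.
SAMPLE='Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 23622/samba
tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 23619/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 23622/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 23622/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 23622/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 23619/samba
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 23624/samba
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 23632/samba
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 23624/samba'

# Print the local port of every TCP LISTEN line read from stdin.
# Splitting on ":" and taking the last field also handles tcp6 (":::445").
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n -u
}

# Print the required ports that have no listener, space-separated.
missing_ports() {
    open=$(printf '%s\n' "$1" | listening_ports)
    out=""
    for p in $REQUIRED_TCP; do
        printf '%s\n' "$open" | grep -qx "$p" || out="$out $p"
    done
    printf '%s\n' "${out# }"
}

# Succeed if at least one listener sits in the dynamic RPC range 49152-65535.
has_dynamic_rpc() {
    printf '%s\n' "$1" | listening_ports |
        awk '$1 >= 49152 && $1 <= 65535 { f = 1 } END { exit !f }'
}

echo "Missing TCP listeners: $(missing_ports "$SAMPLE")"
has_dynamic_rpc "$SAMPLE" && echo "Dynamic RPC range: at least one listener"
```

On a live host, pass `"$(netstat -tlpn)"` instead of the sample; this only shows what is listening locally, so firewall rules in both directions still have to be checked separately with `iptables -S`.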

