
Re: [Samba] Setup a Samba AD DC as an additional DC




Hi,

I did some re-reading here, and these are the things I did see.

I've commented on some parts below, and some older questions I could find in the thread.

First my question.
What is the OS version/build of the running AD DC? Was it an MS server?

From a previous question. 
> I did this and the domain join with a Samba DC succeeded.
> Well these "errors/warnings" were reported even though the command succeeded:
> 
> A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> 
> I don't know why this warning because the system krb5.conf has the entries in that file they want to be merged.  Maybe the install examined the file in /usr/shar/samba/setup  ??

You can ignore this safely.
The file created is the same as the defaults in /etc/krb5.conf

Then the question after this.
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')

This DC you're adding, are you using bind9_DLZ or the internal DNS from Samba itself?
I suspect resolving problems.

From the collected info (commented in between the lines).

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Barry D. Adkins via samba
> Sent: Tuesday 27 November 2018 22:06
> To: samba@xxxxxxxxxxxxxxx
> Subject: [Samba] Setup a Samba AD DC as an additional DC
> 
> ??Can you also post the output of bind from the point its 
> starting up until samba has started??
> I am not certain how to obtain this.  -- Barry
> 
> Collected config  --- 2018-11-27-14:54 -----------
> 
> Hostname: Sambadc1
> DNS Domain: Mydomain.com
> FQDN: Sambadc1.Mydomain.com
> ipaddress: ##.##.##.##
> -----------
> Samba is not being run as a DC or a Unix domain member.
> Checking file: /etc/os-release 
> NAME="Ubuntu"
> VERSION="18.04.1 LTS (Bionic Beaver)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 18.04.1 LTS"
> VERSION_ID="18.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> VERSION_CODENAME=bionic
> UBUNTU_CODENAME=bionic
> 
> -----------
> 
> Warning, /etc/devuan_version does not exist
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host 
> 2: ens2f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>     link/ether 00:1e:67:79:11:b8 brd ff:ff:ff:ff:ff:ff
>     inet 131.192.176.40/24 brd 131.192.176.255 scope global ens2f0
>     inet6 fe80::21e:67ff:fe79:11b8/64 scope link 
> 3: ens2f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
>     link/ether 00:1e:67:79:11:b9 brd ff:ff:ff:ff:ff:ff
> -----------
> Checking file: /etc/hosts 
> 127.0.0.1	localhost
> ::1		localhost6

IP_HERE sambadc1.mydomain.tld sambadc1   # for this DC (optional: you can add the other DC also, but wait, don't add it now.)

> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
> 
> -----------
> Checking file: /etc/resolv.conf 
> search daram.com
> nameserver ##.##.##.20

The IP shown above, where is this one resolving to? I hope the AD DC server.
If you don't use systemd-resolved, that's fine, but make sure you removed it correctly.
That's a choice; the howto shown works fine with it enabled.
But here are the steps to remove it, if you want to remove it.
# but PLEASE, keep this for last; if we change too much I'm not able to find your problem.
# I do suspect a resolving problem, yes.
# systemctl disable systemd-resolved
# systemctl stop systemd-resolved
# systemctl mask systemd-resolved
# rm /etc/resolv.conf and create a new one (you already did this)
# if it exists, edit /etc/NetworkManager/NetworkManager.conf
# in the main section, add: dns=none
# reboot.

But again, I want to know all outcomes first before you change all this.

nslookup hostname
nslookup hostname.domain.tld

What do you see if you run: 
host IP_OF_OTHERDC
host IP_OF_THIS_DC

And 
dig a $(hostname -s)
dig a $(hostname -f)
Repeat but now with @ip_of_OTHER-DC at the end.

dig -x ip_of_this_DC
dig -x ip_of_OTHER-DC
Repeat but now with @ip_of_OTHER-DC at the end.

> 
> 
> -----------
> Checking file: /etc/krb5.conf 
> [libdefaults]
> 	default_realm = MYDOMAIN.COM

# Here add:
; for Windows 2008 with AES, this makes sure it matches better with Windows.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

> 
> # The following krb5.conf variables are only for MIT Kerberos.
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
> 
> # The following encryption type specification will be used by MIT Kerberos
> .... Removed a bit to shorten the e-mail.
> 
> 
> -----------
> Checking file: /etc/nsswitch.conf 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat systemd
> group:          compat systemd
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> Warning,  does not exist

I was expecting output here for the command.
Check_file_exists "${SMBCONF}" 
Can you run these 2 commands:
samba -b | grep 'CONFIGFILE' | awk '{print $NF}'

smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'



> 
> -----------
> No username map detected.
Fine for an AD DC.


> 
> -----------
> 
> Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
> ii  acl                                   2.2.52-3build1                    amd64        Access control list utilities
> .......... Removed part to shorten mail.
> SMB/CIFS clients for Unix
> ii  winbind                               2:4.9.3+nmu-1~ubuntu1804          amd64        service to resolve user and group information from Windows NT servers
> -----------

This looks ok to me. 


Last, I'll add this script into the other script in some time.

Get and run this one on the DC. 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh 


Now, very important, please don't change too much in the current running config, except where I told you to.
If you change more, I'm unable to find your problem.

Basically, first I want to know how the resolving is set up and working.


Greetz, 

Louis
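The static part of the resolver checks Louis asks for above (resolv.conf pointing at a DC and searching the AD domain, /etc/hosts carrying this DC's own line) can be scripted. This is an added example, not code from the thread or the Samba project; the hostname, domain and IP addresses are assumed placeholders, and the two file samples are constructed to mirror the gaps visible in the collected config.

```python
"""Static resolver sanity checks for a Samba AD DC about to be joined (added example)."""

def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf text."""
    nameservers, search = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "nameserver":
            nameservers.append(parts[1])
        elif parts[0] in ("search", "domain"):
            search.extend(parts[1:])
    return nameservers, search

def parse_hosts(text):
    """Return {name: ip} from /etc/hosts text; names lowercased, first entry wins."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def check_static_resolution(hostname, domain, this_ip, other_dc_ip, resolv_text, hosts_text):
    """Return a list of findings; an empty list means the static config is consistent."""
    findings = []
    fqdn = f"{hostname}.{domain}".lower()
    nameservers, search = parse_resolv_conf(resolv_text)
    # The nameserver must be a DC (this one or the existing one), never an outside resolver.
    if not any(ns in (this_ip, other_dc_ip) for ns in nameservers):
        findings.append(f"nameserver {nameservers} is not one of the DCs")
    # Short-name lookups (nslookup hostname) only work if the AD domain is searched.
    if domain.lower() not in (s.lower() for s in search):
        findings.append(f"search {search} does not contain {domain}")
    # The DC's own line: "IP fqdn shortname", as recommended in the thread.
    hosts = parse_hosts(hosts_text)
    if hosts.get(fqdn) != this_ip or hosts.get(hostname.lower()) != this_ip:
        findings.append(f"/etc/hosts is missing '{this_ip} {fqdn} {hostname}'")
    return findings

# Constructed samples: a search domain that is not the AD domain, and no line for this DC.
RESOLV_SAMPLE = "search daram.com\nnameserver 10.0.0.20\n"
HOSTS_SAMPLE = "127.0.0.1\tlocalhost\n::1\t\tlocalhost6\n"

if __name__ == "__main__":
    # Assumed placeholders: this DC is 10.0.0.40, the existing DC is 10.0.0.20.
    for finding in check_static_resolution("Sambadc1", "Mydomain.com", "10.0.0.40", "10.0.0.20",
                                           RESOLV_SAMPLE, HOSTS_SAMPLE):
        print("FINDING:", finding)
```

The live side (dig against the default resolver and again with @ip_of_OTHER-DC, plus the -x reverse lookups) still has to be run by hand as listed above and compared; any difference between the two answers is the first place to look.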




