Discussion:
[Samba] Fwd: Good installation documentation on samba4?
Léon van der Kaap
2016-07-28 20:55:55 UTC
Hello,

I am looking for good installation instructions for an active directory
domain controller installation of samba4. The only source I have reliably
found is
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
which is unfortunately both incomplete in certain sections and incorrect in
others.

A good example of incomplete information is the guide on the name server.
In the org that I work for, we've chosen the samba_internal dns server.
However, the guide is not clear on making sure that the machine needs to
refer to itself for dns queries, something that is quite essential.

An example of incorrect information is that copying the example krb5.conf
file should do the trick. In practice, I have traversed the far corners of
the internet for an actual working example of the krb5.conf file.

Furthermore, there is no "what to do when things fail" fall back option. I
do not know when to continue with the guide and when to test the actual
working state of the installation at a certain state.

In all desperation, I have written my own guide to samba4 installation, but
I have no idea if what I did was sufficient, only that it looks ok when
testing some functionality.

Is there a mythical samba4 guide or are people doomed to endlessly google
their questions?

Kind regards,

Léon
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Lee Brown
2016-07-28 22:07:20 UTC
It's been about 6 months since I setup my DC plus 2 file servers and I
found that guide to be particularly helpful. In fact the only problems I
had were due to jailing the components and shooting myself in the foot.
Sorry this doesn't help the OP, but I felt a contrary point of view should
be presented.
Post by Léon van der Kaap
Hello,
I am looking for good installation instructions for an active directory
domain controller installation of samba4. The only source I have reliably
found is
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
which is unfortunately both incomplete in certain sections and incorrect in
others.
A good example of incomplete information is the guide on the name server.
In the org that I work for, we've chosen the samba_internal dns server.
However, the guide is not clear on making sure that the machine needs to
refer to itself for dns queries, something that is quite essential.
Configure /etc/resolv.conf
Your Domain Controller requires a name server that is able to resolve
queries to Active Directory zones. Because this is your first Domain
Controller in your AD forest, use the DCs IP and domain name in your
domain samdom.example.com
nameserver 10.99.0.1
Post by Léon van der Kaap
An example of incorrect information is that copying the example krb5.conf
file should do the trick. In practice, I have traversed the far corners of
the internet for an actual working example of the krb5.conf file.
The example one should work, this is all I have in /etc/krb5.conf on my
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Post by Léon van der Kaap
Furthermore, there is no "what to do when things fail" fall back option. I
do not know when to continue with the guide and when to test the actual
working state of the installation at a certain state.
Troubleshooting
If you encounter any problems when using this documentation, see the Samba
AD DC Troubleshooting page:
https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting
Post by Léon van der Kaap
In all desperation, I have written my own guide to samba4 installation, but
I have no idea if what I did was sufficient, only that it looks ok when
testing some functionality.
Is there a mythical samba4 guide or are people doomed to endlessly google
their questions?
Most (if not all) of the info is on the Samba wiki and if you are still
struggling, try asking here.
Rowland
Jim Seymour
2016-07-29 10:47:13 UTC
On Thu, 28 Jul 2016 22:55:55 +0200
Post by Léon van der Kaap
Hello,
I am looking for good installation instructions for an active
directory domain controller installation of samba4. The only source I
have reliably found is
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
which is unfortunately both incomplete in certain sections and
incorrect in others.
[snip]

Unfortunately, that's it :(

I noted the same issues a year ago, when I tried to get Samba AD
working for us. I was invited to help improve the docs. I like
writing docs, and probably would have, except we weren't able to get
Samba working as an AD the way we needed it to, so I dropped the
project.

Your only hope, beyond that, is this mailing list. The regulars here
are very helpful and very patient, to which I can attest :)

DO NOT be tempted to go searching for help elsewhere on the 'net. Much
of what you'll find will be wildly inaccurate and will only lead you to
grief. Ask me how I know ;)

Good luck,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
l***@gmail.com
2016-07-29 12:42:34 UTC
Post by Jim Seymour
On Thu, 28 Jul 2016 22:55:55 +0200
Post by Léon van der Kaap
Hello,
I am looking for good installation instructions for an active
directory domain controller installation of samba4. The only source I
have reliably found is
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
which is unfortunately both incomplete in certain sections and
incorrect in others.
[snip]
Unfortunately, that's it :(
I noted the same issues a year ago, when I tried to get Samba AD
working for us. I was invited to help improve the docs. I like
writing docs, and probably would have, except we weren't able to get
Samba working as an AD the way we needed it to, so I dropped the
project.
Your only hope, beyond that, is this mailing list. The regulars here
are very helpful and very patient, to which I can attest :)
DO NOT be tempted to go searching for help elsewhere on the 'net. Much
of what you'll find will be wildly inaccurate and will only lead you to
grief. Ask me how I know ;)
Good luck,
Jim
OK, I have had another look at the Samba wikipage and apart from it
only describing how to do an interactive provision and not showing the
example /etc/krb5.conf, I cannot see anything really wrong with it.
So if you have problems with the page, speak up now and I will attempt
to address your problems.
After all, if we do not know there is a problem, how can we fix it.
Rowland
My two cents. I find the wiki very informative and helpful. If I find
something difficult to understand, I post here and it's usually updated
on the wiki.
--
-James
Léon van der Kaap
2016-07-29 19:50:13 UTC
I figured out the resolv.conf bit fidgeting around. Thanks for the tip
anyway.

Regarding the krb5.conf I have never got it working with the example files.
I have always added at least a "kdc = samdom.example.com" to the lines, but
my file is actually still a bit more complex (and possibly redundant).

Regarding the troubleshooting page, it is *far* from complete. At the very
least, the documentation should add a check for a successful 'kinit' command
to see if the system is going to work.

Maybe I sound a bit angry, but I severely dislike documentation that leaves
you with an unfinished installation. Compare the monstrously sized Samba
3.5 with Samba 4 kind of illustrates the point that not all bases are
covered which is a shame to me.
Data Control Systems - Mike Elkevizth
2016-07-29 20:13:51 UTC
Post by Léon van der Kaap
I figured out the resolv.conf bit fidgeting around. Thanks for the tip
anyway.
Regarding the krb5.conf I have never got it working with the example files.
I have always added at least a "kdc = samdom.example.com" to the lines, but
my file is actually still a bit more complex (and possibly redundant).
The standard four line krb5.conf that is generated during provisioning and
listed on the wiki page about setting up an AD DC works fine for me.
Post by Léon van der Kaap
Regarding the troubleshooting page, it is *far* from complete. At the very
least, the documentation should add a check for a successful 'kinit' command
to see if the system is going to work.
Once again, these steps are listed on the main wiki page about creating an
AD DC.
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_Kerberos
Post by Léon van der Kaap
Maybe I sound a bit angry, but I severely dislike documentation that leaves
you with an unfinished installation. Compare the monstrously sized Samba
3.5 with Samba 4 kind of illustrates the point that not all bases are
covered which is a shame to me.
I setup my Samba Active Directory Domain with multiple DCs at multiple
remote sites connected via VPN with both Linux and Windows clients using
the documentation and found it quite complete and clear.
Léon van der Kaap
2016-07-29 20:28:09 UTC
Post by Data Control Systems - Mike Elkevizth
The standard four line krb5.conf that is generated during provisioning and
listed on the wiki page about setting up an AD DC works fine for me.

And that's great, but it has never worked for me and it is very
demoralizing to follow the instructions and not get a result.
Post by Data Control Systems - Mike Elkevizth
Regarding the troubleshooting page, it is *far* from complete. At the very
least, the documentation should add a check for a successful 'kinit' command
to see if the system is going to work.
Once again, these steps are listed on the main wiki page about creating an
AD DC.
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_Kerberos

I misspoke on that one. Indeed, the information is there but when I tried
it I was greeted with a washlist of errors and no idea how to solve it. At
that point I was out of luck (and I was not the only one as I have found
others on the internet with the same issue).
Post by Data Control Systems - Mike Elkevizth
Maybe I sound a bit angry, but I severely dislike documentation that leaves
you with an unfinished installation. Compare the monstrously sized Samba
3.5 with Samba 4 kind of illustrates the point that not all bases are
covered which is a shame to me.
I setup my Samba Active Directory Domain with multiple DCs at multiple
remote sites connected via VPN with both Linux and Windows clients using
the documentation and found it quite complete and clear.

And that's great assuming it works that is. Yet, if following the
instructions actually worked, I wouldn't be here posting my frustrations.
Data Control Systems - Mike Elkevizth
2016-07-29 20:48:41 UTC
My setup is working great, and my point is that I obtained my setup by
following my interpretation of the existing wiki (actually, I think it's
been improved upon since I used it for my setup). If you're having
trouble, maybe you are interpreting things differently than I did. I think
I interpreted things as the writers of the wiki intended, since I obtained
the desired results. Perhaps it would be better if you post your smb.conf,
the Samba packages you're using, and the steps you took to set it up. That
way someone can help you get it working and if we can see what the problem
is, then the wiki can be "fixed" so someone else doesn't run into the same
issue.

Mike E.
Léon van der Kaap
2016-07-29 20:43:05 UTC
The OS I'm using is Ubuntu 16.04. The previous OS I was working with was
Ubuntu 14.04. The krb issue I had was that the kdc server

" RuntimeError: kinit for DOMAINCONTROLLER$@SAMDOM.EXAMPLE.COM failed
(Cannot contact any KDC for requested realm)".

The modified krb5.conf file I distilled out of information on the internet
helped to create a working version.

When comparing the documentation of samba4 vs. samba 3.5 I find that the
samba3.5 documentation is a lot more complete and a lot bigger. Comparing
the samba4 documentation to the samba3.5, makes me think the newer
documentation is more of an afterthought than a similarly constructed
document.
Post by Léon van der Kaap
I figured out the resolv.conf bit fidgeting around. Thanks for the tip
anyway.
Regarding the krb5.conf I have never got it working with the example
files. I have always added at least a "kdc = samdom.example.com" to the
lines, but my file is actually still a bit more complex (and possibly
redundant).
If you have to add that line to krb5.conf on a DC, then I think you are
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
The other two lines are defaults.
What OS did you try it on ?
Post by Léon van der Kaap
Regarding the troubleshooting page, it is /far/ from complete. At the
very least, the documentation should add a check for a successful 'kinit'
command to see if the system is going to work.
It doesn't have to be on the troubleshooting page, because it is on the DC
howto page, did you somehow miss this ?
Post by Léon van der Kaap
Maybe I sound a bit angry, but I severely dislike documentation that
leaves you with an unfinished installation. Compare the monstrously sized
Samba 3.5 with Samba 4 kind of illustrates the point that not all bases are
covered which is a shame to me.
I am sure that if you follow the Samba wiki page you will end up with a
basic DC, but if it doesn't work for you, just what do you feel is missing
? as I said, if we don't know what is wrong, how can we fix it ?
I also don't understand what you mean by 'Compare the monstrously sized
Samba 3.5 with Samba 4', just what are you trying to compare ?
Rowland
Léon van der Kaap
2016-07-29 21:09:17 UTC
Thanks, I think I found the issue now. My system loves to be stubborn about
DNS. The fact that /etc/resolv.conf is automatically generated from
configuration probably didn't help either. I was convinced the DNS worked,
but the system decided otherwise. It readily explains the Kerberos issue.

The reboot of the system probably reset the DNS and it showed up as a
Kerberos issue.

You've all been very helpful with your comments. Thanks for helping me find
out where the issues were.
Post by Léon van der Kaap
The OS I'm using is Ubuntu 16.04. The previous OS I was working with was
Ubuntu 14.04. The krb issue I had was that the kdc server
http://SAMDOM.EXAMPLE.COM> failed (Cannot contact any KDC for requested
realm)".
The modified krb5.conf file I distilled out of information on the
internet helped to create a working version.
When comparing the documentation of samba4 vs. samba 3.5 I find that the
samba3.5 documentation is a lot more complete and a lot bigger. Comparing
the samba4 documentation to the samba3.5, makes me think the newer
documentation of more of an afterthought than a similarly constructed
document.
I think I understand this a bit better now, the kinit didn't work until
you added a line to krb5.conf that told kerberos where the DC was, this
sounds very like a dns problem. Did you alter your /etc/resolv.conf after
the provision, so it pointed the nameserver to itself and seeing as you are
using Ubuntu, did you remove 127.0.1.1 from /etc/hosts and stop Network
Manager from using dnsmasq.
Rowland
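
The points that resolved this thread (nameserver pointing at the DC itself, no 127.0.1.1 entry in /etc/hosts, a krb5.conf that leaves KDC discovery to DNS) can be checked statically before running kinit. This is an added example, not part of any post in the thread or of the Samba wiki; the function name check_dc_resolver and its argument order are assumptions, and the IP and realm in the usage comment are the sample values quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): static pre-kinit check of the three
# files discussed above. Prints one finding per line; exit status 0 = clean.
# Usage: check_dc_resolver RESOLV_CONF HOSTS KRB5_CONF DC_IP REALM
check_dc_resolver() {
    resolv=$1; hosts=$2; krb5=$3; dc_ip=$4; realm=$5
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    # The DC has to ask its own DNS server first: that server holds the
    # AD zone, including the SRV records used to locate the KDC.
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv")
    [ "$first_ns" = "$dc_ip" ] ||
        note "resolv.conf: first nameserver is '${first_ns:-none}', expected $dc_ip"

    # The AD DNS domain should appear as the domain/search suffix.
    awk -v d="$domain" '
        $1 == "domain" || $1 == "search" {
            for (i = 2; i <= NF; i++) if (tolower($i) == d) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$resolv" ||
        note "resolv.conf: no domain/search entry for $domain"

    # Ubuntu maps the hostname to 127.0.1.1; the thread asks for it to be removed.
    if awk '$1 == "127.0.1.1" { hit = 1 } END { exit hit ? 0 : 1 }' "$hosts"; then
        note "hosts: 127.0.1.1 entry present; remove it on a DC"
    fi

    # krb5.conf: the realm must match, and DNS lookup of the KDC must not be
    # switched off (it defaults to on when the line is absent).
    conf_realm=$(awk -F= '$1 ~ /^[ \t]*default_realm[ \t]*$/ {
        gsub(/[ \t]/, "", $2); print $2; exit }' "$krb5")
    [ "$conf_realm" = "$realm" ] ||
        note "krb5.conf: default_realm is '${conf_realm:-unset}', expected $realm"
    if awk -F= '$1 ~ /^[ \t]*dns_lookup_kdc[ \t]*$/ {
            v = tolower($2); gsub(/[ \t]/, "", v)
            if (v == "false" || v == "no" || v == "off" || v == "0") hit = 1
        }
        END { exit hit ? 0 : 1 }' "$krb5"; then
        note "krb5.conf: dns_lookup_kdc is disabled; the KDC will not be found via DNS"
    fi

    [ "$findings" -eq 0 ]
}

# Check the live files when run as: sh check_dc.sh 10.99.0.1 SAMDOM.EXAMPLE.COM
if [ "$#" -eq 2 ]; then
    check_dc_resolver /etc/resolv.conf /etc/hosts /etc/krb5.conf "$1" "$2"
fi
```

A clean result only says the files are consistent; on systems where /etc/resolv.conf is generated, rerun it after a reboot, since that is when the thread's problem reappeared.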
Marcel de Reuver
2016-07-29 20:27:51 UTC
Post by Léon van der Kaap
Regarding the krb5.conf I have never got it working with the example files.
I have always added at least a "kdc = samdom.example.com" to the lines, but
my file is actually still a bit more complex (and possibly redundant).
Mine is just as in the wiki and it works as expected. If you share your
krb5.conf maybe someone can tell what is going wrong. If kinit cannot find
the kdc maybe something is wrong with DNS.

Do you have other services running on your server that depend on kerberos?
Post by Léon van der Kaap
Regarding the troubleshooting page, it is *far* from complete. At the very
least, the documentation should add a check for a successful 'kinit' command
to see if the system is going to work.
See the wiki: https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_Kerberos
Post by Léon van der Kaap
Maybe I sound a bit angry, but I severely dislike documentation that leaves
you with an unfinished installation. Compare the monstrously sized Samba
3.5 with Samba 4 kind of illustrates the point that not all bases are
covered which is a shame to me.
My first Samba AD DC was a VirtualBox running Ubuntu with Samba self
compiled and setup according to the wiki. Maybe that is the best way to get
to know Samba.
Marcel de Reuver
2016-07-29 20:37:20 UTC
I also don't understand what you mean by 'Compare the monstrously sized
Samba 3.5 with Samba 4', just what are you trying to compare ?
See www.samba.org > Learn Samba is completely devoted to Samba 3.5......