Discussion:
[Samba] That domain could not be found
Jeff Sadowski
2016-07-30 17:33:55 UTC
I had a working domain and then I realized I was spelling it wrong all this
time.
So I created a VM and installed samba with ad support on it

I used the instructions from
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
all the tests for the DNS entries checked out

kinit checked out
klist shows my key
On other computers even

When I went to join my Windows 10 machine that I can still connect to my
original machine I get the message in the subject

I don't remember doing anything different originally for my working domain.
I turned off the firewall and selinux on my VM

Windows 10 nslookup sees all the DNS entries I checked on walk through
nltest /dsgetdc:<domainname>
returns
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I'm not sure what else to check.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Jeff Sadowski
2016-07-30 20:33:51 UTC
following here
https://www.samba.org/samba/docs/using_samba/ch12.html
I decided to use explorer to test getting to it and I notice I can connect
to the server using the Administrator user and password and see the
netlogon and sysvol shares but can not go into either.
Jason Waters
2016-07-30 21:06:21 UTC
Is the primary DNS on the windows machine set to the AD domain controller?
Jeff Sadowski
2016-07-31 03:06:01 UTC
It is. I am using bind and include the .../samba/private/named.conf in my
primary bind file and changed the group of .../samba/private to named so
named could read the files.
Jeff Sadowski
2016-07-31 03:24:20 UTC
I tried using samba's internal dns server just to see if this made a
difference, but it did not.
Jeff Sadowski
2016-08-01 16:48:53 UTC
I just installed ubuntu-16.04 and followed the instructions I found for it.
Problems I ran into that way:
I removed apparmor and I had to use bindflatfile as dlz was not working for
me.
I got my machine connected. I'll figure out fedora later.
Data Control Systems - Mike Elkevizth
2016-08-01 19:34:17 UTC
Post by Jeff Sadowski
I just installed ubuntu-16.04 and followed the instructions I found for it.
problems I ran into that way
I removed apparmor and I had to use bindflatfile as dlz was not working for
me
My Samba DCs use the BIND_DLZ backend using the standard Ubuntu packages
with Apparmor enabled. The relevant config options should be as follows:


/etc/apparmor.d/usr.sbin.named (I think this strays slightly from the
default Ubuntu installation. I think there is a bug report about it, if I
remember correctly)


...
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** lrw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
...



/etc/apparmor.d/local/usr.sbin.named (complete file)


# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/run/samba/** rw,
/var/tmp/* rwmk,
/dev/urandom rw,



/etc/bind/named.conf.options

...
include "/var/lib/samba/private/named.conf";
...

options {
...
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
...


/etc/samba/smb.conf
...
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
...

And /var/lib/samba/private/dns.keytab should have the following permissions

-rw-r----- 1 root bind 982 May 6 11:07 /var/lib/samba/private/dns.keytab


Hopefully this helps you get it configured properly.

Mike E.
Post by Jeff Sadowski
I got my machine connected. I'll figure out fedora later.
Post by Jeff Sadowski
I would figure out why dlz doesn't work first, why didn't it work ? what
error messages did you get ?
Rowland
Jeff Sadowski
2016-08-01 21:20:50 UTC
I got that working just had to follow the instructions here better
http://blogging.dragon.org.uk/samba4-ad-dc-on-ubuntu-14-04/
I'll look into Fedora later.
Jeff Sadowski
2016-08-04 17:34:38 UTC
See inline comments
And Please keep replies to the list
On Tue, 2 Aug 2016 15:08:26 -0600
Samba's wiki didn't have a walk through working example from A to Z.
It is great don't get me wrong but I followed it and at the end I was
able to do all the steps in it but still had the message I started
this thread with. It leaves out A-F and R-Z or thereabouts (It might
have more or less but there are some missing parts.) I am still
trying to figure out how to try and properly compile it for Fedora
myself (as Fedora is my main distro of choice and I used a
precompiled version from Alexander Bokovoy for F23 when I started this
thread, I had even gotten that to work following the samba wiki in
the past but seem to have been having trouble when I built a vm for
it).
Most of the wiki was written by Marc Muehlfeld, he (as far as I am
aware) uses Centos, so the wiki should be relevant to fedora.
I was wrong to characterize it as missing A-F and R-Z it is more like it is
really only missing A(some more pre install necessities and testing should
probably test that ACL's are working and test named to make sure it is up
to par) and Z (some testing that I'm not sure how to replicate outside of
windows and I'm not sure how to fix the broken cases, like joining a domain
as a test and when failing occurred all I could do is try a different
prepackaged samba) and more so the samba wiki has B1, B2, B3 .... so many
options that it confused me and I went with a simple example.

Specifically I needed an example with bind as I know bind and use it. Once
it was using bind I could do things like use the samba AD DC's bind as a
master and use my main server as a slave without interfering with other
Domain's I use on my main computer. And I no longer had to point the DNS to
the VM I could use my main computer without worry.

The windows test to run (after reading the error message from windows I was
told by it to run:) "nltest /dsgetdc:<domain name>"
Another good test is to run "dcdiag /s:<domain controller name>"

Also on windows I installed the AD tools on my Windows 10 machine to create
accounts and GPOs

For Fedora the samba wiki worked on my main machine I used bind_flatfile as
bind on Fedora did not support DLZ but on a vm following the same
instructions did not work. I must not have had some options installed that
I need for it to work properly. If and when I fix it maybe then I can
update the wiki.

For now I have a working Ubuntu 16.04 AD DC Samba server following the
instructions on that linked page. I modified it with what you told me. I
removed the forwarder in the smb.conf file, I set fstab back to how it was
originally by the OS install, and I moved krb5.conf to krb5.conf.org. and
linked to the one created by samba.

Most of what was on that linked page were the same tests as on the samba
wiki.
Samba's seems to leave out some important parts of setting up
AppArmor or Selinux
The setup of these could be improved on the wiki, care to help by
posting your files ?
That is why I went to some other wiki I don't know this well enough I just
copied the rules I saw on the linked page.
And after ten years of selinux in fedora I just use the defaults that the
package maintainers put in. Since I suspected selinux I disabled it and
rebooted but the problems were still there.


The apparmor rules were as follows:

Add the following apparmor rules to the end of
/etc/apparmor.d/usr.sbin.named inside the {..}

sudo nano /etc/apparmor.d/usr.sbin.named

/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,

/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab r,

/var/tmp/* rw,

/dev/urandom rw,


That worked well enough for me on the Ubuntu 16.04 install I did on a VM.
For all I know this makes the machine super vulnerable so I am only testing
with it and keeping an eye on it.

Should I try and update the wiki with these apparmor instructions?

and installing the necessary steps to install and
test ACL's (that part was pretty good on the linked page).
And it was totally unnecessary, the defaults for ext4 are what the
page you linked to advised adding.
You are correct that the defaults for ext4 do support ACL's however I still
think this is a good thing to test before continuing for people that might
have installed a FS that does not support it. So they know they will need
another partition to mount some place that has ACL's for samba to use.
to test if those are the defaults for mounting ext4. I can try
setting it back. I also didn't like using rm I always was taught to
move the original out of the way that there maybe something in there
you'll want later.
You do not need to bother, take it from me, you do not need to
alter /etc/fstab if you are using ext4.
It also has me wondering how Ubuntu compiled samba to work if they are
using Heimdal or MIT Kerberos and if they are using Heimdal how they
got around other issues vs why Fedora is sticking with MIT? If they
are using MIT why is Fedora still working on this?
Samba comes with a built-in kerberos server, this uses Heimdal. The
red-hat world uses MIT and they want to use this with Samba and a lot
of work is going on to make this happen. Once this work is complete,
Samba will move to using MIT instead of Heimdal.
Rowland
Thank you Rowland you are very helpful.
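Added example (not part of any post in this thread, and not Samba's or Ubuntu's own tooling): a small Python audit that parses the AppArmor file rules posted by Mike and by Jeff above, flags any rule granting both write (w) and executable mmap (m) on the same path, and compares a keytab's mode with the -rw-r----- listing in Mike's post. The w+m policy and all function names are assumptions of this example.

```python
"""Audit AppArmor file rules for named and the mode of dns.keytab (added example)."""
import os
import re
import stat

# Rules copied from the thread: Mike's /etc/apparmor.d/local/usr.sbin.named ...
MIKE_RULES = """\
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/run/samba/** rw,
/var/tmp/* rwmk,
/dev/urandom rw,
"""
# ... and the rules Jeff added to /etc/apparmor.d/usr.sbin.named.
JEFF_RULES = """\
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab r,
/var/tmp/* rw,
/dev/urandom rw,
"""

# One AppArmor file rule: "<absolute path glob> <permission letters>,"
RULE_RE = re.compile(r"^\s*(/\S*)\s+([a-zA-Z]+)\s*,\s*(?:#.*)?$")


def parse_rules(text):
    """Return [(path, set_of_perm_letters)]; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = RULE_RE.match(line)
        if match:
            rules.append((match.group(1), set(match.group(2))))
    return rules


def audit_rules(text):
    """Apply this example's own policy (a heuristic, not an AppArmor requirement)."""
    findings = []
    for path, perms in parse_rules(text):
        # 'm' allows mapping a file executable; with 'w' the confined process
        # may both create the file and map it as code.
        if "w" in perms and "m" in perms:
            findings.append((path, "write + executable mmap on the same path"))
        # The keytab holds the DNS service key; named only needs to read it.
        if path.endswith(".keytab") and perms - {"r"}:
            findings.append((path, "keytab rule grants more than read"))
    return findings


def check_keytab_mode(path, want_uid=None, want_gid=None):
    """Compare a file with the '-rw-r----- root bind' listing from Mike's post."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & ~0o640:
        problems.append("mode %04o grants more than 0640" % mode)
    if want_uid is not None and st.st_uid != want_uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, want_uid))
    if want_gid is not None and st.st_gid != want_gid:
        problems.append("group gid is %d, expected %d" % (st.st_gid, want_gid))
    return problems


if __name__ == "__main__":
    for name, text in (("Mike", MIKE_RULES), ("Jeff", JEFF_RULES)):
        for path, reason in audit_rules(text):
            print("%s: %s -> %s" % (name, path, reason))
    keytab = "/var/lib/samba/private/dns.keytab"  # path used in the thread
    if os.path.exists(keytab):
        for problem in check_keytab_mode(keytab, want_uid=0):
            print("%s: %s" % (keytab, problem))
```

Ordinary file ownership still applies underneath AppArmor, so a flagged rule is a prompt to check whether the named user can actually write to that path.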
Jeff Sadowski
2016-08-04 20:51:42 UTC
See inline comments
On Thu, 4 Aug 2016 11:34:38 -0600
Are you by any chance the same Jeff Sadowski that posts on
fedoraforum.org ? The one that knew something I didn't ?
The one that knew that there are unofficial fedora Samba AD DC packages
available?
Same one I got that from Alexander Bokovoy (all credit goes to him) when he
posted that about 6 months ago to the samba mailing list :-) As you can see
I am trying to make this easy to do, you found it. Forums seem to work
better for me. And you can also see I had been waiting a long long long
time for AD DC support in Fedora. Looks like things are getting close.
Post by Jeff Sadowski
See inline comments
And Please keep replies to the list
On Tue, 2 Aug 2016 15:08:26 -0600
Samba's wiki didn't have a walk through working example from A to
Z. It is great don't get me wrong but I followed it and at the
end I was able to do all the steps in it but still had the
message I started this thread with. It leaves out A-F and R-Z or
thereabouts (It might have more or less but there are some
missing parts.) I am still trying to figure out how to try and
properly compile it for Fedora myself (as Fedora is my main
distro of choice and I used a precompiled version from Alexander
Bokovoy for F23 when I started this thread, I had even gotten that
to work following the samba wiki in the past but seem to have been
having trouble when I built a vm for it).
I installed fedora 23 in a VM (I tried fedora 24 first but gave up on
that horror) and then tried to compile Samba 4.5.0rc1, found that the
package list on the Samba wiki is wrong, installed all the other
packages recommended for RHEL and compiled Samba. However I could
not get the provision to work, it errored out after 'Setting up sam.ldb
ERROR(ldb): uncaught exception - operations error at
../source4/dsdb/samdb/ldb_modules/password_hash.c:2816
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 461, in run
nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 2175, in provision
skip_sysvolacl=skip_sysvolacl)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1787, in provision_fill
next_rid=next_rid, dc_rid=dc_rid)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1447, in fill_samdb
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py",
line 55, in setup_add_ldif
ldb.add_ldif(data, controls)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py",
line 225, in add_ldif
self.add(msg, controls)
I didn't bother compiling on Fedora 23 As I said on Fedoraforum
I read https://copr.fedorainfracloud.org/coprs/asn/samba_ad_dc/
then I ran
dnf copr enable asn/samba_ad_dc
and
dnf install samba-dc
then I was able to follow the samba wiki
and this worked fine on my original machine and up to a point on my VM
I realized a spelling error in my original domain and I wanted to upgrade
to F24 anyways that is why I pushed my domain to a VM

Currently I had been trying to work it out in rawhide and use a spec file
from a src rpm that I had posted about on another thread.
I've been trying to figure out what it is I need to do to compile it with
AD DC support in Fedora but am lost. I think I just need to wait it out a
bit longer.
And use another distro that has it precompiled as an AD DC for now.
http://forums.fedoraforum.org/showthread.php?t=296121
Which led to Samba packages for fedora, installed these and provisioned
Samba following the wiki and it worked.
I guess I just need to try that again but the
nltest /dsgetdc:<domain name>
test was failing for me on my VM I must have had some stuff different on my
main computer.
hmmm
Post by Jeff Sadowski
Most of the wiki was written by Marc Muehlfeld, he (as far as I am
aware) uses Centos, so the wiki should be relevant to fedora.
I was wrong to characterize it as missing A-F and R-Z it is more like
it is really only missing A(some more pre install necessities and
testing should probably test that ACL's are working and test named to
make sure it is up to par) and Z (some testing that I'm not sure how
to replicate outside of windows and I'm not sure how to fix the
broken cases, like joining a domain as a test and when failing
occurred all I could do is try a different prepackaged samba) and
more so the samba wiki has B1, B2, B3 .... so many options that it
confused me and I went with a simple example.
If you use ext4, you don't need to test the ACLs as a matter of course,
this is because it is known to work.
If you have problems joining a computer to a Samba domain, then ask
here, this is one of the ways we find out what to put on the wiki.
Post by Jeff Sadowski
Specifically I needed an example with bind as I know bind and use it.
Once it was using bind I could do things like use the samba AD DC's
bind as a master and use my main server as a slave without
interfering with other Domain's I use on my main computer. And I no
longer had to point the DNS to the VM I could use my main computer
without worry.
There is at least one page on the wiki about using Bind with a Samba
AD DC, but you shouldn't be using it in a 'master' 'slave' way. Bind
needs to be authoritative for the domain and forward anything it
doesn't know about to another DNS server.
I had discussed this on ISC's mailing list. At first I was looking for a
non caching DNS but quickly realized I can have a master slave relationship.

I use a master on the DC with the DLZ and push to a slave on my main
computer Fedora24 with bind and other domains
It works nice as I know it will push when a change occurs and I can
actually have multiple domains.

On my main computer I have lines like so

zone "samdom.example.com" IN {
    type slave;
    masters { <address of my samdom.example.com DC>; };
    file "db.samdom.example.com";
};
zone "test.test.test" IN {
    type slave;
    masters { <address of my test.test.test DC>; };
    file "db.test.test.test";
};

on my DCs I have in the options section

notify yes;
also-notify { <main server's ip>; };
allow-transfer { <main server's ip>; };

If I point all machines to my main server's ip
I can get up to date records for all my domains as the DC's will push to it.

DNS didn't seem to be why mine was failing. I can verify DNS with nslookup,
dig, or host
Post by Jeff Sadowski
The windows test to run (after reading the error message from windows
I was told by it to run:) "nltest /dsgetdc:<domain name>"
Another good test is to run "dcdiag /s:<domain controller name>"
Also on windows I installed the AD tools on my Windows 10 machine to
create accounts and GPOs
For Fedora the samba wiki worked on my main machine I used
bind_flatfile as bind on Fedora did not support DLZ but on a vm
following the same instructions did not work. I must not have had
some options installed that I need for it to work properly. If and
when I fix it maybe then I can update the wiki.
Please do not use flatfiles with Samba, they are not recommended or
supported.
Flat files worked OK on my main server. Yeah it duplicates the databases
but it worked without me having to recompile bind. As you saw compiling can
be hairy I don't want to think about it. I guess I can download the src rpm
and edit the spec file but flat file worked for me. I had been using a
successful AD DC on Fedora 23 from about a month before posting that forum
entry till a few days ago. And it still allowed me to do other things I
want to do with bind instead of having to use samba's DNS server. Things
like the also-notify and allow transfer that are critical for slaves that I
can use with multiple domains. Also with bind I can override by making a
subdomain that I can do whatever I want with.
Post by Jeff Sadowski
For now I have a working Ubuntu 16.04 AD DC Samba server following the
instructions on that linked page. I modified it with what you told
me. I removed the forwarder in the smb.conf file, I set fstab back to
how it was originally by the OS install, and I moved krb5.conf to
krb5.conf.org. and linked to the one created by samba.
Most of what was on that linked page were the same tests as on the
samba wiki.
Samba's seems to leave out some important parts of setting up
AppArmor or Selinux
The setup of these could be improved on the wiki, care to help by
posting your files ?
That is why I went to some other wiki I don't know this well enough I
just copied the rules I saw on the linked page.
And after ten years of selinux in fedora I just use the defaults that
the package maintainers put in. Since I suspected selinux I disabled
it and rebooted but the problems were still there.
Add the following apparmor rules to the end of
/etc/apparmor.d/usr.sbin.named inside the {..}
sudo nano /etc/apparmor.d/usr.sbin.named
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab r,
/var/tmp/* rw,
/dev/urandom rw,
That worked well enough for me on the Ubuntu 16.04 install I did on a
VM. For all I know this makes the machine super vulnerable so I am
only testing with it and keeping an eye on it.
That is similar to what is on the wiki, one of the problems is the
different paths, another is that you are not sure if your settings are
final, once you are sure they are, then would be the time to add them
to the wiki.
Rowland