See inline comments
On Thu, 4 Aug 2016 11:34:38 -0600
Are you by any chance the same Jeff Sadowski that posts on
fedoraforum.org? The one that knew something I didn't?
The one that knew that there are unofficial Fedora Samba AD DC packages
available?
Same one. I got that from Alexander Bokovoy (all credit goes to him) when he
posted about it some 6 months ago to the Samba mailing list :-) As you can see,
I am trying to make this easy to do; you found it. Forums seem to work
better for me. And you can also see I had been waiting a long, long, long
time for AD DC support in Fedora. Looks like things are getting close.
Post by Jeff Sadowski
See inline comments
And please keep replies to the list.
On Tue, 2 Aug 2016 15:08:26 -0600
Samba's wiki didn't have a walk-through working example from A to
Z. It is great, don't get me wrong, but I followed it and at the
end I was able to do all the steps in it but still had the
message I started this thread with. It leaves out A-F and R-Z or
thereabouts (it might have more or less, but there are some
missing parts). I am still trying to figure out how to try and
properly compile it for Fedora myself (as Fedora is my main
distro of choice and I used a precompiled version from Alexander
Bokovoy for F23 when I started this thread; I had even gotten that
to work following the Samba wiki in the past but seem to have been
having trouble when I built a VM for it).
I installed Fedora 23 in a VM (I tried Fedora 24 first but gave up on
that horror) and then tried to compile Samba 4.5.0rc1, found that the
package list on the Samba wiki is wrong, installed all the other
packages recommended for RHEL and compiled Samba. However, I could
not get the provision to work; it errored out after 'Setting up sam.ldb':
ERROR(ldb): uncaught exception - operations error at
../source4/dsdb/samdb/ldb_modules/password_hash.c:2816
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 461, in run
nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 2175, in provision
skip_sysvolacl=skip_sysvolacl)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1787, in provision_fill
next_rid=next_rid, dc_rid=dc_rid)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1447, in fill_samdb
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py",
line 55, in setup_add_ldif
ldb.add_ldif(data, controls)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py",
line 225, in add_ldif
self.add(msg, controls)
I didn't bother compiling on Fedora 23. As I said on Fedoraforum,
I read https://copr.fedorainfracloud.org/coprs/asn/samba_ad_dc/
then I ran
dnf copr enable asn/samba_ad_dc
and
dnf install samba-dc
then I was able to follow the Samba wiki,
and this worked fine on my original machine and up to a point on my VM.
I realized a spelling error in my original domain and I wanted to upgrade
to F24 anyway; that is why I pushed my domain to a VM.
Currently I had been trying to work it out in Rawhide and use a spec file
from a src rpm that I had posted about on another thread.
I've been trying to figure out what it is I need to do to compile it with
AD DC support in Fedora but am lost. I think I just need to wait it out a
bit longer,
and use another distro that has it precompiled as an AD DC for now.
http://forums.fedoraforum.org/showthread.php?t=296121
which led to Samba packages for Fedora. I installed these and provisioned
Samba following the wiki, and it worked.
I guess I just need to try that again, but the
nltest /dsgetdc:<domain name>
test was failing for me on my VM. I must have had some stuff different on my
main computer.
Hmmm.
Post by Jeff Sadowski
Most of the wiki was written by Marc Muehlfeld; he (as far as I am
aware) uses CentOS, so the wiki should be relevant to Fedora.
I was wrong to characterize it as missing A-F and R-Z; it is more like
it is really only missing A (some more pre-install necessities and
testing; it should probably test that ACLs are working and test named to
make sure it is up to par) and Z (some testing that I'm not sure how
to replicate outside of Windows, and I'm not sure how to fix the
broken cases, like joining a domain as a test; when failing
occurred, all I could do was try a different prepackaged Samba), and
more so the Samba wiki has B1, B2, B3 .... so many options that it
confused me and I went with a simple example.
If you use ext4, you don't need to test the ACLs as a matter of course;
this is because it is known to work.
If you have problems joining a computer to a Samba domain, then ask
here, this is one of the ways we find out what to put on the wiki.
Post by Jeff Sadowski
Specifically I needed an example with BIND, as I know BIND and use it.
Once it was using BIND I could do things like use the Samba AD DC's
BIND as a master and use my main server as a slave without
interfering with other domains I use on my main computer. And I no
longer had to point the DNS to the VM; I could use my main computer
without worry.
There is at least one page on the wiki about using BIND with a Samba
AD DC, but you shouldn't be using it in a 'master'/'slave' way. BIND
needs to be authoritative for the domain and forward anything it
doesn't know about to another DNS server.
I had discussed this on ISC's mailing list. At first I was looking for a
non-caching DNS but quickly realized I can have a master/slave relationship.
I use a master on the DC with the DLZ and push to a slave on my main
computer (Fedora 24) with BIND and other domains.
It works nicely, as I know it will push when a change occurs and I can
actually have multiple domains.
On my main computer I have lines like so:

zone "samdom.example.com" IN {
    type slave;
    masters { <address of my samdom.example.com DC>; };
    file "db.samdom.example.com";
};
zone "test.test.test" IN {
    type slave;
    masters { <address of my test.test.test DC>; };
    file "db.test.test.test";
};

On my DCs I have in the options section:

    notify yes;
    also-notify { <main server's ip>; };
    allow-transfer { <main server's ip>; };

If I point all machines to my main server's IP,
I can get up-to-date records for all my domains as the DCs will push to it.
DNS didn't seem to be why mine was failing. I can verify DNS with nslookup,
dig, or host.
Post by Jeff Sadowski
The Windows test to run (after reading the error message from Windows,
I was told by it to run:) "nltest /dsgetdc:<domain name>"
Another good test is to run "dcdiag /s:<domain controller name>"
Also on Windows I installed the AD tools on my Windows 10 machine to
create accounts and GPOs.
For Fedora the Samba wiki worked on my main machine; I used
bind_flatfile as BIND on Fedora did not support DLZ, but on a VM
following the same instructions did not work. I must not have had
some options installed that I need for it to work properly. If and
when I fix it, maybe then I can update the wiki.
Please do not use flatfiles with Samba, they are not recommended or
supported.
Flat files worked OK on my main server. Yeah, it duplicates the databases,
but it worked without me having to recompile BIND. As you saw, compiling can
be hairy; I don't want to think about it. I guess I can download the src rpm
and edit the spec file, but flat file worked for me. I had been using a
successful AD DC on Fedora 23 from about a month before posting that forum
entry till a few days ago. And it still allowed me to do other things I
want to do with BIND instead of having to use Samba's DNS server, things
like the also-notify and allow-transfer that are critical for slaves that I
can use with multiple domains. Also with BIND I can override by making a
subdomain that I can do whatever I want with.
Post by Jeff Sadowski
For now I have a working Ubuntu 16.04 AD DC Samba server following the
instructions on that linked page. I modified it with what you told
me: I removed the forwarder in the smb.conf file, I set fstab back to
how it was originally by the OS install, and I moved krb5.conf to
krb5.conf.org and linked to the one created by Samba.
Most of what was on that linked page were the same tests as on the
Samba wiki.
Samba's seems to leave out some important parts of setting up
AppArmor or SELinux.
The setup of these could be improved on the wiki; care to help by
posting your files?
That is why I went to some other wiki; I don't know this well enough, I
just copied the rules I saw on the linked page.
And after ten years of SELinux in Fedora I just use the defaults that
the package maintainers put in. Since I suspected SELinux, I disabled
it and rebooted, but the problems were still there.
Add the following AppArmor rules to the end of
/etc/apparmor.d/usr.sbin.named inside the {..}:

sudo nano /etc/apparmor.d/usr.sbin.named

    /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
    /usr/lib/x86_64-linux-gnu/samba/** rwmk,
    /var/lib/samba/private/dns/** rwmk,
    /var/lib/samba/private/named.conf r,
    /var/lib/samba/private/dns.keytab r,
    /var/tmp/* rw,
    /dev/urandom rw,
That worked well enough for me on the Ubuntu 16.04 install I did on a
VM. For all I know this makes the machine super vulnerable, so I am
only testing with it and keeping an eye on it.
That is similar to what is on the wiki; one of the problems is the
different paths, another is that you are not sure if your settings are
final. Once you are sure they are, then would be the time to add them
to the wiki.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
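The master/slave arrangement Jeff describes above (BIND9_DLZ on the DC pushing NOTIFYs to a slave on another server), written out as a complete pair of named.conf fragments. This is an added example for readers of the thread, not configuration posted by either participant or taken from the Samba wiki. The zone name samdom.example.com, the addresses 192.0.2.10 (DC), 192.0.2.20 (slave) and 192.0.2.53 (upstream forwarder), and the key name xfer-key are assumptions. The one thing added beyond the thread's own settings is a TSIG key on the transfer: an AD zone lists every domain member plus the SRV layout of the domain, so `allow-transfer` should never be `any`, and keying it means a spoofed source address is not enough to pull the zone.

```conf
# ---------------------------------------------------------------------------
# On the DC: /etc/named.conf (the DLZ master). Example config, not from the
# thread. Assumed values: zone samdom.example.com, DC 192.0.2.10,
# slave 192.0.2.20, upstream resolver 192.0.2.53.
# ---------------------------------------------------------------------------

# Shared secret for zone transfers. Generate once with
#   tsig-keygen xfer-key          (BIND 9.11+)
# or dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key on older BIND,
# and paste the same secret into both named.conf files.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

options {
    directory "/var/named";
    listen-on { 192.0.2.10; };

    # Authoritative for the AD zone (via DLZ), forward everything else.
    forwarders { 192.0.2.53; };
    allow-recursion { 192.0.2.0/24; };

    # Push changes to the slave as they happen (what the thread relies on).
    notify yes;
    also-notify { 192.0.2.20; };

    # Only a client presenting the key may AXFR/IXFR the zone.
    allow-transfer { key "xfer-key"; };

    # Lets domain members do GSS-TSIG dynamic updates with their machine
    # credentials; the keytab is written by Samba at provision time.
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

# Generated by "samba-tool domain provision --dns-backend=BIND9_DLZ";
# declares the dlz driver that serves the AD zone(s) from sam.ldb.
include "/var/lib/samba/private/named.conf";

# ---------------------------------------------------------------------------
# On the main server: the slave side of the same key.
# ---------------------------------------------------------------------------

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_THE_SAME_BASE64_SECRET";
};

# Sign every exchange with the DC, so transfer requests carry the key.
server 192.0.2.10 {
    keys { "xfer-key"; };
};

zone "samdom.example.com" IN {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/db.samdom.example.com";
    # Do not re-export the AD zone to anyone else from the slave.
    allow-transfer { none; };
};
```

Check both files with `named-checkconf` before restarting. To confirm the restriction actually bites, run `dig @192.0.2.10 samdom.example.com AXFR` from a host that does not hold the key: dig should print `; Transfer failed.` while the slave, presenting the key, still receives the zone on the next NOTIFY.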
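The thread's DC tests are Windows-side (`nltest /dsgetdc:<domain>`, `dcdiag /s:<dc>`). The script below is an added example, not code from the thread or from Samba, of the equivalent checks run from a Linux box with `host` and `dig`: it looks up the SRV and A records a domain member needs to find a DC (the same lookups the Samba wiki's "Verify DNS" step does, plus the `_msdcs` locator record that nltest asks for) and then confirms that an unsigned zone transfer is refused. The domain name, DC host name and address are assumed defaults and can be overridden through environment variables; the parsing helpers are separated from the network calls so they can be exercised on captured output.

```shell
#!/bin/sh
# Added example, not from the thread: Linux-side checks for a Samba AD DC's
# DNS, the counterpart of "nltest /dsgetdc:<domain>" on Windows.
# Assumed values (none come from the original posts):
#   DOMAIN=samdom.example.com  DC_HOST=dc1  DC_IP=192.0.2.10

DOMAIN="${DOMAIN:-samdom.example.com}"
DC_HOST="${DC_HOST:-dc1}"
DC_IP="${DC_IP:-192.0.2.10}"

# Records a domain member needs to locate a DC: the LDAP and Kerberos SRV
# records, the _msdcs DC-locator record the Windows DC locator queries, and
# the DC's own A record. Prints one "TYPE NAME" line per record.
required_names() {
    _d="$1"; _h="$2"
    printf '%s\n' \
        "SRV _ldap._tcp.$_d." \
        "SRV _kerberos._udp.$_d." \
        "SRV _ldap._tcp.dc._msdcs.$_d." \
        "A $_h.$_d."
}

# Decide from 'host' output on stdin whether a record came back.
# host prints "<name> has SRV record ..." or "<name> has address ..." on
# success and "Host <name> not found: 3(NXDOMAIN)" on failure.
has_record() {
    grep -Eq ' has (SRV record|address) '
}

# Decide from 'dig ... AXFR' output on stdin whether the transfer was
# refused. BIND's dig prints "; Transfer failed." in that case; a permitted
# transfer prints the zone's records instead.
transfer_refused() {
    grep -q 'Transfer failed'
}

# Live checks against $DC_IP. Returns 0 only if every check passed.
run_checks() {
    rc=0
    required_names "$DOMAIN" "$DC_HOST" | while read -r type name; do
        if host -t "$type" "$name" "$DC_IP" | has_record; then
            echo "ok   $type $name"
        else
            echo "FAIL $type $name"
            exit 1            # ends the subshell, failing the pipeline
        fi
    done || rc=1

    # An unsigned AXFR from this host must be refused; if it succeeds,
    # allow-transfer is too permissive and the whole host inventory leaks.
    if dig "@$DC_IP" "$DOMAIN" AXFR | transfer_refused; then
        echo "ok   AXFR refused for unsigned client"
    else
        echo "FAIL AXFR allowed for unsigned client"
        rc=1
    fi
    return $rc
}

# Only touch the network when asked, e.g.
#   RUN_DC_CHECKS=1 DOMAIN=samdom.example.com DC_IP=192.0.2.10 sh check_dc_dns.sh
if [ "${RUN_DC_CHECKS:-0}" = 1 ]; then
    run_checks
fi
```

Run it from a domain member rather than from the DC itself, so the AXFR check reflects what an ordinary client on the LAN can get; run it a second time from the slave (which holds the key) to confirm that one is still allowed to transfer.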