After the last few days of playing around with 4.1.17 I decided to start
fresh and try 4.2.
--- Hardware, OS:
Pi B+, Raspbian 2015-02-16
--- Getting packages:
- install packages: build-essential libacl1-dev libattr1-dev
libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev
python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils
libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl libkrb5-dev
- install more packages: acl python-xattr util-linux gnutls-bin
python-setproctitle
- (did NOT install slapd docbook xsltproc cups *)
- wget samba..., tar -xvzf samba-4.2.0.tar.gz (rc5?)
* my previous tests suggest that those packages may cause problems.
- openldap may bind to 389 before samba is started and cause sambaldap
to fail.
- cups installs a LOT of stuff (also avahi-daemon) which did cause
trouble, but that may have been related to me choosing a .local domain. I do not
plan to use the pi as a print server.
- without docbook and xsltproc, man pages will not be created during
make. With them, make aborted for me, at least 4.1.17 did.
--- pre-setup:
(will cause pi to lose internet - or rather dns)
- static ip, dns-nameservers [pi ip] [googledns], dns-search my-domain.home
- hostname adserver.my-domain.home
- hosts: 127.0.0.1 localhost localhost.my-domain and [pi ip] adserver
adserver.my-domain.home
- resolv.conf: nameserver [pi ip], domain my-domain.home
- reboot :)
--- building samba:
- configure --prefix=/usr/local/samba
--with-piddir=/usr/local/samba/var/run --with-syslog --with-quotas
--with-acl-support
- make
- make install
(together >6 hours...)
--- add /usr/local/samba/bin and /usr/local/samba/sbin to $PATH (see
/etc/profile)
--- samba-tool domain provision --use-rfc2307 --interactive
I was able to use the default (just press enter) everywhere except for the
DNS forwarder. Type in the DNS of your router or a public DNS like
Google's (8.8.8.8).
--- copy the krb5.conf provided by samba (in /usr/local/samba/private)
to /etc/krb5.conf
--- run samba
(internet should be back)
--- get init.d script for samba-ad-dc, edit it according to the guide,
make executable, run update-rc.d
--- reboot
--- test:
- kinit administrator@MY-DOMAIN.HOME: works, no errors
- samba_dnsupdate --verbose: no errors
- samba_upgradedns: no errors
- host -t ... : no errors
- dns forwarder: ping google.com : good
--- test2:
- added win7 pro to domain: no error, login with admin: ok
- download and install rsat: ok
--- further settings to test soon:
- create a testing share
- SeDiskOperatorPrivilege for administrator
(see
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
)
(unclear if required!)
--- test3 (with rsat)
- added user to domain
- added OU to domain, moved pc in new ou
- added gpo (flash player.msi install) to OU
- connect to adserver with computer management, edit share settings
(read/write etc)
- gpupdate /force : looks good
- reboot
--- test4
- login with new user: good
- msi installed: good
- test fileshare settings
--- logs:
- get lots of errors about printer list: as expected without cups
- get lots of errors binding to :::[PORT] failing --> still seems to be
something up with ipv6
--- the end?
Further testing and finetuning will definitely be required.
I will try to add ntp-server, dhcp (with dynamic dns update), and radius
server next (not in that order)
--- what I learned which was not clear through all the documentation I
found when looking around
- stay clear of the "AD member server" guide, stick with "the ad
dc howto"
- winbindd and stuff seems not to be necessary (or is configured
correctly out of the box) for "just ad dc"
- openldap/slapd is NOT required
- you guys rock. I had much help to get where it actually works... hope
this summary with "success" helps other people!
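As an added example (my own script, not part of the post above and not from the Samba project): the "pre-setup" step is where most of the later kinit/DNS errors come from, because provisioning bakes the hostname into the Kerberos realm and DNS zone, and the resolver walks nameservers in order (it only moves to the next one on timeout, not on NXDOMAIN), so a public resolver listed before the pi answers "no such name" for the AD zone and the SRV lookups never reach samba's internal DNS. The POSIX shell script below checks hostname, hosts file and resolv.conf against each other before you run samba-tool. Everything in it is constructed: 192.0.2.10 stands in for "[pi ip]", the sample files are written to a temporary directory, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: consistency check of the
# pre-setup files before "samba-tool domain provision". All addresses
# and files below are constructed; 192.0.2.10 is a placeholder for the pi ip.

# check_fqdn SHORT DOMAIN HOSTNAME: the configured hostname must be SHORT.DOMAIN
check_fqdn() {
    [ "$3" = "$1.$2" ]
}

# check_hosts_file FILE IP SHORT FQDN: the line for the pi's own address
# must carry both the short name and the FQDN (the post's "[pi ip] adserver
# adserver.my-domain.home" line)
check_hosts_file() {
    awk -v ip="$2" -v short="$3" -v fqdn="$4" '
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == short) s = 1; if ($i == fqdn) f = 1 } }
        END { exit !(s && f) }' "$1"
}

# check_resolv_conf FILE IP DOMAIN: the FIRST nameserver must be the DC itself
# and the AD domain must appear in a domain/search line; a public resolver
# listed first would answer NXDOMAIN for the AD zone before samba is ever asked
check_resolv_conf() {
    awk -v ip="$2" -v dom="$3" '
        $1 == "nameserver" && !seen { seen = 1; if ($2 == ip) first = 1 }
        $1 == "domain" || $1 == "search" { for (i = 2; i <= NF; i++) if ($i == dom) d = 1 }
        END { exit !(first && d) }' "$1"
}

# check_ad_dc_prereqs HOSTS RESOLV IP SHORT DOMAIN HOSTNAME: runs all three
# checks, prints each failure, exit status is the number of failed checks
check_ad_dc_prereqs() {
    hosts="$1"; resolv="$2"; ip="$3"; short="$4"; dom="$5"; name="$6"
    fqdn="$short.$dom"; failed=0
    check_fqdn "$short" "$dom" "$name" \
        || { echo "FAIL: hostname '$name' is not $fqdn"; failed=$((failed + 1)); }
    check_hosts_file "$hosts" "$ip" "$short" "$fqdn" \
        || { echo "FAIL: $hosts lacks a line '$ip $short $fqdn'"; failed=$((failed + 1)); }
    check_resolv_conf "$resolv" "$ip" "$dom" \
        || { echo "FAIL: $resolv must list 'nameserver $ip' first and domain $dom"; failed=$((failed + 1)); }
    return "$failed"
}

# write_samples DIR: constructed copies of the post's pre-setup files, one
# good resolv.conf and one with the public resolver listed before the pi
write_samples() {
    printf '127.0.0.1 localhost localhost.my-domain\n192.0.2.10 adserver adserver.my-domain.home\n' > "$1/hosts"
    printf 'domain my-domain.home\nnameserver 192.0.2.10\nnameserver 8.8.8.8\n' > "$1/resolv.conf"
    printf 'domain my-domain.home\nnameserver 8.8.8.8\nnameserver 192.0.2.10\n' > "$1/resolv-bad.conf"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
if check_ad_dc_prereqs "$SAMPLES/hosts" "$SAMPLES/resolv.conf" 192.0.2.10 adserver my-domain.home adserver.my-domain.home; then
    echo "pre-setup files are consistent, safe to provision"
fi
check_ad_dc_prereqs "$SAMPLES/hosts" "$SAMPLES/resolv-bad.conf" 192.0.2.10 adserver my-domain.home adserver.my-domain.home \
    || echo "bad resolv.conf rejected (public resolver listed before the DC)"
```

On the real pi you would call check_ad_dc_prereqs with /etc/hosts, /etc/resolv.conf, the pi's address, "adserver", "my-domain.home" and the output of hostname -f; a non-zero exit means fix the files and reboot before provisioning, since the post's "pi loses internet/dns" symptom is exactly the resolver order this script flags.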