I wanted to follow up to the list in hopes it will help others with similar configuration.

Per previous posts --
OS: CentOS 7.153
Samba: Version 4.1.17-SerNet-RedHat-11.el7
Samba provisioned to act as: AD DC following Samba Wiki: Samba AD DC HOWTO
Samba Internal DNS daemon deployed.

1. Disable selinux. Unless you have a solid understanding of how to configure it for your environment, please turn it off. It is defaulted ON/Engaged in CentOS 7. If you don't understand how selinux filters calls to/from the linux kernel, you may be chasing ghosts in relation to your Samba 4.x.y AD DC. For clarification, my sysadmin and security skills are not expert level.

2. The following information may have lurked under my nose, but I did not find mention of it: There is a configuration file /etc/default/sernet-samba which requires one small edit for samba to function. The setting is defaulted to NONE, but it needs to be set to "ad".

# SAMBA_START_MODE defines how Samba should be started. Valid options are one of
# "none" to not enable it at all,
# "classic" to use the classic smbd/nmbd/winbind daemons
# "ad" to use the Active Directory server (which starts the smbd on its own)
# (Be aware that you also need to enable the services/init scripts that
# automatically start up the desired daemons.)
SAMBA_START_MODE="ad"
#SAMBA_START_MODE="none"

3. Upon initial provisioning Samba objects when the machine name (netbios name?) and the domain/workgroup name are the same, so I changed the machine name to make them different. It appears necessary to edit the /etc/hosts file and include both of them in the hosts file:

10.10.10.100 mymachine.example.com mymachine
10.10.10.100 mydomain.example.com mydomain

4. Gotta deal with firewalld. Either uninstall it and use the iptables commands you've fought to finally understand over the years; or, use firewalld and zones, etc. Open all those scary ports to make sure all the complex AD DC components work:

firewall-cmd --permanent --add-service=samba
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-port=88/tcp
firewall-cmd --permanent --add-port=88/udp
firewall-cmd --permanent --add-port=135/tcp
firewall-cmd --permanent --add-port=137/tcp
firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=389/udp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=464/tcp
firewall-cmd --permanent --add-port=464/udp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=1024-5000/tcp
firewall-cmd --permanent --add-port=1024-5000/udp
firewall-cmd --permanent --add-port=3268/tcp
firewall-cmd --permanent --add-port=3269/tcp
firewall-cmd --permanent --add-port=5353/tcp
firewall-cmd --permanent --add-port=5353/udp
firewall-cmd --reload

5. So far, the following works:

smbclient -L localhost -U%
smbclient //mydomain.example.com/netlogon -U Administrator

From Win 7 Pro or 8.1 Pro client, I can point Windows Explorer to the Samba4 AD DC box by entering \\10.10.10.100 in the address bar. I can also provide UserID: Administrator and Password: PaSsW8*rD and see netlogon, sysvol, and all demo directory shares I created. I can also read/write to all of them - - - - I was surprised this was possible without actually joining the domain via (from windows): Control Panel ---> System and Security ---> System ---> Change Settings. It's possible I was able to read/write to the demo shares because they were previously set -- chmod -R 0777 /demo/share/directory.

I still need to understand samba-tool user creation, settings, and options, as I cannot yet figure out how to connect to the AD DC box via RSAT Server Manager app.

6. Testing DNS --
The suggested tests in the AD DC HOWTO produce errors but the samba log seems to indicate DNS is okay:

[2015/04/28 17:29:48.986108, 3] ../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
  Calling DNS name update script
[2015/04/28 17:29:48.989054, 3] ../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
  Calling SPN name update script
[2015/04/28 17:29:49.505209, 3] ../source4/dsdb/dns/dns_update.c:325(dnsupdate_spnupdate_done)
  Completed SPN update check OK
[2015/04/28 17:29:49.576183, 3] ../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
  Completed DNS update check OK

7. Kerberos --
I don't believe this is working yet and will need to RTFM to figure out how to chase it down.

[root@a10 etc]# ls -alh krb5.conf
lrwxrwxrwx. 1 root root 32 Apr 21 10:31 krb5.conf -> /var/lib/samba/private/krb5.conf
[root@a10 etc]# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
[root@a10 etc]#
[root@a10 etc]# kinit administrator@MYDOMAIN.EXAMPLE.COM
kinit: Cannot find KDC for realm "MYDOMAIN.EXAMPLE.COM" while getting initial credentials
[root@a10 etc]#
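A companion check for step 4, added here and not part of the original post: opening firewalld ports for an AD DC only makes sense if the DC daemons are actually bound to them, and a port that is open with nothing listening is exposure without function. The script below takes `ss -ltun` output and reports every fixed AD DC port with no listener. The required list is the fixed-port subset of the firewall-cmd list above; the 1024-5000 dynamic RPC range is allocated on demand and the NetBIOS ports 137/138 and mDNS 5353 are left out, so extend `required_ports` to match your own firewall list. The `ss` sample embedded in the script is constructed for the demo, not captured from a real DC, and deliberately lacks the global catalog ports 3268/3269.

```shell
#!/bin/sh
# Added example (not from the thread): confirm an AD DC listens on the fixed
# ports that were opened in firewalld. Run on the DC as:
#   missing_listeners "$(ss -ltun)"

# required_ports -> "proto port" pairs a Samba AD DC is expected to listen on
required_ports() {
  cat <<'EOF'
tcp 53
udp 53
tcp 88
udp 88
tcp 135
tcp 139
tcp 389
udp 389
tcp 445
tcp 464
udp 464
tcp 636
tcp 3268
tcp 3269
EOF
}

# Constructed sample of `ss -ltun` output (NOT captured from a real DC);
# the global catalog listeners on 3268/3269 are intentionally missing.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:88         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:389        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:464        0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:88         0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:135        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:139        0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:389        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:464        0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:636        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*'

# listening PROTO PORT SS_OUTPUT -> exit 0 if SS_OUTPUT shows a socket on PROTO/PORT.
# Field 1 of an ss row is the protocol, field 5 the local "address:port"; the
# regex anchors on ":PORT$" so 53 does not match 453 or 5353.
listening() {
  printf '%s\n' "$3" | awk -v p="$1" -v port="$2" \
    '$1 == p && $5 ~ (":" port "$") { found = 1 }
     END { if (found) exit 0; exit 1 }'
}

# missing_listeners SS_OUTPUT -> prints "proto port" for each required port
# that has no listener in SS_OUTPUT (prints nothing when all are present)
missing_listeners() {
  ss_out=$1
  required_ports | while read -r proto port; do
    listening "$proto" "$port" "$ss_out" || echo "$proto $port"
  done
}

# Demo on the constructed sample: expect "tcp 3268" and "tcp 3269"
missing_listeners "$SAMPLE_SS"
```

Anything this prints is either a daemon that failed to start (check the samba log) or a port that should not have been opened in the first place; the converse check, ports that are listening but not in your firewall list, is the same loop run the other way round.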
On 28/04/15 22:41, Mike wrote:
> I wanted to follow up to the list in hopes it will help others with similar configuration.
>
> Per previous posts --
> OS: CentOS 7.153
> Samba: Version 4.1.17-SerNet-RedHat-11.el7
> Samba provisioned to act as: AD DC following Samba Wiki: Samba AD DC HOWTO
> Samba Internal DNS daemon deployed.
>
> 1. Disable selinux. Unless you have a solid understanding of how to configure it for your environment, please turn it off. It is defaulted ON/Engaged in CentOS 7. If you don't understand how selinux filters calls to/from the linux kernel, you may be chasing ghosts in relation to your Samba 4.x.y AD DC. For clarification, my sysadmin and security skills are not expert level.
>
> 2. The following information may have lurked under my nose, but I did not find mention of it: There is a configuration file /etc/default/sernet-samba which requires one small edit for samba to function. The setting is defaulted to NONE, but it needs to be set to "ad".
>
> # SAMBA_START_MODE defines how Samba should be started. Valid options are one of
> # "none" to not enable it at all,
> # "classic" to use the classic smbd/nmbd/winbind daemons
> # "ad" to use the Active Directory server (which starts the smbd on its own)
> # (Be aware that you also need to enable the services/init scripts that
> # automatically start up the desired daemons.)
> SAMBA_START_MODE="ad"
> #SAMBA_START_MODE="none"
>
> 3. Upon initial provisioning Samba objects when the machine name (netbios name?) and the domain/workgroup name are the same, so I changed the machine name to make them different. It appears necessary to edit the /etc/hosts file and include both of them in the hosts file:
>
> 10.10.10.100 mymachine.example.com mymachine
> 10.10.10.100 mydomain.example.com mydomain
>
> 4. Gotta deal with firewalld. Either uninstall it and use the iptables commands you've fought to finally understand over the years; or, use firewalld and zones, etc. Open all those scary ports to make sure all the complex AD DC components work:
>
> firewall-cmd --permanent --add-service=samba
> firewall-cmd --permanent --add-port=53/tcp
> firewall-cmd --permanent --add-port=53/udp
> firewall-cmd --permanent --add-port=88/tcp
> firewall-cmd --permanent --add-port=88/udp
> firewall-cmd --permanent --add-port=135/tcp
> firewall-cmd --permanent --add-port=137/tcp
> firewall-cmd --permanent --add-port=137/udp
> firewall-cmd --permanent --add-port=138/udp
> firewall-cmd --permanent --add-port=139/tcp
> firewall-cmd --permanent --add-port=389/tcp
> firewall-cmd --permanent --add-port=389/udp
> firewall-cmd --permanent --add-port=445/tcp
> firewall-cmd --permanent --add-port=464/tcp
> firewall-cmd --permanent --add-port=464/udp
> firewall-cmd --permanent --add-port=636/tcp
> firewall-cmd --permanent --add-port=1024-5000/tcp
> firewall-cmd --permanent --add-port=1024-5000/udp
> firewall-cmd --permanent --add-port=3268/tcp
> firewall-cmd --permanent --add-port=3269/tcp
> firewall-cmd --permanent --add-port=5353/tcp
> firewall-cmd --permanent --add-port=5353/udp
> firewall-cmd --reload
>
> 5. So far, the following works:
>
> smbclient -L localhost -U%
> smbclient //mydomain.example.com/netlogon -U Administrator
>
> From Win 7 Pro or 8.1 Pro client, I can point Windows Explorer to the Samba4 AD DC box by entering \\10.10.10.100 in the address bar. I can also provide UserID: Administrator and Password: PaSsW8*rD and see netlogon, sysvol, and all demo directory shares I created. I can also read/write to all of them - - - - I was surprised this was possible without actually joining the domain via (from windows): Control Panel ---> System and Security ---> System ---> Change Settings. It's possible I was able to read/write to the demo shares because they were previously set -- chmod -R 0777 /demo/share/directory.
>
> I still need to understand samba-tool user creation, settings, and options, as I cannot yet figure out how to connect to the AD DC box via RSAT Server Manager app.
>
> 6. Testing DNS --
> The suggested tests in the AD DC HOWTO produce errors but the samba log seems to indicate DNS is okay:
>
> [2015/04/28 17:29:48.986108, 3] ../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
>   Calling DNS name update script
> [2015/04/28 17:29:48.989054, 3] ../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
>   Calling SPN name update script
> [2015/04/28 17:29:49.505209, 3] ../source4/dsdb/dns/dns_update.c:325(dnsupdate_spnupdate_done)
>   Completed SPN update check OK
> [2015/04/28 17:29:49.576183, 3] ../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
>   Completed DNS update check OK
>
> 7. Kerberos --
> I don't believe this is working yet and will need to RTFM to figure out how to chase it down.
>
> [root@a10 etc]# ls -alh krb5.conf
> lrwxrwxrwx. 1 root root 32 Apr 21 10:31 krb5.conf -> /var/lib/samba/private/krb5.conf
> [root@a10 etc]# klist
> klist: Credentials cache file '/tmp/krb5cc_0' not found
> [root@a10 etc]#
> [root@a10 etc]# kinit administrator@MYDOMAIN.EXAMPLE.COM
> kinit: Cannot find KDC for realm "MYDOMAIN.EXAMPLE.COM" while getting initial credentials
> [root@a10 etc]#

OK, you posted this:

> It appears necessary to edit the /etc/hosts file and include both of them in the hosts file:
>
> 10.10.10.100 mymachine.example.com mymachine
> 10.10.10.100 mydomain.example.com mydomain

One of those lines is wrong! Your kerberos realm *has* to be the same as your DNS domain, so your machine's FQDN would be 'mymachine.mydomain', i.e. if the hostname of your machine is 'samba' and your domain name 'internal.example.com' & your machine's ip is '10.10.10.100', you would need this line in /etc/hosts:

10.10.10.100 samba.internal.example.com samba

You would need to use the kerberos name 'INTERNAL.EXAMPLE.COM' in /etc/krb5 and you could use 'INTERNAL' as the workgroup/domain name in smb.conf, though you could use anything you like.

Rowland
Louis and Rowland -- thank you, Gents! Making progress.

Kerberos is operational and handing out tickets, but I was only able to test using:
kinit administrator@EXAMPLE.COM
vs. the Samba AD DC HOWTO: administrator@SAMDOM.EXAMPLE.COM

- - - - - - - - - - - - - - - - - - - - - - -

Per Rowland's dns naming example - my hostname output:
~]# hostname -s
samba
~]# hostname -f
samba.internal.example.com
~]# hostname -d
internal.example.com

But, this appears incorrect:
~]# host -t SRV _ldap._tcp.example.com
_ldap._tcp.example.com has SRV record 0 100 389 samba.example.com.
~]# host -t SRV _ldap._tcp.internal.example.com
Host _ldap._tcp.internal.example.com not found: 3(NXDOMAIN)
~]# host -t SRV _ldap._tcp.samba.internal.example.com
Host _ldap._tcp.samba.internal.example.com not found: 3(NXDOMAIN)
~]# host -t SRV _ldap._tcp.samba.example.com
Host _ldap._tcp.samba.example.com not found: 3(NXDOMAIN)

- - - - - - - - - - - - - - - - - - - - - - - -

The same results as above when testing:
~]# host -t SRV _kerberos._udp.example.com
_kerberos._udp.mwllc.info has SRV record 0 100 88 samba.example.com.
and the other combinations report "not found: 3 (NXDOMAIN)"

Did I simply provision the REALM or domain incorrectly from the start? testparm -v output shows I provided the following:
workgroup = INTERNAL
realm = EXAMPLE.COM
netbios name = SAMBA
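A small consistency check that encodes Rowland's rule and the SRV results above, added here as an example and not part of either post: a Samba AD DC publishes `_ldap._tcp.<realm>` and `_kerberos._udp.<realm>` directly under the DNS domain that equals the realm, and its own FQDN must be `<netbios name>.<realm>` in lower case. Run against the testparm output in the follow-up (realm EXAMPLE.COM, netbios name SAMBA) and `hostname -f` (samba.internal.example.com), the script reports the mismatch that explains both the NXDOMAIN answers under internal.example.com and the earlier "Cannot find KDC for realm" from kinit, which locates the KDC through the `_kerberos` SRV record of the realm. The function and variable names are the example's own; the IP, host, realm and netbios values are the ones the thread uses.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an AD DC's Kerberos realm,
# NetBIOS name and DNS host name agree, and derive the names to look up.

# lc STRING -> STRING in lower case (DNS names compare case-insensitively)
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# expected_fqdn NETBIOS REALM -> the FQDN a DC with this netbios name must carry,
# because the realm and the DNS domain have to be the same
expected_fqdn() { printf '%s.%s\n' "$(lc "$1")" "$(lc "$2")"; }

# check_dc_names REALM NETBIOS FQDN -> 0 if consistent, 1 plus a reason if not
check_dc_names() {
  want=$(expected_fqdn "$2" "$1")
  if [ "$(lc "$3")" != "$want" ]; then
    echo "MISMATCH: hostname -f gives '$3' but realm $1 and netbios name $2 require '$want'"
    return 1
  fi
  echo "OK: '$3' matches realm $1"
}

# srv_names REALM -> the SRV records a domain member queries to find a DC;
# they sit directly under the realm's DNS domain, never under the host name
srv_names() {
  d=$(lc "$1")
  printf '_ldap._tcp.%s\n_kerberos._udp.%s\n_kerberos._tcp.%s\n_kpasswd._udp.%s\n' \
    "$d" "$d" "$d" "$d"
}

# hosts_line IP NETBIOS REALM -> the one /etc/hosts entry the DC needs
hosts_line() { printf '%s %s %s\n' "$1" "$(expected_fqdn "$2" "$3")" "$(lc "$2")"; }

# The provisioned values from the follow-up post: expect a MISMATCH line
check_dc_names EXAMPLE.COM SAMBA samba.internal.example.com || true

# Either fix passes: rename the host to samba.example.com, or re-provision
# with realm INTERNAL.EXAMPLE.COM so the existing host name is correct
check_dc_names INTERNAL.EXAMPLE.COM SAMBA samba.internal.example.com

echo "SRV records that must exist for the provisioned realm EXAMPLE.COM:"
srv_names EXAMPLE.COM
echo "/etc/hosts entry if the realm is changed to INTERNAL.EXAMPLE.COM instead:"
hosts_line 10.10.10.100 samba INTERNAL.EXAMPLE.COM
```

The queries in the follow-up that returned NXDOMAIN were all under names other than the provisioned realm, so with realm EXAMPLE.COM the only records that can exist are the `*.example.com` ones the first lookups found; the script makes that dependency explicit before any `host -t SRV` is run.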