On 01/08/16 17:48, Jeff Sadowski wrote:
> I just installed ubuntu-16.04 and followed the instructions I found for it.
> problems I ran into that way
> I removed apparmor and I had to use bindflatfile as dlz was not working for
> me
> I got my machine connected. I'll figure out fedora later.
>

I would figure out why dlz doesn't work first, why didn't it work ? what error messages did you get ?

Rowland
Data Control Systems - Mike Elkevizth
2016-Aug-01 19:34 UTC
[Samba] That domain could not be found
On Mon, Aug 1, 2016 at 12:55 PM, Rowland penny <rpenny at samba.org> wrote:
> On 01/08/16 17:48, Jeff Sadowski wrote:
>
>> I just installed ubuntu-16.04 and followed the instructions I found for
>> it.
>> problems I ran into that way
>> I removed apparmor and I had to use bindflatfile as dlz was not working
>> for
>> me
>>

My Samba DCs use the BIND_DLZ backend using the standard Ubuntu packages with Apparmor enabled. The relevant config options should be as follows:

/etc/apparmor.d/usr.sbin.named (I think this strays slightly from the default Ubuntu installation. I think there is a bug report about it, if I remember correctly)
...
  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** lrw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,
...

/etc/apparmor.d/local/usr.sbin.named (complete file)
  # Site-specific additions and overrides for usr.sbin.named.
  # For more details, please see /etc/apparmor.d/local/README.
  /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
  /usr/lib/x86_64-linux-gnu/samba/** rwmk,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /run/samba/** rw,
  /var/tmp/* rwmk,
  /dev/urandom rw,

/etc/bind/named.conf.options
...
include "/var/lib/samba/private/named.conf";
...
options {
...
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
...

/etc/samba/smb.conf
...
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
...

And /var/lib/samba/private/dns.keytab should have the following permissions

-rw-r----- 1 root bind 982 May 6 11:07 /var/lib/samba/private/dns.keytab

Hopefully this helps you get it configured properly.

Mike E.

>> I got my machine connected. I'll figure out fedora later.
>>
>>
> I would figure out why dlz doesn't work first, why didn't it work ? what
> error messages did you get ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
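The prerequisites Mike lists above can be checked mechanically: named.conf.options must include Samba's named.conf and point tkey-gssapi-keytab at dns.keytab, smb.conf must not still enable Samba's internal dns service (it cannot run alongside BIND_DLZ, which is why dns is absent from his server services line), and dns.keytab must be root:bind 0640. The audit below is example code written for this page, not anything from the thread or the Samba project; it takes file contents as strings, its sample inputs are constructed from Mike's fragments, and it assumes Samba's default server services list includes dns when the relative "-dns" form is used.

```python
import re

# Paths from Mike's configuration in the thread (Ubuntu Samba AD DC, BIND_DLZ backend)
SAMBA_NAMED_CONF = "/var/lib/samba/private/named.conf"
DNS_KEYTAB = "/var/lib/samba/private/dns.keytab"
# Constructed sample inputs, copied from the configuration fragments Mike posted
SAMPLE_SMB_CONF = ("[global]\nserver role = active directory domain controller\n"
                   "server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, "
                   "winbindd, ntp_signd, kcc, dnsupdate\n")
SAMPLE_NAMED_OPTIONS = ('include "/var/lib/samba/private/named.conf";\noptions {\n'
                        '    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";\n};\n')

def _strip_comments(text):
    """Drop '#', '//' and '/* */' comments so commented-out lines are not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.split(r"#|//", line)[0] for line in text.splitlines())

def smbconf_uses_internal_dns(smbconf_text):
    """True if 'server services' enables Samba's internal DNS; None if the parameter is unset."""
    for line in _strip_comments(smbconf_text).splitlines():
        m = re.match(r"\s*server\s+services\s*=\s*(.*)", line, re.I)
        if m:
            items = [s.lower() for s in re.split(r"[,\s]+", m.group(1)) if s]
            if items and all(i[0] in "+-" for i in items):  # relative form, e.g. '-dns'
                return "-dns" not in items  # assumption: Samba's default list includes 'dns'
            return "dns" in items  # explicit list form, as in Mike's smb.conf
    return None

def named_options_ok(named_options_text):
    """Return (has_include, has_keytab) for named.conf.options: Samba's named.conf must be
    included and tkey-gssapi-keytab must point at dns.keytab for GSS-TSIG dynamic updates."""
    text = _strip_comments(named_options_text)
    has_include = re.search(r'include\s+"%s"\s*;' % re.escape(SAMBA_NAMED_CONF), text) is not None
    has_keytab = re.search(r'tkey-gssapi-keytab\s+"%s"\s*;' % re.escape(DNS_KEYTAB), text) is not None
    return has_include, has_keytab

def keytab_perms_ok(mode, group):
    """dns.keytab must be group 'bind' and mode 0640: named reads it, the world cannot."""
    return (mode & 0o777) == 0o640 and group == "bind"

def audit(smbconf_text, named_options_text, keytab_mode, keytab_group):
    """Return a list of findings; empty means the BIND_DLZ prerequisites look right."""
    findings = []
    if smbconf_uses_internal_dns(smbconf_text):
        findings.append("smb.conf: internal 'dns' service is enabled alongside BIND_DLZ")
    has_include, has_keytab = named_options_ok(named_options_text)
    if not has_include:
        findings.append("named.conf.options: missing include of " + SAMBA_NAMED_CONF)
    if not has_keytab:
        findings.append("named.conf.options: tkey-gssapi-keytab is not " + DNS_KEYTAB)
    if not keytab_perms_ok(keytab_mode, keytab_group):
        findings.append("dns.keytab: expected group 'bind' and mode 0640 (root:bind -rw-r-----)")
    return findings
```

On a live host, feed audit() the contents of /etc/samba/smb.conf and /etc/bind/named.conf.options plus os.stat(DNS_KEYTAB).st_mode and the keytab's group name.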
I got that working; I just had to follow the instructions here better:
http://blogging.dragon.org.uk/samba4-ad-dc-on-ubuntu-14-04/
I'll look into Fedora later.

On Mon, Aug 1, 2016 at 10:55 AM, Rowland penny <rpenny at samba.org> wrote:
> On 01/08/16 17:48, Jeff Sadowski wrote:
>
>> I just installed ubuntu-16.04 and followed the instructions I found for
>> it.
>> problems I ran into that way
>> I removed apparmor and I had to use bindflatfile as dlz was not working
>> for
>> me
>> I got my machine connected. I'll figure out fedora later.
>>
>>
> I would figure out why dlz doesn't work first, why didn't it work ? what
> error messages did you get ?
>
> Rowland
>
See inline comments
And Please keep replies to the list

On Tue, 2 Aug 2016 15:08:26 -0600
Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> Samba's wiki didn't have a walk through working example from A to Z.
> It is great don't get me wrong but I followed it and at the end I was
> able to do all in the steps in it but still had the message I started
> this thread with. It leaves out A-F and R-Z or there abouts (It might
> have more or less but there are some missing parts.) I am still
> trying to figure out how to try and properly compile it for Fedora
> myself (as Fedora is my main distro of choice and I used a
> precompiled version from Alexander Bokovoy for F23 when I started this
> thread, I had even gotten that to work following the samba wiki in
> the past but seem to had been having trouble when I built a vm for
> it).
>

Most of the wiki was written by Marc Muehlfeld, he (as far as I am aware) uses Centos, so the wiki should be relevant to fedora.

> Samba's seems to leave out some important parts of setting up
> AppArmor or Selinux

The setup of these could be improved on the wiki, care to help by posting your files ?

> and installing the necessary steps to install and
> test ACL's (that part was pretty good on the linked page).

And it was totally unnecessary, the defaults for ext4 are what the page you linked to advised adding.

> to test if those are the defaults for mounting ext4. I can try
> setting it back. I also didn't like using rm I always was taught to
> move the original out of the way that there maybe something in there
> you'll want later.

You do not need to bother, take it from me, you do not need to alter /etc/fstab if you are using ext4.

>
> It also has me wondering how Ubuntu compiled samba to work if they are
> using Heimdal or MIT Kerberos and if they are using Heimdal how they
> got around other issues vs why Fedora is sticking with MIT? If they
> are using MIT why is Fedora still working on this?

Samba comes with a built-in kerberos server, this uses Heimdal. The red-hat world uses MIT and they want to use this with Samba and a lot of work is going on to make this happen. Once this work is complete, Samba will move to using MIT instead of Heimdal.

Rowland
On Wed, Aug 3, 2016 at 1:43 AM, Rowland Penny <rpenny at samba.org> wrote:
>
> See inline comments
> And Please keep replies to the list
>
> On Tue, 2 Aug 2016 15:08:26 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
> > Samba's wiki didn't have a walk through working example from A to Z.
> > It is great don't get me wrong but I followed it and at the end I was
> > able to do all in the steps in it but still had the message I started
> > this thread with. It leaves out A-F and R-Z or there abouts (It might
> > have more or less but there are some missing parts.) I am still
> > trying to figure out how to try and properly compile it for Fedora
> > myself (as Fedora is my main distro of choice and I used a
> > precompiled version from Alexander Bokovoy for F23 when I started this
> > thread, I had even gotten that to work following the samba wiki in
> > the past but seem to had been having trouble when I built a vm for
> > it).
> >
>
> Most of the wiki was written by Marc Muehlfeld, he (as far as I am
> aware) uses Centos, so the wiki should be relevant to fedora.
>

I was wrong to characterize it as missing A-F and R-Z; it is more like it is really only missing A (some more pre-install necessities and testing; it should probably test that ACL's are working and test named to make sure it is up to par) and Z (some testing that I'm not sure how to replicate outside of windows, and I'm not sure how to fix the broken cases, like joining a domain as a test; when failing occurred all I could do was try a different prepackaged samba), and more so the samba wiki has B1, B2, B3 .... so many options that it confused me and I went with a simple example. Specifically I needed an example with bind as I know bind and use it. Once it was using bind I could do things like use the samba AD DC's bind as a master and use my main server as a slave without interfering with other Domains I use on my main computer. And I no longer had to point the DNS to the VM; I could use my main computer without worry.

The windows test to run (after reading the error message from windows I was told by it to run:)
"nltest /dsgetdc:<domain name>"
Another good test is to run
"dcdiag /s:<domain controller name>"
Also on windows I installed the AD tools on my Windows 10 machine to create accounts and GPOs.

For Fedora the samba wiki worked on my main machine; I used bind_flatfile as bind on Fedora did not support DLZ, but on a vm following the same instructions did not work. I must not have had some options installed that I need for it to work properly. If and when I fix it maybe then I can update the wiki.

For now I have a working Ubuntu 16.04 AD DC Samba server following the instructions on that linked page. I modified it with what you told me. I removed the forwarder in the smb.conf file, I set fstab back to how it was originally by the OS install, and I moved krb5.conf to krb5.conf.org and linked to the one created by samba. Most of what was on that linked page were the same tests as on the samba wiki.

> > Samba's seems to leave out some important parts of setting up
> > AppArmor or Selinux
>
> The setup of these could be improved on the wiki, care to help by
> posting your files ?
>

That is why I went to some other wiki; I don't know this well enough, I just copied the rules I saw on the linked page. And after ten years of selinux in fedora I just use the defaults that the package maintainers put in. Since I suspected selinux I disabled it and rebooted, but the problems were still there.

The apparmor rules were as follows:

Add the following apparmor rules to the end of /etc/apparmor.d/usr.sbin.named inside the {..}
sudo nano /etc/apparmor.d/usr.sbin.named
  /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
  /usr/lib/x86_64-linux-gnu/samba/** rwmk,
  /var/lib/samba/private/dns/** rwmk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns.keytab r,
  /var/tmp/* rw,
  /dev/urandom rw,

That worked well enough for me on the Ubuntu 16.04 install I did on a VM. For all I know this makes the machine super vulnerable so I am only testing with it and keeping an eye on it. Should I try and update the wiki with these apparmor instructions?

> > and installing the necessary steps to install and
> > test ACL's (that part was pretty good on the linked page).
>
> And it was totally unnecessary, the defaults for ext4 are what the
> page you linked to advised adding.
>

You are correct that the defaults for ext4 do support ACL's; however, I still think this is a good thing to test before continuing for people that might have installed a FS that does not support it, so they know they will need another partition to mount some place that has ACL's for samba to use.

> > to test if those are the defaults for mounting ext4. I can try
> > setting it back. I also didn't like using rm I always was taught to
> > move the original out of the way that there maybe something in there
> > you'll want later.
>
> You do not need to bother, take it from me, you do not need to
> alter /etc/fstab if you are using ext4.
>
> >
> > It also has me wondering how Ubuntu compiled samba to work if they are
> > using Heimdal or MIT Kerberos and if they are using Heimdal how they
> > got around other issues vs why Fedora is sticking with MIT? If they
> > are using MIT why is Fedora still working on this?
>
> Samba comes with a built-in kerberos server, this uses Heimdal. The
> red-hat world uses MIT and they want to use this with Samba and a lot
> of work is going on to make this happen. Once this work is complete,
> Samba will move to using MIT instead of Heimdal.
>
> Rowland
>

Thank you Rowland, you are very helpful.