On Tue, 25/04/2017 at 13:26 +0100, Rowland Penny via samba wrote:
> On Tue, 25 Apr 2017 14:07:05 +0200
> Dario Lesca via samba <samba at lists.samba.org> wrote:
> 
> > I have set up a new Samba Active Directory DC on Fedora 25 with
> > samba-4.5.8-1.fc25.x86_64, rebuilt from the src.rpm with the dc option
> > enabled.
> > 
> > This system (fedora-addc) is only an AD DC. In the next days I will
> > deploy another CentOS 7 Samba member server with the standard
> > samba-4.4.4 rpm (without dc enabled) and join it to the Fedora AD DC
> > to manage data and users.
> > 
> > After installing bind dns and the newly rebuilt samba rpms, I
> > followed this howto to set up the AD:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > 
> > I used this samba-tool provisioning command:
> > 
> >   samba-tool domain provision --realm=solinos.loc --domain=solinos \
> >       --dns-backend=BIND9_DLZ --use-rfc2307 \
> >       --server-role=dc --function-level=2008_R2 \
> >       --use-xattr=yes
> > 
> > At this point, in this test environment, everything works fine: I can
> > manage users, groups and dns entries, I have joined some Windows
> > clients to it for testing, and the new samba users are recognised
> > from Linux:
> > 
> >   [root@fedora-addc ~]# id ospite
> >   uid=3000017(SOLINOS\ospite) gid=100(users)
> >   groups=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)
> > 
> 
> This is ONLY on the Samba AD DC, when you come to setup a Unix domain
> member you will need to set it up so that the OS can recognise the AD
> users, all the info is the wiki.
> 
> > Now my question is:
> > 
> > Are there other things I must do on the AD DC?
> 
> Only if you are going to use the DC as a fileserver as well.
> 
> > 
> > Which parameters is it better to add to smb.conf?
> 
> Do not add anything until you have researched it properly and only then
> if you are 100% sure you need it and you probably don't need to add
> anything.
> 
> > 
> > Why is administrator mapped like root?:
> > 
> >   [root@fedora-addc ~]# id administrator
> >   uid=0(root) gid=0(root) groups=0(root)
> 
> So that Administrator can do the things that root can do.
> 
> > 
> > and if I add administrator to "Domain Admins" nothing changes
> 
> That was a waste of time, Administrator was already a member of Domain
> Admins.
> 
> >   # samba-tool group addmembers 'Domain Admins' Administrator
> >   # samba-tool group listmembers 'Domain Admins'
> >   Administrator
> >   # id administrator
> >   uid=0(root) gid=0(root) groups=0(root)
> > 
> > Please, let me know, this is my first samba AD-DC + samba AD member
> > server implementation, and tomorrow I must deploy it all onto
> > production servers.
> > 
> 
> You seem to be doing okay at the moment, next stop the Unix domain
> member ;-)

Thanks Rowland, then the AD-DC is ok.
This little virtual server (3Gb of disk) must do only the DNS and AD-DC for my network.

However I would like to enable also the DHCP service, and I think it's right to activate it on this server.

What is the best way to do so?
Is it possible to enable ISC DHCP and have it automatically update the AD-DC zone, in this case the solinos.loc zone?

Let me know some suggestions. Thanks

Now I'll try to set up a samba domain member and join it to this AD-DC.

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
On Tue, 25 Apr 2017 15:09:55 +0200
Dario Lesca via samba <samba at lists.samba.org> wrote:

> Thanks Rowland, then the AD-DC is ok.
> This little virtual server (3Gb of disk) must do only the DNS and
> AD-DC for my network.
> 
> However I would like to enable also the DHCP service, and I think it's
> right to activate it on this server.
> 
> What is the best way to do so?

Well you could always do it the way I have been doing it for the last 5
years, see here:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Rowland
On Tue, 25/04/2017 at 14:36 +0100, Rowland Penny via samba wrote:
> On Tue, 25 Apr 2017 15:09:55 +0200
> Dario Lesca via samba <samba at lists.samba.org> wrote:
> 
> > Thanks Rowland, then the AD-DC is ok.
> > This little virtual server (3Gb of disk) must do only the DNS and
> > AD-DC for my network.
> > 
> > However I would like to enable also the DHCP service, and I think
> > it's right to activate it on this server.
> > 
> > What is the best way to do so?
> 
> Well you could always do it the way I have been doing it for the last
> 5 years, see here:
> 
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> 
> Rowland

Ok, thanks. Tomorrow I'll try this procedure for DHCP.

Other questions:
Where is the better place to set:
- logon script = netlogon.bat and other logon options
- wins support = yes
- load printers = yes
on the AD-DC or on the member server?

Then. I have joined a samba server to the AD with success.
This is my member server smb.conf:

  [global]
      workgroup = SOLINOS
      password server = fedora-addc.solinos.loc
      realm = SOLINOS.LOC
      security = ads
      ; idmap config * : range = 16777216-33554431
      template homedir = /home/%U
      template shell = /bin/bash
      kerberos method = secrets only
      winbind use default domain = true
      winbind offline logon = false
      winbind enum users = yes
      winbind enum groups = yes
      store dos attributes = yes
      client signing = yes
      client use spnego = yes
      idmap config * : backend = tdb
      idmap config * : range = 10000-99999
      idmap config solinos:backend = rid
      idmap config solinos:range = 100000-199999
      idmap config solinos:schema_mode = rfc2307

This is my /etc/krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = SOLINOS.LOC
   dns_lookup_realm = false
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   rdns = false
   default_ccache_name = KEYRING:persistent:%{uid}

  [realms]
   SOLINOS.LOC = {
  #  kdc = fedora-addc.solinos.loc
    admin_server = fedora-addc.solinos.loc
    kdc = fedora-addc.solinos.loc
   }

  [domain_realm]
   solinos.loc = SOLINOS.LOC
   .solinos.loc = SOLINOS.LOC

Is it all correct? Do you have some suggestions to improve the configuration?

I started with "idmap config * : range = 16777216-33554431" (now commented out), then I changed it to the new per-domain value.
Must I reset some cache? How do I reset the local IDs?
If I check, the user still has the old id mapping (I believe):

  # id ospite
  uid=16777216(ospite) gid=16777216(domain users) groups=16777216(domain users),10001(BUILTIN\users)

Is this correct? (I believe not)

Thanks for replying

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
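The idmap section of the smb.conf above is where a member server's UID/GID stability is decided: winbind allocates IDs from the configured ranges, the ranges must not overlap, and an ID that falls in no active range (like the 16777216 shown by `id ospite`, which lies in the commented-out range only) cannot have come from the current configuration. The following Python is an added example, not part of the thread or of Samba: it parses the `idmap config` lines out of an smb.conf fragment, flags overlapping ranges and options that belong to a different backend, and reports which range a given ID belongs to. The second config fragment is constructed to show what an overlap looks like.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the idmap lines of the member-server [global] section
# posted above; the commented-out range is kept to show that it is ignored.
SMB_CONF = """
[global]
    workgroup = SOLINOS
    security = ads
    ; idmap config * : range = 16777216-33554431
    idmap config * : backend = tdb
    idmap config * : range = 10000-99999
    idmap config solinos:backend = rid
    idmap config solinos:range = 100000-199999
    idmap config solinos:schema_mode = rfc2307
"""

# Constructed counter-example: a default range that overlaps the domain range.
OVERLAPPING_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 10000-150000
    idmap config solinos : backend = rid
    idmap config solinos : range = 100000-199999
"""

IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)$",
    re.IGNORECASE,
)

# Options documented by idmap_ad(8); the rid backend reads no schema at all.
AD_ONLY_OPTIONS = {"schema_mode", "unix_nss_info", "unix_primary_group"}


def parse_idmap(text: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOM : opt = val' per domain, skipping ';'/'#' comments."""
    conf: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = IDMAP_RE.match(line)
        if m:
            conf.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = m["val"].strip()
    return conf


def parse_range(val: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in val.split("-", 1))
    if lo >= hi:
        raise ValueError(f"empty idmap range {val!r}")
    return lo, hi


def check_idmap(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; empty means the ranges are disjoint and sane."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in conf.items():
        backend = opts.get("backend", "")
        for opt in opts:
            if opt in AD_ONLY_OPTIONS and backend != "ad":
                problems.append(f"{dom}: '{opt}' is an idmap_ad option, backend here is '{backend}'")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
    if "*" not in ranges:
        problems.append("no default ('*') range: BUILTIN and foreign SIDs cannot be mapped")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:  # closed intervals intersect
                problems.append(f"ranges overlap: {a} {ranges[a]} vs {b} {ranges[b]}")
    return problems


def owner_of(conf: Dict[str, Dict[str, str]], xid: int) -> Optional[str]:
    """Which active range a uid/gid falls in; None means the ID was not
    allocated from the current configuration (stale cache or foreign source)."""
    for dom, opts in conf.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= xid <= hi:
                return dom
    return None


if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    for p in check_idmap(conf) or ["idmap config looks consistent"]:
        print(p)
    # The ids from the `id ospite` output in the post:
    for xid in (16777216, 10001):
        print(xid, "->", owner_of(conf, xid) or "no active range (stale mapping?)")
```

The overlap test matters because a UID that two backends both claim cannot be mapped back to a single SID, which is what file ownership and ACL checks on the member depend on; the `*` range also has to stay clear of every domain range because BUILTIN groups (10001 above) are allocated from it.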
On Tue, 25/04/2017 at 14:36 +0100, Rowland Penny via samba wrote:
> > However I would like to enable also the DHCP service, and I think
> > it's right to activate it on this server.
> > 
> > What is the best way to do so?
> 
> Well you could always do it the way I have been doing it for the last
> 5 years, see here:
> 
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

I have set up dhcp like the howto says, and this is the result:

Problem 1:
On Fedora the script put into /etc/dhcp/bin cannot work:

  # ls -ld /etc/ /etc/dhcp /etc/dhcp/bin/
  drwxr-xr-x. 93 root root 8192 25 apr 19.46 /etc/
  drwxr-x---.  4 root root  119 25 apr 16.13 /etc/dhcp
  drwxr-xr-x   2 root root   28 25 apr 16.06 /etc/dhcp/bin/

because the dhcpd daemon does not have the right to access the /etc/dhcp folder.

Solution 1:
I have moved the bin directory to /etc/samba and modified dhcpd.conf.

Problem 2:
At line 46 the script tests -f /etc/dhcp/dhcpduser.keytab but cannot access it because of the previous problem (inaccessible /etc/dhcp/ dir), then at line 47 it shows a misleading error message "Required keytab /etc/dhcpduser.keytab not found,".

Solution 2:
I have moved the dhcpduser.keytab file to /etc/samba and modified the script (see attachment).

Problem 3:
For some strange reason the krbcc ticket cache /tmp/dhcp-dyndns.cc is not readable by the dhcpd user; it has owner root:root and 600 access.

Solution 3:
I have added a specific error message to the shell script and removed it manually.

Problem 4:
The new ticket cache is not generated because the user dhcpd cannot execute kinit:

  # su - dhcpd -s /bin/bash
  -bash-4.3$ kinit -F -k -t /etc/samba/dhcpduser.keytab -c '/tmp/dhcp-dyndns.cc' 'dhcpduser@SOLINOS.LOC'
  kinit: Permission denied while initializing Kerberos 5 library
  -bash-4.3$

This problem is caused by access denied to /etc/krb5.conf
https://wiki.ncsa.illinois.edu/display/ITS/Kerberos+Troubleshooting+for+Unix#KerberosTroubleshootingforUnix-general

  # ll /etc/krb5.conf
  lrwxrwxrwx. 1 root root 32 25 apr 08.27 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf
  # ll /var/lib/samba/private/krb5.conf
  -rw-r--r--. 1 root root 92 25 apr 08.26 /var/lib/samba/private/krb5.conf
  # ll /var/lib/samba/private/ -d
  drwxr-x---. 8 root named 4096 26 apr 00.48 /var/lib/samba/private/

Solution 4:
I have removed the symbolic link and copied the samba krb5.conf directly to /etc.

Now, after these changes the dhcp script works, it can add the new DNS A record and bind the new name to the assigned IP.

  apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: Commit: IP: 10.11.12.100 DHCID: 1:52:54:0:93:83:52 Name: centos7
  apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[0] = /etc/samba/bin/dhcp-dyndns.sh
  apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[1] = add
  apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[2] = 10.11.12.100
  apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[3] = 1:52:54:0:93:83:52
  apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[4] = centos7
  apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: starting transaction on zone solinos.loc
  apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: allowing update of signer=dhcpduser\@SOLINOS.LOC name=centos7.solinos.loc tcpaddr=127.0.0.1 type=A key=3307522444.sig-fedora-addc.solinos.loc/160/0
  apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: allowing update of signer=dhcpduser\@SOLINOS.LOC name=centos7.solinos.loc tcpaddr=127.0.0.1 type=A key=3307522444.sig-fedora-addc.solinos.loc/160/0
  apr 26 00:58:21 fedora-addc.solinos.loc named[901]: client 127.0.0.1#33191/key dhcpduser\@SOLINOS.LOC: updating zone 'solinos.loc/NONE': deleting rrset at 'centos7.solinos.loc' A
  apr 26 00:58:21 fedora-addc.solinos.loc named[901]: client 127.0.0.1#33191/key dhcpduser\@SOLINOS.LOC: updating zone 'solinos.loc/NONE': adding an RR at 'centos7.solinos.loc' A 10.11.12.100
  apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: added rdataset centos7.solinos.loc 'centos7.solinos.loc. 3600 IN A 10.11.12.100'
  apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: subtracted rdataset solinos.loc 'solinos.loc. 3600 IN SOA fedora-addc.solinos.loc. hostmaster.solinos.loc. 9 900 600 86400 3600'
  apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: added rdataset solinos.loc 'solinos.loc. 3600 IN SOA fedora-addc.solinos.loc. hostmaster.solinos.loc. 10 900 600 86400 3600'
  apr 26 00:58:22 fedora-addc.solinos.loc named[901]: samba_dlz: committed transaction on zone solinos.loc
  apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1946]: DHCP-DNS Update failed: 02
  apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1499]: execute: /etc/samba/bin/dhcp-dyndns.sh exit status 512
  apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1499]: DHCPREQUEST for 10.11.12.100 from 52:54:00:93:83:52 (centos7) via ens3
  apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1499]: DHCPACK on 10.11.12.100 to 52:54:00:93:83:52 (centos7) via ens3

  [root@fedora-addc ~]# host centos7.solinos.loc
  centos7.solinos.loc has address 10.11.12.100
  [root@fedora-addc ~]# host 10.11.12.100
  Host 100.12.11.10.in-addr.arpa. not found: 3(NXDOMAIN)

But the procedure fails to add the PTR record for the new IP.
It seems I have a DNS problem with the reverse zone.

  # host 10.11.12.200    #(AD-DC IP)
  Host 200.12.11.10.in-addr.arpa. not found: 3(NXDOMAIN)

  # samba-tool dns zonelist $(hostname)
    2 zone(s) found

    pszZoneName                 : solinos.loc
    Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
    Version                     : 50
    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
    pszDpFqdn                   : DomainDnsZones.solinos.loc

    pszZoneName                 : _msdcs.solinos.loc
    Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
    Version                     : 50
    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
    pszDpFqdn                   : ForestDnsZones.solinos.loc

I have tried to create the missing reverse zone:

  # samba-tool dns zonecreate $(hostname) 12.11.10.in-addr.arpa
  Zone 12.11.10.in-addr.arpa created successfully

But now the error when dhcp updates dns is:

  apr 26 01:31:35 fedora-addc.solinos.loc named[901]: client 127.0.0.1#36099/key dhcpduser\@SOLINOS.LOC: updating zone '10.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)

Can someone help me find what the problem is and how to resolve it?

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
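Problems 1 to 4 above are all the same fault seen from four places: the script runs as the unprivileged dhcpd user, and a process needs search (x) permission on every directory in a path before the permissions of the file itself matter, so `/etc/dhcp` (0750 root:root) hides the script and the keytab, and `/var/lib/samba/private` (0750 root:named) hides the krb5.conf the symlink points at, which is why kinit fails before it ever reads the keytab. The following Python is an added example, not code from the thread or from the wiki script: it parses the `ls -ld` lines quoted in the post, replays the kernel's discretionary path walk for a given user, and names the first component that blocks access. The `/tmp/dhcp-dyndns.cc` line is constructed from the description in Problem 3, directories that do not appear in the listing are assumed searchable, and the group memberships of dhcpd and named are assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, Optional, Set, Tuple

# Listing built from the `ls -ld`/`ll` output in the post above. The last line
# is constructed from the description of /tmp/dhcp-dyndns.cc (root:root, 0600).
LS_OUTPUT = """
drwxr-xr-x. 93 root root 8192 25 apr 19.46 /etc/
drwxr-x---. 4 root root 119 25 apr 16.13 /etc/dhcp
drwxr-xr-x 2 root root 28 25 apr 16.06 /etc/dhcp/bin/
lrwxrwxrwx. 1 root root 32 25 apr 08.27 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf
-rw-r--r--. 1 root root 92 25 apr 08.26 /var/lib/samba/private/krb5.conf
drwxr-x---. 8 root named 4096 26 apr 00.48 /var/lib/samba/private/
-rw-------. 1 root root 0 26 apr 00.50 /tmp/dhcp-dyndns.cc
"""

# mode[.|+], links, owner, group, size, three date/time tokens, path [-> target]
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"(?:\S+\s+){3}(?P<path>\S+?)/?(?:\s+->\s+(?P<target>\S+))?$"
)


@dataclass
class Entry:
    mode: str                      # 10-char ls mode, e.g. 'drwxr-x---'
    owner: str
    group: str
    target: Optional[str] = None   # symlink target, if this is a symlink


@dataclass
class Identity:
    name: str
    groups: Set[str]               # primary plus supplementary group names
    is_root: bool = False


def parse_ls(text: str) -> Dict[str, Entry]:
    entries: Dict[str, Entry] = {}
    for line in text.strip().splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ls -l line: {line!r}")
        entries[m["path"]] = Entry(m["mode"], m["owner"], m["group"], m["target"])
    return entries


def bits_for(entry: Entry, who: Identity) -> str:
    """The rwx triple that applies to `who`: owner, group or other class."""
    if who.name == entry.owner:
        return entry.mode[1:4]
    if entry.group in who.groups:
        return entry.mode[4:7]
    return entry.mode[7:10]


def allows(triple: str, want: str) -> bool:
    # setuid/setgid/sticky show as s/t when x is set and S/T when it is not
    return triple[2] in "xst" if want == "x" else want in triple


def can_access(entries: Dict[str, Entry], path: str, who: Identity,
               want: str = "r", _depth: int = 0) -> Tuple[bool, str]:
    """Emulate the DAC path walk: every ancestor directory needs search (x)
    permission and the final component needs `want`; symlinks are followed.
    Directories absent from the listing are assumed searchable (an assumption
    of this example). Returns (allowed, first blocking reason)."""
    if who.is_root:
        return True, "root bypasses DAC"
    if _depth > 8:
        return False, "too many levels of symbolic links"
    p = PurePosixPath(path)
    for parent in reversed(p.parents):
        ent = entries.get(str(parent))
        if ent and not allows(bits_for(ent, who), "x"):
            return False, f"{parent} is {ent.mode} {ent.owner}:{ent.group}: no search (x) permission for {who.name}"
    ent = entries.get(str(p))
    if ent is None:
        return False, f"{p} not in listing"
    if ent.target:
        return can_access(entries, ent.target, who, want, _depth + 1)
    if not allows(bits_for(ent, who), want):
        return False, f"{p} is {ent.mode} {ent.owner}:{ent.group}: no '{want}' permission for {who.name}"
    return True, "ok"


if __name__ == "__main__":
    ents = parse_ls(LS_OUTPUT)
    dhcpd = Identity("dhcpd", {"dhcpd"})
    for path, want in (("/etc/dhcp/bin", "x"), ("/etc/dhcp/dhcpduser.keytab", "r"),
                       ("/etc/krb5.conf", "r"), ("/tmp/dhcp-dyndns.cc", "r")):
        print(path, *can_access(ents, path, dhcpd, want))
```

Two caveats when applying the fix. Copying krb5.conf to /etc is harmless (it is 0644 anyway), but the keytab is the credential that signs DNS updates for the zone, so after moving it out of /etc/dhcp it should be owned by dhcpd with mode 0400 rather than made readable through a more open directory. And the trailing '.' in the mode column means SELinux labels are in force on this Fedora host: the walk above models only the classic permission bits, so a denial can still come from the policy after DAC is satisfied, and `ausearch -m avc` is the place to look for that.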
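The NOTAUTH at the end of the post is named refusing an update for zone '10.IN-ADDR.ARPA', while the zone that was just created with samba-tool is 12.11.10.in-addr.arpa; named only accepts a dynamic update for a zone it is authoritative for, so the first thing to verify is which zone name the update carries. The following Python is an added example, not the wiki's dhcp-dyndns.sh (whose internals are not shown in the thread): it derives the PTR owner name and the classful reverse zone for a lease, checks the derived zone against the one the log reports, and emits an nsupdate batch that names both zones explicitly, so that an error from named can only refer to the zone that was asked for. The /24 prefix, the server address 127.0.0.1 and the 3600 TTL are assumptions.

```python
import ipaddress
from typing import List


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an address, e.g. 100.12.11.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone(network: str) -> str:
    """The in-addr.arpa zone that holds the PTRs of an IPv4 network whose prefix
    length is a multiple of 8. Classless (RFC 2317) delegations are out of scope."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def same_zone(a: str, b: str) -> bool:
    """Zone names compare case-insensitively and regardless of the trailing dot."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def nsupdate_batch(server: str, fqdn: str, ip: str, network: str, ttl: int = 3600) -> List[str]:
    """Input lines for `nsupdate -g` (GSS-TSIG) that replace the A record and
    the PTR record. Each update names its zone explicitly, so a NOTAUTH from
    named refers to the zone we asked for rather than one nsupdate derived
    from an SOA lookup of its own."""
    fwd_zone = fqdn.split(".", 1)[1] + "."
    ptr = ptr_name(ip)
    return [
        f"server {server}",
        f"zone {fwd_zone}",
        f"update delete {fqdn}. A",
        f"update add {fqdn}. {ttl} A {ip}",
        "send",
        f"zone {reverse_zone(network)}",
        f"update delete {ptr} PTR",
        f"update add {ptr} {ttl} PTR {fqdn}.",
        "send",
    ]


if __name__ == "__main__":
    # Values from the post: the lease for centos7, the zone created with
    # `samba-tool dns zonecreate`, and the zone named in the NOTAUTH log line.
    created = "12.11.10.in-addr.arpa"
    attempted = "10.IN-ADDR.ARPA"
    derived = reverse_zone("10.11.12.0/24")          # /24 is an assumption
    print("zone derived for the lease :", derived)
    print("matches the created zone   :", same_zone(derived, created))
    print("log's zone matches created :", same_zone(attempted, created))
    print("\n".join(nsupdate_batch("127.0.0.1", "centos7.solinos.loc",
                                   "10.11.12.100", "10.11.12.0/24")))
```

Sending the forward and reverse updates as two separate transactions is deliberate: a single `send` that touches two zones is rejected, and a failure on the PTR then does not undo the A record, which matches what the dhcpd log shows (the A record committed, the PTR did not).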