Hi Rowland,

many thanks for your help,

On Wed, Nov 08, 2017 at 11:00:59AM +0000, Rowland Penny wrote:
> On Wed, 8 Nov 2017 11:18:10 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
>
> > =======
> > open-ldap:
> > ...
> > --------
> > /etc/resolv.conf
> > search core.mydomain.hu
> > nameserver 127.0.0.1
> > nameserver 10.10.10.1
>
> You would be better using the DCs IP address rather than '127.0.0.1'.
> You should also remove '10.10.0.1', it doesn't seem to be a DC.

yes, that's the forwarder (see in smb.conf). Most documents mention that you keep it in resolv.conf.

> > --------
> > /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >     netbios name = OPEN-LDAP
> >     realm = CORE.MYDOMAIN.HU
> >     workgroup = CORE
> >     dns forwarder = 10.10.10.1
> >     server role = active directory domain controller
> >     idmap_ldb:use rfc2307 = yes
> >
> >     log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> >     ntlm auth = yes
> >     lanman auth = yes
> >     client ntlmv2 auth = yes
>
> I would investigate upgrading security on the clients, rather than
> turning it down on the DC

I'm sorry, what do you think about exactly?

> >     server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
>
> The above line contains all the defaults, so you can remove it.

ok, I just missed removing it, I just tested it... now I removed it.

> > =======
> > open-ldap2:
> > ...

everything is done,

> > =======
> > client:
> >
> > --------
> > /etc/krb5.conf
>
> The krb5.conf only needs to match the ones on the DCs, so you don't
> need all of the following.

does it mean that the krb5.conf should be empty?

> > --------
> > /etc/samba/smb.conf
> >
> > [global]
> >
> >     workgroup = CORE
> >     security = ads
> >     realm = CORE.MYDOMAIN.HU
> >     idmap config * : backend = tdb
> >     idmap config * : range = 3000-7999
>
> Are you using sssd ?

no,

> If not, good, but you need to READ all of this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I've followed this page (maybe I forgot something - I'll review it again)

> and probably this:
>
> https://wiki.samba.org/index.php/Idmap_config_rid

I'm afraid I don't need that :)

> You are trying to put EVERYTHING into the '*' domain, this is wrong.

right,

> >     syslog = 0
> >     panic action = /usr/share/samba/panic-action %d
> >
> >     server role = standalone server
>
> Oh no it's not, it is a Unix domain member, remove the above line.

ok, removed,

> >     passdb backend = tdbsam
> >     obey pam restrictions = yes
> >     unix password sync = yes
>
> You CANNOT have a user in /etc/passwd and in AD with the same username,
> so you cannot have the above line.

this condition is met - line removed,

> > [homes]
> >     comment = Home Directories
> >     browseable = no
> >     read only = yes
> >     create mask = 0700
> >     directory mask = 0700
> >     valid users = %S
> >
> > [printers]
> >     comment = All Printers
> >     browseable = no
> >     path = /var/spool/samba
> >     printable = yes
> >     guest ok = no
> >     read only = yes
> >     create mask = 0700
> >
> > [print$]
> >     comment = Printer Drivers
> >     path = /var/lib/samba/printers
> >     browseable = yes
> >     read only = yes
> >     guest ok = no
>
> You would be better setting the permissions from windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I don't want to build the fileserver, I just need the user management - these blocks stayed from the previous install.

> > Sorry again for the confusing post.
>
> No problem, just don't refer to your first DC as a 'PDC' again, it just
> confuses things, every DC is equal ;-)

yes, in the meantime I've discussed it with a Windows engineer, he said that there aren't primary and backup roles.

Thanks again, I'll review the client config, and check it again.

Just one thing remains: what do you mean here:

> I would investigate upgrading security on the clients, rather
> than turning it down on the DC

and is an empty krb5.conf file on the client enough?

Regards,

a.
See inline comments, extraneous lines removed from post:

On Wed, 8 Nov 2017 12:43:16 +0100
Ervin Hegedüs <airween at gmail.com> wrote:

> > You would be better using the DCs IP address rather than '127.0.0.1'.
> > You should also remove '10.10.0.1', it doesn't seem to be a DC.
>
> yes, that's the forwarder (see in smb.conf). Most documents
> mention that you keep it in resolv.conf.

And most documents get it wrong. The DC is a DNS server and your
clients should use it as their nameserver. Your DC should forward
anything unknown to the nameserver that is set in the DCs smb.conf if
using the internal DNS server, or in the named conf files if using
Bind9.

> > > --------
> > > /etc/samba/smb.conf
> > > # Global parameters
> > > [global]
> > >     netbios name = OPEN-LDAP
> > >     realm = CORE.MYDOMAIN.HU
> > >     workgroup = CORE
> > >     dns forwarder = 10.10.10.1
> > >     server role = active directory domain controller
> > >     idmap_ldb:use rfc2307 = yes
> > >
> > >     log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > >     ntlm auth = yes
> > >     lanman auth = yes
> > >     client ntlmv2 auth = yes
> >
> > I would investigate upgrading security on the clients, rather than
> > turning it down on the DC
>
> I'm sorry, what do you think about exactly?

You have set 'ntlm auth = yes' in the smb.conf, this means your clients
can use NTLMv1, this is insecure. You would be better off removing this
line and then making your clients use NTLMv2 (at least) by default.

> > > =======
> > > client:
> > >
> > > --------
> > > /etc/krb5.conf
> >
> > The krb5.conf only needs to match the ones on the DCs, so you don't
> > need all of the following.
>
> does it mean that the krb5.conf should be empty?

No, the /etc/krb5.conf on all the machines needs to be only this:

[libdefaults]
    default_realm = CORE.MYDOMAIN.HU
    dns_lookup_realm = false
    dns_lookup_kdc = true

> > If not, good, but you need to READ all of this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> I've followed this page (maybe I forgot something - I'll review it
> again)
>
> > and probably this:
> >
> > https://wiki.samba.org/index.php/Idmap_config_rid
>
> I'm afraid I don't need that :)

Yes you do :)
winbind needs to map your windows users & groups to Unix IDs in the
'CORE' domain, not the '*' domain. The '*' domain is reserved for the
well known SIDs and anything outside the 'CORE' domain.

> I don't want to build the fileserver, I just need the user
> management - these blocks stayed from the previous install.

Then why have the Unix domain member ???

> > > Sorry again for the confusing post.
> >
> > No problem, just don't refer to your first DC as a 'PDC' again, it
> > just confuses things, every DC is equal ;-)
>
> yes, in the meantime I've discussed it with a Windows engineer, he said
> that there aren't primary and backup roles.

There were Primary and Backup roles, but this was with NT4-style domains.

> Just one thing remains: what do you mean here:
>
> > I would investigate upgrading security on the clients, rather
> > than turning it down on the DC
>
> and is an empty krb5.conf file on the client enough?

Hopefully I have answered these questions above.

Rowland
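To make the smb.conf points in Rowland's reply checkable, here is a small Python audit added by the editor (it is not code from the thread or from the Samba project). It parses the DC and member configurations quoted in this thread, constructed here as strings, and reports the settings under discussion: `ntlm auth = yes` and `lanman auth = yes` on the DC, and on the member the `server role` line that contradicts `security = ads`, `unix password sync = yes`, and the missing `idmap config CORE : backend`. The "fixed member" config adds a rid backend for CORE; its 10000-999999 range is a made-up example value, not something from the thread.

```python
"""Audit an smb.conf for the settings discussed in this thread.

Editor-added example; not code from the thread or from the Samba project.
The three configs below are constructed from the ones quoted in the thread.
"""
import configparser
import io
import re

# Constructed from the DC config posted by Ervin (trimmed to the relevant keys).
DC_SMB_CONF = """\
[global]
    netbios name = OPEN-LDAP
    realm = CORE.MYDOMAIN.HU
    workgroup = CORE
    dns forwarder = 10.10.10.1
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    ntlm auth = yes
    lanman auth = yes
    client ntlmv2 auth = yes
"""

# Constructed from the client config posted by Ervin, before Rowland's fixes.
MEMBER_SMB_CONF = """\
[global]
    workgroup = CORE
    security = ads
    realm = CORE.MYDOMAIN.HU
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    server role = standalone server
    passdb backend = tdbsam
    unix password sync = yes
    panic action = /usr/share/samba/panic-action %d
"""

# Constructed: the member config with the thread's fixes applied and a rid
# backend for CORE (the 10000-999999 range is a made-up example value).
FIXED_MEMBER_SMB_CONF = """\
[global]
    workgroup = CORE
    security = ads
    realm = CORE.MYDOMAIN.HU
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CORE : backend = rid
    idmap config CORE : range = 10000-999999
"""

YES = ("yes", "true", "1")


def _norm_key(key):
    # smb.conf keys are case-insensitive; 'idmap config X : backend' may be
    # written with or without spaces around the colon.
    return re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))


def parse_smb_conf(text):
    """Return {section: {normalised key: value}} for an smb.conf string."""
    # Only '=' separates key and value: smb.conf keys themselves contain ':'.
    # Interpolation is off so '%d' style values do not trip configparser.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    # Strip indentation so configparser does not treat lines as continuations.
    parser.read_file(io.StringIO("\n".join(l.strip() for l in text.splitlines())))
    return {s.lower(): {_norm_key(k): v.strip() for k, v in parser.items(s)}
            for s in parser.sections()}


def audit_smb_conf(text):
    """Return a list of findings; an empty list means none of the thread's points apply."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    role = g.get("server role", "").lower()
    # NTLMv1 and LANMAN responses are accepted when these are 'yes'.
    if g.get("ntlm auth", "").lower() in YES:
        findings.append("ntlm auth = yes: NTLMv1 accepted; remove it and move clients to NTLMv2")
    if g.get("lanman auth", "").lower() in YES:
        findings.append("lanman auth = yes: LANMAN responses accepted; remove it")
    if g.get("security", "").lower() == "ads":
        # A host joined with security = ads is a domain member; no other role fits.
        if role and "member" not in role:
            findings.append(f"server role = {g['server role']} contradicts security = ads; remove it")
        if g.get("unix password sync", "").lower() in YES:
            findings.append("unix password sync = yes: AD users must not also exist in /etc/passwd")
        wg = g.get("workgroup", "")
        if wg and f"idmap config {wg.lower()}:backend" not in g:
            findings.append(f"no 'idmap config {wg} : backend': domain users would land in the '*' range")
    return findings


if __name__ == "__main__":
    for name, conf in (("DC", DC_SMB_CONF), ("member", MEMBER_SMB_CONF),
                       ("fixed member", FIXED_MEMBER_SMB_CONF)):
        print(f"{name}: {audit_smb_conf(conf) or ['ok']}")
```

Run it directly to see the findings for the three embedded configs, or call `audit_smb_conf()` on the contents of a real smb.conf. The check list is limited to what the thread raises; it is not a general smb.conf linter.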
Hi Rowland,

On Wed, Nov 08, 2017 at 12:12:20PM +0000, Rowland Penny wrote:
> On Wed, 8 Nov 2017 12:43:16 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
>
> > > You would be better using the DCs IP address rather than '127.0.0.1'.
> > > You should also remove '10.10.0.1', it doesn't seem to be a DC.
> >
> > yes, that's the forwarder (see in smb.conf). Most documents
> > mention that you keep it in resolv.conf.
>
> And most documents get it wrong. The DC is a DNS server and your
> clients should use it as their nameserver. Your DC should forward
> anything unknown to the nameserver that is set in the DCs smb.conf if
> using the internal DNS server, or in the named conf files if using
> Bind9.

right, I've removed it, now all DCs use only themselves as nameserver.

> > > > /etc/samba/smb.conf
> > > > # Global parameters
> > > > [global]
> > > >     netbios name = OPEN-LDAP
> > > >     realm = CORE.MYDOMAIN.HU
> > > >     workgroup = CORE
> > > >     dns forwarder = 10.10.10.1
> > > >     server role = active directory domain controller
> > > >     idmap_ldb:use rfc2307 = yes
> > > >
> > > >     log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > > >     ntlm auth = yes
> > > >     lanman auth = yes
> > > >     client ntlmv2 auth = yes
> > >
> > > I would investigate upgrading security on the clients, rather than
> > > turning it down on the DC
> >
> > I'm sorry, what do you think about exactly?
>
> You have set 'ntlm auth = yes' in the smb.conf, this means your clients
> can use NTLMv1, this is insecure. You would be better off removing this
> line and then making your clients use NTLMv2 (at least) by default.

well, this line needs some clarification - see below

> > > > =======
> > > > client:
> > > >
> > > > --------
> > > > /etc/krb5.conf
> > >
> > > The krb5.conf only needs to match the ones on the DCs, so you don't
> > > need all of the following.
> >
> > does it mean that the krb5.conf should be empty?
>
> No, the /etc/krb5.conf on all the machines needs to be only this:
>
> [libdefaults]
>     default_realm = CORE.MYDOMAIN.HU
>     dns_lookup_realm = false
>     dns_lookup_kdc = true

right,

> > > and probably this:
> > >
> > > https://wiki.samba.org/index.php/Idmap_config_rid
> >
> > I'm afraid I don't need that :)
>
> Yes you do :)

no, I don't :)

> winbind needs to map your windows users & groups to Unix IDs in the
> 'CORE' domain, not the '*' domain. The '*' domain is reserved for the
> well known SIDs and anything outside the 'CORE' domain.

there will _not_ be any Linux user - see below :)

> > I don't want to build the fileserver, I just need the user
> > management - these blocks stayed from the previous install.
>
> Then why have the Unix domain member ???

so, the directory service is needed because we have a captive portal, to authenticate users for several services - e.g. network access, network groups. But only for these. There will _not_ be any file sharing.

The current device (Aruba) can authenticate only if ntlm auth = yes has been turned on (but I'll check it again, maybe ntlmv2 is enough).

We configured the CP to use this AD. We joined the devices to the domain, set up both DCs. Then when I turned off the "first" DC (which isn't the PDC :), I just installed and configured it first), the auth service stopped working. The device doesn't use the backup server (in the device config we see "Backup device" - I'm sorry).

So, I asked the provider for a "client" machine, which is a Linux (I prefer Linux), and this is the open-client. Now I'd like to test the redundant work of both DCs, and that's why I don't need any Linux user, user mapping, or any other specific things.

There will be thousands of users, everyone has a login and a password. Connected to WiFi/eth LAN with 802.1x, and use the network.

> Hopefully I have answered these questions above.

yes, thank you for all of your help again.
I left the domain (from the client), and re-joined again, but now I got this message:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- CORE
Joined 'OPEN-CLIENT' to dns domain 'core.mydomain.hu'
DNS Update for open-client.core.mydomain.hu failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

# wbinfo --ping-dc
checking the NETLOGON for domain[CORE] dc connection to "open-ldap.core.mydomain.hu" succeeded

# ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
NT_STATUS_OK: Success (0x0)

# ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
NT_STATUS_OK: Success (0x0)

# ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

# ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

so, looks like it works.

# net ads status

gives a very long output.

And wbinfo gives only open-ldap as DC:

# wbinfo --dsgetdcname=CORE
open-ldap.core.mydomain.hu
\\10.10.20.202
1
37241698-63dd-40d5-805b-d83f4a35223a
core.mydomain.hu
core.mydomain.hu
0xe00013fd
Default-First-Site-Name
Default-First-Site-Name

# wbinfo --getdcname=CORE
OPEN-LDAP

# wbinfo -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication succeeded

# wbinfo -a abc_airween%WRONGPASS
plaintext password authentication failed
Could not authenticate user abc_airween%WRONGPASS with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user abc_airween with challenge/response

At this point I made open-ldap (the first server) unreachable, and the result of the command above:

# time wbinfo -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication failed
Could not authenticate user abc_airween with challenge/response

real    1m2.640s
user    0m0.012s
sys     0m0.000s

it waits 1 minute, and then I get the message.

When I turned off open-ldap2, and open-ldap works, then wbinfo -a returns with success, but only after 30 seconds.

So, looks like something is still wrong - maybe I'm using wbinfo in a wrong way?

What should I do so that the auth method still works when a DC is kicked out?

a.
On 2017-11-08 at 13:12, Rowland Penny via samba wrote:

> And most documents get it wrong. The DC is a DNS server and your
> clients should use it as their nameserver. Your DC should forward
> anything unknown to the nameserver that is set in the DCs smb.conf if
> using the internal DNS server, or in the named conf files if using
> Bind9.

additional question here as I also prepare to deploy a 2nd DC at one site:

right now I tell the clients to use these as DNSs (via DHCP):

samba-DC, DNS on router to internet, one DNS upstream (just in case, maybe stupid)

with additional DCs I assume I would have to list the DCs as well as DNSs, to make sure DNS (in terms of AD *and* "normal" DNS) still works in case the first DC is unreachable?

Stefan
Hai Stefan,

What happens on the DC itself.

The DNS `CLIENT queries` (resolving) go through /etc/resolv.conf and use these settings, for example `ping www.google.nl` from the DC command line.

The PCs in the LAN use the DC's DNS but NOT the /etc/resolv.conf of the DC. That uses the DNS server settings: internal samba uses the forward setting in smb.conf, or bind9_dlz + samba uses the forward setting in bind.

Now you know this.

(DC1) /etc/resolv.conf
search ADDC.domain.TLD externaldomain.tld
nameserver IP_OF_DC1            (and not localhost/127.0.0.1)
nameserver IP_of_your_gateway
nameserver IP_of_anyother_dns

Now adding a second DC. DC1 changes a bit.

(DC1) /etc/resolv.conf
search ADDC.domain.TLD externaldomain.tld
nameserver IP_OF_DC1
nameserver IP_OF_DC2
nameserver IP_of_anyother_dns

(DC2) /etc/resolv.conf
search ADDC.domain.TLD externaldomain.tld
nameserver IP_OF_DC2
nameserver IP_OF_DC1
nameserver IP_of_anyother_dns

And set your client PCs' DNS to the DCs.

Results in:
1) if DC1 is down, DC2 is used.
2) if DC2 is down, DC1 is used.
3) if both DCs are down, the DC still has internet, clients not.

But without any DC, your network is in serious problem. The DC still has internet due to "nameserver IP_of_anyother_dns", and you need that when you're in trouble.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G. Weichinger via samba
> Sent: Wednesday 8 November 2017 14:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] DC's are unavailable when PDC halted
>
> On 2017-11-08 at 13:12, Rowland Penny via samba wrote:
>
> > And most documents get it wrong. The DC is a DNS server and your
> > clients should use it as their nameserver. Your DC should forward
> > anything unknown to the nameserver that is set in the DCs smb.conf if
> > using the internal DNS server, or in the named conf files if using
> > Bind9.
>
> additional question here as I also prepare to deploy a 2nd DC at one site:
>
> right now I tell the clients to use these as DNSs (via DHCP):
>
> samba-DC, DNS on router to internet, one DNS upstream (just in case,
> maybe stupid)
>
> with additional DCs I assume I would have to list the DCs as well as
> DNSs, to make sure DNS (in terms of AD *and* "normal" DNS) still works
> in case the first DC is unreachable?
>
> Stefan
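The resolv.conf layout Louis describes above, and the one Ervin posted earlier (127.0.0.1 first, then the forwarder), can be checked mechanically. The following Python is an editor-added example, not code from the thread or from the Samba project. It parses a DC's /etc/resolv.conf, reports the points raised in the thread (a loopback nameserver, the DC's own address not listed first, a missing peer DC, a non-DC nameserver ahead of a DC, and more than the three nameserver lines the glibc resolver reads), and renders the per-DC file Louis lays out. The addresses are constructed: 10.10.20.202 is open-ldap's address as shown by `wbinfo --dsgetdcname` in the thread, 10.10.20.203 is a made-up address for open-ldap2, and 10.10.10.1 is the forwarder from the posted smb.conf.

```python
"""Check a DC's /etc/resolv.conf against the layout Louis describes above.

Editor-added example; not code from the thread or from the Samba project.
Addresses and file contents are constructed: 10.10.20.202 is open-ldap's
address from the thread, 10.10.20.203 is a made-up address for open-ldap2,
and 10.10.10.1 is the forwarder from the posted smb.conf.
"""

REALM = "core.mydomain.hu"
DC_IPS = ["10.10.20.202", "10.10.20.203"]  # constructed: open-ldap, open-ldap2
GLIBC_MAXNS = 3  # the glibc resolver only consults the first three nameserver lines

# Constructed: the resolv.conf Ervin posted for open-ldap.
POSTED_RESOLV_CONF = """\
search core.mydomain.hu
nameserver 127.0.0.1
nameserver 10.10.10.1
"""

# Constructed: the same host laid out as Louis suggests (own DC, other DC, then a non-DC).
SUGGESTED_RESOLV_CONF = """\
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.203
nameserver 10.10.10.1
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) in file order; comments are ignored."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "nameserver" and len(parts) >= 2:
            nameservers.append(parts[1])
        elif keyword in ("search", "domain"):
            search.extend(p.lower().rstrip(".") for p in parts[1:])
    return nameservers, search


def check_dc_resolv_conf(text, own_ip, dc_ips, realm):
    """Findings for a DC's resolv.conf; an empty list means it matches the layout."""
    ns, search = parse_resolv_conf(text)
    findings = []
    if realm.lower() not in search:
        findings.append(f"search list lacks the AD domain {realm}")
    loopback = [n for n in ns if n.startswith("127.") or n == "::1"]
    if loopback:
        findings.append(f"loopback nameserver {loopback}: use the DC's own address instead")
    if not ns or ns[0] != own_ip:
        findings.append(f"first nameserver should be this DC's own address {own_ip}")
    missing = [ip for ip in dc_ips if ip != own_ip and ip not in ns]
    if missing:
        findings.append(f"other DC(s) not listed: {missing}")
    # Any non-DC resolver belongs after the DCs, so AD names are tried on a DC first.
    last_dc = max((i for i, n in enumerate(ns) if n in dc_ips), default=-1)
    early = [n for i, n in enumerate(ns) if n not in dc_ips and n not in loopback and i < last_dc]
    if early:
        findings.append(f"non-DC nameserver(s) {early} listed before a DC")
    if len(ns) > GLIBC_MAXNS:
        findings.append(f"{len(ns)} nameserver lines; glibc only uses the first {GLIBC_MAXNS}")
    return findings


def render_dc_resolv_conf(own_ip, dc_ips, realm, extra=()):
    """Build the resolv.conf Louis describes: own DC first, other DCs, then extras."""
    order = [own_ip] + [ip for ip in dc_ips if ip != own_ip] + list(extra)
    return f"search {realm}\n" + "".join(f"nameserver {ip}\n" for ip in order)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_RESOLV_CONF), ("suggested", SUGGESTED_RESOLV_CONF)):
        print(label, check_dc_resolv_conf(text, "10.10.20.202", DC_IPS, REALM) or ["ok"])
    print(render_dc_resolv_conf("10.10.20.203", DC_IPS, REALM, extra=["10.10.10.1"]))
```

This models only the DC's own resolver, which is what /etc/resolv.conf governs. As Louis points out, the Windows and Linux clients never read that file: they query the DC's DNS server, which forwards unknown names using `dns forwarder` in smb.conf (internal DNS) or the forwarders in the bind configuration (bind9_dlz).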