Hi Rowland,
I get the same error messages even with the following smb.conf, generated by the
migration process.
[global]
workgroup = LIN
realm = LIN.COM
netbios name = LINSERVER01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/log.%m
log level = 4
[netlogon]
path = /var/lib/samba/sysvol/lin.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Regards,
Praveen Ghimire
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
via samba
Sent: Monday, 6 May 2019 4:47 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Doman join issues
On Mon, 6 May 2019 02:51:18 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:
> From: Praveen Ghimire via samba <samba at lists.samba.org>
> To: "samba at lists.samba.org" <samba at lists.samba.org>
> Subject: [Samba] Doman join issues
> Date: Mon, 6 May 2019 02:51:18 +0000
> Reply-To: Praveen Ghimire <PGhimire at sundata.com.au>
> Sender: "samba" <samba-bounces at lists.samba.org>
>
> Hi,
>
> We are running a test migration on the following environment in
> preparation for the prod migration. Any suggestions will be greatly
> appreciated.
>
> OS: Ubuntu18.04
> Hypervisor: Proxmox Container (LXC)
> Samba Version 4.6.7
> DNS: BIND9_DLZ
> AD and File server in the same server. Have gone through the Samba
> documentation regarding this
Obviously not well enough, or the warnings are not obvious enough ;-)
> Smb.conf
>
> [global]
> workgroup = LIN
> realm = LIN.COM
> netbios name = LINSERVER01
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 4
> acl allow execute always = True
> server services = -dns
> allow dns updates = nonsecure
The above lines are okay for a DC
> winbind enum users = yes
> winbind enum groups = yes
The above lines just slow things down and should only be used for testing
purposes.
> winbind nss info = rfc2307
> idmap config * : backend = tdb
> idmap config * : range = 4000-7999
> idmap config LIN:backend = ad
> idmap config LIN:schema_mode = rfc2307
> idmap config LIN:range = 10000-999999
The above lines have no place on a DC, even if you are using it as a fileserver.
> We are seeing issues with winbind
>
> * winbind.service - Samba Winbind Daemon
>    Loaded: loaded (/lib/systemd/system/winbind.service; enabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Mon 2019-05-06 02:14:54 UTC; 22min ago
>      Docs: man:winbindd(8)
>            man:samba(7)
>            man:smb.conf(5)
>   Process: 145 ExecStart=/usr/sbin/winbindd --foreground --no-process-group $WINBINDOPTIONS (code=exited, status=1/FAILURE)
>  Main PID: 145 (code=exited, status=1/FAILURE)
>
> May 06 02:14:54 linserver01 systemd[1]: Starting Samba Winbind Daemon...
> May 06 02:14:54 linserver01 systemd[1]: winbind.service: Main process exited, code=exited, status=1/FAILURE
> May 06 02:14:54 linserver01 systemd[1]: winbind.service: Failed with result 'exit-code'.
> May 06 02:14:54 linserver01 systemd[1]: Failed to start Samba Winbind Daemon.
There is an obvious way to stop the above, stop trying to start winbind yourself
and allow Samba to do it for you.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
On Mon, 6 May 2019 07:35:07 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:
> Hi Rowland,
>
> I get the same error messages even with the following smb.conf,
> generated by the migration process.
>
> [global]
> workgroup = LIN
> realm = LIN.COM
> netbios name = LINSERVER01
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 4
> [netlogon]
> path = /var/lib/samba/sysvol/lin.com/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
Have you altered AD in anyway ?
Can you post the following files:
/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf
/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones
What user are you using to join the Windows machine ?
Rowland
Hi Rowland,
Haven't altered AD. The changes I made post the upgrade were around
apparmor (usr.sbin.named); I have included that in the email toward the end.
I have been using the domain administrator account for the domain join. Have run
kinit and it seems to be ok.
Also, saw an "id structure is invalid" message when trying to add to
the domain initially. A restart of the samba services seems to have fixed that.
Here are the details:
/etc/resolv.conf
search lin.com
nameserver 192.168.14.10
/etc/hostname
linserver01
/etc/hosts
127.0.0.1 localhost
192.168.14.10 linserver01.lin.com linserver01
/etc/krb5.conf
[libdefaults]
default_realm = lin.com
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
lin.com = {
kdc = linserver01
admin_server = linserver01
}
/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders { 8.8.8.8; 8.8.4.4; };
dnssec-validation no;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
/etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
/etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
host -t SRV _kerberos._udp.lin.com.
_kerberos._udp.lin.com has SRV record 0 100 88 linserver01.lin.com.
host -t SRV _ldap._tcp.lin.com.
_ldap._tcp.lin.com has SRV record 0 100 389 linserver01.lin.com.
host -t A linserver01.lin.com.
linserver01.lin.com has address 192.168.14.10
/var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
# For BIND 9.11.x
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
Added the following to apparmor.d/usr.sbin.named
/var/lib/samba/private/krb5.conf r,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/usr/lib/x86_64-linux-gnu/samba/** m,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
Regards,
Praveen Ghimire
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
via samba
Sent: Monday, 6 May 2019 5:51 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Doman join issues
On Mon, 6 May 2019 07:35:07 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:
> Hi Rowland,
>
> I get the same error messages even with the following smb.conf,
> generated by the migration process.
>
> [global]
> workgroup = LIN
> realm = LIN.COM
> netbios name = LINSERVER01
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 4
> [netlogon]
> path = /var/lib/samba/sysvol/lin.com/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
Have you altered AD in anyway ?
Can you post the following files:
/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf
/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones
What user are you using to join the Windows machine ?
Rowland
Hai,

1) apparmor, disable it, and try again, so we can confirm if it's an apparmor setting.

2) winbind is starting from systemd while as AD-DC you should disable that.

- stop the member parts of samba and systemd.
systemctl stop winbind smbd nmbd samba
systemctl disable winbind smbd nmbd samba
systemctl mask winbind smbd nmbd samba

- enable the samba-ad-dc part in systemd.
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

Using bind9?
systemctl edit samba-ad-dc
Add:
[Unit]
After=network.target network-online.target bind9.service

systemctl edit bind9
Add:
[Service]
ExecReload

> /var/lib/samba/private/krb5.conf r,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,

Also add in advanced for 4.9+ and apparmor.
And if you look in that apparmor file, you will see :
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
So use the local/usr.sbin.named file, that makes tracking changes easier.

/var/lib/samba/bind-dns/dns/ rw,
/var/lib/samba/bind-dns/dns.keytab rw,
/var/lib/samba/bind-dns/dns/named.conf r,
/var/lib/samba/bind-dns/dns/named.conf.update r,
/var/lib/samba/bind-dns/dns/named.txt rw,

And, I've added some parts below.

> /etc/krb5.conf
> [libdefaults]
> default_realm = lin.com
HERE : LIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
Remove this part as of here :
> [realms]
> lin.com = {
> kdc = linserver01
> admin_server = linserver01
> }
To here.
>
> /etc/bind/named.conf
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> /etc/bind/named.conf.options
> options {
> directory "/var/cache/bind";
> forwarders { 8.8.8.8; 8.8.4.4; };
> dnssec-validation no;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> // auth-nxdomain no; # conform to RFC1035
auth-nxdomain yes; # because this server is controlling the AD domain.
> listen-on-v6 { any; };
> };
>
Greetz,
Louis
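As an added example (not code from this thread or from the Samba project), covering both Rowland's review of the first smb.conf earlier in the thread, where the `idmap config` and `winbind enum` lines have no place on a DC, and Louis's krb5.conf correction above (realm must be `LIN.COM`, the `[realms]` block is unnecessary with `dns_lookup_kdc = true`): a small Python linter that parses both files and reports exactly those findings. The sample configs embedded in it are constructed from the ones posted in this thread; the function names, the parsers and the ERROR/WARN severities are my own choices, not anything Samba ships.

```python
"""Added example: lint a Samba AD DC's smb.conf and krb5.conf for the
mistakes discussed in this thread. Not part of the thread or of Samba."""

# Constructed from the original post (the smb.conf Rowland reviewed).
ORIGINAL_SMB_CONF = """
[global]
workgroup = LIN
realm = LIN.COM
netbios name = LINSERVER01
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 4000-7999
idmap config LIN:backend = ad
idmap config LIN:schema_mode = rfc2307
idmap config LIN:range = 10000-999999
"""

# Constructed from the migration-generated smb.conf (global section only).
CLEAN_SMB_CONF = """
[global]
workgroup = LIN
realm = LIN.COM
netbios name = LINSERVER01
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
"""

# Constructed from the krb5.conf as posted (lowercase realm, [realms] block).
ORIGINAL_KRB5_CONF = """
[libdefaults]
default_realm = lin.com
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
lin.com = {
kdc = linserver01
admin_server = linserver01
}
"""

# Constructed: krb5.conf after applying Louis's corrections.
FIXED_KRB5_CONF = """
[libdefaults]
default_realm = LIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
"""


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}; keys are lower-cased with
    internal whitespace collapsed so 'idmap config * : range' matches."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((" ".join(key.split()).lower(), value.strip()))
    return sections


def parse_krb5_conf(text):
    """Top-level key/values per [section]; bodies of nested '{...}' blocks
    (such as the per-realm block) are skipped but the section is recorded."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "{" in line:
            depth += line.count("{")
        elif "}" in line:
            depth -= line.count("}")
        elif depth == 0 and current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def lint_dc(smb_text, krb5_text):
    """Return a list of 'LEVEL: message' findings for an AD DC's config."""
    findings = []
    smb = parse_smb_conf(smb_text)
    glob = dict(smb.get("global", []))
    if "active directory domain controller" not in glob.get("server role", "").lower():
        return ["INFO: server role is not an AD DC; DC checks skipped"]
    for key, value in smb.get("global", []):
        if key.startswith("idmap config"):
            # Rowland's point: idmap backends are for domain members, never a DC.
            findings.append(f"ERROR: '{key}' has no place on a DC, remove it")
        elif key in ("winbind enum users", "winbind enum groups") and value.lower() in ("yes", "true", "1"):
            findings.append(f"WARN: '{key} = {value}' slows lookups; testing only")
    krb = parse_krb5_conf(krb5_text)
    libdefaults = krb.get("libdefaults", {})
    realm = glob.get("realm", "")
    default_realm = libdefaults.get("default_realm", "")
    if default_realm != realm.upper():
        # Kerberos realm names are case-sensitive; Samba's realm is upper-case.
        findings.append(f"ERROR: krb5 default_realm '{default_realm}' must be '{realm.upper()}'")
    if "realms" in krb and libdefaults.get("dns_lookup_kdc", "").lower() == "true":
        findings.append("WARN: [realms] block is redundant with dns_lookup_kdc = true; remove it")
    return findings


if __name__ == "__main__":
    for finding in lint_dc(ORIGINAL_SMB_CONF, ORIGINAL_KRB5_CONF):
        print(finding)
```

Run against the posted configs it reports five `idmap config` errors, two `winbind enum` warnings, the lowercase realm and the redundant `[realms]` block; against the migration-generated smb.conf plus the corrected krb5.conf it reports nothing. To use it on a live DC, read `/etc/samba/smb.conf` and `/etc/krb5.conf` into the two arguments instead of the constructed strings.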