Hi Rowland,

I get the same error messages even with the following smb.conf, generated by the migration process.

[global]
        workgroup = LIN
        realm = LIN.COM
        netbios name = LINSERVER01
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/log.%m
        log level = 4

[netlogon]
        path = /var/lib/samba/sysvol/lin.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Regards,
Praveen Ghimire

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Monday, 6 May 2019 4:47 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Doman join issues

On Mon, 6 May 2019 02:51:18 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> From: Praveen Ghimire via samba <samba at lists.samba.org>
> To: "samba at lists.samba.org" <samba at lists.samba.org>
> Subject: [Samba] Doman join issues
> Date: Mon, 6 May 2019 02:51:18 +0000
> Reply-To: Praveen Ghimire <PGhimire at sundata.com.au>
> Sender: "samba" <samba-bounces at lists.samba.org>
>
> Hi,
>
> We are running test migration on the following environment in
> preparation for the prod migration. Any suggestions will be greatly
> appreciated.
>
> OS: Ubuntu 18.04
> Hypervisor: Proxmox Container (LXC)
> Samba Version 4.6.7
> DNS: BIND9_DLZ
> AD and File server in the same server.
> Have gone through the Samba documentation regarding this

Obviously not well enough, or the warnings are not obvious enough ;-)

> Smb.conf
>
> [global]
>         workgroup = LIN
>         realm = LIN.COM
>         netbios name = LINSERVER01
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/log.%m
>         log level = 4
>         acl allow execute always = True
>         server services = -dns
>         allow dns updates = nonsecure

The above lines are okay for a DC

>         winbind enum users = yes
>         winbind enum groups = yes

The above lines just slow things down and should only be used for testing purposes.

>         winbind nss info = rfc2307
>         idmap config * : backend = tdb
>         idmap config * : range = 4000-7999
>         idmap config LIN:backend = ad
>         idmap config LIN:schema_mode = rfc2307
>         idmap config LIN:range = 10000-999999

The above lines have no place on a DC, even if you are using it as a fileserver.

> We are seeing issues with winbind
>
> * winbind.service - Samba Winbind Daemon
>    Loaded: loaded (/lib/systemd/system/winbind.service; enabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Mon 2019-05-06 02:14:54 UTC; 22min ago
>      Docs: man:winbindd(8)
>            man:samba(7)
>            man:smb.conf(5)
>   Process: 145 ExecStart=/usr/sbin/winbindd --foreground --no-process-group $WINBINDOPTIONS (code=exited, status=1/FAILURE)
>  Main PID: 145 (code=exited, status=1/FAILURE)
>
> May 06 02:14:54 linserver01 systemd[1]: Starting Samba Winbind Daemon...
> May 06 02:14:54 linserver01 systemd[1]: winbind.service: Main process exited, code=exited, status=1/FAILURE
> May 06 02:14:54 linserver01 systemd[1]: winbind.service: Failed with result 'exit-code'.
> May 06 02:14:54 linserver01 systemd[1]: Failed to start Samba Winbind Daemon.

There is an obvious way to stop the above, stop trying to start winbind yourself and allow Samba to do it for you.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
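The point Rowland makes above (member-server idmap and winbind settings do not belong in a DC's smb.conf, and the winbind enum options only slow it down) can be turned into a quick audit. The script below is an added example, not code from the thread or from the Samba project; the parameter names it looks for are exactly the ones Rowland quotes, and the two sample files are constructed from the smb.conf versions Praveen posted.

```shell
#!/bin/sh
# Added example (not from the thread): audit an smb.conf for parameters that
# Rowland says have no place on a Samba AD DC, or that only slow it down.

# Parameters that must not appear on a DC (the DC uses idmap_ldb instead).
DC_FORBIDDEN='^[[:space:]]*(idmap config|winbind nss info)'
# Parameters that are legal on a DC but slow, so they belong in testing only.
DC_SLOW='^[[:space:]]*winbind enum (users|groups)[[:space:]]*='

# Count uncommented lines of file $1 matching pattern $2. grep -c prints 0 when
# nothing matches but exits 1, so '|| true' keeps callers under 'set -e' alive.
count_matches() {
    grep -Eiv '^[[:space:]]*[#;]' "$1" | grep -Eic "$2" || true
}

# Print every offending line with a verdict; succeed only if no forbidden
# parameter is present (slow ones are reported but do not fail the check).
dc_smbconf_check() {
    conf="$1"
    grep -Eiv '^[[:space:]]*[#;]' "$conf" | grep -Ei "$DC_FORBIDDEN" \
        | sed 's/^[[:space:]]*/FORBIDDEN on a DC: /'
    grep -Eiv '^[[:space:]]*[#;]' "$conf" | grep -Ei "$DC_SLOW" \
        | sed 's/^[[:space:]]*/SLOW, testing only: /'
    [ "$(count_matches "$conf" "$DC_FORBIDDEN")" -eq 0 ]
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: the [global] section from Praveen's first post.
cat > "$SAMPLE_DIR/member-style.conf" <<'EOF'
[global]
        workgroup = LIN
        realm = LIN.COM
        netbios name = LINSERVER01
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/log.%m
        log level = 4
        winbind enum users = yes
        winbind enum groups = yes
        winbind nss info = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 4000-7999
        idmap config LIN:backend = ad
        idmap config LIN:schema_mode = rfc2307
        idmap config LIN:range = 10000-999999
EOF

# Constructed sample: the migration-generated [global] from Praveen's reply.
cat > "$SAMPLE_DIR/dc.conf" <<'EOF'
[global]
        workgroup = LIN
        realm = LIN.COM
        netbios name = LINSERVER01
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/log.%m
        log level = 4
EOF

for f in "$SAMPLE_DIR/member-style.conf" "$SAMPLE_DIR/dc.conf"; do
    echo "== $f"
    dc_smbconf_check "$f" && echo "OK for a DC" || echo "NOT OK for a DC"
done
```

Run it against /etc/samba/smb.conf on the DC; a non-zero exit means at least one `idmap config` or `winbind nss info` line is still present. The check deliberately ignores `idmap_ldb:use rfc2307`, which is the DC-side idmap setting and is fine.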
On Mon, 6 May 2019 07:35:07 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> I get the same error messages even with the following smb.conf,
> generated by the migration process.
>
> [global]
>         workgroup = LIN
>         realm = LIN.COM
>         netbios name = LINSERVER01
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/log.%m
>         log level = 4
>
> [netlogon]
>         path = /var/lib/samba/sysvol/lin.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>

Have you altered AD in any way?

Can you post the following files:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf
/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones

What user are you using to join the Windows machine?

Rowland
Hi Rowland,

Haven't altered AD. The changes I made post the upgrade were around the apparmor (usr.sbin.named); I have included that in the email toward the end.

I have been using the domain administrator account for the domain join. Have run the kinit and it seems to be ok.

Also, saw an "id structure is invalid" message when trying to add to the domain initially. A restart of the samba services seems to have fixed that.

Here are the details

/etc/resolv.conf
search lin.com
nameserver 192.168.14.10

/etc/hostname
linserver01

/etc/hosts
127.0.0.1       localhost
192.168.14.10   linserver01.lin.com linserver01

/etc/krb5.conf
[libdefaults]
        default_realm = lin.com
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        lin.com = {
                kdc = linserver01
                admin_server = linserver01
        }

/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

/etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

/etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

/etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

host -t SRV _kerberos._udp.lin.com.
_kerberos._udp.lin.com has SRV record 0 100 88 linserver01.lin.com.

host -t SRV _ldap._tcp.lin.com.
_ldap._tcp.lin.com has SRV record 0 100 389 linserver01.lin.com.

host -t A linserver01.lin.com.
linserver01.lin.com has address 192.168.14.10

/var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

Added the following to apparmor.d/usr.sbin.named
  /var/lib/samba/private/krb5.conf r,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /usr/lib/x86_64-linux-gnu/samba/** m,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,

Regards,
Praveen Ghimire

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Monday, 6 May 2019 5:51 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Doman join issues
Hai,

1) apparmor, disable it, and try again, so we can confirm if it's an apparmor setting.

2) winbind is starting from systemd, while as AD-DC you should disable that.

- stop the member parts of samba and systemd.
systemctl stop winbind smbd nmbd samba
systemctl disable winbind smbd nmbd samba
systemctl mask winbind smbd nmbd samba

- enable the samba-ad-dc part in systemd.
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

Using bind9?
systemctl edit samba-ad-dc
Add:
[Unit]
After=network.target network-online.target bind9.service

systemctl edit bind9
Add:
[Service]
ExecReload

> /var/lib/samba/private/krb5.conf r,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,

Also add, in advance for 4.9+ and apparmor. And if you look in that apparmor file, you will see:

# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>

So use the local/usr.sbin.named file; that makes tracking changes easier.

/var/lib/samba/bind-dns/dns/ rw,
/var/lib/samba/bind-dns/dns.keytab rw,
/var/lib/samba/bind-dns/dns/named.conf r,
/var/lib/samba/bind-dns/dns/named.conf.update r,
/var/lib/samba/bind-dns/dns/named.txt rw,

And, I've added some parts below.

> /etc/krb5.conf
> [libdefaults]
>         default_realm = lin.com

HERE : LIN.COM

>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>

Remove this part, as of here:

> [realms]
>         lin.com = {
>                 kdc = linserver01
>                 admin_server = linserver01
>         }

To here.

> /etc/bind/named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> /etc/bind/named.conf.options
> options {
>         directory "/var/cache/bind";
>         forwarders { 8.8.8.8; 8.8.4.4; };
>         dnssec-validation no;
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>         // auth-nxdomain no;    # conform to RFC1035

auth-nxdomain yes;    # because this server is controlling the AD domain.

>         listen-on-v6 { any; };
> };
>

Greetz,
Louis