On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>
> Done with some problems:
>
> 1. bugs reported here:
>
> https://bugzilla.altlinux.org/show_bug.cgi?id=36496
>
> and here
>
> https://bugzilla.samba.org/show_bug.cgi?id=13060
>
> involved me - but I made workarounds and the migration was done.
>
> Basically AD Samba works.
>
> I have some questions:
>
> I do not currently understand - must the bind9 connected to the AD server be used by the LAN workstations - or only via the AD server?
>
> Currently the workstations are pointed to a different DNS server than AD - how must it be done correctly?
>

Your domain workstations must use the AD DC(s) as their nameserver, the DC(s) will forward anything outside the AD dns domain to an external dns server.

> So I have the following current open problems:
>
> 1. share:
>
> [private]
> path = %H
>
> does not work:
>
> smbd[42055]: make_connection_snum: canonicalize_connect_path failed for service private, path /%H
>
> on the console, cd ~user works correctly
>

If this share is on the DC, then it really shouldn't be, using a DC as a fileserver isn't recommended.

> 2. How to connect to the internal AD LDAP server?
>
> I tried with:
>
> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H ldaps://oceanic.wsisiz.edu.pl
> search error - 00002020: Operation unavailable without authentication
>

I would have thought that was fairly obvious, you need to authenticate, try this instead (as root):

kinit Administrator

Then:

ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes

That way, your password never leaves the machine.

> I want to add the necessary attributes, e.g.:
>
> uidNumber: 10000
> gidNumber: 10000
>
> when creating the account.
>

'samba-tool user create --help' will show you how to do this.

> 3. How about password aging - I need it not only on the Windows part but on the unix part too (unix has accounts/passwords/etc. via ldap)?
>

A Unix user in AD is just a Windows user with RFC2307 attributes, so they all get the same password rules

BIG NOTE: I hope that 'via ldap' means users in AD

'samba-tool domain passwordsettings show' will display the current settings, something like this:

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

Rowland
Bartłomiej Solarz-Niesłuchowski
2019-Sep-15 18:08 UTC
[Samba] Migrating Samba NT4 Domain to Samba AD
On 2019-09-15 at 18:32, Rowland penny via samba wrote:
> On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>> I have some questions:
>>
>> I do not currently understand - must the bind9 connected to the AD server be used by the LAN workstations - or only via the AD server?
>>
>> Currently the workstations are pointed to a different DNS server than AD - how must it be done correctly?
>>
> Your domain workstations must use the AD DC(s) as their nameserver, the DC(s) will forward anything outside the AD dns domain to an external dns server.
>

So I need only to forward queries from my common DNS server to ad.wsisiz.edu.pl? (AD.WSISIZ.EDU.PL is my Samba AD)

>> So I have the following current open problems:
>>
>> 1. share:
>>
>> [private]
>> path = %H
>>
>> does not work:
>>
>> smbd[42055]: make_connection_snum: canonicalize_connect_path failed for service private, path /%H
>>
>> on the console, cd ~user works correctly
>>
> If this share is on the DC, then it really shouldn't be, using a DC as a fileserver isn't recommended.
>

Yes, understood - I will try to set up a second AD server on which I use only the domain part of Samba, and on my major server I will start to use only smbd/nmbd/winbindd.

But my current problem is:

dynamic updates are not working in bind/internal_dns...

I set up bind: added to named.conf:

options {
....
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    minimal-responses yes;
};
+ include "/var/lib/samba/bind-dns/named.conf";

and

oceanic:~# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/AD.WSISIZ.EDU.PL.zone
/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
  logger.warn("DNS records will be automatically created")
DNS records will be automatically created
DNS partitions already exist
dns-oceanic account already exists
Could not remove /var/lib/samba/private/named.conf: No such file or directory
Could not remove /var/lib/samba/private/named.conf.update: No such file or directory
Could not remove /var/lib/samba/private/named.txt: No such file or directory
Could not delete dir /var/lib/samba/private/dns: No such file or directory
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

but when I check if dns updates really work:

oceanic:/var/lib/samba/bind-dns# samba_dnsupdate --verbose --all-names --fail-immediately
IPs: ['2001:1a68:a::33', '213.135.44.33']
force update: A oceanic.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA oceanic.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: NS ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: NS _msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: A ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.7be4eeae-49f0-4b2f-9b13-9482284869f4.domains._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _kerberos._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._udp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._tcp.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kpasswd._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 464
force update: SRV _kpasswd._udp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 464
force update: CNAME bab81aef-5660-4aa8-a484-761e3a426ca8._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _ldap._tcp.pdc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: A gc._msdcs.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA gc._msdcs.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _gc._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _ldap._tcp.gc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: A DomainDnsZones.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA DomainDnsZones.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.DomainDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: A ForestDnsZones.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA ForestDnsZones.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
34 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/oceanic.ad.wsisiz.edu.pl as OCEANIC$
update(nsupdate): A oceanic.ad.wsisiz.edu.pl 213.135.44.33
Calling nsupdate for A oceanic.ad.wsisiz.edu.pl 213.135.44.33 (add)
Successfully obtained Kerberos ticket to DNS/oceanic.ad.wsisiz.edu.pl as OCEANIC$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
oceanic.ad.wsisiz.edu.pl. 900   IN      A       213.135.44.33

dns_tkey_gssnegotiate: TKEY is unacceptable
Failed update with /tmp/tmpxkhqw31b

checking if everything is ok:

oceanic:/var/lib/samba# ll /var/lib/samba/private/dns.keytab
-rw-r----- 2 root named 792 Sep 15 19:31 /var/lib/samba/private/dns.keytab
oceanic:/var/lib/samba# ls -ld /var/lib/samba/bind-dns
drwxrwx--- 3 root named 4096 Sep 15 19:55 /var/lib/samba/bind-dns
oceanic:/var/lib/samba# ls -l /var/lib/samba/bind-dns/named.conf
-rw-r--r-- 1 root root 808 Sep 15 19:53 /var/lib/samba/bind-dns/named.conf
oceanic:/var/lib/samba# cat /var/lib/samba/bind-dns/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
    # For BIND 9.10.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
    # For BIND 9.11.x
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
    # For BIND 9.12.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_12.so";
};
oceanic:/var/lib/samba/bind-dns# klist -k /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/oceanic.ad.wsisiz.edu.pl@AD.WSISIZ.EDU.PL
   1 dns-oceanic@AD.WSISIZ.EDU.PL
   1 DNS/oceanic.ad.wsisiz.edu.pl@AD.WSISIZ.EDU.PL
   1 dns-oceanic@AD.WSISIZ.EDU.PL
   1 DNS/oceanic.ad.wsisiz.edu.pl@AD.WSISIZ.EDU.PL
   1 dns-oceanic@AD.WSISIZ.EDU.PL
   1 DNS/oceanic.ad.wsisiz.edu.pl@AD.WSISIZ.EDU.PL
   1 dns-oceanic@AD.WSISIZ.EDU.PL
   1 DNS/oceanic.ad.wsisiz.edu.pl@AD.WSISIZ.EDU.PL
   1 dns-oceanic@AD.WSISIZ.EDU.PL

I cannot check the presence of the account dns-oceanic, but it probably exists:

dns-oceanic account already exists

oceanic:/var/lib/samba/bind-dns# ls -l /etc/krb5.conf
-rw-r--r-- 1 root root 97 Sep 15 14:39 /etc/krb5.conf

so I checked everything according to the manual:

https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

but it does not work....

I even tried to change to:

samba_upgradedns --dns-backend=SAMBA_INTERNAL

but even here I have a similar problem with dns updates....

Can you help me?

(dns updates are needed e.g. for joining new Samba servers into this AD as domain members....)

>> 2. How to connect to the internal AD LDAP server?
>>
>> I tried with:
>>
>> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H ldaps://oceanic.wsisiz.edu.pl
>> search error - 00002020: Operation unavailable without authentication
>>
> I would have thought that was fairly obvious, you need to authenticate, try this instead (as root):
>
> kinit Administrator
>
> Then:
>
> ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>
> That way, your password never leaves the machine.

It does not work:

oceanic:/var/lib/samba/bind-dns# ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
Invalid option -k: unknown option

>> 3. How about password aging - I need it not only on the Windows part but on the unix part too (unix has accounts/passwords/etc. via ldap)?
>>
> A Unix user in AD is just a Windows user with RFC2307 attributes, so they all get the same password rules
>
> BIG NOTE: I hope that 'via ldap' means users in AD

khhm.. currently on the linux workstations I use openldap; for linux password aging I use shadow attributes stored in ldap.

Thanks for any help....

--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you shall lie in it
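The permission and configuration checks the poster ran by hand above (keytab and bind-dns ownership, the `tkey-gssapi-keytab` directive, the include, the single uncommented `database` line), collected into one preflight function. This is an added example, not code from the thread or from Samba; the main named.conf path and the BIND group name (`named` on the poster's system, `bind` on Debian-style systems) vary by distribution and are assumptions passed as arguments.

```shell
#!/bin/sh
# Preflight check for Samba BIND9_DLZ dynamic updates (added example, not
# from the thread). It automates the manual checks shown in the thread:
#   - dns.keytab must be group-readable by BIND's group (-rw-r----- root named)
#   - /var/lib/samba/bind-dns must be rwx for that group (drwxrwx--- root named)
#   - the main named.conf must set tkey-gssapi-keytab and include Samba's file
#   - exactly one "database" line in Samba's named.conf may be uncommented
# Assumptions: find(1) with -maxdepth (GNU/BSD); the main named.conf path and
# the BIND group name differ per distribution, so both are arguments.

# Usage: check_dns_update_prereqs KEYTAB BINDDIR MAIN_NAMED_CONF SAMBA_NAMED_CONF GROUP
check_dns_update_prereqs() {
    keytab=${1:-/var/lib/samba/private/dns.keytab}
    binddir=${2:-/var/lib/samba/bind-dns}
    mainconf=${3:-/etc/named.conf}
    sambaconf=${4:-/var/lib/samba/bind-dns/named.conf}
    grp=${5:-named}
    rc=0

    # find prints the path only when owning group and mode bits both match
    if [ -z "$(find "$keytab" -maxdepth 0 -type f -group "$grp" -perm -g=r 2>/dev/null)" ]; then
        echo "FAIL: $keytab is not group-readable by '$grp'"; rc=1
    fi
    if [ -z "$(find "$binddir" -maxdepth 0 -type d -group "$grp" -perm -g=rwx 2>/dev/null)" ]; then
        echo "FAIL: $binddir is not rwx for group '$grp'"; rc=1
    fi

    # GSS-TSIG (the TKEY negotiation that failed in the thread) needs the
    # keytab directive; the DLZ zones need the include of Samba's file
    if ! grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"' "$mainconf" 2>/dev/null; then
        echo "FAIL: $mainconf lacks tkey-gssapi-keytab"; rc=1
    fi
    if ! grep -Fq "include \"$sambaconf\";" "$mainconf" 2>/dev/null; then
        echo "FAIL: $mainconf does not include $sambaconf"; rc=1
    fi

    # Count uncommented database lines: zero loads no DLZ module, two or
    # more is a configuration BIND will refuse
    n=$(grep -Ec '^[[:space:]]*database[[:space:]]+"dlopen ' "$sambaconf" 2>/dev/null || true)
    n=${n:-0}
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $sambaconf has $n active 'database' lines (need exactly 1)"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: BIND9_DLZ update prerequisites look sane"
    fi
    return "$rc"
}

# When saved and executed as check_dns_update_prereqs.sh, run with the given
# (or default) paths; when sourced, only the function is defined.
case "$0" in *check_dns_update_prereqs*) check_dns_update_prereqs "$@" ;; esac
```

A clean result does not prove updates will work (the thread's own checks all passed), but a FAIL line points at the file to fix before retrying `samba_dnsupdate`.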
On 15/09/2019 19:08, Bartłomiej Solarz-Niesłuchowski wrote:
> On 2019-09-15 at 18:32, Rowland penny via samba wrote:
>> On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>>> I have some questions:
>>>
>>> I do not currently understand - must the bind9 connected to the AD server be used by the LAN workstations - or only via the AD server?
>>>
>>> Currently the workstations are pointed to a different DNS server than AD - how must it be done correctly?
>>>
>> Your domain workstations must use the AD DC(s) as their nameserver, the DC(s) will forward anything outside the AD dns domain to an external dns server.
>>
> So I need only to forward queries from my common DNS server to ad.wsisiz.edu.pl? (AD.WSISIZ.EDU.PL is my Samba AD)

From any domain joined computers, yes. They would ask the DC for any dns info they require, if it is something inside the AD domain, the DC will return the data, if it is something outside the AD domain e.g. google.com, the DC would ask its forwarder and then return whatever the forwarder returns.

>>> So I have the following current open problems:
>>>
>>> 1. share:
>>>
>>> [private]
>>> path = %H
>>>
>>> does not work:
>>>
>>> smbd[42055]: make_connection_snum: canonicalize_connect_path failed for service private, path /%H
>>>
>>> on the console, cd ~user works correctly
>>>
>> If this share is on the DC, then it really shouldn't be, using a DC as a fileserver isn't recommended.
>>
> Yes, understood - I will try to set up a second AD server on which I use only the domain part of Samba, and on my major server I will start to use only smbd/nmbd/winbindd.

I take it that you are referring to a Unix domain member being used as a fileserver

> But my current problem is:
>
> dynamic updates are not working in bind/internal_dns...
>
> Can you help me?
>
> (dns updates are needed e.g. for joining new Samba servers into this AD as domain members....)

Try adding this to the DC smb.conf:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

>>> 2. How to connect to the internal AD LDAP server?
>>>
>>> I tried with:
>>>
>>> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H ldaps://oceanic.wsisiz.edu.pl
>>> search error - 00002020: Operation unavailable without authentication
>>>
>> I would have thought that was fairly obvious, you need to authenticate, try this instead (as root):
>>
>> kinit Administrator
>>
>> Then:
>>
>> ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>>
>> That way, your password never leaves the machine.
>
> It does not work:
>
> oceanic:/var/lib/samba/bind-dns# ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
> Invalid option -k: unknown option

When I run it, I get this:

ldbsearch -H ldap://dc4.samdom.example.com -k yes
# record 1
dn: CN=W10PRO,CN=Computers,DC=samdom,DC=example,DC=com
cn: W10PRO
instanceType: 4
whenCreated: 20190704082927.0Z
uSNCreated: 555788
..........................................
.................................
.......................
# record 457
dn: CN=RID Set,CN=DC4,OU=Domain Controllers,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: rIDSet
cn: RID Set
instanceType: 4
whenCreated: 20180324201834.0Z
whenChanged: 20180324201834.0Z
uSNCreated: 4097
uSNChanged: 4097
showInAdvancedViewOnly: TRUE
name: RID Set
objectGUID: 2ac1e0a9-4e65-4681-9592-0ee6a87ed379
rIDAllocationPool: 5100-5599
rIDUsedPool: 0
objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC
 =com
rIDPreviousAllocationPool: 5100-5599
rIDNextRID: 5176
distinguishedName: CN=RID Set,CN=DC4,OU=Domain Controllers,DC=samdom,DC=exampl
 e,DC=com

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 460 records
# 457 entries
# 3 referrals

What OS is this and what Samba packages did you install ?

>>> 3. How about password aging - I need it not only on the Windows part but on the unix part too (unix has accounts/passwords/etc. via ldap)?
>>>
>> A Unix user in AD is just a Windows user with RFC2307 attributes, so they all get the same password rules
>>
>> BIG NOTE: I hope that 'via ldap' means users in AD
>
> khhm.. currently on the linux workstations I use openldap; for linux password aging I use shadow attributes stored in ldap

I think you will find that it is now 'I used openldap'

You can sync passwords etc between AD and openldap, but you will probably find that it is easier to migrate whatever you have in openldap to AD and then have just one point of maintenance.

So, what do you have in openldap ?

Rowland
Greetings! Bartłomiej Solarz-Niesłuchowski via samba, on that day, wrote:

> khhm.. currently on the linux workstations I use openldap; for linux password aging I use shadow attributes stored in ldap.

Ahem, no, AFAIK there's no 'shadow' schema for AD, nor is there a ''compatibility layer'' between winbind (the samba NSS provider) and the shadow context.

I'm also coming from samba/smbldap-tools, and things are simply different.

In brief, you *have* to use winbind as NSS provider, and leave the management of password policies to winbind.

--
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)