samba - Sep 2019 - Migrating Samba NT4 Domain to Samba AD

On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
> Well it was worth checking.. We just dont know what you already checked..
>
> Then all i can say now is, or a different OS, or try Vincent's his
packages.
> I see that is should support AD-DC, but I really dont know. I only do
debian/ubuntu.
> At least it looks like it.
>
> (from :
http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.8/RHEL7/SPECS/samba-v410x.spec
)
> %description dc
> The samba-dc package provides AD Domain Controller functionality
>
The problem with this list is that 90% of the users do not use red-hat 
based distros, so everything is usually based around Debian based distros.

I think we need to fall back to checking how the OP has set up his OS, 
we need to see the contents of the following files:

/etc/hostname

/etc/hosts

/etc/resolv.conf

/etc/krb5.conf

/etc/samba/smb.conf

And the output of these commands:

hostname -s

hostname -d

hostname -i

Rowland

W dniu 2019-09-16 o?16:30, Rowland penny via samba
pisze:
> On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
>> Well it was worth checking.. We just dont know what you already 
>> checked..
now I setup the Ubuntu Server 18.04.3 LTS +

http://apt.van-belle.nl/ + 
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt#L268

+ i changed krb (default is ... MIT!) to heimdal

apt install heimdal-clients



So now I have some success....

1. I add the second AD controler "themes" as stated in

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller

2. bind configured and it looks like working:

root at themes:~# samba_dnsupdate --verbose --all-names

...

update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl 
themes.ad.wsisiz.edu.pl 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl 
themes.ad.wsisiz.edu.pl 389 (add)
Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as 
THEMES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:????? 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 
themes.ad.wsisiz.edu.pl.

update(nsupdate): SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl 
themes.ad.wsisiz.edu.pl 389
Calling nsupdate for SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl 
themes.ad.wsisiz.edu.pl 389 (add)
Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as 
THEMES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:????? 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl. 
900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.

3. when I try to join another samba server (but as AD member!):

[root at mask ~]# net ads join -U administrator
Using short domain name -- WSISIZ.EDU.PL
Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

message looks not good BUT domain connection in fact works.....

[root at mask ~]# wbinfo --ping-dc
checking the NETLOGON for domain[WSISIZ.EDU.PL] dc connection to 
"oceanic.ad.wsisiz.edu.pl" succeeded


So how can I drop DC "oceanic" and reconnect whole network to DC
"themes"?

(when I do it DC will be on server which has no shares (only netlogon + 
sysvol?))


And after disconnecting oceanic as DC - i want to make cleaning with 
ldap/AD ldap.


I have workstation based both on windows and linux.

Currently for windows workstations source of user data is Samba AD , but 
for linux workstations is openldap.

Problems are two:

on windows worstation we use "NThash" on linux workstations we use 
"SHA512" hash.

So how can i arrange that if user change password via CTRL+ALT+DEL via 
windows if fact pasword changing procedure changes both hash?

in NT4 domain it was used

pam password change = Yes

which changes BOTH hashes.


What I need to do to conserve this feature?


Best Regards


-- 
Bart?omiej Solarz-Nies?uchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, pok?j 421, pon.-pt. 8-16
Motto - Jak sobie po?cielisz tak sie wy?pisz

On 16/09/2019 17:26, Bart?omiej Solarz-Nies?uchowski
wrote:
> W dniu 2019-09-16 o?16:30, Rowland penny via samba pisze:
>> On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
>>> Well it was worth checking.. We just dont know what you already 
>>> checked..
>
> now I setup the Ubuntu Server 18.04.3 LTS +
>
> http://apt.van-belle.nl/ + 
>
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt#L268
>
> + i changed krb (default is ... MIT!) to heimdal
>
> apt install heimdal-clients
>
>
>
> So now I have some success....
>
> 1. I add the second AD controler "themes" as stated in
>
>
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>
>
> 2. bind configured and it looks like working:
>
> root at themes:~# samba_dnsupdate --verbose --all-names
>
> ...
>
> update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl 
> themes.ad.wsisiz.edu.pl 389
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl 
> themes.ad.wsisiz.edu.pl 389 (add)
> Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl 
> as THEMES$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:????? 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 
> themes.ad.wsisiz.edu.pl.
>
> update(nsupdate): SRV 
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl 
> themes.ad.wsisiz.edu.pl 389
> Calling nsupdate for SRV 
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl 
> themes.ad.wsisiz.edu.pl 389 (add)
> Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl 
> as THEMES$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:????? 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl. 
> 900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.
>
> 3. when I try to join another samba server (but as AD member!):
>
> [root at mask ~]# net ads join -U administrator
> Using short domain name -- WSISIZ.EDU.PL
> Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
> DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> message looks not good BUT domain connection in fact works.....
>
> [root at mask ~]# wbinfo --ping-dc
> checking the NETLOGON for domain[WSISIZ.EDU.PL] dc connection to 
> "oceanic.ad.wsisiz.edu.pl" succeeded
>
>
> So how can I drop DC "oceanic" and reconnect whole network to DC 
> "themes"?
>
> (when I do it DC will be on server which has no shares (only netlogon 
> + sysvol?))
If 'oceanic' was the first AD DC you created, then it will hold the FSMO
roles, you can check this with:

samba-tool fsmo show

If you see 'oceanic' amongst the output, then run this command on
'themes''

samba-tool fsmo transfer --role=all -U Administrator

You can then demote 'oceanic' by running this command on
'oceanic':

samba-tool domain demote -U Administrator
>
>
> And after disconnecting oceanic as DC - i want to make cleaning with 
> ldap/AD ldap.
At this point you can just remove Samba entirely
>
>
> I have workstation based both on windows and linux.
>
> Currently for windows workstations source of user data is Samba AD , 
> but for linux workstations is openldap.
>
> Problems are two:
>
> on windows worstation we use "NThash" on linux workstations we
use
> "SHA512" hash.
>
> So how can i arrange that if user change password via CTRL+ALT+DEL via 
> windows if fact pasword changing procedure changes both hash?
If you must keep your openldap machine (and you haven't actually told us 
what auths from it) you will need to script around this:

See here for an example (in French):

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

However, if you are referring to Linux workstations running as Unix 
domain members, then you do not need to do anything, they and the users 
will auth directly from the Samba AD DC, provided that Samba is set up 
correctly. If you run:

getent passwd <a domain user> on a Unix domain member, you should get 
something like this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> in NT4 domain it was used
>
> pam password change = Yes
>
> which changes BOTH hashes.
>
>
> What I need to do to conserve this feature?
I am not 100% convinced you need to do anything like this.

What do you use the openldap for ?

A mailserver or something else ?

You may be able to extend the AD schema with whatever it is you are 
using openldap for.

Rowland

Mandi! Bart?omiej Solarz-Nies?uchowski via samba
  In chel di` si favelave...
> What I need to do to conserve this feature?
...if you want you can ''sync'' password between Samba/AD and
other
sources via:
	https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

but it is surely better to extend the schema, i've personally added the
'laser-draft-schema' to my AD.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Dear List,

After migration I have found some problems:

1.

directives in /etc/samba/smb.conf

force user

force group

I have found similar problems like here: 
https://bugzilla.samba.org/show_bug.cgi?id=11320

if i have share:

[global]

 ??????? workgroup = WSISIZ.EDU.PL
 ??????? realm = ad.wsisiz.edu.pl
 ??????? server role = member server
 ??????? security = ads
 ?....

 ??????? winbind use default domain = Yes

[admin]

 ?valid users = +laboratoria
 ?write list = +laboratoria
 ?force group = laboratoria

i cannot connect:

oceanic:~# smbclient \\oceanic\admins -U solarz
Enter WSISIZ.EDU.PL\solarz's password:
tree connect failed: NT_STATUS_NO_SUCH_GROUP

BUT

if i change "force group" to:

 ?force group = unix group\laboratoria

it works! (prefix unix group is not documented?)

Samba is at version:

Name??????? : samba
Epoch?????? : 2
Version???? : 4.10.7
Release???? : 0.fc30
Architecture: x86_64


I have some strange problems with AD:

at domain member:

oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077 to gid

oceanic:~# wbinfo? --online-status
BUILTIN : active connection
OCEANIC : active connection
WSISIZ.EDU.PL : active connection

wbinfo -u and -g works as expected....

at DC AD server:

root at themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
root at themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
1038
root at themes:~# wbinfo? --online-status
BUILTIN : active connection
WSISIZ.EDU.PL : active connection


It looks very strange ... Those conversion from sid to gid is an 
essential one?


Any help will be welcome.


Best Regards

-- 
Bart?omiej Solarz-Nies?uchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, pok?j 421, pon.-pt. 8-16
Motto - Jak sobie po?cielisz tak sie wy?pisz

On 19/09/2019 19:33, Bart?omiej Solarz-Nies?uchowski via samba
wrote:
> Dear List,
>
> After migration I have found some problems:
>
> 1.
>
> directives in /etc/samba/smb.conf
>
> force user
>
> force group
You shouldn't be using those anymore, you should use Windows
ACLs
>
> I have found similar problems like here: 
> https://bugzilla.samba.org/show_bug.cgi?id=11320
>
> if i have share:
>
> [global]
>
> ??????? workgroup = WSISIZ.EDU.PL
Is that really your workgroup name ?

I would have expected something like 'AD' based on your realm (which 
incidentally should be in uppercase)
> realm = ad.wsisiz.edu.pl
> ??????? server role = member server
> ??????? security = ads
> ?....
>
> ??????? winbind use default domain = Yes
>
> [admin]
>
> ?valid users = +laboratoria
> ?write list = +laboratoria
> ?force group = laboratoria
>
> i cannot connect:
>
> oceanic:~# smbclient \\oceanic\admins -U solarz
> Enter WSISIZ.EDU.PL\solarz's password:
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
> BUT
>
> if i change "force group" to:
>
> ?force group = unix group\laboratoria
>
> it works! (prefix unix group is not documented?)
I think you had better post your full smb.conf from the Unix domain
member.
>
> Samba is at version:
>
> Name??????? : samba
> Epoch?????? : 2
> Version???? : 4.10.7
> Release???? : 0.fc30
> Architecture: x86_64
>
>
> I have some strange problems with AD:
>
> at domain member:
>
> oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
> oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077 
> to gid
>
> oceanic:~# wbinfo? --online-status
> BUILTIN : active connection
> OCEANIC : active connection
> WSISIZ.EDU.PL : active connection
>
> wbinfo -u and -g works as expected....
Bit meaningless on a Unix computer
>
> at DC AD server:
>
> root at themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
> root at themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
> 1038
> root at themes:~# wbinfo? --online-status
> BUILTIN : active connection
> WSISIZ.EDU.PL : active connection
>
>
> It looks very strange ... Those conversion from sid to gid is an 
> essential one?
>
As I said, post your smb.conf

Rowland