On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
> Well it was worth checking.. We just don't know what you already checked..
>
> Then all I can say now is, or a different OS, or try Vincent's packages.
> I see that it should support AD-DC, but I really don't know. I only do debian/ubuntu.
> At least it looks like it.
>
> (from : http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.8/RHEL7/SPECS/samba-v410x.spec )
> %description dc
> The samba-dc package provides AD Domain Controller functionality
>
The problem with this list is that 90% of the users do not use Red Hat based distros, so everything is usually based around Debian based distros.

I think we need to fall back to checking how the OP has set up his OS, we need to see the contents of the following files:

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/smb.conf

And the output of these commands:

hostname -s
hostname -d
hostname -i

Rowland
Bartłomiej Solarz-Niesłuchowski
2019-Sep-16 16:26 UTC
[Samba] Migrating Samba NT4 Domain to Samba AD
On 2019-09-16 at 16:30, Rowland penny via samba wrote:
> On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
>> Well it was worth checking.. We just don't know what you already
>> checked..

Now I have set up Ubuntu Server 18.04.3 LTS +

http://apt.van-belle.nl/ +
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt#L268

+ I changed krb (default is ... MIT!) to heimdal

apt install heimdal-clients

So now I have some success....

1. I added the second AD controller "themes" as stated in

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller

2. bind configured and it looks like it is working:

root at themes:~# samba_dnsupdate --verbose --all-names

...

update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389 (add)
Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as THEMES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.

update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389 (add)
Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as THEMES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.

3. when I try to join another samba server (but as an AD member!):

[root at mask ~]# net ads join -U administrator
Using short domain name -- WSISIZ.EDU.PL
Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

The message looks bad, BUT the domain connection in fact works.....

[root at mask ~]# wbinfo --ping-dc
checking the NETLOGON for domain[WSISIZ.EDU.PL] dc connection to "oceanic.ad.wsisiz.edu.pl" succeeded

So how can I drop DC "oceanic" and reconnect the whole network to DC "themes"?

(when I do it, the DC will be on a server which has no shares (only netlogon + sysvol?))

And after disconnecting oceanic as DC - I want to do some cleaning of the ldap/AD ldap.

I have workstations based both on Windows and Linux.

Currently for Windows workstations the source of user data is Samba AD, but for Linux workstations it is openldap.

There are two problems:

on Windows workstations we use the "NThash", on Linux workstations we use the "SHA512" hash.

So how can I arrange that if a user changes their password via CTRL+ALT+DEL on Windows, the password changing procedure in fact changes both hashes?

In the NT4 domain we used

pam password change = Yes

which changes BOTH hashes.

What do I need to do to preserve this feature?

Best Regards

--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, pokój 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it
On 16/09/2019 17:26, Bartłomiej Solarz-Niesłuchowski wrote:
> On 2019-09-16 at 16:30, Rowland penny via samba wrote:
>> On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
>>> Well it was worth checking.. We just don't know what you already
>>> checked..
>
> Now I have set up Ubuntu Server 18.04.3 LTS +
>
> http://apt.van-belle.nl/ +
> https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt#L268
>
> + I changed krb (default is ... MIT!) to heimdal
>
> apt install heimdal-clients
>
> So now I have some success....
>
> 1. I added the second AD controller "themes" as stated in
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>
> 2. bind configured and it looks like it is working:
>
> root at themes:~# samba_dnsupdate --verbose --all-names
>
> ...
>
> update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389 (add)
> Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as THEMES$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.
>
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389 (add)
> Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as THEMES$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.
>
> 3. when I try to join another samba server (but as an AD member!):
>
> [root at mask ~]# net ads join -U administrator
> Using short domain name -- WSISIZ.EDU.PL
> Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
> DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> The message looks bad, BUT the domain connection in fact works.....
>
> [root at mask ~]# wbinfo --ping-dc
> checking the NETLOGON for domain[WSISIZ.EDU.PL] dc connection to "oceanic.ad.wsisiz.edu.pl" succeeded
>
> So how can I drop DC "oceanic" and reconnect the whole network to DC "themes"?
>
> (when I do it, the DC will be on a server which has no shares (only netlogon + sysvol?))
If 'oceanic' was the first AD DC you created, then it will hold the FSMO roles, you can check this with:

samba-tool fsmo show

If you see 'oceanic' amongst the output, then run this command on 'themes':

samba-tool fsmo transfer --role=all -U Administrator

You can then demote 'oceanic' by running this command on 'oceanic':

samba-tool domain demote -U Administrator
>
> And after disconnecting oceanic as DC - I want to do some cleaning of the ldap/AD ldap.
At this point you can just remove Samba entirely
>
> I have workstations based both on Windows and Linux.
>
> Currently for Windows workstations the source of user data is Samba AD, but for Linux workstations it is openldap.
>
> There are two problems:
>
> on Windows workstations we use the "NThash", on Linux workstations we use the "SHA512" hash.
>
> So how can I arrange that if a user changes their password via CTRL+ALT+DEL on Windows, the password changing procedure in fact changes both hashes?
If you must keep your openldap machine (and you haven't actually told us what auths from it) you will need to script around this:

See here for an example (in French):

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

However, if you are referring to Linux workstations running as Unix domain members, then you do not need to do anything, they and the users will auth directly from the Samba AD DC, provided that Samba is set up correctly.

If you run:

getent passwd <a domain user>

on a Unix domain member, you should get something like this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> In the NT4 domain we used
>
> pam password change = Yes
>
> which changes BOTH hashes.
>
> What do I need to do to preserve this feature?
I am not 100% convinced you need to do anything like this. What do you use the openldap for ? A mailserver or something else ? You may be able to extend the AD schema with whatever it is you are using openldap for.

Rowland
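The "fsmo show, transfer, then demote" sequence in Rowland's reply, as an added pre-demotion check written for this page (it is not from the thread and not Samba's own tooling): a POSIX sh script that parses the text `samba-tool fsmo show` prints and only declares a DC safe to demote once no role's owner DN names it. The `samba-tool fsmo show` output embedded below is constructed to look like this domain with every role still on oceanic; the real role holders are not known from the thread. The script only reads text and changes nothing in the domain; in practice you would feed it `$(samba-tool fsmo show)` instead of the sample.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a DC may be demoted by
# checking that it owns no FSMO role. Assumption: SAMPLE_FSMO is a constructed
# imitation of 'samba-tool fsmo show' output for this domain, with all seven
# roles still on OCEANIC (the thread does not show the real holders).

SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
InfrastructureMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
RidAllocationMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
DomainNamingMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl'

# Print, one per line, the names of the roles whose owner DN names the given
# DC. $1 is the DC's short name (any case), $2 is the 'fsmo show' text.
# Matching on "CN=<DC>,CN=Servers" avoids false hits on other DN components.
fsmo_roles_held() {
    printf '%s\n' "$2" | awk -v dc="$(printf '%s' "$1" | tr 'a-z' 'A-Z')" '
        index(toupper($0), "CN=" dc ",CN=SERVERS") { sub(/ owner:.*/, ""); print }'
}

# Exit status 0 when the DC holds no role (safe to demote), 1 otherwise.
safe_to_demote() {
    [ -z "$(fsmo_roles_held "$1" "$2")" ]
}

# Same check on what 'fsmo show' should print after a successful transfer.
# Assumption: the transfer rewrote every owner DN from OCEANIC to THEMES.
after_transfer() {
    printf '%s\n' "$1" | sed 's/CN=OCEANIC,/CN=THEMES,/'
}

# The sequence from the thread, decided against the sample text.
if safe_to_demote oceanic "$SAMPLE_FSMO"; then
    echo "oceanic holds no FSMO role; 'samba-tool domain demote -U Administrator' may be run on it"
else
    echo "oceanic still holds these roles:"
    fsmo_roles_held oceanic "$SAMPLE_FSMO"
    echo "run on themes first: samba-tool fsmo transfer --role=all -U Administrator"
fi
```

Running it against the sample lists all seven roles and points at the transfer step; the same script fed `after_transfer "$SAMPLE_FSMO"` reports oceanic as clear, which is the state to confirm with a real `samba-tool fsmo show` before demoting.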
Hello! On that day, Bartłomiej Solarz-Niesłuchowski via samba said...
> What do I need to do to preserve this feature?

...if you want you can ''sync'' passwords between Samba/AD and other sources via:

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

but it is surely better to extend the schema, I've personally added the 'laser-draft-schema' to my AD.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Bartłomiej Solarz-Niesłuchowski
2019-Sep-19 18:33 UTC
[Samba] Migrating Samba NT4 Domain to Samba AD
Dear List,

After migration I have found some problems:

1.

directives in /etc/samba/smb.conf

force user
force group

I have found similar problems like here:
https://bugzilla.samba.org/show_bug.cgi?id=11320

if I have a share:

[global]
        workgroup = WSISIZ.EDU.PL
        realm = ad.wsisiz.edu.pl
        server role = member server
        security = ads
        ....
        winbind use default domain = Yes

[admin]
  valid users = +laboratoria
  write list = +laboratoria
  force group = laboratoria

I cannot connect:

oceanic:~# smbclient \\oceanic\admins -U solarz
Enter WSISIZ.EDU.PL\solarz's password:
tree connect failed: NT_STATUS_NO_SUCH_GROUP

BUT

if I change "force group" to:

  force group = unix group\laboratoria

it works! (prefix unix group is not documented?)

Samba is at version:

Name        : samba
Epoch       : 2
Version     : 4.10.7
Release     : 0.fc30
Architecture: x86_64

I have some strange problems with AD:

at domain member:

oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077 to gid

oceanic:~# wbinfo --online-status
BUILTIN : active connection
OCEANIC : active connection
WSISIZ.EDU.PL : active connection

wbinfo -u and -g work as expected....

at DC AD server:

root at themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
root at themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
1038
root at themes:~# wbinfo --online-status
BUILTIN : active connection
WSISIZ.EDU.PL : active connection

It looks very strange ... Is this conversion from SID to GID an essential one?

Any help will be welcome.

Best Regards

--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, pokój 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it
On 19/09/2019 19:33, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> Dear List,
>
> After migration I have found some problems:
>
> 1.
>
> directives in /etc/samba/smb.conf
>
> force user
>
> force group
You shouldn't be using those anymore, you should use Windows ACLs
>
> I have found similar problems like here:
> https://bugzilla.samba.org/show_bug.cgi?id=11320
>
> if I have a share:
>
> [global]
>
>         workgroup = WSISIZ.EDU.PL
Is that really your workgroup name ? I would have expected something like 'AD' based on your realm (which incidentally should be in uppercase)
>         realm = ad.wsisiz.edu.pl
>         server role = member server
>         security = ads
>         ....
>
>         winbind use default domain = Yes
>
> [admin]
>
>   valid users = +laboratoria
>   write list = +laboratoria
>   force group = laboratoria
>
> I cannot connect:
>
> oceanic:~# smbclient \\oceanic\admins -U solarz
> Enter WSISIZ.EDU.PL\solarz's password:
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
> BUT
>
> if I change "force group" to:
>
>   force group = unix group\laboratoria
>
> it works! (prefix unix group is not documented?)
I think you had better post your full smb.conf from the Unix domain member.
>
> Samba is at version:
>
> Name        : samba
> Epoch       : 2
> Version     : 4.10.7
> Release     : 0.fc30
> Architecture: x86_64
>
> I have some strange problems with AD:
>
> at domain member:
>
> oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
> oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077 to gid
>
> oceanic:~# wbinfo --online-status
> BUILTIN : active connection
> OCEANIC : active connection
> WSISIZ.EDU.PL : active connection
>
> wbinfo -u and -g work as expected....
Bit meaningless on a Unix computer
>
> at DC AD server:
>
> root at themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
> root at themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
> 1038
> root at themes:~# wbinfo --online-status
> BUILTIN : active connection
> WSISIZ.EDU.PL : active connection
>
> It looks very strange ... Is this conversion from SID to GID an essential one?
>
As I said, post your smb.conf

Rowland
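Rowland's answer to both problems is "post your smb.conf". As an added example written for this page (not from the thread and not Samba's own code), here is a POSIX sh lint that reads an smb.conf and reports the things a reviewer of a Unix domain member's file looks at first: whether the realm is uppercase, which Rowland raises above, and whether winbind has an idmap backend and range configured both for the default `*` domain and for the member's own workgroup, because a domain SID with no mapping configured for its domain is a common reason a SID-to-GID lookup fails on a member while the same lookup works on the DC. Both config texts below are constructed around the [global] lines quoted in the thread, with a default idmap block added; the poster's real file, the rid backend and the ranges are assumptions, and the thread does not establish that missing idmap entries are what breaks `wbinfo -Y` on oceanic.

```shell
#!/bin/sh
# Added example, not from the thread: lint a Unix domain member's smb.conf for
# the settings a reviewer checks first. Assumptions: both config texts are
# constructed; the quoted [global] lines are the poster's, the idmap lines are
# a guess at what the file needs, and the poster's real smb.conf is unknown.

# Constructed smb.conf: the quoted lines, a default idmap block, and no idmap
# block for the member's own domain (WSISIZ.EDU.PL).
SAMPLE_SMB_CONF='[global]
        workgroup = WSISIZ.EDU.PL
        realm = ad.wsisiz.edu.pl
        server role = member server
        security = ads
        winbind use default domain = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

[admin]
        valid users = +laboratoria
        write list = +laboratoria
        force group = laboratoria
'

# The same file with the realm in uppercase and an idmap block for the domain
# (assumed rid backend, range chosen not to overlap the default one).
FIXED_SMB_CONF='[global]
        workgroup = WSISIZ.EDU.PL
        realm = AD.WSISIZ.EDU.PL
        server role = member server
        security = ads
        winbind use default domain = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config WSISIZ.EDU.PL : backend = rid
        idmap config WSISIZ.EDU.PL : range = 10000-999999
'

# Print the value of the first "key = value" line whose key equals $1
# (case-insensitive, surrounding whitespace ignored). $2 is the config text.
smb_param() {
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# Print one line per problem found; print nothing when the file passes.
member_conf_issues() {
    cfg=$1
    wg=$(smb_param workgroup "$cfg")
    realm=$(smb_param realm "$cfg")
    [ -n "$wg" ] || echo "workgroup is not set"
    case "$realm" in
        '')      echo "realm is not set" ;;
        *[a-z]*) echo "realm should be uppercase: $realm" ;;
    esac
    # winbind needs a backend and a range for the default '*' domain and for
    # the member's own domain before it can return a gid for a domain SID.
    for dom in '*' "$wg"; do
        [ -n "$dom" ] || continue
        for p in backend range; do
            [ -n "$(smb_param "idmap config $dom : $p" "$cfg")" ] ||
                echo "missing: idmap config $dom : $p"
        done
    done
}

echo "== constructed smb.conf =="; member_conf_issues "$SAMPLE_SMB_CONF"
echo "== fixed smb.conf ==";       member_conf_issues "$FIXED_SMB_CONF"
```

On the constructed file the lint reports the lowercase realm and the two missing `idmap config WSISIZ.EDU.PL` lines; on the fixed file it reports nothing. To run it against a real member, replace the sample with `$(cat /etc/samba/smb.conf)` and, after any change, restart winbind and re-run `wbinfo -Y` on the group SID.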