Hello Rowland,
I removed the down-level options, left the winbind enum ones (I am still
testing, not many users/groups), re-enabled NetBIOS, and disabled winbind over
RPC.
Now I can see a better LDAP conversation; however, in one case I am hitting the
same problem as before, and in the other probably a different issue. So:
1) tls enabled = Yes
I have a valid certificate:
openssl s_client -showcerts -connect tristsnpa43.ad2.domain.eu:636
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = tristsnpa43.ad2.domain.eu
verify return:1
...
Server certificate
subject=CN = tristsnpa43.ad2.domain.eu
issuer=C = US, O = Let's Encrypt, CN = R3
---
...
---
SSL handshake has read 3890 bytes and written 441 bytes
Verification: OK
---
Looking at the log (attached log.winbindd.with-tls-and-error) after a reboot, I
have a new error:
/usr/sbin/samba-gpupdate: Connecting to 10.10.20.43 at port 389
[2022/06/24 14:07:48.855245, 0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
/usr/sbin/samba-gpupdate: open_socket_out: failed to open socket
.....
[2022/06/24 14:07:48.887965, 0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
/usr/sbin/samba-gpupdate: RuntimeError: ads_connect() failed: Operations error
2) tls enabled = No
This is already better; however, it gives exactly the same result as with
winbind rpc only = Yes (see attached log.winbindd.no-tls):
[2022/06/24 13:52:03.940310, 0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
/usr/sbin/samba-gpupdate: sid S-1-5-21-121635736-320366473-2533684654-1000
-> uid 3000027
[2022/06/24 13:52:03.940619, 0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
/usr/sbin/samba-gpupdate: add_local_groups: SID
S-1-5-21-121635736-320366473-2533684654-1000 -> getpwuid(3000027) failed, is
nsswitch configured?
......
[2022/06/24 13:52:03.971762, 0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
/usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for
'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Linux,OU=AOA,OU=Domain
Controllers,DC=ad2,DC=domain,DC=eu): The specified account does not exist.
Eric
> domain master = Yes
> That is an NT4-style domain term and has no place in a DC smb.conf
>
> winbind enum groups = Yes
> winbind enum users = Yes
> You do not need those, nsswitch will work without them, they can just
> slow things down.
>
> name resolve order = host lmhosts wins bcast
> Another NT4-style term, you use DNS instead.
>
> template homedir = /home/%D/%U
> That is a default setting.
>
> disable netbios = Yes
> That is not how you turn off netbios on a DC, you need to either remove
> 'nbt' from the 'server services' line or have a 'server services' line
> with '-nbt' (at least) in it.
>
> winbind rpc only = Yes
> With this set, you are not allowing winbindd to retrieve information
> from AD with ldap. It might be your problem.
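
As an added example (not part of Eric's or Rowland's messages), this is how
the [global] section of the DC's smb.conf could look once the settings Rowland
flagged are dropped and NetBIOS is turned off the way he describes, by removing
'nbt' from 'server services'. The realm is taken from the DNs in the logs and
the host name from the machine account in the logs; the workgroup name and the
TLS file names and paths are assumptions, not values from the thread.

```ini
[global]
	# Realm taken from the DNs in the logs (DC=ad2,DC=domain,DC=eu)
	realm = AD2.DOMAIN.EU
	# NetBIOS domain name: assumed, replace with the real one
	workgroup = AD2
	# Host name from the machine account TRISTSNPA43$ in the logs
	netbios name = TRISTSNPA43
	server role = active directory domain controller

	# Turn NetBIOS off on a DC by dropping nbt from the default service list.
	# This replaces 'disable netbios = Yes', which Rowland says is not the way
	# to do it on a DC.
	server services = -nbt

	# LDAPS with the existing Let's Encrypt certificate. 'tls enabled' already
	# defaults to yes on a DC; the file paths below are assumptions.
	tls enabled = yes
	tls keyfile = /etc/samba/tls/privkey.pem
	tls certfile = /etc/samba/tls/cert.pem
	tls cafile = /etc/samba/tls/chain.pem

	# Intentionally absent, per Rowland's reply:
	#   domain master, name resolve order   (NT4-style, DNS is used instead)
	#   winbind enum users / winbind enum groups   (not needed, slow things down)
	#   template homedir = /home/%D/%U   (already the default)
	#   disable netbios   (replaced by 'server services = -nbt' above)
	#   winbind rpc only   (would stop winbindd using LDAP against AD)
```

After editing, `testparm -s` prints the effective configuration and reports
unknown or misspelled parameters before samba is restarted, which is a cheap way
to confirm that the removed lines are really gone and that 'server services'
parsed as intended.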