On 28/01/2023 08:57, Mark Foley via samba wrote:
> On Sat Jan 28 02:37:16 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On 28/01/2023 06:44, Mark Foley via samba wrote:
>>> I wrote earlier about setting the domain user password minimum to 14
>>> characters. It was advised that my first step should be to upgrade from Samba
>>> 4.8.2 to the most recent version available which for my Slackware 15.0 distro is
>>> 4.15.5. This also involved a distro upgrade from Slackware 14.2 to 15.0.
>>>
>>> After upgrading, just for the heck of it, I tried starting Samba without
>>> changing my 4.8.2 configs. Of course, that didn't work. My initial error (of
>>> several) in syslog was:
>>>
>>> Jan 28 00:42:52 mail krb5kdc[2725]: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory - while initializing database for realm MYDOM.LOCAL
>>
>> That looks like you also installed a MIT kerberos server as well, a
>> Samba domain usually uses the Heimdal kerberos server it comes with.
>
> This DC was originally installed back in 2014 and perhaps that was what was
> available then. I certainly didn't have the expertise to choose. Of course, that
> message (above) is from trying to run the new samba 4.15.5, not the old one.
Not being a Slackware user, I do not know what was available when you
first installed Samba as a DC, but back then it was even more
experimental to use MIT as the kdc than it is now.
A few distros chose not to supply Samba packages that could be
provisioned as a DC, others supplied packages that had been built with
MIT, but didn't tell anyone that they should be treated as experimental.
You should be able to find out if your Samba packages were built with
MIT by running:
smbd -b | grep HAVE_LIBKADM5SRV_MIT
You should get nothing returned if Samba was built using the built-in
Heimdal. If this is the case, you need to check if you have the MIT
kerberos kdc installed and, if so, I suggest you remove it; you can only
have one kdc.
If you get back 'HAVE_LIBKADM5SRV_MIT', then your Samba packages were
built with MIT. At this point you will need to decide if you can accept
using something that is experimental, or find Slackware Samba packages
that are not built using MIT.
>
> I have routinely upgraded the OS including Samba since.
>
>>> At that point I decided to read the Wiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction
>>>
>>> Under "Only Applicable if Samba was Previously Installed", it is telling me to
>>> delete all my carefully crafted config files and looks like it's going to lead
>>> me through the steps of re-provisioning.
>>>
>>> Before taking that step I thought I'd ask if I really need to do that? Can I not
>>> just install krb5, etc. and get there step-wise without redoing especially my
>>> /var/lib/samba/private/ named.conf and dns/ files, and re-provisioning?
>>
>> That wiki page is indeed for setting up a new domain, to join another
>> DC, you need this page:
>>
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>
>> But before you do anything, I would check if you are running a separate
>> kdc and if you are, stop and remove it.
>
> I'm certainly running some kerberos. My original provisioning gave the message,
>
> "A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf"
That is the kerberos conf file to use as /etc/krb5.conf
>
> My notes also say, "This Samba4 utilizes the Heimdal implementation of
> Kerberos", so is it possible I am (or rather 'was') running Heimdal? I also have
> zone files showing "krb5 servers". And I do have a /var/lib/samba/private/krb5.conf.
It sounds entirely possible that you were using Samba with its built-in
Heimdal kdc, though I do think that the krb5.conf is supplied if you don't.
>
>> I do hope you are doing this on a different machine to your existing DC.
>>
>> Rowland
>
> Well, no -- same machine :) I did a complete backup so I can quickly put the old
> DC back. This office doesn't have the resources to stage a new server, but I'm
> doing this over the weekend so not really interfering with important production.
Well, at least you can revert if required.
>
> I'm beginning to think I need to actually reprovision. Aside from the
> kerberos question, I initially provisioned with --dns-backend=BIND9_FLATFILE,
> which I believe is now deprecated. The FLATFILE was easy as I only needed minor
> tweaks to a non-DC bind configuration. Probably I can't just install and
> configure bits and pieces (like kerberos) and get this running using mostly
> 4.8.2 configs, right?
Well, it is probably impossible to just change bits and pieces: tweak
conf files, yes; change a bit here and there, no.
>
> Here's my original provision command:
>
> /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 \
> --server-role='dc' --realm=hprs.local --domain=HPRS \
> --adminpass='password' --dns-backend=BIND9_FLATFILE \
> --option="interfaces=lo eth1" --option="bind interfaces only=yes"
You built Samba yourself by the look of it and I remember you now,
aren't you something to do with a police retirement fund?
>
> Do you agree, or are there a few things I can do to make things work with 4.15.5?
If you did build Samba yourself and you have now installed Samba from
Slackware packages, you could now have Samba in two places. This could
be a good thing, because it is highly likely that your original Samba is
untouched.
You should be able to upgrade your dns server quite easily with
'samba_dnsupdate'.
Rowland
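The checks Rowland describes (is this Samba built with MIT Kerberos, is a separate kdc running alongside it, and is Samba possibly installed twice) collected into one pre-flight script, as an added example that is not part of the thread and not code from the Samba project. It assumes `smbd -b` lists build options one per line and that a separate MIT KDC shows up as a process named `krb5kdc`; the checks take their input as arguments so they can be exercised offline against constructed data. The binary paths it probes (/usr/local/samba/sbin/smbd for a self-built install, /usr/sbin/smbd and /usr/local/sbin/smbd for packages) are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Pre-flight check before upgrading a Samba AD DC: which Kerberos KDC is in play?
# Added example for this thread, not code from the list or the Samba project.
# Assumptions: `smbd -b` prints build options one per line, and a separate MIT
# KDC appears as a process named krb5kdc. Inputs are passed as arguments so the
# functions can be tested offline with constructed data.

# kdc_flavour BUILD_OPTIONS -> prints "mit" if Samba was linked against the
# MIT kadm5 server library, otherwise "heimdal" (the bundled KDC).
kdc_flavour() {
    if printf '%s\n' "$1" | grep -q 'HAVE_LIBKADM5SRV_MIT'; then
        echo mit
    else
        echo heimdal
    fi
}

# separate_kdc_running PROCESS_NAMES -> exit 0 if a krb5kdc process is listed
# (PROCESS_NAMES is one command name per line, as printed by `ps -eo comm=`).
separate_kdc_running() {
    printf '%s\n' "$1" | grep -qx 'krb5kdc'
}

# verdict BUILD_OPTIONS PROCESS_NAMES -> one-line recommendation
verdict() {
    flavour=$(kdc_flavour "$1")
    if [ "$flavour" = mit ]; then
        echo "MIT-built Samba: experimental as an AD DC, look for Heimdal-built packages"
    elif separate_kdc_running "$2"; then
        echo "Heimdal-built Samba with a separate krb5kdc running: stop and remove it, one KDC per host"
    else
        echo "Heimdal-built Samba and no separate KDC: OK"
    fi
}

# list_smbd_binaries -> every smbd found at the assumed self-built and
# distro-package locations; two hits means Samba is installed twice.
list_smbd_binaries() {
    for p in /usr/local/samba/sbin/smbd /usr/sbin/smbd /usr/local/sbin/smbd; do
        [ -x "$p" ] && echo "$p"
    done
    return 0
}

# Live run only when requested, so the file can also be sourced for its functions:
#   SAMBA_KDC_PREFLIGHT=1 sh samba_kdc_preflight.sh
if [ "${SAMBA_KDC_PREFLIGHT:-0}" = 1 ]; then
    build=$(smbd -b 2>/dev/null) || build=
    if [ -z "$build" ]; then
        echo "smbd not found in PATH; see the binaries listed below and adjust PATH" >&2
    else
        verdict "$build" "$(ps -eo comm= 2>/dev/null)"
    fi
    echo "smbd binaries found:"
    list_smbd_binaries
fi
```

Run it with the PATH pointing at the Samba you actually intend to use as the DC; with both a self-built and a packaged Samba present, `smbd -b` from the wrong one answers the wrong question, which is why the script also lists every smbd it can find.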