Hopefully you've noticed that I'm working on two Samba AD issues at the same
time and have two threads, one for joining a Linux Samba server as a domain
member to a Windows AD domain, and the other (this one) setting up a new Samba
DC on an existing Linux Samba domain with the goal of promoting the new DC and
demoting/removing the old/current one. I am not the admin for the Windows AD
server, but I am the admin for the Samba AD server.

On Jul 23 16:07:32 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 23/07/2023 20:40, Mark Foley via samba wrote:
> > On Sun Jul 16 04:21:55 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On 16/07/2023 07:10, Mark Foley via samba wrote:
[deleted]
> > Thanks, I'm now referencing your suggested wiki.
> >
> > Question 1: That wiki says:
> >
> >     Configuring the /etc/resolv.conf
> >
> >     Set the DNS server IP and AD DNS domain in your /etc/resolv.conf. For example:
> >
> >         nameserver 10.99.0.1
> >         search samdom.example.com
> >
> > Is the nameserver as shown supposed to be the primary/current AD/DC?
>
> It is supposed to be another AD DC (there is no such thing as a
> 'primary' DC, they are all equal). I have added a note to the wiki page.

Until this one gets promoted, there is only one AD DC, Samba version 4.8.2.
Hence the need to create a more up-to-date server.

> > Currently,
> > the AD/DC is 192.168.0.2 and in that host's resolv.conf the nameserver IP is set
> > to itself. In this joined DC, should the nameserver be the primary/current AD/DC
> > or itself (192.168.0.7)?
>
> Initially the nameserver needs to be another AD DC, once the join
> succeeds you change it to the new DC's IP address (aka its own IP address)

Done!

> > Question 2: After setting krb5.conf per the wiki, the kerberos test commands do not work:
> >
> >     # kinit Administrator
> >     Password for Administrator@hprs.local:
> >     kinit: KDC reply did not match expectations while getting initial credentials
>
> I really hope that '.local' is a placeholder for the real TLD, '.local' is
> reserved for Bonjour and Avahi and, as such, shouldn't be used.

Unfortunately, .local is the name. This whole domain started as a Windows Small
Business Server back in 2010 and I replaced the SBS AD/DC with Samba. I did not
change the original domain name (hprs.local) as I was very new at this and
wasn't sure how that would affect the other Windows workstations in the domain.
The other Windows AD domain I'm working on also has .local, so maybe that's a
thing with Windows? Anyway, I've disabled/removed Bonjour and Avahi from Windows
and Linux workstations when present.

> Provided that kerberos and dns are set up correctly, that should work.

I think they are. I followed the wiki instructions for krb5.conf, and I can see
the DC and all domain members via 'host'.

> >     # klist
> >     klist: No credentials cache found (filename: /tmp/krb5cc_0)
> >
> > Does something have to be running first? Note that samba is installed, but not
> > running.
>
> Your DC needs to be able to contact a DC, preferably itself, but if the
> computer is pointing at another DC and the required packages are
> installed, then kinit should work.
>
> Rowland

"itself" is not yet a DC.

I can contact the DC and DNS seems to be working. If I run these commands on
the DC I get:

    > kinit
    Password for Administrator@HPRS.LOCAL:
    (nothing returned, 0 return status)

    > klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@HPRS.LOCAL

    Valid starting       Expires              Service principal
    07/23/2023 17:56:29  07/24/2023 03:56:29  krbtgt/HPRS.LOCAL@HPRS.LOCAL
            renew until 07/24/2023 17:56:23

So, what do you suggest I do to get kerberos working on this wannabe-DC? It is
not yet joined to the domain, but I don't think I can do the join until
kerberos is working. Samba is not running.

Perhaps there is an issue with which Kerberos is running on the DC versus what's
on this new machine?

On the DC I have kerberos version:

    Kerberos 5 version 1.11.6

On this new machine I have kerberos version:

    Kerberos 5 version 1.19.2

The version numbers seem to indicate the same kerberos package, but it doesn't
say whether it's Heimdal or MIT.

Thanks --Mark
More information ...

Just to see what would happen, I started samba and joined this future DC to
the domain. I do have another Linux Samba domain member on this domain, so I
just copied its smb.conf, started samba, and joined. Interestingly, the
joining process re-created my smb.conf, mostly with the same settings, but
eliminating comments and spaces, removing some settings like 'domain master',
'printing', and some others, and added 'server role' and possibly others. Then,
the whole smb.conf was sorted alphabetically giving:

    # Global parameters
    [global]
        client max protocol = SMB3
        client min protocol = SMB2
        disable spoolss = Yes
        max log size = 10000
        netbios name = DC1
        printcap name = /dev/null
        realm = HPRS.LOCAL
        security = ADS
        server role = member server
        server string = HPRS DC1
        template shell = /bin/bash
        usershare allow guests = Yes
        usershare max shares = 10
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = HPRS
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config hprs:backend = ad
        idmap config hprs:schema_mode = rfc2307
        idmap config hprs:range = 10000-10099

I then joined (I did not use the --dns-backend parameter):

    # samba-tool domain join hprs.local -U Administrator
    Password for [HPRS\Administrator]:
    Joined domain hprs.local (S-1-5-21-1052267278-1962196458-4119365663)

That's all I got as output. I did not get the copious output described in the
Joining_a_Samba_DC_to_an_Existing_Active_Directory wiki. Also, I did not use
--option='idmap_ldb' as the wiki suggested (the original DC was provisioned
with --use-rfc2307), because I didn't read far enough in the wiki. Do you think
this would make a difference? I can un-join and rejoin if you think so.

Unfortunately, the kerberos tests still fail:

    # kinit Administrator
    Password for Administrator@hprs.local:
    kinit: KDC reply did not match expectations while getting initial credentials
    # klist
    klist: No credentials cache found (filename: /tmp/krb5cc_0)

On the other hand, these commands on the existing domain member (not DC) do
work. That member is running Samba Version 4.6.16 whereas the "new" machine is
Version 4.15.13. The DC is running Samba version 4.8.2.

So, I think I'm a bit stuck trying to figure out how to get kerberos working on
this new machine. I have proceeded no further with the wiki instructions. I was
hoping starting samba would magically work.

--Mark
On 23/07/2023 23:12, Mark Foley via samba wrote:
> Hopefully you've noticed that I'm working on two Samba AD issues at the same
> time and have two threads, one for joining a Linux Samba server as a domain
> member to a Windows AD domain, and the other (this one) setting up a new Samba
> DC on an existing Linux Samba domain with the goal of promoting the new DC and
> demoting/removing the old/current one. I am not the admin for the Windows AD
> server, but I am the admin for the Samba AD server.

Yes, I had noticed :-)

>>
>> It is supposed to be another AD DC (there is no such thing as a
>> 'primary' DC, they are all equal). I have added a note to the wiki page.
>
> Until this one gets promoted, there is only one AD DC, Samba version 4.8.2.
> Hence the need to create a more up-to-date server.

That is a very good reason to update, 4.8.2 is ancient in the Samba world and
there have been a great many improvements.

>>>
>>> Question 2: After setting krb5.conf per the wiki, the kerberos test commands do not work:
>>>
>>>     # kinit Administrator
>>>     Password for Administrator@hprs.local:
>>>     kinit: KDC reply did not match expectations while getting initial credentials
>
>> I really hope that '.local' is a placeholder for the real TLD, '.local' is
>> reserved for Bonjour and Avahi and, as such, shouldn't be used.
>
> Unfortunately, .local is the name. This whole domain started as a Windows Small
> Business Server back in 2010 and I replaced the SBS AD/DC with Samba.
> I did not change the original domain name (hprs.local) as I was very new at this and
> wasn't sure how that would affect the other Windows workstations in the domain.
> The other Windows AD domain I'm working on also has .local, so maybe that's a
> thing with Windows? Anyway, I've disabled/removed Bonjour and Avahi from Windows
> and Linux workstations when present.

Microsoft used to recommend '.local', they now do not, because if you use it,
you have to do what you have done, turn off Bonjour and Avahi.

>
>> Provided that kerberos and dns are set up correctly, that should work.
>
> I think they are. I followed the wiki instructions for krb5.conf, and I can see the
> DC and all domain members via 'host'.
>
>>>     # klist
>>>     klist: No credentials cache found (filename: /tmp/krb5cc_0)
>>>
>>> Does something have to be running first? Note that samba is installed, but not
>>> running.
>>
>> Your DC needs to be able to contact a DC, preferably itself, but if the
>> computer is pointing at another DC and the required packages are
>> installed, then kinit should work.
>>
>> Rowland
>
> "itself" is not yet a DC.
>
> I can contact the DC and DNS seems to be working. If I run these commands
> on the DC I get:
>
>     > kinit
>     Password for Administrator@HPRS.LOCAL:
>     (nothing returned, 0 return status)
>
>     > klist
>     Ticket cache: FILE:/tmp/krb5cc_0
>     Default principal: Administrator@HPRS.LOCAL
>
>     Valid starting       Expires              Service principal
>     07/23/2023 17:56:29  07/24/2023 03:56:29  krbtgt/HPRS.LOCAL@HPRS.LOCAL
>             renew until 07/24/2023 17:56:23
>
> So, what do you suggest I do to get kerberos working on this wannabe-DC?

It is working, you have got a ticket for Administrator from your existing DC.

> It is not yet joined to the domain, but I don't think I can do the join until kerberos
> is working. Samba is not running.

If everything else is set up, it looks like you now need to run the samba-tool
command to join your computer as another DC.

>
> Perhaps there is an issue with which Kerberos is running on the DC versus what's
> on this new machine?

Until you join the computer as a DC and start Samba, there isn't a KDC running
on the computer.

>
> On the DC I have kerberos version Kerberos 5 version 1.11.6

Is it possible that you are using the OS's MIT kdc rather than the Heimdal
built into Samba ?

>
> On this new machine I have kerberos version Kerberos 5 version 1.19.2
>
> The version numbers seem to indicate the same kerberos package, but it doesn't
> say whether it's Heimdal or MIT.

It sounds to me that you are using MIT and if so, that is yet another reason to
update. Using a Samba AD DC with a MIT KDC was very experimental at 4.8.x (a
lot of things just didn't work, or if they did work, they had missing
components), now, whilst there are still minor problems, using MIT doesn't seem
to be regarded as experimental.

Rowland
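A pre-join consistency check for the three files the wiki has you edit before joining a second DC (smb.conf, krb5.conf and resolv.conf), as an added example that is not from this thread or from the Samba project: it flags a member-server smb.conf like the one posted above, a krb5.conf default_realm that is not upper case (Kerberos realm names are case-sensitive), and a resolv.conf that does not point at the existing DC. The file contents and the IP addresses are assumptions constructed from the thread.

```python
# Added example, not from the thread or the Samba project: a pre-join
# consistency check for a machine that is about to become a second AD DC.
# The smb.conf sample mirrors the member-server one posted above; the
# krb5.conf and resolv.conf contents are constructed.
import configparser
import re

DC_ROLE = "active directory domain controller"

def _parse(text):
    # smb.conf and krb5.conf are INI-like; split on '=' only, because
    # smb.conf keys such as "idmap config *:backend" contain ':'
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp

def preflight(smb_conf, krb5_conf, resolv_conf, existing_dc_ip):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    smb, krb = _parse(smb_conf), _parse(krb5_conf)
    realm = smb.get("global", "realm", fallback="")
    default_realm = krb.get("libdefaults", "default_realm", fallback="")
    if realm.upper() != default_realm.upper():
        findings.append(f"realm mismatch: smb.conf '{realm}' vs krb5.conf '{default_realm}'")
    if default_realm != default_realm.upper():
        # Kerberos realm names are case-sensitive and AD realms are upper case
        findings.append(f"krb5.conf default_realm '{default_realm}' is not upper case")
    role = smb.get("global", "server role", fallback="")
    if role.lower() != DC_ROLE:
        findings.append(f"server role is '{role}', not '{DC_ROLE}'")
    # before the join, resolv.conf must point at an existing DC, not at this host
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    if existing_dc_ip not in nameservers:
        findings.append(f"nameservers {nameservers} do not include existing DC {existing_dc_ip}")
    return findings

SMB_CONF = """[global]
netbios name = DC1
realm = HPRS.LOCAL
server role = member server
workgroup = HPRS
idmap config *:backend = tdb
"""
KRB5_CONF = "[libdefaults]\ndefault_realm = hprs.local\ndns_lookup_kdc = true\n"
RESOLV_CONF = "nameserver 192.168.0.2\nsearch hprs.local\n"

if __name__ == "__main__":
    for finding in preflight(SMB_CONF, KRB5_CONF, RESOLV_CONF, "192.168.0.2"):
        print("WARN:", finding)
```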