I'll resume this topic in this thread -- keep the noise down ...

On 24/07/2023 07:52, Rowland Penny via samba wrote:
>
> > The correct version should have been:
> >
> > samba-tool domain join hprs.local DC -U Administrator
> >
> > The command should also have failed because you had a smb.conf file, you
> > need to remove any existing smb.conf when joining a DC, the join would
> > then create a new one
> >
>
> Hi Mark, the only thing you did incorrectly was to not specify that you
> were joining as a DC. After reading the code, it seems that if you do
> not specify the type of join, MEMBER, DC or RODC, it defaults to MEMBER,
> which, in my opinion, it shouldn't, it should error out.
>
> Rowland

I removed the new computer from the domain and deleted the smb.conf file. I then
did:

samba-tool domain join hprs.local DC --option='idmap_ldb:use rfc2307 = yes' -U Administrator
INFO 2023-07-24 09:29:41,946 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #105: Finding a writeable DC for domain 'hprs.local'
INFO 2023-07-24 09:29:41,983 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #107: Found DC mail.hprs.local
Password for [WORKGROUP\Administrator]:
INFO 2023-07-24 09:29:48,623 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is HPRS
INFO 2023-07-24 09:29:48,623 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is hprs.local
Adding CN=DC1,OU=Domain Controllers,DC=hprs,DC=local
Adding CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
Adding CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
Adding SPNs to CN=DC1,OU=Domain Controllers,DC=hprs,DC=local
Setting account password for DC1$
Enabling account
:
:
INFO 2023-07-24 09:30:05,249 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1544: Joined domain HPRS (SID S-1-5-21-1052267278-1962196458-4119365663) as a DC

plus I got a whole bunch more output not included here, but including messages on
Setting up idmap db, kerberos, replication, schema objects, SAM database.

Note that I did not specify any --dns-backend. I hope that's OK as I
provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC. I do
have LAN members not part of the domain that need to have DNS service, so I may
have to redo this later.

Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's
IP, but that didn't work -- couldn't see any other host, so I reverted back to
the original DC's IP. However, that's not working either, even after a reboot. I
switched back to the new DC's IP and rebooted. Again, not working. So, something
is wrong with the DNS setup.

$ host webserver
;; connection timed out; no servers could be reached

Note that I ran the following not realizing DNS wasn't working. That could make
a difference.

Next I followed the instructions on syncing idmap.ldb. On my original server the
idmap.ldb is in /var/lib/samba/private, not /usr/local/samba/private; same with
this new DC, so I copied the idmap.ldb.bak from OLD:/var/lib/samba/private to
NEW:/var/lib/samba/idmap.ldb. Seems odd to just remove the .bak. The .bak file is
4% of the size of the idmap.ldb, so it appears some serious compressing is going
on. But whatever, that's what the wiki says!

Next I ran 'net cache flush' on the new DC; seemed to work (no error).

Next 'samba-tool ntacl sysvolreset', but I had a problem with that:

# samba-tool ntacl sysvolreset
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 412, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
    setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
  File "/usr/lib64/python3.9/site-packages/samba/ntacls.py", line 228, in setntacl
    smbd.set_nt_acl(

What did I do wrong? Note that samba is not yet running.

Also, you noted in your previous message:

> I feel that I should point out that, if you were to use Debian instead,
> you would find this all a lot easier and you would get a much more
> recent version of Samba, 4.17.8 at present, which would become 4.18.x
> when Bookworm backports is created (or so I am reliably informed).

In fact, way back in 2010 when I embarked on this venture, I did start with
Debian, but it wasn't going well; lots of extra packages to download, configs
not working ... I switched to Slackware and it installed, provisioned and
worked right out of the box. So I've stuck with Slackware. Now, I have several
other servers (webserver, NAS, VM hosts ...) all running Slackware, so I'd rather
not switch horses and add a new distro into the mix. Most of my problems on
this latest effort have been due to my misunderstandings or screw-ups, so I think
I can probably get this working with Slackware -- inch by inch.

Thanks --Mark
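The sysvolreset traceback in Mark's message above fails inside set_gpos_acl(), where setntacl() is called on root_policy_path and smbd reports NT_STATUS_OBJECT_NAME_NOT_FOUND: the path being ACL'd does not exist, which is a missing sysvol tree rather than a permissions problem. As an added example (not code from the thread or from the Samba project), the POSIX shell script below checks, before sysvolreset is run, that the state directory holds what that code path expects: idmap.ldb under private/, and under sysvol/<dnsdomain>/ the Policies tree with the two default GPOs plus the scripts directory. The /var/lib/samba layout and the hprs.local domain are taken from the thread; the GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy identifiers; the fake state directories the demo builds under mktemp are constructed stand-ins for a freshly joined and a synced DC.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Samba project).
# Check that a newly joined DC's sysvol holds the domain policy tree before
# running 'samba-tool ntacl sysvolreset'. The traceback in the thread dies in
# set_gpos_acl() with NT_STATUS_OBJECT_NAME_NOT_FOUND on root_policy_path,
# i.e. the Policies directory it wants to ACL is absent until sysvol has
# been synced from the existing DC. Assumed layout: the distro-style
# /var/lib/samba tree used in the thread, with private/ and sysvol/ below it.

# Well-known GUIDs of the two GPOs every AD domain is provisioned with.
DEFAULT_DOMAIN_POLICY='{31B2F340-016D-11D2-945F-00C04FB984F9}'
DEFAULT_DC_POLICY='{6AC1786C-016F-11D2-945F-00C04fB984F9}'

# sysvol_missing STATEDIR DNSDOMAIN
# Reports to stderr each item sysvolreset needs that is absent, prints the
# number of missing items to stdout, and always returns 0 so that it can be
# used inside $(...) under 'set -e'.
sysvol_missing() {
    statedir=$1
    dnsdomain=$2
    policies="$statedir/sysvol/$dnsdomain/Policies"
    count=0
    for item in \
        "$statedir/private/idmap.ldb" \
        "$statedir/sysvol/$dnsdomain/scripts" \
        "$policies" \
        "$policies/$DEFAULT_DOMAIN_POLICY/GPT.INI" \
        "$policies/$DEFAULT_DC_POLICY/GPT.INI"
    do
        if [ ! -e "$item" ]; then
            echo "missing: $item" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
    return 0
}

# sysvol_ready STATEDIR DNSDOMAIN: exit 0 if nothing is missing, 1 otherwise.
sysvol_ready() {
    [ "$(sysvol_missing "$1" "$2")" -eq 0 ]
}

# make_fake_dc DIR DNSDOMAIN SYNCED
# Constructed stand-in for a DC state directory so the check can be exercised
# without a real DC. SYNCED=yes adds the policy tree and scripts directory
# that a sysvol sync from the old DC would bring over.
make_fake_dc() {
    dir=$1; dom=$2; synced=$3
    mkdir -p "$dir/private" "$dir/sysvol/$dom"
    : > "$dir/private/idmap.ldb"
    if [ "$synced" = yes ]; then
        for g in "$DEFAULT_DOMAIN_POLICY" "$DEFAULT_DC_POLICY"; do
            mkdir -p "$dir/sysvol/$dom/Policies/$g"
            printf '[General]\nVersion=0\n' > "$dir/sysvol/$dom/Policies/$g/GPT.INI"
        done
        mkdir -p "$dir/sysvol/$dom/scripts"
    fi
}

# Demo on the constructed directories: a fresh join is missing the whole
# policy tree, a synced sysvol is complete.
demo() {
    tmp=$(mktemp -d)
    make_fake_dc "$tmp/fresh" hprs.local no
    make_fake_dc "$tmp/synced" hprs.local yes
    echo "fresh join: $(sysvol_missing "$tmp/fresh" hprs.local) item(s) missing"
    echo "after sync: $(sysvol_missing "$tmp/synced" hprs.local) item(s) missing"
    rm -rf "$tmp"
}

demo
```

On the real DC the call is sysvol_missing /var/lib/samba hprs.local; any count above zero means sysvol still has to be synced from the DC that holds the GPOs before sysvolreset can succeed, and the stderr lines show exactly which paths are absent.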
On 24/07/2023 17:46, Mark Foley via samba wrote:
> I removed the new computer from the domain and deleted the smb.conf file. I then
> did:
>
> samba-tool domain join hprs.local DC --option='idmap_ldb:use rfc2307 = yes' -U Administrator
> INFO 2023-07-24 09:29:41,946 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #105: Finding a writeable DC for domain 'hprs.local'
> INFO 2023-07-24 09:29:41,983 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #107: Found DC mail.hprs.local
> Password for [WORKGROUP\Administrator]:
> INFO 2023-07-24 09:29:48,623 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is HPRS
> INFO 2023-07-24 09:29:48,623 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is hprs.local
> Adding CN=DC1,OU=Domain Controllers,DC=hprs,DC=local
> Adding CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
> Adding CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
> Adding SPNs to CN=DC1,OU=Domain Controllers,DC=hprs,DC=local
> Setting account password for DC1$
> Enabling account
> :
> :
> INFO 2023-07-24 09:30:05,249 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1544: Joined domain HPRS (SID S-1-5-21-1052267278-1962196458-4119365663) as a DC
>
> plus I got a whole bunch more output not included here, but including messages on
> Setting up idmap db, kerberos, replication, schema objects, SAM database.

It sounds like you now have a DC :-)

>
> Note that I did not specify any --dns-backend. I hope that's OK as I
> provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC. I do
> have LAN members not part of the domain that need to have DNS service, so I may
> have to redo this later.

If you didn't specify a dns backend, then the default internal dns server will
be used.

>
> Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's
> IP, but that didn't work -- couldn't see any other host, so I reverted back to
> the original DC's IP. However, that's not working either, even after a reboot. I
> switched back to the new DC's IP and rebooted. Again, not working. So, something
> is wrong with the DNS setup.

The dns problem is probably because there are no records in AD, you need to
either transfer the records from the flat files (you will probably have to
create the reverse zone) or let your Windows computers create them in AD.

>
> $ host webserver
> ;; connection timed out; no servers could be reached
>
> Note that I ran the following not realizing DNS wasn't working. That could make
> a difference.
>
> Next I followed the instructions on syncing idmap.ldb. On my original server the
> idmap.ldb is in /var/lib/samba/private, not /usr/local/samba/private;

The wiki is written from the point of view of a self compiled Samba, where
(unless it is specified) everything ends up in /usr/local/samba

> same with
> this new DC, so I copied the idmap.ldb.bak from OLD:/var/lib/samba/private to
> NEW:/var/lib/samba/idmap.ldb. Seems odd to just remove the .bak. The .bak file is
> 4% of the size of the idmap.ldb, so it appears some serious compressing is going
> on. But whatever, that's what the wiki says!

It is correct, backing the .tdb file up also removes anything not required etc.

>
> Next I ran 'net cache flush' on the new DC; seemed to work (no error).
>
> Next 'samba-tool ntacl sysvolreset', but I had a problem with that:
>
> # samba-tool ntacl sysvolreset
> set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 412, in run
>     provision.setsysvolacl(samdb, netlogon, sysvol,
>   File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
>     setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
>   File "/usr/lib64/python3.9/site-packages/samba/ntacls.py", line 228, in setntacl
>     smbd.set_nt_acl(
>
> What did I do wrong? Note that samba is not yet running.

Did you also sync Sysvol? On a newly joined DC, there is very little in sysvol,
it needs to be synced from a DC that holds all the GPOs.

>
> Also, you noted in your previous message:
>
>> I feel that I should point out that, if you were to use Debian instead,
>> you would find this all a lot easier and you would get a much more
>> recent version of Samba, 4.17.8 at present, which would become 4.18.x
>> when Bookworm backports is created (or so I am reliably informed).
>
> In fact, way back in 2010 when I embarked on this venture, I did start with
> Debian, but it wasn't going well; lots of extra packages to download, configs
> not working ... I switched to Slackware and it installed, provisioned and
> worked right out of the box. So I've stuck with Slackware. Now, I have several
> other servers (webserver, NAS, VM hosts ...) all running Slackware, so I'd rather
> not switch horses and add a new distro into the mix. Most of my problems on
> this latest effort have been due to my misunderstandings or screw-ups, so I think
> I can probably get this working with Slackware -- inch by inch.
>

I can understand that, it is just that Debian (and Debian based distros, Ubuntu
for instance) has been the go-to distro for a Samba AD DC since Samba 4.0.0 and
there is a lot of knowledge out there. I run two Samba AD DCs on Raspberry Pi OS
(Debian based), so I can vouch that it works well.

Rowland
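Rowland's suggestion in the reply above is to transfer the records from the old DC's BIND9_FLATFILE zone into AD, creating the reverse zone where needed, since a DC joined with the internal DNS backend starts with nothing to answer from. As an added example (not code from the thread or from the Samba project), the POSIX shell function below turns the A and CNAME records of a flat zone file into the samba-tool dns zonecreate / dns add commands that would load them into the new DC, and emits a zonecreate for each /24 reverse zone before the PTR records that belong in it. The server name DC1 and the zone hprs.local are taken from the thread; the sample zone file is constructed for the demo; the generated commands are only printed, and when actually run would need -U Administrator and a DC that is up.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Samba project).
# Convert the A and CNAME records of a BIND flat zone file into
# 'samba-tool dns' commands for an AD-integrated zone, including the
# reverse zone(s) the PTR records need. Assumes one record per line in
# '<name> [TTL] [IN] <type> <data>' form; indented lines reuse the previous
# owner name as BIND allows. Commands are printed, not executed.

# zone_to_samba_dns SERVER ZONE < zonefile
# Writes the samba-tool commands to stdout, zonecreate before the first
# PTR of each reverse zone so they can be run top to bottom.
zone_to_samba_dns() {
    awk -v server="$1" -v zone="$2" '
        /^[ \t]*;/ || /^[ \t]*$/ { next }     # comments and blank lines
        substr($1, 1, 1) == "$" { next }      # $TTL, $ORIGIN and similar directives
        {
            # An indented line reuses the owner name of the previous record.
            if ($0 ~ /^[ \t]/) { name = prev; start = 1 }
            else               { name = $1; prev = name; start = 2 }
            type = ""; data = ""
            for (i = start; i <= NF; i++)
                if ($i == "A" || $i == "CNAME") { type = $i; data = $(i + 1); break }
            if (type == "" || data == "") next
            # The zone apex (SOA/NS) is set up by the join itself; skip it.
            if (name == "@" || name == zone || name == (zone ".")) next
            sub(/\.$/, "", name)                  # absolute name: drop trailing dot
            sub("\\." zone "$", "", name)         # and make it zone-relative
            if (type == "A") {
                if (data !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
                split(data, o, ".")
                rev = o[3] "." o[2] "." o[1] ".in-addr.arpa"
                if (!(rev in seen)) {
                    seen[rev] = 1
                    print "samba-tool dns zonecreate " server " " rev
                }
                print "samba-tool dns add " server " " zone " " name " A " data
                print "samba-tool dns add " server " " rev " " o[4] " PTR " name "." zone
            } else {
                # A CNAME target must be a fully qualified name in AD DNS.
                if (data ~ /\.$/) sub(/\.$/, "", data); else data = data "." zone
                print "samba-tool dns add " server " " zone " " name " CNAME " data
            }
        }'
}

# Constructed sample zone in the style of a BIND9_FLATFILE zone for hprs.local;
# the hosts and addresses are made up for the demo.
SAMPLE_ZONE='$TTL 3600
$ORIGIN hprs.local.
@       IN SOA mail.hprs.local. hostmaster.hprs.local. ( 2023072401 3600 900 604800 86400 )
        IN NS  mail.hprs.local.
; hosts
mail    IN A   192.168.1.2
webserver  3600 IN A 192.168.1.10
nas.hprs.local. IN A 192.168.2.20
printer IN CNAME webserver'

printf '%s\n' "$SAMPLE_ZONE" | zone_to_samba_dns DC1 hprs.local
```

Feed the real zone file in with zone_to_samba_dns DC1 hprs.local < /path/to/zone and review the printed commands before running them; records of other types (MX, SRV, TXT) are skipped and would have to be added by hand, and the SRV records a DC needs are registered by the join and by samba_dnsupdate, not by this script.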