Bestattungen Vitt - Thomas Reitelbach
2023-Oct-28  09:05 UTC
[Samba] Member join to Active Directory -> DNS-Update fails
Hello Rowland,

>> >> I guess this is because this specific machine has an old samba
>> >> version (4.6.4) which lacks the necessary functions.
>> >>
>> >> What are my options now?
>> >> a) update Samba on the old machine to a current version? (not
>> >> preferred)
>> > Excellent idea. Try:
>>
>> Unfortunately this is complicated. Current samba configure scripts
>> need python3 which is unavailable for this old server. I would have
>> to compile python and all its dependencies as well. I'll try not to
>> do this ;-)
>> Well, I COULD do this, but this is my last choice...
>
> I wouldn't bother, just transfer any FSMO roles to another DC, then
> demote this old DC and then, if required, create a new one.

This DC is also my main Fileserver as well (I know, bad decision 12 years ago).
What will happen to the file service if I demote the DC? If I understand the docs I should turn off the server after demoting it, which means shutting down file and print services as well. This is not possible at the time being because it holds the users' home directories, folder redirection share and so on.

>> >> b) let the joining Fileserver choose a different AD-Server
>> >> preferred for DNS-Updates? (how would I do that?? the other AD
>> >> servers are running on debian 11 with samba 4.17.9) All
>> >> FSMO-Roles are at the other AD servers.
>
> I suggest you upgrade Bullseye to Bookworm and then use Samba from
> backports.

Upgrade to Bookworm is planned. But what's the exact reason to use samba from backports with bookworm? Is there a known problem with the samba version packaged with bookworm? (besides that it is not always the newest version...)

>> > I don't think you can do that unless you stop samba in the old
>> > server. Worth trying.
>>
>> I'll test when the old server is unused. At the working hours this is
>> not possible.

Tried it today.
Stopped samba service on the old server. Now the new fileserver can be joined without the errors about failed DNS updates because it chooses one of the newer DCs for its DNS update. Fine :)

>> > Review your member server config, just in case you're missing
>> > something:
>>
>> The config at time of the Join is very basic:
>> [global]
>> ### Basic configuration ###
>> security = ADS
>> workgroup = ADVITT
>> realm = ADVITT.SITE
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> idmap config * : backend = autorid
>> idmap config * : range = 10000-9999999
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>
> Using the 'autorid' idmap backend is quite okay, but it has a
> limitation, you cannot set 'winbind use default domain = yes' in your
> smb.conf and then just use '$USERNAME' to logon, instead of
> '$DOMAIN\$USERNAME'.
> There are quite a few extra lines I would add, 'winbind refresh tickets
> = yes' for one.

Thank you for your input, I'll read the docs regarding those options :)

>> Time Synchronization is pulled via NTP from the AD-DC Servers.
>> Name resolution is set to the three AD-DC servers and Name resolution
>> tests are OK.
>
> When you move to Bookworm, use Chrony instead, ntpsec has replaced ntp
> and ntpsec isn't working with Samba at the present.

With "pulled via NTP" I referred to NTP as a network protocol, not the daemon with that name. Actually I'm using chrony on the DCs right now and systemd-timesyncd on the new File server (Member server) which should be fine I guess.

> How is /etc/hosts set up ?
> If you run 'hostname -f' in a terminal, does it return the computer's
> FQDN ?

Yes, it does.
The hosts file is straightforward:

root@fs1:~# cat /etc/hosts
127.0.0.1 localhost
192.168.3.246 fs1.advitt.site fs1

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Thank you all on this list for helping me.
Stopping the old samba server was the easiest solution to join the new member. After being successful I restarted the old samba server. Now I can migrate file- and print-services from the old to the new server and finally shut down the ancient one :)

Cheers
Thomas

--
Bestattungen Vitt oHG
Inhaber Willi & Thomas Reitelbach
Rochusstraße 176
53123 Bonn-Duisdorf
Registergericht: Amtsgericht Bonn, HRA 7958
Facebook: http://www.facebook.de/bestattungenvitt
Gedenkportal: http://begleiten.bestattungen-vitt.de
Internet: http://www.bestattungen-vitt.de
Telefon: 0228 - 62 68 68
Fax: 0228 - 978 30 36
Rowland Penny
2023-Oct-28  10:13 UTC
[Samba] Member join to Active Directory -> DNS-Update fails
On Sat, 28 Oct 2023 11:05:11 +0200
Bestattungen Vitt - Thomas Reitelbach via samba <samba@lists.samba.org> wrote:

> Hello Rowland,
>
> >> >> I guess this is because this specific machine has an old samba
> >> >> version (4.6.4) which lacks the necessary functions.
> >> >>
> >> >> What are my options now?
> >> >> a) update Samba on the old machine to a current version? (not
> >> >> preferred)
> >> > Excellent idea. Try:
> >>
> >> Unfortunately this is complicated. Current samba configure scripts
> >> need python3 which is unavailable for this old server. I would have
> >> to compile python and all its dependencies as well. I'll try not to
> >> do this ;-)
> >> Well, I COULD do this, but this is my last choice...
> >
> > I wouldn't bother, just transfer any FSMO roles to another DC, then
> > demote this old DC and then, if required, create a new one.
>
> This DC is also my main Fileserver as well (I know, bad decision 12
> years ago).
> What will happen to the file service if I demote the DC? If I
> understand the docs I should turn off the server after demoting it,
> which means shutting down file and print services as well. This is not
> possible at the time being because it holds the users' home
> directories, folder redirection share and so on.

That complicates it somewhat. If you were using the 'ad' idmap backend, then that would simplify things: you could have demoted the DC and turned it into a Unix domain member, but as you seem to have been using the DC's standard idmap_ldb, all your users and groups will have IDs in the '3000000' range. I suppose you could use the IDs to set uidNumber & gidNumber attributes in AD, demote the DC and then make it a Unix domain member using the 'ad' idmap backend, but that would be a lot of work for just one machine.

> >> >> b) let the joining Fileserver choose a different AD-Server
> >> >> preferred for DNS-Updates? (how would I do that?? the other AD
> >> >> servers are running on debian 11 with samba 4.17.9) All
> >> >> FSMO-Roles are at the other AD servers.
> >
> > I suggest you upgrade Bullseye to Bookworm and then use Samba from
> > backports.
>
> Upgrade to Bookworm is planned. But what's the exact reason to use
> samba from backports with bookworm? Is there a known problem with the
> samba version packaged with bookworm? (besides that it is not always
> the newest version...)

Mainly just to get the latest possible version of Samba (newer is always better, things get fixed and added).

> >> > I don't think you can do that unless you stop samba in the old
> >> > server. Worth trying.
> >>
> >> I'll test when the old server is unused. At the working hours this
> >> is not possible.
>
> Tried it today.
> Stopped samba service on the old server. Now the new fileserver can
> be joined without the errors about failed DNS updates because it
> chooses one of the newer DCs for its DNS update. Fine :)

Glad to hear that :-)

> >> > Review your member server config, just in case you're missing
> >> > something:
> >>
> >> The config at time of the Join is very basic:
> >> [global]
> >> ### Basic configuration ###
> >> security = ADS
> >> workgroup = ADVITT
> >> realm = ADVITT.SITE
> >>
> >> log file = /var/log/samba/%m.log
> >> log level = 1
> >>
> >> idmap config * : backend = autorid
> >> idmap config * : range = 10000-9999999
> >>
> >> vfs objects = acl_xattr
> >> map acl inherit = yes
> >
> > Using the 'autorid' idmap backend is quite okay, but it has a
> > limitation, you cannot set 'winbind use default domain = yes' in
> > your smb.conf and then just use '$USERNAME' to logon, instead of
> > '$DOMAIN\$USERNAME'.
> > There are quite a few extra lines I would add, 'winbind refresh
> > tickets = yes' for one.
>
> Thank you for your input, I'll read the docs regarding those options
> :)
>
> >> Time Synchronization is pulled via NTP from the AD-DC Servers.
> >> Name resolution is set to the three AD-DC servers and Name
> >> resolution tests are OK.
> >
> > When you move to Bookworm, use Chrony instead, ntpsec has replaced
> > ntp and ntpsec isn't working with Samba at the present.
>
> With "pulled via NTP" I referred to NTP as a network protocol, not
> the daemon with that name. Actually I'm using chrony on the DCs right
> now and systemd-timesyncd on the new File server (Member server)
> which should be fine I guess.

Best to say what you mean in plain English, I took it as you were running NTP.

> > How is /etc/hosts set up ?
> > If you run 'hostname -f' in a terminal, does it return the computer's
> > FQDN ?
>
> Yes, it does.
> The hosts file is straightforward:
> root@fs1:~# cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.3.246 fs1.advitt.site fs1
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

I have seen them where the IP address only points to the short hostname; that can be one cause of the problem you were having.

> Thank you all on this list for helping me.
> Stopping the old samba server was the easiest solution to join the
> new member. After being successful I restarted the old samba server.
> Now I can migrate file- and print-services from the old to the new
> server and finally shut down the ancient one :)
>
> Cheers
> Thomas

Can I suggest that you try to keep more up to date? Samba is a rapidly changing program, things get added with every major update.

Rowland
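Two of the things checked in this thread, the /etc/hosts layout behind 'hostname -f' and the member server's [global] section, can be verified offline before running the join. The script below is an added example written for this page, not code from the thread or from the Samba project. It assumes only POSIX sh and awk; the sample hosts and smb.conf texts are constructed here (the "good" ones mirror the fs1 layout and config posted above), and the autorid / 'winbind use default domain' rule is Rowland's statement from the thread encoded as a check, not something the script verifies against Samba itself.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for a Samba AD
# domain member before 'net ads join'. Both checks read their input from
# stdin, so they run on the real files (cat /etc/hosts | check_hosts_entry ...)
# or on the constructed samples below without Samba installed.

# 'hostname -f' resolves the host name via /etc/hosts and reports the FIRST
# name on the matching line as canonical, so the FQDN has to come first and
# the short name after it. Returns 0 if that holds, 1 if the address maps
# to the short name only or short name first (the layout Rowland mentions
# as a cause of join problems), 2 if there is no entry at all.
check_hosts_entry() {
    awk -v fqdn="$1" -v short="$2" '
        /^[ \t]*#/ || NF == 0 { next }             # comments and blank lines
        $1 == "127.0.0.1" || $1 == "::1" { next }  # loopback lines
        {
            for (i = 2; i <= NF; i++)
                if ($i == fqdn || $i == short) { found = 1; first = $2 }
        }
        END {
            if (!found) exit 2
            if (first == fqdn) exit 0
            exit 1
        }'
}

# Parse the [global] section of an smb.conf from stdin and report what a
# domain member needs (security, realm, workgroup, an idmap backend and
# range for the default '*' domain). Prints one line per problem and
# returns the number of problems, so 0 means clean.
check_member_smbconf() {
    awk '
        function trim(s) { gsub(/^[ \t]+/, "", s); gsub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[;#]/ { next }                          # comment lines
        /^[ \t]*\[/ { sect = tolower(trim($0)); next }  # section header
        sect == "[global]" && index($0, "=") {
            eq = index($0, "=")
            k = tolower(trim(substr($0, 1, eq - 1)))
            gsub(/[ \t]+/, " ", k)                      # normalise spacing in keys
            cfg[k] = trim(substr($0, eq + 1))
        }
        END {
            n = 0
            if (tolower(cfg["security"]) != "ads") { print "security must be ADS"; n++ }
            if (cfg["realm"] == "") { print "realm is not set"; n++ }
            else if (cfg["realm"] != toupper(cfg["realm"])) { print "realm should be upper case"; n++ }
            if (cfg["workgroup"] == "") { print "workgroup is not set"; n++ }
            be = tolower(cfg["idmap config * : backend"])
            if (be == "") { print "no idmap backend configured for the default domain (*)"; n++ }
            if (cfg["idmap config * : range"] == "") { print "idmap config * : range is not set"; n++ }
            # Caveat stated by Rowland in the thread, encoded as a rule.
            if (be == "autorid" && tolower(cfg["winbind use default domain"]) == "yes") {
                print "autorid cannot be combined with winbind use default domain = yes"; n++
            }
            exit n
        }'
}

# Constructed sample inputs. HOSTS_GOOD and SMB_CONF_THREAD mirror what was
# posted for fs1; the others show the mistakes the checks are meant to catch.
HOSTS_GOOD='127.0.0.1 localhost
192.168.3.246 fs1.advitt.site fs1
::1 localhost ip6-localhost ip6-loopback'

HOSTS_SHORT_ONLY='127.0.0.1 localhost
192.168.3.246 fs1'

SMB_CONF_THREAD='[global]
security = ADS
workgroup = ADVITT
realm = ADVITT.SITE
idmap config * : backend = autorid
idmap config * : range = 10000-9999999
vfs objects = acl_xattr
map acl inherit = yes'

SMB_CONF_BAD='[global]
security = ADS
workgroup = ADVITT
realm = advitt.site
idmap config * : backend = autorid
winbind use default domain = yes'

# Demo on the samples; the exit code of each check carries the verdict.
printf '%s\n' "$HOSTS_GOOD" | check_hosts_entry fs1.advitt.site fs1 \
    && echo "HOSTS_GOOD: FQDN listed first, hostname -f will return it"
printf '%s\n' "$HOSTS_SHORT_ONLY" | check_hosts_entry fs1.advitt.site fs1 \
    || echo "HOSTS_SHORT_ONLY: problem, rc=$?"
printf '%s\n' "$SMB_CONF_THREAD" | check_member_smbconf \
    && echo "SMB_CONF_THREAD: no problems found"
printf '%s\n' "$SMB_CONF_BAD" | check_member_smbconf \
    || echo "SMB_CONF_BAD: $? problem(s) listed above"
```

On a real member, run the two functions against the live files (`check_hosts_entry "$(hostname -f)" "$(hostname -s)" < /etc/hosts`, `check_member_smbconf < /etc/samba/smb.conf`) before the join; they only parse text, so they are safe to run on a production box and do not replace Samba's own `testparm`.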