Luis, I had mentioned that I first provisioned a Samba4 DC 10 years ago when migrating from Windows Small Business Server. At that time I did try Zentyal and Debian before Slackware. Back then Debian did not work well. I had to install lots of additional packages and things like Microsoft Update and Remote Desktop just wouldn't work. I spent months trying various things. I started over with Slackware which was, and is, a very basic no-frills Linux distribution. That worked right out of the box, no problems. And, I was able to provision with the BIND9_FLATFILE back end which let me migrate from my existing bind/named config rather painlessly. So, I was pretty happy with Slackware. The only issue then, as now, is that ntpd wasn't built with --enable-ntp-signd, but I was able to build ntpd from sources with that option and everything ran fine for the next 10 years with subsequent kernel and samba updates.

Since then I've simply continued to use Slackware as I'm familiar with it and I don't feel like investing time in converting everything to systemd. Likewise I use Sendmail not Postfix and don't want to mess with seeing how my extensive milters would work (Slackware now ships with Postfix, but I can "blacklist" those updates). Slackware also has an easier way for updating programs, kernels and configs/start scripts than Debian -- at least that used to be true. Bottom line is that I'm familiar with Slackware and it works. I'll leave it to my successor to change distros.

This time, Slackware took no longer to install the Samba DC. Your 20 minute ball-park is probably longer than reality. All that is needed is to run the samba-tool provision and done! I'm sure, just like on Debian. My weeks-long problem was ntpd. I knew about that from my 10-years-ago install of Samba and I thought I had built it this time with --enable-ntp-signd, more than once. But, something obviously messed up, probably user error.
Your suggestion to use tcpdump was what showed me definitively that my ntpd was not doing ntp-signd. I am going to post something to linuxquestions.org (which is where the Slackware distro maintainers look for issues) to advise them to please build ntpd AND chrony with ntp-signd support in the future. There's no reason not to as it doesn't hurt anything to have that enabled.

Thanks for your help.

--Mark

On Sun Feb 11 02:06:52 2024 Luis Peromarta via samba <samba at lists.samba.org> wrote:

> Congratulations. Happy to hear you got it running. Just out of curiosity and apologies if this has been answered before, but why Slack and not Debian when general consensus is Debian is great for Samba? Building a Samba AD on Debian is painless and takes 20m from start to finish. Anyway, glad you sorted it.
>
> LP.
>
> On 11 Feb 2024 at 05:11 +0100, Mark Foley <mfoley at novatec-inc.com>, wrote:
> > YAAAAAAAY! Finally! I have my Windows domain members syncing with the DC!!!
Luis Peromarta
2024-Feb-11 22:12 UTC
[Samba] Joining Windows 10 Domain Member to Samba AD/DC
Anytime. LP

On 11 Feb 2024 at 18:24 +0100, Mark Foley <mfoley at novatec-inc.com>, wrote:
> Thanks for your help
I am using Samba 4.18.9, not in a Windows domain environment. I recently upgraded a Windows computer on the LAN to Windows 11. This is the first time since either the Samba or Windows upgrade I have tried to map a drive which is a Linux Samba share to a Windows 11 computer. The samba share is (was):

  # smbclient -L localhost
  Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        homes           Disk      Home Directory on quadmon

The smb.conf is:

  [global]
     workgroup = WORKGROUP
     server string = QUADMON Samba Server
     security = user
     unix password sync = yes
     kernel oplocks = false
     log file = /var/log/samba.clients
     max log size = 50
     socket options = TCP_NODELAY
     local master = no
     domain master = no
     preferred master = yes
     dns proxy = no

  ;[homes]
  ;   comment = Home Directory on quadmon
  ;   browseable = yes
  ;   writable = yes
  ;   create mask = 0660

  [mfoley]
     comment = Home Directory on quadmon
     path = /home/mfoley
     valid users = mfoley
     browseable = yes
     writable = yes
     create mask = 0660

The Windows host can ping and ssh to the Linux host by hostname quadmon. When trying to map to \\quadmon\homes on Windows I get, "Windows cannot access \\quadmon\homes.". I've also tried using the IP. When I click on the browse button in the 'Map Network Drive' dialog it does not see quadmon. I do have wsdd.py running on Linux which is supposed to facilitate discovery by Windows computers. There are no messages in the Linux /var/log files related to this problem.

As shown, I tried commenting out the [homes] share and replacing it with an explicit share to my home directory [mfoley]. I have [re]set the smbpasswd password for mfoley. None of this is working. I always get the "Windows cannot access ..." message.

Any idea what is going wrong here? Do I need something in PAM? Different settings in /etc/samba/smb.conf? Interestingly, on another LAN, with the Linux host being part of a Windows Active Directory domain, I have no problem mapping drives from Windows.
Certainly many people have this working with Windows 11! Thanks --Mark
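Added example, not from the post or from the Samba project: a small Python parser for an smb.conf like the one quoted above that reports which share names smbd can serve from it (an explicit section, or a per-user home share only when [homes] exists) and which shares are writable without a 'valid users' restriction or allow guest access. The sample config is constructed from the poster's, trimmed to the lines the checks read; the check names are this example's own.

```python
import re

# Constructed sample: the poster's smb.conf, trimmed to the lines these checks read.
SAMPLE_SMB_CONF = """\
[global]
;[homes]
;   browseable = yes
;   writable = yes
[mfoley]
   path = /home/mfoley
   valid users = mfoley
   browseable = yes
   writable = yes
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; ';'/'#' lines are comments and keys are
    lower-cased with whitespace collapsed, which is how smbd compares them."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def resolve_share(sections, name):
    """Explicit [name] wins; otherwise only a [homes] section can serve the name."""
    if name.lower() in sections and name.lower() != "global":
        return "explicit"
    return "homes" if "homes" in sections else None

def audit_shares(sections):
    """Flag writable shares with no 'valid users' (for [homes]: %S) and guest access."""
    findings = {}
    for name, opts in sections.items():
        if name == "global":
            continue
        findings[name] = []
        if opts.get("writable") == "yes" or opts.get("read only") == "no":
            if "valid users" not in opts:
                findings[name].append("writable with no 'valid users' restriction")
        if opts.get("guest ok") == "yes":
            findings[name].append("guest access enabled")
    return findings
```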
I've successfully joined two Linux Domain Members to two different Domains. Now, I'm joining a second Linux host as a Domain Member to a Samba4 (4.18.9) Domain. I'm having some possible issues this time.

Issue #1: Reverse Zone

On the SambaWiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member, under 2.5 Forward Lookup, no problem:

  # host mail
  mail.hprs.local has address 192.168.0.2

2.6 Reverse Lookup is not working:

  # host 192.168.0.2
  Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

This is true for the other Linux domain member as well. I did create the reverse zone when provisioning the DC, and when I get a zonelist on the DC it does show the reverse zone (I think):

  # samba-tool dns zonelist mail
  pszZoneName                 : 0.168.192.in-addr.arpa   <----
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.hprs.local

What's up here and is this a problem?

Issue #2: "DNS Update failed"

When joining the domain member, it joins (I think), but I get "DNS update failed" messages:

  # net ads join -U Administrator
  Using short domain name -- HPRS
  Joined 'WEBSERVER' to dns domain 'hprs.local'
  DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
  DNS update failed: NT_STATUS_UNSUCCESSFUL

I'm hoping this is just because I had added an A record for this host back when I provisioned the domain (and this host was not a domain member). In fact, at the time I added A records for all the non-Domain-Member Linux hosts and other devices (like network printers). I'm hoping this is not a real error, but is basically saying the A record already exists and it can't "update" the DNS. If so, a less scary message would be nice. Please advise.

Issue #3: getent not working

After joining this Domain Member I ran the getent test:

  # getent passwd HPRS\\mark

Nothing came back.

I do get results if I run it on the other Domain Member:

  # getent passwd HPRS\\mark
  HPRS\mark:*:11105:10513:Mark Foley:/home/mark:/bin/bash

winbindd is running and the /etc/nsswitch.conf file has been appropriately modified. The only config difference I know of between this member and the one where getent works is that in /etc/samba/smb.conf I added:

  username map = /var/lib/samba/etc/user.map

and in /var/lib/samba/etc/user.map I have:

  !root = hprs\Administrator
  uid = 0

wbinfo -u and wbinfo -g do work. Any idea why my getent doesn't work?

Thanks --Mark
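A reverse zone appearing in samba-tool dns zonelist output only shows that the zone exists; it says nothing about whether a PTR record for a given host exists inside it. This added Python helper (not from the post or from the Samba project) derives, for an address such as 192.168.0.2, the classful reverse zone and the PTR owner name that a lookup like the one above asks for, and checks the zone name against zonelist output; the sample output is constructed from the post, and <dc> in the suggested follow-up query is a placeholder for the DC's name.

```python
import ipaddress
import re

# Constructed sample, copied from the zonelist output quoted in the post above.
SAMPLE_ZONELIST = """\
  pszZoneName                 : hprs.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  pszDpFqdn                   : DomainDnsZones.hprs.local
  pszZoneName                 : 0.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  pszDpFqdn                   : DomainDnsZones.hprs.local
"""

def reverse_names(ip, prefix_len=24):
    """Return (zone, ptr_owner, label) for an IPv4 address in a classful
    reverse zone: the zone holds the first prefix_len/8 octets reversed, the
    PTR owner name all four, and label is the relative name inside the zone."""
    if prefix_len not in (8, 16, 24):
        raise ValueError("classful in-addr.arpa zones are /8, /16 or /24")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    n = prefix_len // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa"
    label = ".".join(reversed(octets[n:]))
    return zone, f"{label}.{zone}", label

def zones_in(zonelist_text):
    """Zone names from 'samba-tool dns zonelist' output."""
    return set(re.findall(r"^\s*pszZoneName\s*:\s*(\S+)", zonelist_text, re.M))

def check_reverse(ip, zonelist_text, prefix_len=24):
    """Report whether the reverse zone for ip exists on the DC and which name the
    PTR record must have; a present zone says nothing about the record itself."""
    zone, owner, label = reverse_names(ip, prefix_len)
    return {
        "zone": zone,
        "zone_present": zone in zones_in(zonelist_text),
        "ptr_owner": owner,
        # The record lookup to run on the DC if the zone is present (not run here).
        "query": f"samba-tool dns query <dc> {zone} {label} PTR",
    }
```

The NXDOMAIN answer quoted in the post names exactly the ptr_owner this helper derives, so the next thing to inspect is the record inside the listed zone rather than the zone list.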