James Browning
2024-Sep-19 13:44 UTC
[Samba] The care and feeding of the signing socket; also NTPsec
TLDW: I have a Samba install, and I can use help getting the signing socket to return a signature with either Chrony or NTPsec; I would appreciate some guidance on what I am doing incorrectly. I partially followed the instructions at [1]; after checking and revising, I saw that adding a line to start signd appeared to have broken everything else. I have attached a list of most of the steps I have taken. After I get my web host back up tomorrow it will be mirrored at https://dell-2018.jamesb192.com/j/

[1] https://fedoramagazine.org/samba-as-ad-and-domain-controller/

-------------- next part --------------
# dnf install samba samba-dc samba-client krb5-workstation
# hostnamectl hostname bourbon2.jamesb192.com
# firewall-cmd --permanent --add-service samba-dc
# firewall-cmd --reload
# rm -iv /etc/samba/smb.conf
# mkdir -pv /etc/systemd/resolved.conf.d
$ ip addr
# nano /etc/systemd/resolved.conf.d/custom.conf
# systemctl restart systemd-resolved
# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=JAMESB192.COM --domain=JAMESB192
# nano /etc/samba/smb.conf
# cp /var/lib/samba/private/krb5.conf /etc/krb5.conf.d/samba-dc
# systemctl enable samba --now
# groupadd machines
# useradd -g machines -d /var/lib/nobody -s /bin/false -c "local machine" bourbon2$
# useradd -g machines -d /var/lib/nobody -s /bin/false -c "Dell 2018" dell-2018$
# smbpasswd -a -m bourbon2
# smbpasswd -a -m dell-2018
# smbpasswd -a -m `whoami`
$ grep 1001 /etc/passwd /etc/group
/etc/passwd:bourbon2$:x:1001:1001:local machine:/var/lib/nobody:/bin/false
/etc/passwd:dell-2018$:x:1002:1001:Dell 2018:/var/lib/nobody:/bin/false
/etc/group:machines:x:1001:
# head -n 99 /etc/samba/smb.conf /etc/systemd/resolved.conf.d/custom.conf /etc/krb5.conf.d/samba-dc
==> /etc/samba/smb.conf <==
# Global parameters
[global]
	dns forwarder = 192.168.42.1
	netbios name = BOURBON2
	realm = JAMESB192.COM
	server role = active directory domain controller
	server services = ntp_signd
	workgroup = JAMESB192
	idmap_ldb:use rfc2307 = yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/jamesb192.com/scripts
	read only = No

==> /etc/systemd/resolved.conf.d/custom.conf <==
[Resolve]
DNSStubListener=no
Domains=jamesb192.com
DNS=192.168.42.78

==> /etc/krb5.conf.d/samba-dc <==
[libdefaults]
	default_realm = JAMESB192.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
	JAMESB192.COM = {
		default_domain = jamesb192.com
	}

[domain_realm]
	bourbon2 = JAMESB192.COM

==> /etc/chrony.conf <==
pool 2.fedora.pool.ntp.org iburst
sourcedir /run/chrony-dhcp
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
allow 192.168.42.0/24
allow 127.0.0.1/8
allow ::1
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony
ntpsigndsocket /var/lib/samba/ntp_signd

$ path/to/ntpq -D2 localhost 192.168.42.78
Module/Binary version mismatch
Binary: ntpsec-1.2.3+58-gf873f69c4
Module: ntpsec-1.2.3+57-g5af01fe36-dirty
ntpdig: querying ::1 (localhost)
ntpdig: Sent to ::1:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ea 95 a8 47 54 b1 18 00 ...........GT...
00 00 03 e9 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 ....
ntpdig: querying 127.0.0.1 (localhost)
ntpdig: Sent to 127.0.0.1:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ea 95 a8 4c 56 04 70 00 ...........LV.p.
00 00 03 e9 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 ....
ntpdig: querying 192.168.42.78 (192.168.42.78)
ntpdig: Sent to 192.168.42.78:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ea 95 a8 51 57 79 80 00 ...........QWy..
00 00 03 e9 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 ....
ntpdig: no eligible servers
Rowland Penny
2024-Sep-19 14:23 UTC
[Samba] The care and feeding of the signing socket; also NTPsec
On Thu, 19 Sep 2024 06:44:13 -0700 (PDT) James Browning via samba <samba at lists.samba.org> wrote:

> TLDW: I have a Samba install, and I can use help getting the signing
> socket to return a signature with either Chrony or NTPsec; I would
> appreciate some guidance on what I am doing incorrectly. I partially
> followed the instructions at [1]; after checking and revising, I saw
> that adding a line to start signd appeared to have broken everything
> else. I have attached a list of most of the steps I have taken.
> After I get my web host back up tomorrow it will be mirrored at
> https://dell-2018.jamesb192.com/j/
>
> [1] https://fedoramagazine.org/samba-as-ad-and-domain-controller/

First (I have to point this out, fedora doesn't), the default Samba packages to create an AD domain on fedora use the MIT kdc, this is still classed as experimental, so they shouldn't be used in production.

You seem to have created an AD domain, but then went on to use tools to create users, groups and computers from an NT4-style domain. Why did you not use samba-tool as shown on the fedora page you linked to?

Unless ntpsec has fixed its NTP server (and I haven't heard if they have), it doesn't work with a Samba DC, so I would suggest only using Chrony.

Now we come to the 'biggy': do you know, by having this line in your smb.conf:

server services = ntp_signd

you have turned everything else off? I would remove it and restart Samba.

I would also remove the spurious machines you have added to /etc/passwd; that is not where they live and how you join them.

Rowland
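The "turned everything else off" effect can be checked mechanically. The checker below is an added example, not code from the thread or from the Samba project; it assumes the default "server services" list documented in smb.conf(5) for an AD DC and the documented +/- semantics (a "+name" or "-name" entry edits the default list, while a bare list replaces it), and the sample smb.conf is a constructed copy of the [global] section James posted.

```python
import re
# Assumed default, copied from smb.conf(5) for "server services" on a Samba AD DC.
DEFAULT_SERVER_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                           "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]
# Constructed sample: the [global] section from the post, trimmed to what matters.
POSTED_SMB_CONF = """[global]
    realm = JAMESB192.COM
    server role = active directory domain controller
    server services = ntp_signd
    workgroup = JAMESB192
[sysvol]
    path = /var/lib/samba/sysvol
"""

def parse_global(conf_text):
    """Return [global] as a dict of normalised key -> value (comments stripped)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def effective_server_services(conf_text):
    """'+x' adds to and '-x' removes from the defaults; a bare list replaces them."""
    value = parse_global(conf_text).get("server services")
    if value is None:
        return list(DEFAULT_SERVER_SERVICES)
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    services = list(DEFAULT_SERVER_SERVICES)
    for i, tok in enumerate(tokens):
        if tok[0] == "+" and tok[1:] not in services:
            services.append(tok[1:])
        elif tok[0] == "-":
            services = [s for s in services if s != tok[1:]]
        elif tok[0] != "+" and i == 0:
            return tokens          # plain list: every default not named is gone
        elif tok[0] != "+":
            raise ValueError("bare service name after a +/- modifier: %r" % value)
    return services

def disabled_default_services(conf_text):
    # Non-empty output on an AD DC means kdc/ldap/dns etc. were silently turned off.
    running = set(effective_server_services(conf_text))
    return [s for s in DEFAULT_SERVER_SERVICES if s not in running]
```

Because ntp_signd is already in the default list, the line only needs to go away; a config with no "server services" entry reports nothing disabled.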