Hai.

I'm trying to add my Samba to a Win 2008R2 domain.

I'm following the howto, but it's not clear.

What I did already:
I did read (and follow)
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
1. Installed Samba and its packages (SerNet Samba is used)
   (apt-get install sernet-samba-ad; extras are installed also)
   samba -V gives: Version 4.0.10-SerNet-Ubuntu-6.precise

kinit and klist output is OK.
klist output:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.LAN
Valid starting     Expires            Service principal
23/10/2013 10:13   23/10/2013 20:13   krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN
        renew until 24/10/2013 10:13
My read-only DNS servers are in /etc/resolv.conf (and these servers have
a copy of my domain, BIND based, and it is OK).
So, I'm following the howto and now at the point "join as a DC".

Here: Since samba4 rc2 the internal DNS server is default. If you want to join
this or a higher version with using BIND as DNS backend, use the following
command:
# samba-tool domain join mydomain.lan DC -Uadministrator --realm=mydomain.lan --dns-backend=BIND9_DLZ
But first, BIND as DNS: setup. Check:
http://wiki.samba.org/index.php/Dns-backend_bind
Using bind9.8, as it states.
During provisioning/upgrading, a file
('/usr/local/samba/private/named.conf') was created, that must be
included in your Bind named.conf:

I have these three files:
/usr/share/samba/setup/named.conf
/usr/share/samba/setup/named.conf.dlz
/usr/share/samba/setup/named.conf.update
When I look in /usr/share/samba/setup/named.conf (I see variables not
filled in, and that's correct, since no provisioning has been done yet):

# This file should be included in your main BIND configuration file
#
# For example with
# include "${NAMED_CONF}";

zone "${DNSDOMAIN}." IN {
        type master;
        file "${ZONE_FILE}";
        /*
         * the list of principals and what they can change is created
         * dynamically by Samba, based on the membership of the domain controllers
         * group. The provision just creates this file as an empty file.
         */
        include "${NAMED_CONF_UPDATE}";

        /* we need to use check-names ignore so _msdcs A records can be created */
        check-names ignore;
};
BUT WAIT!
The howto says...
During provisioning/upgrading, a file
('/usr/local/samba/private/named.conf') was created, that must be
included in your Bind named.conf:
Still no provisioning done; I'm in a loop of howtos....
Any suggestions?

So, I'm at the point http://wiki.samba.org/index.php/Dns-backend_bind
Configuring Bind as Samba Active Directory backend
include "/usr/local/samba/private/named.conf"; (I know this file is
located after provisioning in /var/lib/samba/private for SerNet Samba.)
And I need some help; following the howtos is not helping me. :-((
This is the error I get.
root@ms249-lin-007:/etc# samba-tool domain join mydomain.lan DC -Uadministrator --realm=mydomain.lan --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mydomain.lan'
Found DC MS249-DB-001.mydomain.lan
Password for [WORKGROUP\administrator]:
workgroup is MYDOMAIN
realm is mydomain.lan
checking sAMAccountName
Adding CN=MS249-LIN-007,OU=Domain Controllers,DC=mydomain,DC=lan
Adding CN=MS249-LIN-007,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Adding CN=NTDS Settings,CN=MS249-LIN-007,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Adding SPNs to CN=MS249-LIN-007,OU=Domain Controllers,DC=mydomain,DC=lan
Setting account password for MS249-LIN-007$
Enabling account
Adding DNS account CN=dns-MS249-LIN-007,CN=Users,DC=mydomain,DC=lan with dns/ SPN
Join failed - cleaning up
checking sAMAccountName
Deleted CN=MS249-LIN-007,OU=Domain Controllers,DC=mydomain,DC=lan
Deleted CN=NTDS Settings,CN=MS249-LIN-007,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Deleted CN=MS249-LIN-007,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1169, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1072, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 616, in join_add_objects
    ctx.samdb.add(msg)
Someone any suggestions?

Thanks,
Louis
Applied the patch: https://attachments.samba.org/attachment.cgi?id=9210
And works fine!
Thanks!
Jacó Ramos

--
"Man was not created to be happy or to win, but to live for God. When he lives for God he is happy and he wins." Isaltino Gomes
$whoami
* Computer forensics expert
* Pentester
* Specialist in computer network security with emphasis on computer forensics - FACID
* Bachelor of Computer Science - UESPI
* Computer network administrator
* CCNA Module II
* Lattes: http://lattes.cnpq.br/1591329268136905
You are the man!!!

Thank you. It seems the SerNet Samba version (4.0.10-6) didn't have this patch
applied.
I manually changed the entries as mentioned in the patch, and my server is
joined now.
OK, back to the howto, and really thank you.

Louis

From: Jacó Ramos [mailto:j4c0r4m0s at gmail.com]
Sent: Wednesday, 23 October 2013 12:40
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] adding samba to win2008Rd domain as DC
Applied the patch: https://attachments.samba.org/attachment.cgi?id=9210
And works fine!
Thanks!
Jacó Ramos
L.P.H. van Belle
2013-Oct-23 12:18 UTC
[Samba] adding samba to win2008Rd domain as DC ( second question)
OK, the server is joined and looks good, but another question.
I'm reading on the wiki, https://wiki.samba.org/index.php/Dns-backend_bind
Testing/Debugging dynamic DNS updates
samba_dnsupdate --verbose --all-names
I'm getting
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 11 entries
So read on for what I already did.
BIND loads OK; some parts of the log:
Oct 23 13:33:14 ms249-lin-007 named[12524]: Loading 'AD DNS Zone' using driver dlopen
Oct 23 13:33:14 ms249-lin-007 named[12524]: samba_dlz: Processing section "[netlogon]"
Oct 23 13:33:14 ms249-lin-007 named[12524]: samba_dlz: Processing section "[sysvol]"
Last line:
Oct 23 13:33:14 ms249-lin-007 named[12524]: running
So it looks OK to me.
I did the zone test; it is OK.
I included: include "/var/lib/samba/private/named.conf"; and that is
OK, since BIND loads OK.
Checked again manually, and the bind 9.8.0 DLZ is used; that's OK.
I wanted to enable (since it's recommended):
DNS dynamic updates via Kerberos (optional, but recommended)
so I added in named.conf.options
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
..
Checked the owner of that file; it was root, so I changed it:
chown bind:bind /var/lib/samba/private/dns.keytab
ls -al: -rw------- 1 bind bind 937 Oct 23 12:48 /var/lib/samba/private/dns.keytab
And when testing dynamic DNS updates,
samba_dnsupdate --verbose --all-names
(output: a part of the messages)
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.rotterdam.bazuin.nl ms249-lin-007.mydomain.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.mydomain.lan. 900 IN SRV 0 100 3268 ms249-lin-007.mydomain.lan.
I checked the time on both servers.
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 MS249-DB-001.ro .LOCL.           1 u   21   64   77    0.496   -6.743   3.525
Less than 1 sec off.
host -t SRV _ldap._tcp.mydomain.lan.
_ldap._tcp.mydomain.lan has SRV record 0 100 389 ms249-lin-007.mydomain.lan.
_ldap._tcp.mydomain.lan has SRV record 0 100 389 ms249-db-001.mydomain.lan.
host -t SRV _kerberos._udp.mydomain.lan.
_kerberos._udp.mydomain.lan has SRV record 0 100 88 ms249-lin-007.mydomain.lan.
_kerberos._udp.mydomain.lan has SRV record 0 100 88 ms249-db-001.mydomain.lan.
host -t A ms249-db-001.mydomain.lan
ms249-db-001.mydomain.lan has address 192.168.249.225
host -t A ms249-lin-007.mydomain.lan
ms249-lin-007.mydomain.lan has address 192.168.249.227
So does anyone know why I am getting the update error?
What have I missed? Or are DNS dynamic updates via Kerberos not needed in my
case?
When I'm ready I want to transfer the FSMO roles, but the Windows server stays DNS+DHCP.
Anyone have some other tips on where to look?
Louis
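The message above checks the prerequisites for Kerberos (GSS-TSIG) dynamic updates one by one: the owner and mode of dns.keytab, the tkey-gssapi-keytab option, the include of Samba's generated named.conf, and the NTP offset. The script below gathers those checks into one POSIX sh pre-flight run, so that a DC operator can confirm the whole set before re-running samba_dnsupdate. It is an added example for this thread, not Samba or SerNet code. The keytab and named.conf paths are the SerNet ones from the message; /etc/bind/named.conf.options and /etc/bind/named.conf.local are assumed Debian/Ubuntu defaults and can be overridden through the environment, and the 300 s limit is the usual Kerberos clock-skew tolerance.

```shell
#!/bin/sh
# Pre-flight checks for Kerberos (GSS-TSIG) dynamic DNS updates against
# BIND with the BIND9_DLZ backend. Added example for this thread, not
# Samba or SerNet code. The named.conf.* locations are assumed
# Debian/Ubuntu defaults; all paths can be overridden from the environment.
KEYTAB=${KEYTAB:-/var/lib/samba/private/dns.keytab}
SAMBA_NAMED_CONF=${SAMBA_NAMED_CONF:-/var/lib/samba/private/named.conf}
NAMED_OPTIONS=${NAMED_OPTIONS:-/etc/bind/named.conf.options}
NAMED_LOCAL=${NAMED_LOCAL:-/etc/bind/named.conf.local}
BIND_USER=${BIND_USER:-bind}
NTPQ_OUTPUT=${NTPQ_OUTPUT:-}   # file with saved "ntpq -p" output; empty = run ntpq
MAX_SKEW_MS=300000             # Kerberos default clock-skew tolerance (5 minutes)

# check_keytab FILE OWNER: named must be able to read the keytab, and
# nobody else should, so the expected mode is -rw------- (0600).
check_keytab() {
    f=$1 want=$2
    [ -f "$f" ] || { echo "FAIL keytab $f missing"; return 1; }
    # Split "ls -ld" output into words: $1 = mode, $3 = owner (portable,
    # unlike the GNU-only "stat -c").
    set -- $(ls -ld "$f")
    case $3 in
        "$want") ;;
        *) echo "FAIL keytab $f owned by $3, expected $want"; return 1 ;;
    esac
    case $1 in
        -rw-------*) ;;    # trailing '+'/'.' (ACL/SELinux markers) are fine
        *) echo "FAIL keytab $f has mode $1, expected -rw-------"; return 1 ;;
    esac
    echo "ok   keytab $f owner and mode"
}

# check_directive FILE DIRECTIVE VALUE: look for an uncommented line of the
# form  DIRECTIVE "VALUE";  e.g. tkey-gssapi-keytab in named.conf.options
# or the include of Samba's generated named.conf in named.conf.local.
check_directive() {
    conf=$1 directive=$2 value=$3
    [ -f "$conf" ] || { echo "FAIL $conf missing"; return 1; }
    if grep -Eq "^[[:space:]]*$directive[[:space:]]+\"$value\"[[:space:]]*;" "$conf"; then
        echo "ok   $conf has $directive \"$value\";"
    else
        echo "FAIL $conf lacks $directive \"$value\";"
        return 1
    fi
}

# ntpq_offset: reads "ntpq -p" output on stdin and prints the offset (ms,
# column 9) of the selected peer ('*'), or of the first peer when none is
# selected yet, as in the thread's output.
ntpq_offset() {
    awk 'NR > 2 && NF >= 10 {
             if ($1 ~ /^\*/) { print $9; found = 1; exit }
             if (!havefirst) { first = $9; havefirst = 1 } }
         END { if (!found && havefirst) print first }'
}

# check_clock_offset OFFSET_MS MAX_MS: Kerberos rejects tickets from a
# client whose clock is too far off, so |offset| must stay below MAX_MS.
check_clock_offset() {
    off=$1 max=$2
    if awk -v o="$off" -v m="$max" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'; then
        echo "ok   NTP offset ${off} ms within ${max} ms"
    else
        echo "FAIL NTP offset ${off} ms exceeds ${max} ms"
        return 1
    fi
}

# run_checks: runs every check and returns the number of failed ones.
run_checks() {
    fails=0
    check_keytab "$KEYTAB" "$BIND_USER" || fails=$((fails + 1))
    check_directive "$NAMED_OPTIONS" tkey-gssapi-keytab "$KEYTAB" || fails=$((fails + 1))
    check_directive "$NAMED_LOCAL" include "$SAMBA_NAMED_CONF" || fails=$((fails + 1))
    if [ -n "$NTPQ_OUTPUT" ]; then off=$(ntpq_offset < "$NTPQ_OUTPUT")
    else off=$(ntpq -p 2>/dev/null | ntpq_offset); fi
    if [ -z "$off" ]; then
        echo "FAIL no NTP peer offset found"; fails=$((fails + 1))
    else
        check_clock_offset "$off" "$MAX_SKEW_MS" || fails=$((fails + 1))
    fi
    echo "$fails check(s) failed"
    return "$fails"
}

if [ "${1:-}" = "--run" ]; then
    run_checks && echo "all good; now try: samba_dnsupdate --verbose --all-names"
    exit $?
fi
```

Run it on the DC as `sh ddns-preflight.sh --run`; every line that starts with FAIL is something named needs before it can verify a GSS-TSIG signed update, and only once all checks pass is the remaining "tsig verify failure" worth chasing elsewhere (the zone's update policy, or the server the update is actually sent to).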