Matthias Busch
2015-Mar-12  15:43 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
Hey Peter,

many thanks for your reply.

---
regarding .local domains

I know this is regarded by some as bad form, is actively being discouraged by the samba wiki and can cause problems with bonjour/zerobla configuration.

I can say for certain that no apple devices will ever come anywhere near that network and the other drawbacks of .local like getting signed certs... should never be an issue in this case.

I am hesitant to use .net (the domain I own) in fear of having DNS issues. I do not control the NS for the internet accessible .net domain either.

In the end, unless .local causes problems like software X not working with .local, I should be fine.

---
DNS seems fixed

I was further looking around and studying /var/log/syslog, looking for hints when I saw some signs of slapd taking ports and causing samba to throw errors (can't bind to port).

I removed slapd and rebooted:
- DNS works for internet domains
- host -t SRV _ldap._tcp.my-domain.local --> looking good
- samba_dnsupdate --verbose --> looking good
- smbclient -L localhost -U% --> showing shares

---
Kerberos still on the fritz

kinit administrator@MY-DOMAIN.LOCAL --> kinit: Cannot contact any KDC for realm 'MY-DOMAIN.LOCAL' while getting initial credentials
klist -e --> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

--- /usr/local/samba/etc/smb.conf

# Global parameters
[global]
workgroup = MY-DOMAIN
realm = MY-DOMAIN.LOCAL
netbios name = ADSERVER
server role = active directory domain controller
dns forwarder = 192.168.7.1
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/fam-busch.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

--- /etc/krb5.conf

[libdefaults]
default_realm = MY-DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

--- nsswitch ???

What's that? Where? find / -iname "nsswitch" shows 3 directories in my samba4.1.17 source directory.

---

Checking daemon.log now and googling a bit about krb5.

If anything strikes you as odd and/or you have ideas to try, I'll look forward to hearing about it.

Thanks
M.
Rowland Penny
2015-Mar-12  16:23 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
On 12/03/15 15:43, Matthias Busch wrote:
> Hey Peter,
>
> many thanks for your reply.
>
> ---
> regarding .local domains
> I know this is regarded by some as bad form, is actively being
> discouraged by the samba wiki and can cause problems with
> bonjour/zerobla configuration.
>
> I can say for certain that no apple devices will ever come anywhere
> near that network and the other drawbacks of .local like getting
> signed certs... should never be an issue in this case.
>
> I am hesitant to use .net (the domain I own) in fear of having DNS
> issues. I do not control the NS for the internet accessible .net domain
> either.
>
> In the end, unless .local causes problems like software X not
> working with .local, I should be fine.
>
> ---
>
> DNS seems fixed
>
> I was further looking around and studying /var/log/syslog, looking for
> hints when I saw some signs of slapd taking ports and causing
> samba to throw errors (can't bind to port)
>
> I removed slapd and rebooted:
> - DNS works for internet domains
> - host -t SRV _ldap._tcp.my-domain.local --> looking good
> - samba_dnsupdate --verbose --> looking good
> - smbclient -L localhost -U% --> showing shares
>
> ---
>
> Kerberos still on the fritz
>
> kinit administrator@MY-DOMAIN.LOCAL --> kinit: Cannot contact any KDC
> for realm 'MY-DOMAIN.LOCAL' while getting initial credentials
> klist -e --> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_0)
>
> --- /usr/local/samba/etc/smb.conf
>
> # Global parameters
> [global]
> workgroup = MY-DOMAIN
> realm = MY-DOMAIN.LOCAL
> netbios name = ADSERVER
> server role = active directory domain controller
> dns forwarder = 192.168.7.1
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/fam-busch.local/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
> --- /etc/krb5.conf
>
> [libdefaults]
> default_realm = MY-DOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
> --- nsswitch ???
>
> What's that? Where? find / -iname "nsswitch" shows 3 directories in my
> samba4.1.17 source directory
>
> ---
>
> Checking daemon.log now and googling a bit about krb5.
>
> If anything strikes you as odd and/or you have ideas to try, I'll look
> forward to hearing about it.
>
> Thanks
> M.

Hi, please don't use .local, you say that no apple devices will come near, but what about an iphone? And what about avahi?

When you ran configure, you might as well just run it like this:

./configure

All the rest are defaults and you do not really need debug.

You only need to alter /etc/nsswitch.conf (yes, that's the one) if you want/need your users to log into the DC.

Rowland
Peter Serbe
2015-Mar-12  16:34 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
Matthias Busch wrote on 12.03.2015 16:43:
> I am hesitant to use .net (the domain I own) in fear of having DNS
> issues. I do not control the NS for the internet accessible .net domain
> either.

At least w.r.t. the Bind backend this fear is not necessary. It is indeed exactly what I do. The AD-DNS is only authoritative for "domain.samdom.com", not for "samdom.com". There is only one little trick necessary if you have a slave nameserver which is tied to your AD-DC server.

# forward lookup
zone "domain.samdom.com" {
    type slave;
    masters { 192.168.1.1; 192.168.1.2; };
    file "/etc/bind/namedb/bak.domain.samdom.com";
    forwarders{};
};

# reverse lookup
zone "1.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.1.1; 192.168.1.2; };
    file "/etc/bind/namedb/bak.192.168.1";
    forwarders{};
};

Note the line "forwarders{}", which will ensure that the local DNS server doesn't ask the public DNS, which is authoritative for the public "samdom.com". You would otherwise get the IP of "samdom.com" when looking up a local host.

But I agree that this is a bit of perfectionism. One can do things simpler. On the other hand: one of my two DCs was down for a week (the one 70km away in the "weekend" apartment), but the whole network worked flawlessly. These ARM-based appliances are definitely less reliable than ordinary PC H/W. I use slave DNS servers on my file servers, which keep at least DNS working whatever the Raspi or the Cubieboard do (better: don't do...).
Peter Serbe
2015-Mar-12  16:37 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
Rowland Penny wrote on 12.03.2015 17:23:
> All the rest are defaults and you do not really need debug.

Hm. It doesn't work at the moment. So he might be forced to debug. :-(
Matthias Busch
2015-Mar-12  21:08 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
> Hi, please don't use .local, you say that no apple devices will come
> near, but what about an iphone? And what about avahi?
> When you ran configure, you might as well just run it like this: ./configure
> All the rest are defaults and you do not really need debug.
> You only need to alter /etc/nsswitch.conf (yes, that's the one) if you
> want/need your users to log into the DC.
> Rowland

Peter convinced me to not use .local from now on. But the .local should not be able to cause my problems?

And yeah, for now this is for testing/learning purposes. If it works (good/reliable enough) I plan to use it for my home network, maybe add radius for wifi.

And I can guarantee that no apple devices are coming near that network. And if some guest would bring one, he can survive without bonjour and zeroconf.

Avahi is running, I've seen that. Wouldn't miss it if it were gone either.

When configuring, I did not know which were the default switches, and since I had trouble in the first place I enabled debug.

My nsswitch.conf I posted down below. I have no clue how to interpret the content...

---
> At least w.r.t. the Bind backend this fear is not necessary. It is indeed
> exactly what I do. The AD-DNS is only authoritative for "domain.samdom.com",
> not for "samdom.com". There is only one little trick necessary if you have
> a slave nameserver which is tied to your AD-DC server.
> Note the line "forwarders{}", which will ensure that the local DNS server
> doesn't ask the public DNS, which is authoritative for the public
> "samdom.com". You would otherwise get the IP of "samdom.com" when looking up
> a local host.
> But I agree that this is a bit of perfectionism. One can do things simpler.
> On the other hand: one of my two DCs was down for a week (the one 70km away
> in the "weekend" apartment), but the whole network worked flawlessly. These
> ARM-based appliances are definitely less reliable than ordinary PC H/W. I
> use slave DNS servers on my file servers, which keep at least DNS working
> whatever the Raspi or the Cubieboard do (better: don't do...).

As I said before, I would like to stay clear of bind if I can. At least for now. It adds one more level to configure, administer and troubleshoot.

I think adding components like a 2nd DC or a slave NS or a second DHCP* for redundancy may be a great idea later, when the system is in production and does not perform as reliably as expected. In the meantime, clients still work without the DC, static IPs or router DHCP can push corrected IP/DNS settings, and radius can be configured to use fallback user/pass if AD goes down...

*DHCP: Still haven't decided if I should change router DHCP to push out AD DNS and domain name or disable router DHCP and get my own DHCP going - including dynamic DNS updates...

---
Kerberos still isn't working and I don't know enough about Kerberos yet to really troubleshoot or see problems in logs...

After further googling I think I may have been in the wrong when I copied the samba supplied krb5.conf over the one in /etc. So I restored the one in /etc and added the samba one... The change(s) in the krb5.conf did not help...

--- this is my /etc/krb5.conf

[libdefaults]
default_realm = MY-DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
MY-DOMAIN.LOCAL = {
    kdc = adserver.my-domain.local             <-- tried with adserver
    admin_server = adserver.my-domain.local        and adserver.my-domain.local
}
... lots of .MIT.EDU entries ...

[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA

[login]
krb4_convert = true
krb4_get_tickets = false

--- this is my /etc/nsswitch.conf:

passwd: compat
group: compat
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

---
Matze
Matthias Busch
2015-Mar-12  22:31 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - first good results!
RESULT!

~# kinit administrator@MY-DOMAIN.LOCAL
Password for administrator@MY-DOMAIN.LOCAL:
Warning: Your password will expire in 41 days on Thu Apr 23 16:57:35 2015

!!!!

---
I should have listened to you guys much sooner. I suspect that the .local did indeed have something to do with it, since mDNS was running and may have screwed with DNS resolution for *.local TLDs?

Additionally, I adjusted the /etc/krb5.conf file according to Peter's suggestion. Rowland says I only need the top four lines? Samba generated a krb5.conf file for me with only those 4 lines. The longer one is working now; is there a reason why the shorter one would be better?

---
> Btw, we would like to check the smb.conf, too..

I posted my entire smb.conf this afternoon already.

---
> and yes, you do need winbind adding to the passwd & group lines in
> /etc/nsswitch.conf, but you need more, see the wiki page I posted earlier.

Looking into that next!

---
>> syslog paste...
> There is something going on there, how are you starting samba ?

Via init.d script / on boot. See first post for where I got the script from and how I edited it...

> OH yes you do!
> tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 2239/samba
> udp 0 0 192.168.7.254:88 0.0.0.0:* 2239/samba

Ah, I was looking for krb5 or a similar process name...

---
> ipv6

Well, it's not exactly enabled. No ipv6 in network/interfaces, none in /etc/hosts and I am pretty sure I built without ipv6 support. If need be I could go deeper into raspbian and see if I can forcibly disable ipv6. However, in the not too distant future the possibility to at least run a dual stack should exist. Forcing ipv6 off in the OS would be a step in the wrong direction for that :)

---
Just tested... I was able to add a win7pro to the domain!
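An added checker, not code from the thread or from Samba, that reads the two files discussed above (the /etc/krb5.conf and /etc/nsswitch.conf Matthias posted) and reports how the default realm's KDC will be located and whether the mdns4_minimal [NOTFOUND=return] entry shadows a .local realm, which is the failure mode suspected in the final message. The sample file contents are constructed placeholders modelled on the posted files.

```python
# Constructed sample files modelled on the krb5.conf and nsswitch.conf posted in the thread
# (not the originals; the realm and host names are placeholders).
KRB5_CONF = "[libdefaults]\n default_realm = MY-DOMAIN.LOCAL\n dns_lookup_kdc = true\n"
NSSWITCH_HOSTS = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n"

def _lines(text):
    return [l for l in (raw.split("#", 1)[0].strip() for raw in text.splitlines()) if l]

def parse_krb5(text):
    """Return (libdefaults, realms) from an INI-style krb5.conf; realm blocks map key -> [values]."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for line in _lines(text):
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].strip(" =")          # "MY-DOMAIN.LOCAL = {" -> "MY-DOMAIN.LOCAL"
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key.lower()] = value
            elif realm is not None:
                realms[realm].setdefault(key.lower(), []).append(value)
    return libdefaults, realms

def hosts_tokens(text):
    hosts = [l for l in _lines(text) if l.startswith("hosts:")]
    return hosts[0][len("hosts:"):].split() if hosts else []

def check_kdc_discovery(krb5_text, nsswitch_text):
    """Return finding codes describing how the default realm's KDC will be located."""
    libdefaults, realms = parse_krb5(krb5_text)
    realm = libdefaults.get("default_realm", "")
    tokens, findings = hosts_tokens(nsswitch_text), []
    # nss-mdns claims every *.local name; with [NOTFOUND=return] right after it, a miss never
    # falls through to 'dns', so AD hosts under a .local realm are unresolvable from this host.
    before_dns = tokens[:tokens.index("dns")] if "dns" in tokens else tokens
    shadowed = any(a.startswith("mdns") and b == "[NOTFOUND=return]" for a, b in zip(before_dns, before_dns[1:]))
    if shadowed and realm.lower().endswith(".local"):
        findings.append("mdns-shadows-local-realm")
    if realms.get(realm, {}).get("kdc"):
        findings.append("explicit-kdc")
    elif libdefaults.get("dns_lookup_kdc", "").lower() == "true":
        findings.append("kdc-via-srv")       # needs _kerberos._tcp.<realm> SRV records in the AD DNS
    else:
        findings.append("no-kdc-configured")
    return findings
```

Moving mdns4_minimal behind dns on the hosts line, or using a non-.local realm as the thread recommends, clears the first finding; the second tells you whether kinit depends on the SRV records samba_dnsupdate publishes or on the explicit kdc entry.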