Timo Altun
2015-Mar-20 18:28 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
Yes, it was/is an NT-4 style PDC with Samba 3.2.5 on lenny. I did a clean install of jessie and installed samba 4.1.17 from jessie repositories. Is there a better way?

Strangely the domain join, shares and users did work before on the squeezy member against the Samba4 AD DC with security = domain and no keytab defined, nor created.

The only thing that didn't work, was setting the dns record during 'net ads join -Uadministrator'. I'll probably go back to the old, ugly, overloaded smb.conf, so that I have the users working and add the dns entries manually for the other linux machines.

Greetings,
Timo

On 20 March 2015 at 18:11, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 20/03/15 16:56, Timo Altun wrote:
>
>> On 20 March 2015 at 17:00, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>>> On 20/03/15 15:47, Timo Altun wrote:
>>>
>>>> I'm sorry it got confusing, changed the topic and I'll try to explain. I am using Jessie on the DC. Server13 is a linux file server and domain member, it is on squeeze. If possible, I do not want to upgrade it. The problem here is, that it does not seem to generate a DNS record when joining the domain and, after setting up the new smb.conf, the users aren't passed on from winbind to the local authentication tools. It also caused the single share I set up in the smb.conf to be inaccessible by user administrator. Maybe something with the keytab file is not working.
>>>
>>> You were confused :-D
>>
>> And I most definitely still am :)
>> In general, am I right, that Kerberos is working as intended, when I am able to get tickets?
>> Further, my old smb.conf used security = domain and no keytab...might this be the reason for the winbind users not being transferred?
>> Maybe it's also necessary for DNS updates to have that part working.
>
> Was your old domain server an NT-4 style PDC? You didn't use kerberos with this type of server. Now that you are using a Samba4 AD DC, you have to use 'security = ADS' and keytabs, the main keytab (usually /etc/krb5.keytab) is created for you when you run 'net ads join -U Administrator', the join should create the dns record for the client but sometimes it doesn't. This is not a problem, you just have to create them manually on the DC with 'samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>'. See 'samba-tool dns add --help' for more info.
>
> Having said all that, one thing that I don't think has been raised yet, how did you install samba on the DC?
>
> Rowland
Rowland Penny
2015-Mar-20 18:35 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
OK, have you run this command (on any of your computers):

samba-tool domain provision

and if so which

Rowland
Timo Altun
2015-Mar-20 19:08 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
I did not run that command at all. I did run samba-tool classicupgrade on the DC after setting up ldap with my data. As far as I understand the provisioning of the domain is done during that process. And on the other machines provisioning must not be done, right?
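Added example, not part of the original thread or of Samba itself: shell functions for the post-join checks discussed above (the member uses 'security = ADS', the keytab written by 'net ads join' exists, the member's A record resolves), printing the 'samba-tool dns add' command from Rowland's reply when the record is missing. The DC name, zone, host name and address are placeholders, and the smb.conf reader is assumed to see a single file with no includes.

```shell
#!/bin/sh
# Added example. DC, zone, host and address values passed in are placeholders.

# Print the effective [global] value of a parameter from one smb.conf file.
# Names are case-insensitive and whitespace in them is ignored; last one wins.
smbconf_global() {  # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sect = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", sect); sub(/[ \t]*\].*$/, "", sect)
            next
        }
        sect == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(key) == norm(want)) found = val
        }
        END { print found }' "$1"
}

# Succeed only if the member is configured with security = ads.
is_ads_member() {  # $1 = smb.conf path
    [ "$(smbconf_global "$1" security | tr 'A-Z' 'a-z')" = "ads" ]
}

# Build the manual record-creation command quoted in the thread (run on the DC).
dns_add_cmd() {  # $1 = DC, $2 = zone, $3 = short host name, $4 = IPv4 address
    printf 'samba-tool dns add %s %s %s A %s\n' "$1" "$2" "$3" "$4"
}

# Report what is still missing on a member after 'net ads join'.
check_member() {  # $1 smb.conf  $2 DC  $3 zone  $4 host  $5 keytab  $6 IPv4
    is_ads_member "$1" || echo "smb.conf: security is not 'ads'"
    [ -s "$5" ] || echo "keytab missing or empty: $5"
    if ! host "$4.$3" "$2" >/dev/null 2>&1; then
        echo "no DNS record for $4.$3; on the DC run:"
        dns_add_cmd "$2" "$3" "$4" "$6"
    fi
}

# Usage (placeholder names):
# check_member /etc/samba/smb.conf dc1.example.lan example.lan server13 /etc/krb5.keytab 192.0.2.13
```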