Timo Altun
2015-Mar-20 19:08 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
I did not run that command at all. I did run samba-tool classicupgrade on the DC after setting up ldap with my data. As far as I understand the provisioning of the domain is done during that process. And on the other machines provisioning must not be done, right?

On 20 Mar 2015 19:35, "Rowland Penny" <rowlandpenny at googlemail.com> wrote:

> On 20/03/15 18:28, Timo Altun wrote:
>> Yes, it was/is an NT-4 style PDC with Samba 3.2.5 on lenny. I did a clean install of jessie and installed samba 4.1.17 from jessie repositories. Is there a better way?
>>
>> Strangely the domain join, shares and users did work before on the squeezy member against the Samba4 AD DC with security = domain and no keytab defined, nor created.
>>
>> The only thing that didn't work, was setting the dns record during 'net ads join -Uadministrator'. I'll probably go back to the old, ugly, overloaded smb.conf, so that I have the users working and add the dns entries manually for the other linux machines.
>>
>> Greetings,
>> Timo
>>
>> On 20 March 2015 at 18:11, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>>> On 20/03/15 16:56, Timo Altun wrote:
>>>> On 20 March 2015 at 17:00, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 20/03/15 15:47, Timo Altun wrote:
>>>>>> I'm sorry it got confusing, changed the topic and I'll try to explain. I am using Jessie on the DC. Server13 is a linux file server and domain member, it is on squeeze. If possible, I do not want to upgrade it. The problem here is, that it does not seem to generate a DNS record when joining the domain and, after setting up the new smb.conf, the users aren't passed on from winbind to the local authentication tools. It also caused the single share I set up in the smb.conf to be inaccessible by user administrator. Maybe something with the keytab file is not working.
>>>>>
>>>>> You were confused :-D
>>>>
>>>> And I most definitely still am :)
>>>> In general, am I right, that Kerberos is working as intended, when I am able to get tickets?
>>>> Further, my old smb.conf used security = domain and no keytab...might this be the reason for the winbind users not being transferred?
>>>> Maybe it's also necessary for DNS updates to have that part working.
>>>
>>> Was your old domain server an NT-4 style PDC ? you didn't use kerberos with this type of server. Now that you are using a Samba4 AD DC, you have to use 'security = ADS' and keytabs, the main keytab (usually /etc/krb5.keytab) is created for you when you run 'net ads join -U Administrator', the join should create the dns record for the client but sometimes it doesn't. This is not a problem, you just have to create them manually on the DC with 'samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>'. See 'samba-tool dns add --help' for more info.
>>>
>>> Having said all that, one thing that I don't think has been raised yet, how did you install samba on the DC ?
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>
> OK, have you run this command (on any of your computers):
>
> samba-tool domain provision
>
> and if so which
>
> Rowland
Jhon P
2015-Mar-20 19:11 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
Yes, when I set up samba 4.1 for the first time.

> Date: Fri, 20 Mar 2015 20:08:50 +0100
> From: olol13.samba at the-1337.org
> To: rowlandpenny at googlemail.com
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
>
> I did not run that command at all. I did run samba-tool classicupgrade on the DC after setting up ldap with my data. As far as I understand the provisioning of the domain is done during that process. And on the other machines provisioning must not be done, right?
>
> On 20 Mar 2015 19:35, "Rowland Penny" <rowlandpenny at googlemail.com> wrote:
>
>> On 20/03/15 18:28, Timo Altun wrote:
>>> Yes, it was/is an NT-4 style PDC with Samba 3.2.5 on lenny. I did a clean install of jessie and installed samba 4.1.17 from jessie repositories. Is there a better way?
>>
>> OK, have you run this command (on any of your computers):
>>
>> samba-tool domain provision
>>
>> and if so which
>>
>> Rowland
Rowland Penny
2015-Mar-20 19:24 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
On 20/03/15 19:08, Timo Altun wrote:
> I did not run that command at all. I did run samba-tool classicupgrade on the DC after setting up ldap with my data. As far as I understand the provisioning of the domain is done during that process. And on the other machines provisioning must not be done, right?

Sorry about this, but I am losing the plot here :-)

So, you upgraded from a NT-4 style domain to a Samba 4 AD DC with classicupgrade, this AD DC is running on a Debian Jessie machine ?

I take it (hope would probably be a better word) that you are doing this in a test situation ?

You have set up a test Unix client using the smb.conf from the member server page on the wiki, what version of samba is this running ?

Your users have uidNumbers inside the range set in smb.conf ?

The Domain Users group (at least) has a gidNumber inside the range set in smb.conf ?

Your test Unix client is pointing to the AD DC for dns ?

Answer the above and we will go from there :-)

Rowland
Timo Altun
2015-Mar-23 08:02 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
Hello Samba Crowd,

finally had some more time to work on the problem today. I set up the Wheezy VM, installed Samba, Winbind, Krb5-user and did the domain join. With the configs from the wiki <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server> I could join the domain and retrieve the users, they are shown with getent passwd. Problem is, the DNS update still does not work with Samba 3.6.6. and the windows users can't access the shares (password dialog is shown, but credentials do not work). The DNS failure I get on the wheezy VM says a bit more than on the squeeze with Samba 3.5.6.:

net ads join -Uadministrator
Enter administrator's password:
Using short domain name -- MAYWEG.NET
Joined 'WHEEZYTEST' to realm 'intranet.mayweg.net'
DNS Update for wheezytest.intranet.mayweg.net failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!

I also can't logon onto the wheezy machine with domain users...says authentication error for administrator and "Could not update ICEAuthority file /home/[user]/.ICEauthority", but that might be gnome related. As the DNS issue doesn't seem to be caused by the older Samba version, I'll continue trying to make it work on the Squeeze with 3.5.6..

The old smb.conf on that machine, where I had everything working but the DNS updates, did not use a keytab and security = ADS. It used security = domain. Is there any disadvantage to that?

I did not know, that once the clients see the AD DC, that there's no going back. Once I test it in the live environment, I'll expose it to a small portion of the network first then.

Greetings,
Timo

On 20 March 2015 at 22:05, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 20/03/15 20:53, Timo Altun wrote:
>> On 20 March 2015 at 20:24, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 20/03/15 19:08, Timo Altun wrote:
>>>> I did not run that command at all. I did run samba-tool classicupgrade on the DC after setting up ldap with my data. As far as I understand the provisioning of the domain is done during that process. And on the other machines provisioning must not be done, right?
>>>
>>> Sorry about this, but I am losing the plot here :-)
>>
>> You did not lose the plot at all :)
>>
>>> So, you upgraded from a NT-4 style domain to a Samba 4 AD DC with classicupgrade, this AD DC is running on a Debian Jessie machine ?
>>
>> Yes. Tried dist-upgrading the old DC (Debian Lenny) first, but at some point did a clean install of Debian Jessie instead. Installed the newest ldap from jessie sources and imported the data from the old DC. Then installed Samba4, BIND9 and did the classicupgrade. I shutdown ldap, as Samba4 has its own backend, as described in the nice howto for the classicupgrade.
>
> OK
>
>>> I take it (hope would probably be a better word) that you are doing this in a test situation ?
>>
>> Of course :) They are all virtual machines running in their own subnet right now. The Debian Jessie AD DC, a Debian Squeeze File Server running Samba 3.5.6., a WinXP Client and a Win7 Client with RSAT tools for DNS/AD Administration testing. This should represent the bulk of the machines on the actual network.
>
> Thank goodness for that, you do know that once your main clients do see the AD DC, there is no going back!
>
> Can you setup a VM with wheezy and then set up samba (this should get you 3.6.6) and try this, hopefully this should work and you may be able to work out why your squeeze machine isn't (my money is on 3.5.6)
>
>>> You have set up a test Unix client using the smb.conf from the member server page on the wiki, what version of samba is this running ?
>>
>> That would be the Debian Squeeze machine running Samba 3.5.6.
>>
>>> Your users have uidNumbers inside the range set in smb.conf ?
>>
>> Yes, though I did not check every single one.
>
> Good, as long as you have at least one with a uidNumber 'getent passwd' should show it
>
>>> The Domain Users group (at least) has a gidNumber inside the range set in smb.conf ?
>>
>> Yes, that would be gidNumber 20001.
>
> Good
>
>>> Your test Unix client is pointing to the AD DC for dns ?
>>
>> Yes, and only at the AD DC. Nslookup works for the other domain members hostnames. Not for its own hostname btw...I'm guessing because there is no dns record for its name :)
>
> OK, set up the new VM and try it, if you still need help we will pick it up from there tomorrow.
>
> Rowland
>
>>> Answer the above and we will go from there :-)
>>
>> Tried my best :) Again, thanks for this amazing help!
>>
>>> Rowland
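The join output above, and Rowland's earlier advice to create the record by hand with 'samba-tool dns add' when the join does not, as an added example that is not code from the thread: a post-join check for a member server that spots a failed dynamic DNS update in the 'net ads join' output, prints the fallback command for the DC, and warns when smb.conf is still on 'security = domain'. The DC name 'dc1', the IP 192.0.2.10 and the smb.conf fragment are constructed for the example.

```shell
# Added example, not code from the thread. Run on a member server after
# 'net ads join': it detects a failed dynamic DNS update in the join output,
# prints the manual fallback from the thread ('samba-tool dns add' on the DC)
# and warns if smb.conf still says 'security = domain' instead of 'ADS'.
# The DC hostname, zone and IP are passed in; all values below are constructed.
# Join output, constructed from the lines quoted in the thread.
JOIN_OUTPUT="Using short domain name -- MAYWEG.NET
Joined 'WHEEZYTEST' to realm 'intranet.mayweg.net'
DNS Update for wheezytest.intranet.mayweg.net failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!"
# Constructed smb.conf fragment of the old member setup described in the thread.
OLD_SMBCONF="[global]
   workgroup = MAYWEG
   security = domain"

# Print the FQDN named in a 'DNS Update for <fqdn> failed:' line, or nothing.
failed_dns_fqdn() {
    printf '%s\n' "$1" | sed -n 's/^DNS Update for \([^ ]*\) failed:.*/\1/p'
}

# Build the fallback command for the DC, using the syntax given in the thread:
# samba-tool dns add <server> <zone> <name> <type> <data>. The record name is
# the FQDN with the zone suffix stripped.
dns_add_command() {
    fqdn=$1; zone=$2; ip=$3; dc=$4
    host=${fqdn%".$zone"}
    printf 'samba-tool dns add %s %s %s A %s -U administrator\n' "$dc" "$zone" "$host" "$ip"
}

# Print the 'security' value of an smb.conf text, lower-cased ('ads', 'domain').
smbconf_security() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*security[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Returns 0 when the join updated DNS, 1 when a record must be added by hand.
# Confirm the IP really is this host's before running the printed command: a
# wrong A record in the AD zone sends Kerberos and SMB clients to the wrong box.
post_join_check() {
    out=$1; zone=$2; ip=$3; dc=$4; conf=$5
    [ "$(smbconf_security "$conf")" = ads ] || echo "warning: smb.conf is not 'security = ADS'"
    fqdn=$(failed_dns_fqdn "$out")
    if [ -z "$fqdn" ]; then echo "DNS update succeeded; nothing to do"; return 0; fi
    echo "DNS update for $fqdn failed; run this on the DC as a domain admin:"
    dns_add_command "$fqdn" "$zone" "$ip" "$dc"
    return 1
}

# Stand-alone demo with the constructed values (192.0.2.10 is a documentation IP).
if post_join_check "$JOIN_OUTPUT" intranet.mayweg.net 192.0.2.10 dc1 "$OLD_SMBCONF"; then :; fi
```

On a real member, feed it the captured join output (for example from 'net ads join -U administrator 2>&1 | tee join.log') and verify the added record afterwards with a lookup against the DC.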
Rowland Penny
2015-Mar-23 09:40 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
On 23/03/15 08:02, Timo Altun wrote:
> Hello Samba Crowd,
>
> finally had some more time to work on the problem today. I set up the Wheezy VM, installed Samba, Winbind, Krb5-user and did the domain join. With the configs from the wiki <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server> I could join the domain and retrieve the users, they are shown with getent passwd. Problem is, the DNS update still does not work with Samba 3.6.6. and the windows users can't access the shares (password dialog is shown, but credentials do not work). The DNS failure I get on the wheezy VM says a bit more than on the squeeze with Samba 3.5.6.:
>
> net ads join -Uadministrator
> Enter administrator's password:
> Using short domain name -- MAYWEG.NET
> Joined 'WHEEZYTEST' to realm 'intranet.mayweg.net'
> DNS Update for wheezytest.intranet.mayweg.net failed: ERROR_DNS_INVALID_MESSAGE
> DNS update failed!

I take it that your clients are getting their IP address via DHCP, what you could try is to run Bind9 on the DC along with DHCP.

As for the shares problem, this is probably a permissions problem, have a look here:

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

> I also can't logon onto the wheezy machine with domain users...says authentication error for administrator and "Could not update ICEAuthority file /home/[user]/.ICEauthority", but that might be gnome related. As the DNS issue doesn't seem to be caused by the older Samba version, I'll continue trying to make it work on the Squeeze with 3.5.6..
>
> The old smb.conf on that machine, where I had everything working but the DNS updates, did not use a keytab and security = ADS. It used security = domain. Is there any disadvantage to that?

Well, I'm surprised it works, 'security = domain' means that you are connecting to a NT-4 style PDC, 'security = ADS' means that you want to connect to an active directory server via kerberos. For more info see 'man smb.conf'

Rowland

> I did not know, that once the clients see the AD DC, that there's no going back. Once I test it in the live environment, I'll expose it to a small portion of the network first then.