Hi Rowland, first and foremost thanks for the answer...on a saturday! Since I wrote I got it running! Did a complete purge of packages samba libnss-winbind libpam-winbind krb5-user krb5-config libpam-krb5 and reinstalled. Stopped smbd, nmbd and winbind and joined the domain. Started the services again and winbind could start as well. Thanks! Fyi, the smb.conf on AD (got a bit of a strange naming convention for workgroup/realm, but this way windows machines do not notice the change from NT4 domain to AD): # Global parameters [global] workgroup = MAYWEG.NET realm = INTRANET.MAYWEG.NET netbios name = SERVER06 interfaces = lo, eth0 bind interfaces only = Yes server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate idmap_ldb:use rfc2307 = yes [netlogon] path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No On 11 April 2015 at 14:52, Rowland Penny <rowlandpenny at googlemail.com> wrote:> On 11/04/15 13:01, Timo Altun wrote: > >> Hi guys, >> >> we're testing the domain join of a Debian Wheezy machine to an Samba 4.17 >> AD with BIND9 backend (Debian Jessie). I can join the domain with "net ads >> join" alright, but "wbinfo -u" delivers nothing, cause winbind is not able >> to start. >> >> /etc/init.d/winbind status tells me it is not running. >> >> If I try winbindd -S -F I receive: >> >> initialize_winbindd_cache: clearing cache and re-creating with version >> number 2 >> create_local_token failed: NT_STATUS_NO_SUCH_USER >> >> Is it possibly a rights issue? Some additional information: >> - the machine was on squeezy before and we did a dist-upgrade to wheezy >> - pam-auth-update lists kerberos and windows-nt/active directory >> authentication as possible auth methods. >> - windows machines can join the domain and communicate fine with the ad >> dc. >> Samba Version 3.6.6. >> Following the configs of the domain member to be (wheezy), they worked for >> a fresh wheezy install for the same domain: >> >> >> *smb.conf:* >> [global] >> >> netbios name = WheezyTest >> workgroup = MAYWEG.NET >> security = ADS >> realm = INTRANET.MAYWEG.NET >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> >> idmap config *:backend = tdb >> idmap config *:range = 2000-9999 >> idmap config MAYWEG.NET:backend = ad >> idmap config MAYWEG.NET:schema_mode = rfc2307 >> idmap config MAYWEG.NET:range = 10000-99999 >> >> winbind nss info = rfc2307 >> winbind trusted domains only = no >> winbind use default domain = yes >> winbind enum users = yes >> winbind enum groups = yes >> winbind refresh tickets = Yes >> >> template homedir = /home/%U >> template shell = /bin/bash >> >> *nsswitch.conf:* >> >> passwd: compat winbind >> group: compat winbind >> shadow: compat >> >> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 >> networks: files >> >> protocols: db files >> services: db files >> ethers: db files >> rpc: db files >> >> netgroup: nis >> >> >> *krb5.conf:* >> [libdefaults] >> default_realm = INTRANET.MAYWEG.NET >> dns_lookup_realm = false >> dns_lookup_kdc = true >> >> *hosts:* >> nameserver 192.168.111.90 >> search intranet.mayweg.net >> >> As usual, I'm happy for every pointer or help I can get. Googling mostly >> returned smbd not being able to start with this error, but that's running. >> >> Greetings, >> Timo >> > > You seem to be using the realm name for the workgroup, what is in the > smb.conf on the Samba AD DC ? > > If you are updating to wheezy then you might as well use samba from > backports, this will give you a version that isn't EOL. > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Greetings, Timo Altun!> Fyi, the smb.conf on AD (got a bit of a strange naming convention for > workgroup/realm, but this way windows machines do not notice the change > from NT4 domain to AD):They do notice. And if you try to roll back migration, you'll see that machines that once logged in to AD no longer able to login to old domain. The only part that visible changes is the default suffix, and in default Windows configuration, it is changed automatically once the system joins AD for the first time.> # Global parameters > [global] > workgroup = MAYWEG.NETSaid the above, your configuration only works, because you do not have older systems in your network, that do not understand periods in workgroup names. In all other cases, you could have left the workgroup as it once was.> realm = INTRANET.MAYWEG.NET > netbios name = SERVER06 > interfaces = lo, eth0 > bind interfaces only = Yes > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, > ntp_signd, kcc, dnsupdate > idmap_ldb:use rfc2307 = yes> [netlogon] > path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts > read only = No> [sysvol] > path = /var/lib/samba/sysvol > read only = No-- With best regards, Andrey Repin Saturday, April 11, 2015 18:49:42 Sorry for my terrible english...
Good evening, unfortunately one problem emerged during the change from my testing environment to a small portion of the live environment. The automatic dns updates of the windows clients do not seem to work in the live environment. I changed the AD DC IP from another subnet to 192.168.111.90, without reprovisioning. Everything else seems to work fine though (e.g. domain joins, shares and DNS forwarding, looking up manually added entries). I could also add entries manually with samba-tool dns add, but keeping in mind that it worked in the other subnet I would like to avoid that. My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources. As I don't receive any real error messages (looked in syslog, messages, /var/log/samba/log.smbd) I don't have a clue where the problem is. Maybe somebody has an idea?! The startup seems fine in the log: Apr 11 18:53:42 server06 named[4141]: starting BIND 9.9.5-9-Debian -f -u bind Apr 11 18:53:42 server06 named[4141]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2' Apr 11 18:53:42 server06 named[4141]: ---------------------------------------------------- Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by Internet Systems Consortium, Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Apr 11 18:53:42 server06 named[4141]: corporation. Support and training for BIND 9 are Apr 11 18:53:42 server06 named[4141]: available at https://www.isc.org/support Apr 11 18:53:42 server06 named[4141]: ---------------------------------------------------- Apr 11 18:53:42 server06 named[4141]: adjusted limit on open files from 4096 to 1048576 Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4 worker threads Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners per interface Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets Apr 11 18:53:42 server06 named[4141]: loading configuration from '/etc/bind/named.conf' Apr 11 18:53:42 server06 named[4141]: reading built-in trusted keys from file '/etc/bind/bind.keys' Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4 port range: [1024, 65535] Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6 port range: [1024, 65535] Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo, 127.0.0.1#53 Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface eth0, 192.168.111.90#53 Apr 11 18:53:42 server06 named[4141]: generating session key for dynamic DNS Apr 11 18:53:42 server06 named[4141]: sizing zone task pool based on 5 zones Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone' using driver dlopen Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN DC=intranet,DC=mayweg,DC=net Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting configure Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone '111.168.192.in-addr.arpa' Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone ' intranet.mayweg.net' Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone '_msdcs.intranet.mayweg.net' Apr 11 18:53:42 server06 named[4141]: set up managed keys zone for view _default, file 'managed-keys.bind' [...] Apr 11 18:53:42 server06 named[4141]: command channel listening on 127.0.0.1#953 Apr 11 18:53:42 server06 named[4141]: command channel listening on ::1#953 Apr 11 18:53:42 server06 named[4141]: managed-keys-zone: loaded serial 3 Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN: loaded serial 1 Apr 11 18:53:42 server06 named[4141]: zone 127.in-addr.arpa/IN: loaded serial 1 Apr 11 18:53:42 server06 named[4141]: zone localhost/IN: loaded serial 2 Apr 11 18:53:42 server06 named[4141]: zone 255.in-addr.arpa/IN: loaded serial 1 Apr 11 18:53:42 server06 named[4141]: all zones loaded Apr 11 18:53:42 server06 named[4141]: running The only thing I find a bit strange is "command channel listening on ::1#953" instead of the actual IPv4 address. My smb.conf on the AD DC can be found in the e-mail before. Here is the rest: *krb5.conf:* [libdefaults] default_realm = INTRANET.MAYWEG.NET dns_lookup_realm = false dns_lookup_kdc = true *named.conf:* include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; include "/var/lib/samba/private/named.conf"; *named.conf.default-zones:* // prime the server with knowledge of the root servers zone "." { type hint; file "/etc/bind/db.root"; }; // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912 zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; *named.conf.options:* options { directory "/var/cache/bind"; forwarders { 192.168.111.79; }; dnssec-validation no; auth-nxdomain no; # conform to RFC1035 listen-on { any; }; tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; }; *named.conf.local:* //empty */var/lib/samba/private/named.conf:* dlz "AD DNS Zone" { # For BIND 9.9.x database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so"; }; I also checked the permissions on /etc/krb5.keytab and /var/lib/samba/private/dns.keytab. Both should be accessible by bind and samba. Greetings, Timo On 11 April 2015 at 16:16, Timo Altun <olol13.samba at the-1337.org> wrote:> Hi Rowland, > > first and foremost thanks for the answer...on a saturday! Since I wrote I > got it running! > Did a complete purge of packages samba libnss-winbind libpam-winbind > krb5-user krb5-config libpam-krb5 and reinstalled. > Stopped smbd, nmbd and winbind and joined the domain. Started the services > again and winbind could start as well. > > Thanks! > > > > Fyi, the smb.conf on AD (got a bit of a strange naming convention for > workgroup/realm, but this way windows machines do not notice the change > from NT4 domain to AD): > # Global parameters > [global] > workgroup = MAYWEG.NET > realm = INTRANET.MAYWEG.NET > netbios name = SERVER06 > interfaces = lo, eth0 > bind interfaces only = Yes > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, > ntp_signd, kcc, dnsupdate > idmap_ldb:use rfc2307 = yes > > [netlogon] > path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > On 11 April 2015 at 14:52, Rowland Penny <rowlandpenny at googlemail.com> > wrote: > >> On 11/04/15 13:01, Timo Altun wrote: >> >>> Hi guys, >>> >>> we're testing the domain join of a Debian Wheezy machine to an Samba 4.17 >>> AD with BIND9 backend (Debian Jessie). I can join the domain with "net >>> ads >>> join" alright, but "wbinfo -u" delivers nothing, cause winbind is not >>> able >>> to start. >>> >>> /etc/init.d/winbind status tells me it is not running. >>> >>> If I try winbindd -S -F I receive: >>> >>> initialize_winbindd_cache: clearing cache and re-creating with version >>> number 2 >>> create_local_token failed: NT_STATUS_NO_SUCH_USER >>> >>> Is it possibly a rights issue? Some additional information: >>> - the machine was on squeezy before and we did a dist-upgrade to wheezy >>> - pam-auth-update lists kerberos and windows-nt/active directory >>> authentication as possible auth methods. >>> - windows machines can join the domain and communicate fine with the ad >>> dc. >>> Samba Version 3.6.6. >>> Following the configs of the domain member to be (wheezy), they worked >>> for >>> a fresh wheezy install for the same domain: >>> >>> >>> *smb.conf:* >>> [global] >>> >>> netbios name = WheezyTest >>> workgroup = MAYWEG.NET >>> security = ADS >>> realm = INTRANET.MAYWEG.NET >>> dedicated keytab file = /etc/krb5.keytab >>> kerberos method = secrets and keytab >>> >>> idmap config *:backend = tdb >>> idmap config *:range = 2000-9999 >>> idmap config MAYWEG.NET:backend = ad >>> idmap config MAYWEG.NET:schema_mode = rfc2307 >>> idmap config MAYWEG.NET:range = 10000-99999 >>> >>> winbind nss info = rfc2307 >>> winbind trusted domains only = no >>> winbind use default domain = yes >>> winbind enum users = yes >>> winbind enum groups = yes >>> winbind refresh tickets = Yes >>> >>> template homedir = /home/%U >>> template shell = /bin/bash >>> >>> *nsswitch.conf:* >>> >>> passwd: compat winbind >>> group: compat winbind >>> shadow: compat >>> >>> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 >>> networks: files >>> >>> protocols: db files >>> services: db files >>> ethers: db files >>> rpc: db files >>> >>> netgroup: nis >>> >>> >>> *krb5.conf:* >>> [libdefaults] >>> default_realm = INTRANET.MAYWEG.NET >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >>> >>> *hosts:* >>> nameserver 192.168.111.90 >>> search intranet.mayweg.net >>> >>> As usual, I'm happy for every pointer or help I can get. Googling mostly >>> returned smbd not being able to start with this error, but that's >>> running. >>> >>> Greetings, >>> Timo >>> >> >> You seem to be using the realm name for the workgroup, what is in the >> smb.conf on the Samba AD DC ? >> >> If you are updating to wheezy then you might as well use samba from >> backports, this will give you a version that isn't EOL. >> >> Rowland >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > >
On 11/04/15 18:54, Timo Altun wrote:> Good evening, > > unfortunately one problem emerged during the change from my testing > environment to a small portion of the live environment. > The automatic dns updates of the windows clients do not seem to work > in the live environment. I changed the AD DC IP from another subnet to > 192.168.111.90, without reprovisioning. Everything else seems to work > fine though (e.g. domain joins, shares and DNS forwarding, looking up > manually added entries). I could also add entries manually with > samba-tool dns add, but keeping in mind that it worked in the other > subnet I would like to avoid that. > My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources. > As I don't receive any real error messages (looked in syslog, > messages, /var/log/samba/log.smbd) I don't have a clue where the > problem is. Maybe somebody has an idea?! > > The startup seems fine in the log: > Apr 11 18:53:42 server06 named[4141]: starting BIND 9.9.5-9-Debian -f > -u bind > Apr 11 18:53:42 server06 named[4141]: built with '--prefix=/usr' > '--mandir=/usr/share/man' '--infodir=/usr/share/info' > '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' > '--enable-largefile' '--with-libtool' '--enable-shared' > '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' > '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' > '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing > -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2' > Apr 11 18:53:42 server06 named[4141]: > ---------------------------------------------------- > Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by Internet > Systems Consortium, > Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit > 501(c)(3) public-benefit > Apr 11 18:53:42 server06 named[4141]: corporation. Support and > training for BIND 9 are > Apr 11 18:53:42 server06 named[4141]: available at > https://www.isc.org/support > Apr 11 18:53:42 server06 named[4141]: > ---------------------------------------------------- > Apr 11 18:53:42 server06 named[4141]: adjusted limit on open files > from 4096 to 1048576 > Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4 worker threads > Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners per interface > Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets > Apr 11 18:53:42 server06 named[4141]: loading configuration from > '/etc/bind/named.conf' > Apr 11 18:53:42 server06 named[4141]: reading built-in trusted keys > from file '/etc/bind/bind.keys' > Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4 port > range: [1024, 65535] > Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6 port > range: [1024, 65535] > Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo, > 127.0.0.1#53 > Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface > eth0, 192.168.111.90#53 > Apr 11 18:53:42 server06 named[4141]: generating session key for > dynamic DNS > Apr 11 18:53:42 server06 named[4141]: sizing zone task pool based on 5 > zones > Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone' using > driver dlopen > Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN > DC=intranet,DC=mayweg,DC=net > Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting configure > Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable > zone '111.168.192.in-addr.arpa' > Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable > zone 'intranet.mayweg.net <http://intranet.mayweg.net>' > Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable > zone '_msdcs.intranet.mayweg.net <http://msdcs.intranet.mayweg.net>' > Apr 11 18:53:42 server06 named[4141]: set up managed keys zone for > view _default, file 'managed-keys.bind' > [...] > Apr 11 18:53:42 server06 named[4141]: command channel listening on > 127.0.0.1#953 > Apr 11 18:53:42 server06 named[4141]: command channel listening on ::1#953 > Apr 11 18:53:42 server06 named[4141]: managed-keys-zone: loaded serial 3 > Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN: loaded > serial 1 > Apr 11 18:53:42 server06 named[4141]: zone 127.in-addr.arpa/IN: loaded > serial 1 > Apr 11 18:53:42 server06 named[4141]: zone localhost/IN: loaded serial 2 > Apr 11 18:53:42 server06 named[4141]: zone 255.in-addr.arpa/IN: loaded > serial 1 > Apr 11 18:53:42 server06 named[4141]: all zones loaded > Apr 11 18:53:42 server06 named[4141]: running > > The only thing I find a bit strange is "command channel listening on > ::1#953" instead of the actual IPv4 address. > My smb.conf on the AD DC can be found in the e-mail before. Here is > the rest: > > *krb5.conf:* > [libdefaults] > default_realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> > dns_lookup_realm = false > dns_lookup_kdc = true > * > * > *named.conf:* > include "/etc/bind/named.conf.options"; > include "/etc/bind/named.conf.local"; > include "/etc/bind/named.conf.default-zones"; > include "/var/lib/samba/private/named.conf"; > > *named.conf.default-zones:* > // prime the server with knowledge of the root servers > zone "." { > type hint; > file "/etc/bind/db.root"; > }; > > // be authoritative for the localhost forward and reverse zones, and for > // broadcast zones as per RFC 1912 > > zone "localhost" { > type master; > file "/etc/bind/db.local"; > }; > > zone "127.in-addr.arpa" { > type master; > file "/etc/bind/db.127"; > }; > > zone "0.in-addr.arpa" { > type master; > file "/etc/bind/db.0"; > }; > > zone "255.in-addr.arpa" { > type master; > file "/etc/bind/db.255"; > }; > > *named.conf.options:* > options { > directory "/var/cache/bind"; > > forwarders { > 192.168.111.79; > }; > > dnssec-validation no; > > auth-nxdomain no; # conform to RFC1035 > listen-on { any; }; > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; > }; > * > * > *named.conf.local:* > //empty > > */var/lib/samba/private/named.conf:* > dlz "AD DNS Zone" { > # For BIND 9.9.x > database "dlopen > /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so"; > }; > > I also checked the permissions on /etc/krb5.keytab and > /var/lib/samba/private/dns.keytab. Both should be accessible by bind > and samba. > > Greetings, > TimoYour files are the same as mine and mine works (mind you I use dhcp running on the first DC), If something does go wrong It shows errors in syslog. I take it that the clients are set up to do their own updates. The '953' number you are worrying about is the command channel listening on the ipv6 localhost address. I am not entirely sure you can use the DNS server on an AD DC for more than one domain, it usually just updates the one forward zone. I am still not happy with the workgroup with a dot in it. Rowland Rowland