Rowland Penny
2015-Aug-28 15:59 UTC
[Samba] More on bind_dlz - documentation I have not found
On 28/08/15 16:45, Robert Moskowitz wrote:
>
>
> On 08/28/2015 11:04 AM, Rowland Penny wrote:
>> On 28/08/15 15:56, Robert Moskowitz wrote:
>>>
>>>
>>> On 08/28/2015 10:42 AM, L.P.H. van Belle wrote:
>>>> Are you setting up a AD DC or old style NT PDC ?
>>>>
>>>> see :
>>>> /etc/default/sernet-samba to "classic". for NT PDC
>>>> /etc/default/sernet-samba to "ad". for AD DC.
>>> More:
>>>
>>> # service sernet-samba-ad status
>>> Checking for SAMBA AD services : [FAILED]
>>>
>>> # service sernet-samba-ad start
>>> Starting SAMBA AD services : [ OK ]
>>> # [ 4529.028579] nf_conntrack: automatic helper assignment is
>>> deprecated and it will be removed soon. Use the iptables CT target
>>> to attach helpers instead.
>>>
>>> # service sernet-samba-ad status
>>> Checking for SAMBA AD services : [ OK ]
>>>
>>> # samba-tool dns zonelist localhost
>>> Password for [HOME\root]: <- had to figure out what password to use!
>>> Password for [HOME\root]: <- got it the second try...
>>> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
>>> ncacn_ip_tcp:127.0.0.1[1024,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1]
>>> NT_STATUS_LOGON_FAILURE
>>> ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
>>> File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>> return self.run(*args, **kwargs)
>>> File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line
>>> 809, in run
>>> dns_conn = dns_connect(server, self.lp, self.creds)
>>> File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line
>>> 40, in dns_connect
>>> dns_conn = dnsserver.dnsserver(binding_str, lp, creds
>>
>> [snip]
>>
>> and try this:
>>
>> samba-tool dns zonelist localhost -U Administrator
>
> # samba-tool dns zonelist localhost -U Administrator
> Password for [HOME\Administrator]:
> Password for [HOME\Administrator]:
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
> ncacn_ip_tcp:127.0.0.1[1024,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1]
> NT_STATUS_LOGON_FAILURE
> ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
> File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> 809, in run
> dns_conn = dns_connect(server, self.lp, self.creds)
> File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> 40, in dns_connect
> dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
>
> I am wondering if I know what passwords are for HOME\root or
> HOME\Administrator!
>
> How were these set?
>
>

Well, you can forget HOME\root, this doesn't exist :-)

HOME\Administrator is set when you provision (you supply the password) or when you carry out the classicupgrade, not sure if it uses the password of the old admin user or not, but it doesn't matter, you can reset it:

samba-tool user setpassword Administrator --newpassword=P4ssW0rd*

Note that the password must be complex (and no, don't use the one above)

Rowland
Robert Moskowitz
2015-Aug-28 16:10 UTC
[Samba] More on bind_dlz - documentation I have not found
Progress...

On 08/28/2015 11:59 AM, Rowland Penny wrote:
> On 28/08/15 16:45, Robert Moskowitz wrote:
>>
>>
>> On 08/28/2015 11:04 AM, Rowland Penny wrote:
>>> On 28/08/15 15:56, Robert Moskowitz wrote:
>>>>
>>>>
>>>> On 08/28/2015 10:42 AM, L.P.H. van Belle wrote:
>>>>> Are you setting up a AD DC or old style NT PDC ?
>>>>>
>>>>> see :
>>>>> /etc/default/sernet-samba to "classic". for NT PDC
>>>>> /etc/default/sernet-samba to "ad". for AD DC.
>>>> More:
>>>>
>>>> # service sernet-samba-ad status
>>>> Checking for SAMBA AD services : [FAILED]
>>>>
>>>> # service sernet-samba-ad start
>>>> Starting SAMBA AD services : [ OK ]
>>>> # [ 4529.028579] nf_conntrack: automatic helper assignment is
>>>> deprecated and it will be removed soon. Use the iptables CT target
>>>> to attach helpers instead.
>>>>
>>>> # service sernet-samba-ad status
>>>> Checking for SAMBA AD services : [ OK ]
>>>>
>>>> # samba-tool dns zonelist localhost
>>>> Password for [HOME\root]: <- had to figure out what password to use!
>>>> Password for [HOME\root]: <- got it the second try...
>>>> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
>>>> ncacn_ip_tcp:127.0.0.1[1024,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1]
>>>> NT_STATUS_LOGON_FAILURE
>>>> ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
>>>> File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>> line 175, in _run
>>>> return self.run(*args, **kwargs)
>>>> File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line
>>>> 809, in run
>>>> dns_conn = dns_connect(server, self.lp, self.creds)
>>>> File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line
>>>> 40, in dns_connect
>>>> dns_conn = dnsserver.dnsserver(binding_str, lp, creds
>>>
>>> [snip]
>>>
>>> and try this:
>>>
>>> samba-tool dns zonelist localhost -U Administrator
>>
>> # samba-tool dns zonelist localhost -U Administrator
>> Password for [HOME\Administrator]:
>> Password for [HOME\Administrator]:
>> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
>> ncacn_ip_tcp:127.0.0.1[1024,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1]
>> NT_STATUS_LOGON_FAILURE
>> ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
>> File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line
>> 809, in run
>> dns_conn = dns_connect(server, self.lp, self.creds)
>> File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line
>> 40, in dns_connect
>> dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>>
>>
>> I am wondering if I know what passwords are for HOME\root or
>> HOME\Administrator!
>>
>> How were these set?
>>
>>
>
> Well, you can forget HOME\root, this doesn't exist :-)

See above. That is what I got prompted with when I left off the -U; I suspect as I am logged in as root.

> HOME\Administrator is set when you provision (you supply the password)
> or when you carry out the classicupgrade,

AH that complex password, that I forgot to copy down :(

> not sure if it uses the password of the old admin user or not, but it
> doesn't matter, you can reset it:
>
> samba-tool user setpassword Administrator --newpassword=P4ssW0rd*
>
> Note that the password must be complex (and no, don't use the one above)

worked:

# samba-tool dns zonelist localhost -U Administrator
Password for [HOME\Administrator]:
2 zone(s) found

pszZoneName : home.htt
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.home.htt

pszZoneName : _msdcs.home.htt
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.home.htt

Is there a command to dump the zone?
Rowland Penny
2015-Aug-28 16:27 UTC
[Samba] More on bind_dlz - documentation I have not found
On 28/08/15 17:10, Robert Moskowitz wrote:
>
>> Well, you can forget HOME\root, this doesn't exist :-)

No, if you leave off -U it uses the name of the person logged in, puts the Domain name on the front of it and asks for that user's password, the only problem is, the user must exist in AD or it will error out and root should never exist in AD.

>
> See above. That is what I got prompted with when I left off the -U; I
> suspect as I am logged in as root.
>
>
> worked:
>
> # samba-tool dns zonelist localhost -U Administrator
> Password for [HOME\Administrator]:
> 2 zone(s) found
>
> pszZoneName : home.htt
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.home.htt
>
> pszZoneName : _msdcs.home.htt
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.home.htt
>
> Is there a command to dump the zone?
>
>

Not that I am aware, but you can use ldbsearch to display all the dns objects, you just need to use the option '--cross-ncs', you can also use '--show-binary' to see the full records. There is some info on the wiki about using ldbtools and they function very similarly to ldap-utils (ldapsearch etc) and there is loads of info on the net.

Rowland
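
Added example, not part of the original thread and not Samba project code: a small Python parser for the `samba-tool dns zonelist` output quoted above, which reports any zone whose Flags lack DNS_RPC_ZONE_UPDATE_SECURE. The function names and the third sample zone are constructed for illustration; the parser accepts mail-quoted text and rejoins wrapped Flags lines.

```python
import re

# Constructed sample modelled on the zonelist output quoted in the thread,
# including the mail-wrapped "Flags" line and "> " quote prefixes.
# The third zone (lab.example) is invented to show a failing case.
SAMPLE = r"""
> Password for [HOME\Administrator]:
> 3 zone(s) found
>
> pszZoneName : home.htt
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
>
> pszZoneName : _msdcs.home.htt
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
>
> pszZoneName : lab.example
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_UNSECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
"""

def parse_zonelist(text):
    """Return one dict per zone; each field maps to its list of tokens."""
    zones, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()      # tolerate quoted mail text
        if not line:
            last_key = None                  # blank line ends any wrapped field
            continue
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and re.fullmatch(r"\w+", key):
            if key == "pszZoneName":         # first field of every zone
                current = {}
                zones.append(current)
            if current is not None:
                current[key] = value.split()
                last_key = key
        elif current is not None and last_key:
            current[last_key].extend(line.split())  # wrapped continuation
    return zones

def zones_without_secure_update(text):
    """Names of zones whose Flags lack DNS_RPC_ZONE_UPDATE_SECURE."""
    return [" ".join(z["pszZoneName"]) for z in parse_zonelist(text)
            if "DNS_RPC_ZONE_UPDATE_SECURE" not in z.get("Flags", [])]

if __name__ == "__main__":
    print(zones_without_secure_update(SAMPLE))
```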