oeh univie edv lists
2015-Oct-04 23:00 UTC
[Samba] Question Wiki Setup a Samba Active Directory Domain Controller
Hi again,

I refer to
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_your_Samba_Domain_Controller

Thank you for this great wiki! I run all the tests and everything looks perfect!

I encounter just a little difference here. Actually I thought that there should be no Master and Workgroup for an AD DC (as given in the wiki and in Stefan Kania's book "Samba 4").

Why is it at my installation (Debian 8.2., Samba 4.1.17)?... ow, and after I restarted the computer samba, nmbd and smbd were running.... I didn't install any start script. I thought nmbd is not needed on AD DC, is it? I'd also prefer a setup where my windows client will not be able to browse the AD DC.

>smbclient -L localhost -U%
Domain=[BLA] OS=[Unix] Server=[Samba 4.1.17-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.17-Debian)
Domain=[BLA] OS=[Unix] Server=[Samba 4.1.17-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            MYHOSTNAME

cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = BLA
        realm = AD.BLA.AT
        netbios name = MYHOSTNAME
        server role = active directory domain controller
        dns forwarder = my dns IP
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/ad.bla.at/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Actually this mailing list keeps me alive. As I cannot give you anything back at the moment (still DAU knowledge status here), is it possible to donate a little money? If appreciated, send a link or howto.

kind regards, birgit
Rowland Penny
2015-Oct-05 08:58 UTC
[Samba] Question Wiki Setup a Samba Active Directory Domain Controller
On 05/10/15 00:00, oeh univie edv lists wrote:
> Hi again,
>
> I refer to
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_your_Samba_Domain_Controller
>
> Thank you for this great wiki! I run all the tests and everything looks
> perfect!
>
> I encounter just a little difference here. Actually I thought that there
> should be no Master and Workgroup for an AD DC (as given in the wiki and
> in Stefan Kania's book "Samba 4").

You are correct, there is no master in an AD domain, but you still need the workgroup name. I cannot speak for the book having never read it, but there are several problems with the conf files on the website you provided earlier. I would suggest that you stick with the Samba wiki and asking questions here :-)

>
> Why is it at my installation (Debian 8.2., Samba 4.1.17)?... ow, and after
> I restarted the computer samba, nmbd and smbd were running.... I didn't
> install any start script. I thought nmbd is not needed on AD DC, is it?
> I'd also prefer a setup where my windows client will not be able to browse
> the AD DC.

If you have both the samba and nmbd daemons running, then you have something wrong, the samba daemon has its own nmbd built in. If you installed via apt-get, you would probably get nmbd installed in /usr/sbin. You need to stop nmbd being started on boot, but just how you would do this, I do not know because you are using Jessie that uses systemd.

Rowland

>> smbclient -L localhost -U%
> Domain=[BLA] OS=[Unix] Server=[Samba 4.1.17-Debian]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         IPC$            IPC       IPC Service (Samba 4.1.17-Debian)
> Domain=[BLA] OS=[Unix] Server=[Samba 4.1.17-Debian]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>         WORKGROUP            MYHOSTNAME
>
> cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = BLA
>         realm = AD.BLA.AT
>         netbios name = MYHOSTNAME
>         server role = active directory domain controller
>         dns forwarder = my dns IP
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.bla.at/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> Actually this mailing list keeps me alive. As I cannot give you anything
> back at the moment (still DAU knowledge status here), is it possible to
> donate a little money? If appreciated, send a link or howto.
>
> kind regards, birgit
>
oeh univie edv lists
2015-Oct-05 17:23 UTC
[Samba] Question Wiki Setup a Samba Active Directory Domain Controller
Hello,

Probably problem is number 3... see below....

All of them are running after restart of computer:

# /etc/init.d/samba-ad-dc status
● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc)
   Active: active (running) since Son 2015-10-04 23:14:36 CEST; 18h ago

# /etc/init.d/samba status
● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc)
   Active: active (running) since Son 2015-10-04 23:14:36 CEST; 18h ago

# /etc/init.d/nmbd status
● nmbd.service - LSB: start Samba NetBIOS nameserver (nmbd)
   Loaded: loaded (/etc/init.d/nmbd)
   Active: active (exited) since Son 2015-10-04 23:14:36 CEST; 18h ago

# /etc/init.d/smbd status
● smbd.service - LSB: start Samba SMB/CIFS daemon (smbd)
   Loaded: loaded (/etc/init.d/smbd)
   Active: active (exited) since Son 2015-10-04 23:14:36 CEST; 18h ago

winbind is not running.

And yes, nmbd is in /usr/sbin.

I checked my /etc/init.d/samba-ad-dc and it is the same as
http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba.samba-ad-dc.init;h=3132d2e367675f822342a5b7bc2e50c046aa3b8f;hb=HEAD
which is recommended for Debian on https://wiki.samba.org/index.php/Samba4/InitScript .

I got all those init scripts set to 755 like recommended:

/etc/init.d # ls -l samba samba-ad-dc nmbd smbd
-rwxr-xr-x 1 root root 1948 Mär  7  2015 nmbd
-rwxr-xr-x 1 root root 1266 Mär  7  2015 samba
-rwxr-xr-x 1 root root 2299 Mär  7  2015 samba-ad-dc
-rwxr-xr-x 1 root root 1930 Mär  7  2015 smbd

As far as I understand /etc/init.d/samba starts samba-ad-dc, smbd and nmbd and the init each of them themselves check if the process is needed or not. As far as I can understand the /etc/init.d/nmbd file nmbd should not be started but exit, because I have an active directory domain controller. I tested on the command line:

>samba-tool testparm --parameter-name="server role"
active directory domain controller

I do not understand that behaviour.

Furthermore I do not understand why I do have to have a /etc/init.d/samba additionally to /etc/init.d/samba-ad-dc.

So what I did was stopping everything and just start /etc/init.d/samba-ad-dc (which does not start nmbd and smbd). Then I did all recommended tests of the Wiki again. Everything works fine. But am I going to run into problems later on? Do I need to get rid of init files?

I attached /etc/init.d/samba and /etc/init.d/nmbd files below.

Please can somebody point out
1) which init scripts/processes are necessary for Samba 4 AD DC
2) and most important: how to deactivate the unnecessary ones at startup
3) do I have mixed up my installation? To me it seems I somehow have a samba 4 pdc and a samba 4 AD DC simultaneously installed. Ow, now I remember at provision I was informed to remove /etc/samba/smb.conf (the one that was produced at samba install with aptitude which included "server role = standalone server"). I renamed it to smb_old.conf and then the AD DC installation succeeded. But did it somehow install those unnecessary processes as well? If yes, how to clean up? (I could also start the whole installation from scratch if it is the easiest way to do it.)

kind regards, birgit

========================================

cat /etc/init.d/samba
#!/bin/sh

### BEGIN INIT INFO
# Provides:          samba
# Required-Start:
# Required-Stop:
# Default-Start:
# Default-Stop:
# Short-Description: ensure Samba daemons are started (nmbd and smbd)
### END INIT INFO

set -e

# start nmbd, smbd and samba-ad-dc unconditionally
# the init scripts themselves check if they are needed or not
case $1 in
    start)
        /etc/init.d/nmbd start
        /etc/init.d/smbd start
        /etc/init.d/samba-ad-dc start
        ;;
    stop)
        /etc/init.d/samba-ad-dc stop
        /etc/init.d/smbd stop
        /etc/init.d/nmbd stop
        ;;
    reload)
        /etc/init.d/smbd reload
        ;;
    restart|force-reload)
        /etc/init.d/nmbd "$1"
        /etc/init.d/smbd "$1"
        /etc/init.d/samba-ad-dc "$1"
        ;;
    status)
        status=0
        NMBD_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null || true`
        SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1 || true`
        if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
            if [ "$NMBD_DISABLED" != "Yes" ]; then
                /etc/init.d/nmbd status || status=$?
            fi
            /etc/init.d/smbd status || status=$?
        else
            /etc/init.d/samba-ad-dc status || status=$?
        fi
        exit $status
        ;;
    *)
        echo "Usage: /etc/init.d/samba {start|stop|reload|restart|force-reload|status}"
        exit 1
        ;;
esac

# more /etc/init.d/nmbd
#!/bin/sh

### BEGIN INIT INFO
# Provides:          nmbd
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# X-Start-Before:    smbd
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba NetBIOS nameserver (nmbd)
### END INIT INFO

PIDDIR=/var/run/samba
NMBDPID=$PIDDIR/nmbd.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemons are there
test -x /usr/sbin/nmbd || exit 0

. /lib/lsb/init-functions

case $1 in
    start)
        if init_is_upstart; then
            exit 1
        fi

        SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
        if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
            exit 0
        fi

        if [ -n `which testparm` ]
        then
            NMBD_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null`
        fi
        if [ "$NMBD_DISABLED" != Yes ]; then
            log_daemon_msg "Starting NetBIOS name server" nmbd
            # Make sure we have our PIDDIR, even if it's on a tmpfs
            install -o root -g root -m 755 -d $PIDDIR

            if ! start-stop-daemon --start --quiet --oknodo --exec /usr/sbin/nmbd -- -D
            then
                log_end_msg 1
                exit 1
            fi
            log_end_msg 0
        fi
        ;;
esac

exit 0

When I just start "/etc/init.d/samba-ad-dc start" nmbd and smbd are not started.
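
Added example, not part of the thread and not code from the Samba or Debian packages: the status output in the message above reports nmbd.service and smbd.service as "active (exited)", which is what systemd shows for an LSB init script that returned successfully without leaving a process in the unit, while samba-ad-dc.service is "active (running)". The sketch below parses such status text and, for the AD DC role, lists only the standalone units that really hold a running daemon. The function names unit_states and dc_conflicts are hypothetical, and the sample text is constructed from the output quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread or from the Debian/Samba packages).
# SAMPLE_STATUS is constructed from the status output quoted in the message.
SAMPLE_STATUS='● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc)
   Active: active (running) since Son 2015-10-04 23:14:36 CEST; 18h ago
● nmbd.service - LSB: start Samba NetBIOS nameserver (nmbd)
   Loaded: loaded (/etc/init.d/nmbd)
   Active: active (exited) since Son 2015-10-04 23:14:36 CEST; 18h ago
● smbd.service - LSB: start Samba SMB/CIFS daemon (smbd)
   Loaded: loaded (/etc/init.d/smbd)
   Active: active (exited) since Son 2015-10-04 23:14:36 CEST; 18h ago'

# unit_states (hypothetical helper): read status text on stdin and print
# "<unit> <state> <substate>" per unit, e.g. "nmbd.service active exited".
unit_states() {
    awk '
        {   # header line: unit name is field 1, or field 2 after the bullet
            for (i = 1; i <= 2 && i <= NF; i++)
                if ($i ~ /\.service$/) unit = $i
        }
        $1 == "Active:" && unit != "" {
            s = $3
            gsub(/[()]/, "", s)      # "(exited)" becomes "exited"
            print unit, $2, s
            unit = ""
        }'
}

# dc_conflicts (hypothetical helper): given the server role as $1 and status
# text on stdin, print the standalone units that hold a live daemon on a DC.
dc_conflicts() {
    role=$1
    # Same role string the init scripts in the message compare against.
    [ "$role" = "active directory domain controller" ] || return 0
    unit_states | while read -r unit state substate; do
        case $unit in
            nmbd.service|smbd.service)
                if [ "$state $substate" = "active running" ]; then
                    echo "$unit"
                fi
                ;;
        esac
    done
}

# Demo on the constructed sample. On a live host the input would come from
#   systemctl status samba-ad-dc nmbd smbd
# and the role from: samba-tool testparm --parameter-name="server role" | tail -1
printf '%s\n' "$SAMPLE_STATUS" | unit_states
printf '%s\n' "$SAMPLE_STATUS" | dc_conflicts "active directory domain controller"
```

For the sample, dc_conflicts prints nothing: both standalone units exited without starting a daemon, which matches the early "exit 0" in the nmbd script for the AD DC role.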
On Mon, 2015-10-05 at 01:00 +0200, oeh univie edv lists wrote:
> Actually this mailing list keeps me alive. As I cannot give you
> anything
> back at the moment (still DAU knowledge status here), is it possible
> to
> donate a little money? If appreciated, send a link or howto.
>
> kind regards, birgit

Donations are most welcome, and help pay travel costs and server hosting.

https://www.samba.org/samba/donations.html

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT           http://catalyst.net.nz/services/samba
thanx!
kr, birgit

Andrew Bartlett <abartlet at samba.org> writes:
>On Mon, 2015-10-05 at 01:00 +0200, oeh univie edv lists wrote:
>
>> Actually this mailing list keeps me alive. As I cannot give you
>> anything
>> back at the moment (still DAU knowledge status here), is it possible
>> to
>> donate a little money? If appreciated, send a link or howto.
>>
>> kind regards, birgit
>
>Donations are most welcome, and help pay travel costs and server
>hosting.
>
>https://www.samba.org/samba/donations.html
>
>Andrew Bartlett
>
>--
>Andrew Bartlett http://samba.org/~abartlet/
>Authentication Developer, Samba Team http://samba.org
>Samba Developer, Catalyst IT
>http://catalyst.net.nz/services/samba