On Wed, Aug 3, 2016 at 1:43 AM, Rowland Penny <rpenny at samba.org> wrote:
>
> See inline comments
> And Please keep replies to the list
>
> On Tue, 2 Aug 2016 15:08:26 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
> > Samba's wiki didn't have a walk through working example from A to Z.
> > It is great don't get me wrong but I followed it and at the end I was
> > able to do all in the steps in it but still had the message I started
> > this thread with. It leaves out A-F and R-Z or thereabouts (It might
> > have more or less but there are some missing parts.) I am still
> > trying to figure out how to try and properly compile it for Fedora
> > myself (as Fedora is my main distro of choice and I used a
> > precompiled version from Alexander Bokovoy for F23 when I started this
> > thread, I had even gotten that to work following the samba wiki in
> > the past but seem to have been having trouble when I built a vm for
> > it).
>
> Most of the wiki was written by Marc Muehlfeld, he (as far as I am
> aware) uses Centos, so the wiki should be relevant to fedora.
>

I was wrong to characterize it as missing A-F and R-Z; it is more like it
is really only missing A (some more pre-install necessities and testing;
it should probably test that ACLs are working and test named to make sure
it is up to par) and Z (some testing that I'm not sure how to replicate
outside of Windows, and I'm not sure how to fix the broken cases, like
joining a domain as a test; when failing occurred all I could do is try a
different prepackaged samba), and more so the samba wiki has B1, B2, B3
.... so many options that it confused me and I went with a simple example.

Specifically I needed an example with bind as I know bind and use it.
Once it was using bind I could do things like use the samba AD DC's bind
as a master and use my main server as a slave without interfering with
other domains I use on my main computer. And I no longer had to point the
DNS to the VM; I could use my main computer without worry.

The windows test to run (after reading the error message from windows I
was told by it to run:) "nltest /dsgetdc:<domain name>"
Another good test is to run "dcdiag /s:<domain controller name>"

Also on windows I installed the AD tools on my Windows 10 machine to
create accounts and GPOs.

For Fedora the samba wiki worked on my main machine. I used bind_flatfile
as bind on Fedora did not support DLZ, but on a vm following the same
instructions did not work. I must not have had some options installed
that I need for it to work properly. If and when I fix it maybe then I
can update the wiki.

For now I have a working Ubuntu 16.04 AD DC Samba server following the
instructions on that linked page. I modified it with what you told me.
I removed the forwarder in the smb.conf file, I set fstab back to how it
was originally by the OS install, and I moved krb5.conf to krb5.conf.org
and linked to the one created by samba.

Most of what was on that linked page were the same tests as on the samba
wiki.

> > Samba's seems to leave out some important parts of setting up
> > AppArmor or Selinux
>
> The setup of these could be improved on the wiki, care to help by
> posting your files ?
>

That is why I went to some other wiki; I don't know this well enough, I
just copied the rules I saw on the linked page.
And after ten years of selinux in fedora I just use the defaults that the
package maintainers put in. Since I suspected selinux I disabled it and
rebooted but the problems were still there.

The apparmor rules were as follows:

Add the following apparmor rules to the end of
/etc/apparmor.d/usr.sbin.named inside the {..}

sudo nano /etc/apparmor.d/usr.sbin.named

  /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
  /usr/lib/x86_64-linux-gnu/samba/** rwmk,

  /var/lib/samba/private/dns/** rwmk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns.keytab r,

  /var/tmp/* rw,

  /dev/urandom rw,

That worked well enough for me on the Ubuntu 16.04 install I did on a
VM. For all I know this makes the machine super vulnerable so I am only
testing with it and keeping an eye on it.

Should I try and update the wiki with these apparmor instructions? and
installing the necessary steps to install and

> > test ACL's (that part was pretty good on the linked page).
>
> And it was totally unnecessary, the defaults for ext4 are what the
> page you linked to advised adding.
>

You are correct that the defaults for ext4 do support ACLs; however I
still think this is a good thing to test before continuing, for people
that might have installed a FS that does not support it, so they know
they will need another partition to mount some place that has ACLs for
samba to use.

> > to test if those are the defaults for mounting ext4. I can try
> > setting it back. I also didn't like using rm I always was taught to
> > move the original out of the way that there maybe something in there
> > you'll want later.
>
> You do not need to bother, take it from me, you do not need to
> alter /etc/fstab if you are using ext4.
>
> >
> > It also has me wondering how Ubuntu compiled samba to work if they are
> > using Heimdal or MIT Kerberos and if they are using Heimdal how they
> > got around other issues vs why Fedora is sticking with MIT? If they
> > are using MIT why is Fedora still working on this?
>
> Samba comes with a built-in kerberos server, this uses Heimdal. The
> red-hat world uses MIT and they want to use this with Samba and a lot
> of work is going on to make this happen. Once this work is complete,
> Samba will move to using MIT instead of Heimdal.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

Thank you Rowland you are very helpful.
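The AppArmor rules posted above grant named read, write, mmap and lock on whole library trees, and the poster says he does not know what that exposes. The following is an added example, not code from the thread or from the Samba wiki: a small reviewer that parses rules of the form `path perms,` and reports what each grant allows, so the question can be answered rule by rule. The rule text is the set quoted in the message; the severity labels and the thresholds behind them are this example's own assumptions, not anything AppArmor or Samba defines.

```python
"""Added example (not from the thread or the Samba wiki): review simple
AppArmor file rules of the form `path perms,` and flag broad grants.
Severity labels are this example's own assumptions."""
import re

# Meaning of the AppArmor file-permission letters used in these rules.
PERM_NAMES = {"r": "read", "w": "write", "m": "mmap executable",
              "k": "file locking", "l": "link"}

RULE_RE = re.compile(r"^\s*(?P<path>/\S*)\s+(?P<perms>[rwmkl]+)\s*,\s*$")

# Constructed input: the rules exactly as posted in the thread.
NAMED_RULES = """
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab r,
/var/tmp/* rw,
/dev/urandom rw,
"""


def parse_rules(text):
    """Return [(path, perms)] for every non-blank line; reject anything else."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("not a simple file rule: %r" % line)
        rules.append((m.group("path"), m.group("perms")))
    return rules


def describe(perms):
    """Spell out a permission string such as 'rwmk'."""
    return [PERM_NAMES[p] for p in perms]


def review_rule(path, perms):
    """Return [(severity, message)] for one rule; empty means nothing to flag."""
    findings = []
    writable = "w" in perms
    if writable and path.startswith("/usr/"):
        # dlopen() of the .so files needs read plus mmap ('rm'); write is
        # more than loading them requires.
        findings.append(("high", "write under /usr: a compromised named "
                                 "could alter the shared objects it loads"))
    if writable and "m" in perms:
        findings.append(("medium", "write and mmap-exec on the same paths: "
                                   "named could map code it wrote itself"))
    if writable and "**" in path:
        findings.append(("medium", "recursive glob with write: the grant "
                                   "covers every file below the directory"))
    if writable and path.startswith("/var/tmp/"):
        findings.append(("low", "shared scratch directory: prefer a "
                                "directory only named can write"))
    return findings


def review_profile(text):
    """Map each rule (as written) to its findings, skipping clean rules."""
    out = {}
    for path, perms in parse_rules(text):
        findings = review_rule(path, perms)
        if findings:
            out["%s %s," % (path, perms)] = findings
    return out


def worst_severity(text):
    """Highest severity found in the whole rule set, or 'none'."""
    order = {"low": 1, "medium": 2, "high": 3}
    worst = 0
    for findings in review_profile(text).values():
        for sev, _ in findings:
            worst = max(worst, order[sev])
    return {0: "none", 1: "low", 2: "medium", 3: "high"}[worst]


if __name__ == "__main__":
    for rule, findings in review_profile(NAMED_RULES).items():
        print(rule)
        for sev, msg in findings:
            print("  [%s] %s" % (sev, msg))
    print("overall:", worst_severity(NAMED_RULES))
```

The reviewer only understands bare file rules; profile headers, `#include` lines and `capability` rules would have to be filtered out before feeding a full profile to `parse_rules`. The useful output is the per-rule list: the rules that only need to load modules can be tightened from `rwmk` to `rm` and re-tested with named in complain mode before the profile goes to the wiki.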
See inline comments

On Thu, 4 Aug 2016 11:34:38 -0600
Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

Are you by any chance the same Jeff Sadowski that posts on
fedoraforum.org ? The one that knew something I didn't ?
The one that knew that there are unofficial fedora Samba AD DC packages
available?

> On Wed, Aug 3, 2016 at 1:43 AM, Rowland Penny <rpenny at samba.org>
> wrote:
> >
> > See inline comments
> > And Please keep replies to the list
> >
> > On Tue, 2 Aug 2016 15:08:26 -0600
> > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> >
> > > Samba's wiki didn't have a walk through working example from A to
> > > Z. It is great don't get me wrong but I followed it and at the
> > > end I was able to do all in the steps in it but still had the
> > > message I started this thread with. It leaves out A-F and R-Z or
> > > thereabouts (It might have more or less but there are some
> > > missing parts.) I am still trying to figure out how to try and
> > > properly compile it for Fedora myself (as Fedora is my main
> > > distro of choice and I used a precompiled version from Alexander
> > > Bokovoy for F23 when I started this thread, I had even gotten that
> > > to work following the samba wiki in the past but seem to have been
> > > having trouble when I built a vm for it).

I installed fedora 23 in a VM (I tried fedora 24 first but gave up on
that horror) and then tried to compile Samba 4.5.0rc1, found that the
package list on the Samba wiki is wrong, installed all the other
packages recommended for RHEL and compiled Samba. However I could
not get the provision to work, it errored out after 'Setting up sam.ldb
users and groups' with this:

ERROR(ldb): uncaught exception - operations error at
../source4/dsdb/samdb/ldb_modules/password_hash.c:2816
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 461, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)

Whilst trying to find out a reason for the above, I found this webpage:

http://forums.fedoraforum.org/showthread.php?t=296121

Which led to Samba packages for fedora, installed these and provisioned
Samba following the wiki and it worked.

> >
> > Most of the wiki was written by Marc Muehlfeld, he (as far as I am
> > aware) uses Centos, so the wiki should be relevant to fedora.
> >
>
> I was wrong to characterize it as missing A-F and R-Z it is more like
> it is really only missing A(some more pre install necessities and
> testing should probably test that ACLs are working and test named to
> make sure it is up to par) and Z (some testing that I'm not sure how
> to replicate outside of windows and I'm not sure how to fix the
> broken cases, like joining a domain as a test and when failing
> occurred all I could do is try a different prepackaged samba) and
> more so the samba wiki has B1, B2, B3 .... so many options that it
> confused me and I went with a simple example.

If you use ext4, you don't need to test the ACLs as a matter of course,
this is because it is known to work.
If you have problems joining a computer to a Samba domain, then ask
here, this is one of the ways we find out what to put on the wiki.

> Specifically I needed an example with bind as I know bind and use it.
> Once it was using bind I could do things like use the samba AD DC's
> bind as a master and use my main server as a slave without
> interfering with other domains I use on my main computer. And I no
> longer had to point the DNS to the VM I could use my main computer
> without worry.

There is at least one page on the wiki about using Bind with a Samba
AD DC, but you shouldn't be using it in a 'master' 'slave' way. Bind
needs to be authoritative for the domain and forward anything it
doesn't know about to another DNS server.

> The windows test to run (after reading the error message from windows
> I was told by it to run:) "nltest /dsgetdc:<domain name>"
> Another good test is to run "dcdiag /s:<domain controller name>"
>
> Also on windows I installed the AD tools on my Windows 10 machine to
> create accounts and GPOs
>
> For Fedora the samba wiki worked on my main machine I used
> bind_flatfile as bind on Fedora did not support DLZ but on a vm
> following the same instructions did not work. I must not have had
> some options installed that I need for it to work properly. If and
> when I fix it maybe then I can update the wiki.

Please do not use flatfiles with Samba, they are not recommended or
supported.

> For now I have a working Ubuntu 16.04 AD DC Samba server following the
> instructions on that linked page. I modified it with what you told
> me. I removed the forwarder in the smb.conf file, I set fstab back to
> how it was originally by the OS install, and I moved krb5.conf to
> krb5.conf.org. and linked to the one created by samba.
>
> Most of what was on that linked page were the same tests as on the
> samba wiki.
>
> > > Samba's seems to leave out some important parts of setting up
> > > AppArmor or Selinux
> >
> > The setup of these could be improved on the wiki, care to help by
> > posting your files ?
> >
>
> That is why I went to some other wiki I don't know this well enough I
> just copied the rules I saw on the linked page.
> And after ten years of selinux in fedora I just use the defaults that
> the package maintainers put in. since I suspected selinux I disabled
> it and rebooted but the problems were still there.
>
> The apparmor rules were as follows:
>
> Add the following apparmor rules to the end of
> /etc/apparmor.d/usr.sbin.named inside the {..}
>
> sudo nano /etc/apparmor.d/usr.sbin.named
>
>   /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
>   /usr/lib/x86_64-linux-gnu/samba/** rwmk,
>
>   /var/lib/samba/private/dns/** rwmk,
>   /var/lib/samba/private/named.conf r,
>   /var/lib/samba/private/dns.keytab r,
>
>   /var/tmp/* rw,
>
>   /dev/urandom rw,
>
> That worked well enough for me on the Ubuntu 16.04 install I did on a
> VM. For all I know this makes the machine super vulnerable so I am
> only testing with it and keeping an eye on it.

That is similar to what is on the wiki, one of the problems is the
different paths, another is that you are not sure if your settings are
final, once you are sure they are, then would be the time to add them
to the wiki.

Rowland
On Thu, Aug 4, 2016 at 12:54 PM, Rowland Penny <rpenny at samba.org> wrote:
>
> See inline comments
>
> On Thu, 4 Aug 2016 11:34:38 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
> Are you by any chance the same Jeff Sadowski that posts on
> fedoraforum.org ? The one that knew something I didn't ?
> The one that knew that there are unofficial fedora Samba AD DC packages
> available?
>

Same one. I got that from Alexander Bokovoy (all credit goes to him)
when he posted that about 6 months ago to the samba mailing list :-)
As you can see I am trying to make this easy to do, you found it.
Forums seem to work better for me. And you can also see I had been
waiting a long long long time for AD DC support in Fedora. Looks like
things are getting close.

> > On Wed, Aug 3, 2016 at 1:43 AM, Rowland Penny <rpenny at samba.org>
> > wrote:
> > >
> > > See inline comments
> > > And Please keep replies to the list
> > >
> > > On Tue, 2 Aug 2016 15:08:26 -0600
> > > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> > >
> > > > Samba's wiki didn't have a walk through working example from A to
> > > > Z. It is great don't get me wrong but I followed it and at the
> > > > end I was able to do all in the steps in it but still had the
> > > > message I started this thread with. It leaves out A-F and R-Z or
> > > > thereabouts (It might have more or less but there are some
> > > > missing parts.) I am still trying to figure out how to try and
> > > > properly compile it for Fedora myself (as Fedora is my main
> > > > distro of choice and I used a precompiled version from Alexander
> > > > Bokovoy for F23 when I started this thread, I had even gotten that
> > > > to work following the samba wiki in the past but seem to have been
> > > > having trouble when I built a vm for it).
>
> I installed fedora 23 in a VM (I tried fedora 24 first but gave up on
> that horror) and then tried to compile Samba 4.5.0rc1, found that the
> package list on the Samba wiki is wrong, installed all the other
> packages recommended for RHEL and compiled Samba. However I could
> not get the provision to work, it errored out after 'Setting up sam.ldb
> users and groups' with this:
>
> ERROR(ldb): uncaught exception - operations error at
> ../source4/dsdb/samdb/ldb_modules/password_hash.c:2816
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 461, in run
>     nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
>     skip_sysvolacl=skip_sysvolacl)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
>     next_rid=next_rid, dc_rid=dc_rid)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
>     "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
>     ldb.add_ldif(data, controls)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
>     self.add(msg, controls)
>

I didn't bother compiling on Fedora 23. As I said on Fedoraforum, I read
https://copr.fedorainfracloud.org/coprs/asn/samba_ad_dc/ then I ran
dnf copr enable asn/samba_ad_dc
and
dnf install samba-dc
then I was able to follow the samba wiki and this worked fine on my
original machine and up to a point on my VM. I realized a spelling error
in my original domain and I wanted to upgrade to F24 anyways; that is why
I pushed my domain to a VM.

Currently I had been trying to work it out in rawhide and use a spec file
from a src rpm that I had posted about on another thread. I've been trying
to figure out what it is I need to do to compile it with AD DC support in
Fedora but am lost. I think I just need to wait it out a bit longer. And
use another distro that has it precompiled as an AD DC for now.

> Whilst trying to find out a reason for the above, I found this webpage:
>
> http://forums.fedoraforum.org/showthread.php?t=296121
>
> Which led to Samba packages for fedora, installed these and provisioned
> Samba following the wiki and it worked.
>

I guess I just need to try that again, but the
nltest /dsgetdc:<domain name>
test was failing for me on my VM. I must have had some stuff different
on my main computer. hmmm

> > >
> > > Most of the wiki was written by Marc Muehlfeld, he (as far as I am
> > > aware) uses Centos, so the wiki should be relevant to fedora.
> > >
> >
> > I was wrong to characterize it as missing A-F and R-Z it is more like
> > it is really only missing A(some more pre install necessities and
> > testing should probably test that ACLs are working and test named to
> > make sure it is up to par) and Z (some testing that I'm not sure how
> > to replicate outside of windows and I'm not sure how to fix the
> > broken cases, like joining a domain as a test and when failing
> > occurred all I could do is try a different prepackaged samba) and
> > more so the samba wiki has B1, B2, B3 .... so many options that it
> > confused me and I went with a simple example.
>
> If you use ext4, you don't need to test the ACLs as a matter of course,
> this is because it is known to work.
> If you have problems joining a computer to a Samba domain, then ask
> here, this is one of the ways we find out what to put on the wiki.
>
> > Specifically I needed an example with bind as I know bind and use it.
> > Once it was using bind I could do things like use the samba AD DC's
> > bind as a master and use my main server as a slave without
> > interfering with other domains I use on my main computer. And I no
> > longer had to point the DNS to the VM I could use my main computer
> > without worry.
>
> There is at least one page on the wiki about using Bind with a Samba
> AD DC, but you shouldn't be using it in a 'master' 'slave' way. Bind
> needs to be authoritative for the domain and forward anything it
> doesn't know about to another DNS server.
>

I had discussed this on ISC's mailing list. At first I was looking for a
non-caching DNS but quickly realized I can have a master slave
relationship. I use a master on the DC with the DLZ and push to a slave
on my main computer (Fedora 24 with bind and other domains). It works
nice as I know it will push when a change occurs and I can actually have
multiple domains.

On my main computer I have lines like so:

zone "samdom.example.com" IN {
    type slave;
    masters { <address of my samdom.example.com DC>; };
    file "db.samdom.example.com";
};
zone "test.test.test" IN {
    type slave;
    masters { <address of my test.test.test DC>; };
    file "db.test.test.test";
};

On my DCs I have in the options section:

notify yes;
also-notify { <main server's ip>; };
allow-transfer { <main server's ip>; };

If I point all machines to my main server's ip I can get up to date
records for all my domains as the DCs will push to it.

DNS didn't seem to be why mine was failing. I can verify DNS with
nslookup, dig, or host.

> > The windows test to run (after reading the error message from windows
> > I was told by it to run:) "nltest /dsgetdc:<domain name>"
> > Another good test is to run "dcdiag /s:<domain controller name>"
> >
> > Also on windows I installed the AD tools on my Windows 10 machine to
> > create accounts and GPOs
> >
> > For Fedora the samba wiki worked on my main machine I used
> > bind_flatfile as bind on Fedora did not support DLZ but on a vm
> > following the same instructions did not work. I must not have had
> > some options installed that I need for it to work properly. If and
> > when I fix it maybe then I can update the wiki.
>
> Please do not use flatfiles with Samba, they are not recommended or
> supported.
>

Flat files worked OK on my main server. Yeah it duplicates the databases
but it worked without me having to recompile bind. As you saw compiling
can be hairy; I don't want to think about it. I guess I can download the
src rpm and edit the spec file but flat file worked for me. I had been
using a successful AD DC on Fedora 23 from about a month before posting
that forum entry till a few days ago. And it still allowed me to do other
things I want to do with bind instead of having to use samba's DNS
server. Things like the also-notify and allow-transfer that are critical
for slaves that I can use with multiple domains. Also with bind I can
override by making a subdomain that I can do whatever I want with.

> > For now I have a working Ubuntu 16.04 AD DC Samba server following the
> > instructions on that linked page. I modified it with what you told
> > me. I removed the forwarder in the smb.conf file, I set fstab back to
> > how it was originally by the OS install, and I moved krb5.conf to
> > krb5.conf.org. and linked to the one created by samba.
> >
> > Most of what was on that linked page were the same tests as on the
> > samba wiki.
> >
> > > > Samba's seems to leave out some important parts of setting up
> > > > AppArmor or Selinux
> > >
> > > The setup of these could be improved on the wiki, care to help by
> > > posting your files ?
> > >
> >
> > That is why I went to some other wiki I don't know this well enough I
> > just copied the rules I saw on the linked page.
> > And after ten years of selinux in fedora I just use the defaults that
> > the package maintainers put in. since I suspected selinux I disabled
> > it and rebooted but the problems were still there.
> >
> > The apparmor rules were as follows:
> >
> > Add the following apparmor rules to the end of
> > /etc/apparmor.d/usr.sbin.named inside the {..}
> >
> > sudo nano /etc/apparmor.d/usr.sbin.named
> >
> >   /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
> >   /usr/lib/x86_64-linux-gnu/samba/** rwmk,
> >
> >   /var/lib/samba/private/dns/** rwmk,
> >   /var/lib/samba/private/named.conf r,
> >   /var/lib/samba/private/dns.keytab r,
> >
> >   /var/tmp/* rw,
> >
> >   /dev/urandom rw,
> >
> > That worked well enough for me on the Ubuntu 16.04 install I did on a
> > VM. For all I know this makes the machine super vulnerable so I am
> > only testing with it and keeping an eye on it.
>
> That is similar to what is on the wiki, one of the problems is the
> different paths, another is that you are not sure if your settings are
> final, once you are sure they are, then would be the time to add them
> to the wiki.
>
> Rowland
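The thread leans on "nltest /dsgetdc" on the Windows side and on nslookup, dig or host on the Linux side to decide whether the DC is reachable, but none of the messages spells out which records those tools are actually looking for. The following is an added example, not code from the thread, from Samba or from the wiki: it derives the SRV names an AD client uses to locate a DC, parses `dig +short SRV <name>` style answers, and reports which records are missing or advertise the wrong port. The answers embedded in it are constructed sample output for the thread's `samdom.example.com`, not captured from a real DC; the host name `dc1` and the deliberately missing `_kpasswd._udp` record are this example's own choices. The expected ports are the standard AD service ports.

```python
"""Added example (not from the thread, Samba or the wiki): check the SRV
records an AD client needs to find a domain controller, working from
`dig +short SRV <name>` output so it can be run against any nameserver."""

# SRV names an AD client expects for a domain, with the port each should
# advertise. {d} is replaced by the DNS domain name.
SRV_EXPECTED_PORTS = {
    "_ldap._tcp.dc._msdcs.{d}": 389,   # DC locator record behind nltest /dsgetdc
    "_ldap._tcp.{d}": 389,
    "_kerberos._tcp.{d}": 88,
    "_kerberos._udp.{d}": 88,
    "_kpasswd._tcp.{d}": 464,
    "_kpasswd._udp.{d}": 464,
}


def dc_srv_names(domain):
    """Return {srv_record_name: expected_port} for an AD DNS domain."""
    d = domain.rstrip(".").lower()
    return {name.format(d=d): port for name, port in SRV_EXPECTED_PORTS.items()}


def parse_srv_short(text):
    """Parse `dig +short SRV` output: one 'priority weight port target.' per line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or something that is not an SRV answer
        prio, weight, port, target = parts
        records.append({"priority": int(prio), "weight": int(weight),
                        "port": int(port),
                        "target": target.rstrip(".").lower()})
    return records


def check_dc_records(domain, answers):
    """answers maps SRV name -> raw `dig +short` output for that name.
    Returns (missing_names, wrong_port_names, dc_targets)."""
    missing, wrong_port, targets = [], [], set()
    for name, port in dc_srv_names(domain).items():
        records = parse_srv_short(answers.get(name, ""))
        if not records:
            missing.append(name)
            continue
        for rec in records:
            targets.add(rec["target"])
            if rec["port"] != port:
                wrong_port.append(name)
    return missing, wrong_port, targets


def report(domain, answers):
    """Human-readable summary lines for check_dc_records()."""
    missing, wrong_port, targets = check_dc_records(domain, answers)
    lines = ["DCs advertised: %s" % (", ".join(sorted(targets)) or "none")]
    lines += ["MISSING  %s" % n for n in missing]
    lines += ["BAD PORT %s" % n for n in wrong_port]
    return lines


# Constructed sample: what `dig +short SRV <name> @<dc-ip>` would print for
# a healthy DC named dc1, with _kpasswd._udp left out on purpose so the
# failure path is exercised. Not captured from a real server.
SAMPLE_DOMAIN = "samdom.example.com"
SAMPLE_ANSWERS = {
    "_ldap._tcp.dc._msdcs.samdom.example.com": "0 100 389 dc1.samdom.example.com.\n",
    "_ldap._tcp.samdom.example.com": "0 100 389 dc1.samdom.example.com.\n",
    "_kerberos._tcp.samdom.example.com": "0 100 88 dc1.samdom.example.com.\n",
    "_kerberos._udp.samdom.example.com": "0 100 88 dc1.samdom.example.com.\n",
    "_kpasswd._tcp.samdom.example.com": "0 100 464 dc1.samdom.example.com.\n",
}

if __name__ == "__main__":
    # Against a live server, fill `answers` by running
    #   dig +short SRV <name> @<nameserver>
    # for every name in dc_srv_names(domain), then call report().
    print("\n".join(report(SAMPLE_DOMAIN, SAMPLE_ANSWERS)))
```

Run the same check against every nameserver that clients are pointed at: in the master/slave arrangement described above that means both the DC's own BIND and the main server holding the transferred slave zone, since a zone that transferred but is stale, or a target host that does not resolve, fails the Windows locator just as a missing record does.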