On Tue, 25/04/2017 at 14.36 +0100, Rowland Penny via samba wrote:
> On Tue, 25 Apr 2017 15:09:55 +0200
> Dario Lesca via samba <samba at lists.samba.org> wrote:
>
>
> > Thanks Rowland, then the AD-DC is ok.
> > This little virtual server (3Gb of disk) must do only the DNS and
> > AD-DC for my network.
> >
> > However I would like to enable also the DHCP service, and think it's
> > right to activate it on this server.
> >
> > What is the best way to do so?
>
> Well you could always do it the way I have been doing it for the last 5
> years, see here:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> Rowland

Ok, thanks.
Tomorrow I will try this procedure for DHCP.

Another question:
Where is the better place to set:
- logon script = netlogon.bat
  and other logon options
- wins support = yes
- load printers = yes
on the AD-DC or on the member server?

Then:
I have joined a samba server to AD with success.
This is my member server smb.conf:

[global]
workgroup = SOLINOS
password server = fedora-addc.solinos.loc
realm = SOLINOS.LOC
security = ads
; idmap config * : range = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
store dos attributes = yes
client signing = yes
client use spnego = yes
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config solinos:backend = rid
idmap config solinos:range = 100000-199999
idmap config solinos:schema_mode = rfc2307

This is my /etc/krb5.conf:

> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = SOLINOS.LOC
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> SOLINOS.LOC = {
> # kdc = fedora-addc.solinos.loc
> admin_server = fedora-addc.solinos.loc
> kdc = fedora-addc.solinos.loc
> }
>
> [domain_realm]
> solinos.loc = SOLINOS.LOC
> .solinos.loc = SOLINOS.LOC

Is it always correct? Do you have any suggestions to improve the configuration?

I started with "idmap config * : range = 16777216-33554431" (now
commented), then I changed it to the new per-domain values.
Must I reset some cache? How do I reset the local ID?
If I check, the user still has the old ID mapping (I believe):

# id ospite
uid=16777216(ospite) gid=16777216(domain users) gruppi=16777216(domain users),10001(BUILTIN\users)

Is it correct? (I don't believe so)

Thanks for the reply
--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
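
An added example, not part of the original message: a small Python check that reads the active idmap ranges from the smb.conf lines quoted above, tests them for overlap, and lists the IDs in the `id ospite` output that fall outside every configured range. The function names are hypothetical; the sample inputs are copied from the message.

```python
import re
from itertools import combinations

# Sample inputs copied from the message above (idmap lines and `id` output).
SMB_CONF = """\
; idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config solinos:backend = rid
idmap config solinos:range = 100000-199999
idmap config solinos:schema_mode = rfc2307
"""
ID_OUTPUT = ("uid=16777216(ospite) gid=16777216(domain users) "
             "gruppi=16777216(domain users),10001(BUILTIN\\users)")

IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+)$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} from active (uncommented) idmap range lines."""
    ranges = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # smb.conf comment markers
            continue
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1).upper()] = (low, high)
    return ranges

def overlapping(ranges):
    """Return pairs of domains whose ID ranges intersect."""
    return [(a, b) for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def owner(ranges, xid):
    """Return the domain whose range contains xid, or None."""
    return next((d for d, (lo, hi) in ranges.items() if lo <= xid <= hi), None)

def unmapped_ids(ranges, id_output):
    """Return the numeric IDs in `id` output that fall outside every range."""
    ids = {int(n) for n in re.findall(r"(\d+)\(", id_output)}
    return sorted(i for i in ids if owner(ranges, i) is None)

if __name__ == "__main__":
    r = idmap_ranges(SMB_CONF)
    print("ranges:", r, "overlaps:", overlapping(r))
    print("outside all ranges:", unmapped_ids(r, ID_OUTPUT))
```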