samba - Apr 2017 - Setup a new samba AD DC

Il giorno mer, 26/04/2017 alle 07.27 +0100, Rowland Penny via samba ha
scritto:
> On Wed, 26 Apr 2017 01:55:16 +0200
> Dario Lesca via samba <samba at lists.samba.org> wrote:
> 
> Your problem is that you need to find out just who dhcpd runs as on
> fedora. On Devuan it is root and everything just works.
Yes, on Debian work.

And with this patch:

[root at fedora-addc ~]# diff -Nau /etc/samba/bin/dhcp-dyndns.sh.old
/etc/samba/bin/dhcp-dyndns.sh
--- /etc/samba/bin/dhcp-dyndns.sh.old	2017-04-26 11:06:30.930347314 +0200
+++ /etc/samba/bin/dhcp-dyndns.sh	2017-04-26 11:45:16.072373036 +0200
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# /etc/bin/dhcp-dyndns.sh
+# /etc/samba/bin/dhcp-dyndns.sh
 
 # This script is for secure DDNS updates on Samba 4
 # Version: 0.8.8
@@ -24,6 +24,12 @@
 # krbcc ticket cache
 export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
 
+if [ -f "$KRB5CCNAME" -a ! -r "$KRB5CCNAME" ]
+then
+    echo "File krbcc ticket cache $KRB5CCNAME is not readable. Remove it
with 'rm -f $KRB5CCNAME'"
+    exit 1
+fi
+
 # Kerberos principal
 SETPRINCIPAL="dhcpduser@${REALM}"
 # Kerberos keytab
@@ -43,13 +49,15 @@
 fi
 
 # Check for Kerberos keytab
-if [ ! -f /etc/dhcp/dhcpduser.keytab ]; then
-    echo "Required keytab /etc/dhcpduser.keytab not found, it needs to be
created."
+dhcpduser_keytab='/etc/samba/dhcpduser.keytab'
+#dhcpduser_keytab=/etc/dhcp/dhcpduser.keytab
+if [ ! -f $dhcpduser_keytab ]; then
+    echo "Required keytab $dhcpduser_keytab not found, it needs to be
created."
     echo "Use the following commands as root"
-    echo "samba-tool domain exportkeytab --principal=${SETPRINCIPAL}
/etc/dhcpduser.keytab"
-    echo "chown XXXX:XXXX /etc/dhcpduser.keytab"
+    echo "samba-tool domain exportkeytab --principal=${SETPRINCIPAL}
$dhcpduser_keytab"
+    echo "chown XXXX:XXXX $dhcpduser_keytab"
     echo "Replace 'XXXX:XXXX' with the user & group that dhcpd
runs as on your distro"
-    echo "chmod 400 /etc/dhcpduser.keytab"
+    echo "chmod 400 $dhcpduser_keytab"
     exit 1
 fi
 
@@ -75,12 +83,13 @@
 
 # Check for valid kerberos ticket
 #logger "${test} [dyndns] : Running check for valid kerberos ticket"
-klist -c /tmp/dhcp-dyndns.cc -s
+klist -c "$KRB5CCNAME" -s
 if [ "$?" != "0" ]; then
-    logger "${test} [dyndns] : Getting new ticket, old one has
expired"
-    kinit -F -k -t /etc/dhcp/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc
"${SETPRINCIPAL}"
+    logger "${test} [dyndns] : Getting new ticket, old one has
expired."
+    cmd="kinit -F -k -t $dhcpduser_keytab -c '$KRB5CCNAME'
'${SETPRINCIPAL}'"
+    eval $cmd
     if [ "$?" != "0" ]; then
-        logger "${test} [dyndns] : dhcpd kinit for dynamic DNS
failed"
+        logger "${test} [dyndns] : dhcpd kinit for dynamic DNS failed
[$cmd]"
         exit 1;
     fi
 fi

can work also on Centos and Fedora.

On more system that script work, more person can use it.

> Whilst you seem to have created the '12.11.10.in-addr.arpa'
> reversezone, it seems to be trying to update the '10.IN-ADDR.ARPA'
> reversezone. Can you check what zones you have now.
Now This is my zones:

# samba-tool dns zonelist $(hostname)
  3 zone(s) found

  pszZoneName                 : 12.11.10.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.solinos.loc

  pszZoneName                 : solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.solinos.loc

  pszZoneName                 : _msdcs.solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED 
  pszDpFqdn                   : ForestDnsZones.solinos.loc


Yesterday I have also try to force the use of this zone into shell ,
> nsupdate -g ${NSUPDFLAGS} << UPDATE
> server 127.0.0.1
> realm ${REALM}
> zone 12.11.10.in-addr.arpa       <---<<<
> update delete ${ptr} 3600 PTR
> update add ${ptr} 3600 PTR ${name}.${domain}
> send 
> UPDATE
but none is changed, the error log is the same.

Furthermore this morning after I have start my AD-DC server test kinit
not work anymore:

# kinit -F -k -t /etc/samba/dhcpduser.keytab -c '/tmp/dhcp-dyndns.cc'
'dhcpduser at SOLINOS.LOC'
kinit: Cannot contact any KDC for realm 'SOLINOS.LOC' while getting
initial credentials

then the dhcpd script not work anymore

The rest work as expected :

[root at fedora-addc ~]# wbinfo --ping-dc
checking the NETLOGON for domain[SOLINOS] dc connection to
"fedora-addc.solinos.loc" succeeded
[root at fedora-addc ~]# id ospite
uid=3000017(SOLINOS\ospite) gid=100(users)
gruppi=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)
[root at fedora-addc ~]# !smbcl:p
smbclient //$(hostname)/netlogon -Uospite%P at ssw0rd -c 'cd test;mkdir
ospite'
[root at fedora-addc ~]# smbclient //$(hostname)/netlogon -Uospite%P at ssw0rd
-c 'ls'
Domain=[SOLINOS] OS=[Windows 6.1] Server=[Samba 4.5.8]
  .                                   D        0  Tue Apr 25 09:31:16 2017
  ..                                  D        0  Tue Apr 25 08:25:55 2017
  test                                D        0  Tue Apr 25 09:31:16 2017

		2291712 blocks of size 1024. 603824 blocks available


this is AD final config files:

[root at fedora-addc ~]# cat /etc/krb5.conf
[libdefaults]
	default_realm = SOLINOS.LOC
	dns_lookup_realm = false
	dns_lookup_kdc = true
[root at fedora-addc ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
	netbios name = FEDORA-ADDC
	realm = SOLINOS.LOC
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
	workgroup = SOLINOS
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

	template shell = /bin/bash
	template homedir = /home/%U

[netlogon]
	path = /var/lib/samba/sysvol/solinos.loc/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

obviously on the member server something not work:

[root at fed-build-addc ~]# kinit administrator at SOLINOS.LOC
kinit: Cannot contact any KDC for realm 'SOLINOS.LOC' while getting
initial credentials
[root at fed-build-addc ~]# wbinfo --ping-dc
checking the NETLOGON for domain[SOLINOS] dc connection to "" failed
wbcPingDc2(SOLINOS): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
(0xc0000233)

What kind of problem is this?

 
Thanks for reply some suggest.

-- 
Dario Lesca
(inviato dal mio Linux Fedora 25 Workstation)

On Wed, 26 Apr 2017 11:49:08 +0200
Dario Lesca via samba <samba at lists.samba.org> wrote:
> Il giorno mer, 26/04/2017 alle 07.27 +0100, Rowland Penny via samba ha
> scritto:
> > On Wed, 26 Apr 2017 01:55:16 +0200
> > Dario Lesca via samba <samba at lists.samba.org> wrote:
> > 
> > Your problem is that you need to find out just who dhcpd runs as on
> > fedora. On Devuan it is root and everything just works.
> 
> Yes, on Debian work.
OK, done some investigating and it seems likely this is the problem on
fedora:

On debian:
root at dc3:~# ls -lad /etc/dhcp/
drwxr-xr-x 4 root root 4096 Feb 27 11:09 /etc/dhcp/
root at dc3:~# ls -la /etc/dhcp/dhcpd.conf
-rw-r--r-- 1 root root 2107 Mar  2 16:49 /etc/dhcp/dhcpd.conf

On fedora:
root at fed24:~# ls -lad /etc/dhcp/
drwxr-xr-- 3 root root 61 Apr 26 09:07 /etc/dhcp/
root at fed24:~# ls -la /etc/dhcp/dhcpd.conf
-rw-r--r-- 1 root root 123 Aug  3 2016 /etc/dhcp/dhcpd.conf

I think it is all down to the permissions (or lack of them) on /etc/dhcp

debian: drwxr-xr-x
fedora: drwxr-xr--

I think that 'chmod +x /etc/dhcp' would have fixed all of your problems.

Rowland

Il giorno mer, 26/04/2017 alle 11.37 +0100, Rowland Penny via samba ha
scritto:
> I think that 'chmod +x /etc/dhcp' would have fixed all of your
> problems.
Yes, I think so too.
But I have preferred modify the script and do no touch a system folder.
I do not know if this change can cause some other problems (probably
no, but ...).

Now I have reboot the AD test server and ... magically all work fine
and dhcpd update correctly also the reverse zone

    apr 26 14:12:07 fedora-addc.solinos.loc named[861]: samba_dlz: subtracted
rdataset 100.12.11.10.in-addr.arpa
'100.12.11.10.in-addr.arpa.        3600        IN        PTR        centos7.solinos.loc.'
    apr 26 14:12:07 fedora-addc.solinos.loc named[861]: client
127.0.0.1#37403/key dhcpduser\@SOLINOS.LOC: updating zone
'12.11.10.in-addr.arpa/NONE': adding an RR at
'100.12.11.10.in-addr.arpa' PTR centos7.solinos.loc.
    apr 26 14:12:07 fedora-addc.solinos.loc named[861]: samba_dlz: added
rdataset 100.12.11.10.in-addr.arpa
'100.12.11.10.in-addr.arpa.        3600        IN        PTR        centos7.solinos.loc.'
    apr 26 14:12:07 fedora-addc.solinos.loc named[861]: samba_dlz: committed
transaction on zone 12.11.10.in-addr.arpa
    apr 26 14:12:07 fedora-addc.solinos.loc dhcpd[1156]: DHCP-DNS Update
succeeded
    apr 26 14:12:07 fedora-addc.solinos.loc dhcpd[1087]: reuse_lease: lease age
1 (secs) under 25% threshold, reply with unaltered, existing lease for
10.11.12.100
    apr 26 14:12:07 fedora-addc.solinos.loc dhcpd[1087]: DHCPREQUEST for
10.11.12.100 from 52:54:00:93:83:52 (centos7) via ens3
    apr 26 14:12:07 fedora-addc.solinos.loc dhcpd[1087]: DHCPACK on 10.11.12.100
to 52:54:00:93:83:52 (centos7) via ens3

    [    root at fedora-addc     ~]# host 10.11.12.100
    100.12.11.10.in-addr.arpa domain name pointer centos7.solinos.loc.

    Now goto to setup the production servers ;)

    Thank

    -- 
    Dario Lesca
    (inviato dal mio Linux Fedora 25 Workstation)