Hello all.

I am currently working on setting up an S4 domain to replace our aging Samba 3 setup. We have found many answers on the net, in various documentation, but when it comes to setting up beyond one node the documentation becomes a little thinner.

We are setting up a Primary DC with AD, using BIND9_DLZ, also serving DHCP from the Primary, and we want to set up a Secondary that is both a DNS (BIND9_DLZ) slave, a Kerberos slave, and an AD secondary. Our Secondary will be our file server, and perhaps a third "member" will be our CUPS server. We run no Windows in house, except on the desktop, hence the desire for a domain. We have been using Samba 3 with OpenLDAP for some years now and successfully sync with Google Apps for our mail.

My examples of hostnames in here and related are in my sandbox, so they are fun names :)

On to the questions. I cannot seem to find a good answer to these.

First, when doing a join of the Secondary to the domain created by the Primary (using this command):

    samba-tool domain join hobbiton.shire.middleearth DC -U"HOBBITON\Administrator" --dns-backend=BIND9_DLZ --server bagend.shire.middleearth

does this type of join command automatically create this Secondary as a Kerberos slave? The reason I want a slave is so that I have some redundancy in the network, where the Primary (bagend) lives on one VM hypervisor, and the Secondary (bywater) lives on a different VM hypervisor. If this does not automatically create Secondary/bywater as a Kerberos slave, are there any 'gotchas' I need to watch out for when I manually add this secondary as a Kerberos slave? Will doing so automatically update the domain?

I wondered if, during the Samba install through apt, dpkg prompts to know the Kerberos realm, admin server, and 'space separated list' of Kerberos servers. Should I have designated during install that this would become a slave? I know you guys are Samba and not Ubuntu support ;) But I could not find anywhere on the net an example of anybody using more than just their KDC for this entry.

I have a lot of Linux experience, but my AD knowledge is thin and mostly from a client perspective.

Second big question: when you join (as in the above example) and the Secondary becomes a domain secondary DC, how should I most appropriately update the BIND zone files to designate that this secondary is also an NS name server? Or should I at all? I wasn't sure, so what I did do was extend my zone file by adding this as a second NS like this:

    $ORIGIN shire.middleearth.
    $TTL 86400      ; 1 day

    @   IN  SOA bagend.shire.middleearth. root.bagend.shire.middleearth. (
                1706031458 ; serial YYMMDDHHmm
                5400       ; refresh (1 hour 30 minutes)
                1800       ; retry (30 minutes)
                1814400    ; expire (3 weeks)
                14400      ; minimum (4 hours)
                )

    ; name server NS record and following A record
        IN  NS  bagend.shire.middleearth.
        IN  NS  bywater.shire.middleearth.

    bagend.shire.middleearth.   IN  A   192.168.222.10
    bywater.shire.middleearth.  IN  A   192.168.222.11

Did I do this correctly? Should I have left it alone? Thoughts? We will be using BIND intentionally because we have about a dozen subnets in production that rely on existing DNS and future DNS entries. Resolution does work with this currently set as is, but I am asking if this is best practice. I would rather not be bitten in the future because I did something unwise now.

Thanks all!

-- 
Nowell Morris
nowell29 at gmail.com
On Wed, 7 Jun 2017 10:29:12 -0700
Nowell Morris via samba <samba at lists.samba.org> wrote:

> Hello all.
>
> I am currently working on setting an S4 domain to replace our aging
> samba 3 setup. We have found many answers on the net, in various
> documentation, but when it comes to setting up beyond one node
> documentation becomes a little thinner.

Have you by any chance read the Samba wiki? See here if you haven't:

https://wiki.samba.org/index.php/Main_Page

> We are setting up a Primary DC with AD

No you aren't, you will set up your first DC ;-)

> , using BIND9_DLZ, also serving dhcp from Primary,

This is documented on the Samba wiki.

> and we want to setup a Secondary

Again, no you don't, you want to set up another DC, all DCs are equal.

> that is both a DNS(bind9_dlz) slave

All AD DCs (if they run a dns server) are authoritative, there are no slave dns servers, or are you thinking of using bind with flatfiles? If so, think again, the dns records go into AD.

> , a kerberos slave, and AD secondary.

No such things.

> Our Secondary will be our file serve, and perhaps a third "member" as our
> cups server.

You would probably be better running the third machine as a Unix domain member, with this as a print and file server.

> We run no Windows in house, except on the desktop, hence the desire for a
> domain. We have been using samba 3 with openldap for some years now and
> successfully sync with Google Apps for our mail.
>
> My examples of hostnames in here and related are in my sandbox, so they
> are fun names :)
>
> On to the questions. I cannot seem to find a good answer to these.
>
> First, When doing a join of the Secondary to the domain created by the
> Primary, (using this command):
>
> samba-tool domain join hobbiton.shire.middleearth DC -U"HOBBITON\Administrator" --dns-backend=BIND9_DLZ --server bagend.shire.middleearth
>
> does this type of join command automatically create this Secondary as
> kerberos slave?

No, as I said above, all DCs are equal.

> The reason I want a slave is so that I have some redundancy in the
> network, where Primary (bagend) lives on one VM hypervisor, and Secondary
> (bywater) lives on a different VM Hypervisor. If this does not
> automatically create Secondary/bywater as a kerberos slave, are there any
> 'gotchas' I need to watch out for when I manually add this secondary as a
> kerberos slave? Will doing so automatically update the domain?

All DCs replicate AD between themselves, so all DCs hold the same AD records.

> I wondered if during samba install through apt, dpkg prompts to know the
> kerberos realm, admin server, and 'space separated list' of kerberos
> servers. Should I have designated during install that this would become a
> slave? I know you guys are samba and not ubuntu support ;) But I could
> not find anywhere on the net an example of anybody using more than just
> their kdc for this entry.

You do not set the kdc to do anything.

> I have a lot of linux experience, but my AD knowledge is thin and mostly
> from a client perspective.

All the info you require is on the wiki, but if you don't understand something, ask here.

> Second big question, When you join (as in above example) and the
> Secondary becomes a domain secondary dc, how should I most appropriately
> update the bind zone files to designate that this secondary is also a NS
> name server? Or should I at all?

See this wiki page:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

> I wasn't sure so what I did do was extend my zone file by adding this as
> a second NS like this:
>
> $ORIGIN shire.middleearth.
> $TTL 86400      ; 1 day
>
> @   IN  SOA bagend.shire.middleearth. root.bagend.shire.middleearth. (
>             1706031458 ; serial YYMMDDHHmm
>             5400       ; refresh (1 hour 30 minutes)
>             1800       ; retry (30 minutes)
>             1814400    ; expire (3 weeks)
>             14400      ; minimum (4 hours)
>             )
>
> ; name server NS record and following A record
>     IN  NS  bagend.shire.middleearth.
>     IN  NS  bywater.shire.middleearth.
>
> bagend.shire.middleearth.   IN  A   192.168.222.10
> bywater.shire.middleearth.  IN  A   192.168.222.11
>
> Did I do this correctly?

No

> Should I have left it alone?

Yes

> thoughts? We will be using bind intentionally because we have about a
> dozen subnets in production that rely on existing DNS and future dns
> entries. Resolutions do work with this currently set as is, but I am
> asking if this is best practice. I would rather not be bit in the future
> because I did something unwise now.

If you have your own dns domain, you will need to make your AD dns domain a sub domain of this, i.e. if your domain is 'example.com', your AD domain should be something like 'ad.example.com'. Your AD clients should be part of this dns domain.

Now awaiting lots of questions ;-)

Rowland
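The practical follow-up to Rowland's points (all DCs are equal, the DNS records live in AD, the join registers the new DC itself) is to verify the second DC after the join instead of hand-editing a zone file. The script below is an added example, not part of this thread and not Samba's own tooling. It reuses the thread's names (realm shire.middleearth, DCs bagend and bywater); the SAMPLE_* strings are constructed imitations of `samba-tool drs showrepl` and `samba-tool dns query` output so the parsing functions can be exercised offline, and the live checks only run when invoked with `--live` on a host that has samba-tool.

```shell
#!/bin/sh
# Added example (not from the thread, not part of Samba): post-join sanity checks
# for a second Samba AD DC. Names come from the thread; all SAMPLE_* data below is
# constructed for offline testing and is not real samba-tool output.

REALM="shire.middleearth"
NEW_DC="bywater"

# Constructed sample: a healthy 'samba-tool drs showrepl' report (0 failures).
SAMPLE_SHOWREPL_OK='Default-First-Site-Name\BYWATER
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=shire,DC=middleearth
    Default-First-Site-Name\BAGEND via RPC
        Last attempt @ Thu Jun  8 09:00:00 2017 UTC was successful
        0 consecutive failure(s).
        Last success @ Thu Jun  8 09:00:00 2017 UTC
'

# Constructed sample: one partition cannot reach its replication partner.
SAMPLE_SHOWREPL_BAD='Default-First-Site-Name\BYWATER
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=shire,DC=middleearth
    Default-First-Site-Name\BAGEND via RPC
        Last attempt @ Thu Jun  8 09:00:00 2017 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Thu Jun  8 08:00:00 2017 UTC
'

# Constructed sample: zone apex records in the style printed by
# 'samba-tool dns query bagend shire.middleearth @ ALL'.
SAMPLE_DNS_QUERY='  Name=, Records=5, Children=0
    SOA: serial=4, refresh=900, retry=600, expire=86400, minttl=3600, ns=bagend.shire.middleearth., email=hostmaster.shire.middleearth. (flags=600000f0, serial=1, ttl=3600)
    NS: bagend.shire.middleearth. (flags=600000f0, serial=1, ttl=900)
    NS: bywater.shire.middleearth. (flags=600000f0, serial=3, ttl=900)
    A: 192.168.222.10 (flags=600000f0, serial=110, ttl=900)
    A: 192.168.222.11 (flags=600000f0, serial=110, ttl=900)
'

# repl_healthy REPORT: succeed only if no replication link in REPORT
# reports one or more consecutive failures.
repl_healthy() {
    failures=$(printf '%s\n' "$1" | grep -c '[1-9][0-9]* consecutive failure' || true)
    [ "$failures" -eq 0 ]
}

# zone_has_ns RECORDS FQDN: succeed if the zone apex in RECORDS lists FQDN as an NS.
zone_has_ns() {
    printf '%s\n' "$1" | grep -q "^ *NS: $2\. "
}

# zone_has_a RECORDS IP: succeed if an A record for exactly IP is present.
zone_has_a() {
    printf '%s\n' "$1" | grep -q "^ *A: $2 "
}

# Live checks: run on the new DC after 'kinit Administrator'. The dns query
# prompts for the Administrator password when run with -U.
run_live_checks() {
    command -v samba-tool >/dev/null 2>&1 || { echo "samba-tool not found; skipping live checks"; return 0; }

    if repl_healthy "$(samba-tool drs showrepl)"; then
        echo "replication: all partitions OK"
    else
        echo "replication: consecutive failures reported; read 'samba-tool drs showrepl' in full"
    fi

    records=$(samba-tool dns query localhost "$REALM" @ ALL -U Administrator)
    if zone_has_ns "$records" "$NEW_DC.$REALM"; then
        echo "dns: $NEW_DC is registered as NS for $REALM in AD"
    else
        echo "dns: $NEW_DC missing from NS set; run 'samba_dnsupdate --verbose' on $NEW_DC"
    fi

    # Service locator records clients use to find KDCs and DCs; both DCs should be listed.
    host -t SRV "_kerberos._tcp.$REALM"
    host -t SRV "_ldap._tcp.dc._msdcs.$REALM"
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as `sh check_second_dc.sh --live` on the newly joined DC. If the NS record for the new DC is missing, the fix is `samba_dnsupdate` on that DC (which writes into the AD-held zone), not a zone-file edit; if replication shows failures, the DNS check is moot until replication is fixed, because the DNS partitions themselves are replicated.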
On Wed, Jun 7, 2017 at 10:29 AM, Nowell Morris via samba <samba at lists.samba.org> wrote:

> We are setting up a Primary DC with AD, using BIND9_DLZ, also serving dhcp
> We have been using samba 3 with openldap for some years now and
> successfully sync with Google Apps for our mail.

Good luck with this. The last time I checked, GAPS had problems with the way Samba4 passwords are hashed (it was expecting X format, but Samba does it in Y). The only way around it is to store passwords in plaintext, which is somewhat undesirable. GADS might work in terms of account creation on both ends, but I haven't looked that far into it.

AFAIK, the only way to synchronize Google Apps credentials is to run it with SSO -- which then offloads the Google Auth directly onto the S4 environment. You'll still have issues with IMAP requiring the original Google credentials, and I don't know how Google's 2FA would work with this (though if you're using SSO, you'd probably have your own 2FA as well). But if you're purely using webmail, it'll work.

Kris Lou
klou at themusiclink.net
Rowland, thank you for the reply. I must have misstated. We have successfully set up our first DC. It works great with DHCP and BIND9_DLZ and updates nicely as it is designed to, Kerberos and all. The question is about the second server.

Perhaps MY understanding of what I have read on the Samba wiki, and others, is different than actual reality. http://bit.ly/2r3IOjt ;)

Perhaps if I show you the information I have gathered it will help you understand what I am asking. I have written this couple of wiki pages to help me keep track. I have gone through the steps and ironed out most of the bugs. I CAN follow these steps repeatedly to have functioning DCs, functioning Kerberos, and functioning DNS. I am just not sure that I have done it as best practice. The 'second' server is also up, but I am not sure it is as it ought to be. Please be gentle in your review :)

http://wiki.nowell29.com/w/index.php/Samba_Setup

I am confident on what I am calling my 'Primary', but not as confident on what I call my 'secondary'.

-- 
Nowell Morris
nowell29 at gmail.com
480-255-3491

On Wed, Jun 7, 2017 at 11:01 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 7 Jun 2017 10:29:12 -0700
> Nowell Morris via samba <samba at lists.samba.org> wrote:
>
> > Hello all.
> >
> > I am currently working on setting an S4 domain to replace our aging
> > samba 3 setup. We have found many answers on the net, in various
> > documentation, but when it comes to setting up beyond one node
> > documentation becomes a little thinner.
>
> Have you by any chance read the Samba wiki ?
> See here if you haven't:
>
> https://wiki.samba.org/index.php/Main_Page
>
> > We are setting up a Primary DC with AD
>
> No you aren't, you will set up your first DC ;-)
>
> > , using BIND9_DLZ, also serving dhcp from Primary,
>
> This is documented on the Samba wiki.
>
> > and we want to setup a Secondary
>
> Again, no you don't, you want to set up another DC, all DCs are equal.
>
> > that is both a DNS(bind9_dlz) slave
>
> All AD DCs (if they run a dns server) are authoritative, there are no
> slave dns servers, or are thinking of using bind with flatfiles ? If
> so, think again, the dns records go into AD.
>
> > , a kerberos slave, and AD secondary.
>
> No such things.
>
> > Our Secondary will be our file serve, and perhaps a third "member" as
> > our cups server.
>
> You would probably better running the third machine as a Unix domain
> member, with this as a print and file server.
>
> > We run no Windows in house, except on the desktop, hence the desire
> > for a domain. We have been using samba 3 with openldap for some years
> > now and successfully sync with Google Apps for our mail.
> >
> > My examples of hostnames in here and related are in my sandbox, so
> > they are fun names :)
> >
> > On to the questions. I cannot seem to find a good answer to these.
> >
> > First, When doing a join of the Secondary to the domain created by the
> > Primary, (using this command):
> >
> > samba-tool domain join hobbiton.shire.middleearth DC -U"HOBBITON\Administrator" --dns-backend=BIND9_DLZ --server bagend.shire.middleearth
> >
> > does this type of join command automatically create this Seconday as
> > kerberos slave?
>
> No, as I said above, all DCs are equal.
>
> > The reason I want a slave is so that I have some redundancy in the
> > network, where Primary (bagend) lives on one VM hypervisor, and
> > Secondary (bywater) lives on a different VM Hypervisor. If this does
> > not automatically create Secondary/bywater as a kerberos slave, are
> > there any 'gotchya's I need to watch our for when I manually add this
> > secondary as a kerberos slave? Will doing so automatically update the
> > domain?
>
> All DCs replicate AD between themselves, so all DCs hold the same AD
> records.
>
> > I wondered if during samba install through apt, dpkg prompts to know
> > the kerberos realm, admin server, and 'space separated list' of
> > kerberos servers. Should I have designate during install that this
> > would become a slave? I know you guys are samba and not ubuntu
> > support ;) But I could not find anywhere on the net an example of
> > anybody using more than just their kdc for this entry.
>
> You do not set the kdc to do anything.
>
> > I have a lot of linux experience, but my AD knowledge is thin and
> > mostly from a client perspective.
>
> All the info you require is on the wiki, but if you don't understand
> something, ask here.
>
> > Second big question, When you join (as in above example) and the
> > Secondary becomes a domain secondary dc, how should I most
> > appropriately update the bind zone files to designate that this
> > secondary is also a NS name server? Or should I at all?
>
> See this wiki page:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> > I wasnt sure so what I did do was extend my zone file by adding this
> > as a second NS like this:
> >
> > $ORIGIN shire.middleearth.
> > $TTL 86400      ; 1 day
> >
> > @   IN  SOA bagend.shire.middleearth. root.bagend.shire.middleearth. (
> >             1706031458 ; serial YYMMDDHHmm
> >             5400       ; refresh (1 hour 30 minutes)
> >             1800       ; retry (30 minutes)
> >             1814400    ; expire (3 weeks)
> >             14400      ; minimum (4 hours)
> >             )
> >
> > ; name server NS record and following A record
> >     IN  NS  bagend.shire.middleearth.
> >     IN  NS  bywater.shire.middleearth.
> >
> > bagend.shire.middleearth.   IN  A   192.168.222.10
> > bywater.shire.middleearth.  IN  A   192.168.222.11
> >
> > Did I do this correctly?
>
> No
>
> > Should I have left it alone?
>
> Yes
>
> > thoughts? We will be using bind intentionally because we have about a
> > dozen subnets in production that rely on existing DNS and future dns
> > entries. Resolutions do work with this currently set as is, but I am
> > asking if this is best practice. I would rather not be bit in the
> > future because I did something unwise now.
>
> If you have your own dns domain, you will need to make your AD dns
> domain a sub domain of this, i.e. if your domain is 'example.com', your
> AD domain should be something like 'ad.example.com'. Your AD clients
> should be part of this dns domain.
>
> Now awaiting lots of questions ;-)
>
> Rowland
Kris, thank you for your input. We have been using GADS (Google sync) with Samba 3 and OpenLDAP for years now. I am just looking at moving upwards to Samba 4. I will take your thoughts seriously. I appreciate the wisdom.

I am about to just throw in the towel and set up NIS.... jk

-- 
Nowell Morris
nowell29 at gmail.com
480-255-3491

On Wed, Jun 7, 2017 at 11:11 AM, Kris Lou via samba <samba at lists.samba.org> wrote:

> On Wed, Jun 7, 2017 at 10:29 AM, Nowell Morris via samba <samba at lists.samba.org> wrote:
>
> > We are setting up a Primary DC with AD, using BIND9_DLZ, also serving dhcp
> > We have been using samba 3 with openldap for some years now and
> > successfully sync with Google Apps for our mail.
>
> Good luck with this. The last time I checked, GAPS had problems with the
> way Samba4 passwords are hashed (it was expecting X format, but Samba does
> it in Y). The only way around it is to store passwords in plaintext, which
> is somewhat undesirable. GADS might work in terms of account creation on
> both ends, but I haven't looked that far into it.
>
> AFAIK, the only way to synchronize Google Apps credentials is to run it
> with SSO -- which then offloads the Google Auth directly onto the S4
> environment. You'll still have issues with IMAP requiring the original
> Google credentials, and I don't know how Google's 2FA would work with this
> (though if you're using SSO, you'd probably have your own 2FA as well).
> But if you're purely using webmail, it'll work.
>
> Kris Lou
> klou at themusiclink.net