Hi Rowland,

On Wed, Nov 08, 2017 at 09:45:48AM +0000, Rowland Penny wrote:
> On Wed, 8 Nov 2017 09:24:30 +0100
> Ervin Hegedüs via samba <samba at lists.samba.org> wrote:
>
> > Hi folks,
> >
> > there are two Samba4 DC servers. The first one is the "PDC", and
> > after I finished setting that up, I joined the second one.
>
> I am a bit confused here, from reading this post, you seem to have
> called the two DCs 'open-ldap' & 'open-ldap2' and you refer to the
> first one as the 'PDC', yet I think you are talking about an AD domain.

open-ldap and open-ldap2 are just the naming convention... these were
installed because we had started to build a directory infrastructure, and
started with OpenLDAP. The cluster had worked as well, but wasn't enough.
We kept the names - never mind.

> Is this the case ?

Probably :) I'm not an expert in AD, I've used Samba3 in standalone mode
as a DC. The last Windows environment where I used a Windows domain was
about Win2008... I'm really sorry for the confusion...

> If so, you have just won the prize for the most confusing post to the
> Samba mailing list ;-)

oh, I'm pleased to read it! :)

> I think you need to post the following files from all three machines:
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> smb.conf

=======
open-ldap:

--------
/etc/hostname
open-ldap.core.mydomain.hu

--------
/etc/hosts
127.0.0.1       localhost

#10.10.20.202   open-ldap.core.mydomain.hu
#10.10.20.204   open-ldap2.core.mydomain.hu

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

--------
/etc/resolv.conf
search core.mydomain.hu
nameserver 127.0.0.1
nameserver 10.10.10.1

--------
/etc/krb5.conf
[libdefaults]
    default_realm = CORE.MYDOMAIN.HU
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    CORE.MYDOMAIN.HU = {
        kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
        kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
        admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
        admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
    }

--------
/etc/samba/smb.conf
# Global parameters
[global]
    netbios name = OPEN-LDAP
    realm = CORE.MYDOMAIN.HU
    workgroup = CORE
    dns forwarder = 10.10.10.1
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

    #tls enabled = yes
    #tls keyfile = tls/key.pem
    #tls certfile = tls/cert.pem
    #tls cafile = tls/ca.pem

    # if not required, set empty
    log level = 3 passdb:5 auth:5 tdb:5 ldb:5
    #ldap debug level = -1
    ntlm auth = yes
    lanman auth = yes
    client ntlmv2 auth = yes

    # server services = -dns
    server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

[netlogon]
    path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

=======
open-ldap2:

--------
/etc/hostname
open-ldap2

--------
/etc/hosts
127.0.0.1       localhost

10.10.20.204    open-ldap2.core.mydomain.hu
10.10.20.202    open-ldap.core.mydomain.hu

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

--------
/etc/resolv.conf
search core.mydomain.hu
nameserver 127.0.0.1
nameserver 10.10.10.1

--------
/etc/krb5.conf
[libdefaults]
    default_realm = CORE.MYDOMAIN.HU
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    CORE.MYDOMAIN.HU = {
        kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
        kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
        admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
        admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
    }

--------
/etc/samba/smb.conf
# Global parameters
[global]
    netbios name = OPEN-LDAP2
    realm = CORE.MYDOMAIN.HU
    workgroup = CORE
    dns forwarder = 10.10.10.1
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    ntlm auth = yes
    lanman auth = yes
    client ntlmv2 auth = yes
    log level = 3 passdb:5 auth:5 tdb:5 ldb:5

    #server runs = -dns
    server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

[netlogon]
    path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

=======
client:

--------
/etc/hostname
open-client

--------
/etc/hosts
127.0.0.1       localhost

10.10.20.205    open-client.core.mydomain.hu open-client

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

--------
/etc/resolv.conf
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.204

--------
/etc/krb5.conf
[libdefaults]
    default_realm = CORE.MYDOMAIN.HU

    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    CSAIL.MIT.EDU = {
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    ANDREW.CMU.EDU = {
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos-1.srv.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        kdc = kerberos-3.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA

--------
/etc/samba/smb.conf

[global]

    workgroup = CORE
    security = ads
    realm = CORE.MYDOMAIN.HU
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    username map = /etc/samba/user.map

    dns proxy = no

    log file = /var/log/samba/log.%m
    max log size = 1000

    syslog = 0
    panic action = /usr/share/samba/panic-action %d

    server role = standalone server
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes

    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

    pam password change = yes
    map to guest = bad user

    usershare allow guests = yes

[homes]
    comment = Home Directories
    browseable = no
    read only = yes
    create mask = 0700
    directory mask = 0700
    valid users = %S

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no

Sorry again for the confusing post.

a.
See inline comments:

On Wed, 8 Nov 2017 11:18:10 +0100
Ervin Hegedüs <airween at gmail.com> wrote:

> =======
> open-ldap:
>
> --------
> /etc/hostname
> open-ldap.core.mydomain.hu

This should just be the short hostname, not the fqdn

> --------
> /etc/hosts
> 127.0.0.1       localhost
>
> #10.10.20.202   open-ldap.core.mydomain.hu

Uncomment the above line

> #10.10.20.204   open-ldap2.core.mydomain.hu
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> --------
> /etc/resolv.conf
> search core.mydomain.hu
> nameserver 127.0.0.1
> nameserver 10.10.10.1

You would be better using the DC's IP address rather than '127.0.0.1'.
You should also remove '10.10.0.1', it doesn't seem to be a DC.

> --------
> /etc/krb5.conf
> [libdefaults]
>     default_realm = CORE.MYDOMAIN.HU
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>

You don't need the rest of the krb5.conf

> [realms]
>     CORE.MYDOMAIN.HU = {
>         kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
>         kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
>         admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
>         admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
>     }
>
>
> --------
> /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = OPEN-LDAP
>     realm = CORE.MYDOMAIN.HU
>     workgroup = CORE
>     dns forwarder = 10.10.10.1
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>
>     log level = 3 passdb:5 auth:5 tdb:5 ldb:5
>     ntlm auth = yes
>     lanman auth = yes
>     client ntlmv2 auth = yes

I would investigate upgrading security on the clients, rather than
turning it down on the DC

>
>     server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>     winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

The above line contains all the defaults, so you can remove it.

>
> [netlogon]
>     path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> =======
> open-ldap2:
>
> --------
> /etc/hostname
> open-ldap2
>
> --------
> /etc/hosts
> 127.0.0.1       localhost
>
> 10.10.20.204    open-ldap2.core.mydomain.hu
> 10.10.20.202    open-ldap.core.mydomain.hu

Remove the above line, the other DC should be found by DNS

>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> --------
> /etc/resolv.conf
> search core.mydomain.hu
> nameserver 127.0.0.1
> nameserver 10.10.10.1

As the other DC, but use this DC's IP address

>
> --------
> /etc/krb5.conf
> [libdefaults]
>     default_realm = CORE.MYDOMAIN.HU
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>

As the other DC, you don't need the rest of krb5.conf

> [realms]
>     CORE.MYDOMAIN.HU = {
>         kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
>         kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
>         admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
>         admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
>     }
>
>
> --------
> /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = OPEN-LDAP2
>     realm = CORE.MYDOMAIN.HU
>     workgroup = CORE
>     dns forwarder = 10.10.10.1
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>     ntlm auth = yes
>     lanman auth = yes
>     client ntlmv2 auth = yes
>     log level = 3 passdb:5 auth:5 tdb:5 ldb:5
>
>     #server runs = -dns
>     server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>     winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

As the other DC, you don't need the above line

>
> [netlogon]
>     path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> =======
> client:
>
> --------
> /etc/hostname
> open-client
>
> --------
> /etc/hosts
> 127.0.0.1       localhost
>
> 10.10.20.205    open-client.core.mydomain.hu open-client
>
>
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> --------
> /etc/resolv.conf
> search core.mydomain.hu
> nameserver 10.10.20.202
> nameserver 10.10.20.204
>
> --------
> /etc/krb5.conf

The krb5.conf only needs to match the ones on the DCs, so you don't
need all of the following.

> [libdefaults]
>     default_realm = CORE.MYDOMAIN.HU
>
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>     fcc-mit-ticketflags = true
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> [realms]
>     ATHENA.MIT.EDU = {
>         kdc = kerberos.mit.edu
>         kdc = kerberos-1.mit.edu
>         kdc = kerberos-2.mit.edu:88
>         admin_server = kerberos.mit.edu
>         default_domain = mit.edu
>     }
>     ZONE.MIT.EDU = {
>         kdc = casio.mit.edu
>         kdc = seiko.mit.edu
>         admin_server = casio.mit.edu
>     }
>     CSAIL.MIT.EDU = {
>         admin_server = kerberos.csail.mit.edu
>         default_domain = csail.mit.edu
>     }
>     IHTFP.ORG = {
>         kdc = kerberos.ihtfp.org
>         admin_server = kerberos.ihtfp.org
>     }
>     1TS.ORG = {
>         kdc = kerberos.1ts.org
>         admin_server = kerberos.1ts.org
>     }
>     ANDREW.CMU.EDU = {
>         admin_server = kerberos.andrew.cmu.edu
>         default_domain = andrew.cmu.edu
>     }
>     CS.CMU.EDU = {
>         kdc = kerberos-1.srv.cs.cmu.edu
>         kdc = kerberos-2.srv.cs.cmu.edu
>         kdc = kerberos-3.srv.cs.cmu.edu
>         admin_server = kerberos.cs.cmu.edu
>     }
>     DEMENTIA.ORG = {
>         kdc = kerberos.dementix.org
>         kdc = kerberos2.dementix.org
>         admin_server = kerberos.dementix.org
>     }
>     stanford.edu = {
>         kdc = krb5auth1.stanford.edu
>         kdc = krb5auth2.stanford.edu
>         kdc = krb5auth3.stanford.edu
>         master_kdc = krb5auth1.stanford.edu
>         admin_server = krb5-admin.stanford.edu
>         default_domain = stanford.edu
>     }
>     UTORONTO.CA = {
>         kdc = kerberos1.utoronto.ca
>         kdc = kerberos2.utoronto.ca
>         kdc = kerberos3.utoronto.ca
>         admin_server = kerberos1.utoronto.ca
>         default_domain = utoronto.ca
>     }
>
> [domain_realm]
>     .mit.edu = ATHENA.MIT.EDU
>     mit.edu = ATHENA.MIT.EDU
>     .media.mit.edu = MEDIA-LAB.MIT.EDU
>     media.mit.edu = MEDIA-LAB.MIT.EDU
>     .csail.mit.edu = CSAIL.MIT.EDU
>     csail.mit.edu = CSAIL.MIT.EDU
>     .whoi.edu = ATHENA.MIT.EDU
>     whoi.edu = ATHENA.MIT.EDU
>     .stanford.edu = stanford.edu
>     .slac.stanford.edu = SLAC.STANFORD.EDU
>     .toronto.edu = UTORONTO.CA
>     .utoronto.ca = UTORONTO.CA
>
> --------
> /etc/samba/smb.conf
>
> [global]
>
>     workgroup = CORE
>     security = ads
>     realm = CORE.MYDOMAIN.HU
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999

Are you using sssd ?
If not, good, but you need to READ all of this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and probably this:

https://wiki.samba.org/index.php/Idmap_config_rid

You are trying to put EVERYTHING into the '*' domain, this is wrong.

>     username map = /etc/samba/user.map
>
>     dns proxy = no
>
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>
>     server role = standalone server

Oh no it's not, it is a Unix domain member, remove the above line.

>     passdb backend = tdbsam
>     obey pam restrictions = yes
>     unix password sync = yes

You CANNOT have a user in /etc/passwd and in AD with the same username,
so you cannot have the above line.

>
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>
>     pam password change = yes
>     map to guest = bad user
>
>     usershare allow guests = yes
>
> [homes]
>     comment = Home Directories
>     browseable = no
>     read only = yes
>     create mask = 0700
>     directory mask = 0700
>     valid users = %S
>
> [printers]
>     comment = All Printers
>     browseable = no
>     path = /var/spool/samba
>     printable = yes
>     guest ok = no
>     read only = yes
>     create mask = 0700
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
>     browseable = yes
>     read only = yes
>     guest ok = no
>

You would be better setting the permissions from windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

>
> Sorry again for the confusing post.

No problem, just don't refer to your first DC as a 'PDC' again, it just
confuses things, every DC is equal ;-)

Rowland
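The points raised in the reply above (weak NTLM/LM settings on the DCs, the member's `server role`, `unix password sync`, and an idmap config that only defines the '*' domain) can be checked mechanically. The following is an added example, not Samba's own tooling and not from the thread: a minimal smb.conf parser plus two lint functions, with sample configs constructed from the ones posted above.

```python
import re

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Only whole-line '#'/';'
    comments are dropped; keys are lower-cased with ':' spacing normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            # 'idmap config * : range' and 'idmap config *:range' become the same key
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            conf[section][key] = value.strip()
    return conf

def lint_dc(conf):
    """Flag the DC settings that lower authentication security domain-wide."""
    g, out = conf.get("global", {}), []
    if g.get("lanman auth", "no").lower() == "yes":
        out.append("lanman auth = yes: LM responses accepted; fix the clients instead")
    if g.get("ntlm auth", "no").lower() == "yes":
        out.append("ntlm auth = yes: NTLMv1 accepted; fix the clients instead")
    return out

def lint_member(conf):
    """Flag the domain-member mistakes seen in the client smb.conf above."""
    g, out = conf.get("global", {}), []
    role = g.get("server role", "member server").lower()
    if g.get("security", "").lower() == "ads" and role != "member server":
        out.append(f"server role = {role}: conflicts with security = ads")
    if g.get("unix password sync", "no").lower() == "yes":
        out.append("unix password sync = yes: AD users must not also be in /etc/passwd")
    # A domain member needs an idmap config block for its own domain, not only '*'
    has_domain = any(k.startswith("idmap config ") and not k.startswith("idmap config *") for k in g)
    if "idmap config *:backend" in g and not has_domain:
        out.append("idmap: only the '*' domain is configured; add an idmap config "
                   f"{g.get('workgroup', 'DOMAIN').upper()} backend and range")
    return out

# Constructed samples, trimmed from the configs posted in the thread.
DC_SAMPLE = """[global]
    realm = CORE.MYDOMAIN.HU
    workgroup = CORE
    server role = active directory domain controller
    ntlm auth = yes
    lanman auth = yes
"""
MEMBER_SAMPLE = """[global]
    workgroup = CORE
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    server role = standalone server
    unix password sync = yes
"""
```

Running `lint_member(parse_smb_conf(MEMBER_SAMPLE))` yields three findings, and the same config with the `server role` and `unix password sync` lines removed and an `idmap config CORE : backend = rid` block added yields none.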
Hi Rowland,

many thanks for your help,

On Wed, Nov 08, 2017 at 11:00:59AM +0000, Rowland Penny wrote:
>
> On Wed, 8 Nov 2017 11:18:10 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
>
> > =======
> > open-ldap:
...
> > --------
> > /etc/resolv.conf
> > search core.mydomain.hu
> > nameserver 127.0.0.1
> > nameserver 10.10.10.1
>
> You would be better using the DC's IP address rather than '127.0.0.1'.
> You should also remove '10.10.0.1', it doesn't seem to be a DC.

yes, that's the forwarder (see in smb.conf). Most documents say to keep
it in resolv.conf.

> > --------
> > /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >     netbios name = OPEN-LDAP
> >     realm = CORE.MYDOMAIN.HU
> >     workgroup = CORE
> >     dns forwarder = 10.10.10.1
> >     server role = active directory domain controller
> >     idmap_ldb:use rfc2307 = yes
> >
> >     log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> >     ntlm auth = yes
> >     lanman auth = yes
> >     client ntlmv2 auth = yes
>
> I would investigate upgrading security on the clients, rather than
> turning it down on the DC

I'm sorry, what exactly do you mean?

> >
> >     server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> >     winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
>
> The above line contains all the defaults, so you can remove it.

ok, I just forgot to remove it, I was just testing it... now I've removed it.

> > =======
> > open-ldap2:
> >
...

everything is done,

> > =======
> > client:
> >
> > --------
> > /etc/krb5.conf
>
> The krb5.conf only needs to match the ones on the DCs, so you don't
> need all of the following.

does it mean that the krb5.conf should be empty?

> > --------
> > /etc/samba/smb.conf
> >
> > [global]
> >
> >     workgroup = CORE
> >     security = ads
> >     realm = CORE.MYDOMAIN.HU
> >     idmap config * : backend = tdb
> >     idmap config * : range = 3000-7999
>
> Are you using sssd ?

no,

> If not, good, but you need to READ all of this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I've followed this page (maybe I forgot something - I'll review it again)

> and probably this:
>
> https://wiki.samba.org/index.php/Idmap_config_rid

I'm afraid I don't need that :)

> You are trying to put EVERYTHING into the '*' domain, this is wrong.

right,

> >     syslog = 0
> >     panic action = /usr/share/samba/panic-action %d
> >
> >     server role = standalone server
>
> Oh no it's not, it is a Unix domain member, remove the above line.

ok, removed,

> >     passdb backend = tdbsam
> >     obey pam restrictions = yes
> >     unix password sync = yes
>
> You CANNOT have a user in /etc/passwd and in AD with the same username,
> so you cannot have the above line.

this condition is met - line removed,

> > [homes]
> >     comment = Home Directories
> >     browseable = no
> >     read only = yes
> >     create mask = 0700
> >     directory mask = 0700
> >     valid users = %S
> >
> > [printers]
> >     comment = All Printers
> >     browseable = no
> >     path = /var/spool/samba
> >     printable = yes
> >     guest ok = no
> >     read only = yes
> >     create mask = 0700
> >
> > [print$]
> >     comment = Printer Drivers
> >     path = /var/lib/samba/printers
> >     browseable = yes
> >     read only = yes
> >     guest ok = no
> >
> You would be better setting the permissions from windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I don't want to build a fileserver, I just need the user management -
these blocks are left over from the previous install.

> >
> > Sorry again for the confusing post.
>
> No problem, just don't refer to your first DC as a 'PDC' again, it just
> confuses things, every DC is equal ;-)

yes, in the meantime I've discussed this with a Windows engineer; he said
that there aren't primary and backup roles.

Thanks again, I'll review the client config and check it again.

Just one thing remains: what do you mean here:

> I would investigate upgrading security on the clients, rather
> than turning it down on the DC

and is an empty krb5.conf file on the client enough?

Regards,

a.