Hi Rowland, many thanks for your help, On Wed, Nov 08, 2017 at 11:00:59AM +0000, Rowland Penny wrote:> > On Wed, 8 Nov 2017 11:18:10 +0100 > Ervin Hegedüs <airween at gmail.com> wrote: > > > > =======> > open-ldap:...> > -------- > > /etc/resolv.conf > > search core.mydomain.hu > > nameserver 127.0.0.1 > > nameserver 10.10.10.1 > > You would be better using the DCs ipaddress rather than '127.0.0.1'. > You should also remove '10.10.0.1' it doesn't seem to be a DC.yes, that's the forwarder (see in smb.conf). Most documents notives that keep it in resolv.conf.> > -------- > > /etc/samba/smb.conf > > # Global parameters > > [global] > > netbios name = OPEN-LDAP > > realm = CORE.MYDOMAIN.HU > > workgroup = CORE > > dns forwarder = 10.10.10.1 > > server role = active directory domain controller > > idmap_ldb:use rfc2307 = yes > > > > log level = 3 passdb:5 auth:5 tdb:5 ldb:5 > > ntlm auth = yes > > lanman auth = yes > > client ntlmv2 auth = yes > > I would investigate upgrading security on the clients, rather than > turning it down on the DCI'm sorry, what do you think about exactly?> > > > server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > > winbind, ntp_signd, kcc, dnsupdate, dns, s3fs > > The above line contains all the defaults, so you can remove it.ok, I just missed up to remove, I just tested it... now I removed it.> > =======> > open-ldap2: > >... everything is done,> > =======> > client: > > > > -------- > > /etc/krb5.conf > > The krb5.conf only needs to match the ones on the DCs, so you don't > need all of the following.does it mean that the krb5.conf should be empty?> > -------- > > /etc/samba/smb.conf > > > > [global] > > > > workgroup = CORE > > security = ads > > realm = CORE.MYDOMAIN.HU > > idmap config * : backend = tdb > > idmap config * : range = 3000-7999 > > Are you using sssd ?no,> If not, good, but you need to READ all of this: > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_MemberI've followed this page (may be I forgot something - I review it again)> and probably this: > > https://wiki.samba.org/index.php/Idmap_config_ridI'm afraid I don't need to that :)> You are trying to put EVERYTHING into the '*' domain, this is wrong.right,> > syslog = 0 > > panic action = /usr/share/samba/panic-action %d > > > > server role = standalone server > > Oh no its not, it is a Unix domain member, remove the above line.ok, removed,> > passdb backend = tdbsam > > obey pam restrictions = yes > > unix password sync = yes > > You CANNOT have a user in /etc/passwd and in AD with the same username, > so you cannot have the above line.this condition is met - line removed,> > [homes] > > comment = Home Directories > > browseable = no > > read only = yes > > create mask = 0700 > > directory mask = 0700 > > valid users = %S > > > > [printers] > > comment = All Printers > > browseable = no > > path = /var/spool/samba > > printable = yes > > guest ok = no > > read only = yes > > create mask = 0700 > > > > [print$] > > comment = Printer Drivers > > path = /var/lib/samba/printers > > browseable = yes > > read only = yes > > guest ok = no > > > You would be better setting the permissions from windows, see here: > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLsI don't want to build the fileserver, I just need the user management - these blocks stayed from the previous install.> > Sorry again for the confusing post. > > No problem, just don't refer to your first DC as a 'PDC' again, it just > confuses things, every DC is equal ;-)yes, in meantime I've discussed with a Windows engineer, he said that there aren't primary and backup roles. Thanks again, I'll review the client config, and check it again. Just one thing remains: what do you mean about here:> I would investigate upgrading security on the clients, rather > than turning it down on the DCand is it enough an empty krb5.conf file on client? Regards, a.
See inline comments, extraneous lines removed from post: On Wed, 8 Nov 2017 12:43:16 +0100 Ervin Hegedüs <airween at gmail.com> wrote:> > You would be better using the DCs ipaddress rather than '127.0.0.1'. > > You should also remove '10.10.0.1' it doesn't seem to be a DC. > > yes, that's the forwarder (see in smb.conf). Most documents > notives that keep it in resolv.conf.And most documents get it wrong, The DC is a DNS server and your clients should use it as their nameserver. Your DC should forward anything unknown to the nameserver that is set in the DCs smb.conf if using the internal DNS server, or if in the named conf files if using Bind9> > > > -------- > > > /etc/samba/smb.conf > > > # Global parameters > > > [global] > > > netbios name = OPEN-LDAP > > > realm = CORE.MYDOMAIN.HU > > > workgroup = CORE > > > dns forwarder = 10.10.10.1 > > > server role = active directory domain controller > > > idmap_ldb:use rfc2307 = yes > > > > > > log level = 3 passdb:5 auth:5 tdb:5 ldb:5 > > > ntlm auth = yes > > > lanman auth = yes > > > client ntlmv2 auth = yes > > > > I would investigate upgrading security on the clients, rather than > > turning it down on the DC > > I'm sorry, what do you think about exactly?You have set 'ntlm auth = yes' in the smb.conf, this means your clients can use NTLMv1, this is insecure, you would be better off removing this line and then make your clients use NTLMv2 (at least) by default.> > > > =======> > > client: > > > > > > -------- > > > /etc/krb5.conf > > > > The krb5.conf only needs to match the ones on the DCs, so you don't > > need all of the following. > > does it mean that the krb5.conf should be empty?No, the /etc/krb5.conf on all the machines needs to be only this: [libdefaults] default_realm = CORE.MYDOMAIN.HU dns_lookup_realm = false dns_lookup_kdc = true> > > If not, good, but you need to READ all of this: > > > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member > > I've followed this page (may be I forgot something - I review it > again) > > > and probably this: > > > > https://wiki.samba.org/index.php/Idmap_config_rid > > I'm afraid I don't need to that :)Yes you do :) windbind needs to map your windows users & groups to Unix IDs in the 'CORE' domain, not the '*' domain. The '*' domain is reserved for the well known SIDs and anything outside the 'CORE' domain.> > I don't want to build the fileserver, I just need the user > management - these blocks stayed from the previous install.Then why have the Unix domain member ???> > > > Sorry again for the confusing post. > > > > No problem, just don't refer to your first DC as a 'PDC' again, it > > just confuses things, every DC is equal ;-) > > yes, in meantime I've discussed with a Windows engineer, he said > that there aren't primary and backup roles. >There were Primary and Backup roles, but this was with NT4-style domains> Just one thing remains: what do you mean about here: > > > I would investigate upgrading security on the clients, rather > > than turning it down on the DC > > and is it enough an empty krb5.conf file on client?Hopefully I have answered these questions above. Rowland
Hi Rowland, On Wed, Nov 08, 2017 at 12:12:20PM +0000, Rowland Penny wrote:> On Wed, 8 Nov 2017 12:43:16 +0100 > Ervin Hegedüs <airween at gmail.com> wrote: > > > > You would be better using the DCs ipaddress rather than '127.0.0.1'. > > > You should also remove '10.10.0.1' it doesn't seem to be a DC. > > > > yes, that's the forwarder (see in smb.conf). Most documents > > notives that keep it in resolv.conf. > > And most documents get it wrong, The DC is a DNS server and your > clients should use it as their nameserver. Your DC should forward > anything unknown to the nameserver that is set in the DCs smb.conf if > using the internal DNS server, or if in the named conf files if using > Bind9right, I've removed it, now all DC uses only themselves as nameserver.> > > > /etc/samba/smb.conf > > > > # Global parameters > > > > [global] > > > > netbios name = OPEN-LDAP > > > > realm = CORE.MYDOMAIN.HU > > > > workgroup = CORE > > > > dns forwarder = 10.10.10.1 > > > > server role = active directory domain controller > > > > idmap_ldb:use rfc2307 = yes > > > > > > > > log level = 3 passdb:5 auth:5 tdb:5 ldb:5 > > > > ntlm auth = yes > > > > lanman auth = yes > > > > client ntlmv2 auth = yes > > > > > > I would investigate upgrading security on the clients, rather than > > > turning it down on the DC > > > > I'm sorry, what do you think about exactly? > > You have set 'ntlm auth = yes' in the smb.conf, this means your clients > can use NTLMv1, this is insecure, you would be better off removing this > line and then make your clients use NTLMv2 (at least) by default.well, this line needs some clarification - see below> > > > =======> > > > client: > > > > > > > > -------- > > > > /etc/krb5.conf > > > > > > The krb5.conf only needs to match the ones on the DCs, so you don't > > > need all of the following. > > > > does it mean that the krb5.conf should be empty? > > No, the /etc/krb5.conf on all the machines needs to be only this: > > [libdefaults] > default_realm = CORE.MYDOMAIN.HU > dns_lookup_realm = false > dns_lookup_kdc = trueright,> > > and probably this: > > > > > > https://wiki.samba.org/index.php/Idmap_config_rid > > > > I'm afraid I don't need to that :) > > Yes you do :)no, I don't :)> windbind needs to map your windows users & groups to Unix IDs in the > 'CORE' domain, not the '*' domain. The '*' domain is reserved for the > well known SIDs and anything outside the 'CORE' domain.there will _not_ any Linux user - see below :)> > > > I don't want to build the fileserver, I just need the user > > management - these blocks stayed from the previous install. > > Then why have the Unix domain member ???so, the directory service needs because we have a captive portal, to authenticate users for several services - eg. network access, network groups. But only for these. There will _not_ any file sharing. The current device (Aruba) can authenticate only if the ntlm auth = yes had turned on (but I'll check it again, may be the ntlmv2 is enough). We configured the CP that use this AD. We joined the deices to domain, set up the both DC's. Then when I turned off the "first" DC (which isn't the PDC :), I just installed and configred first), then the auth service stops to work. The device doesn't use the backup server (in the device config we see the "Backup device" - I'm sorry). So, I ask from the provider a "client" machine, which is a Linux (I prefer the Linux), and this is the open-client. Now I'ld like to test the redundant work of both DC's, and that's why I don't need to any Linux user, user mapping, or any other specific things. There will be thousends of users, everyone has a login and a password. Connected to WiFI/eth LAN with 802.1x, and use the network.> Hopefully I have answered these questions above.yes, thank you for all of your help again. I left the domain (from client), and re-join again, but now I got this message: # net ads join -U administrator Enter administrator's password: Using short domain name -- CORE Joined 'OPEN-CLIENT' to dns domain 'core.mydomain.hu' DNS Update for open-client.core.mydomain.hu failed: ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL # wbinfo --ping-dc checking the NETLOGON for domain[CORE] dc connection to "open-ldap.core.mydomain.hu" succeeded # ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu NT_STATUS_OK: Success (0x0) # ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu NT_STATUS_OK: Success (0x0) # ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) # ntlm_auth --username=abc_airween --password=WRONGPASS # --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) so, looks like it works. # net ads status gives a very long output. And wbinfo gives only open-ldap as DC: # wbinfo --dsgetdcname=CORE open-ldap.core.mydomain.hu \\10.10.20.202 1 37241698-63dd-40d5-805b-d83f4a35223a core.mydomain.hu core.mydomain.hu 0xe00013fd Default-First-Site-Name Default-First-Site-Name # wbinfo --getdcname=CORE OPEN-LDAP # wbinfo -a abc_airween%GOODPASS plaintext password authentication failed Could not authenticate user abc_airween%GOODPASS with plaintext password challenge/response password authentication succeeded # wbinfo -a abc_airween%WRONGPASS plaintext password authentication failed Could not authenticate user abc_airween%WRONGPASS with plaintext password challenge/response password authentication failed wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a) error message was: Wrong Password Could not authenticate user abc_airween with challenge/response At this point I made open-ldap (the first server) as unattainable, and the result of the command above: # time wbinfo -a abc_airween%GOODPASS plaintext password authentication failed Could not authenticate user abc_airween%GOODPASS with plaintext password challenge/response password authentication failed Could not authenticate user abc_airween with challenge/response real 1m2.640s user 0m0.012s sys 0m0.000s it waits 1 minute, and then I got the message. When I turned off the open-ldap2, and open-ldap works, then the wbinfo -a returns with succeed, but only after 30 seconds. So, looks like something is still wrong - may be I'm using wbinfo as wrong way? What should I do that the auth method works as well, when a DC kicked out? a.
Am 2017-11-08 um 13:12 schrieb Rowland Penny via samba:> And most documents get it wrong, The DC is a DNS server and your > clients should use it as their nameserver. Your DC should forward > anything unknown to the nameserver that is set in the DCs smb.conf if > using the internal DNS server, or if in the named conf files if using > Bind9additional question here as I also prepare to deploy a 2nd DC at one site: right now I tell the clients to use these as DNSs (via DHCP): samba-DC, DNS on router to internet, one DNS upstream (just in case, maybe stupid) with additional DCs I assume I would have to list the DCs as well as DNSs, to make sure DNS (in terms of AD *and* "normal" DNS) still works in case the first DC is unreachable? Stefan
Hai Stefan, What happens on the DC itself. The dns `CLIENT queries` (resolving) goes through /etc/resolv.conf And uses these settings. for example, ping www.google.nl from the DC commandline. The PC in the lan use the DC DNS but NOT /etc/resolv.conf of the DC. That uses the DNS Server settings, internal samba, used the forward setting in smb.conf Or bind9_dlz + samba, used the forward setting in bind. Now you know this. (DC1) /etc/resolv.conf search ADDC.domain.TLD externaldomain.tld nameserver IP_OF_DC1 and not localhost/127.0.0.1 Nameserver IP_of_your_gateway Nameserver IP_of_anyother_dns. Now adding a second DC. DC1 changes a bit. /etc/resolv.conf search ADDC.domain.TLD externaldomain.tld nameserver IP_OF_DC1 nameserver IP_OF_DC2 Nameserver IP_of_anyother_dns. DC2. /etc/resolv.conf search ADDC.domain.TLD externaldomain.tld nameserver IP_OF_DC2 nameserver IP_OF_DC1 Nameserver IP_of_anyother_dns. And set you client PC's DNS to the DC.s Results in. 1) if DC1 is down, DC2 is used. 2) if DC2 is down, DC1 is used. 3) If both DC's are down, the DC still has internet, clients not. But without any DC, your network is in serious problem.. The DC still has internet due to Nameserver IP_of_anyother_dns. And you need that when your in trouble. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Stefan G. Weichinger via samba > Verzonden: woensdag 8 november 2017 14:45 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] DC's are unavailable when PDC halted > > Am 2017-11-08 um 13:12 schrieb Rowland Penny via samba: > > > And most documents get it wrong, The DC is a DNS server and your > > clients should use it as their nameserver. Your DC should forward > > anything unknown to the nameserver that is set in the DCs > smb.conf if > > using the internal DNS server, or if in the named conf > files if using > > Bind9 > > additional question here as I also prepare to deploy a 2nd DC > at one site: > > right now I tell the clients to use these as DNSs (via DHCP): > > samba-DC, DNS on router to internet, one DNS upstream (just in case, > maybe stupid) > > with additional DCs I assume I would have to list the DCs as well as > DNSs, to make sure DNS (in terms of AD *and* "normal" DNS) still works > in case the first DC is unreachable? > > Stefan > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Apparently Analagous Threads
- DC's are unavailable when PDC halted
- nameservers, all DCS??
- Mailbox sharing, user to user in same domain, OK! User to user sharing in separate domains, problem. ( ... and more oh boy!)
- nameservers, all DCS??
- samba ADDC dns setup? ( this is same for any MS server )