On Tue, 24 Apr 2018 09:50:10 +0200 Denis Cardon via samba <samba at lists.samba.org> wrote:> A more expeditive way is to delete and recreate the zone using the > samba-tool dns zonedelete / zonecreate. The SRV entries are recreated > when the server restart. You should just be careful about having your > kerberos configuration properly so it does not needs DNS to find its > KDC (you can take a look at krb5.conf file in [1] for inspiration). > Then you'll have to recreate your DNS entries in that clean'ed up > zone. >Hi Dennis, DNS is an integral part of Active Directory, so if the machine you are trying to join as a DC cannot find the KDC via dns, then it is likely to have problems later. You must have working dns before the join. I have read your join howto and have the following comments, based on my experience. I would also install libpam_winbind and libpam_krb5 /etc/krb5.conf needs to be only this: [libdefaults] default_realm = MONDOMAINE.LAN dns_lookup_realm = false dns_lookup_kdc = true I would stop smbd, nmbd, winbind before the join I would run the join command like this: samba-tool domain join mondomaine.lan DC -U administrator --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use rfc2307 = yes' --option='dns forwarder = 8.8.8.8' if you copy netlogon and sysvol from the first DC, you really also need to copy idmap.ldb Please do not do this: ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf If you must do it, then do this instead: cp /var/lib/samba/private/krb5.conf to /etc/krb5.conf But it will just replace what is there, with the same content, if it has been set as suggested above. Finally, I would have set up NTP before the join and ensured the time was the same as on the DC. Rowland
Hi Rowland,>> A more expeditive way is to delete and recreate the zone using the >> samba-tool dns zonedelete / zonecreate. The SRV entries are recreated >> when the server restart. You should just be careful about having your >> kerberos configuration properly so it does not needs DNS to find its >> KDC (you can take a look at krb5.conf file in [1] for inspiration). >> Then you'll have to recreate your DNS entries in that clean'ed up >> zone. >> > > Hi Dennis, DNS is an integral part of Active Directory, so if the > machine you are trying to join as a DC cannot find the KDC via dns, > then it is likely to have problems later. You must have working dns > before the join.Thanks for you input. It is indeed important to stress out how important is DNS in an AD environment. My point just above underline that if we have wiped out the DNS zone, then using dns_lookup_kdc=true won't work anymore, so it will be necessary to give a hint to the local machine to authenticate to "find itself". Once the DNS zone has been recreated with all the proper SRV entries, then one can switch back to dns_lookup_kdc=true. But actually, even on a properly setup domain, I advocate to make an explicit configuration of KDC in /etc/krb5.conf. And actually it is a must have in a large multi-site setup with slow VPN and strict firewall rules.> I have read your join howto and have the following comments, based on > my experience. > > I would also install libpam_winbind and libpam_krb5we are limiting at much as possible shell connection to the AD (a compromission on your AD is a compromission of your whole network). So we don't enable this kind of authentication on DC. SSH key exchange for the lucky few that manage the AD is much better suited IMHO.> /etc/krb5.conf needs to be only this: > > [libdefaults] > default_realm = MONDOMAINE.LAN > dns_lookup_realm = false > dns_lookup_kdc = truesee above> I would stop smbd, nmbd, winbind before the joinIndeed that might be cleaner, even if it does change much in the present case. Debian behavior of starting daemon just after installation is sometime awkward.> I would run the join command like this: > samba-tool domain join mondomaine.lan DC -U administrator --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use rfc2307 = yes' --option='dns forwarder = 8.8.8.8'we are trying to get people out of RFC2307. It is almost never really needed and it may create issues when people forget to setup a UID/GID for a user or if there are duplicate (there is no pool for UID like there is for RID, and there is no unique index on that value). By the way, 8.8.8.8 is a easy to remember ip address, but it is a PITA in the long run with internal DNS. Google does throttling and since internal DNS does no caching, one very fast non answered queries and angry users on any moderate size site. That is why we advocate for using Bind-DLZ, even if it is awkward to setup. You can take a look at the page https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9> if you copy netlogon and sysvol from the first DC, you really also need to copy idmap.ldbit is really helpful if you have GPO delegation. Otherwise a simple samba-tool ntacl sysvolreset will do it like it is mentioned in the documentation. Maintaining replication of idmap.ldb is not easy either in the long run. It would be great to have a RID xid mapping for domain controllers too!> Please do not do this: ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf > If you must do it, then do this instead: cp /var/lib/samba/private/krb5.conf to /etc/krb5.confIt is important to have both file in sync, since some processes are using one or the other. So symlink is a must IMHO. And since /var/lib/samba/private is not readable for everyone, the best thing is to have a symlink like stated in our wiki page [1] you are referring to. By the way, those small details are the result of more than 250 migrations or domain fixing in the last 5 years... So even though it might not be perfect, it is field tested.> But it will just replace what is there, with the same content, if it has been set as suggested above. > > Finally, I would have set up NTP before the join and ensured the time was the same as on the DC.An ntpdate might be of use before the join indeed. But since the NTP is connecting to a UNIX socket instanciated by Samba, I prefer to start it afterward. Thanks for you input, Cheers, Denis [1] https://dev.tranquil.it/wiki/SAMBA_-_Installation_samba4_comme_DC_secondaire> > Rowland >-- Denis Cardon Tranquil IT Systems Les Espaces Jules Verne, bâtiment A 12 avenue Jules Verne 44230 Saint Sébastien sur Loire tel : +33 (0) 2.40.97.57.55 http://www.tranquil.it Samba install wiki for Frenchies : https://dev.tranquil.it WAPT, software deployment made easy : https://wapt.fr
On Tue, 24 Apr 2018 13:07:58 +0200 Denis Cardon <dcardon at tranquil.it> wrote:> Hi Rowland, > Thanks for you input. It is indeed important to stress out how > important is DNS in an AD environment. My point just above underline > that if we have wiped out the DNS zone, then using > dns_lookup_kdc=true won't work anymore, so it will be necessary to > give a hint to the local machine to authenticate to "find itself".Not sure I understand what you are trying to say, we are discussing joining a potential DC to a domain, so surely the DNS zone wont have been 'wiped out'> > Once the DNS zone has been recreated with all the proper SRV entries, > then one can switch back to dns_lookup_kdc=true.No, sorry the DNS zone will not have been recreated, added to probably, recreated, no.>But actually, even > on a properly setup domain, I advocate to make an explicit > configuration of KDC in /etc/krb5.conf. And actually it is a must > have in a large multi-site setup with slow VPN and strict firewall > rules.What you are saying is very probably true, but the basis of your howto is how to join a computer to a domain as another DC, what you do after the join has nothing to do with the join.> > > I have read your join howto and have the following comments, based > > on my experience. > > > > I would also install libpam_winbind and libpam_krb5 > > we are limiting at much as possible shell connection to the AD (a > compromission on your AD is a compromission of your whole network). > So we don't enable this kind of authentication on DC. SSH key > exchange for the lucky few that manage the AD is much better suited > IMHO.Note that I said 'I would', doesn't mean you have to, I should also probably point out that you can use ssh with kerberos and not require passwords or SSH keys.> > > /etc/krb5.conf needs to be only this: > > > > [libdefaults] > > default_realm = MONDOMAINE.LAN > > dns_lookup_realm = false > > dns_lookup_kdc = true > > see aboveI have ;-)> > > I would stop smbd, nmbd, winbind before the join > > Indeed that might be cleaner, even if it does change much in the > present case. Debian behavior of starting daemon just after > installation is sometime awkward. > > > I would run the join command like this: > > samba-tool domain join mondomaine.lan DC -U administrator > > --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use > > rfc2307 = yes' --option='dns forwarder = 8.8.8.8' > > we are trying to get people out of RFC2307. It is almost never really > needed and it may create issues when people forget to setup a UID/GID > for a user or if there are duplicate (there is no pool for UID like > there is for RID, and there is no unique index on that value).There are pools for UID & GID, Samba just decided not to use them.> > By the way, 8.8.8.8 is a easy to remember ip address, but it is a > PITA in the long run with internal DNS. Google does throttling and > since internal DNS does no caching, one very fast non answered > queries and angry users on any moderate size site.Then why did you use it in your howto ?> > That is why we advocate for using Bind-DLZ, even if it is awkward to > setup. You can take a look at the page > https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9 >It is not awkward to set up, unless you do it wrong, I have never used the internal dns server myself, I always use Bind9> > if you copy netlogon and sysvol from the first DC, you really also > > need to copy idmap.ldb > > it is really helpful if you have GPO delegation. Otherwise a simple > samba-tool ntacl sysvolreset will do it like it is mentioned in the > documentation. Maintaining replication of idmap.ldb is not easy > either in the long run. It would be great to have a RID xid mapping > for domain controllers too!The problem is that sysvolreset is broken if you add any GPOs, it does not set the correct ACES.> > > Please do not do this: ln > > -s /etc/krb5.conf /var/lib/samba/private/krb5.conf If you must do > > it, then do this instead: cp /var/lib/samba/private/krb5.conf > > to /etc/krb5.conf > > It is important to have both file in sync, since some processes are > using one or the other. So symlink is a must IMHO. And since > /var/lib/samba/private is not readable for everyone, the best thing > is to have a symlink like stated in our wiki page [1] you are > referring to.I take it that you unaware that the private dir is only accessible by 'root' from 4.7.0> > By the way, those small details are the result of more than 250 > migrations or domain fixing in the last 5 years... So even though it > might not be perfect, it is field tested. > > > But it will just replace what is there, with the same content, if > > it has been set as suggested above. > > > > Finally, I would have set up NTP before the join and ensured the > > time was the same as on the DC. > > An ntpdate might be of use before the join indeed. But since the NTP > is connecting to a UNIX socket instanciated by Samba, I prefer to > start it afterward. >Again, I did say that it was what I would do and I also said to ensure the time was the same as on the Domain DC. Rowland