samba - Jul 2018 - Samba4 AD cannot see machines in windows browser

On Tue, Jul 17, 2018 at 1:18 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Tue, 17 Jul 2018 12:59:25 -0700
> Alberto Moreno via samba <samba at lists.samba.org> wrote:
>
> Hi Moreno, see inline comments:
>
> > Hi
> >
> > On Tue, Jul 17, 2018 at 12:38 PM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Tue, 17 Jul 2018 12:16:56 -0700
> > > Alberto Moreno via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hi.
> > > >
> > > > I'm continuing learning samba4.
> > > >
> > > > I had add some machines to the domain, windows 10 Pro.
> > > >
> > > > But I open windows browser and don't see my domain and
my
> > > > machines.
> > > >
> > > > Is normal with samba4?
> > >
> > > Depending on how you set up Samba, yes and no.
> > >
> > > >
> > > > My smb.conf
> > > >
> > > > # Global parameters
> > > > [global]
> > > >         netbios name = MBXDC1
> > > >         realm = MBX.LOCAL
> > > >         server role = active directory domain controller
> > > >         server services = s3fs, rpc, nbt, wrepl, ldap,
cldap, kdc,
> > > > drepl, winbindd, ntp_signd, kcc, dnsupdate
> > > >         workgroup = MBX
> > > >         idmap_ldb:use rfc2307 = yes
> > > >         log level = 5
> > > >
> > > > [netlogon]
> > > >         path =
/usr/local/samba/var/locks/sysvol/mbx.local/scripts
> > > >         read only = No
> > > >
> > > > [sysvol]
> > > >         path = /usr/local/samba/var/locks/sysvol
> > > >         read only = No
> > >
> > > Ah, it is an AD DC, so the answer is definitely yes, there is no
> > > browsing with a Samba AD DC.
> > >
> > >
> > Now, who manage the machine list in the network?
>
> The DNS server on the DC
>
Got it.

> >
> > >
> > > > Other thing, I try to increase my log level, but samba
won't
> > > > accept, it continue with log level = 2.
> > >
> > > Did you restart Samba after making the change ?
> > >
> > >
> > Yes, I stop first and latter start the service.
>
> Then it should work, unless nothing happened over log level 2 ;-)
>
Got it.

> >
> > >
> > > > My windows machines had the computer browser service off and
fw
> > > > off.
> > >
> > > How do you expect to use a browser service that is turned off ?
> > > Not that it will help if you do turn it on.
> > >
> > >
> > Just to understand, in samba NT4 domain, the recommendation was that,
> > must exist only 1 network browser in the network, them we had to turn
> > off this service(computer browser) under windows machines, because
> > this service conflict with samba, the reason was that those machines
> > will try to became master/local browser in the domain and start
> > sending packets all over the network which is traffic unnecessary.
> >
> > With samba4 AD setup, the rule continue or I was wrong?
>
> Ye, the rule continues for Unix domain members, but there is no
> browsing of Samba AD DC's, they will not show up in a Windows Browser,
> you should use DNS instead. You should also be aware that Windows is
> moving away from network browsing.
>
Got it.
>
> >
> > > >
> > > > Samba version 4.7.8 CentOS Linux release 7.5.1804 (Core)
> > >
> > > How did you provision an AD DC using Centos packages, I thought
you
> > > still couldn't use them for a DC.
> > >
> > >
> > I install samba4 from src(make && make install).
>
> OK, just checking ;-)
>
>
:-).
> Thanks for your help Penny.
> >
>
> Please do not refer to me by my surname.
>
My apologies, my mistake.

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
LIving the dream...

On Tue, Jul 17, 2018 at 1:57 PM Alberto Moreno <portsbsd at gmail.com>
wrote:
>
>
> On Tue, Jul 17, 2018 at 1:18 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Tue, 17 Jul 2018 12:59:25 -0700
>> Alberto Moreno via samba <samba at lists.samba.org> wrote:
>>
>> Hi Moreno, see inline comments:
>>
>> > Hi
>> >
>> > On Tue, Jul 17, 2018 at 12:38 PM Rowland Penny via samba <
>> > samba at lists.samba.org> wrote:
>> >
>> > > On Tue, 17 Jul 2018 12:16:56 -0700
>> > > Alberto Moreno via samba <samba at lists.samba.org>
wrote:
>> > >
>> > > > Hi.
>> > > >
>> > > > I'm continuing learning samba4.
>> > > >
>> > > > I had add some machines to the domain, windows 10 Pro.
>> > > >
>> > > > But I open windows browser and don't see my domain
and my
>> > > > machines.
>> > > >
>> > > > Is normal with samba4?
>> > >
>> > > Depending on how you set up Samba, yes and no.
>> > >
>> > > >
>> > > > My smb.conf
>> > > >
>> > > > # Global parameters
>> > > > [global]
>> > > >         netbios name = MBXDC1
>> > > >         realm = MBX.LOCAL
>> > > >         server role = active directory domain controller
>> > > >         server services = s3fs, rpc, nbt, wrepl, ldap,
cldap, kdc,
>> > > > drepl, winbindd, ntp_signd, kcc, dnsupdate
>> > > >         workgroup = MBX
>> > > >         idmap_ldb:use rfc2307 = yes
>> > > >         log level = 5
>> > > >
>> > > > [netlogon]
>> > > >         path =
/usr/local/samba/var/locks/sysvol/mbx.local/scripts
>> > > >         read only = No
>> > > >
>> > > > [sysvol]
>> > > >         path = /usr/local/samba/var/locks/sysvol
>> > > >         read only = No
>> > >
>> > > Ah, it is an AD DC, so the answer is definitely yes, there is
no
>> > > browsing with a Samba AD DC.
>> > >
>> > >
>> > Now, who manage the machine list in the network?
>>
>> The DNS server on the DC
>>
>
> Got it.
>
>
>> >
>> > >
>> > > > Other thing, I try to increase my log level, but samba
won't
>> > > > accept, it continue with log level = 2.
>> > >
>> > > Did you restart Samba after making the change ?
>> > >
>> > >
>> > Yes, I stop first and latter start the service.
>>
>> Then it should work, unless nothing happened over log level 2 ;-)
>>
>
> Got it.
>
>
>> >
>> > >
>> > > > My windows machines had the computer browser service off
and fw
>> > > > off.
>> > >
>> > > How do you expect to use a browser service that is turned off
?
>> > > Not that it will help if you do turn it on.
>> > >
>> > >
>> > Just to understand, in samba NT4 domain, the recommendation was
that,
>> > must exist only 1 network browser in the network, them we had to
turn
>> > off this service(computer browser) under windows machines, because
>> > this service conflict with samba, the reason was that those
machines
>> > will try to became master/local browser in the domain and start
>> > sending packets all over the network which is traffic unnecessary.
>> >
>> > With samba4 AD setup, the rule continue or I was wrong?
>>
>> Ye, the rule continues for Unix domain members, but there is no
>> browsing of Samba AD DC's, they will not show up in a Windows
Browser,
>> you should use DNS instead. You should also be aware that Windows is
>> moving away from network browsing.
>>
>
> Got it.
>
> >
>> >
>> > > >
>> > > > Samba version 4.7.8 CentOS Linux release 7.5.1804 (Core)
>> > >
>> > > How did you provision an AD DC using Centos packages, I
thought you
>> > > still couldn't use them for a DC.
>> > >
>> > >
>> > I install samba4 from src(make && make install).
>>
>> OK, just checking ;-)
>>
>>
> :-).
>
> > Thanks for your help Penny.
>> >
>>
>> Please do not refer to me by my surname.
>>
>
> My apologies, my mistake.
>
>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> --
> LIving the dream...
>
I setup DNS as backend which is running under the same server.

I have done my test like the wiki and works.

host -t SRV _ldap._tcp.MBX.LOCAL.
_ldap._tcp.MBX.LOCAL has SRV record 0 100 389 mbxdc1.mbx.local.

host -t SRV _kerberos._udp.MBX.LOCAL.
_kerberos._udp.MBX.LOCAL has SRV record 0 100 88 mbxdc1.mbx.local.

 host -t A MBXDC1.MBX.LOCAL.
MBXDC1.MBX.LOCAL has address 192.168.1.5

But if I query a client won't answer:

host -t A MBX-TEST1.MBX.LOCAL.
Host MBX-TEST1.MBX.LOCAL. not found: 3(NXDOMAIN)

I have run

samba_dnsupdate --verbose

But don't see my  clients.

What else do I need to allow bind to record my clients?

Looks like I had follow the wiki all the way.

In what stage does bind record the new machine?

Thanks for your help.
-- 
LIving the dream...

On Tue, 17 Jul 2018 15:07:53 -0700
Alberto Moreno via samba <samba at lists.samba.org> wrote:
> On Tue, Jul 17, 2018 at 1:57 PM Alberto Moreno <portsbsd at
gmail.com>
> wrote:
> 
> >
> >
> > On Tue, Jul 17, 2018 at 1:18 PM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On Tue, 17 Jul 2018 12:59:25 -0700
> >> Alberto Moreno via samba <samba at lists.samba.org> wrote:
> >>
> >> Hi Moreno, see inline comments:
> >>
> >> > Hi
> >> >
> >> > On Tue, Jul 17, 2018 at 12:38 PM Rowland Penny via samba <
> >> > samba at lists.samba.org> wrote:
> >> >
> >> > > On Tue, 17 Jul 2018 12:16:56 -0700
> >> > > Alberto Moreno via samba <samba at
lists.samba.org> wrote:
> >> > >
> >> > > > Hi.
> >> > > >
> >> > > > I'm continuing learning samba4.
> >> > > >
> >> > > > I had add some machines to the domain, windows 10
Pro.
> >> > > >
> >> > > > But I open windows browser and don't see my
domain and my
> >> > > > machines.
> >> > > >
> >> > > > Is normal with samba4?
> >> > >
> >> > > Depending on how you set up Samba, yes and no.
> >> > >
> >> > > >
> >> > > > My smb.conf
> >> > > >
> >> > > > # Global parameters
> >> > > > [global]
> >> > > >         netbios name = MBXDC1
> >> > > >         realm = MBX.LOCAL
> >> > > >         server role = active directory domain
controller
> >> > > >         server services = s3fs, rpc, nbt, wrepl,
ldap,
> >> > > > cldap, kdc, drepl, winbindd, ntp_signd, kcc,
dnsupdate
> >> > > >         workgroup = MBX
> >> > > >         idmap_ldb:use rfc2307 = yes
> >> > > >         log level = 5
> >> > > >
> >> > > > [netlogon]
> >> > > >         path
> >> > > > =
/usr/local/samba/var/locks/sysvol/mbx.local/scripts read
> >> > > > only = No
> >> > > >
> >> > > > [sysvol]
> >> > > >         path = /usr/local/samba/var/locks/sysvol
> >> > > >         read only = No
> >> > >
> >> > > Ah, it is an AD DC, so the answer is definitely yes,
there is
> >> > > no browsing with a Samba AD DC.
> >> > >
> >> > >
> >> > Now, who manage the machine list in the network?
> >>
> >> The DNS server on the DC
> >>
> >
> > Got it.
> >
> >
> >> >
> >> > >
> >> > > > Other thing, I try to increase my log level, but
samba won't
> >> > > > accept, it continue with log level = 2.
> >> > >
> >> > > Did you restart Samba after making the change ?
> >> > >
> >> > >
> >> > Yes, I stop first and latter start the service.
> >>
> >> Then it should work, unless nothing happened over log level 2 ;-)
> >>
> >
> > Got it.
> >
> >
> >> >
> >> > >
> >> > > > My windows machines had the computer browser
service off and
> >> > > > fw off.
> >> > >
> >> > > How do you expect to use a browser service that is
turned off ?
> >> > > Not that it will help if you do turn it on.
> >> > >
> >> > >
> >> > Just to understand, in samba NT4 domain, the recommendation
was
> >> > that, must exist only 1 network browser in the network, them
we
> >> > had to turn off this service(computer browser) under windows
> >> > machines, because this service conflict with samba, the
reason
> >> > was that those machines will try to became master/local
browser
> >> > in the domain and start sending packets all over the network
> >> > which is traffic unnecessary.
> >> >
> >> > With samba4 AD setup, the rule continue or I was wrong?
> >>
> >> Ye, the rule continues for Unix domain members, but there is no
> >> browsing of Samba AD DC's, they will not show up in a Windows
> >> Browser, you should use DNS instead. You should also be aware that
> >> Windows is moving away from network browsing.
> >>
> >
> > Got it.
> >
> > >
> >> >
> >> > > >
> >> > > > Samba version 4.7.8 CentOS Linux release 7.5.1804
(Core)
> >> > >
> >> > > How did you provision an AD DC using Centos packages, I
> >> > > thought you still couldn't use them for a DC.
> >> > >
> >> > >
> >> > I install samba4 from src(make && make install).
> >>
> >> OK, just checking ;-)
> >>
> >>
> > :-).
> >
> > > Thanks for your help Penny.
> >> >
> >>
> >> Please do not refer to me by my surname.
> >>
> >
> > My apologies, my mistake.
> >
> >
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> > --
> > LIving the dream...
> >
> 
> I setup DNS as backend which is running under the same server.
> 
> I have done my test like the wiki and works.
> 
> host -t SRV _ldap._tcp.MBX.LOCAL.
> _ldap._tcp.MBX.LOCAL has SRV record 0 100 389 mbxdc1.mbx.local.
> 
> host -t SRV _kerberos._udp.MBX.LOCAL.
> _kerberos._udp.MBX.LOCAL has SRV record 0 100 88 mbxdc1.mbx.local.
> 
>  host -t A MBXDC1.MBX.LOCAL.
> MBXDC1.MBX.LOCAL has address 192.168.1.5
> 
> But if I query a client won't answer:
> 
> host -t A MBX-TEST1.MBX.LOCAL.
> Host MBX-TEST1.MBX.LOCAL. not found: 3(NXDOMAIN)
> 
> I have run
> 
> samba_dnsupdate --verbose
> 
> But don't see my  clients.
> 
> What else do I need to allow bind to record my clients?
> 
> Looks like I had follow the wiki all the way.
> 
> In what stage does bind record the new machine?
> 
It doesn't, Either you have to add them with samba-tool, or get DHCP to
add them, or allow Windows clients to add & update their own records.

Rowland