Thomas Glanzmann
2018-Jul-18 16:18 UTC
[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range
Hello Rowland,

> These shouldn't be set or are defaults:
> name resolve order = host
> passdb backend = tdbsam
> security = user
> domain logons = yes
> log level = 3
> os level = 64
> preferred master = yes
> local master = yes
> domain master = yes
> tls keyfile = key.pem
> tls certfile = cert.pem
> tls cafile = ca.pem

I kicked these out. I found the config somewhere on the Internet and left the stuff I did not understand as provided.

> time server = yes

I have ntpd configured on the ip address which serves time. So I leave it in.

> This is definitely wrong:
> dns forwarder = 127.0.0.1
> You do not forward to itself.

Actually, I do. I have a recursive bind listening on 127.0.0.1 and recursive name lookup works also via the SAMBA internal DNS implementation. So I'm happy with it.

> This is all 'netlogon' needs:
>
> [netlogon]
> comment = Domain Logon Service
> path = /local/samba-config/v101/netlogon
> read only = no

fixed.

> 'sysvol' is okay except it needs to be writeable.

fixed as well.

> You also do not set the maximum password age with pdbedit.

I do, but you're saying I should not? I do in the shell script:

/local/samba/bin/samba-tool user setexpiry Administrator --noexpiry -s ${SAMBACONFIG}
/local/samba/bin/pdbedit -s ${SAMBACONFIG} -P "maximum password age" -C -1

While my active directories do not survive one week, I thought just to be on the safe side, I disable password aging. Is there a better way?

> Yes try reading up on Samba AD more before trying to train others on
> how to use it. ;-)

Rest assured, I'm training no one on samba, I just need an active directory to be able show a domain join with VMware products. That's all. However I was quite impressed how far samba has become. And how good it works. Can you recommend a book or a documentation to get more familiar with SAMBA AD?

Thanks a lot. After your cleanup, I can now use Active Directory Users and Computers.

My new Samba Config is here: https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/smb-v101.conf.cleanedup

Cheers,
Thomas
Rowland Penny
2018-Jul-18 16:51 UTC
[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range
On Wed, 18 Jul 2018 18:18:46 +0200
Thomas Glanzmann <thomas at glanzmann.de> wrote:

> Hello Rowland,
>
> > These shouldn't be set or are defaults:
> > name resolve order = host
> > passdb backend = tdbsam
> > security = user
> > domain logons = yes
> > log level = 3
> > os level = 64
> > preferred master = yes
> > local master = yes
> > domain master = yes
> > tls keyfile = key.pem
> > tls certfile = cert.pem
> > tls cafile = ca.pem
>
> I kicked these out. I found the config somewhere on the Internet and
> left the stuff I did not understand as provided.
>
> > time server = yes
>
> I have ntpd configured on the ip address which serves time. So I leave
> it in.

You DO NOT need it.

> > This is definitely wrong:
> > dns forwarder = 127.0.0.1
> > You do not forward to itself.
>
> Actually, I do. I have a recursive bind listening on 127.0.0.1 and
> recursive name lookup works also via the SAMBA internal DNS
> implementation. So I'm happy with it.

This sounds like a recipe for disaster, how do you get two dns servers to listen on port 53 and differentiate between them. Your clients should use the Samba DNS server for anything inside the domain and then the samba DNS server should forward anything outside the domain to an external dns server.

> > This is all 'netlogon' needs:
> >
> > [netlogon]
> > comment = Domain Logon Service
> > path = /local/samba-config/v101/netlogon
> > read only = no
>
> fixed.
>
> > 'sysvol' is okay except it needs to be writeable.
>
> fixed as well.
>
> > You also do not set the maximum password age with pdbedit.
>
> I do, but you're saying I should not?
> I do in the shell script:
>
> /local/samba/bin/samba-tool user setexpiry Administrator --noexpiry -s ${SAMBACONFIG}
> /local/samba/bin/pdbedit -s ${SAMBACONFIG} -P "maximum password age" -C -1

Yes I know you do, but you set the maximum password age in AD and you can do this with a GPO or samba-tool.

> While my active directories do not survive one week, I thought just
> to be on the safe side, I disable password ageing. Is there a better
> way?

Yes, stop disabling password ageing.

> > Yes try reading up on Samba AD more before trying to train others on
> > how to use it. ;-)
>
> Rest assured, I'm training no one on samba, I just need an active
> directory to be able show a domain join with VMware products. That's
> all. However I was quite impressed how far samba has become. And how
> good it works. Can you recommend a book or a documentation to get
> more familiar with SAMBA AD?

Yes the samba wiki, it is the only documentation I would recommend

Rowland
Thomas Glanzmann
2018-Jul-18 17:19 UTC
[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range
Hello Rowland,

> > > time server = yes
> You DO NOT need it.

I read the manpage again and I think now I got it. So this is some netbios time server thing. That I really don't need. I killed it.

> > > dns forwarder = 127.0.0.1
> This sounds like a recipe for disaster, how do you get two dns servers to
> listen on port 53 and differentiate between them. Your clients should
> use the Samba DNS server for anything inside the domain and then the
> samba DNS server should forward anything outside the domain to an
> external dns server.

That's what is happening. I just have everything on one box. I both specified in samba and in bind where they should listen on and lsof -P -i -n confirms that they do what they're supposed to do.

> Yes I know you do, but you set the maximum password age in AD and you
> can do this with a GPO or samba-tool.

I see, I'll look it up and use samba-tool instead.

> Yes, stop disabling password ageing.

I only change a password when it is compromised. And the passwords in the lab environment are all insecure.

> Yes the samba wiki, it is the only documentation I would recommend.

I see, I read a lot in the samba wiki, but missed the minimal samba config for active directory.

Cheers,
Thomas
Thomas Glanzmann
2018-Jul-19 15:26 UTC
[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range
Hello Rowland,

> Yes the samba wiki, it is the only documentation I would recommend

after you told me to RTFM. I read the wiki page again and realized that the samba tool creates the samba config for me. So now I setup my domain using this twoliner:

> smb.conf
/local/samba/bin/samba-tool domain provision -s ${SAMBACONFIG} --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=${REALM} --domain=V101 --adminpass='Pa$$w0rd' --host-name=ad \
    --option="interfaces=bond0.101" \
    --option="bind interfaces only=yes" \
    --option "lock directory = /local/samba-config/v101/lock" \
    --option "cache directory = /local/samba-config/v101/cache" \
    --option "pid directory = /local/samba-config/v101/pid" \
    --option "private dir = /local/samba-config/v101/private" \
    --option "state directory = /local/samba-config/v101/state" \

And it even gets the recursive DNS right:

# Global parameters
[global]
    bind interfaces only = Yes
    cache directory = /local/samba-config/v101/cache
    dns forwarder = 127.0.0.1
    interfaces = bond0.101
    lock directory = /local/samba-config/v101/lock
    netbios name = AD
    pid directory = /local/samba-config/v101/pid
    private dir = /local/samba-config/v101/private
    realm = V101.HPVL.ORG
    server role = active directory domain controller
    state directory = /local/samba-config/v101/state
    workgroup = V101
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /local/samba-config/v101/state/sysvol/v101.hpvl.org/scripts
    read only = No

[sysvol]
    path = /local/samba-config/v101/state/sysvol
    read only = No

Thanks again.

Cheers,
Thomas
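The exchange above boils down to a handful of checks on an AD DC smb.conf: the legacy NT4-style parameters Rowland listed (and `time server`) should not be set, `netlogon` and `sysvol` must be writeable, and a `dns forwarder` on loopback only works when a separate recursive resolver is actually bound there. The following Python linter is an added example that encodes exactly those checks; it is not code from the thread or from the Samba project. The first sample config is constructed to resemble the one Thomas started with; the second is the `samba-tool domain provision` output quoted in the last message. Parameter names are compared case- and whitespace-insensitively, as Samba itself treats them, and the loopback forwarder is reported as informational rather than as an error because the thread ends with it being acceptable on a box where bind and Samba listen on different addresses.

```python
"""Lint a Samba AD DC smb.conf for the issues raised in this thread (added example)."""
import re

# Parameters the thread says should not be set on an AD DC: Rowland's
# "shouldn't be set or are defaults" list plus 'time server', which the
# follow-up reply says is not needed either.  Stored in normalised form.
REDUNDANT_ON_DC = {
    "nameresolveorder", "passdbbackend", "security", "domainlogons",
    "loglevel", "oslevel", "preferredmaster", "localmaster", "domainmaster",
    "tlskeyfile", "tlscertfile", "tlscafile", "timeserver",
}

# Constructed sample, modelled on the config discussed at the top of the thread.
BAD_CONF = """\
[global]
    workgroup = V101
    realm = V101.HPVL.ORG
    server role = active directory domain controller
    name resolve order = host
    passdb backend = tdbsam
    security = user
    domain logons = yes
    log level = 3
    time server = yes
    dns forwarder = 127.0.0.1
    tls keyfile = key.pem

[netlogon]
    comment = Domain Logon Service
    path = /local/samba-config/v101/netlogon

[sysvol]
    path = /local/samba-config/v101/state/sysvol
    read only = yes
"""

# The samba-tool generated config quoted in the last message of the thread.
GOOD_CONF = """\
# Global parameters
[global]
    bind interfaces only = Yes
    cache directory = /local/samba-config/v101/cache
    dns forwarder = 127.0.0.1
    interfaces = bond0.101
    lock directory = /local/samba-config/v101/lock
    netbios name = AD
    pid directory = /local/samba-config/v101/pid
    private dir = /local/samba-config/v101/private
    realm = V101.HPVL.ORG
    server role = active directory domain controller
    state directory = /local/samba-config/v101/state
    workgroup = V101
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /local/samba-config/v101/state/sysvol/v101.hpvl.org/scripts
    read only = No

[sysvol]
    path = /local/samba-config/v101/state/sysvol
    read only = No
"""


def _norm(name):
    # Samba ignores case and whitespace in parameter names
    # ('Read Only' and 'readonly' are the same parameter).
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}; '#' and ';' comment lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def lint(text):
    """Return a list of (severity, message) findings for an AD DC smb.conf."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    role = g.get("serverrole", "").lower()
    if role != "active directory domain controller":
        findings.append(("error", f"server role is {role!r}, expected 'active directory domain controller'"))
    for p in sorted(REDUNDANT_ON_DC & set(g)):
        findings.append(("warn", f"'{p}' is set in [global]; not needed on an AD DC, remove it"))
    fwd = g.get("dnsforwarder")
    if fwd:
        first = fwd.split()[0]
        if first.startswith("127.") or first == "::1":
            findings.append(("info", "dns forwarder points at loopback; only valid if a separate recursive resolver is bound there"))
    for share in ("netlogon", "sysvol"):
        s = conf.get(share)
        if s is None:
            findings.append(("error", f"[{share}] share is missing"))
        elif s.get("readonly", "yes").lower() in ("yes", "true", "1"):  # Samba default is read only = yes
            findings.append(("error", f"[{share}] must be writeable (read only = no)"))
    return findings


if __name__ == "__main__":
    for label, conf in (("original-style", BAD_CONF), ("samba-tool generated", GOOD_CONF)):
        print(f"== {label} ==")
        for severity, message in lint(conf):
            print(f"  {severity}: {message}")
```

Run it as a script to see the two reports side by side; on the generated config the only finding left is the informational note about the loopback forwarder, which matches where the thread ended up.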