Rowland Penny
2018-Jul-18 07:17 UTC
[Samba] Samba4 AD cannot see machines in windows browser
On Tue, 17 Jul 2018 15:07:53 -0700
Alberto Moreno via samba <samba at lists.samba.org> wrote:

> On Tue, Jul 17, 2018 at 1:57 PM Alberto Moreno <portsbsd at gmail.com>
> wrote:
>
> > On Tue, Jul 17, 2018 at 1:18 PM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On Tue, 17 Jul 2018 12:59:25 -0700
> >> Alberto Moreno via samba <samba at lists.samba.org> wrote:
> >>
> >> Hi Moreno, see inline comments:
> >>
> >> > Hi
> >> >
> >> > On Tue, Jul 17, 2018 at 12:38 PM Rowland Penny via samba <
> >> > samba at lists.samba.org> wrote:
> >> >
> >> > > On Tue, 17 Jul 2018 12:16:56 -0700
> >> > > Alberto Moreno via samba <samba at lists.samba.org> wrote:
> >> > >
> >> > > > Hi.
> >> > > >
> >> > > > I'm continuing learning samba4.
> >> > > >
> >> > > > I had added some machines to the domain, windows 10 Pro.
> >> > > >
> >> > > > But I open windows browser and don't see my domain and my
> >> > > > machines.
> >> > > >
> >> > > > Is normal with samba4?
> >> > >
> >> > > Depending on how you set up Samba, yes and no.
> >> > >
> >> > > >
> >> > > > My smb.conf
> >> > > >
> >> > > > # Global parameters
> >> > > > [global]
> >> > > >         netbios name = MBXDC1
> >> > > >         realm = MBX.LOCAL
> >> > > >         server role = active directory domain controller
> >> > > >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >> > > >         workgroup = MBX
> >> > > >         idmap_ldb:use rfc2307 = yes
> >> > > >         log level = 5
> >> > > >
> >> > > > [netlogon]
> >> > > >         path = /usr/local/samba/var/locks/sysvol/mbx.local/scripts
> >> > > >         read only = No
> >> > > >
> >> > > > [sysvol]
> >> > > >         path = /usr/local/samba/var/locks/sysvol
> >> > > >         read only = No
> >> > >
> >> > > Ah, it is an AD DC, so the answer is definitely yes, there is
> >> > > no browsing with a Samba AD DC.
> >> > >
> >> >
> >> > Now, who manage the machine list in the network?
> >>
> >> The DNS server on the DC
> >>
> >
> > Got it.
> >
> >> > > > Other thing, I try to increase my log level, but samba won't
> >> > > > accept, it continue with log level = 2.
> >> > >
> >> > > Did you restart Samba after making the change ?
> >> > >
> >> >
> >> > Yes, I stop first and later start the service.
> >>
> >> Then it should work, unless nothing happened over log level 2 ;-)
> >>
> >
> > Got it.
> >
> >> > > > My windows machines had the computer browser service off and
> >> > > > fw off.
> >> > >
> >> > > How do you expect to use a browser service that is turned off ?
> >> > > Not that it will help if you do turn it on.
> >> > >
> >> >
> >> > Just to understand, in samba NT4 domain, the recommendation was
> >> > that, must exist only 1 network browser in the network, then we
> >> > had to turn off this service(computer browser) under windows
> >> > machines, because this service conflict with samba, the reason
> >> > was that those machines will try to become master/local browser
> >> > in the domain and start sending packets all over the network
> >> > which is traffic unnecessary.
> >> >
> >> > With samba4 AD setup, the rule continue or I was wrong?
> >>
> >> Yes, the rule continues for Unix domain members, but there is no
> >> browsing of Samba AD DC's, they will not show up in a Windows
> >> Browser, you should use DNS instead. You should also be aware that
> >> Windows is moving away from network browsing.
> >>
> >
> > Got it.
> >
> >> > > >
> >> > > > Samba version 4.7.8 CentOS Linux release 7.5.1804 (Core)
> >> > >
> >> > > How did you provision an AD DC using Centos packages, I
> >> > > thought you still couldn't use them for a DC.
> >> > >
> >> >
> >> > I install samba4 from src(make && make install).
> >>
> >> OK, just checking ;-)
> >>
> >
> > :-).
> >
> >> > Thanks for your help Penny.
> >>
> >> Please do not refer to me by my surname.
> >>
> >
> > My apologies, my mistake.
> >
> >> Rowland
> >>
> > --
> > Living the dream...
> >
>
> I setup DNS as backend which is running under the same server.
>
> I have done my test like the wiki and works.
>
> host -t SRV _ldap._tcp.MBX.LOCAL.
> _ldap._tcp.MBX.LOCAL has SRV record 0 100 389 mbxdc1.mbx.local.
>
> host -t SRV _kerberos._udp.MBX.LOCAL.
> _kerberos._udp.MBX.LOCAL has SRV record 0 100 88 mbxdc1.mbx.local.
>
> host -t A MBXDC1.MBX.LOCAL.
> MBXDC1.MBX.LOCAL has address 192.168.1.5
>
> But if I query a client won't answer:
>
> host -t A MBX-TEST1.MBX.LOCAL.
> Host MBX-TEST1.MBX.LOCAL. not found: 3(NXDOMAIN)
>
> I have run
>
> samba_dnsupdate --verbose
>
> But don't see my clients.
>
> What else do I need to allow bind to record my clients?
>
> Looks like I had follow the wiki all the way.
>
> In what stage does bind record the new machine?

It doesn't. Either you have to add them with samba-tool, or get DHCP to
add them, or allow Windows clients to add & update their own records.

Rowland
Alberto Moreno
2018-Jul-18 20:43 UTC
[Samba] Samba4 AD cannot see machines in windows browser
Hi Rowland.

Then to understand, we have different paths depend on how we would
like to register our windows machines to our DNS.

1; By DHCP
2; Manually with samba-tool
3; Let windows handle this, here is my doubt how can our
clients(windows boxes) do this?

Exist a recommendation by samba team?

Thanks for your help.

Peter.

--
Living the dream...
Rowland Penny
2018-Jul-18 21:00 UTC
[Samba] Samba4 AD cannot see machines in windows browser
On Wed, 18 Jul 2018 13:43:34 -0700
Alberto Moreno via samba <samba at lists.samba.org> wrote:

> Hi Rowland.
>
> Then to understand, we have different paths depend on how we would
> like to register our windows machines to our DNS.
>
> 1; By DHCP

I use this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

But most of my clients are Unix.

> 2; Manually with samba-tool

You would only really use this for fixed ip clients

> 3; Let windows handle this, here is my doubt how can our
> clients(windows boxes) do this?

Normally, the problem is stopping the Windows clients from trying to
update their own records, or to put it another way, this is the windows
default way.

>
> Exist a recommendation by samba team?

Don't think so, just do what is best for you.

Rowland
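
The manual path from the thread (option 2, fixed-IP clients), as an added example that is not part of the original messages: it reads `host -t A` output in the format shown above, picks out the NXDOMAIN names, and prints a `samba-tool dns add` command for each one that has a reviewed fixed address, so that only inventoried hosts get records. The zone and DC names come from the thread; the inventory addresses, the MBX-TEST2 host and the `Administrator` account name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Zone and DC names are taken from the
# thread; the inventory addresses and MBX-TEST2 are constructed.
DNS_SERVER="mbxdc1.mbx.local"
ZONE="mbx.local"

# Constructed inventory of fixed-IP clients: "short-name ipv4"
INVENTORY="mbx-test1 192.168.1.50
mbxdc1 192.168.1.5"

# Constructed `host -t A` output in the format shown in the thread
SAMPLE='MBXDC1.MBX.LOCAL has address 192.168.1.5
Host MBX-TEST1.MBX.LOCAL. not found: 3(NXDOMAIN)
Host MBX-TEST2.MBX.LOCAL. not found: 3(NXDOMAIN)'

# stdin: host output; stdout: lowercased FQDNs that returned NXDOMAIN
missing_from_host_output() {
    awk '/not found: 3\(NXDOMAIN\)/ { n = tolower($2); sub(/\.$/, "", n); print n }'
}

# Succeeds only for a dotted quad with every octet in 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# stdin: missing FQDNs; stdout: one samba-tool command (or a comment) per name
plan_dns_adds() {
    while read -r fqdn; do
        short=${fqdn%."$ZONE"}
        [ "$short" = "$fqdn" ] && continue                 # not in our zone
        case $short in ''|*[!a-z0-9-]*) continue ;; esac   # refuse odd labels
        ip=$(printf '%s\n' "$INVENTORY" | awk -v h="$short" '$1 == h { print $2; exit }')
        if valid_ipv4 "$ip"; then
            printf 'samba-tool dns add %s %s %s A %s -U Administrator\n' \
                "$DNS_SERVER" "$ZONE" "$short" "$ip"
        else
            printf '# %s: no fixed IP on file, leave to DHCP or client update\n' "$short"
        fi
    done
}

# Print the plan for review; nothing is executed against the DC
printf '%s\n' "$SAMPLE" | missing_from_host_output | plan_dns_adds
```

The script only prints the commands; run the reviewed lines on the DC and repeat the `host -t A` query to confirm the record resolves.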