I've installed these packages:

apt-get install samba winbind libnss-winbind libpam-winbind libpam-krb5 krb5-config

Installing on fresh Ubuntu 18.04 server

Nothing is configured yet as following the wikis you come to the DNS configuration before you get to configuring Samba stuff.

Wiki states: If you are planning to set up a Samba Active Directory (AD) domain controller (DC) using the BIND9_DLZ back end, you have to install and configure the BIND DNS server first.

And: By default, the first Domain Controller (DC) in a forest runs a DNS server for Active Directory (AD)-based zones. For failover reasons it is recommended to run multiple DCs acting as a DNS server in a network. If you consider providing a DNS service on the new DC:
- For the BIND9_DLZ back end, see BIND9_DLZ DNS Back End <https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End>. Finish this task before you start the Samba DC service.

I really didn't want to tackle this now but I will as eventually all the Windows Servers will go away. I had hoped to migrate things one by one.

I have embarked on learning bind, bind9, etc. now noting all the numerous details I must follow on wikis to get that going. I am wondering is the DNS on the Samba AD DC going to get all the DNS entries from the Windows AD DNS servers?

I suppose I'll also setup the Samba AD DC as the DHCP server as that doesn't seem so difficult.

Barry Adkins

On Wed, 21 Nov 2018 10:22:21 +0000 "Barry D. Adkins via samba" <samba at lists.samba.org> wrote:

> I've installed these packages:
>
> apt-get install samba winbind libnss-winbind libpam-winbind
> libpam-krb5 krb5-config
>
> Installing on fresh Ubuntu 18.04 server
>
> Nothing is configured yet as following the wikis you come to the DNS
> configuration before you get to configuring Samba stuff.
>
> Wiki states: If you are planning to set up a Samba Active Directory
> (AD) domain controller (DC) using the BIND9_DLZ back end, you have to
> install and configure the BIND DNS server first.

That isn't entirely true, you need to install Bind9 before you provision with BIND9_DLZ, but you can configure it after the provision and before you start Samba.

> And : By default, the first Domain Controller (DC) in a forest runs
> a DNS server for Active Directory (AD)-based zones. For failover
> reasons it is recommended to run multiple DCs acting as a DNS server
> in a network. If you consider providing a DNS service on the new
> DC:
> - For the BIND9_DLZ back end, see BIND9_DLZ DNS Back End
>   <https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End>. Finish
>   this task before you start the Samba DC service.

Yes, every Samba AD DC is a dns server, unless you provision with '--dns-backend=NONE' and this isn't recommended. You do not have to use Bind9, Samba has its own dns server.

> I really didn't want to tackle this now but I will as eventually all
> the Windows Servers will go away. I had hoped to migrate things one
> by one.

Just provision using the internal dns server (the default) and upgrade to Bind9 later.

> I have embarked on learning bind, bind9, etc. now noting all the
> numerous details I must follow on wikis to get that going. I am
> wondering is the DNS on the Samba AD DC going to get all the DNS
> entries from the Windows AD DNS servers? I suppose I'll also setup
> the Samba AD DC as the DHCP server as that doesn't seem so difficult.

It isn't, just follow the wiki page and shout if something goes wrong (it shouldn't)

Rowland

>> I really didn't want to tackle this now but I will as eventually all
>> the Windows Servers will go away. I had hoped to migrate things one
>> by one.
>>
> Just provision using the internal dns server (the default) and upgrade
> to Bind9 later.

Better to do this right the first time, and prevent problems later on.

> It isn't, just follow the wiki page and shout if something goes wrong
> (it shouldn't)
>
> Rowland

It's just a bit hard to follow imo.

I suggest reading: https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt

If one has improvements for this setup, tell me, I'll adjust it.

Greetz,

Louis

On Wed, 21 Nov 2018 12:07:37 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> >> I really didn't want to tackle this now but I will as eventually
> >> all the Windows Servers will go away. I had hoped to migrate
> >> things one by one.
> >>
> > Just provision using the internal dns server (the default) and
> > upgrade to Bind9 later.
>
> Better to do this right the first time, and prevent problems later
> on.
>
> > It isn't, just follow the wiki page and shout if something goes
> > wrong (it shouldn't)
> >
> > Rowland
>
> Its just bit hard to follow imo.

I was referring to the dhcp page, were you? If so, what is wrong with it?

Rowland

Hai,

Ahh... No, I did mean the wiki in general. Not that it is really wrong, but if you are new to samba and the samba setup, the wiki is jumping from page to page, which makes it harder to follow. That's it.

I would prefer a wiki setup more like this.

UserDocu
- setting up samba as AD DC.
  - Pre os things.
  - Pre samba things ( ntp bind )
  - installing samba by package or source.
    - os packages
    - source
  - Use AD backend or RID backend.
    - AD.
    - RID
  - provisioning samba AD.
  ...etc. etc.
- setting up samba as Domain Member.
  - Pre os things.
  - Pre samba things
  - install samba
  - joining the domain.
- setting up samba as Stand Alone.
  - etc. etc.

It makes it more readable imo. But just my thoughts here, nothing wrong with the info on the wiki.

Greetz,

Louis

Samba-tool FAILED

> I've installed these packages:
>
> apt-get install samba winbind libnss-winbind libpam-winbind
> libpam-krb5 krb5-config
>
> Installing on fresh Ubuntu 18.04 server

:~$ samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --site=MySite --option="interfaces=ens2f0"
Finding a writeable DC for domain 'mydomain.com'
Found DC DC01.mydomain.com
Password for [MYDOMAIN\administrator]:
workgroup is MYDOMAIN
realm is mydomain.com
Adding CN=DCU18,OU=Domain Controllers,DC=mydomain,DC=com
Adding CN=DCU18,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Adding CN=NTDS Settings,CN=DCU18,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Join failed - cleaning up
Deleted CN=DCU18,OU=Domain Controllers,DC=mydomain,DC=com
Deleted CN=NTDS Settings,CN=DCU18,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Deleted CN=DCU18,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=com
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
    ref 1: '50bb59f8-933c-41a5-87d9-f98ad1fa4e10._msdcs.daram.com'> <ldap://50bb59f8-933c-41a5-87d9-f98ad1fa4e10._msdcs.mydomain.com>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in join_add_objects
    ctx.samdb.modify(m)

Which samba version, because I've seen reports that 4.8 fails and 4.7 fails but 4.6 should work, and I don't know about 4.9.2

Can you show your /etc/hosts file and /etc/resolv.conf and /etc/krb5.conf

You used:

samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0"

Not wrong, but can you try:

kinit Administrator
samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --site=MySite --option="interfaces=ens2f0" -k

If that does not work:

samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0" -k

If not,...

samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL -k

If not,

samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --realm=YOUR_REALM -k

Greetz,

Louis

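The three files requested in the message above can be screened before each join attempt. The script below is an added example, not part of the thread or of Samba; its pass/fail rules (the DC's FQDN must not map to a loopback address, the resolver must not be a loopback stub such as the systemd-resolved default on Ubuntu 18.04, and default_realm must be the upper-case realm) are assumptions of this example, and the host name and realm are the ones shown in the join output.

```shell
#!/bin/sh
# Added example, not from the thread: pre-join checks on copies of
# /etc/hosts, /etc/resolv.conf and /etc/krb5.conf. The pass/fail rules
# are assumptions of this example, not Samba's own validation.

# hosts_ok FILE FQDN: FQDN must be listed and must not map to loopback.
hosts_ok() {
    awk -v fqdn="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(fqdn)) {
                  found = 1
                  if ($1 ~ /^127\./ || $1 == "::1") bad = 1
              } }
        END { if (found && !bad) exit 0; exit 1 }' "$1"
}

# resolv_ok FILE: at least one nameserver, none of them a loopback stub
# (Ubuntu 18.04 ships 127.0.0.53 from systemd-resolved by default).
resolv_ok() {
    awk '
        { sub(/[#;].*/, "") }
        $1 == "nameserver" { n++; if ($2 ~ /^127\./ || $2 == "::1") bad = 1 }
        END { if (n > 0 && !bad) exit 0; exit 1 }' "$1"
}

# krb5_ok FILE REALM: default_realm must equal the upper-cased realm.
krb5_ok() {
    awk -v realm="$2" '
        { sub(/[#;].*/, "") }
        $1 == "default_realm" || $1 ~ /^default_realm=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); got = v }
        END { if (got != "" && got == toupper(realm)) exit 0; exit 1 }' "$1"
}

# prejoin_check DIR FQDN REALM: run all three checks on DIR/hosts,
# DIR/resolv.conf and DIR/krb5.conf; returns non-zero if any check fails.
prejoin_check() {
    rc=0
    hosts_ok "$1/hosts" "$2" || { echo "hosts: $2 absent or on loopback"; rc=1; }
    resolv_ok "$1/resolv.conf" || { echo "resolv.conf: no usable nameserver"; rc=1; }
    krb5_ok "$1/krb5.conf" "$3" || { echo "krb5.conf: default_realm is not $3"; rc=1; }
    return "$rc"
}

# Usage: sh prejoin.sh /etc DCU18.mydomain.com MYDOMAIN.COM
if [ "$#" -eq 3 ]; then prejoin_check "$@"; fi
```
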
OK, I have been trying to help Barry get Samba to join to a Windows domain as a DC and we seem to have chased it down to this:

ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for XXXXX from both secrets.ldb (Could not find entry to match filter: '(&(flatname=XXXXX)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4702) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(runtime): uncaught exception - (9005, 'WERR_DNS_ERROR_RCODE_REFUSED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1500, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1405, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1110, in join_add_dns_records
    del_rec_buf)

He has examined the secrets.ldb and it doesn't contain the 'dn: flatname=XXXXX,cn=Primary Domains' object, even if he deletes it, it gets recreated without that object.

I have run out of ideas, I even joined a Samba machine to a 2012 DC (2008 function level) without problem, anybody got any ideas?

Rowland