Hi Barry,

We know Exchange might be a problem, the others I don't know.
Check the Windows schema levels.
https://wiki.samba.org/index.php/AD_Schema_Version_Support

You could try a clean setup as shown by my howto.

Before you install, set up the IP and hostname in the Windows DNS for the Linux server.
Make sure you use a name that's never used before, just to be sure of no side effects.

Then follow this to the letter. ( so use bind9_dlz )
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
Line 31, use the Windows DCs' IPs.
Line 47, use the same time server as the Windows DCs.
Until line 259, the provisioning line, change that to join.
And proceed with the steps.

> -----Original message-----
> Subject: [Samba] Setup a Samba AD DC as an additional DC
>
> > 2008 Member - MS Exchange 2010
>
> >BOING!!! ^^^^^^^^^^^
>
> >From my knowledge, you cannot use exchange with a Samba DC.
>
> My original plan was a stepped approach. Recall I created a
> Samba Member Server. Created a Share, entered GID, UID for
> all users and groups, but we could not get the member server
> to ever see those users/groups.

That's a misconfig in your setup.

> I can connect to that share from windows clients, but I have
> to connect as the administrator (who is mapped to root). I
> set ACLs with Windows Tools, and Windows still looks at them
> as there, but they do not function because we never could.
>
> The Thread is:
> getenv does not return any AD DOMAIN users or groups -
> ?nsswitch is not setup for Samba?
>
> I am going to migrate away from Exchange. In fact MailEnable
> has completed implementation of mail delivery to public
> folders so I can go ahead and do that. Louis however
> recommended Kopano. I had considered and dismissed it as too
> expensive. I was trying to see if it was available as Open
> Source or if there was a subscription that would Not be expensive.

Kopano community version is free, so can't be cheaper.
https://kopano.io/
Downloads: https://download.kopano.io/community/
Debian buster will get kopano. ( at least let's hope so )
https://packages.debian.org/search?keywords=kopano-core

> For the moment if we could go back to the Member Server and get it working I had started
> that to create a Replicated Storage Volume as we are having trouble with Microsoft DFS Replicated folders.

A Linux member or Windows member?
I think I can make some extra time tomorrow and I'll make a member howto also for Ubuntu, and I'll update the current stretch version to 4.8/4.9.

So far,

Greetz,
Louis
No, there is a simple problem and solution to get IDs.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_the_Name_Service_Switch

For the member:
apt-get install libnss-winbind libpam-winbind

Change /etc/nsswitch.conf:
passwd: compat systemd winbind
group: compat systemd winbind

Run pam-auth-update.
And for testing set these to yes in smb.conf:
winbind enum users = no
winbind enum groups = no

And here you go, all your users ;-)
Set it back to no and then use getent passwd username. ;-)

Greetz,
Louis

> -----Original message-----
> From: Barry D. Adkins [mailto:Barry at daram.com]
> Sent: Thursday 29 November 2018 16:09
> To: L.P.H. van Belle
> Subject: RE: [Samba] Setup a Samba AD DC as an additional DC
>
> I will follow your instructions.
>
> As for this:
>
> >> For the moment if we could go back to the Member Server and get it working I had started
> >> that to create a Replicated Storage Volume as we are having trouble with Microsoft DFS Replicated folders.
> >A Linux member or Windows member?
> >I think I can make some extra time tomorrow and I'll make a member howto also for Ubuntu, and I'll update the current stretch version to 4.8/4.9.
>
> I joined a Samba Member Server to the Windows AD Domain. We
> had problems with user/group retrieval/connection.
>
> That was this thread:
> " getenv does not return any AD DOMAIN users or groups -
> ?nsswitch is not setup for Samba?"
>
> It was suggested to overcome that problem to create a Samba
> DC. That’s why we are doing that. Eventually, I hope to
> have no Microsoft servers. eMail maybe just the Windows OS
> depending on if I can get a Linux Mail server with the
> functionality we need.
>
> -Barry Adkins
On Thu, 29 Nov 2018 16:15:24 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> No, there is a simple problem and solution to get id.s
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_the_Name_Service_Switch
>
> For the member,
> apt-get install libnss-winbind libpam-winbind
>
> change /etc/nsswitch.conf
> passwd: compat systemd winbind
> group: compat systemd winbind
>
> Run pam-auth-update
> And for testing set these to yes in smb.conf
> winbind enum users = no
> winbind enum groups = no

Er, why would you add default settings that do nothing?
Changing 'no' to 'yes' would make sense ;-)

Rowland
Yes, you're totally correct, but readability gets higher prio for me than not showing defaults in my setup.
It's just a bit easier to read and it does no harm.

This is also why my configs have lines like this:
# Keep no in production, set yes when debugging, this slows down your samba.

Readability is also a big thing, and often forgotten/misplaced.

Greetz,
Louis
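Added example, not part of the thread or of Louis's howto: a shell check for the member-server settings discussed above, namely that winbind is listed for passwd and group in nsswitch.conf and that the winbind enum options were set back to no after testing. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a domain member's NSS and winbind settings.

# nss_has_winbind FILE DB: succeed if "winbind" is a source for DB (passwd, group)
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                       # drop comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# smb_param FILE NAME: print the lowercased value of NAME (last occurrence wins)
smb_param() {
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }                   # smb.conf comment lines
        NF >= 2 {
            key = tolower($1); val = tolower($2)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) last = val
        }
        END { print last }' "$1"
}

# audit_member NSSWITCH SMBCONF: print findings, return how many there were
audit_member() {
    findings=0
    for db in passwd group; do
        nss_has_winbind "$1" "$db" && continue
        echo "nsswitch.conf: $db lacks winbind, domain accounts will not resolve"
        findings=$((findings + 1))
    done
    for p in "winbind enum users" "winbind enum groups"; do
        case "$(smb_param "$2" "$p")" in
            yes|true|1)
                echo "smb.conf: $p is enabled; a testing setting, set it back to no"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed sample files: group misses winbind, enum users left on after testing
tmp=$(mktemp -d)
printf 'passwd: compat systemd winbind\ngroup:  compat systemd\n' > "$tmp/nsswitch.conf"
printf '[global]\n  security = ads\n  winbind enum users = yes\n  winbind enum groups = no\n' > "$tmp/smb.conf"
audit_member "$tmp/nsswitch.conf" "$tmp/smb.conf" || echo "findings: $?"
```

On a real member, point it at /etc/nsswitch.conf and the smb.conf in use, then confirm with getent passwd username as described above.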
>We know about exchange might be a problem, the others i dont know..
>Check the windows schema levels.
>https://wiki.samba.org/index.php/AD_Schema_Version_Support

56 = Windows Server 2012

What the heck... I'm getting better at it... I'll start over again and follow your how to.

-Barry
I have not proceeded past loading your files as it is complaining about Clearsigned file invalid, etc...:

:~$ sudo wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | sudo apt-key add -
--2018-11-30 00:03:40-- http://apt.van-belle.nl/louis-van-belle.gpg-key.asc
Resolving apt.van-belle.nl (apt.van-belle.nl)... 149.210.206.148, 2a01:7c8:aab6:5ab:5054:ff:feff:ae66
Connecting to apt.van-belle.nl (apt.van-belle.nl)|149.210.206.148|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8684 (8.5K) [text/plain]
Saving to: ‘STDOUT’

- 100%[===================>] 8.48K --.-KB/s in 0s

2018-11-30 00:03:40 (179 MB/s) - written to stdout [8684/8684]

OK
:~$ sudo apt-get update
Hit:1 http://ubuntu.mirrors.tds.net/ubuntu bionic InRelease
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
Get:4 http://archive.ubuntu.com/ubuntu bionic-security InRelease [83.2 kB]
Get:3 http://apt.van-belle.nl/debian?bionic-samba49 main InRelease [1,242 B]
Err:3 http://apt.van-belle.nl/debian?bionic-samba49 main InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Get:5 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Reading package lists... Done
E: Failed to fetch http://apt.van-belle.nl/debian?bionic-samba49/dists/main/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: The repository 'http://apt.van-belle.nl/debian?bionic-samba49 main InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

************
Also, since I'm stopped for now... you had me create a resolv.conf file here: /etc/systemd/resolv.conf
Yet Ubuntu has it here: /etc/resolv.conf AND.... that is a "read only" file as it is dynamically updated as Ubuntu uses Netplan... I have not uninstalled resolvd as I did before under other guidance.

I created the file you directed in the How-to, but I don't think it is doing anything. Nevertheless there is NO problem resolving to whatever valid DNS name used in nslookup.

I did not want to proceed until you let me know if there is something wrong with how I am retrieving your packages.

-Barry Adkins
Aah... You copied the instruction from the list mail, one where out of the blue "??" are in..

http://apt.van-belle.nl/debian?bionic-samba49 main InRelease
Should be
http://apt.van-belle.nl/debian/bionic-samba49 main InRelease

So change the ? to / in the apt file ;-) and proceed..

Greetz,
Louis
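Added example, not part of the thread: a shell lint for one-line apt source entries pasted from mail, which flags the stray ? seen in the error above, non-ASCII bytes, and options that switch off signature checking where the fix is to correct the URL. The function names and the sample file are constructed; trusted=yes and allow-insecure=yes are the option names from sources.list(5).

```shell
#!/bin/sh
# Added example: lint one-line apt source entries before running apt-get update.

# lint_entry LINE: print one finding per problem, return the number of findings
lint_entry() {
    line=$1
    n=0
    case "$line" in ''|'#'*) return 0 ;; esac            # blank line or comment
    # Bytes outside ASCII, e.g. a non-breaking space pasted from a mail client
    if printf '%s\n' "$line" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
        echo "non-ASCII byte in entry"; n=$((n + 1))
    fi
    # [options] block that turns off signature verification for this source
    opts=$(printf '%s\n' "$line" | sed -n 's/^[^[]*\[\([^]]*\)\].*/\1/p')
    case " $opts " in
        *" trusted=yes "*|*" allow-insecure=yes "*)
            echo "signature checking disabled by option"; n=$((n + 1)) ;;
    esac
    # The URI is the field after the type, once any [options] block is removed
    uri=$(printf '%s\n' "$line" | sed 's/\[[^]]*\]//' | awk '{ print $2 }')
    case "$uri" in
        *'?'*|*'#'*) echo "query or fragment character in URI: $uri"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# lint_sources FILE: lint every entry, print "lineno: finding", return the total
lint_sources() {
    total=0
    lineno=0
    while IFS= read -r entry; do
        lineno=$((lineno + 1))
        out=$(lint_entry "$entry") || total=$((total + $?))
        [ -n "$out" ] && printf '%s\n' "$out" | sed "s/^/$lineno: /"
    done < "$1"
    return "$total"
}

tmp=$(mktemp -d)
cat > "$tmp/sample.list" <<'EOF'
# constructed sample; the first entry carries the URI from the apt-get update error
deb http://apt.van-belle.nl/debian?bionic-samba49 main
deb [trusted=yes] http://apt.van-belle.nl/debian/bionic-samba49 main
deb http://archive.ubuntu.com/ubuntu bionic main
EOF
lint_sources "$tmp/sample.list" || echo "total findings: $?"
```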
On Fri, 30 Nov 2018 06:11:18 +0000 "Barry D. Adkins via samba" <samba at lists.samba.org> wrote:

> Also, since I'm stopped for now... you had me create a resolv.conf
> file here: /etc/systemd/resolv.conf Yet Ubuntu has it
> here: /etc/resolv.conf AND.... that is a "read only" file as it is
> dynamically updated as Ubuntu uses Netplan... I have not uninstalled
> resolvd as I did before under other guidance.

It is a link to another file and there is an easy fix:

sudo apt install ifupdown
sudo apt remove nplan
Configure /etc/network/interfaces
sudo rm -f /etc/resolv.conf
sudo nano /etc/resolv.conf

But this is all in my Ubuntu install instructions that I sent you ;-)

Rowland
Same problem. Can't join as AD DC. Secrets file missing the Machine Secret:

If the problem is MS Exchange, then I'll have to hold off until I can dump Exchange and get Kopano or something else.

Still getting this:

ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Replicating DC=ForestDnsZones,DC=daram,DC=com
Partition[DC=ForestDnsZones,DC=daram,DC=com] objects[211/211] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=daram,DC=com] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for HOUDCU01.daram.com
Adding DNS A record HOUDCU01.daram.com for IPv4 IP: 131.192.176.40
Adding DNS CNAME record 96198a82-8847-4a60-ae00-bfbbb0e78bd4._msdcs.daram.com for HOUDCU01.daram.com
Join failed - cleaning up
Deleted CN=RID Set,CN=HOUDCU01,OU=Domain Controllers,DC=daram,DC=com
Deleted CN=HOUDCU01,OU=Domain Controllers,DC=daram,DC=com
Deleted CN=NTDS Settings,CN=HOUDCU01,CN=Servers,CN=Houston,CN=Sites,CN=Configuration,DC=daram,DC=com
Deleted CN=HOUDCU01,CN=Servers,CN=Houston,CN=Sites,CN=Configuration,DC=daram,DC=com
Deleted DC=HOUDCU01,DC=daram.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=daram,DC=com
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1500, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1405, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1164, in join_add_dns_records
    None)

>We know about exchange might be a problem, the others i dont know..
>Check the windows schema levels.
>https://wiki.samba.org/index.php/AD_Schema_Version_Support
>
>You could try a clean setup as shown by my howto.
>
>Before you install setup ip and hostname in the windows DNS for the linux server.
>Make sure you use a name thats never used before, just to be sure of no side effects.
>
>Then follow this to the letter. ( so use bind9_dlz )
>https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
>Line 31, use the windows DC's ip's
>Line 47, use the same time server as the windows DC's.
>Until line 259, the provisioning line, change that to join.
>And proceed with the steps.
>
> -----Original message-----
> Subject: [Samba] Setup a Samba AD DC as an additional DC
>
> > 2008 Member - MS Exchange 2010
>
> >BOING!!! ^^^^^^^^^^^
>
> >From my knowledge, you cannot use exchange with a Samba DC.

-Barry Adkins