L.P.H. van Belle
2019-Jun-27 07:49 UTC
[Samba] Problem to join Samba 4 DC an existing Windows AD
Hai Marcio,

I've checked the script output, that looks good.

Just two small comments:
- The hosts file: if your resolving is working correctly then you could remove the other DCs and FS from it, but it does not hurt if you keep it as is.
- As long as you are sure the DNS servers are ok and all needed zones are in these "proxy dns" servers, that should be fine also.
  (The often forgotten zone is _msdcs.your.domain.tld.)

I also saw Tim's reply today, and that's one I missed and the best way to go.

Greetz,

Louis


From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Wednesday 26 June 2019 17:06
To: L.P.H. van Belle
Subject: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD

Hi L.P.H van Belle

>And the windows version was?
Windows 2008 Server, 32 bits (not R2).
AD Functional level: Win 2008

Regards,

Márcio Bacci

-----------

On Wed, 26 Jun 2019 at 04:50, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hai,

This part:
Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br

I just noticed the same question (30 May 2019): https://www.spinics.net/lists/samba/msg157397.html
It looks like a bug in samba and it's not reported in bugzilla.

Can you run this for me so I can have a good look at this:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Just to make sure the linux side is set up correctly; anonymise where needed.

Can you report it @ https://bugzilla.samba.org, or I can report it for you, but I do want the requested info of the script also in the bug report, then it's much more complete.

And the windows version was?

Greetz,

Louis


From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Wednesday 26 June 2019 5:54
To: L.P.H. van Belle
Subject: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD

Hi,

>Question, does the Windows AD domain contain MS Exchange also?
No.

>And what does the wiki tell me.
>https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>There are three authentication methods you can use:
>samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
>samba-tool domain join samdom.example.com DC -k yes
>samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0
I tried the 3 ways above.

>I suggest this.
>kinit Administrator
>Then you know kerberos auth also works.
Kerberos is working properly.

root at samba4dc:~# kinit administrator at EMPRESA.COM.BR
Password for administrator at EMPRESA.COM.BR:

root at samba4dc:~# klist -l
Principal name                 Cache name
--------------                 ----------
administrator at EMPRESA.COM.BR FILE:/tmp/krb5cc_0

cat /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EMPRESA.COM.BR

>Now, if you keep having problems with it, and you're using your own compiled setup,
>then show the compile parameters, or ..
>remove the compiled version and use my repo (http://apt.van-belle.nl)
>and you can install 4.10.5 also on stretch with apt-get.
Now I have installed from the repository:

apt-get install apt-transport-https
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "# AptVanBelle repo for samba." | tee /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian stretch-samba410 main contrib non-free" | tee -a /etc/apt/sources.list.d/van-belle.list
apt-get update
apt-get install -t o=AptVanBelle samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user

samba -V
Version 4.10.5-Debian

netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      398/zabbix_agentd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      23945/smbd
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      550/lighttpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      655/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      23945/smbd
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      517/sshd
tcp6       0      0 :::10050                :::*                    LISTEN      398/zabbix_agentd
tcp6       0      0 :::139                  :::*                    LISTEN      23945/smbd
tcp6       0      0 :::81                   :::*                    LISTEN      550/lighttpd
tcp6       0      0 ::1:25                  :::*                    LISTEN      655/master
tcp6       0      0 :::445                  :::*                    LISTEN      23945/smbd
tcp6       0      0 :::20000                :::*                    LISTEN      517/sshd
udp        0      0 0.0.0.0:42969           0.0.0.0:*                           394/rsyslogd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           383/dhclient
udp        0      0 192.168.255.255:137     0.0.0.0:*                           23992/nmbd
udp        0      0 192.168.1.39:137        0.0.0.0:*                           23992/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           23992/nmbd
udp        0      0 192.168.255.255:138     0.0.0.0:*                           23992/nmbd
udp        0      0 192.168.1.39:138        0.0.0.0:*                           23992/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           23992/nmbd

But the problems continue:

root at samba4dc:~# samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
INFO 2019-06-26 00:22:49,231 pid:658 /usr/lib/python3/dist-packages/samba/join.py #103: Finding a writeable DC for domain 'empresa.com.br'
INFO 2019-06-26 00:22:49,241 pid:658 /usr/lib/python3/dist-packages/samba/join.py #105: Found DC windc1.empresa.com.br
Password for [EMPRESA\administrator]:
INFO 2019-06-26 00:22:58,016 pid:658 /usr/lib/python3/dist-packages/samba/join.py #1519: workgroup is EMPRESA
INFO 2019-06-26 00:22:58,016 pid:658 /usr/lib/python3/dist-packages/samba/join.py #1522: realm is empresa.com.br
Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Adding CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Deleted CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 669, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 594, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python3/dist-packages/samba/join.py", line 543, in DsAddEntry
    raise RuntimeError("DsAddEntry failed")

root at samba4dc:~# samba-tool domain join empresa.com.br DC -k yes
INFO 2019-06-26 00:24:18,926 pid:666 /usr/lib/python3/dist-packages/samba/join.py #103: Finding a writeable DC for domain 'empresa.com.br'
INFO 2019-06-26 00:24:18,934 pid:666 /usr/lib/python3/dist-packages/samba/join.py #105: Found DC windc1.empresa.com.br
INFO 2019-06-26 00:24:19,113 pid:666 /usr/lib/python3/dist-packages/samba/join.py #1519: workgroup is EMPRESA
INFO 2019-06-26 00:24:19,113 pid:666 /usr/lib/python3/dist-packages/samba/join.py #1522: realm is empresa.com.br
Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Adding CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Deleted CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 669, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 594, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python3/dist-packages/samba/join.py", line 543, in DsAddEntry
    raise RuntimeError("DsAddEntry failed")
root at samba4dc:~#

Do you have any other idea?

Regards,

Márcio Bacci

On Tue, 25 Jun 2019 at 11:20, L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai Marcio,

Please keep mailing to the list, that helps everybody. ;-)

Question, does the Windows AD domain contain MS Exchange also?

Ow, and my bad.. This: samba-tool domain tombstones expunge
You need to purge the tombstones on the windows server, but forget all that.

I had a new look and noticed:
root at samba4dc:/etc/init.d# samba-tool domain join empresa.com.br DC -Uadministrator --realm=empresa.com.br
(a bit of a strange folder also to be in..)

And what does the wiki tell me.
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
There are three authentication methods you can use:
samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
samba-tool domain join samdom.example.com DC -k yes
samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0

And yours, what is the difference.. ?
samba-tool domain join empresa.com.br DC -Uadministrator --realm=empresa.com.br

I suggest this.
kinit Administrator
Then you know kerberos auth also works.
Then try:
samba-tool domain join empresa.com.br DC -k yes
And kdestroy to remove the kerberos ticket.

Now, if you keep having problems with it, and you're using your own compiled setup,
then show the compile parameters, or ..
remove the compiled version and use my repo (http://apt.van-belle.nl)
and you can install 4.10.5 also on stretch with apt-get.

Greetz,

Louis

________________________________

From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Monday 24 June 2019 19:11
To: L.P.H. van Belle
Subject: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD

Hi,

Here are the results of the commands below, executed on the Samba 4 host:

>Maybe first run : samba-tool domain tombstones expunge
samba-tool domain tombstones expunge
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
dsdb_schema_from_db() failed: 32:No such object: dsdb_schema: failed to search attributeSchema and classSchema objects: No such Base DN: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
dsdb_get_schema: refresh_fn() failed
schema_load_init: dsdb_get_schema failed
module schema_load initialization failed : Operations error
module dsdb_notification initialization failed : Operations error
module rootdse initialization failed : Operations error
module samba_dsdb initialization failed : Operations error
Unable to load modules for tdb:///usr/local/samba/private/sam.ldb: schema_load_init: dsdb_get_schema failed
ERROR(ldb): uncaught exception - schema_load_init: dsdb_get_schema failed
  File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line 3913, in run
    credentials=creds, lp=lp)
  File "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/samba/lib/python3.5/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 82, in connect
    options=options)

>Check the DNS if any leftovers and check with RSAT also for leftovers.
There are no leftovers.

>Then run : samba-tool dbcheck --cross-nc
samba-tool dbcheck --cross-nc
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
dsdb_schema_from_db() failed: 32:No such object: dsdb_schema: failed to search attributeSchema and classSchema objects: No such Base DN: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
dsdb_get_schema: refresh_fn() failed
schema_load_init: dsdb_get_schema failed
module schema_load initialization failed : Operations error
module dsdb_notification initialization failed : Operations error
module rootdse initialization failed : Operations error
module samba_dsdb initialization failed : Operations error
Unable to load modules for tdb:///usr/local/samba/private/sam.ldb: schema_load_init: dsdb_get_schema failed
ERROR: Failed to connect to DB at None.  If this is a really old sam.ldb (before alpha9), then try again with --force-modules

>DNS domain = empresa.com.br and Kerberos domain = EMPRESA.COM.BR
>These are NOT the same.
OK.

root at samba4dc:~# cat /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EMPRESA.COM.BR

cat /etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 172.30.1.1 # is not the Windows DC
nameserver 172.30.1.2 # is not the Windows DC

We use bind as authoritative DNS. The Windows DC only receives updates from the bind servers.

Regards,

Márcio Bacci

On Mon, 24 Jun 2019 at 12:09, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> > ERROR(runtime): uncaught exception - (8639, "Failed to
> > process 'chunk' of
> > DRS replicated objects: DOS code 0x000021bf")

0x000021bf :
The replication operation failed because the target object referred by a link value is recycled.

Maybe first run : samba-tool domain tombstones expunge
Check the DNS if any leftovers and check with RSAT also for leftovers.
Then run : samba-tool dbcheck --cross-nc
Fix things where needed.
THEN join.

And use :
samba-tool domain join empresa.com.br DC -Uadministrator --realm=EMPRESA.COM.BR

DNS domain = empresa.com.br and Kerberos domain = EMPRESA.COM.BR
These are NOT the same.

Greetz,

Louis

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
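Two points in this exchange lend themselves to a pre-flight check before running samba-tool domain join: the _msdcs.your.domain.tld zone that Louis calls the most often forgotten one, and the rule that the Kerberos realm is the DNS domain in upper case. The script below is an added example, not code from this thread or from the Samba project. It enumerates the SRV and CNAME records a domain controller must be able to resolve (the set samba_dnsupdate keeps registered), classifies each as ok, missing or unreachable, and tells a missing zone apart from a single missing record. The resolver is injected; a constructed answer table stands in for real DNS here, and the assumption is that in production the caller wraps dig or dnspython in the same (name, rtype) -> [answers] shape.

```python
"""Pre-flight DNS check before 'samba-tool domain join <domain> DC'.

Added example, not code from this thread or from Samba. Assumption: the
caller supplies a resolver callable with the signature used below.
"""
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], List[str]]  # (name, rtype) -> answers, [] if absent


def required_dc_records(domain: str, dc_fqdn: str,
                        site: str = "Default-First-Site-Name",
                        domain_guid: Optional[str] = None,
                        ntds_guid: Optional[str] = None,
                        pdc: bool = False) -> List[Tuple[str, str]]:
    """Return (name, rtype) pairs that a DC in `domain` must be able to resolve.

    Everything under *._msdcs.<domain> lives in the _msdcs zone; when the AD
    zones are served by an external BIND, that zone is the one most often
    missing. The GUID-based names are only known after a join, so they are
    optional here.
    """
    d, s = domain.lower().rstrip("."), site
    srv = [
        f"_ldap._tcp.{d}", f"_ldap._tcp.{s}._sites.{d}",
        f"_ldap._tcp.dc._msdcs.{d}", f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
        f"_ldap._tcp.gc._msdcs.{d}", f"_ldap._tcp.{s}._sites.gc._msdcs.{d}",
        f"_gc._tcp.{d}", f"_gc._tcp.{s}._sites.{d}",
        f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}", f"_kerberos._tcp.{s}._sites.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}", f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}",
    ]
    if pdc:  # only the PDC emulator registers this one
        srv.append(f"_ldap._tcp.pdc._msdcs.{d}")
    if domain_guid:
        srv.append(f"_ldap._tcp.{domain_guid}.domains._msdcs.{d}")
    records = [(dc_fqdn.lower().rstrip("."), "A"), (d, "A")]
    records += [(name, "SRV") for name in srv]
    if ntds_guid:  # replication partners locate a DC through this CNAME
        records.append((f"{ntds_guid}._msdcs.{d}", "CNAME"))
    return records


def check_dc_dns(domain: str, dc_fqdn: str, resolve: Resolver,
                 **kwargs) -> Dict[str, List[str]]:
    """Classify every required record as 'ok', 'missing' or 'unreachable'.

    A name with no answer and a server that cannot be reached are different
    failures: samba_dnsupdate stops on the second ("Unable to contact a
    working DNS server") before it attempts any update.
    """
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "unreachable": []}
    for name, rtype in required_dc_records(domain, dc_fqdn, **kwargs):
        label = f"{rtype} {name}"
        try:
            answers = resolve(name, rtype)
        except OSError:  # the resolver wrapper signals timeouts/refusals this way
            report["unreachable"].append(label)
            continue
        report["ok" if answers else "missing"].append(label)
    return report


def msdcs_zone_missing(report: Dict[str, List[str]]) -> bool:
    """True when nothing under _msdcs resolves: the zone itself is absent."""
    under_msdcs = [r for r in report["ok"] + report["missing"] if "._msdcs." in r]
    return bool(under_msdcs) and all(r in report["missing"] for r in under_msdcs)


def realm_matches_domain(realm: str, domain: str) -> bool:
    """The Kerberos realm is the DNS domain in upper case (EMPRESA.COM.BR for
    empresa.com.br); kinit and the join both depend on that pairing."""
    return realm == domain.rstrip(".").upper()


# Constructed answer table (not real data): the base zone exists, the _msdcs
# zone was never created, and the server asked for _kerberos._udp never
# answers, which samba_dnsupdate reports as an unreachable DNS server.
SAMPLE_ANSWERS = {
    ("samba4dc1.empresa.com.br", "A"): ["192.168.1.19"],
    ("empresa.com.br", "A"): ["10.133.100.135"],
    ("_ldap._tcp.empresa.com.br", "SRV"): ["0 100 389 windc1.empresa.com.br."],
    ("_ldap._tcp.Default-First-Site-Name._sites.empresa.com.br", "SRV"):
        ["0 100 389 windc1.empresa.com.br."],
    ("_gc._tcp.empresa.com.br", "SRV"): ["0 100 3268 windc1.empresa.com.br."],
    ("_kerberos._tcp.empresa.com.br", "SRV"): ["0 100 88 windc1.empresa.com.br."],
    ("_kpasswd._tcp.empresa.com.br", "SRV"): ["0 100 464 windc1.empresa.com.br."],
    ("_kpasswd._udp.empresa.com.br", "SRV"): ["0 100 464 windc1.empresa.com.br."],
}


def sample_resolver(name: str, rtype: str) -> List[str]:
    if name.startswith("_kerberos._udp."):
        raise OSError("query timed out")
    return SAMPLE_ANSWERS.get((name, rtype), [])


if __name__ == "__main__":
    result = check_dc_dns("empresa.com.br", "samba4dc1.empresa.com.br", sample_resolver)
    for state in ("unreachable", "missing"):
        for rec in result[state]:
            print(f"{state:12s} {rec}")
    if msdcs_zone_missing(result):
        print("zone _msdcs.empresa.com.br appears to be missing entirely")
```

Run against a real resolver, an empty "missing" list and an empty "unreachable" list for every DC in the domain is what you want to see before the join; a report where everything under _msdcs is missing means the zone has to be created (and delegated or served) on the external DNS, not that one record needs adding.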
Marcio Demetrio Bacci
2019-Jun-27 15:32 UTC
[Samba] Problem to join Samba 4 DC an existing Windows AD
Hi,

I'm using Debian 9.9 and my DCs are Win 2008 Server (not R2). I intend to replace my Windows DC by a Samba 4 DC.

These are the dependency packages that I have installed:

apt-get install acl attr autoconf bind9utils bison build-essential
apt-get install debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user
apt-get install libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev
apt-get install libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev libjson-perl
apt-get install libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl
apt-get install libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config
apt-get install python-all-dev python-crypto python-dbg python-dev python-dnspython
apt-get install python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown
apt-get install python3-dev xsltproc zlib1g-dev liblmdb-dev lmdb-utils

I have installed by apt-get (Samba 4.5.16):

apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user

root at samba4dc1:~# cat /etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.1.1
nameserver 192.168.1.2

root at ubatuba:~# cat /etc/hosts
192.168.1.19 samba4dc1.empresa.com.br samba4dc1
10.133.100.135 windc1.empresa.com.br windc1
10.133.100.137 windc2.empresa.com.br windc2
192.168.1.4 srv-bkp.empresa.com.br srv-bkp

root at samba4dc1:~# cat /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EMPRESA.COM.BR

samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"

root at samba4dc1:~# cat /etc/samba/smb.conf
# Global parameters
[global]
    netbios name = SAMBA4DC1
    realm = EMPRESA.COM.BR
    workgroup = SAMBA4DC1
    server role = active directory domain controller

[netlogon]
    path = /var/lib/samba/sysvol/empresa.com.br/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Do I need to change my nsswitch.conf as follows?

passwd: files winbind
group: files winbind

The following services are running at this moment:

root at samba4dc1:~# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      393/zabbix_agentd
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      750/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      750/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      750/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      746/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      748/smbd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      752/samba
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      521/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      758/samba
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      752/samba
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      624/master
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      750/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      748/smbd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      746/samba
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      483/sshd
tcp6       0      0 :::10050                :::*                    LISTEN      393/zabbix_agentd
tcp6       0      0 :::3268                 :::*                    LISTEN      750/samba
tcp6       0      0 :::3269                 :::*                    LISTEN      750/samba
tcp6       0      0 :::389                  :::*                    LISTEN      750/samba
tcp6       0      0 :::135                  :::*                    LISTEN      746/samba
tcp6       0      0 :::139                  :::*                    LISTEN      748/smbd
tcp6       0      0 :::464                  :::*                    LISTEN      752/samba
tcp6       0      0 :::81                   :::*                    LISTEN      521/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      758/samba
tcp6       0      0 :::88                   :::*                    LISTEN      752/samba
tcp6       0      0 ::1:25                  :::*                    LISTEN      624/master
tcp6       0      0 :::636                  :::*                    LISTEN      750/samba
tcp6       0      0 :::445                  :::*                    LISTEN      748/smbd
tcp6       0      0 :::1024                 :::*                    LISTEN      746/samba
tcp6       0      0 :::20000                :::*                    LISTEN      483/sshd
udp        0      0 192.168.1.19:389        0.0.0.0:*                           751/samba
udp        0      0 0.0.0.0:389             0.0.0.0:*                           751/samba
udp        0      0 192.168.1.19:464        0.0.0.0:*                           752/samba
udp        0      0 0.0.0.0:464             0.0.0.0:*                           752/samba
udp        0      0 0.0.0.0:42524           0.0.0.0:*                           396/rsyslogd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           758/samba
udp        0      0 192.168.1.19:88         0.0.0.0:*                           752/samba
udp        0      0 0.0.0.0:88              0.0.0.0:*                           752/samba
udp        0      0 192.168.1.19:137        0.0.0.0:*                           747/samba
udp        0      0 192.168.1.255:137       0.0.0.0:*                           747/samba
udp        0      0 0.0.0.0:137             0.0.0.0:*                           747/samba
udp        0      0 192.168.1.19:138        0.0.0.0:*                           747/samba
udp        0      0 192.168.1.255:138       0.0.0.0:*                           747/samba
udp        0      0 0.0.0.0:138             0.0.0.0:*                           747/samba
udp6       0      0 :::389                  :::*                                751/samba
udp6       0      0 :::464                  :::*                                752/samba
udp6       0      0 :::53                   :::*                                758/samba
udp6       0      0 :::88                   :::*                                752/samba

Do I need to remove the service on port 53?
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      758/samba

There are errors in my Samba DC:

/etc/init.d/samba-ad-dc status
● samba-ad-dc.service - Samba AD Daemon
   Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-27 11:16:22 -03; 1h 2min ago
     Docs: man:samba(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 743 (samba)
   Status: "winbindd: ready to serve connections..."
    Tasks: 21 (limit: 4915)
   CGroup: /system.slice/samba-ad-dc.service
           ├─743 /usr/sbin/samba
           ├─745 /usr/sbin/samba
           ├─746 /usr/sbin/samba
           ├─747 /usr/sbin/samba
           ├─748 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─749 /usr/sbin/samba
           ├─750 /usr/sbin/samba
           ├─751 /usr/sbin/samba
           ├─752 /usr/sbin/samba
           ├─753 /usr/sbin/samba
           ├─754 /usr/sbin/samba
           ├─755 /usr/sbin/samba
           ├─756 /usr/sbin/samba
           ├─757 /usr/sbin/samba
           ├─758 /usr/sbin/samba
           ├─760 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─779 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─780 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─782 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─784 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           └─822 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460019, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: elif not check_dns_name(d):
jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460080, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 279, in check_dns_name
jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460229, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460346, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: Exception: Unable to contact a working DNS server while looking for SRV _kerberos._udp.empresa.com.br samba4dc.empresa.com.b?empresa.com.br.
jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.478843, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
jun 27 12:16:23 ubatuba samba[757]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 1
Hint: Some lines were ellipsized, use -l to show in full.

This is my /etc/named.conf on the primary DNS server:

root at dns1:~# cat /etc/bind/named.conf
options {
    directory "/etc/bind/";
    allow-transfer { 192.168.1.2; 10.133.100.135; 10.133.100.137; 192.168.1.19; };
    allow-update { 192.168.1.2; 10.133.100.135; 10.133.100.137; 192.168.1.19; };
    recursion yes;
    allow-recursion {0.0.0.0/0;};
};

zone "." { type hint; file "default/db.root"; };
zone "localhost" { type master; file "default/db.localhost"; };
zone "127.in-addr.arpa" { type master; file "default/db.127.0.0.0"; };

zone "empresa.com.br" { type master; file "db.empresa.com.br"; };
zone "100.133.10.in-addr.arpa" { type master; file "db.10.133.100.0"; };
zone "1.168.192.in-addr.arpa" { type master; file "db.192.168.0.0"; };

# Active Directory / Windows configuration
zone "_msdcs.empresa.com.br" { type master; file "/etc/bind/adzonas/_msdcs.empresa.com.br"; };
zone "_tcp.empresa.com.br" { type master; file "/etc/bind/adzonas/_tcp.empresa.com.br"; };
zone "_udp.empresa.com.br" { type master; file "/etc/bind/adzonas/_udp.empresa.com.br"; };
zone "_sites.empresa.com.br" { type master; file "/etc/bind/adzonas/_sites.empresa.com.br"; };
zone "ForestDNSZones.empresa.com.br" { type master; file "/etc/bind/adzonas/ForestDNSZones.empresa.com.br"; };
zone "DomainDNSZones.empresa.com.br" { type master; file "/etc/bind/adzonas/DomainDNSZones.empresa.com.br"; };

include "/etc/bind/named.conf.log";

The Windows DC servers aren't authoritative DNS.

Can anybody help me?

Regards,

Márcio Bacci

On Thu, 27 Jun 2019 at 04:51, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Hai Marcio,
>
> I've checked the script output, that looks good.
CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br > Adding CN=NTDS > Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br > DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, > 'WERR_DS_NO_CROSSREF_FOR_NC') > Join failed - cleaning up > Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br > Deleted > CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br > ERROR(runtime): uncaught exception - DsAddEntry failed > File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line > 185, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699, > in run > backend_store=backend_store) > File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in > join_DC > ctx.do_join() > File "/usr/lib/python3/dist-packages/samba/join.py", line 1427, in > do_join > ctx.join_add_objects() > File "/usr/lib/python3/dist-packages/samba/join.py", line 669, in > join_add_objects > ctx.join_add_ntdsdsa() > File "/usr/lib/python3/dist-packages/samba/join.py", line 594, in > join_add_ntdsdsa > ctx.DsAddEntry([rec]) > File "/usr/lib/python3/dist-packages/samba/join.py", line 543, in > DsAddEntry > raise RuntimeError("DsAddEntry failed") > root at samba4dc:~# > > Do you have any other idea ? > > > Regards, > > M?rcio Bacci > > > > > > > > > Em ter, 25 de jun de 2019 ?s 11:20, L.P.H. van Belle <belle at bazuin.nl> > escreveu: > > Hai Marcio, > > Please keep mailing to the list, that helps everybody. ;-) > > Question, does the Windows AD domain contain MS Exchange also? > Ow and my bad.. This : samba-tool domain tombstones expunge > You need to purge the tombstones on the windows server, > > but forget that all. 
> > I had a new look and noticed: > root at samba4dc:/etc/init.d# samba-tool domain join empresa.com.br DC > -Uadministrator --realm=empresa.com.br > ( a bit of a strange folder also to be in.. ) > > And what does the wiki tell me. > > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory > There are three authentication methods you can us: > > samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator" > samba-tool domain join samdom.example.com DC -k yes > samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0 > > And yours, what is the difference.. ? > samba-tool domain join empresa.com.br DC -Uadministrator --realm> empresa.com.br > > I suggest this. > Kinit Administrator > Then you know kerberos auth also works. > Then try : samba-tool domain join empresa.com.br DC -k yes > And kdestroy to remove the kerberos ticket. > > Now, if you keep having problems with it, and your using own compiled > setup, > Then show the compile parameters, or .. > Remove the compiled version and use my repo (http://apt.van-belle.nl) > And you can install 4.10.5 also on stretch with apt-get. > > > > Greetz, > > Louis > > > > ________________________________ > > Van: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com] > Verzonden: maandag 24 juni 2019 19:11 > Aan: L.P.H. 
van Belle > Onderwerp: Re: [Samba] Problem to join Samba 4 DC an existing > Windows AD > > > Hi, > > Follows the results of commands below executed in Samba 4: > > >Maybe first run : samba-tool domain tombstones expunge > > samba-tool domain tombstones expunge > Unable to determine the DomainSID, can not enforce uniqueness > constraint on local domainSIDs > > dsdb_schema_from_db() failed: 32:No such object: dsdb_schema: > failed to search attributeSchema and classSchema objects: No such Base DN: > CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br > dsdb_get_schema: refresh_fn() failed > schema_load_init: dsdb_get_schema failed > module schema_load initialization failed : Operations error > module dsdb_notification initialization failed : Operations error > module rootdse initialization failed : Operations error > module samba_dsdb initialization failed : Operations error > Unable to load modules for tdb:///usr/local/samba/private/sam.ldb: > schema_load_init: dsdb_get_schema failed > ERROR(ldb): uncaught exception - schema_load_init: dsdb_get_schema > failed > File > "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py", > line 185, in _run > return self.run(*args, **kwargs) > File > "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line > 3913, in run > credentials=creds, lp=lp) > File > "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 67, in > __init__ > options=options) > File > "/usr/local/samba/lib/python3.5/site-packages/samba/__init__.py", line 115, > in __init__ > self.connect(url, flags, options) > File > "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 82, in > connect > options=options) > > > > >Check the DNS if any leftovers and check with RSAT also for > leftovers. > There isn't leftovers. 
> > >Then run : samba-tool dbcheck --cross-nc > > samba-tool dbcheck --cross-nc > Unable to determine the DomainSID, can not enforce uniqueness > constraint on local domainSIDs > > dsdb_schema_from_db() failed: 32:No such object: dsdb_schema: > failed to search attributeSchema and classSchema objects: No such Base DN: > CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br > dsdb_get_schema: refresh_fn() failed > schema_load_init: dsdb_get_schema failed > module schema_load initialization failed : Operations error > module dsdb_notification initialization failed : Operations error > module rootdse initialization failed : Operations error > module samba_dsdb initialization failed : Operations error > Unable to load modules for tdb:///usr/local/samba/private/sam.ldb: > schema_load_init: dsdb_get_schema failed > ERROR: Failed to connect to DB at None. If this is a really old > sam.ldb (before alpha9), then try again with --force-modules > > > >DNS domain = empresa.com.br <http://empresa.com.br/> and > Kerberos domain = EMPRESA.COM.BR <http://empresa.com.br/> > >These are NOT the same. > > > OK. > > root at samba4dc:~# cat /etc/krb5.conf > [libdefaults] > dns_lookup_realm = false > dns_lookup_kdc = true > default_realm = EMPRESA.COM.BR > > > cat /etc/resolv.conf > domain empresa.com.br > search empresa.com.br > nameserver 172.30.1.1 # is not the Windows DC > nameserver 172.30.1.2 # is not the Windows DC > > > We use bind as authorative DNS. The Windows DC only receves > updates of the bind servers. > > Regards, > > M?rcio Bacci > > > Em seg, 24 de jun de 2019 ?s 12:09, L.P.H. van Belle via samba < > samba at lists.samba.org> escreveu: > > > > > > ERROR(runtime): uncaught exception - (8639, "Failed to > > > process 'chunk' of > > > DRS replicated objects: DOS code 0x000021bf") > > 0x000021bf : > The replication operation failed because the target object > referred by a link value is recycled. 
> Maybe first run : samba-tool domain tombstones expunge > Check the DNS if any leftovers and check with RSAT also > for leftovers. > > Then run : samba-tool dbcheck --cross-nc > Fix things where needed. > > THEN join. > > And use : > samba-tool domain join empresa.com.br DC -Uadministrator > --realm=EMPRESA.COM.BR > > DNS domain = empresa.com.br and Kerberos domain > EMPRESA.COM.BR > These are NOT the same. > > Greetz, > > Louis > > > -- > To unsubscribe from this list go to the following URL and > read the > instructions: > https://lists.samba.org/mailman/options/samba > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland penny
2019-Jun-27 15:59 UTC
[Samba] Problem to join Samba 4 DC an existing Windows AD
On 27/06/2019 16:32, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I'm using Debian 9.9 and my DC's are Win 2008 Server (isn't R2).
>
> I intend to replace my Windows DC by Samba 4 DC.
>
> Here follow the dependency packages that I have installed:
>
> apt-get install acl attr autoconf bind9utils bison build-essential
> apt-get install debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user
> apt-get install libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev
> apt-get install libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev libjson-perl
> apt-get install libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl
> apt-get install libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config
> apt-get install python-all-dev python-crypto python-dbg python-dev python-dnspython
> apt-get install python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown
> apt-get install python3-dev xsltproc zlib1g-dev liblmdb-dev lmdb-utils

I have no idea why you have installed all the 'dev' packages required to compile Samba and then installed the distro packages.

> I have installed by apt-get (Samba 4.5.16)
> apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
>
> root at samba4dc1:~# cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.1.1
> nameserver 192.168.1.2

I take it that 192.168.1.1 & 192.168.1.2 are your dns servers that hold all the dns records

> root at ubatuba:~# cat /etc/hosts
> 192.168.1.19 samba4dc1.empresa.com.br samba4dc1
> 10.133.100.135 windc1.empresa.com.br windc1
> 10.133.100.137 windc2.empresa.com.br windc2
> 192.168.1.4 srv-bkp.empresa.com.br srv-bkp

You should only have the record for the computer and localhost. E.g. if your computer's IP is 192.168.1.19 from above, /etc/hosts should be this:

127.0.0.1 localhost
192.168.1.19 samba4dc1.empresa.com.br samba4dc1

> root at samba4dc1:~# cat /etc/krb5.conf
> [libdefaults]
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         default_realm = EMPRESA.COM.BR
>
> samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
>
> root at samba4dc1:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         netbios name = SAMBA4DC1
>         realm = EMPRESA.COM.BR
>         workgroup = SAMBA4DC1
>         server role = active directory domain controller
>
> [netlogon]
>         path = /var/lib/samba/sysvol/empresa.com.br/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat
> group:          compat
> shadow:         compat
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> Do I need to change my nsswitch.conf as follows?
>
> passwd: files winbind
> group: files winbind

Only if you want users to login into the DC.

> The following services are running at this moment
>
> root at samba4dc1:~# netstat -lntup
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      393/zabbix_agentd
> tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      750/samba
> tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      750/samba
> tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      750/samba
> tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      746/samba
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      748/smbd
> tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      752/samba
> tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      521/lighttpd
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      758/samba
> tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      752/samba
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      624/master
> tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      750/samba
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      748/smbd
> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      746/samba
> tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      483/sshd
> tcp6       0      0 :::10050                :::*                    LISTEN      393/zabbix_agentd
> tcp6       0      0 :::3268                 :::*                    LISTEN      750/samba
> tcp6       0      0 :::3269                 :::*                    LISTEN      750/samba
> tcp6       0      0 :::389                  :::*                    LISTEN      750/samba
> tcp6       0      0 :::135                  :::*                    LISTEN      746/samba
> tcp6       0      0 :::139                  :::*                    LISTEN      748/smbd
> tcp6       0      0 :::464                  :::*                    LISTEN      752/samba
> tcp6       0      0 :::81                   :::*                    LISTEN      521/lighttpd
> tcp6       0      0 :::53                   :::*                    LISTEN      758/samba
> tcp6       0      0 :::88                   :::*                    LISTEN      752/samba
> tcp6       0      0 ::1:25                  :::*                    LISTEN      624/master
> tcp6       0      0 :::636                  :::*                    LISTEN      750/samba
> tcp6       0      0 :::445                  :::*                    LISTEN      748/smbd
> tcp6       0      0 :::1024                 :::*                    LISTEN      746/samba
> tcp6       0      0 :::20000                :::*                    LISTEN      483/sshd
> udp        0      0 192.168.1.19:389        0.0.0.0:*                           751/samba
> udp        0      0 0.0.0.0:389             0.0.0.0:*                           751/samba
> udp        0      0 192.168.1.19:464        0.0.0.0:*                           752/samba
> udp        0      0 0.0.0.0:464             0.0.0.0:*                           752/samba
> udp        0      0 0.0.0.0:42524           0.0.0.0:*                           396/rsyslogd
> udp        0      0 0.0.0.0:53              0.0.0.0:*                           758/samba
> udp        0      0 192.168.1.19:88         0.0.0.0:*                           752/samba
> udp        0      0 0.0.0.0:88              0.0.0.0:*                           752/samba
> udp        0      0 192.168.1.19:137        0.0.0.0:*                           747/samba
> udp        0      0 192.168.1.255:137       0.0.0.0:*                           747/samba
> udp        0      0 0.0.0.0:137             0.0.0.0:*                           747/samba
> udp        0      0 192.168.1.19:138        0.0.0.0:*                           747/samba
> udp        0      0 192.168.1.255:138       0.0.0.0:*                           747/samba
> udp        0      0 0.0.0.0:138             0.0.0.0:*                           747/samba
> udp6       0      0 :::389                  :::*                                751/samba
> udp6       0      0 :::464                  :::*                                752/samba
> udp6       0      0 :::53                   :::*                                758/samba
> udp6       0      0 :::88                   :::*                                752/samba
>
> Do I need to remove the service on port 53?
>
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      758/samba

NO

> There are errors in my Samba DC:
>
> /etc/init.d/samba-ad-dc status
> ● samba-ad-dc.service - Samba AD Daemon
>    Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
>    Active: active (running) since Thu 2019-06-27 11:16:22 -03; 1h 2min ago
>      Docs: man:samba(8)
>            man:samba(7)
>            man:smb.conf(5)
>  Main PID: 743 (samba)
>    Status: "winbindd: ready to serve connections..."
>     Tasks: 21 (limit: 4915)
>    CGroup: /system.slice/samba-ad-dc.service
>            ├─743 /usr/sbin/samba
>            ├─745 /usr/sbin/samba
>            ├─746 /usr/sbin/samba
>            ├─747 /usr/sbin/samba
>            ├─748 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─749 /usr/sbin/samba
>            ├─750 /usr/sbin/samba
>            ├─751 /usr/sbin/samba
>            ├─752 /usr/sbin/samba
>            ├─753 /usr/sbin/samba
>            ├─754 /usr/sbin/samba
>            ├─755 /usr/sbin/samba
>            ├─756 /usr/sbin/samba
>            ├─757 /usr/sbin/samba
>            ├─758 /usr/sbin/samba
>            ├─760 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>            ├─779 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─780 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─782 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─784 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>            └─822 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460019,  0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]:   /usr/sbin/samba_dnsupdate: elif not check_dns_name(d):
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460080,  0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]:   /usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 279, in check_dns_name
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460229,  0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]:   /usr/sbin/samba_dnsupdate: raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460346,  0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]:   /usr/sbin/samba_dnsupdate: Exception: Unable to contact a working DNS server while looking for SRV _kerberos._udp.empresa.com.br samba4dc.empresa.com.b?empresa.com.br.
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.478843,  0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> jun 27 12:16:23 ubatuba samba[757]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 1
> Hint: Some lines were ellipsized, use -l to show in full.
>
>
> This is my /etc/named.conf on the DNS primary server
>
> root at dns1:~# cat /etc/bind/named.conf
>
> options {
>         directory "/etc/bind/";
>         allow-transfer {
>                 192.168.1.2;
>                 10.133.100.135;
>                 10.133.100.137;
>                 192.168.1.19;
>         };
>         allow-update {
>                 192.168.1.2;
>                 10.133.100.135;
>                 10.133.100.137;
>                 192.168.1.19;
>         };
>         recursion yes;
>         allow-recursion {0.0.0.0/0;};
> };
>
> zone "." {
>         type hint;
>         file "default/db.root";
> };
>
> zone "localhost" {
>         type master;
>         file "default/db.localhost";
> };
>
> zone "127.in-addr.arpa" {
>         type master;
>         file "default/db.127.0.0.0";
> };
>
> zone "empresa.com.br" {
>         type master;
>         file "db.empresa.com.br";
> };
>
> zone "100.133.10.in-addr.arpa" {
>         type master;
>         file "db.10.133.100.0";
> };
>
> zone "1.168.192.in-addr.arpa" {
>         type master;
>         file "db.192.168.0.0";
> };
>
>
> # Active Directory / Windows configuration
> zone "_msdcs.empresa.com.br" {
>         type master;
>         file "/etc/bind/adzonas/_msdcs.empresa.com.br";
> };
>
> zone "_tcp.empresa.com.br" {
>         type master;
>         file "/etc/bind/adzonas/_tcp.empresa.com.br";
> };
>
> zone "_udp.empresa.com.br" {
>         type master;
>         file "/etc/bind/adzonas/_udp.empresa.com.br";
> };
>
> zone "_sites.empresa.com.br" {
>         type master;
>         file "/etc/bind/adzonas/_sites.empresa.com.br";
> };
>
> zone "ForestDNSZones.empresa.com.br" {
>         type master;
>         file "/etc/bind/adzonas/ForestDNSZones.empresa.com.br";
> };
>
> zone "DomainDNSZones.empresa.com.br" {
>         type master;
>         file "/etc/bind/adzonas/DomainDNSZones.empresa.com.br";
> };
>
> include "/etc/bind/named.conf.log";

Those are 'flatfiles' and from what you seem to be saying are not on a DC.

> The Windows DC servers aren't authoritative DNS.

I think that might be your problem, a Samba AD DC expects every DC to be authoritative for the DNS domain

Rowland
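The thread above boils down to three preconditions that a DC join silently depends on: every AD SRV record (including the `_msdcs` names Louis calls the "often forgotten zone", and `_kerberos._udp`, which is the record the `samba_dnsupdate` log could not find) must be answered by the nameservers in `/etc/resolv.conf`; the Kerberos realm must be the upper-case form of the DNS domain; and `/etc/hosts` must not carry entries for the other DCs. The script below is an added example that checks those three things before running `samba-tool domain join`. It is not Samba code and not code posted by anyone in the thread; the SRV list is the standard set every AD DC registers, the sample zone and sample `/etc/hosts` are constructed for illustration, and the live-resolver hook assumes dnspython 2.x (the `python3-dnspython` package already in the poster's install list).

```python
"""Pre-join DNS/Kerberos/hosts sanity checks for a Samba AD DC.
Added example for this thread, not Samba code and not code posted in the thread.
The SRV list, the sample zone and the sample /etc/hosts are constructed."""
from typing import Callable, Dict, List, Tuple

SrvRecord = Tuple[int, int, int, str]        # priority, weight, port, target
Resolver = Callable[[str], List[SrvRecord]]  # name -> SRV answers ([] if none)

# Domain-wide SRV names every AD DC registers (the set samba_dnsupdate maintains
# on a Samba DC; the per-site _sites.<domain> names are left out for brevity).
# The _msdcs entries are the ones most often missing from a hand-maintained zone.
REQUIRED_SRV = (
    "_ldap._tcp.{d}",
    "_ldap._tcp.dc._msdcs.{d}",
    "_ldap._tcp.pdc._msdcs.{d}",
    "_ldap._tcp.gc._msdcs.{d}",
    "_gc._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kerberos._udp.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_kpasswd._tcp.{d}",
    "_kpasswd._udp.{d}",
)

def expected_srv_names(domain: str) -> List[str]:
    """SRV owner names a DC join looks up, lower-cased, without trailing dot."""
    d = domain.rstrip(".").lower()
    return [t.format(d=d) for t in REQUIRED_SRV]

def missing_srv(domain: str, resolve: Resolver) -> List[str]:
    """Names with no SRV answer; an empty list means the zone is complete."""
    return [n for n in expected_srv_names(domain) if not resolve(n)]

def realm_problems(realm: str, domain: str) -> List[str]:
    """The Kerberos realm is case-sensitive and must be the DNS domain in upper case."""
    problems, d = [], domain.rstrip(".").lower()
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper-case")
    if realm.lower() != d:
        problems.append(f"realm {realm!r} does not match DNS domain {d!r}")
    return problems

def hosts_problems(hosts_text: str, own_ip: str, own_fqdn: str) -> List[str]:
    """Flag /etc/hosts lines beyond localhost and this host; other DCs must come from DNS."""
    problems, own_seen = [], False
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1"):
            continue
        if ip == own_ip and own_fqdn in names:
            own_seen = True
            continue
        problems.append("extra entry: " + " ".join([ip, *names]))
    if not own_seen:
        problems.append(f"no entry mapping {own_ip} to {own_fqdn}")
    return problems

def dict_resolver(zone: Dict[str, List[SrvRecord]]) -> Resolver:
    """Offline resolver backed by a dict, for tests and dry runs."""
    return lambda name: zone.get(name.rstrip(".").lower(), [])

def dnspython_resolver(nameservers: List[str]) -> Resolver:
    """Live resolver; assumes dnspython >= 2.0 (Debian package python3-dnspython)."""
    import dns.resolver  # imported lazily so the offline checks need no dependency
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = nameservers

    def resolve(name: str) -> List[SrvRecord]:
        try:
            answer = r.resolve(name, "SRV")
        except Exception:  # NXDOMAIN, NoAnswer, timeout: all mean "not published"
            return []
        return [(rr.priority, rr.weight, rr.port, rr.target.to_text()) for rr in answer]
    return resolve

# Constructed sample data: a zone publishing everything except _kerberos._udp
# (the record the samba_dnsupdate log above could not find; ports are placeholders)
# and the /etc/hosts posted in the thread.
DOMAIN = "empresa.com.br"
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    n: [(0, 100, 389, "windc1.empresa.com.br.")] for n in expected_srv_names(DOMAIN)}
del SAMPLE_ZONE["_kerberos._udp.empresa.com.br"]
SAMPLE_HOSTS = """127.0.0.1 localhost
192.168.1.19 samba4dc1.empresa.com.br samba4dc1
10.133.100.135 windc1.empresa.com.br windc1
10.133.100.137 windc2.empresa.com.br windc2
192.168.1.4 srv-bkp.empresa.com.br srv-bkp
"""

if __name__ == "__main__":
    for m in missing_srv(DOMAIN, dict_resolver(SAMPLE_ZONE)):
        print("missing SRV:", m)
    for p in realm_problems("EMPRESA.COM.BR", DOMAIN) + hosts_problems(
            SAMPLE_HOSTS, "192.168.1.19", "samba4dc1.empresa.com.br"):
        print("problem:", p)
```

For a live check, replace `dict_resolver(SAMPLE_ZONE)` with `dnspython_resolver(["192.168.1.1", "192.168.1.2"])` (the nameservers from the poster's `resolv.conf`) and run it once against each nameserver; an SRV name that resolves on one server but not the other is exactly the kind of inconsistency that makes `samba_dnsupdate` fail intermittently. Separately from the join itself, the posted `named.conf` accepts dynamic updates on source IP alone (`allow-update` with no TSIG or GSS-TSIG key) and allows recursion from `0.0.0.0/0`; both are worth tightening once the DC is in place, since a DC's DNS zone is a high-value target.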
Rowland penny
2019-Jul-04 13:55 UTC
[Samba] Problem to join Samba 4 DC an existing Windows AD
On 04/07/2019 14:47, Marcio Demetrio Bacci wrote:
> Hi
>
> >I think that might be your problem, a Samba AD DC expects every DC to be
> >authoritative for the DNS domain
>
> I solved DNS problems and apparently it's working OK.
>
> Thank you very much
>
> Regards,
>
> Márcio

Care to tell us how you fixed it, for posterity?

Rowland