Hai,

I re-checked your config, that looks all good, few minor things.

Now, I noticed this in Andrew's comment.
Quote:
The problem here is that Samba's python libraries are trying to find
the DNS record they just added over RPC, but can't using LDAP. They do
this to fix the ownership of the records, as otherwise they will be
owned by the administrator, not the DC.

What is in /etc/ldap/ldap.conf
Does it have: TLS_REQCERT allow ?
If not, add it.

Then one small thing.. /etc/hosts, Rowland also mentioned it.
Remove the # from the localhost line, enable it, it's the default, keep it there.
I also notice you removed the IPv6 parts, that is not wrong, but for future things, I suggest you leave it in.
I have not seen problems with distro upgrades with samba, but I have seen it with mail/spamassassin.
That if IPv6 was disabled, dist-upgrades failed, but easy to fix if you know how.

That is why I really suggest you set up your hosts file like this.

/etc/hosts
127.0.0.1       localhost
192.168.1.19    samba4-dc3.empresa.com.br samba4-dc3

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Can you try to join like this.
The verbose and -d output might show a bit more, it might help finding what is off.

kinit administrator
samba-tool domain join empresa.com.br DC -k yes --server=samba4-dc1.empresa.com.br --verbose -d5

One more option to try is, set in both DCs this parameter.
ldap server require strong auth = no

Purely for this join test.

If that all fails, post the output and all I can say then is:
you have, as far as I can tell atm, 2 options left.

1) try a join with bind9_dlz as backend, follow the steps below.
I never used the internal DNS of samba, I use bind9_dlz as of samba 4.1, why, because I need bind. Simple.

Setup the bind config, I'll show a minimal bind9 setup so we can test this also.

apt install bind9 bind9utils

cp -R /etc/bind{,.org-debian}

editor /etc/bind/named.conf.options

And set the following in "global/options" (adjust the defaults, keep everything else as is).

    dnssec-validation no;
    listen-on-v6 { "none"; };
    empty-zones-enable no;
    auth-nxdomain yes;

    // DNS dynamic updates via Kerberos (optional, but recommended)
    // check where your dns.keytab is and enable that line.
    //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

Then add this just below the global part, this matches the debian defaults.

    include "/etc/bind/rndc.key";
    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
        // inet ::1 allow { ::1; } keys { rndc-key; };
    };

Save it.

cat << EOF >> /etc/bind/named.conf.local
// Adding the dlopen (Bind DLZ) module for samba.
// At install debian already sets the correct bind9.XX version in this file below.
// Source installs might need to change the path to named.conf and check if the content matches the bind version.
include "/var/lib/samba/private/named.conf";

EOF

Adjust bind so it starts with IPv4 only to match the above settings.
sed -i 's/OPTIONS="-u bind"/OPTIONS="-u bind -4"/g' /etc/default/bind9

# avoid bind reload problems with samba.
echo "[Service] ExecReload> /etc/systemd/system/bind9.service.d/override.conf

systemctl daemon-reload
systemctl restart bind9

And check the startup.
systemctl status bind9

Now let's try to join again.
samba-tool domain join empresa.com.br DC -k yes --server=samba4-dc1.empresa.com.br --dns-backend=BIND9_DLZ --verbose -d3

2) upgrade the samba-ad-dc from 4.5.16 to 4.8, then 4.9, then to 4.10.
I know the upgrade path is safe, all my servers have done this,
I upgraded from 4.1 all the way up to 4.10 now.
You enabled my repo, then enable the stretch-samba48
Upgrade.
Run: samba-tool dbcheck --cross-nc
Fix if needed.

systemctl stop samba-ad-dc && systemctl start samba-ad-dc
Run again: samba-tool dbcheck --cross-nc
All fixed, 0 errors.

Upgrade to 4.9.
Repeat for 4.10.

Your configs are checked, if you want a re-check on that before you upgrade,
to be more convinced these are good, then get the debug script again and post the output again.

And just one last question.
You installed a new server, why did you not choose debian buster but installed debian stretch?
Just interested in your answer here, because I would have installed debian buster.
It would have saved you from one release upgrade, as said, just wondering.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Demetrio Bacci via samba
> Sent: Wednesday, 28 August 2019 1:26
> To: Andrew Bartlett
> CC: sambalist
> Subject: Re: [Samba] Problems joining station in domain
>
> Hi,
>
> >What is the original source of this domain? Did it come from Windows or
> >was it provisioned by Samba?
> I had two Windows Server 2008 and I had many problems to join in domain
> the Samba 4 DC.
>
> The Samba 4.10, 4.9 and 4.8 (compiled or packages of the Debian) didn't get
> to join the domain, this way I had to use the Samba 4.5.16 and got it.
>
> I previously thought of joining a new Samba 4.10.7 DC in the domain and if
> all went well, upgrade my production DCs.
>
> Now I don't know if I'd better upgrade the production DC first and then add
> a new DC with Samba 4.10 later.
>
> I'm afraid to "break" the production DC.
>
> >We need to improve this area, and we need to allow some of this to fail
> >more gracefully. So much work to do!
> The work of the Samba 4 team is very good! Congratulations!
>
> Regards,
>
> Márcio Bacci
>
> On Tue, 27 Aug 2019 at 19:28, Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Tue, 2019-08-27 at 16:28 -0300, Marcio Demetrio Bacci via samba wrote:
> > > ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py", line 185, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line 700, in run
> > >     backend_store=backend_store)
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1544, in join_DC
> > >     ctx.do_join()
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1445, in do_join
> > >     ctx.join_add_dns_records()
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1213, in join_add_dns_records
> > >     dns_partition=forestdns_zone_dn)
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 1069, in dns_lookup
> > >     dns_partition=dns_partition)
> >
> > G'Day Marcio,
> >
> > Sorry about this. What is the original source of this domain? Did it
> > come from Windows or was it provisioned by Samba?
> >
> > The problem here is that Samba's python libraries are trying to find
> > the DNS record they just added over RPC, but can't using LDAP. They do
> > this to fix the ownership of the records, as otherwise they will be
> > owned by the administrator, not the DC.
> >
> > This has become a weak point in our DC join process, but replaces the
> > previous weak point where we didn't create the records during the join
> > and hoped that they would get created and replicated correctly on first
> > startup (this often failed).
> >
> > Sadly we have multiple different codebases involved here (the old
> > existing DC and new versions of Samba joining) and while the remote
> > server has found and created the records, the local codebase can't.
> >
> > None of this is a massive help to you right now, sorry!
> >
> > We need to improve this area, and we need to allow some of this to fail
> > more gracefully. So much work to do!
> >
> > Sorry,
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett
> > https://samba.org/~abartlet/
> > Authentication Developer, Samba Team https://samba.org
> > Samba Development and Support, Catalyst IT
> > https://catalyst.net.nz/services/samba
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
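A preflight check for the bind9_dlz steps in the mail above, added here as an example (it is not Louis's script and not Samba project code): it parses named.conf-style text with a small brace-aware tokenizer, strips //, # and /* */ comments first so a commented-out statement does not count as set, and verifies every setting the mail asks for. The paths are the ones from the mail; the sample file contents and the `exists` hook are constructed for the demonstration.

```python
"""Preflight check for the minimal BIND9_DLZ setup from the mail above (added example)."""
import os
import re

DLZ_INCLUDE = "/var/lib/samba/private/named.conf"
# Values the mail asks for inside the "options" block of named.conf.options.
EXPECTED_OPTIONS = {"dnssec-validation": "no", "empty-zones-enable": "no", "auth-nxdomain": "yes"}

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    """Drop /* */, // and # comments (note: a // inside a quoted URL would be eaten too)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse(text):
    """Return named.conf statements as nested (keyword, [args], [child statements])."""
    stmts, _ = _block(_TOKEN.findall(strip_comments(text)), 0)
    return stmts


def _block(tokens, pos):
    stmts, words, children = [], [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "}":
            break
        if tok == "{":                      # nested block, e.g. listen-on-v6 { "none"; }
            sub, pos = _block(tokens, pos)
            children.extend(sub)
        elif tok == ";":                    # end of statement
            if words:
                stmts.append((words[0], words[1:], children))
            words, children = [], []
        else:
            words.append(tok.strip('"'))
    return stmts, pos


def _find(stmts, keyword):
    for name, args, kids in stmts:
        if name == keyword:
            return args, kids
    return [], []


def check_dlz_setup(options_conf, local_conf, default_bind9, exists=os.path.exists):
    """Map each check from the mail to True/False; 'exists' is a hypothetical test hook."""
    options = _find(parse(options_conf), "options")[1]
    result = {}
    for key, want in EXPECTED_OPTIONS.items():
        result[key + " " + want] = _find(options, key)[0] == [want]
    result["listen-on-v6 none"] = [k[0] for k in _find(options, "listen-on-v6")[1]] == ["none"]
    keytab = _find(options, "tkey-gssapi-keytab")[0]
    result["tkey-gssapi-keytab set"] = bool(keytab)
    result["dns.keytab present"] = bool(keytab) and exists(keytab[0])
    result["dlz named.conf included"] = any(
        name == "include" and args == [DLZ_INCLUDE] for name, args, _ in parse(local_conf))
    result["named started with -4"] = re.search(r'^OPTIONS="[^"]*-4', default_bind9, re.M) is not None
    return result


# Constructed samples mirroring the mail (not copied from a real server).
OPTIONS_SAMPLE = """\
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    listen-on-v6 { "none"; };
    empty-zones-enable no;
    auth-nxdomain yes;
    // check where your dns.keytab is and enable that line.
    //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
"""
LOCAL_SAMPLE = '// Adding the dlopen (Bind DLZ) module for samba.\ninclude "/var/lib/samba/private/named.conf";\n'
DEFAULT_BIND9_SAMPLE = 'RESOLVCONF=no\nOPTIONS="-u bind -4"\n'

if __name__ == "__main__":
    for name, ok in check_dlz_setup(OPTIONS_SAMPLE, LOCAL_SAMPLE, DEFAULT_BIND9_SAMPLE).items():
        print("ok  " if ok else "FAIL", name)
```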
On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
> Hai,
>
> I re-checked your config, that looks all good, few minor things.
>
> Now, I noticed this in Andrew's comment.
> Quote:
> The problem here is that Samba's python libraries are trying to find
> the DNS record they just added over RPC, but can't using LDAP. They do
> this to fix the ownership of the records, as otherwise they will be
> owned by the administrator, not the DC.

The relevance is that, as mentioned, the domain started with Windows.
We have a problem there, which is why the extreme measure of joining
with a really old version was needed.

Sadly that now means that the domain is in a slightly different
arrangement to what we expect, and no amount of fiddling settings will
fix it, it is 'just' a code bug/db layout issue.

Sorry!

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
>
> What is in /etc/ldap/ldap.conf
> Does it have: TLS_REQCERT allow ?
> If not, add it.

I would just like to clarify that no aspect of the Samba AD DC uses
this config file or TLS_REQCERT. We have smb.conf options that control
this behaviour. See 'tls verify peer'.

Also, TLS_REQCERT is dangerous:

       TLS_REQCERT <level>
              Specifies what checks to perform on server certificates in a TLS
              session, if any. The <level> can be specified as one of the
              following keywords:

              ..

              allow  The server certificate is requested. If no certificate is
                     provided, the session proceeds normally. If a bad
                     certificate is provided, it will be ignored and the session
                     proceeds normally.

It totally removes the mutual authentication properties of TLS. It
should not be used, instead a proper certificate should be used and the
CA should be trusted.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hai Andrew,

> -----Original message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Wednesday, 28 August 2019 10:19
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: TLS_REQCERT and Samba AD DC
>
> On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
> >
> > What is in /etc/ldap/ldap.conf
> > Does it have: TLS_REQCERT allow ?
> > If not, add it.
>
> I would just like to clarify that no aspect of the Samba AD DC uses
> this config file or TLS_REQCERT. We have smb.conf options that control
> this behaviour. See 'tls verify peer'.
>
> Also, TLS_REQCERT is dangerous:
>
>        TLS_REQCERT <level>
>               Specifies what checks to perform on server certificates in a TLS
>               session, if any. The <level> can be specified as one of the
>               following keywords:
>
>               ..
>
>               allow  The server certificate is requested. If no certificate is
>                      provided, the session proceeds normally. If a bad
>                      certificate is provided, it will be ignored and the session
>                      proceeds normally.
>
> It totally removes the mutual authentication properties of TLS. It
> should not be used, instead a proper certificate should be used and the
> CA should be trusted.

Thank you for clarifying this.

Hmm, this is one I set based on samba's advised install.
Please note, from years ago.. samba 4.1-4.2 or so.
Later on in 4.5 I used it most probably to avoid bug:
https://bugzilla.samba.org/show_bug.cgi?id=13124

And yes, this is a bit of a risk.
But if I ask who did configure a CA for their Samba AD-DCs, I expect only 20% to say yes.

I advised this because I did see that he did not configure tls in his config for the DC.
So to avoid errors from a "client" perspective on the server and not a "samba-ad-dc server" perspective.

I say set it because it is a simple adjustment, from the client perspective on the server,
you "might" want to try this if you have errors.

Now that 'tls verify peer', now this is one I totally missed.
Good you pointed this out.
I've been able to backtrack this to changes 4.4.0 -> 4.4.1 and I'll adjust my setups for it.

Thanks so far,

Greetz,

Louis
Good day Andrew,

Thank you for your quick response on this.

> -----Original message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Wednesday, 28 August 2019 10:15
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Problems joining station in domain
>
> On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > I re-checked your config, that looks all good, few minor things.
> >
> > Now, I noticed this in Andrew's comment.
> > Quote:
> > The problem here is that Samba's python libraries are trying to find
> > the DNS record they just added over RPC, but can't using LDAP. They do
> > this to fix the ownership of the records, as otherwise they will be
> > owned by the administrator, not the DC.
>
> The relevance is that, as mentioned, the domain started with Windows.
> We have a problem there, which is why the extreme measure of joining
> with a really old version was needed.

Yes, I know. I hoped that the join part with DLZ would work out differently.

So if I understand it right, and I found a few older threads on this,
then we are left with the 2 possible workarounds as mentioned on the list before.
See: https://www.spinics.net/lists/samba/msg158588.html
Adjust the code of samba a bit.

Dennis pointed out an option to upgrade/create partitions on w2k3 before the joins.
Found here: https://lists.samba.org/archive/samba/2019-July/224515.html
But as far as I know that server is gone.

The last option is this bug to be fixed.
Why I posted the last parts, so you understand my thoughts.
Before I want to try these, I want to be sure the other parts are all checked.
I was hoping to find that a join with bind9_dlz would help out. I don't know that.
But if you are really sure it is not, please tell, then I'm left without options, and then it's up to you guys.
Do you want a bug report on it?

Looks like this one is related: https://bugzilla.samba.org/show_bug.cgi?id=14045

> Sadly that now means that the domain is in a slightly different
> arrangement to what we expect, and no amount of fiddling settings will
> fix it, it is 'just' a code bug/db layout issue.
>
> Sorry!

Well, nothing to be sorry about, but maybe it's time to start a bughunt on this one, because this should get a higher.
You guys do that fast, I can follow all changes, I try to, but that's hard to do.

Thank you (again) so far.

Greetz,

Louis
Hi,

> What is in /etc/ldap/ldap.conf
> Does it have: TLS_REQCERT allow ?
> If not, add it.

Do I add this to all DCs?

> You installed a new server, why did you not choose debian buster but installed debian stretch?

Because our Debian distribution is customized and packaged according to the institution's security rules. I depend on making this distribution available in Debian 10.

Regards,

Márcio Bacci
Hai Marcio,

________________________________
From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Wednesday, 28 August 2019 15:57
To: L.P.H. van Belle; sambalist
Subject: Re: [Samba] Problems joining station in domain

> Hi,
>
> > What is in /etc/ldap/ldap.conf
> > Does it have: TLS_REQCERT allow ?
> > If not, add it.
> Do I add this to all DCs?

Yes, but as Andrew did say, we could/should use another setting these days.
He confirmed it's still a bug in the DNS partitioning.
What I hoped is to try to "upgrade" your internal DNS to bind9_dlz
and with doing that, avoid this bug.

I suggest you read:
Then we are left with the 2 possible workarounds as mentioned on the list before.
See: https://www.spinics.net/lists/samba/msg158588.html
Adjust the code of samba a bit.

Dennis pointed out an option to upgrade/create partitions on w2k3 before the joins.
Found here: https://lists.samba.org/archive/samba/2019-July/224515.html
But as far as I know that server is gone.

> > You installed a new server, why did you not choose debian buster but installed debian stretch?
> Because our Debian distribution is customized and packaged according to the institution's security rules. I depend on making this distribution available in Debian 10.

Well ok, I can only respect this.
Then I strongly suggest you also read the subject on the list: TLS_REQCERT and Samba AD DC
Because if you have security rules, then this should not be an option, and you should have your own CA running.

So far, (office is closing), until tomorrow.

Greetz,

Louis
Hi,

> What I hoped is to try to "upgrade" your internal DNS to bind9_dlz
> and with doing that, avoid this bug.

My production DCs use DNS Internal, so can I join a new DC using Bind9_dlz without problems?

Regards,

Márcio Bacci
On Wed, 2019-08-28 at 11:24 +0200, L.P.H. van Belle via samba wrote:
> Hai Andrew,
>
> > -----Original message-----
> > From: Andrew Bartlett [mailto:abartlet at samba.org]
> > Sent: Wednesday, 28 August 2019 10:19
> > To: L.P.H. van Belle; samba at lists.samba.org
> > Subject: TLS_REQCERT and Samba AD DC
> >
> > On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
> > > What is in /etc/ldap/ldap.conf
> > > Does it have: TLS_REQCERT allow ?
> > > If not, add it.
> >
> > I would just like to clarify that no aspect of the Samba AD DC uses
> > this config file or TLS_REQCERT. We have smb.conf options that control
> > this behaviour. See 'tls verify peer'.
> >
> > It totally removes the mutual authentication properties of TLS. It
> > should not be used, instead a proper certificate should be used and the
> > CA should be trusted.
>
> Thank you for clarifying this.
>
> Hmm, this is one I set based on samba's advised install.
> Please note, from years ago.. samba 4.1-4.2 or so.
> Later on in 4.5 I used it most probably to avoid bug:
> https://bugzilla.samba.org/show_bug.cgi?id=13124

To be clear, that specific, very narrow part of the codebase (connecting
to AD using SSL, not SASL) is both not used on the AD DC itself, it is
very much not recommended because of this and related problems. I
explain a bit more below.

> And yes, this is a bit of a risk.
> But if I ask who did configure a CA for their Samba AD-DCs, I expect only 20% to say yes.

Which is why we prefer to connect with Kerberos and get our session
integrity and mutual authentication from that source.

> I advised this because I did see that he did not configure tls in his config for the DC.
> So to avoid errors from a "client" perspective on the server and not a "samba-ad-dc server" perspective.
>
> I say set it because it is a simple adjustment, from the client perspective on the server,
> you "might" want to try this if you have errors.

The problem is this: We have, over the 27 years Samba has been around,
developed a lot of 'lore'. Settings, often quite wrong, mostly just
mildly infuriating, passed down from mailing list post to blog, to
wiki, to users.

We have been trying really hard to disrupt that with good wiki pages and
similar, but it also means I need to occasionally jump in here and say
PLEASE NO.

> Now that 'tls verify peer', now this is one I totally missed.
> Good you pointed this out.
> I've been able to backtrack this to changes 4.4.0 -> 4.4.1 and I'll adjust my setups for it.

The winbindd use case, if forced to use ldaps:// or START-TLS for some
reason, could still require it if you don't have a CA, but the correct
fix is not to use TLS for LDAP. As I say above, because we can't
connect the inner Kerberos authentication to the outer TLS, it is much
less secure than using Kerberos alone. For this reason Samba as an AD
DC disallows it (see ldap require strong auth).

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
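A small audit of the three settings this thread turns on, added here as an example (it is not Samba project code): it reads an OpenLDAP client ldap.conf and a Samba smb.conf and reports TLS_REQCERT allow/never (Andrew's "TLS_REQCERT and Samba AD DC" message), a weak 'tls verify peer', and 'ldap server require strong auth' set below the DC default, the setting Louis suggested relaxing for the join test. The option names and values are the ones documented in ldap.conf(5) and smb.conf(5); the file contents are constructed samples.

```python
"""Audit of the LDAP/TLS settings discussed in this thread (added example)."""

# Why each weak value matters, in the terms used in the thread above.
# Note: per Andrew, the AD DC itself never reads ldap.conf; TLS_REQCERT only
# affects OpenLDAP-based clients running on the box.
TLS_REQCERT_WEAK = {
    "never": "no server certificate is requested, so the server is never authenticated",
    "allow": "a missing or bad server certificate is ignored and the session proceeds",
    "try": "a missing server certificate is accepted",
}
TLS_VERIFY_PEER_WEAK = {
    "no_check": "the peer certificate is not checked at all",
    "ca_only": "the chain is checked but the peer name is not",
    "ca_and_name_if_available": "the name check is skipped when the certificate has no name",
}


def parse_ldap_conf(text):
    """ldap.conf(5): one 'KEYWORD value' per line, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_smb_conf(text):
    """smb.conf(5): ini-style; keys are lower-cased with whitespace collapsed,
    so 'TLS  Verify Peer' and 'tls verify peer' name the same option."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit(ldap_conf_text, smb_conf_text):
    """Return (file, option, value, why) for every weak setting found."""
    findings = []
    level = parse_ldap_conf(ldap_conf_text).get("TLS_REQCERT", "demand").lower()  # OpenLDAP default
    if level in TLS_REQCERT_WEAK:
        findings.append(("ldap.conf", "TLS_REQCERT", level, TLS_REQCERT_WEAK[level]))
    g = parse_smb_conf(smb_conf_text).get("global", {})
    verify = g.get("tls verify peer", "as_strict_as_possible").lower()  # smb.conf default
    if verify in TLS_VERIFY_PEER_WEAK:
        findings.append(("smb.conf", "tls verify peer", verify, TLS_VERIFY_PEER_WEAK[verify]))
    strong = g.get("ldap server require strong auth", "yes").lower()  # smb.conf default
    if strong != "yes":
        findings.append(("smb.conf", "ldap server require strong auth", strong,
                         "LDAP binds without SASL integrity protection are accepted; "
                         "the DC default is 'yes'"))
    return findings


# Constructed samples: the weak values suggested or warned about in the thread.
LDAP_CONF_SAMPLE = """\
# constructed /etc/ldap/ldap.conf
BASE   dc=empresa,dc=com,dc=br
URI    ldap://samba4-dc1.empresa.com.br
TLS_REQCERT allow
"""
SMB_CONF_WEAK = """\
# constructed smb.conf [global] for the join test
[global]
    realm = EMPRESA.COM.BR
    server role = active directory domain controller
    ldap server require strong auth = no
    tls verify peer = no_check
"""
SMB_CONF_HARDENED = """\
[global]
    realm = EMPRESA.COM.BR
    server role = active directory domain controller
    ldap server require strong auth = yes
    tls verify peer = as_strict_as_possible
"""

if __name__ == "__main__":
    for where, option, value, why in audit(LDAP_CONF_SAMPLE, SMB_CONF_WEAK):
        print(f"{where}: {option} = {value}: {why}")
```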