On 15/09/2019 19:08, Bartłomiej Solarz-Niesłuchowski wrote:
> On 2019-09-15 at 18:32, Rowland penny via samba wrote:
>> On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>>> I have some questions:
>>>
>>> I do not currently understand - must the bind9 connected to the AD server be
>>> used by the LAN workstations, or only via the AD server?
>>>
>>> Currently the workstations are pointed to a different DNS server than the AD
>>> one - how must it be done correctly?
>>>
>> Your domain workstations must use the AD DC(s) as their nameserver,
>> the DC(s) will forward anything outside the AD dns domain to an
>> external dns server.
>>
> so I need only to forward queries from my common DNS server to
> ad.wsisiz.edu.pl? (AD.WSISIZ.EDU.PL is my samba AD)?

From any domain joined computers, yes. They would ask the DC for any dns info they require, if it is something inside the AD domain, the DC will return the data, if it is something outside the AD domain e.g. google.com, the DC would ask its forwarder and then return whatever the forwarder returns.

>
>>> So I have these current open problems:
>>>
>>> 1. share:
>>>
>>> [private]
>>>
>>> path = %H
>>>
>>> does not work:
>>>
>>> smbd[42055]: make_connection_snum: canonicalize_connect_path
>>> failed for service private, path /%H
>>>
>>> on the console cd ~user works correctly
>>>
>> If this share is on the DC, then it really shouldn't be, using a DC
>> as a fileserver isn't recommended.
>>
>
> yes, understood - I will try to set up a second AD server on which I use only
> the domain part of samba, and on my major server I will start to use only
> smbd/nmbd/winbindd.

I take it that you are referring to a Unix domain member being used as a fileserver

>
> But my current problem is:
>
> dynamic updates are not working in bind/internal_dns...
>
> Can you help me?
>
> (dns updates are needed e.g. for joining new samba servers into this AD
> as domain members....)

Try adding this to the DC smb.conf:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

>
>>> 2. How to connect to the internal AD LDAP server?
>>>
>>> I tried with:
>>>
>>> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H ldaps://oceanic.wsisiz.edu.pl
>>> search error - 00002020: Operation unavailable without authentication
>>>
>> I would have thought that was fairly obvious, you need to
>> authenticate, try this instead (as root):
>>
>> kinit Administrator
>>
>> Then:
>>
>> ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>>
>> That way, your password never leaves the machine.
>
> does not work:
>
> oceanic:/var/lib/samba/bind-dns# ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
> Invalid option -k: unknown option

When I run it, I get this:

ldbsearch -H ldap://dc4.samdom.example.com -k yes
# record 1
dn: CN=W10PRO,CN=Computers,DC=samdom,DC=example,DC=com
cn: W10PRO
instanceType: 4
whenCreated: 20190704082927.0Z
uSNCreated: 555788
..........................................
.................................
.......................

# record 457
dn: CN=RID Set,CN=DC4,OU=Domain Controllers,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: rIDSet
cn: RID Set
instanceType: 4
whenCreated: 20180324201834.0Z
whenChanged: 20180324201834.0Z
uSNCreated: 4097
uSNChanged: 4097
showInAdvancedViewOnly: TRUE
name: RID Set
objectGUID: 2ac1e0a9-4e65-4681-9592-0ee6a87ed379
rIDAllocationPool: 5100-5599
rIDUsedPool: 0
objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
rIDPreviousAllocationPool: 5100-5599
rIDNextRID: 5176
distinguishedName: CN=RID Set,CN=DC4,OU=Domain Controllers,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 460 records
# 457 entries
# 3 referrals

What OS is this and what Samba packages did you install ?

>
>>> 3. How about password aging - I need it not only on the Windows part but
>>> on the unix part it is needed too (unix has accounts/passwords/etc. via
>>> ldap)?
>>>
>> A Unix user in AD is just a Windows user with RFC2307 attributes, so
>> they all get the same password rules
>>
>> BIG NOTE: I hope that 'via ldap' means users in AD
>
>
> khhm.. currently on the linux workstations I use openldap; for linux
> password aging I use shadow attributes stored in ldap

I think you will find that it is now 'I used openldap'

You can sync passwords etc between AD and openldap, but you will probably find that it easier to migrate whatever you have in openldap to AD and then have just one point of maintenance.

So, what do you have in openldap ?

Rowland
Bartłomiej Solarz-Niesłuchowski
2019-Sep-15 19:19 UTC
[Samba] Migrating Samba NT4 Domain to Samba AD
On 2019-09-15 at 20:38, Rowland penny via samba wrote:
> On 15/09/2019 19:08, Bartłomiej Solarz-Niesłuchowski wrote:
>> On 2019-09-15 at 18:32, Rowland penny via samba wrote:
>>> On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>>>> I have some questions:
>>>>
>>>> I do not currently understand - must the bind9 connected to the AD server be
>>>> used by the LAN workstations, or only via the AD server?
>>>>
>>>> Currently the workstations are pointed to a different DNS server than
>>>> the AD one - how must it be done correctly?
>>>>
>>> Your domain workstations must use the AD DC(s) as their nameserver,
>>> the DC(s) will forward anything outside the AD dns domain to an
>>> external dns server.
>>>
>> so I need only to forward queries from my common DNS server to
>> ad.wsisiz.edu.pl? (AD.WSISIZ.EDU.PL is my samba AD)?
> From any domain joined computers, yes. They would ask the DC for any
> dns info they require, if it is something inside the AD domain, the DC
> will return the data, if it is something outside the AD domain e.g.
> google.com, the DC would ask its forwarder and then return whatever
> the forwarder returns.

tomorrow I will fix it correctly.

>>
>>
>>>> So I have these current open problems:
>>>>
>>>> 1. share:
>>>>
>>>> [private]
>>>>
>>>> path = %H
>>>>
>>>> does not work:
>>>>
>>>> smbd[42055]: make_connection_snum: canonicalize_connect_path
>>>> failed for service private, path /%H
>>>>
>>>> on the console cd ~user works correctly
>>>>
>>> If this share is on the DC, then it really shouldn't be, using a DC
>>> as a fileserver isn't recommended.
>>>
>>
>> yes, understood - I will try to set up a second AD server on which I use only
>> the domain part of samba, and on my major server I will start to use only
>> smbd/nmbd/winbindd.
>
> I take it that you are referring to a Unix domain member being used as
> a fileserver
>
>>
>>
>> But my current problem is:
>>
>> dynamic updates are not working in bind/internal_dns...
>>
>>
>> Can you help me?
>>
>> (dns updates are needed e.g. for joining new samba servers into this AD
>> as domain members....)
>
> Try adding this to the DC smb.conf:
>
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

added: it does not help

oceanic:/etc# samba_dnsupdate --use-samba-tool --verbose --all-names --fail-immediately
IPs: ['2001:1a68:a::33', '213.135.44.33']
force update: A oceanic.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA oceanic.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: NS ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: NS _msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: A ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.7be4eeae-49f0-4b2f-9b13-9482284869f4.domains._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _kerberos._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._udp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._tcp.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kpasswd._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 464
force update: SRV _kpasswd._udp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 464
force update: CNAME bab81aef-5660-4aa8-a484-761e3a426ca8._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _ldap._tcp.pdc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: A gc._msdcs.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA gc._msdcs.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _gc._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _ldap._tcp.gc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: A DomainDnsZones.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA DomainDnsZones.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.DomainDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: A ForestDnsZones.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA ForestDnsZones.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
34 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/oceanic.ad.wsisiz.edu.pl as OCEANIC$
update (samba-tool): A oceanic.ad.wsisiz.edu.pl 213.135.44.33
Calling samba-tool dns for A oceanic.ad.wsisiz.edu.pl 213.135.44.33 (add)
Calling samba-tool dns add -k no -P ['2001:1a68:a::33', 'ad.wsisiz.edu.pl', 'oceanic', 'A', '213.135.44.33']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/dns.py", line 945, in run
    raise e
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/dns.py", line 941, in run
    0, server, zone, name, add_rec_buf, None)

on the prospective domain member:

[root@mask ~]# net ads join -U administrator%XXXXXX
Using short domain name -- WSISIZ.EDU.PL
Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

>
>>
>>
>>>> 2. How to connect to the internal AD LDAP server?
>>>>
>>>> I tried with:
>>>>
>>>> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H ldaps://oceanic.wsisiz.edu.pl
>>>> search error - 00002020: Operation unavailable without authentication
>>>>
>>> I would have thought that was fairly obvious, you need to
>>> authenticate, try this instead (as root):
>>>
>>> kinit Administrator
>>>
>>> Then:
>>>
>>> ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>>>
>>> That way, your password never leaves the machine.
>>
>> does not work:
>>
>> oceanic:/var/lib/samba/bind-dns# ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>> Invalid option -k: unknown option
>
> When I run it, I get this:
>
> ldbsearch -H ldap://dc4.samdom.example.com -k yes
>
> What OS is this and what Samba packages did you install ?
>

[root@oceanic etc]# which ldbsearch
/usr/bin/ldbsearch
[root@oceanic etc]# rpm -qf /usr/bin/ldbsearch
ldb-tools-1.5.5-1.fc30.x86_64

>>
>>>> 3. How about password aging - I need it not only on the Windows part
>>>> but on the unix part it is needed too (unix has accounts/passwords/etc.
>>>> via ldap)?
>>>>
>>> A Unix user in AD is just a Windows user with RFC2307 attributes, so
>>> they all get the same password rules
>>>
>>> BIG NOTE: I hope that 'via ldap' means users in AD
>>
>>
>> khhm.. currently on the linux workstations I use openldap; for linux
>> password aging I use shadow attributes stored in ldap
>
> I think you will find that it is now 'I used openldap'
>
> You can sync passwords etc between AD and openldap, but you will
> probably find that it easier to migrate whatever you have in openldap
> to AD and then have just one point of maintenance.

yes, it is true if I correctly set up replication (I need about 3 ldap servers for performance reasons)

>
> So, what do you have in openldap ?

[root@oceanic etc]# smbldap-usershow solarz
dn: uid=solarz,ou=Users,dc=wsisiz,dc=edu,dc=pl
mail: solarz@wsisiz.edu.pl
givenName;lang-en: Bartlomiej
uid: solarz
sambaPwdCanChange: 1176363610
sambaBadPasswordCount: 0
sambaKickoffTime: 2147483647
cn;lang-en: Bartlomiej Solarz-Niesluchowski
sambaLogoffTime: 2147483647
objectClass: person,organizationalPerson,inetOrgPerson,posixAccount,top,kerberosSecurityObject,shadowAccount,sambaSamAccount
sambaProfilePath: \\oceanic\solarz\profile
uidNumber: 1761
sn: Solarz-Niesłuchowski
gidNumber: 101
gecos: Bartlomiej Solarz-Niesluchowski
shadowFlag: 134540276
sambaLogonScript: login.bat
sambaLogonTime: 0
shadowWarning: 14
sn;lang-en: Solarz-Niesluchowski
cn: Bartłomiej Solarz-Niesłuchowski
givenName;lang-pl: Bartłomiej
krbName: solarz@WSISIZ.EDU.PL
sambaBadPasswordTime: 0
sambaHomeDrive: z:
cn;lang-pl: Bartłomiej Solarz-Niesłuchowski
homeDirectory: /home/staff/solarz
givenName: Bartłomiej
displayName: Bartłomiej Solarz-Niesłuchowski
shadowInactive: 14
sambaSID: S-1-5-21-3156691614-3416019035-1284015310-4522
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPrimaryGroupSID: S-1-5-21-3156691614-3416019035-1284015310-513
shadowMax: 120
sn;lang-pl: Solarz-Niesłuchowski
loginShell: /bin/bash
preferredLanguage: pl
sambaHomePath: \\oceanic\solarz
sambaPwdMustChange: 1558009952
sambaAcctFlags: [U]
userPassword: {SSHA}XXXXXXXXXXXXX
sambaNTPassword: XXXXXXXXXXXXX
sambaPwdLastSet: 1563822645
shadowLastChange: 18099

and I have a tree with rfc822MailMember

dn: cn=B.Solarz-Niesluchowski,ou=Aliases,dc=wsisiz,dc=edu,dc=pl
rfc822MailMember: solarz
objectClass: nisMailAlias
objectClass: top
cn: B.Solarz-Niesluchowski
structuralObjectClass: nisMailAlias

--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski@wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz@jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it
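The samba_dnsupdate --verbose output above is long enough that reading it by eye is error-prone, and the two DNS failures in this thread (a DC whose record already exists, a member whose GSS-TSIG update is rejected) look alike at a glance. The following script is an added example, not part of the thread and not Samba's own code: it parses the line shapes seen in that log, counts the planned records by type, checks the "N DNS updates ... needed" header against the parsed lines, records whether the Kerberos ticket for the DNS service was obtained, and attaches each ERROR(runtime) line to the samba-tool update that triggered it. The embedded sample log is a constructed, shortened version of the output above (8 of the 34 records); the per-error hints are this example's own classification of the two error names that appear in the thread, not Samba documentation.

```python
"""Triage of `samba_dnsupdate --verbose` output (added example, not Samba's code)."""
import re
from collections import Counter

# Line shapes as they appear in the samba_dnsupdate log posted in the thread.
FORCE_RE = re.compile(
    r"^force update: (?P<rtype>[A-Z]+) (?P<name>\S+)(?: (?P<target>\S+))?(?: (?P<port>\d+))?$")
NEEDED_RE = re.compile(r"^(?P<adds>\d+) DNS updates and (?P<dels>\d+) DNS deletes needed$")
ATTEMPT_RE = re.compile(r"^update \(samba-tool\): (?P<rtype>[A-Z]+) (?P<name>\S+) (?P<value>\S+)$")
ERROR_RE = re.compile(r"^ERROR\(runtime\): uncaught exception - \((?P<code>\d+), '(?P<werr>[A-Z_]+)'\)$")
KRB_OK_PREFIX = "Successfully obtained Kerberos ticket"

# Error names seen in the thread, mapped to what to check next (this example's own hints).
ERROR_CLASSES = {
    "WERR_DNS_ERROR_RECORD_ALREADY_EXISTS": "record already present; the add is redundant",
    "ERROR_DNS_GSS_ERROR": "GSS-TSIG authentication failed; check the ticket, realm and clock skew",
}

# Constructed sample: an abridged copy of the log in the thread (8 of the 34 records).
SAMPLE_OUTPUT = """\
IPs: ['2001:1a68:a::33', '213.135.44.33']
force update: A oceanic.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA oceanic.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: NS ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: SRV _ldap._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _kerberos._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kpasswd._udp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 464
force update: CNAME bab81aef-5660-4aa8-a484-761e3a426ca8._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: A gc._msdcs.ad.wsisiz.edu.pl 213.135.44.33
8 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/oceanic.ad.wsisiz.edu.pl as OCEANIC$
update (samba-tool): A oceanic.ad.wsisiz.edu.pl 213.135.44.33
Calling samba-tool dns for A oceanic.ad.wsisiz.edu.pl 213.135.44.33 (add)
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
"""


def parse_dnsupdate_output(text):
    """Return planned records, header counts, Kerberos status and errors tied to their update."""
    planned, errors = [], []
    needed = None
    kerberos_ok = False
    last_attempt = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FORCE_RE.match(line)
        if m:
            planned.append(m.groupdict())
            continue
        m = NEEDED_RE.match(line)
        if m:
            needed = (int(m["adds"]), int(m["dels"]))
            continue
        if line.startswith(KRB_OK_PREFIX):
            kerberos_ok = True
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            last_attempt = m.groupdict()  # the next ERROR line belongs to this update
            continue
        m = ERROR_RE.match(line)
        if m:
            err = dict(last_attempt or {})
            err.update(code=int(m["code"]), werr=m["werr"],
                       hint=ERROR_CLASSES.get(m["werr"], "unclassified; look up the WERR_ name"))
            errors.append(err)
    return {
        "planned": planned,
        "by_type": Counter(p["rtype"] for p in planned),
        "needed": needed,
        "consistent": needed is not None and needed[0] == len(planned),
        "kerberos_ok": kerberos_ok,
        "errors": errors,
    }


def summarize(report):
    """Human-readable lines for an admin; the first failed update is usually the one to chase."""
    lines = [f"{len(report['planned'])} updates planned: "
             + ", ".join(f"{t}={n}" for t, n in sorted(report["by_type"].items()))]
    lines.append("Kerberos ticket for DNS: " + ("obtained" if report["kerberos_ok"] else "NOT obtained"))
    if not report["consistent"]:
        lines.append("WARNING: header count does not match the parsed 'force update' lines")
    for e in report["errors"]:
        lines.append(f"FAILED {e.get('rtype')} {e.get('name')} {e.get('value')}: "
                     f"{e['werr']} ({e['code']}) -> {e['hint']}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_dnsupdate_output(SAMPLE_OUTPUT)):
        print(line)
```

Run against the full log the script should report 34 planned records, a ticket obtained, and one failure on the first A record; with --fail-immediately the tool stops at that first error, so an "already exists" failure hides whether the remaining 33 records would have gone through. The member's net ads join output is a different case: there the failure name is the GSS one, so the thing to check is authentication to the DC's DNS, not the zone contents.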
On 15/09/2019 20:19, Bartłomiej Solarz-Niesłuchowski wrote:
>> What OS is this and what Samba packages did you install ?
>>
> [root@oceanic etc]# which ldbsearch
> /usr/bin/ldbsearch
> [root@oceanic etc]# rpm -qf /usr/bin/ldbsearch
> ldb-tools-1.5.5-1.fc30.x86_64
>

Is your DC Running Fedora ? If so, then I am sorry, but I must advise you that running a Samba AD DC on Fedora is experimental due to the use of MIT kerberos and you should not use it in production.

Rowland
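Rowland's suggestion earlier in the thread to migrate the OpenLDAP accounts into AD raises the question of what becomes of the shadowAccount aging attributes in the smbldap-usershow entry, since AD has no per-user shadowMax: password age is a domain (or fine-grained) policy, and a Unix user in AD simply carries RFC2307 attributes next to the Windows ones. The following script is an added example, not part of the thread and not a Samba tool: it parses that entry (embedded here as a constructed copy with both hashes replaced by placeholders), derives when the user's current password expires from shadowLastChange and shadowMax, maps the posixAccount and sambaSamAccount attributes to their AD/RFC2307 counterparts, deliberately leaves the hashes out (hash migration is a job for samba-tool domain classicupgrade, not for a script copying attributes), and emits the samba-tool domain passwordsettings command that reproduces the shortest shadowMax as the domain maximum password age. The attribute map and the --max-pwd-age option are assumptions drawn from standard AD attribute names and samba-tool's documented options, not from the thread.

```python
"""Shadow-aging review and attribute mapping for an OpenLDAP -> Samba AD migration (added example)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadowLastChange counts days since this date

# Constructed sample: the entry shown in the thread with both hashes replaced by placeholders.
SAMPLE_ENTRY = r"""
dn: uid=solarz,ou=Users,dc=wsisiz,dc=edu,dc=pl
uid: solarz
objectClass: person,organizationalPerson,inetOrgPerson,posixAccount,top,kerberosSecurityObject,shadowAccount,sambaSamAccount
uidNumber: 1761
gidNumber: 101
gecos: Bartlomiej Solarz-Niesluchowski
homeDirectory: /home/staff/solarz
loginShell: /bin/bash
shadowLastChange: 18099
shadowMax: 120
shadowWarning: 14
shadowInactive: 14
sambaHomePath: \\oceanic\solarz
sambaHomeDrive: z:
sambaProfilePath: \\oceanic\solarz\profile
sambaLogonScript: login.bat
sambaSID: S-1-5-21-3156691614-3416019035-1284015310-4522
userPassword: {SSHA}PLACEHOLDER
sambaNTPassword: PLACEHOLDER
"""

# OpenLDAP attribute -> AD attribute (RFC2307 schema plus the Windows profile fields).
# Assumed mapping based on standard AD attribute names; verify against your own schema.
ATTRIBUTE_MAP = {
    "uid": "sAMAccountName",
    "uidNumber": "uidNumber",
    "gidNumber": "gidNumber",
    "gecos": "gecos",
    "loginShell": "loginShell",
    "homeDirectory": "unixHomeDirectory",  # AD's own homeDirectory is the Windows UNC home
    "sambaHomePath": "homeDirectory",
    "sambaHomeDrive": "homeDrive",
    "sambaProfilePath": "profilePath",
    "sambaLogonScript": "scriptPath",
}
# Never copied by this script: these need a proper hash migration path, not attribute copying.
SECRET_ATTRIBUTES = {"userPassword", "sambaNTPassword", "sambaLMPassword", "sambaPasswordHistory"}


def parse_entry(text):
    """Parse 'attr: value' lines into a dict of attribute -> list of values."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def first(entry, attr, default=None):
    return entry.get(attr, [default])[0]


def password_expiry(entry):
    """Date the current password expires: shadowLastChange + shadowMax days after the epoch."""
    last_change = int(first(entry, "shadowLastChange"))
    max_age = int(first(entry, "shadowMax"))
    return EPOCH + timedelta(days=last_change + max_age)


def days_until_expiry(entry, today_iso):
    return (password_expiry(entry) - date.fromisoformat(today_iso)).days


def in_warning_window(entry, today_iso):
    """True when the user would already be getting shadow expiry warnings on that day."""
    return days_until_expiry(entry, today_iso) <= int(first(entry, "shadowWarning", "0"))


def to_ad_attributes(entry):
    """Attribute set for the AD object; secrets are left out by construction of ATTRIBUTE_MAP."""
    return {ATTRIBUTE_MAP[src]: entry[src][0] for src in ATTRIBUTE_MAP if src in entry}


def secrets_present(entry):
    """Which secret-bearing attributes the source entry carries (to be migrated by other means)."""
    return sorted(SECRET_ATTRIBUTES & set(entry))


def domain_policy_command(entries):
    """samba-tool command applying the shortest shadowMax as the AD maximum password age (days)."""
    max_age = min(int(first(e, "shadowMax")) for e in entries)
    return f"samba-tool domain passwordsettings set --max-pwd-age={max_age}"


if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    print("expires:", password_expiry(e), "| days left on 2019-09-15:", days_until_expiry(e, "2019-09-15"))
    for k, v in to_ad_attributes(e).items():
        print(f"  {k}: {v}")
    print("secrets to migrate separately:", secrets_present(e))
    print(domain_policy_command([e]))
```

The derived expiry is also a cross-check on the source data: for this entry shadowLastChange (18099 days) and sambaPwdLastSet (1563822645 seconds) both land on the same day, so the Unix and Samba aging fields agree and there is one password age to carry over, not two. Where several users have different shadowMax values, the script takes the shortest for the domain policy; anyone needing a longer one would be a case for a fine-grained password policy rather than a per-user attribute.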