On 16/09/2019 17:26, Bartłomiej Solarz-Niesłuchowski wrote:
> On 2019-09-16 at 16:30, Rowland penny via samba wrote:
>> On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
>>> Well it was worth checking.. We just dont know what you already
>>> checked..
>
> now I setup the Ubuntu Server 18.04.3 LTS +
>
> http://apt.van-belle.nl/ +
> https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt#L268
>
> + i changed krb (default is ... MIT!) to heimdal
>
> apt install heimdal-clients
>
> So now I have some success....
>
> 1. I add the second AD controller "themes" as stated in
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>
> 2. bind configured and it looks like working:
>
> root@themes:~# samba_dnsupdate --verbose --all-names
> ...
> update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389 (add)
> Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as THEMES$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.
>
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl themes.ad.wsisiz.edu.pl 389 (add)
> Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as THEMES$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.
>
> 3. when I try to join another samba server (but as AD member!):
>
> [root@mask ~]# net ads join -U administrator
> Using short domain name -- WSISIZ.EDU.PL
> Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
> DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> message looks not good BUT domain connection in fact works.....
>
> [root@mask ~]# wbinfo --ping-dc
> checking the NETLOGON for domain[WSISIZ.EDU.PL] dc connection to "oceanic.ad.wsisiz.edu.pl" succeeded
>
> So how can I drop DC "oceanic" and reconnect whole network to DC "themes"?
>
> (when I do it DC will be on server which has no shares (only netlogon + sysvol?))

If 'oceanic' was the first AD DC you created, then it will hold the FSMO roles, you can check this with:

samba-tool fsmo show

If you see 'oceanic' amongst the output, then run this command on 'themes':

samba-tool fsmo transfer --role=all -U Administrator

You can then demote 'oceanic' by running this command on 'oceanic':

samba-tool domain demote -U Administrator

> And after disconnecting oceanic as DC - i want to make cleaning with ldap/AD ldap.

At this point you can just remove Samba entirely

> I have workstations based both on windows and linux.
>
> Currently for windows workstations source of user data is Samba AD, but for linux workstations is openldap.
>
> Problems are two:
>
> on windows workstations we use "NThash", on linux workstations we use "SHA512" hash.
>
> So how can i arrange that if user change password via CTRL+ALT+DEL via windows, in fact password changing procedure changes both hashes?

If you must keep your openldap machine (and you haven't actually told us what auths from it) you will need to script around this:

See here for an example (in French):

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

However, if you are referring to Linux workstations running as Unix domain members, then you do not need to do anything, they and the users will auth directly from the Samba AD DC, provided that Samba is set up correctly. If you run:

getent passwd <a domain user>

on a Unix domain member, you should get something like this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

> in NT4 domain it was used
>
> pam password change = Yes
>
> which changes BOTH hashes.
>
> What I need to do to conserve this feature?

I am not 100% convinced you need to do anything like this.

What do you use the openldap for ?

A mailserver or something else ?

You may be able to extend the AD schema with whatever it is you are using openldap for.

Rowland
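The reply above gives the three commands for moving the FSMO roles off 'oceanic' and demoting it, and the quoted `samba_dnsupdate --verbose` output is how the new DC's SRV registrations were verified. The script below is an added example, not code from the thread, from Rowland or from Samba: it parses the output of `samba-tool fsmo show` (run on any DC) and of `samba_dnsupdate --verbose --all-names` (run on the DC that stays) and lists everything that still blocks the demotion, namely roles the old DC still owns and required SRV records the surviving DC has not registered. The line formats are assumed from the thread and the Samba wiki, the minimal SRV set is an assumption, and the sample texts are constructed for a domain ad.example.com.

```python
"""Pre-demotion check for a Samba AD DC (added example, not Samba code).

Parses `samba-tool fsmo show` and `samba_dnsupdate --verbose --all-names`
output and reports what still blocks demoting the old DC. Line formats are
assumed from the thread and the Samba wiki; sample texts are constructed.
"""
import re
from typing import Dict, List, Tuple

ROLE_RE = re.compile(r"^(?P<role>\w+MasterRole) owner: (?P<dn>.+)$")
SRV_RE = re.compile(
    r"^update\(nsupdate\): SRV (?P<name>\S+) (?P<target>\S+) (?P<port>\d+)$"
)

# SRV names a DC must advertise for clients to find it (assumed minimal set).
REQUIRED_SRV = (
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
)

# Constructed sample: five roles still on OCEANIC, two already on THEMES.
FSMO_SAMPLE = "".join(
    f"{role} owner: CN=NTDS Settings,CN={dc},CN=Servers,CN=Default-First-Site-Name,"
    "CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com\n"
    for role, dc in [
        ("InfrastructureMasterRole", "OCEANIC"),
        ("RidAllocationMasterRole", "OCEANIC"),
        ("PdcEmulationMasterRole", "THEMES"),
        ("DomainNamingMasterRole", "OCEANIC"),
        ("SchemaMasterRole", "OCEANIC"),
        ("DomainDnsZonesMasterRole", "THEMES"),
        ("ForestDnsZonesMasterRole", "OCEANIC"),
    ]
)

# Constructed sample of samba_dnsupdate --verbose run on THEMES; one required
# record (_kerberos._tcp.dc._msdcs) is deliberately absent.
DNSUPDATE_SAMPLE = """\
update(nsupdate): A ad.example.com 192.0.2.10
update(nsupdate): SRV _ldap._tcp.ad.example.com themes.ad.example.com 389
Calling nsupdate for SRV _ldap._tcp.ad.example.com themes.ad.example.com 389 (add)
update(nsupdate): SRV _kerberos._tcp.ad.example.com themes.ad.example.com 88
update(nsupdate): SRV _ldap._tcp.dc._msdcs.ad.example.com themes.ad.example.com 389
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ad.example.com themes.ad.example.com 389
"""


def server_from_ntds_dn(dn: str) -> str:
    """'CN=NTDS Settings,CN=THEMES,CN=Servers,...' -> 'THEMES'.
    Assumes no escaped commas in the first two RDNs, which holds for DC names."""
    rdns = [r.strip() for r in dn.split(",")]
    if len(rdns) < 2 or rdns[0].lower() != "cn=ntds settings":
        raise ValueError(f"not an NTDS Settings DN: {dn}")
    attr, _, value = rdns[1].partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"unexpected second RDN in: {dn}")
    return value.strip()


def parse_fsmo_show(text: str) -> Dict[str, str]:
    """Map each FSMO role name to the short name of the DC that owns it."""
    owners: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROLE_RE.match(line.strip())
        if m:
            owners[m.group("role")] = server_from_ntds_dn(m.group("dn"))
    return owners


def parse_dnsupdate_srv(text: str) -> List[Tuple[str, str, int]]:
    """Collect (record name, target host, port) for each SRV update reported."""
    found = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            found.append((m.group("name").rstrip(".").lower(),
                          m.group("target").rstrip(".").lower(),
                          int(m.group("port"))))
    return found


def predemote_blockers(fsmo_text: str, dnsupdate_text: str,
                       old_dc: str, new_dc_fqdn: str, domain: str) -> List[str]:
    """Reasons the old DC must not be demoted yet: roles it still owns and
    required SRV records the surviving DC has not registered."""
    blockers = []
    for role, owner in parse_fsmo_show(fsmo_text).items():
        if owner.lower() == old_dc.lower():
            blockers.append(f"{role} still owned by {owner}: transfer it first")
    advertised = {name for name, target, _ in parse_dnsupdate_srv(dnsupdate_text)
                  if target == new_dc_fqdn.lower()}
    for pattern in REQUIRED_SRV:
        name = pattern.format(d=domain.lower())
        if name not in advertised:
            blockers.append(f"{new_dc_fqdn} does not advertise SRV {name}")
    return blockers


if __name__ == "__main__":
    for b in predemote_blockers(FSMO_SAMPLE, DNSUPDATE_SAMPLE,
                                "OCEANIC", "themes.ad.example.com", "ad.example.com"):
        print("BLOCKER:", b)
```

In practice you would feed the two real outputs in instead of the constructed samples; an empty blocker list is the point at which `samba-tool domain demote` is safe to run, and a non-empty one tells you whether it is the role transfer or the DNS registration on the surviving DC that still needs attention.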
Bartłomiej Solarz-Niesłuchowski
2019-Sep-16 19:39 UTC
[Samba] Migrating Samba NT4 Domain to Samba AD
On 2019-09-16 at 19:43, Rowland penny via samba wrote:
> On 16/09/2019 17:26, Bartłomiej Solarz-Niesłuchowski wrote:
>> So how can I drop DC "oceanic" and reconnect whole network to DC "themes"?
>>
>> (when I do it DC will be on server which has no shares (only netlogon + sysvol?))
>
> If 'oceanic' was the first AD DC you created, then it will hold the FSMO roles, you can check this with:
>
> samba-tool fsmo show
>
> If you see 'oceanic' amongst the output, then run this command on 'themes':
>
> samba-tool fsmo transfer --role=all -U Administrator
>
> You can then demote 'oceanic' by running this command on 'oceanic':
>
> samba-tool domain demote -U Administrator

DONE - only online demoting was unsuccessful - i use offline demoting
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

How many AD DC servers are recommended for a network my size (600+ workstations?) 2? 3? more?

>> And after disconnecting oceanic as DC - i want to make cleaning with ldap/AD ldap.
> At this point you can just remove Samba entirely

snip... - removed and added as domain member - %H works

>> I have workstations based both on windows and linux.
>>
>> Currently for windows workstations source of user data is Samba AD, but for linux workstations is openldap.
>>
>> Problems are two:
>>
>> on windows workstations we use "NThash", on linux workstations we use "SHA512" hash.
>>
>> So how can i arrange that if user change password via CTRL+ALT+DEL via windows, in fact password changing procedure changes both hashes?
>
> If you must keep your openldap machine (and you haven't actually told us what auths from it) you will need to script around this:
>
> See here for an example (in French):
>
> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

it looks like this synchronizes change of password from the windows side to the openldap one... - so i must check it...

> However, if you are referring to Linux workstations running as Unix domain members, then you do not need to do anything, they and the users will auth directly from the Samba AD DC, provided that Samba is set up correctly. If you run:

linux workstations aren't samba domain members... they use ldap as source for passwd and authentication - thru e.g. nslcd

> I am not 100% convinced you need to do anything like this.
>
> What do you use the openldap for ?
>
> A mailserver or something else ?

mailserver, ssh, as source of authentication for users for e.g. apache, email aliases database for postfix

> You may be able to extend the AD schema with whatever it is you are using openldap for.

May I please have some link on how to extend the AD schema (I made it on openldap but on samba ldap I have no idea how to add a custom schema)?

Best Regards

-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 404, Mon.-Fri. 8-16
Motto - As you make your bed, so you will lie in it
On 16/09/2019 20:39, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> How many AD DC servers are recommended for a network my size (600+ workstations?) 2? 3? more?

At least two, but if you can afford it, more are better.

> linux workstations aren't samba domain members... they use ldap as source for passwd and authentication - thru e.g. nslcd

Then join them to the domain, that way you will not need nslcd, the 'getent' example I posted came from a Unix domain member aka Linux workstation.

>> I am not 100% convinced you need to do anything like this.
>>
>> What do you use the openldap for ?
>>
>> A mailserver or something else ?
> mailserver, ssh, as source of authentication for users for e.g. apache, email aliases database for postfix

Louis, can you help here, this sounds right up your street ;-)

You should be able to do most, if not all, of this from AD, for a start see here:

https://wiki.samba.org/index.php/Authenticating_other_services_against_Samba_AD

>> You may be able to extend the AD schema with whatever it is you are using openldap for.
>
> May I please have some link on how to extend the AD schema (I made it on openldap but on samba ldap I have no idea how to add a custom schema)?

It is very similar to adding a schema to openldap, you just need the schema in a format suitable for AD, having said that, you can use kerberos for ssh without having to extend the schema, for the basics, see here:

https://wiki.samba.org/index.php/Samba_AD_schema_extensions

Rowland
Gooood morning guys,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Monday 16 September 2019 22:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Migrating Samba NT4 Domain to Samba AD
>
> On 16/09/2019 20:39, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> >
> > How many AD DC servers are recommended for a network my size (600+
> > workstations?) 2? 3? more?
> At least two, but if you can afford it, more are better.
> >
> > linux workstations aren't samba domain members... they use ldap as
> > source for passwd and authentication - thru e.g. nslcd
> Then join them to the domain, that way you will not need nslcd, the
> 'getent' example I posted came from a Unix domain member aka Linux
> workstation.

Yes, this is what i do also, all my servers are in the samba AD domain.
Just configure ldap (client), setup your ssl certificates where needed.
And try to use kerberos as authentication first with ldap as fallback.

> >> I am not 100% convinced you need to do anything like this.
> >>
> >> What do you use the openldap for ?
> >>
> >> A mailserver or something else ?
> > mailserver, ssh, as source of authentication for users for e.g.
> > apache, email aliases database for postfix
>
> Louis, can you help here, this sounds right up your street ;-)

Sure, I use this on debian buster:

Setup..
- if only auth is needed i only install: winbind krb5-user acl
- if i need to access shares: samba winbind acl

All servers do have their own certificates, managed by my own CA root.
Once that is set/done.

Ssh

# Use Dns for kerberos auth
UseDNS yes
# Enable kerberos GSSAPI tickets
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

Mail/postfix aliases. ( against kopano )

server_host = ldaps://ldap1.internal.domain.tld:636 ldaps://ldap2.internal.domain.tld:636
# ldap1/2 are CNAMES to my DC1 and DC2, that saves time if you switch in DC names.
search_base = DC=internal,DC=domain,DC=tld
version = 3
bind_dn = CN=ldap-connect,OU=SA,OU=Company,DC=internal,DC=domain,DC=tld
bind_pw = YouMayGuessIt.
# adapt the query_filter to your needs.
scope = sub
Aliases mail address:
query_filter = (&(objectClass=user)(otherMailbox=%s))
result_attribute = mail

#samba, just make sure you have at least.
winbind refresh tickets = yes
So your kerberos tickets of the server dont expire.

# apache, a nice example here.
https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

#squid.. Already on the list. See :
https://www.spinics.net/lists/samba/msg159262.html

Anything i missed ;-) ?
NFSv4 kerberized mounts.. See:
https://www.spinics.net/lists/samba/msg156758.html

> You should be able to do most, if not all, of this from AD, for a start
> see here:
>
> https://wiki.samba.org/index.php/Authenticating_other_services_against_Samba_AD
>
> >> You may be able to extend the AD schema with whatever it is you are
> >> using openldap for.
> >
> > May I please have some link on how to extend the AD schema (I made it
> > on openldap but on samba ldap I have no idea how to add a custom schema)?

Which schemas do you want to add, any examples? That might help to see if more is needed.

> It is very similar to adding a schema to openldap, you just need the
> schema in a format suitable for AD, having said that, you can use
> kerberos for ssh without having to extend the schema, for the basics,
> see here:
>
> https://wiki.samba.org/index.php/Samba_AD_schema_extensions
>
> Rowland

Greetz,

Louis
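Louis's Postfix alias lookup above is a plain ldap_table(5) file: `server_host`, a `bind_dn` with a password, and a `query_filter` in which Postfix substitutes the looked-up address for `%s`. The script below is an added example, not Louis's configuration and not Postfix or Samba code: it parses such a fragment, lints the settings a reviewer would check (cleartext `ldap://` without `start_tls`, TLS without `tls_require_cert = yes`, which per ldap_table(5) defaults to `no` and so leaves the DC certificate unverified), and renders the filter with the RFC 4515 quoting Postfix applies to `%s`, so you can see that an address containing `*` or parentheses cannot widen the search. The config text is constructed from the fragment with the password replaced by a placeholder.

```python
"""Lint a Postfix ldap_table(5) fragment and show how %s lands in query_filter.

Added example, not Louis's configuration, Postfix code or Samba code. The
config text is constructed; tls_require_cert and its default of 'no' are
taken from ldap_table(5). escape_filter_value() reproduces the RFC 4515
quoting Postfix applies to %s so the effect is visible without an LDAP server.
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
server_host = ldaps://ldap1.internal.domain.tld:636 ldaps://ldap2.internal.domain.tld:636
# ldap1/2 are CNAMEs to DC1 and DC2
search_base = DC=internal,DC=domain,DC=tld
version = 3
bind_dn = CN=ldap-connect,OU=SA,OU=Company,DC=internal,DC=domain,DC=tld
bind_pw = PLACEHOLDER_PASSWORD
scope = sub
query_filter = (&(objectClass=user)(otherMailbox=%s))
result_attribute = mail
"""


def parse_ldap_table(text: str) -> Dict[str, str]:
    """Read 'key = value' lines; blank lines and '#' comments are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def escape_filter_value(value: str) -> str:
    """RFC 4515 quoting of an assertion value: backslash, '*', '(', ')'
    and NUL become \\XX hex escapes so they cannot alter filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_query(conf: Dict[str, str], key: str) -> str:
    """Substitute the lookup key (an address from the alias map) into
    query_filter with the quoting Postfix applies to %s."""
    return conf["query_filter"].replace("%s", escape_filter_value(key))


def lint_ldap_table(conf: Dict[str, str]) -> List[str]:
    """Flag settings that weaken the lookup's confidentiality or correctness."""
    findings = []
    hosts = conf.get("server_host", "").split()
    if not hosts:
        findings.append("server_host is missing")
    uses_ldaps = any(h.startswith("ldaps://") for h in hosts)
    for h in hosts:
        if not h.startswith("ldaps://") and conf.get("start_tls", "no") != "yes":
            findings.append(f"{h} without start_tls: bind_pw crosses the network in clear")
    if (uses_ldaps or conf.get("start_tls") == "yes") and conf.get("tls_require_cert", "no") != "yes":
        findings.append("TLS in use but tls_require_cert is not yes: the DC certificate is not verified")
    if conf.get("version") != "3":
        findings.append("version should be 3 for AD")
    if conf.get("bind_dn") and not conf.get("bind_pw"):
        findings.append("bind_dn set without bind_pw")
    if "%s" not in conf.get("query_filter", ""):
        findings.append("query_filter has no %s: every lookup returns the same entries")
    if not conf.get("result_attribute"):
        findings.append("result_attribute is missing")
    return findings


if __name__ == "__main__":
    conf = parse_ldap_table(SAMPLE_CONFIG)
    print(render_query(conf, "alias@domain.tld"))
    print(render_query(conf, "*)(objectClass=*"))  # wildcard and parens are quoted
    for f in lint_ldap_table(conf):
        print("FINDING:", f)
```

Run against the constructed fragment the only finding is the missing `tls_require_cert = yes`; since Louis issues the DC certificates from his own CA, adding that line together with `tls_ca_cert_file` pointing at the CA certificate makes Postfix actually verify the DC it binds to with the service account's password.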