Turritopsis Dohrnii Teo En Ming
2020-Feb-15 06:14 UTC
[Samba] Teo En Ming's Manual for Setting Up Samba 4.11.6 and CentOS 8.1 (1911) Linux Server QEMU/KVM Virtual Machine as an Active Directory Domain Controller (AD DC)
Subject: Teo En Ming's Manual for Setting Up Samba 4.11.6 and CentOS 8.1 (1911) Linux Server QEMU/KVM Virtual Machine as an Active Directory Domain Controller (AD DC)

PUBLISHED 15 FEB 2020 SATURDAY, SINGAPORE, SINGAPORE, SINGAPORE

This manual/guide is meant for small and medium businesses (SMB) which do not want to spend a lot of money on Windows Server 2016/2019 licensing.

REFERENCE GUIDE
==============

Guide: Setting up Samba as an Active Directory Domain Controller
Link: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

EXTREMELY DETAILED INSTRUCTIONS OF TEO EN MING'S MANUAL
======================================================

Starting CentOS 8.1 (1911) Linux Server QEMU/KVM Virtual Machine on Ubuntu 18.04.3 LTS Desktop Host
==================================================================================================

Virtual Machine Manager (virt-manager) depends on libvirtd service.

$ sudo systemctl start libvirtd.service

Start the Virtual Machine Manager.

$ sudo virt-manager

Select the CentOS 8.1 QEMU/KVM virtual machine and click "Power on the virtual machine".

REFERENCE GUIDE
==============

Guide: ENABLING HOST-GUEST NETWORKING WITH KVM, MACVLAN AND MACVTAP
Link: https://www.furorteutonicus.eu/2013/08/04/enabling-host-guest-networking-with-kvm-macvlan-and-macvtap/

Still on the Ubuntu 18.04.3 LTS Desktop host.

$ nano /home/teo-en-ming/macvlan.sh

#!/bin/bash
# Adapted by Teo En Ming on 14 Feb 2020 Friday (Valentine's Day in Singapore).
# let host and guests talk to each other over macvlan
# configures a macvlan interface on the hypervisor
# run this on the hypervisor (e.g. in /etc/rc.local)
# made for IPv4; need modification for IPv6
# meant for a simple network setup with only eth0 or enp5s0 on the host,
# and a static (manual) ip config
# Original Author: Evert Mouw, 2013 (European Union)

#HWLINK=eth0
HWLINK=enp5s0
MACVLN=macvlan0
TESTHOST=www.google.com

# ------------
# wait for network availability
# ------------
# IPv4 pings only
while ! ping -4 -q -c 1 $TESTHOST > /dev/null
do
    echo "$0: Cannot ping $TESTHOST, waiting another 5 secs..."
    sleep 5
done

# ------------
# get network config
# ------------
IP=$(ip address show dev $HWLINK | grep "inet " | awk '{print $2}')
NETWORK=$(ip -o route | grep $HWLINK | grep -v default | grep -v 169 | awk '{print $1}')
GATEWAY=$(ip -o route | grep default | awk '{print $3}')

# ------------
# setting up $MACVLN interface
# ------------
ip link add link $HWLINK $MACVLN type macvlan mode bridge
ip address add $IP dev $MACVLN
ip link set dev $MACVLN up

# ------------
# routing table
# ------------
# empty routes
ip route flush dev $HWLINK
ip route flush dev $MACVLN
# add routes
ip route add $NETWORK dev $MACVLN metric 0
# add the default gateway
ip route add default via $GATEWAY

===END OF LINUX SHELL SCRIPT==

$ sudo chmod +x /home/teo-en-ming/macvlan.sh
$ sudo /home/teo-en-ming/macvlan.sh

192.168.1.122 is the IP address (DHCP auto configuration) of the CentOS 8.1 Linux Server.

ssh into the CentOS 8.1 Linux Server.

$ ssh teo-en-ming@192.168.1.122

PREPARING THE INSTALLATION ON CENTOS 8.1 LINUX SERVER
====================================================

Setting hostname of CentOS 8.1 Linux Server.
===========================================

# hostnamectl set-hostname dc1

To see the hostname:

# hostnamectl

Output:

   Static hostname: dc1
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 668fdf5de7214d56be0ef8b65f7166e9
           Boot ID: 5691a1a2dacd41c4ab5871d25885e138
    Virtualization: kvm
  Operating System: CentOS Linux 8 (Core)
       CPE OS Name: cpe:/o:centos:centos:8
            Kernel: Linux 4.18.0-147.el8.x86_64
      Architecture: x86-64

How to set static IP address 192.168.1.10 on CentOS 8.1 Linux Server
===================================================================

# cd /etc/sysconfig/network-scripts/
# nano ifcfg-ens3

TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens3"
UUID="8e179c97-1388-48ee-a8be-d173ee3ff40c"
DEVICE="ens3"
ONBOOT="yes"
IPADDR="192.168.1.10"
PREFIX="24"
GATEWAY="192.168.1.1"
DNS1="8.8.8.8" ===>>> (IF YOU USE THIS LINE, NETWORK MANAGER WILL ALWAYS OVERWRITE /etc/resolv.conf, which is undesirable)

# reboot

ssh into CentOS 8.1 Linux Server with static IP address 192.168.1.10.

$ ssh teo-en-ming@192.168.1.10

Check if Samba processes are running:

# ps ax | egrep "samba|smbd|nmbd|winbindd"

# nano /etc/hosts

Contents of file:

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.10 dc1.teo-en-ming.corp dc1

Back up the original /etc/krb5.conf

# mv /etc/krb5.conf /etc/krb5.conf.bak

INSTALLING SAMBA 4.11.6 ON CENTOS 8.1 LINUX SERVER QEMU/KVM VIRTUAL MACHINE
==========================================================================

REFERENCE GUIDE
==============

Guide: Build Samba from Source
Link: https://wiki.samba.org/index.php/Build_Samba_from_Source

Installing package dependencies before building Samba on CentOS 8.1 Linux Server.

# yum -y install dnf-plugins-core
# yum config-manager --set-enabled PowerTools
# yum install docbook-style-xsl gcc gdb gnutls-devel gpgme-devel jansson-devel
# yum install keyutils-libs-devel krb5-workstation libacl-devel libaio-devel
# yum install libarchive-devel libattr-devel libblkid-devel libtasn1 libtasn1-tools
# yum install libxml2-devel libxslt openldap-devel pam-devel perl
# yum install perl-ExtUtils-MakeMaker perl-Parse-Yapp popt-devel python3-cryptography
# yum install python3-dns python3-gpg python36-devel readline-devel rpcgen systemd-devel
# yum install tar zlib-devel

Compulsory Packages NOT installed at the moment: lmdb-devel

Download Samba current stable release 4.11.6.

# wget https://download.samba.org/pub/samba/stable/samba-4.11.6.tar.gz
# tar -zxf samba-4.11.6.tar.gz
# cd samba-4.11.6/
# ./configure

Output:

Samba AD DC and --enable-selftest requires lmdb 0.9.16 or later

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
# yum install lmdb-devel

Run ./configure again.

# ./configure

Output:

'configure' finished successfully (42.262s)

Make full use of all 4 cores on my AMD Ryzen 3 3200G processor.

# make -j 4

Output:

Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'build' finished successfully (9m24.396s)

# make install

Output:

Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'install' finished successfully (2m58.171s)

# nano /etc/profile

Append the following line:

export PATH=$PATH:/usr/local/samba/bin/:/usr/local/samba/sbin/

PROVISIONING A SAMBA ACTIVE DIRECTORY DOMAIN CONTROLLER
======================================================

Provisioning Samba AD DC in Interactive Mode. The original intention was to use SAMBA_INTERNAL DNS backend.

# samba-tool domain provision --use-rfc2307 --interactive

Output:

Realm [TEO-EN-MING.CORP]: TEO-EN-MING.CORP
Domain [TEO-EN-MING]: TEO-EN-MING
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]: 8.8.8.8
Administrator password:
Retype password:
INFO 2020-02-14 22:56:13,700 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-14 22:56:13,702 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-14 22:56:13,702 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-14 22:56:13,702 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-14 22:56:14,152 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2020-02-14 22:56:14,595 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-14 22:56:14,848 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-14 22:56:16,031 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-14 22:56:16,721 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-14 22:56:17,155 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-14 22:56:17,263 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-14 22:56:17,266 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-14 22:56:17,331 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-14 22:56:17,548 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-14 22:56:17,646 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-14 22:56:17,722 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-14 22:56:21,121 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-14 22:56:21,263 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-14 22:56:23,502 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-14 22:56:23,543 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-14 22:56:23,545 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-14 22:56:23,547 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-14 22:56:23,549 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-14 22:56:23,550 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-14 22:56:23,695 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-14 22:56:23,760 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-14 22:56:24,075 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=ms-DS-Replication-Notify-First-DSA-Delay,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=interSiteTransport-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-14 22:56:27,001 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-14 22:56:27,377 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-14 22:56:27,401 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-14 22:56:27,620 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.dc,DC=_msdcs.teo-en-ming.corp,CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-14 22:56:28,660 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-14 22:56:28,734 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-14 22:56:29,720 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-14 22:56:29,720 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-14 22:56:30,078 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-14 22:56:30,277 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-14 22:56:30,277 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-3028196010-72872391-2123559056

Configuring the DNS Resolver. Network Manager will keep overwriting /etc/resolv.conf. This problem will be resolved later.

# nano /etc/resolv.conf

Contents of file:

search teo-en-ming.corp
nameserver 192.168.1.10

REFERENCE GUIDE
==============

Guide: Managing the Samba AD DC Service Using Systemd
Link: https://wiki.samba.org/index.php/Managing_the_Samba_AD_DC_Service_Using_Systemd

# systemctl mask smbd nmbd winbind
# systemctl disable smbd nmbd winbind

# nano /etc/systemd/system/samba-ad-dc.service

Contents of file:

[Unit]
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/samba -D
PIDFile=/usr/local/samba/var/run/samba.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

# systemctl daemon-reload
# systemctl enable samba-ad-dc
# systemctl start samba-ad-dc

Output:

Job for samba-ad-dc.service failed because the control process exited with error code.
See "systemctl status samba-ad-dc.service" and "journalctl -xe" for details.

The SAMBA AD DC service cannot start because SELINUX is enabled on CentOS 8.1. We will see later.

# systemctl status samba-ad-dc

Output:

● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2020-02-15 08:39:58 +08; 46s ago
  Process: 6967 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=203/EXEC)
 Main PID: 1595 (code=exited, status=203/EXEC)

Feb 15 08:39:58 dc1 systemd[1]: Starting Samba Active Directory Domain Controller...
Feb 15 08:39:58 dc1 systemd[1]: samba-ad-dc.service: Control process exited, code=exited status=203
Feb 15 08:39:58 dc1 systemd[1]: samba-ad-dc.service: Failed with result 'exit-code'.
Feb 15 08:39:58 dc1 systemd[1]: Failed to start Samba Active Directory Domain Controller.

SAMBA AD DC service cannot start because SELINUX is enabled on CentOS 8.1. We will see later.

# reboot

Start Samba AD DC manually.

# samba -D

Create a reverse zone in Samba Internal DNS Backend.

# samba-tool dns zonecreate 192.168.1.10 1.168.192.in-addr.arpa -U administrator

Output:

Password for [TEO-EN-MING\administrator]:
Zone 1.168.192.in-addr.arpa created successfully

Configuring Kerberos
===================

# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

Starting Samba AD DC Manually.

# samba -D

Verifying the File Server.
=========================

$ smbclient -L localhost -U%

Output:

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.11.6)
SMB1 disabled -- no workgroup available

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'

Output:

Enter TEO-EN-MING\Administrator's password:
  .                                   D        0  Fri Feb 14 22:56:17 2020
  ..                                  D        0  Fri Feb 14 22:56:24 2020

                17811456 blocks of size 1024. 12025652 blocks available

Verifying DNS (Failed)
=====================

# killall dnsmasq

$ host -t SRV _ldap._tcp.teo-en-ming.corp.

Output:

Host _ldap._tcp.teo-en-ming.corp. not found: 3(NXDOMAIN)

$ host -t SRV _kerberos._udp.teo-en-ming.corp.

Output:

Host _kerberos._udp.teo-en-ming.corp. not found: 3(NXDOMAIN)

$ host -t A dc1.teo-en-ming.corp.

Output:

Host dc1.teo-en-ming.corp. not found: 3(NXDOMAIN)

I am unable to find the above DNS records because Network Manager keeps overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.

Verifying Kerberos
=================

$ kinit administrator

Output:

kinit: Cannot find KDC for realm "TEO-EN-MING.CORP" while getting initial credentials

The above problem is also due to Network Manager overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.

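The DNS and Kerberos failures above share one cause: the resolver is not pointing at the DC. As an added example (not part of the original manual), this bash script checks a resolv.conf and an ifcfg file for that condition before host or kinit is run. The function names and sample files are constructed for illustration, and treating a DNSn= entry other than the DC address as "will be overwritten" is an assumption drawn from the note on the DNS1 line above.

```shell
#!/bin/bash
# Added example, not part of the original manual. Function names are
# hypothetical; DC_IP and DNS_DOMAIN are the values the manual uses.
DC_IP="192.168.1.10"
DNS_DOMAIN="teo-en-ming.corp"

# Print the first "nameserver" address of a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeed if domain $2 is listed on a "search" or "domain" line of file $1.
has_search_domain() {
    awk -v d="$2" '
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if ($i == d) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeed if file $1 carries the header NetworkManager writes.
generated_by_nm() {
    grep -q '^# Generated by NetworkManager' "$1"
}

# Print every DNSn= value of ifcfg file $1, quotes and trailing text stripped.
ifcfg_dns_servers() {
    sed -n 's/^DNS[0-9][0-9]*=\([^ #]*\).*/\1/p' "$1" | tr -d "\"'"
}

# Print a one-word verdict for resolv.conf $1 and ifcfg $2; return 0 only for "ok".
check_resolver() {
    local ns dns
    ns=$(first_nameserver "$1")
    if [ "$ns" != "$DC_IP" ]; then
        if generated_by_nm "$1"; then
            echo "overwritten-by-networkmanager"
        else
            echo "wrong-nameserver"
        fi
        return 1
    fi
    if ! has_search_domain "$1" "$DNS_DOMAIN"; then
        echo "missing-search-domain"
        return 1
    fi
    # The file is right for now. Assumption: a DNSn= entry that is not the DC
    # means NetworkManager will replace the file on the next activation.
    for dns in $(ifcfg_dns_servers "$2"); do
        if [ "$dns" != "$DC_IP" ]; then
            echo "will-be-overwritten"
            return 1
        fi
    done
    echo "ok"
}

# Write constructed sample files (not captured from a real host) into dir $1.
make_samples() {
    printf 'search %s\nnameserver %s\n' "$DNS_DOMAIN" "$DC_IP" > "$1/resolv.manual"
    printf '# Generated by NetworkManager\nnameserver 8.8.8.8\n' > "$1/resolv.nm"
    printf 'nameserver %s\n' "$DC_IP" > "$1/resolv.nosearch"
    printf 'BOOTPROTO="static"\nIPADDR="%s"\nDNS1="8.8.8.8"\n' "$DC_IP" > "$1/ifcfg.public"
    printf 'BOOTPROTO="static"\nIPADDR="%s"\n' "$DC_IP" > "$1/ifcfg.nodns"
}

if [ "${1:-}" = "--live" ]; then
    # Paths are the ones the manual edits.
    check_resolver /etc/resolv.conf /etc/sysconfig/network-scripts/ifcfg-ens3
else
    d=$(mktemp -d)
    make_samples "$d"
    echo "hand-written resolv.conf, DNS1=8.8.8.8: $(check_resolver "$d/resolv.manual" "$d/ifcfg.public")"
    echo "regenerated resolv.conf, DNS1=8.8.8.8:  $(check_resolver "$d/resolv.nm" "$d/ifcfg.public")"
    echo "hand-written resolv.conf, no DNSn=:     $(check_resolver "$d/resolv.manual" "$d/ifcfg.nodns")"
    rm -rf "$d"
fi
```

Without arguments the script runs on the constructed samples only; any verdict other than "ok" means the host and kinit checks will query the wrong DNS server.
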
TROUBLESHOOTING: DISABLE SELINUX ON CENTOS 8.1
=============================================

$ sestatus

Output:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

# nano /etc/sysconfig/selinux

Change from

SELINUX=enforcing

to

SELINUX=disabled

# reboot

$ sestatus

SELinux status: disabled

After disabling SELINUX, now we can start Samba AD DC successfully.

# systemctl status samba-ad-dc

Output:

● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-15 08:50:22 +08; 1min 0s ago
  Process: 1084 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=0/SUCCESS)
 Main PID: 1131 (samba)
    Tasks: 44 (limit: 23972)
   Memory: 261.8M
   CGroup: /system.slice/samba-ad-dc.service
           ├─1131 /usr/local/samba/sbin/samba -D
           ├─1375 /usr/local/samba/sbin/samba -D
           ├─1376 /usr/local/samba/sbin/samba -D
           ├─1377 /usr/local/samba/sbin/samba -D
           ├─1379 /usr/local/samba/sbin/samba -D
           ├─1380 /usr/local/samba/sbin/samba -D
           ├─1387 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1389 /usr/local/samba/sbin/samba -D
           ├─1391 /usr/local/samba/sbin/samba -D
           ├─1392 /usr/local/samba/sbin/samba -D
           ├─1393 /usr/local/samba/sbin/samba -D
           ├─1396 /usr/local/samba/sbin/samba -D
           ├─1398 /usr/local/samba/sbin/samba -D
           ├─1399 /usr/local/samba/sbin/samba -D
           ├─1403 /usr/local/samba/sbin/samba -D
           ├─1404 /usr/local/samba/sbin/samba -D
           ├─1407 /usr/local/samba/sbin/samba -D
           ├─1408 /usr/local/samba/sbin/samba -D
           ├─1409 /usr/local/samba/sbin/samba -D
           ├─1411 /usr/local/samba/sbin/samba -D
           ├─1412 /usr/local/samba/sbin/samba -D
           ├─1413 /usr/local/samba/sbin/samba -D
           ├─1415 /usr/local/samba/sbin/samba -D
           ├─1416 /usr/local/samba/sbin/samba -D
           ├─1418 /usr/local/samba/sbin/samba -D
           ├─1419 /usr/local/samba/sbin/samba -D
           ├─1420 /usr/local/samba/sbin/samba -D
           ├─1422 /usr/local/samba/sbin/samba -D
           ├─1423 /usr/local/samba/sbin/samba -D
           ├─1424 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─1426 /usr/local/samba/sbin/samba -D
           ├─1427 /usr/local/samba/sbin/samba -D
           ├─1429 /usr/local/samba/sbin/samba -D
           ├─1464 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1465 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1469 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1490 /usr/local/samba/sbin/samba -D
           ├─1492 /usr/local/samba/sbin/samba -D
           ├─1493 /usr/local/samba/sbin/samba -D
           ├─1495 /usr/local/samba/sbin/samba -D
           ├─1496 /usr/local/samba/sbin/samba -D
           ├─1498 /usr/local/samba/sbin/samba -D
           ├─1499 /usr/local/samba/sbin/samba -D
           └─1501 /usr/local/samba/sbin/samba -D

Feb 15 08:50:25 dc1 samba[1131]: [2020/02/15 08:50:25.778777, 0] ../../source4/smbd/process_prefork.c:512(prefork_child_pipe_handler)
Feb 15 08:50:25 dc1 samba[1131]: prefork_child_pipe_handler: Parent 1131, Child 1406 exited with status 0
Feb 15 08:50:27 dc1 smbd[1387]: [2020/02/15 08:50:27.634592, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Feb 15 08:50:27 dc1 smbd[1387]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Feb 15 08:50:27 dc1 winbindd[1424]: [2020/02/15 08:50:27.761081, 0] ../../source3/winbindd/winbindd_cache.c:3166(initialize_winbindd_cache)
Feb 15 08:50:27 dc1 winbindd[1424]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Feb 15 08:50:27 dc1 winbindd[1424]: [2020/02/15 08:50:27.770049, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Feb 15 08:50:27 dc1 winbindd[1424]: daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
Feb 15 08:50:27 dc1 samba[1426]: [2020/02/15 08:50:27.870385, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:50:27 dc1 samba[1426]: /usr/local/samba/sbin/samba_dnsupdate: WARNING: no network interfaces found

We need to kill dnsmasq so that Samba's internal DNS server can start.

# killall dnsmasq
# systemctl restart samba-ad-dc
# systemctl status samba-ad-dc

● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-15 08:53:28 +08; 21s ago
  Process: 2512 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=0/SUCCESS)
 Main PID: 2514 (samba)
    Tasks: 58 (limit: 23972)
   Memory: 215.6M
   CGroup: /system.slice/samba-ad-dc.service
           ├─2514 /usr/local/samba/sbin/samba -D
           ├─2516 /usr/local/samba/sbin/samba -D
           ├─2517 /usr/local/samba/sbin/samba -D
           ├─2518 /usr/local/samba/sbin/samba -D
           ├─2519 /usr/local/samba/sbin/samba -D
           ├─2520 /usr/local/samba/sbin/samba -D
           ├─2521 /usr/local/samba/sbin/samba -D
           ├─2522 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2523 /usr/local/samba/sbin/samba -D
           ├─2524 /usr/local/samba/sbin/samba -D
           ├─2525 /usr/local/samba/sbin/samba -D
           ├─2526 /usr/local/samba/sbin/samba -D
           ├─2527 /usr/local/samba/sbin/samba -D
           ├─2528 /usr/local/samba/sbin/samba -D
           ├─2529 /usr/local/samba/sbin/samba -D
           ├─2530 /usr/local/samba/sbin/samba -D
           ├─2531 /usr/local/samba/sbin/samba -D
           ├─2532 /usr/local/samba/sbin/samba -D
           ├─2533 /usr/local/samba/sbin/samba -D
           ├─2534 /usr/local/samba/sbin/samba -D
           ├─2535 /usr/local/samba/sbin/samba -D
           ├─2536 /usr/local/samba/sbin/samba -D
           ├─2537 /usr/local/samba/sbin/samba -D
           ├─2538 /usr/local/samba/sbin/samba -D
           ├─2539 /usr/local/samba/sbin/samba -D
           ├─2540 /usr/local/samba/sbin/samba -D
           ├─2541 /usr/local/samba/sbin/samba -D
           ├─2542 /usr/local/samba/sbin/samba -D
           ├─2543 /usr/local/samba/sbin/samba -D
           ├─2544 /usr/local/samba/sbin/samba -D
           ├─2545 /usr/local/samba/sbin/samba -D
           ├─2546 /usr/local/samba/sbin/samba -D
           ├─2547 /usr/local/samba/sbin/samba -D
           ├─2548 /usr/local/samba/sbin/samba -D
           ├─2549 /usr/local/samba/sbin/samba -D
           ├─2550 /usr/local/samba/sbin/samba -D
           ├─2551 /usr/local/samba/sbin/samba -D
           ├─2552 /usr/local/samba/sbin/samba -D
           ├─2553 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─2554 /usr/local/samba/sbin/samba -D
           ├─2555 /usr/local/samba/sbin/samba -D
           ├─2556 /usr/local/samba/sbin/samba -D
           ├─2557 /usr/local/samba/sbin/samba -D
           ├─2558 /usr/local/samba/sbin/samba -D
           ├─2559 /usr/local/samba/sbin/samba -D
           ├─2560 /usr/local/samba/sbin/samba -D
           ├─2562 /usr/local/samba/sbin/samba -D
           ├─2569 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2570 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2571 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2572 /usr/local/samba/sbin/samba -D
           ├─2573 /usr/local/samba/sbin/samba -D
           ├─2574 /usr/local/samba/sbin/samba -D
           ├─2575 /usr/local/samba/sbin/samba -D
           ├─2576 /usr/local/samba/sbin/samba -D
           ├─2577 /usr/local/samba/sbin/samba -D
           ├─2578 /usr/local/samba/sbin/samba -D
           └─2579 /usr/local/samba/sbin/samba -D

Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742774, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742787, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]: /usr/local/samba/sbin/samba_dnsupdate: raise e
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742800, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742813, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]: /usr/local/samba/sbin/samba_dnsupdate: 0, server, zone, name, add_rec_buf, None)
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.767521, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Feb 15 08:53:38 dc1 samba[2556]: dnsupdate_nameupdate_done: Failed DNS update with exit code 39

Testing your Samba AD DC
=======================

# killall dnsmasq
# systemctl restart samba-ad-dc

Verifying the File Server
========================

$ smbclient -L localhost -U%

Output:

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.11.6)
SMB1 disabled -- no workgroup available

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'

Output:

Enter TEO-EN-MING\Administrator's password:
  .                                   D        0  Fri Feb 14 22:56:17 2020
  ..                                  D        0  Fri Feb 14 22:56:24 2020

                17811456 blocks of size 1024. 12018876 blocks available

Verifying DNS (Failed again)
===========================

$ host -t SRV _ldap._tcp.teo-en-ming.corp.

Output:

Host _ldap._tcp.teo-en-ming.corp. not found: 3(NXDOMAIN)

Unable to find above DNS record because Network Manager is always overwriting /etc/resolv.conf
As a result, I am always looking up the WRONG DNS server.

# systemctl stop samba-ad-dc

TROUBLESHOOTING AGAIN
====================

Re-provisioning the Samba AD DC, using Samba Internal DNS Backend again.

# samba-tool domain provision --use-rfc2307 --interactive

Output:

Realm [TEO-EN-MING.CORP]:
Domain [TEO-EN-MING]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
INFO 2020-02-15 09:01:10,638 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 09:01:10,638 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 09:01:10,638 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 09:01:10,639 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 09:01:11,057 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 09:01:11,436 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 09:01:11,620 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 09:01:12,200 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 09:01:12,667 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 09:01:12,817 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 09:01:12,820 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 09:01:12,893 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-15 09:01:13,093 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:01:13,201 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 09:01:13,342 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 09:01:16,649 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 09:01:16,794 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 09:01:19,013 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 09:01:19,053 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 09:01:19,056 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 09:01:19,057 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 09:01:19,060 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 09:01:19,061 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 09:01:19,199 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 09:01:19,261 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 09:01:19,564 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=MSMQ-Sign-Certificates-Mig,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=lostAndFound-Display,CN=411,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=5e1574f6-55df-493e-a671-aaeffca6a100,CN=Operations,CN=DomainUpdates,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:01:21,879 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 09:01:22,122 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:01:22,144 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 09:01:22,393 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record DC=gc,DC=_msdcs.teo-en-ming.corp,CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:01:23,163 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 09:01:23,213 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 09:01:24,265 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 09:01:24,265 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 09:01:24,581 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 09:01:24,772 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 09:01:24,772 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-15 09:01:24,772 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-15 09:01:24,773 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-15 09:01:24,773 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-15 09:01:24,773 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-3427788993-2190856266-1509719656

# systemctl start samba-ad-dc

Verifying DNS (Failed again)
============

$ host -t SRV _ldap._tcp.teo-en-ming.corp.
Output:

Host _ldap._tcp.teo-en-ming.corp. not found: 3(NXDOMAIN)

Unable to find the above DNS record because Network Manager is always overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.

Installing BIND DNS Server and Using it as the DNS Backend for Samba
===================================================================

# yum install bind

# systemctl stop samba-ad-dc

We are going to use BIND9 as the Samba DNS backend this time. I changed my mind. I decided not to use Samba's Internal DNS backend.

# samba-tool domain provision --use-rfc2307 --interactive

Output:

Realm [TEO-EN-MING.CORP]:
Domain [TEO-EN-MING]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
INFO 2020-02-15 09:13:53,976 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 09:13:53,976 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 09:13:53,976 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 09:13:53,977 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 09:13:54,381 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 09:13:54,704 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 09:13:54,888 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 09:13:55,478 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 09:13:55,819 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 09:13:55,886 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 09:13:55,888 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 09:13:55,945 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-15 09:13:56,187 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:13:56,362 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 09:13:56,518 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 09:13:59,846 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 09:13:59,991 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 09:14:02,238 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 09:14:02,279 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 09:14:02,280 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 09:14:02,282 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 09:14:02,283 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 09:14:02,284 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 09:14:02,425 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 09:14:02,489 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 09:14:02,777 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=MS-TS-Property02,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=localPolicy-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=PolicyType,CN=WMIPolicy,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:14:05,299 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 09:14:05,558 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:14:05,587 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 09:14:05,778 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.DomainDnsZones,DC=teo-en-ming.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:14:07,207 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1272: See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2020-02-15 09:14:07,207 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1274: and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2020-02-15 09:14:07,333 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 09:14:07,383 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 09:14:08,576 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 09:14:08,576 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 09:14:09,009 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 09:14:09,200 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-3153339276-3256266220-4030185391

# nano /etc/named.conf

Append the following line:

include "/usr/local/samba/bind-dns/named.conf";

# named -v

Output:

BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el8 (Extended Support Version) <id:7107deb>

# nano /usr/local/samba/bind-dns/named.conf

Contents of file:

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/bind-dns/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";

    # For BIND 9.12.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so";
};

Setting up BIND9 options and keytab for Kerberos
===============================================

# nano /etc/named.conf

Add the following to the options {} section of your main BIND named.conf file. For example:

options {
    [...]
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    minimal-responses yes;
};

Verify that your /etc/krb5.conf Kerberos client configuration file is readable by your BIND user. For example:

# ls -l /etc/krb5.conf

Output:

-rw-r--r--. 1 root root 97 Feb 15 00:49 /etc/krb5.conf

# chown root:named /etc/krb5.conf

Verify that the nsupdate utility exists on your domain controller (DC):

# which nsupdate
/usr/bin/nsupdate

Starting the BIND DNS Service
============================

# named-checkconf

# systemctl enable named.service

# systemctl start named.service

# systemctl status named.service

Output:

● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-15 09:28:54 +08; 26s ago
  Process: 3670 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 3667 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disab>
 Main PID: 3673 (named)
    Tasks: 4 (limit: 23972)
   Memory: 73.1M
   CGroup: /system.slice/named.service
           └─3673 /usr/sbin/named -u named -c /etc/named.conf

Feb 15 09:28:54 dc1 named[3673]: zone 0.in-addr.arpa/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone localhost/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone localhost.localdomain/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: all zones loaded
Feb 15 09:28:54 dc1 named[3673]: running
Feb 15 09:28:54 dc1 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Feb 15 09:29:04 dc1 named[3673]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
Feb 15 09:29:04 dc1 named[3673]: resolver priming query complete

I still cannot find the mandatory DNS records. Re-provisioning Samba AD DC again.

# cd /usr/local/samba/etc

# mv smb.conf smb.conf.bak

# samba-tool domain provision --use-rfc2307 --interactive

Realm [TEO-EN-MING.CORP]:
Domain [TEO-EN-MING]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
INFO 2020-02-15 09:34:24,411 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 09:34:24,411 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 09:34:24,411 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 09:34:24,412 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 09:34:24,817 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 09:34:25,101 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 09:34:25,269 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 09:34:25,783 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 09:34:26,233 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 09:34:26,316 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 09:34:26,317 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 09:34:26,367 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-15 09:34:26,551 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:34:26,684 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 09:34:26,791 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 09:34:30,087 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 09:34:30,230 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 09:34:32,425 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 09:34:32,465 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 09:34:32,467 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 09:34:32,467 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 09:34:32,469 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 09:34:32,470 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 09:34:32,608 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 09:34:32,667 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 09:34:32,967 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=userPKCS12,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=pKICertificateTemplate-Display,CN=406,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=4dfbb973-8a62-4310-a90c-776e00f83222,CN=Operations,CN=DomainUpdates,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:34:35,720 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 09:34:35,963 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:34:35,982 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 09:34:36,248 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:34:37,633 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1272: See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2020-02-15 09:34:37,633 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1274: and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2020-02-15 09:34:37,763 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 09:34:37,804 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 09:34:38,781 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 09:34:38,781 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 09:34:39,223 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 09:34:39,438 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-2121330042-1058780221-1881093528

# cat /usr/local/samba/etc/smb.conf

# Global parameters
[global]
        netbios name = DC1
        realm = TEO-EN-MING.CORP
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEO-EN-MING
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/teo-en-ming.corp/scripts
        read only = No

# systemctl start samba-ad-dc

TROUBLESHOOTING SAMBA INSTALLATION BY RE-COMPILING SAMBA FROM SOURCE AGAIN
=========================================================================

I was afraid that SELINUX might affect the previous build of Samba from source.

# cd /root

# rm -rf samba-4.11.6

# systemctl stop samba-ad-dc

# cd /usr/local

# rm -rf samba/

# cd /root

# tar xfvz samba-4.11.6.tar.gz

# cd samba-4.11.6/

# ./configure

# make -j 4

Output:

Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'build' finished successfully (9m21.630s)

# make install

Output:

Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'install' finished successfully (2m47.846s)

Provisioning Samba AD DC from scratch after rebuilding Samba from source.

# samba-tool domain provision --use-rfc2307 --interactive

Realm [TEO-EN-MING.CORP]:
Domain [TEO-EN-MING]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
INFO 2020-02-15 10:00:20,082 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 10:00:20,083 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 10:00:20,083 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 10:00:20,083 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 10:00:20,505 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2020-02-15 10:00:20,871 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 10:00:21,131 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 10:00:22,314 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 10:00:22,838 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 10:00:23,230 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 10:00:23,322 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 10:00:23,324 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 10:00:23,398 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-15 10:00:23,573 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 10:00:23,653 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 10:00:23,749 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 10:00:27,115 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 10:00:27,261 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 10:00:29,491 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 10:00:29,531 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 10:00:29,532 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 10:00:29,533 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 10:00:29,534 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 10:00:29,535 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 10:00:29,674 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 10:00:29,735 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 10:00:30,058 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=rpc-Ns-Bindings,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=nTFRSSubscriber-Display,CN=40C,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=Incoming Forest Trust Builders,CN=Builtin,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 10:00:33,052 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 10:00:33,285 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 10:00:33,305 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 10:00:33,511 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=@,DC=teo-en-ming.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.teo-en-ming.corp,CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 10:00:34,921 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1272: See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2020-02-15 10:00:34,921 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1274: and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2020-02-15 10:00:35,045 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 10:00:35,095 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 10:00:36,238 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 10:00:36,238 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 10:00:36,771 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 10:00:37,012 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-4032533190-753116703-2394070240

# systemctl start samba-ad-dc

TROUBLESHOOTING THE BIND9_DLZ BACKEND
====================================

# samba_upgradedns --dns-backend=BIND9_DLZ

Output:

Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/bind-dns/dns/TEO-EN-MING.CORP.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc1 account already exists
See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
TROUBLESHOOTING "MISSING" MANDATORY SAMBA DNS RECORDS
====================================================

REFERENCE
========

Finally! I found the problem and discovered the solution.

Guide: CentOS 7 NetworkManager Keeps Overwriting /etc/resolv.conf
Link: https://ma.ttias.be/centos-7-networkmanager-keeps-overwriting-etcresolv-conf/

To prevent NetworkManager from overwriting your resolv.conf changes, remove the DNS1, DNS2, ... lines from /etc/sysconfig/network-scripts/ifcfg-*.

# cd /etc/sysconfig/network-scripts/
# nano ifcfg-ens3

Remove the DNS1 entry.

To make BIND listen on all interfaces
====================================

# nano /etc/named.conf

Change the listen-on entry to the following:

listen-on port 53 { any; };

# systemctl restart named

# netstat -anp | grep -v unix | grep LISTEN

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 28855/samba
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 29436/named
tcp 0 0 192.168.1.10:53 0.0.0.0:* LISTEN 29436/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 29436/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1090/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1087/cupsd
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 28855/samba
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 29436/named
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 28839/smbd
tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 28837/samba
tcp 0 0 0.0.0.0:49153 0.0.0.0:* LISTEN 28845/samba
tcp 0 0 0.0.0.0:49154 0.0.0.0:* LISTEN 28845/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 28845/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 28839/smbd
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1597/systemd-resolv
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::464 :::* LISTEN 28855/samba
tcp6 0 0 ::1:53 :::* LISTEN 29436/named
tcp6 0 0 :::22 :::* LISTEN 1090/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1087/cupsd
tcp6 0 0 :::88 :::* LISTEN 28855/samba
tcp6 0 0 ::1:953 :::* LISTEN 29436/named
tcp6 0 0 :::636 :::* LISTEN 28847/samba
tcp6 0 0 :::445 :::* LISTEN 28839/smbd
tcp6 0 0 :::49152 :::* LISTEN 28837/samba
tcp6 0 0 :::49153 :::* LISTEN 28845/samba
tcp6 0 0 :::49154 :::* LISTEN 28845/samba
tcp6 0 0 :::3268 :::* LISTEN 28847/samba
tcp6 0 0 :::3269 :::* LISTEN 28847/samba
tcp6 0 0 :::389 :::* LISTEN 28847/samba
tcp6 0 0 :::135 :::* LISTEN 28845/samba
tcp6 0 0 :::5355 :::* LISTEN 1597/systemd-resolv
tcp6 0 0 :::139 :::* LISTEN 28839/smbd

Modify /etc/resolv.conf again. This is the crux of the problem.

# nano /etc/resolv.conf

search teo-en-ming.corp
nameserver 192.168.1.10

Verifying DNS (Successful this time)
===================================

$ host -t SRV _ldap._tcp.teo-en-ming.corp.

Output:

_ldap._tcp.teo-en-ming.corp has SRV record 0 100 389 dc1.teo-en-ming.corp.

$ host -t SRV _kerberos._udp.teo-en-ming.corp.

Output:

_kerberos._udp.teo-en-ming.corp has SRV record 0 100 88 dc1.teo-en-ming.corp.

$ host -t A dc1.teo-en-ming.corp.

Output:

dc1.teo-en-ming.corp has address 192.168.122.1
dc1.teo-en-ming.corp has address 192.168.1.10

Verifying Kerberos (Successful this time)
========================================

# kinit administrator

Output:

Password for administrator@TEO-EN-MING.CORP:
Warning: Your password will expire in 41 days on Sat 28 Mar 2020 10:00:30 AM +08

# klist

Output:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEO-EN-MING.CORP

Valid starting       Expires              Service principal
02/15/2020 10:56:56  02/15/2020 20:56:56  krbtgt/TEO-EN-MING.CORP@TEO-EN-MING.CORP
        renew until 02/16/2020 10:56:53

OVERWHELMING SUCCESS!
====================

Joining Domain from Windows 10 Pro QEMU/KVM virtual machine
==========================================================

Install Windows 10 Pro version 1909 as a QEMU/KVM virtual machine.

Ping Samba AD DC from Windows.

ping 192.168.1.10

SUCCESS!

Configure Preferred DNS Server as 192.168.1.10 for your virtual NIC.
Alternate DNS Server: 8.8.8.8 (Compulsory for internet access)

REFERENCE GUIDE
==============

Guide: DNS Administration
Link: https://wiki.samba.org/index.php/DNS_Administration

Listing zone records
===================

# samba-tool dns query 192.168.1.10 teo-en-ming.corp @ ALL -U administrator

Output:

Password for [TEO-EN-MING\administrator]:
  Name=, Records=6, Children=0
    SOA: serial=241, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.teo-en-ming.corp., email=hostmaster.teo-en-ming.corp. (flags=600000f0, serial=241, ttl=3600)
    NS: dc1.teo-en-ming.corp. (flags=600000f0, serial=1, ttl=900)
    A: 192.168.1.10 (flags=600000f0, serial=1, ttl=900)
    AAAA: 2401:7400:c802:de67:0000:0000:0000:14c2 (flags=600000f0, serial=1, ttl=900)
    A: 192.168.122.1 (flags=600000f0, serial=26, ttl=900)
    AAAA: 2401:7400:c802:de67:0d19:690d:f659:ad40 (flags=600000f0, serial=27, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=dc1, Records=4, Children=0
    A: 192.168.1.10 (flags=f0, serial=1, ttl=900)
    AAAA: 2401:7400:c802:de67:0000:0000:0000:14c2 (flags=f0, serial=1, ttl=900)
    A: 192.168.122.1 (flags=f0, serial=24, ttl=900)
    AAAA: 2401:7400:c802:de67:0d19:690d:f659:ad40 (flags=f0, serial=25, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2

Disable IPv6 on Windows 10 Pro QEMU/KVM virtual machine.

Deleting Unnecessary DNS Records (OPTIONAL TASK)
================================================

# samba-tool dns delete 192.168.1.10 teo-en-ming.corp teo-en-ming.corp A 192.168.122.1 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp teo-en-ming.corp AAAA 2401:7400:c802:de67:0000:0000:0000:14c2 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp teo-en-ming.corp AAAA 2401:7400:c802:de67:0d19:690d:f659:ad40 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp dc1 A 192.168.122.1 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp dc1 AAAA 2401:7400:c802:de67:0000:0000:0000:14c2 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp dc1 AAAA 2401:7400:c802:de67:0d19:690d:f659:ad40 -U administrator

Disabling the Firewall on CentOS 8.1
====================================

# systemctl stop firewalld
# systemctl disable firewalld

Join Domain from Windows 10 Pro QEMU/KVM Virtual Machine
=======================================================

Domain: teo-en-ming.corp

Welcome to the teo-en-ming.corp domain.

Download and install Microsoft Remote Server Administration Tools (RSAT) for Windows 10.

Restart Windows 10 Pro QEMU/KVM virtual machine.

Log in as domain administrator.

User: TEO-EN-MING\administrator
Password: Unknown

Open Active Directory Users and Computers.

Final Success!
=============

AUTHOR: MR. TURRITOPSIS DOHRNII TEO EN MING, SINGAPORE
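
With firewalld stopped and disabled as in the section "Disabling the Firewall on CentOS 8.1", every socket bound to 0.0.0.0 or :: in the netstat listing is reachable from the network, so it helps to separate the AD DC services from everything else that is listening. The script below is an added example, not part of the original manual: it filters netstat output down to wildcard-bound TCP listeners that are not AD DC services. The function names audit_listeners and sample_listing and the port allowlist are assumptions, and the sample input is a constructed subset of the listing shown earlier.

```shell
#!/bin/sh
# Added example: list TCP listeners that are bound to every interface but
# are not AD DC services. Names and the allowlist below are assumptions.

# Assumed allowlist of AD DC TCP ports: DNS, Kerberos, RPC endpoint mapper,
# NetBIOS session, LDAP, SMB, kpasswd, LDAPS, global catalog (plain and TLS).
AD_DC_TCP_PORTS="53 88 135 139 389 445 464 636 3268 3269"

# Reads `netstat -anp` style lines on stdin and prints "port proto pid/program"
# for each wildcard-bound LISTEN socket outside the allowlist.
audit_listeners() {
    awk -v allow="$AD_DC_TCP_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)   # address without the port
            if (host != "0.0.0.0" && host != "::") next   # bound to one address
            if (port in ok) next                           # expected AD DC service
            if (port + 0 >= 49152) next                    # dynamic RPC range
            print port, $1, $7
        }
    ' | LC_ALL=C sort -k1,1n -k2,2
}

# Constructed sample: a subset of the netstat listing shown in the manual.
sample_listing() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.1.10:53 0.0.0.0:* LISTEN 29436/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1090/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1087/cupsd
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 28855/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 28839/smbd
tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 28837/samba
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1597/systemd-resolv
tcp6 0 0 ::1:53 :::* LISTEN 29436/named
tcp6 0 0 :::22 :::* LISTEN 1090/sshd
tcp6 0 0 :::389 :::* LISTEN 28847/samba
tcp6 0 0 :::5355 :::* LISTEN 1597/systemd-resolv
EOF
}

sample_listing | audit_listeners
```

On the DC itself, feed it live data with `netstat -anp | audit_listeners`. For the sample it reports ports 22, 111 and 5355, which are the listeners to review or restrict while no host firewall is running.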