OK.. after school ended today, I poked around and found nothing so I started all over again. Followed Louis' instructions at https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt all the way through but at the end, the resolver is not working - and kinit cannot find a KDC (I'm guessing because the resolver is not working!)

This is the only server on the network and has an IP address of 192.168.4.5 (the gateway is at 192.168.4.1)

"Service named status" gives me:

● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-09-04 21:41:41 PDT; 10min ago
       Docs: man:named(8)
   Main PID: 528 (named)
      Tasks: 14 (limit: 2282)
     Memory: 61.9M
     CGroup: /system.slice/named.service
             └─528 /usr/sbin/named -f -u bind

Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:2d::d#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:1::53#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:9f::42#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:503:ba3e::2:30#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:a8::e#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:200::b#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:2f::f#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:503:c27::2:30#53
Sep 04 21:52:22 dc01 named[528]: broken trust chain resolving 'dc01.internal.kcs/A/IN': 8.8.8.8#53
Sep 04 21:52:22 dc01 named[528]: broken trust chain resolving '_ldap._tcp.dc01.internal.kcs/SRV/IN': 8.8.8.8#53

I do not know where to start.

I took copious notes as I followed Louis' walkthrough, which I'll send if they interest you, but it's many pages!

On Fri, Sep 4, 2020 at 7:20 AM Rowland penny <rpenny at samba.org> wrote:

> On 04/09/2020 15:05, Peter Pollock wrote:
> > This is brand new. Created following Louis' instructions (although in
> > my install of Ubuntu 20.04, it gets a little tricky with installing
> > packages because it claims one or more don't exist after adding Louis'
> > repository and doing an apt update).
> Please don't do that, say something doesn't exist without telling us
> what 'something' is ;-)
> >
> > Totally separate network from my Zentyal installs, on a ProxMox
> > virtual server, if that makes any difference.
> No, good idea really, it doesn't matter if it is separate, it allows you
> to destroy it easily if need be.
> >
> > I know the admin password, I just removed it from this email, I just
> > cannot figure out why I can't initiate a kticket.
> OK, if you know the password, no need to start again, but kinit should
> work. Did you check if the first nameserver in /etc/resolv.conf is the
> DC's IP ? did you run the kinit command as root and like this 'kinit
> Administrator' ?
> >
> > I can wipe it and start again, that's not a problem at all. I was just
> > so close...
>
> No, there is no need, it was just the lack of the Administrator password
> that was throwing me ;-)
>
> Rowland

I FINALLY DID IT!!!!!

After following Louis van Belle's walk-through to create a new DC, and having problems at the end, I realized there was nothing in the walk through about modifying /var/lib/samba/bind-dns/named.conf to let Samba know the Bind version so I did that and Voila!

We have name resolution, can create Kerberos tickets, just successfully connected a Windows workstation to the domain and seem to be rocking and rolling!

Thank you for all your help everyone. Especially Rowland. I have a long way to go this weekend, but this is a good start!

On 05/09/2020 07:46, Peter Pollock wrote:
> I FINALLY DID IT!!!!!
>
> After following Louis van Belle's walk-through to create a new DC, and
> having problems at the end, I realized there was nothing in the walk
> through about modifying /var/lib/samba/bind-dns/named.conf to let
> Samba know the Bind version so I did that and Voila!
>
> We have name resolution, can create Kerberos tickets, just
> successfully connected a Windows workstation to the domain and seem to
> be rocking and rolling!
>
> Thank you for all your help everyone. Especially Rowland. I have a
> long way to go this weekend, but this is a good start!

Isn't it great when it all works :-)

I installed a DC on 20.04 server, to see if there was a problem. I removed snaps and cloud-init. I also used Louis's repo to get 4.12.6

I followed Louis's 18.04 howto to a certain extent (one thing I didn't do was to create the ntp_signd dir, Samba does that for you)

Everything seemed to work until it came to resolving, it didn't!!

I traced this down to two things, one was the Samba named conf wasn't set (it doesn't know about Bind 9.16) and /etc/hosts. Even though the install (when setting a fixed IP) asks you for the dns domain name, it doesn't put it into /etc/hosts. If you examine /etc/hosts, you will find this:

127.0.1.1 <dc_short_hostname>

When it should be:

127.0.1.1 <dc_fqdn> <dc_short_hostname>

Once these were fixed, everything now works.

Rowland

Hi,

Ow.. This is a good one, I'll add this as a note in the file.
It's not added because normally this is set correctly for samba-ad at the install already.
Most forget/miss the dns adjustment in netplan. ;-)

Thanks for the notice. It's added.

Greetz,

Louis

From: Peter Pollock [mailto:peter.pollock at kingschristian.org]
Sent: Saturday, 5 September 2020 8:47
To: Rowland penny
CC: L.P.H. van Belle; sambalist
Subject: Re: [Samba] Changing IP Scope on a Samba DC

I FINALLY DID IT!!!!!

After following Louis van Belle's walk-through to create a new DC, and having problems at the end, I realized there was nothing in the walk through about modifying /var/lib/samba/bind-dns/named.conf to let Samba know the Bind version so I did that and Voila!

We have name resolution, can create Kerberos tickets, just successfully connected a Windows workstation to the domain and seem to be rocking and rolling!

Thank you for all your help everyone. Especially Rowland. I have a long way to go this weekend, but this is a good start!
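
The checks named in this thread (the 127.0.1.1 line in /etc/hosts, the BIND version selection in Samba's bind-dns/named.conf, and the first nameserver in /etc/resolv.conf) can be scripted. The following is an added example, not part of any message above and not taken from Louis' howto; the function names, sample files and module paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the DC name-resolution faults discussed in the thread.
# Paths are arguments so the checks can be run against copies of the real files.

# hosts_ok FILE: succeeds only if FILE has "127.0.1.1 <dc_fqdn> <dc_short_hostname>".
# Assumption: a missing 127.0.1.1 line is reported as a failure too.
hosts_ok() {
    awk '$1 == "127.0.1.1" {
             seen = 1
             split($2, label, ".")
             if (index($2, ".") == 0 || $3 != label[1]) bad = 1
         }
         END { exit !(seen && !bad) }' "$1"
}

# active_dlz_count FILE: prints the number of uncommented 'database "dlopen ...' lines
# in Samba's bind-dns/named.conf. 0 means no BIND version has been selected.
active_dlz_count() {
    grep -Ec '^[[:space:]]*database[[:space:]]+"dlopen ' "$1" || true
}

# first_nameserver FILE: prints the first nameserver of a resolv.conf.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Constructed sample files; the module paths are placeholders, not real file names.
tmp=$(mktemp -d)
printf '127.0.0.1 localhost\n127.0.1.1 dc01\n' > "$tmp/hosts.bad"
printf '127.0.0.1 localhost\n127.0.1.1 dc01.internal.kcs dc01\n' > "$tmp/hosts.good"
printf 'nameserver 8.8.8.8\nnameserver 192.168.4.5\n' > "$tmp/resolv.conf"
cat > "$tmp/named.conf" <<'EOF'
dlz "AD DNS Zone" {
    # database "dlopen /path/to/dlz_module_A.so";
    # database "dlopen /path/to/dlz_module_B.so";
};
EOF

hosts_ok "$tmp/hosts.bad"  || echo "hosts.bad: 127.0.1.1 line lacks the FQDN"
hosts_ok "$tmp/hosts.good" && echo "hosts.good: ok"
echo "active dlz database lines: $(active_dlz_count "$tmp/named.conf") (want exactly 1)"
echo "first nameserver: $(first_nameserver "$tmp/resolv.conf") (want the DC's own IP)"
```

On a real DC the functions would be pointed at /etc/hosts, /var/lib/samba/bind-dns/named.conf and /etc/resolv.conf.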