On 05/09/2020 07:46, Peter Pollock wrote:
> I FINALLY DID IT!!!!!
>
> After following Louis van Belle's walk-through to create a new DC, and
> having problems at the end, I realized there was nothing in the walk
> through about modifying /var/lib/samba/bind-dns/named.conf to let
> Samba know the Bind version so I did that and Voila!
>
> We have name resolution, can create kerberos tickets, just
> successfully connected a windows workstation to the domain and seem to
> be rocking and rolling!
>
> Thank you for all your help everyone. Especially Rowland. I have a
> long way to go this weekend, but this is a good start!
>
> On Fri, Sep 4, 2020 at 10:02 PM Peter Pollock
> <peter.pollock at kingschristian.org> wrote:
>
>     OK.. after school ended today, I poked around and found nothing so
>     I started all over again. Followed Louis' instructions at
>     https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
>     all the way through but at the end, the resolver is not working -
>     and kinit cannot find a KDC (I'm guessing because the resolver is
>     not working!)
>
>     This is the only server on the network and has an IP address of
>     192.168.4.5 (the gateway is at 192.168.4.1)
>
>     "Service named status" gives me:
>
>     ● named.service - BIND Domain Name Server
>          Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
>          Active: active (running) since Fri 2020-09-04 21:41:41 PDT; 10min ago
>            Docs: man:named(8)
>        Main PID: 528 (named)
>           Tasks: 14 (limit: 2282)
>          Memory: 61.9M
>          CGroup: /system.slice/named.service
>                  └─528 /usr/sbin/named -f -u bind
>
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:2d::d#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:1::53#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:9f::42#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:503:ba3e::2:30#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:a8::e#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:200::b#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:2f::f#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:503:c27::2:30#53
>     Sep 04 21:52:22 dc01 named[528]: broken trust chain resolving 'dc01.internal.kcs/A/IN': 8.8.8.8#53
>     Sep 04 21:52:22 dc01 named[528]: broken trust chain resolving '_ldap._tcp.dc01.internal.kcs/SRV/IN': 8.8.8.8#53
>
>     I do not know where to start.
>
>     I took copious notes as I followed Louis' walkthrough, which I'll
>     send if they interest you, but it's many pages!
>
>     On Fri, Sep 4, 2020 at 7:20 AM Rowland penny <rpenny at samba.org> wrote:
>
>         On 04/09/2020 15:05, Peter Pollock wrote:
>         > This is brand new. Created following Louis' instructions (although in
>         > my install of Ubuntu 20.04, it gets a little tricky with installing
>         > packages because it claims one or more don't exist after adding Louis'
>         > repository and doing an apt update).
>         Please don't do that, say something doesn't exist without telling us
>         what 'something' is ;-)
>
>         > Totally separate network from my Zentyal installs, on a ProxMox
>         > virtual server, if that makes any difference.
>         No, good idea really, it doesn't matter if it is separate, it allows you
>         to destroy it easily if need be.
>
>         > I know the admin password, I just removed it from this email, I just
>         > cannot figure out why I can't initiate a kticket.
>         OK, if you know the password, no need to start again, but kinit should
>         work. Did you check if the first nameserver in /etc/resolv.conf is the
>         DC's IP ? did you run the kinit command as root and like this 'kinit
>         Administrator' ?
>
>         > I can wipe it and start again, that's not a problem at all. I was just
>         > so close...
>
>         No, there is no need, it was just the lack of the Administrator password
>         that was throwing me ;-)
>
>         Rowland
>

Isn't it great when it all works :-)

I installed a DC on 20.04 server, to see if there was a problem.

I removed snaps and cloud-init.

I also used Louis's repo to get 4.12.6

I followed Louis's 18.04 howto to a certain extent (one thing I didn't
do was to create the ntp_signd dir, Samba does that for you)

Everything seemed to work until it came to resolving, it didn't!!

I traced this down to two things, one was the Samba named conf wasn't
set (it doesn't know about Bind 9.16) and /etc/hosts. Even though the
install (when setting a fixed IP) asks you for the dns domain name, it
doesn't put it into /etc/hosts. If you examine /etc/hosts, you will find
this:

127.0.1.1 <dc_short_hostname>

When it should be:

127.0.1.1 <dc_fqdn> <dc_short_hostname>

Once these were fixed, everything now works.

Rowland
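The two fixes Rowland describes in the message above (the 127.0.1.1 line in /etc/hosts and the missing BIND 9.16 module line in Samba's named.conf), together with his earlier question about the first nameserver in /etc/resolv.conf, are the usual reasons a freshly provisioned DC cannot resolve itself, and all three can be checked before anyone reaches for kinit. The script below is an added example, not code from this thread or from the Samba project. Each check takes the file to inspect as an argument, so it runs against the live /etc/hosts, /etc/resolv.conf and /var/lib/samba/bind-dns/named.conf or, as here, against constructed copies that reproduce the broken and the fixed state. The hostnames, IP address and BIND version come from the thread; the dlz module path under /usr/lib/x86_64-linux-gnu/samba/bind9/ is an assumption based on Debian/Ubuntu packaging.

```sh
#!/bin/sh
# Added example, not from the thread or the Samba project: pre-flight checks
# for the three DNS pitfalls discussed above. Each check takes the file to
# inspect as an argument, so it works on /etc/hosts, /etc/resolv.conf and
# /var/lib/samba/bind-dns/named.conf as well as on the constructed copies
# created at the bottom of this script.

# /etc/hosts: the 127.0.1.1 entry must carry the FQDN and then the short
# name. The Ubuntu 20.04 installer writes only the short name.
check_hosts() {
    hosts_file=$1; fqdn=$2; short=$3
    awk -v f="$fqdn" -v s="$short" '
        $1 == "127.0.1.1" && $2 == f && $3 == s { found = 1 }
        END { exit found ? 0 : 1 }' "$hosts_file"
}

# /etc/resolv.conf: the first nameserver must be the DC itself, or, on a
# machine about to be joined as a second DC, the existing first DC.
check_resolv() {
    resolv_file=$1; dc_ip=$2
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv_file")
    [ "$first" = "$dc_ip" ]
}

# Samba's named.conf: exactly one "database dlopen .../dlz_bind9_*.so" line
# may be active (not commented out with # or //), and it must name the
# module for the installed BIND version, e.g. 16 for BIND 9.16.
check_named_dlz() {
    named_conf=$1; bind_minor=$2
    active=$(awk '!/^[ \t]*#/ && !/^[ \t]*\/\// && /dlz_bind9/ { n++ }
                  END { print n + 0 }' "$named_conf")
    [ "$active" -eq 1 ] || return 1
    awk -v m="dlz_bind9_${bind_minor}.so" '
        !/^[ \t]*#/ && !/^[ \t]*\/\// && index($0, m) { found = 1 }
        END { exit found ? 0 : 1 }' "$named_conf"
}

# Run all three against a directory holding hosts, resolv.conf and
# named.conf; report each and return non-zero if any check failed.
preflight() {
    dir=$1; fqdn=$2; short=$3; dc_ip=$4; bind_minor=$5; rc=0
    if check_hosts "$dir/hosts" "$fqdn" "$short"; then
        echo "hosts:      ok"
    else
        echo "hosts:      FAIL - 127.0.1.1 line must read '$fqdn $short'"; rc=1
    fi
    if check_resolv "$dir/resolv.conf" "$dc_ip"; then
        echo "resolv:     ok"
    else
        echo "resolv:     FAIL - first nameserver must be $dc_ip"; rc=1
    fi
    if check_named_dlz "$dir/named.conf" "$bind_minor"; then
        echo "named.conf: ok"
    else
        echo "named.conf: FAIL - need exactly one active dlz_bind9_${bind_minor}.so line"; rc=1
    fi
    return $rc
}

# Constructed sample files (not copied from any real host): "broken"
# reproduces the state described in the thread, "fixed" the state after
# the edits. They are removed when the script exits.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir "$DEMO/broken" "$DEMO/fixed"
printf '127.0.0.1 localhost\n127.0.1.1 dc01\n' > "$DEMO/broken/hosts"
printf '127.0.0.1 localhost\n127.0.1.1 dc01.internal.kcs dc01\n' > "$DEMO/fixed/hosts"
printf 'nameserver 8.8.8.8\nnameserver 192.168.4.5\n' > "$DEMO/broken/resolv.conf"
printf 'search internal.kcs\nnameserver 192.168.4.5\n' > "$DEMO/fixed/resolv.conf"
# The module path below is assumed from Debian/Ubuntu packaging.
cat > "$DEMO/broken/named.conf" <<'EOF'
dlz "AD DNS Zone" {
    # For BIND 9.12.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_12.so";
};
EOF
cat > "$DEMO/fixed/named.conf" <<'EOF'
dlz "AD DNS Zone" {
    # For BIND 9.12.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_12.so";
    # For BIND 9.16.x (line added by hand; Samba 4.12's template lacks it)
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};
EOF

echo "== broken =="; preflight "$DEMO/broken" dc01.internal.kcs dc01 192.168.4.5 16 || true
echo "== fixed ==";  preflight "$DEMO/fixed"  dc01.internal.kcs dc01 192.168.4.5 16 || true
```

On a real DC, run it as `preflight /some/dir fqdn short dc_ip bind_minor` after copying the three live files into one directory, or call the individual checks with the real paths. The named.conf check deliberately insists on exactly one active module line: two active `database` lines make named refuse to load the zone, and zero is precisely the silent failure the thread ran into.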
I just found the /etc/hosts thing two seconds before reading your email.

A couple of questions:

1) The install also did nothing to krb5.conf - do I need to merge it
with the file that the install generated?

2) When adding a DC to this domain, do I follow the same walk-through
but just use samba-tool domain join instead of domain provision?

3) What tests should I run? I can join a computer to the domain and
shortly (it took me 3 hours last time, so not particularly shortly at
all) will be trying to join another DC, are there any standard commands
or tests I should be running other than that?

On Sat, Sep 5, 2020 at 1:01 AM Rowland penny <rpenny at samba.org> wrote:
> Isn't it great when it all works :-)
>
> I installed a DC on 20.04 server, to see if there was a problem.
>
> I removed snaps and cloud-init.
>
> I also used Louis's repo to get 4.12.6
>
> I followed Louis's 18.04 howto to a certain extent (one thing I didn't
> do was to create the ntp_signd dir, Samba does that for you)
>
> Everything seemed to work until it came to resolving, it didn't!!
>
> I traced this down to two things, one was the Samba named conf wasn't
> set (it doesn't know about Bind 9.16) and /etc/hosts. Even though the
> install (when setting a fixed IP) asks you for the dns domain name, it
> doesn't put it into /etc/hosts. If you examine /etc/hosts, you will find
> this:
>
> 127.0.1.1 <dc_short_hostname>
>
> When it should be:
>
> 127.0.1.1 <dc_fqdn> <dc_short_hostname>
>
> Once these were fixed, everything now works.
>
> Rowland
On 05/09/2020 09:12, Peter Pollock wrote:
> I just found the /etc/hosts thing two seconds before reading your email.
>
> A couple of questions:
>
> 1) The install also did nothing to krb5.conf - do I need to merge it
> with the file that the install generated?

No, the one the distro created is enough.

> 2) When adding a DC to this domain, do I follow the same walk-through
> but just use samba-tool domain join instead of domain provision?

Yes, it is a join instead of provision (you only run provision once in a
domain), but you will need to initially use the first DC as the new DC's
nameserver.

> 3) What tests should I run? I can join a computer to the domain and
> shortly (it took me 3 hours last time, so not particularly shortly at
> all) will be trying to join another DC, are there any standard
> commands or tests I should be running other than that?

Create a few users and groups on your new DC and join a client, if your
users can login, then it is probably working okay, basically just 'play'
with it ;-)

Rowland