On 09/02/2021 16:25, Anders Östling via samba wrote:
> I am struggling to learn more on how to replace a couple of Windows DC's.
> This is a long-term plan since we have a quite well working mix of Windows and
> Samba, but I aim to eventually have a pure (server-side) Linux rack to handle.
>
> So, now I have a bunch of VM's running Debian 10 with Samba 4.9.5. Two of
> these are DC's, one a FS and a third will be the management center and VPN entry
> point.
>
> WORKING
>
> Domain provisioned on first DC, second DC joined successfully
> The internal DNS server is running on both, and seems to sync correctly
> The 2 DC's are replicating the AD correctly (verified with samba-tool)
> Sysvol share replicated using rsync
> Win 10 client joined as member
> Can logon on Win client using a domain account
> GPO's created for home directory and roaming profiles
> Can manage both DC's with RSAT tools for DNS, GPO, ADUC, Computer mgmnt
> etc.
>
> NOT WORKING OR NOT IMPLEMENTED YET
>
> Redundant DHCP server (ics-dhcpd on primary as of now)
> Reverse DNS entries not created automatically. Also, using SAMBA-TOOL DNS
> ZONECREATE to create the reverse zone reported success but the zone was not
> correctly setup. Had to delete it using RSAT and re-create manually.
Creating the reverse zone with samba-tool should have worked, always has
for myself:
sudo samba-tool dns zonecreate u2004dc 0.168.192.in-addr.arpa -U Administrator
How are you running the dhcp server, have you read this:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
Ignore the 'bind9' bit, I must rename that page ?
> Weird permission problem on second DC for the profile share, no problem on
> the first DC. Opening Properties/Security on the mapped Profile share crashes
> the Windows Explorer hard.
Are you syncing the profile share between DC's? Also most people just
place the profiles on a Unix domain member.
>
> Profile share defined (on both) as
>
> root@dc2-hplts:/# cat /etc/samba/smb.conf
>
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8
> netbios name = DC2-HPLTS
> realm = HOGANAS-PLATSLAGAREN.SE
> server role = active directory domain controller
> workgroup = HPLTS
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/hoganas-platslagaren.se/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [profiles]
> path = /samba/profiles
> read only = No
>
> The ACL on the working share has been copied to the non-working
>
> root@dc2-hplts:/# getfacl samba/profiles/
> # file: samba/profiles/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000002:rwx
> user:3000004:rwx
> group::rwx
> group:users:rwx
> group:3000000:rwx
> group:3000002:rwx
> group:3000004:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000002:rwx
> default:user:3000004:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000002:rwx
> default:group:3000004:rwx
> default:mask::rwx
> default:other::---
The windows permissions are stored in an EA called 'security.NTACL', you
can read this with 'samba-tool ntacl get <file> --as-sddl'
>
> Next thing is that on the production Samba server, the object list (wbinfo
> -g/u) showed up without the prefix. Now on the DC, the group names are prefixed
> with the Netbios name. Is that normal for an AD DC?
Yes and you cannot remove the netbios name.
>
>
>
> I am really determined to learn more on Samba's functions, and since I
> prefer to read paper books, I have been looking for a reasonably up-to-date
> Samba book. The one I found was for v4.0, and I suspect that there have been a
> LOT of changes since then. The other more recent book was only available in
> German, so that's a no-go. Hopefully someone will find time to author, or
> translate, a newer one soon!
>
The only really recent documentation is what is written in the Samba
wiki (and if anyone notices an error or omission, please report it).
Your best option, as you seem to have found out, is to ask questions here.
Rowland
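The thread above compares the POSIX ACL of the profile share on two DCs by eye, and Rowland points out that the Windows-side permissions live separately in the `security.NTACL` extended attribute. The script below is an added example, not code from the thread or from the Samba project: it parses the text format that `getfacl` prints, diffs the access and default entries between two captures, and flags principals that appear only as raw numeric IDs (the 3000000-range entries in the listing). Those IDs are allocated by each DC in its own idmap.ldb, so two DCs showing the same number are not guaranteed to mean the same SID; a numeric match is therefore something to verify with `samba-tool ntacl get --as-sddl` or `wbinfo --sid-to-uid`, not proof of equivalence. Both sample listings are constructed: the first is the one from the thread, the second is a hypothetical capture from the other DC with one entry missing.

```python
"""Parse and compare getfacl output from two hosts (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class AclEntry:
    default: bool      # True for a 'default:' (inherited) entry
    tag: str           # user, group, mask or other
    qualifier: str     # '' for the owner/owning group, else a name or numeric ID
    perms: str         # e.g. 'rwx' or '---'


def parse_getfacl(text):
    """Return (metadata, set_of_entries) from one getfacl listing."""
    meta, entries = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):                       # '# owner: root' header lines
            key, _, value = line[1:].partition(':')
            meta[key.strip()] = value.strip()
            continue
        default = line.startswith('default:')
        if default:
            line = line[len('default:'):]
        parts = line.split(':')
        if len(parts) != 3:
            raise ValueError(f'unrecognised ACL line: {raw!r}')
        tag, qualifier, perms = parts
        entries.add(AclEntry(default, tag, qualifier, perms))
    return meta, entries


def numeric_principals(entries):
    """Qualifiers that are bare IDs: not resolvable by number alone across DCs."""
    return sorted({e.qualifier for e in entries if e.qualifier.isdigit()})


def diff_acls(text_a, text_b):
    """Compare two listings; report entries unique to either side plus numeric IDs."""
    meta_a, a = parse_getfacl(text_a)
    meta_b, b = parse_getfacl(text_b)
    return {
        'owner_differs': (meta_a.get('owner'), meta_a.get('group'))
                         != (meta_b.get('owner'), meta_b.get('group')),
        'only_in_a': sorted(a - b),
        'only_in_b': sorted(b - a),
        'numeric_ids': numeric_principals(a | b),
    }


# Constructed sample 1: the listing posted in the thread.
DC1_ACL = """\
# file: samba/profiles/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000002:rwx
user:3000004:rwx
group::rwx
group:users:rwx
group:3000000:rwx
group:3000002:rwx
group:3000004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000002:rwx
default:user:3000004:rwx
default:group::---
default:group:3000000:rwx
default:group:3000002:rwx
default:group:3000004:rwx
default:mask::rwx
default:other::---
"""

# Constructed sample 2: hypothetical capture from the second DC, 'group:users' missing.
DC2_ACL = DC1_ACL.replace('group:users:rwx\n', '')


if __name__ == '__main__':
    report = diff_acls(DC1_ACL, DC2_ACL)
    for key, value in report.items():
        print(f'{key}: {value}')
```

Run it against two real captures by replacing the constructed strings with the saved output of `getfacl` from each DC; anything listed under `numeric_ids` is worth resolving to a SID on both hosts before concluding the ACLs match.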