On Mon, 2021-10-04 at 22:37 -0400, Rob Campbell via samba
wrote:> I followed these instructions:
>
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> These instructions didn't work exactly as they read. There was one
> step I
> didn't get a result because samba was stopped and it needed to be
> running
> (for dns) to get the result in the guide but other than that,
> everything
> happens as this guide says
No, it all works, you must be misunderstanding something.
> but when I try to join the domain from a vm I
> created. I have just one dc at this time. I've created a Fedora
> Server 35
> vm to add as another dc after I get it working solo bc that's how I
> really
> want to use it.
Are you using the standard fedora Samba packages ? If so, are you aware
that they are experimental when used for a DC, because they use MIT for
kerberos.
>
> $ realm join test-server.lan -U Administrator
> Password for Administrator:
> See: journalctl REALMD_OPERATION=r1171585.2732805
> realm: Couldn't join realm: Failed to join the domain
>
> $ journalctl REALMD_OPERATION=r1171585.2732805
> -- Journal begins at Fri 2021-10-01 15:39:25 EDT, ends at Mon 2021-
> 10-04
> 22:26:45 EDT. --
> Oct 04 22:24:21 fedora realmd[2732808]: * Resolving:
> _ldap._tcp.test-server.lan
> Oct 04 22:24:21 fedora realmd[2732808]: * Performing LDAP DSE lookup
> on:
> 10.0.0.10
> Oct 04 22:24:21 fedora realmd[2732808]: * Successfully discovered:
> test-server.lan
> Oct 04 22:24:30 fedora realmd[2732808]: * Required files:
> /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd,
> /usr/sbin/adcli
> Oct 04 22:24:30 fedora realmd[2732808]: * LANG=C /usr/sbin/adcli
> join
> --verbose --domain test-server.lan --domain-realm TEST-SERVER.LAN
> --domain-controller 10.0.0.10 --login-type user --login-user
> Administrator
> --stdin-password
> Oct 04 22:24:30 fedora realmd[2732808]: * Using domain name:
> test-server.lan
> Oct 04 22:24:30 fedora realmd[2732808]: * Calculated computer
> account name
> from fqdn: FEDORA
> Oct 04 22:24:30 fedora realmd[2732808]: * Using domain realm:
> test-server.lan
> Oct 04 22:24:30 fedora realmd[2732808]: * Sending NetLogon ping to
> domain
> controller: 10.0.0.10
> Oct 04 22:24:46 fedora realmd[2732808]: * Wrote out krb5.conf
> snippet to
> /var/cache/realmd/adcli-krb5-OMYnX1/krb5.d/adcli-krb5-conf-lTV3xU
> Oct 04 22:24:46 fedora realmd[2732808]: ! Couldn't authenticate as:
> Administrator at TEST-SERVER.LAN: Client 'Administrator at
TEST-SERVER.LAN'
> not
> found in Kerberos database
> Oct 04 22:24:46 fedora realmd[2732808]: adcli: couldn't connect to
> test-server.lan domain: Couldn't authenticate as:
> Administrator at TEST-SERVER.LAN: Client 'Administrator at
TEST-SERVER.LAN'
> not
> found in Kerberos database
> Oct 04 22:24:46 fedora realmd[2732808]: ! Failed to join the domain
Sorry, but you cannot use realmd to join a DC
>
> /etc/samba/smb.conf:
> # Global parameters
> [global]
> dns forwarder = 10.0.0.1
> netbios name = FS34
> realm = TEST-SERVER.LAN
> server role = active directory domain controller
> workgroup = TEST-SERVER
> idmap_ldb:use rfc2307 = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/test-server.lan/scripts
> read only = No
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> valid users = %S
> ; valid users = MYDOMAIN\%S
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes
>
> # Un-comment the following and create the netlogon directory for
> Domain
> Logons:
> ; [netlogon]
> ; comment = Network Logon Service
> ; path = /var/lib/samba/netlogon
> ; guest ok = yes
> ; writable = no
> ; share modes = no
>
> # Un-comment the following to provide a specific roaming profile
> share.
> # The default is to use the user's home directory:
> ; [Profiles]
> ; path = /var/lib/samba/profiles
> ; browseable = no
> ; guest ok = yes
>
> # A publicly accessible directory that is read only, except for users
> in the
> # "staff" group (which have write permissions):
> ; [public]
> ; comment = Public Stuff
> ; path = /home/samba
> ; public = yes
> ; writable = no
> ; printable = no
> ; write list = +staff
>
> [Photos]
> comment = Photos
> path = /multimedia/Photos
>
> browseable = Yes
> read only = No
> inherit acls = Yes
>
> [Videos]
> comment = Videos
> path = /multimedia/Videos
>
> browseable = Yes
> read only = No
> inherit acls = Yes
>
> [Movies]
> comment = Videos
> path = /multimedia/Movies
>
> browseable = Yes
> read only = No
> inherit acls = Yes
>
> [Music]
> comment = Videos
> path = /multimedia/Music
>
> browseable = Yes
> read only = No
> inherit acls = Yes
>
> [seagate]
> comment = Videos
> path = /media/seagate
>
> browseable = Yes
> read only = No
> inherit acls = Yes
>
> /etc/krb5.conf:
> [libdefaults]
> default_realm = TEST-SERVER.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
>
> [realms]
> TEST-SERVER.LAN = {
> default_domain = test-server.lan
> kdc = test-server.lan
> }
>
> [domain_realm]
> fs34 = TEST-SERVER.LAN
> dc01 = TEST-SERVER.LAN
> .test-server = TEST-SERVER.LAN
> .test-server.lan = TEST-SERVER.LAN
> dc01.test-server.lan = TEST-SERVER.LAN
>
> I am able to access the shares and I have mounted them (as a user
> I've
> added).
> //test-server.lan/Photos 2.7T 1.8T 926G 66% /home/user/mnt/Photos
> //test-server.lan/Videos 2.8T 1.9T 926G 68% /home/user/mnt/Videos
> //test-server.lan/Movies 2.8T 1.9T 926G 68% /home/user/mnt/Movies
>
> # smbclient -L test-server.lan -U user
> Enter TEST-SERVER\user's password:
>
> Sharename Type Comment
> --------- ---- -------
> sysvol Disk
> netlogon Disk
> Photos Disk Photos
> Videos Disk Videos
> Movies Disk Videos
> Music Disk Videos
> seagate Disk Videos
> IPC$ IPC IPC Service (Samba 4.14.7)
> SMB1 disabled -- no workgroup available
>
Is it possible that you think you can create a DC smb.conf and then
join it as a DC with realmd ? If so, then sorry to disillusion you, but
that will never work. Also you should be aware that Samba does not
recommend using a DC as a fileserver.
Rowland