Hopefully you've noticed that I'm working on two Samba AD issues at the
same
time and have two threads, one for joining a Linux Samba server as a domain
member to a Windows AD domain, and the other (this one) setting up a new Samba
DC on an existing Linux Samba domain with the goal of promoting the new DC and
demoting/removing the old/current one. I am not the admin for the Windows AD
server, but I am the admin for the Samba AD server.
On Jul 23 16:07:32 2023 Rowland Penny via samba <samba at lists.samba.org>
wrote:
> On 23/07/2023 20:40, Mark Foley via samba wrote:
> > On Sun Jul 16 04:21:55 2023 Rowland Penny via samba <samba at
lists.samba.org> wrote:
> >
> >> On 16/07/2023 07:10, Mark Foley via samba wrote:
[deleted]
> > Thanks, I'm now referencing your suggested wiki.
> >
> > Question 1: That wiki says:
> >
> > Configuring the /etc/resolv.conf
> >
> > Set the DNS server IP and AD DNS domain in your /etc/resolv.conf.
For example:
> >
> > nameserver 10.99.0.1
> > search samdom.example.com
> >
> > Is the nameserver as shown supposed to be the primary/current AD/DC?
>
> It is supposed to be another AD DC (there is no such thing as a
> 'primary' DC, they are all equal). I have added a note to the wiki
page.
Until this one gets promoted, there is only one AD DC, Samba version 4.8.2.
Hence the need to create a more up-to-date server.
> > Currently,
> > the AD/DC is 192.168.0.2 and in that host's resolv.conf the
nameserver IP is set
> > to itself. In this joined DC, should the nameserver be the
primary/current AD/DC
> > or itself (192.168.0.7)?
>
> Initially the nameserver needs to be another AD DC, once the join
> succeeds you change it to the new DCs ipaddress (aka its own ipaddress)
Done!
> >
> > Question 2: After setting krb5.conf per the wiki, the kerberos test
commands do not work:
> >
> > # kinit Administrator
> > Password for Administrator at hprs.local:
> > kinit: KDC reply did not match expectations while getting initial
credentials
> I really hope that '.local' is placeholder for the real TLD,
'.local' is
> reserved for Bonjour and Avahi and, as such, shouldn't be used.
Unfortunately, .local is the name. This whole domain started as a Windows Small
Business Server back in 2010 and I replaced the SBS AD/DC with Samba.
I did not change original the domain name (hprs.local) as I was very new at this
and
wasn't sure how that would affect the other Windows workstation in the
domain.
The other Windows AD domain I'm working on also has .local, so maybe
that's a
thing with Windows? Anyway, I've disabled/removed Bonjour and Avahi from
Windows
and Linux workstations when present.
> Provided that kerberos and dns are setup correctly, that should work.
I think they are. I followed the wiki instructs for krb5.conf, and I can see the
DC and all domain members via 'host'.
> > # klist
> > klist: No credentials cache found (filename: /tmp/krb5cc_0)
> >
> > Does something have to be running first? Note that samba is installed,
but not
> > running.
>
> Your DC needs to be able to contact a DC, preferably itself, but if the
> computer is pointing at another DC and the required packages are
> installed, then kinit should work.
>
> Rowland
"itself" is not yet a DC.
I can contact the DC and DNS seems to be working. If I run these command
on the DC I get:
> kinit
Password for Administrator at HPRS.LOCAL:
(nothing returned, 0 return status)
> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at HPRS.LOCAL
Valid starting Expires Service principal
07/23/2023 17:56:29 07/24/2023 03:56:29 krbtgt/HPRS.LOCAL at HPRS.LOCAL
renew until 07/24/2023 17:56:23
So, what do you suggest I do to get kerberos working on this wannbe-DC? It is
not yet joined to the domain, but I don't think I can do the join until
kerberos
is working. Samba is not running.
Perhaps there is an issue with which Kerberos is running on the DC versus
what's
on this new machine?
On the DC have have kerberos version Kerberos 5 version 1.11.6
On this new machine I have kerberos version Kerberos 5 version 1.19.2
The version numbers seem to indicate the same kerberos package, but it
doesn't
say whether it's Heimdal or MIT.
Thanks --Mark