On Jul 24 13:30:11 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 24/07/2023 17:46, Mark Foley via samba wrote:
> > I removed the new computer from the domain and deleted the smb.conf file. I then
> > did:
> >
> > samba-tool domain join hprs.local DC --option='idmap_ldb:use rfc2307 = yes' -U Administrator

[deleted]

> It sounds like you now have a DC :-)
>
> > Note that I did not specify any --dns-backend. I hope that's OK as I
> > provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC. I do
> > have LAN members not part of the domain that need to have DNS service, so I may
> > have to redo this later.
>
> If you didn't specify a dns backend, then the default internal dns
> server will be used.
>
> > Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's
> > IP, but that didn't work -- couldn't see any other host, so I reverted back to
> > the original DC's IP. However, that's not working either, even after a reboot. I
> > switched back to the new DC's IP and rebooted. Again, not working. So, something
> > is wrong with the DNS setup.
>
> The dns problem is probably because there are no records in AD, you need
> to either transfer the records from the flat files (you will probably
> have to create the reverse zone) or let your Windows computers create
> them in AD.

OK, I'll look at that after the sync Sysvol. On the original DC, that machine was
already the DNS w/o Samba with all the named.conf, zones, etc. configured. It was
easy to adapt that to the then supported --dns-backend=BIND9_FLATFILE. I think I
can research this a bit and sort it out.

[deleted]

> > Next I ran 'net cache flush' on the new DC; seemed to work (no error).
> >
> > Next 'samba-tool ntacl sysvolreset', but I had a problem with that:
> >
> > # samba-tool ntacl sysvolreset
> > set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND

[deleted]

> > What did I do wrong? Note that samba is not yet running.
>
> Did you also sync Sysvol ?
> On a newly joined DC, there is very little in sysvol, it needs to be
> synced from a DC that holds all the GPO's.

The wiki says, "You will now need to sync Sysvol to the new DC." I thought then
sysvolreset was that. Is there a wiki/howto on how to sync Sysvol?

> ... it is just that Debian (and Debian base distros,
> Ubuntu for instance) has been the goto distro for a Samba AD DC since
> Samba 4.0.0 and there is a lot of Knowledge out there. I run two Samba
> AD DCs on Raspberry pi OS (Debian based), so I can vouch that it works well.
>
> Rowland

Wow, on a Raspberry pi, eh? That's impressive for a Raspberry! I may be the only
one running this on Slackware. However, I don't really think the actual setup is
much different by distro other than certainly what Samba version it supports.
Slackware tends to lag, on purpose -- let others be the delta-tester. I hope this
exercise doesn't prove me wrong.

Thanks --Mark
On 25.07.23 07:53, Mark Foley via samba wrote:

> Wow, on a Raspberry pi, eh? That's impressive for a Raspberry! I may be
> the only one running this on Slackware. However, I don't really think
> the actual setup is much different by distro other than certainly what
> Samba version it supports. Slackware tends to lag, on purpose -- let
> others be the delta-tester. I hope this exercise doesn't prove me wrong.

Just to point this out. I think Slackware is using MIT Kerberos. Not that it
matters for your current problem. But as MIT Kerberos support in Samba is still
experimental I wanted to point this out.

Regards
Christian
> On Jul 24 13:30:11 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > Next 'samba-tool ntacl sysvolreset', but I had a problem with that:
> > >
> > > # samba-tool ntacl sysvolreset
> > > set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> >
> > > What did I do wrong? Note that samba is not yet running.
> >
> > Did you also sync Sysvol ?
> > On a newly joined DC, there is very little in sysvol, it needs to be
> > synced from a DC that holds all the GPO's.
>
> The wiki says, "You will now need to sync Sysvol to the new DC." I thought then
> sysvolreset was that. Is there a wiki/howto on how to sync Sysvol?

To "sync Sysvol to the new DC", can I just rsync from the current DC to the new DC?

    rsync -tvr /var/lib/samba/sysvol/ DC1:/var/lib/samba/sysvol

or tar the old sysvol and untar on the new DC? sysvol has ACLs and ATTRs that I
don't think tar or rsync preserves, but I do have all the ACLs and ATTRs backed up
and I could restore those with setattr, setfacl ... OR is that what 'samba-tool
ntacl sysvolreset' is supposed to do? OR - is there some official samba tool to
sync sysvol?

Thanks --Mark
While awaiting feedback on the error results of my "samba-tool ntacl sysvolreset"
(ref. my message, same thread, of Fri, 28 Jul 2023 17:04:21), I'm going to look at
this problem with the DNS ...

On Tue Jul 25 01:54:45 2023 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Jul 24 13:30:11 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > On 24/07/2023 17:46, Mark Foley via samba wrote:

[deleted]

> > > Note that I did not specify any --dns-backend [when joining the new DC]. I hope that's OK as I
> > > provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC. I do
> > > have LAN members not part of the domain that need to have DNS service, so I may
> > > have to redo this later.
> >
> > If you didn't specify a dns backend, then the default internal dns
> > server will be used.
> >
> > > Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's
> > > IP, but that didn't work -- couldn't see any other host, so I reverted back to
> > > the original DC's IP.
> >
> > The dns problem is probably because there are no records in AD, you need
> > to either transfer the records from the flat files (you will probably
> > have to create the reverse zone) or let your Windows computers create
> > them in AD.
>
> OK, I'll look at that after the sync Sysvol. On the original DC, that machine
> was already the DNS w/o Samba with all the named.conf, zones, etc. configured.
> It was easy to adapt that to the then supported --dns-backend=BIND9_FLATFILE. I
> think I can research this a bit and sort it out.

[deleted]

Prior to provisioning the current DC, that host was running as the LAN nameserver
and I had created the named.conf containing zones and other options. As mentioned,
I provisioned with --dns-backend=BIND9_FLATFILE and it was a relatively simple
matter to add

    include "/var/lib/samba/private/named.conf";

to /etc/named.conf, and put the needed zone into that file.

So now I'm going step-by-step on this DNS thing. In the wiki, after doing the
join, I am following the instructions under "Verifying the DNS Entries". That
section says, "If you join a Samba DC that runs Samba 4.7 and later, samba-tool
created all required DNS entries automatically. To manually create the records on
an earlier version, see Verifying and Creating a DC DNS Record." The current DC is
version 4.8.2, but I thought I should go ahead and do the verify steps in
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record.

Note that the current DC is host MAIL, IP 192.168.0.2, and the new DC is host DC1,
IP 192.168.0.7.

Wiki test results - all these commands are run on the current AD MAIL:

(Domain Controller A Record - good!)

    > host -t A DC1.hprs.local.
    DC1.hprs.local has address 192.168.0.7

(Determining a DCs objectGUID)

    > ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
    # record 1
    dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
    objectGUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0

    # record 2
    dn: CN=NTDS Settings,CN=MAIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
    objectGUID: 48c0208f-0646-42f6-89bf-dc9b81b3442c

    # returned 2 records
    # 2 entries
    # 0 referrals

(objectGUID for DC1 is 0d2a3ba9-4ade-45de-85c7-321ba69caee0)

(Verifying and Creating the objectGUID Record. Note that the objectGUID for MAIL
is found, not shown here)

    > host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
    Host 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local. not found: 3(NXDOMAIN)

(manually add the objectGUID)

    > samba-tool dns add MAIL _msdcs.hprs.local 0d2a3ba9-4ade-45de-85c7-321ba69caee0 CNAME DC1.hprs.local -Uadministrator
    GENSEC backend 'gssapi_spnego' registered
    GENSEC backend 'gssapi_krb5' registered
    GENSEC backend 'gssapi_krb5_sasl' registered
    GENSEC backend 'spnego' registered
    GENSEC backend 'schannel' registered
    GENSEC backend 'naclrpc_as_system' registered
    GENSEC backend 'sasl-EXTERNAL' registered
    GENSEC backend 'ntlmssp' registered
    GENSEC backend 'ntlmssp_resume_ccache' registered
    GENSEC backend 'http_basic' registered
    GENSEC backend 'http_ntlm' registered
    GENSEC backend 'http_negotiate' registered
    GENSEC backend 'krb5' registered
    GENSEC backend 'fake_gssapi_krb5' registered
    Starting GENSEC mechanism spnego
    Starting GENSEC submechanism gssapi_krb5
    Password for [HPRS\administrator]:
    gensec_update_send: gssapi_krb5[0xeeaf00]: subreq: 0xeec680
    gensec_update_send: spnego[0xeea1e0]: subreq: 0xeea820
    gensec_update_done: gssapi_krb5[0xeeaf00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xeec680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0xeec810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1064]
    gensec_update_done: spnego[0xeea1e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xeea820/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0xeea9b0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
    gensec_update_send: gssapi_krb5[0xeeaf00]: subreq: 0xeec680
    gensec_update_send: spnego[0xeea1e0]: subreq: 0xeea4f0
    gensec_update_done: gssapi_krb5[0xeeaf00]: NT_STATUS_OK tevent_req[0xeec680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0xeec810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1071]
    gensec_update_done: spnego[0xeea1e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xeea4f0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0xeea680)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
    gensec_update_send: spnego[0xeea1e0]: subreq: 0xeec350
    gensec_update_done: spnego[0xeea1e0]: NT_STATUS_OK tevent_req[0xeec350/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0xeec4e0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
    ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
        raise e

This didn't work as the 'host -t CNAME' command still says not found. What am I
doing wrong?

THX --Mark
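An added example (not from the thread or the Samba project) that automates the wiki's per-DC check above: it parses the `ldbsearch` output into DC name and objectGUID, derives the A record and the `<objectGUID>._msdcs.<realm>` CNAME every DC needs, and reports which ones do not resolve. It assumes the `host` CLI is installed for live lookups; `lookup` can be swapped for a test double, and the sample LDIF is reconstructed from the thread.

```python
import re
import subprocess
# Constructed sample: the two NTDS Settings records ldbsearch printed in the thread.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
objectGUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0

# record 2
dn: CN=NTDS Settings,CN=MAIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
objectGUID: 48c0208f-0646-42f6-89bf-dc9b81b3442c
"""
DN_RE = re.compile(r"^dn: CN=NTDS Settings,CN=([^,]+),", re.I)
GUID_RE = re.compile(r"^objectGUID: ([0-9a-f-]{36})$", re.I)

def parse_dc_guids(ldif):
    """Map each DC's server name (the CN under CN=Servers) to its objectGUID."""
    guids, dc = {}, None
    for line in ldif.splitlines():
        m = DN_RE.match(line)
        if m:
            dc = m.group(1)          # remember which DC this record belongs to
            continue
        m = GUID_RE.match(line)
        if m and dc:
            guids[dc] = m.group(1).lower()
            dc = None                # one objectGUID per record
    return guids

def expected_records(guids, realm):
    """(name, type, target) records the wiki requires for every DC."""
    recs = []
    for dc, guid in guids.items():
        fqdn = f"{dc.lower()}.{realm}"
        recs.append((fqdn, "A", None))                          # host A record
        recs.append((f"{guid}._msdcs.{realm}", "CNAME", fqdn))  # objectGUID alias
    return recs

def host_lookup(name, rtype):        # live lookup via the host CLI; None on NXDOMAIN
    out = subprocess.run(["host", "-t", rtype, name], capture_output=True, text=True).stdout
    return None if not out.strip() or "not found" in out else out.strip()

def missing_records(guids, realm, lookup=host_lookup):
    """Records that do not resolve, or whose CNAME points at another host."""
    missing = []
    for name, rtype, target in expected_records(guids, realm):
        ans = lookup(name, rtype)
        if ans is None or (target and target not in ans.lower()):
            missing.append((name, rtype))
    return missing
```

Run on MAIL with `missing_records(parse_dc_guids(ldif), "hprs.local")`, where `ldif` is the live `ldbsearch` output; an empty list means every DC has both records.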