On 23/07/2023 23:12, Mark Foley via samba wrote:
> Hopefully you've noticed that I'm working on two Samba AD issues at the same
> time and have two threads, one for joining a Linux Samba server as a domain
> member to a Windows AD domain, and the other (this one) setting up a new Samba
> DC on an existing Linux Samba domain with the goal of promoting the new DC and
> demoting/removing the old/current one. I am not the admin for the Windows AD
> server, but I am the admin for the Samba AD server.

Yes, I had noticed :-)

>>
>> It is supposed to be another AD DC (there is no such thing as a
>> 'primary' DC, they are all equal). I have added a note to the wiki page.
>
> Until this one gets promoted, there is only one AD DC, Samba version 4.8.2.
> Hence the need to create a more up-to-date server.

That is a very good reason to update, 4.8.2 is ancient in the Samba world
and there have been a great many improvements.

>>>
>>> Question 2: After setting krb5.conf per the wiki, the kerberos test commands do not work:
>>>
>>> # kinit Administrator
>>> Password for Administrator@hprs.local:
>>> kinit: KDC reply did not match expectations while getting initial credentials
>
>> I really hope that '.local' is placeholder for the real TLD, '.local' is
>> reserved for Bonjour and Avahi and, as such, shouldn't be used.
>
> Unfortunately, .local is the name. This whole domain started as a Windows Small
> Business Server back in 2010 and I replaced the SBS AD/DC with Samba.
> I did not change the original domain name (hprs.local) as I was very new at this and
> wasn't sure how that would affect the other Windows workstation in the domain.
> The other Windows AD domain I'm working on also has .local, so maybe that's a
> thing with Windows? Anyway, I've disabled/removed Bonjour and Avahi from Windows
> and Linux workstations when present.

Microsoft used to recommend '.local', they now do not, because if you use
it, you have to do what you have done, turn off Bonjour and Avahi.

>
>> Provided that kerberos and dns are set up correctly, that should work.
>
> I think they are. I followed the wiki instructions for krb5.conf, and I can see the
> DC and all domain members via 'host'.
>
>>> # klist
>>> klist: No credentials cache found (filename: /tmp/krb5cc_0)
>>>
>>> Does something have to be running first? Note that samba is installed, but not
>>> running.
>>
>> Your DC needs to be able to contact a DC, preferably itself, but if the
>> computer is pointing at another DC and the required packages are
>> installed, then kinit should work.
>>
>> Rowland
>
> "itself" is not yet a DC.
>
> I can contact the DC and DNS seems to be working. If I run these commands
> on the DC I get:
>
>> kinit
> Password for Administrator@HPRS.LOCAL:
> (nothing returned, 0 return status)
>
>> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@HPRS.LOCAL
>
> Valid starting       Expires              Service principal
> 07/23/2023 17:56:29  07/24/2023 03:56:29  krbtgt/HPRS.LOCAL@HPRS.LOCAL
>         renew until 07/24/2023 17:56:23
>
> So, what do you suggest I do to get kerberos working on this wannabe-DC?

It is working, you have got a ticket for Administrator from your
existing DC.

> It is not yet joined to the domain, but I don't think I can do the join until
> kerberos is working. Samba is not running.

If everything else is set up, it looks like you now need to run the
samba-tool command to join your computer as another DC.

>
> Perhaps there is an issue with which Kerberos is running on the DC versus what's
> on this new machine?

Until you join the computer as a DC and start Samba, there isn't a KDC
running on the computer.

>
> On the DC I have kerberos version Kerberos 5 version 1.11.6

Is it possible that you are using the OS's MIT kdc rather than the
Heimdal built into Samba ?

>
> On this new machine I have kerberos version Kerberos 5 version 1.19.2
>
> The version numbers seem to indicate the same kerberos package, but it doesn't
> say whether it's Heimdal or MIT.

It sounds to me that you are using MIT and if so, that is yet another
reason to update. Using a Samba AD DC with a MIT KDC was very
experimental at 4.8.x (a lot of things just didn't work, or if they did
work, they had missing components), now, whilst there are still minor
problems, using MIT doesn't seem to be regarded as experimental.

Rowland
On Mon Jul 24 02:42:33 2023 Rowland Penny via samba <samba@lists.samba.org> wrote:
> On 23/07/2023 23:12, Mark Foley via samba wrote:
[deleted]
> >>> Question 2: After setting krb5.conf per the wiki, the kerberos test commands do not work:
> >>>
> >>> # kinit Administrator
> >>> Password for Administrator@hprs.local:
> >>> kinit: KDC reply did not match expectations while getting initial credentials
> >
> >> I really hope that '.local' is placeholder for the real TLD, '.local' is
> >> reserved for Bonjour and Avahi and, as such, shouldn't be used.
> >
> > Unfortunately, .local is the name. This whole domain started as a Windows Small
> > Business Server back in 2010 and I replaced the SBS AD/DC with Samba.
> > I did not change the original domain name (hprs.local) as I was very new at this and
> > wasn't sure how that would affect the other Windows workstation in the domain.
> > The other Windows AD domain I'm working on also has .local, so maybe that's a
> > thing with Windows? Anyway, I've disabled/removed Bonjour and Avahi from Windows
> > and Linux workstations when present.
>
> Microsoft used to recommend '.local', they now do not, because if you
> use it, you have to do what you have done, turn off Bonjour and Avahi.

Yes, I inherited this domain name from the pre-2010 Windows AD. I'll pass this
info on to the fellow admin'ing the Windows DC. Apparently he still names the
numerous Windows AD/DCs he admin's with .local. I suppose it's too late to change
on my setup?

> >> Provided that kerberos and dns are set up correctly, that should work.
> >
> > I think they are. I followed the wiki instructions for krb5.conf, and I can see the
> > DC and all domain members via 'host'.
> >
> >>> # klist
> >>> klist: No credentials cache found (filename: /tmp/krb5cc_0)
> >>>
> >>> Does something have to be running first? Note that samba is installed, but not
> >>> running.
[deleted]
> > I can contact the DC and DNS seems to be working. If I run these commands
> > on the DC I get:
> >
> >> kinit
> > Password for Administrator@HPRS.LOCAL:
> > (nothing returned, 0 return status)
> >
> >> klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator@HPRS.LOCAL
> >
> > Valid starting       Expires              Service principal
> > 07/23/2023 17:56:29  07/24/2023 03:56:29  krbtgt/HPRS.LOCAL@HPRS.LOCAL
> >         renew until 07/24/2023 17:56:23
> >
> > So, what do you suggest I do to get kerberos working on this wannabe-DC?
>
> It is working, you have got a ticket for Administrator from your
> existing DC.

No, those kerberos commands were run *on* the current/old 4.8.2 AD/DC, not on
this new one. As mentioned in another message, I do have another domain member
Samba version 4.6.16, and the kerberos tests work on that one as well; just not
on this new one.

> > It is not yet joined to the domain, but I don't think I can do the join until
> > kerberos is working. Samba is not running.
>
> If everything else is set up, it looks like you now need to run the
> samba-tool command to join your computer as another DC.

I believe I tried that. I documented that in a follow-up email. I see that you
replied to that message, so I'll look at that response.

> > Perhaps there is an issue with which Kerberos is running on the DC versus what's
> > on this new machine?
>
> Until you join the computer as a DC and start Samba, there isn't a KDC
> running on the computer.

Ah ha! That's what I was thinking and that's why I tried doing the join (but
apparently did not join as a DC). The Joining_a_Samba_DC_to_an_Existing_Active_Directory
wiki does not say to start Samba before trying the Kerberos test. The join
instructions come after the Kerberos and Time Sync steps.

> > On the DC I have kerberos version Kerberos 5 version 1.11.6
>
> Is it possible that you are using the OS's MIT kdc rather than the
> Heimdal built into Samba ?

I have no idea. How would I determine that? 'klist -V' only gives the version
number as shown below, not MIT versus Heimdal.

> > On this new machine I have kerberos version Kerberos 5 version 1.19.2
> >
> > The version numbers seem to indicate the same kerberos package, but it doesn't
> > say whether it's Heimdal or MIT.
>
> It sounds to me that you are using MIT and if so, that is yet another
> reason to update. Using a Samba AD DC with a MIT KDC was very
> experimental at 4.8.x (a lot of things just didn't work, or if they did
> work, they had missing components), now, whilst there are still minor
> problems, using MIT doesn't seem to be regarded as experimental.
>
> Rowland

This "new" someday-DC is running Samba 4.15.13 - the most recent available on my
distro. Would this not be running Heimdal? Its Kerberos version number 1.19.2 is
suspiciously close to the ancient DC's kerberos version 1.11.6, so maybe they're
both running the same, and I'm going to guess it's Heimdal since the new machine
is much more recent -- but if there were a way to tell which version that would
clinch the question.

Thanks --Mark
After a several month hiatus, I'm back trying to provision a new AD/DC on
Slackware 15.0, Samba 4.18.8. I'm following the guide:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

I have some questions and at least one problem. I've provisioned as follows:

samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL --domain=HPRS \
    --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=password

I have 2 network cards, one Internet facing: eth0, and one for the lan: eth1.
One thing I forgot to include in my provision command was:

--option="interfaces=lo eth1" --option="bind interfaces only=yes"

Is this a big problem? Can I do something with this later? Should I reset
everything and start over?

The provision tool specifies an admin password, but where is the administrator
username specified?

The wiki next gives instructions on Creating a Reverse Zone, but after the
instructions it says, "You must start the Samba AD DC before you can add a
reverse zone", so I skipped past that step (and maybe it should be moved to
after starting the AD/DC in the wiki?).

I then did the Configure Kerberos step, and here's when things weren't so clear.
The instructions say,

    During the provisioning, Samba created a Kerberos configuration file for
    your DC. Copy this file to your operating system's Kerberos configuration.
    For example:

    # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

The provisioning output gave the following Kerberos related messages:

Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hprs,DC=locl)
INFO 2023-11-29 21:16:44,535 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2342: The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!

The 3rd message says, "A Kerberos configuration suitable for Samba AD has been
generated at /var/lib/samba/private/krb5.conf". This differs from the wiki
instructions which indicate the config file is generated at
/usr/local/samba/private/krb5.conf. Well, I figured that was a distro issue,
newer samba-tool version, or some such thing so I pressed on.

But where is my "operating system's Kerberos configuration" located? Scanning
the drive for krb5.conf I found:

# find / -name krb5.conf
/usr/share/samba/setup/krb5.conf
/usr/doc/krb5-1.19.2/examples/krb5.conf

none of which seem to be real config files for my OS/distro, and none of my
Slackware 15.0 hosts seem to be running Kerberos. So, I left the file in
/var/lib/samba/private/krb5.conf, which probably contributed to my failure below.

I moved on to the Testing your Samba AD DC step and started samba. According to
syslog that failed the first time because it could not create the directory
/var/run/samba/ncalrpc, so I created it and tried again. That failed as well
with the following in syslog:

Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033, 0] ../../source4/samba/server.c:621(binary_smbd_main)
Nov 29 23:25:11 DC1 samba[3990]:   samba version 4.18.8 started.
Nov 29 23:25:11 DC1 samba[3990]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019, 0] ../../source4/samba/server.c:896(binary_smbd_main)
Nov 29 23:25:11 DC1 samba[3991]:   binary_smbd_main: samba: using 'prefork' process model
Nov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326, 0] ../../source3/smbd/server.c:1746(main)
Nov 29 23:25:11 DC1 smbd[3997]:   smbd version 4.18.8 started.
Nov 29 23:25:11 DC1 smbd[3997]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564, 0] ../../source4/samba/server.c:391(samba_terminate)
Nov 29 23:25:11 DC1 samba[3991]:   samba_terminate: samba_terminate of samba 3991: mitkdc child process exited

The last message says, "mitkdc child process exited". This smells like a
Kerberos issue and maybe my config file is in the wrong place since I didn't
copy it anywhere. Also does the "mit" bit of this process name mean it's trying
to run MIT Kerberos? I thought I had Heimdal installed.

Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and message on
Sat, 28 Jan 2023 10:11:44 +0000, wrote:

    "smbd -b | grep HAVE_LIBKADM5SRV_MIT
    You should get nothing returned if Samba was built using the built in Heimdal."

I did that and got nothing, so Heimdal?

Perhaps my theories about Kerberos issues are wrong, but in any case can someone
help me get mitkdc (or whatever) process to not exit so I can get samba to
start?

Thanks --Mark
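Added example, not code from this thread or from the Samba project. It turns the loose ends of the last two messages into checks that can be run on the new box: the Heimdal-versus-MIT build check Rowland quoted (the `mitkdc` task named in the syslog excerpt is the MIT KDC child that the samba process starts only when it was built against a system MIT Kerberos, so the build check and the running KDC should agree), the two [global] settings left out of the provision command (they are ordinary smb.conf settings and can be added afterwards, followed by a samba restart), and a comparison of the realm in the krb5.conf the OS will read against the realm in smb.conf. The paths /etc/samba/smb.conf and /etc/krb5.conf and the interface list "lo eth1" are assumptions taken from the post; the functions take their inputs as arguments or on stdin so they can also be run against saved `smbd -b` output and scratch copies of the config files.

```sh
#!/bin/sh
# Post-provision checks for a new Samba AD DC (added example, not Samba code).
# Assumed paths: /etc/samba/smb.conf and /etc/krb5.conf; assumed LAN
# interfaces "lo eth1" (taken from the post).

# Rowland's build check: `smbd -b` lists HAVE_LIBKADM5SRV_MIT when Samba was
# built against the system MIT Kerberos, the build that runs a `mitkdc` child.
# Reads the `smbd -b` output on stdin and prints "mit" or "heimdal".
kdc_flavour() {
    if grep -q 'HAVE_LIBKADM5SRV_MIT'; then
        echo mit
    else
        echo heimdal
    fi
}

# Append one "key = value" line to [global] unless the key is already set
# (smb.conf keys are case-insensitive and may be indented).  A value the admin
# already chose is left alone; a file with no [global] section is refused.
add_global_option() {
    conf=$1
    key=$2
    value=$3
    grep -q '^\[global\]' "$conf" || {
        echo "$conf: no [global] section" >&2
        return 1
    }
    if grep -iq "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
        return 0
    fi
    # insert directly after the [global] header, via a temp file
    awk -v k="$key" -v v="$value" '
        { print }
        /^\[global\]/ && !done { printf "\t%s = %s\n", k, v; done = 1 }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print default_realm from a krb5.conf (the one provision generated, or the
# copy the OS actually reads).
krb5_default_realm() {
    awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
                 gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Succeed only if krb5.conf and smb.conf name the same realm: a DC whose system
# krb5.conf points at a different realm cannot get tickets from its own KDC.
realm_matches() {
    krb_realm=$(krb5_default_realm "$1")
    smb_realm=$(awk -F= '/^[[:space:]]*realm[[:space:]]*=/ {
                            gsub(/[[:space:]]/, "", $2); print toupper($2); exit }' "$2")
    [ -n "$krb_realm" ] && [ "$krb_realm" = "$smb_realm" ]
}

# Live run on the DC itself:  SAMBA_DC_CHECK=1 sh samba-dc-check.sh
if [ "${SAMBA_DC_CHECK:-0}" = 1 ]; then
    echo "Samba built for: $(smbd -b | kdc_flavour) KDC"
    add_global_option /etc/samba/smb.conf "interfaces" "lo eth1"
    add_global_option /etc/samba/smb.conf "bind interfaces only" "yes"
    if [ -f /etc/krb5.conf ]; then
        realm_matches /etc/krb5.conf /etc/samba/smb.conf \
            && echo "/etc/krb5.conf realm matches smb.conf" \
            || echo "/etc/krb5.conf realm differs from smb.conf" >&2
    else
        echo "no /etc/krb5.conf: copy /var/lib/samba/private/krb5.conf there (do not symlink)" >&2
    fi
fi
```

The file defines functions only unless SAMBA_DC_CHECK=1 is set, so it can be sourced into a shell to run a single check, for example `smbd -b | kdc_flavour` on its own. After add_global_option has changed smb.conf, restart samba and re-read the log, since `bind interfaces only` takes effect only on start.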