After a several month hiatus, I'm back trying to provision a new AD/DC on Slackware 15.0, Samba 4.18.8.

I'm following the guide: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

I have some questions and at least one problem.

I've provisioned as follows:

    samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL --domain=HPRS \
        --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=password

I have 2 network cards, one Internet facing: eth0, and one for the LAN: eth1. One thing I forgot to include in my provision command was:

    --option="interfaces=lo eth1" --option="bind interfaces only=yes"

Is this a big problem? Can I do something with this later? Should I reset everything and start over?

The provision tool specifies an admin password, but where is the administrator username specified?

The wiki next gives instructions on Creating a Reverse Zone, but after the instructions it says, "You must start the Samba AD DC before you can add a reverse zone", so I skipped past that step (and maybe it should be moved to after starting the AD/DC in the wiki?).

I then did the Configure Kerberos step, and here's when things weren't so clear. The instructions say,

During the provisioning, Samba created a Kerberos configuration file for your DC. Copy this file to your operating system's Kerberos configuration. For example:

    # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

The provisioning output gave the following Kerberos related messages:

    Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hprs,DC=locl)
    INFO 2023-11-29 21:16:44,535 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2342: The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
    INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
    INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!

The 3rd message says, "A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf". This differs from the wiki instructions which indicate the config file is generated at /usr/local/samba/private/krb5.conf. Well, I figured that was a distro issue, newer samba-tool version, or some such thing so I pressed on.

But where is my "operating system's Kerberos configuration" located? Scanning the drive for krb5.conf I found:

    # find / -name krb5.conf
    /usr/share/samba/setup/krb5.conf
    /usr/doc/krb5-1.19.2/examples/krb5.conf

none of which seem to be real config files for my OS/distro, and none of my Slackware 15.0 hosts seem to be running Kerberos. So, I left the file in /var/lib/samba/private/krb5.conf, which probably contributed to my failure below.

I moved on to the Testing your Samba AD DC step and started samba. According to syslog that failed the first time because it could not create the directory /var/run/samba/ncalrpc, so I created it and tried again. That failed as well with the following in syslog:

    Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033, 0] ../../source4/samba/server.c:621(binary_smbd_main)
    Nov 29 23:25:11 DC1 samba[3990]: samba version 4.18.8 started.
    Nov 29 23:25:11 DC1 samba[3990]: Copyright Andrew Tridgell and the Samba Team 1992-2023
    Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019, 0] ../../source4/samba/server.c:896(binary_smbd_main)
    Nov 29 23:25:11 DC1 samba[3991]: binary_smbd_main: samba: using 'prefork' process model
    Nov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326, 0] ../../source3/smbd/server.c:1746(main)
    Nov 29 23:25:11 DC1 smbd[3997]: smbd version 4.18.8 started.
    Nov 29 23:25:11 DC1 smbd[3997]: Copyright Andrew Tridgell and the Samba Team 1992-2023
    Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564, 0] ../../source4/samba/server.c:391(samba_terminate)
    Nov 29 23:25:11 DC1 samba[3991]: samba_terminate: samba_terminate of samba 3991: mitkdc child process exited

The last message says, "mitkdc child process exited". This smells like a Kerberos issue and maybe my config file is in the wrong place since I didn't copy it anywhere. Also does the "mit" bit of this process name mean it's trying to run MIT Kerberos? I thought I had Heimdal installed.

Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and message on Sat, 28 Jan 2023 10:11:44 +0000, wrote:

"smbd -b | grep HAVE_LIBKADM5SRV_MIT

You should get nothing returned if Samba was built using the built in Heimdal."

I did that and got nothing, so Heimdal?

Perhaps my theories about Kerberos issues are wrong, but in any case can someone help me get mitkdc (or whatever) process to not exit so I can get samba to start?

Thanks --Mrk
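
The two options the post says were left out of the provision command, "interfaces" and "bind interfaces only", are ordinary smb.conf [global] parameters, so their presence can be checked in the file after provisioning. The script below is an added example, not part of the thread or of Samba; the function names, the sample file contents and the choice of eth0 as the external interface are assumptions for illustration, and matching is by interface name only (address-based entries are not resolved).

```sh
#!/bin/sh
# Added example, not from the thread: verify the interface binding in smb.conf.

# get_global_param FILE NAME: print NAME's value from [global] (last one wins).
# smb.conf ignores case and whitespace in parameter names, so normalize both.
get_global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_global = (norm(s) == "global"); next
        }
        in_global && (i = index($0, "=")) {
            if (norm(substr($0, 1, i - 1)) == want) {
                val = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }
    ' "$1"
}

# check_dc_binding FILE EXT_IF: succeed only if Samba binds solely to the listed
# interfaces and none of them matches EXT_IF (entries may be globs like eth*).
# The body is a subshell so that "set -f" and "exit" stay local to the call.
check_dc_binding() (
    set -f
    only=$(get_global_param "$1" "bind interfaces only" | tr 'A-Z' 'a-z')
    ifaces=$(get_global_param "$1" "interfaces")
    case $only in
        yes|true|on|1) ;;
        *) echo "FAIL: 'bind interfaces only' is not enabled"; exit 1 ;;
    esac
    [ -n "$ifaces" ] || { echo "FAIL: no 'interfaces' list"; exit 1; }
    for entry in $ifaces; do
        case $2 in
            $entry) echo "FAIL: '$entry' matches external interface $2"; exit 1 ;;
        esac
    done
    echo "OK: Samba limited to: $ifaces"
)

# Constructed sample [global] section using the two options from the thread.
sample=$(mktemp)
printf '%s\n' '[global]' 'realm = HPRS.LOCL' 'workgroup = HPRS' \
    'interfaces = lo eth1' 'bind interfaces only = yes' > "$sample"
check_dc_binding "$sample" eth0
rm -f "$sample"
```
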

On Thu, 2023-11-30 at 00:50 -0500, Mark Foley via samba wrote:
> After a several month hiatus, I'm back trying to provision a new
> AD/DC on Slackware 15.0, Samba 4.18.8.
>
> I'm following the guide:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> I have some questions and at least one problem.
>
> I've provisioned as follows:
>
> samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL --domain=HPRS \
>     --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=password
>
> I have 2 network cards, one Internet facing: eth0, and one for the
> LAN: eth1. One thing I forgot to include in my provision command was:
>
> --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>
> Is this a big problem? Can I do something with this later? Should I
> reset everything and start over?

Just put those into the smb.conf, that is all that happens with them.

> The provision tool specifies an admin password, but where is the
> administrator username specified?

It is always administrator, but you can technically rename it.

> The wiki next gives instructions on Creating a Reverse Zone, but
> after the instructions it says, "You must start the Samba AD DC before
> you can add a reverse zone", so I skipped past that step (and maybe it
> should be moved to after starting the AD/DC in the wiki?).
>
> I then did the Configure Kerberos step, and here's when things
> weren't so clear. The instructions say,
>
> During the provisioning, Samba created a Kerberos configuration file
> for your DC. Copy this file to your operating system's Kerberos
> configuration. For example:
>
> # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> The provisioning output gave the following Kerberos related messages:
>
> Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hprs,DC=locl)
> INFO 2023-11-29 21:16:44,535 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2342: The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
> INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
>
> The 3rd message says, "A Kerberos configuration suitable for Samba AD
> has been generated at /var/lib/samba/private/krb5.conf". This differs
> from the wiki instructions which indicate the config file is generated
> at /usr/local/samba/private/krb5.conf. Well, I figured that was a
> distro issue, newer samba-tool version, or some such thing so I
> pressed on.

Correct, paths vary depending on install method.

> But where is my "operating system's Kerberos configuration" located?
> Scanning the drive for krb5.conf I found:
>
> # find / -name krb5.conf
> /usr/share/samba/setup/krb5.conf
> /usr/doc/krb5-1.19.2/examples/krb5.conf

/etc/krb5.conf is the system-wide path

> none of which seem to be real config files for my OS/distro, and none
> of my Slackware 15.0 hosts seem to be running Kerberos. So, I left the
> file in /var/lib/samba/private/krb5.conf, which probably contributed
> to my failure below.
>
> I moved on to the Testing your Samba AD DC step and started samba.
> According to syslog that failed the first time because it could not
> create the directory /var/run/samba/ncalrpc, so I created it and tried
> again. That failed as well with the following in syslog:
>
> Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033, 0] ../../source4/samba/server.c:621(binary_smbd_main)
> Nov 29 23:25:11 DC1 samba[3990]: samba version 4.18.8 started.
> Nov 29 23:25:11 DC1 samba[3990]: Copyright Andrew Tridgell and the Samba Team 1992-2023
> Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019, 0] ../../source4/samba/server.c:896(binary_smbd_main)
> Nov 29 23:25:11 DC1 samba[3991]: binary_smbd_main: samba: using 'prefork' process model
> Nov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326, 0] ../../source3/smbd/server.c:1746(main)
> Nov 29 23:25:11 DC1 smbd[3997]: smbd version 4.18.8 started.
> Nov 29 23:25:11 DC1 smbd[3997]: Copyright Andrew Tridgell and the Samba Team 1992-2023
> Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564, 0] ../../source4/samba/server.c:391(samba_terminate)
> Nov 29 23:25:11 DC1 samba[3991]: samba_terminate: samba_terminate of samba 3991: mitkdc child process exited
>
> The last message says, "mitkdc child process exited". This smells
> like a Kerberos issue and maybe my config file is in the wrong place
> since I didn't copy it anywhere. Also does the "mit" bit of this
> process name mean it's trying to run MIT Kerberos? I thought I had
> Heimdal installed.

It certainly seems like you used an MIT KDC build, but may not have the actual KDC installed.

> Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and
> message on Sat, 28 Jan 2023 10:11:44 +0000, wrote:
>
> "smbd -b | grep HAVE_LIBKADM5SRV_MIT
>
> You should get nothing returned if Samba was built using the built in
> Heimdal."
>
> I did that and got nothing, so Heimdal?

You have a build for MIT Kerberos, we don't start an mitkdc task otherwise.

> Perhaps my theories about Kerberos issues are wrong, but in any case
> can someone help me get mitkdc (or whatever) process to not exit so I
> can get samba to start?

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

On Thu, 30 Nov 2023 00:50:47 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:
> After a several month hiatus, I'm back trying to provision a new
> AD/DC on Slackware 15.0, Samba 4.18.8.
>
> I'm following the guide:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> I have some questions and at least one problem.
>
> I've provisioned as follows:
>
> samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL --domain=HPRS \
>     --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=password
>
> I have 2 network cards, one Internet facing: eth0, and one for the
> LAN: eth1. One thing I forgot to include in my provision command was:
>
> --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>
> Is this a big problem? Can I do something with this later? Should I
> reset everything and start over?
>
> The provision tool specifies an admin password, but where is the
> administrator username specified?
>
> The wiki next gives instructions on Creating a Reverse Zone, but
> after the instructions it says, "You must start the Samba AD DC
> before you can add a reverse zone", so I skipped past that step (and
> maybe it should be moved to after starting the AD/DC in the wiki?).
>
> I then did the Configure Kerberos step, and here's when things
> weren't so clear. The instructions say,
>
> During the provisioning, Samba created a Kerberos configuration file
> for your DC. Copy this file to your operating system's Kerberos
> configuration. For example:
>
> # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> The provisioning output gave the following Kerberos related messages:
>
> Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hprs,DC=locl)
> INFO 2023-11-29 21:16:44,535 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2342: The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
> INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
>
> The 3rd message says, "A Kerberos configuration suitable for Samba AD
> has been generated at /var/lib/samba/private/krb5.conf". This differs
> from the wiki instructions which indicate the config file is
> generated at /usr/local/samba/private/krb5.conf. Well, I figured that
> was a distro issue, newer samba-tool version, or some such thing so I
> pressed on.
>
> But where is my "operating system's Kerberos configuration" located?
> Scanning the drive for krb5.conf I found:
>
> # find / -name krb5.conf
> /usr/share/samba/setup/krb5.conf
> /usr/doc/krb5-1.19.2/examples/krb5.conf
>
> none of which seem to be real config files for my OS/distro, and none
> of my Slackware 15.0 hosts seem to be running Kerberos. So, I left
> the file in /var/lib/samba/private/krb5.conf, which probably
> contributed to my failure below.
>
> I moved on to the Testing your Samba AD DC step and started samba.
> According to syslog that failed the first time because it could not
> create the directory /var/run/samba/ncalrpc, so I created it and
> tried again. That failed as well with the following in syslog:
>
> Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033, 0] ../../source4/samba/server.c:621(binary_smbd_main)
> Nov 29 23:25:11 DC1 samba[3990]: samba version 4.18.8 started.
> Nov 29 23:25:11 DC1 samba[3990]: Copyright Andrew Tridgell and the Samba Team 1992-2023
> Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019, 0] ../../source4/samba/server.c:896(binary_smbd_main)
> Nov 29 23:25:11 DC1 samba[3991]: binary_smbd_main: samba: using 'prefork' process model
> Nov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326, 0] ../../source3/smbd/server.c:1746(main)
> Nov 29 23:25:11 DC1 smbd[3997]: smbd version 4.18.8 started.
> Nov 29 23:25:11 DC1 smbd[3997]: Copyright Andrew Tridgell and the Samba Team 1992-2023
> Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564, 0] ../../source4/samba/server.c:391(samba_terminate)
> Nov 29 23:25:11 DC1 samba[3991]: samba_terminate: samba_terminate of samba 3991: mitkdc child process exited
>
> The last message says, "mitkdc child process exited". This smells
> like a Kerberos issue and maybe my config file is in the wrong place
> since I didn't copy it anywhere. Also does the "mit" bit of this
> process name mean it's trying to run MIT Kerberos? I thought I had
> Heimdal installed.
>
> Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and
> message on Sat, 28 Jan 2023 10:11:44 +0000, wrote:
>
> "smbd -b | grep HAVE_LIBKADM5SRV_MIT
>
> You should get nothing returned if Samba was built using the built in
> Heimdal."
>
> I did that and got nothing, so Heimdal?
>
> Perhaps my theories about Kerberos issues are wrong, but in any case
> can someone help me get mitkdc (or whatever) process to not exit so I
> can get samba to start?
>
> Thanks --Mrk
>

I have edited the wiki page and hopefully it is now a bit clearer.

I also, like Andrew, think you configured your Samba build to use MIT. Did you pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure?

Rowland