On Thu, 30 Nov 2023 00:50:47 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> After a several month hiatus, I'm back trying to provision a new
> AD/DC on Slackware 15.0, Samba 4.18.8.
>
> I'm following the guide:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> I have some questions and at least one problem.
>
> I've provisioned as follows:
>
> samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL --domain=HPRS \
>     --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=password
>
> I have 2 network cards, one Internet facing: eth0, and one for the
> LAN: eth1. One thing I forgot to include in my provision command was:
>
> --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>
> Is this a big problem? Can I do something with this later? Should I
> reset everything and start over?
>
> The provision tool specifies an admin password, but where is the
> administrator username specified?
>
> The wiki next gives instructions on Creating a Reverse Zone, but
> after the instructions it says, "You must start the Samba AD DC
> before you can add a reverse zone", so I skipped past that step (and
> maybe it should be moved to after starting the AD/DC in the wiki?).
>
> I then did the Configure Kerberos step, and here's when things
> weren't so clear. The instructions say,
>
>   During the provisioning, Samba created a Kerberos configuration file
>   for your DC. Copy this file to your operating system's Kerberos
>   configuration. For example:
>
>   # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> The provisioning output gave the following Kerberos related messages:
>
> Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hprs,DC=locl)
> INFO 2023-11-29 21:16:44,535 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2342: The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
> INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
>
> The 3rd message says, "A Kerberos configuration suitable for Samba AD
> has been generated at /var/lib/samba/private/krb5.conf". This differs
> from the wiki instructions which indicate the config file is
> generated at /usr/local/samba/private/krb5.conf. Well, I figured that
> was a distro issue, newer samba-tool version, or some such thing so I
> pressed on.
>
> But where is my "operating system's Kerberos configuration" located?
> Scanning the drive for krb5.conf I found:
>
> # find / -name krb5.conf
> /usr/share/samba/setup/krb5.conf
> /usr/doc/krb5-1.19.2/examples/krb5.conf
>
> none of which seem to be real config files for my OS/distro, and none
> of my Slackware 15.0 hosts seem to be running Kerberos. So, I left
> the file in /var/lib/samba/private/krb5.conf, which probably
> contributed to my failure below.
>
> I moved on to the Testing your Samba AD DC step and started samba.
> According to syslog that failed the first time because it could not
> create the directory /var/run/samba/ncalrpc, so I created it and
> tried again. That failed as well with the following in syslog:
>
> Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033, 0] ../../source4/samba/server.c:621(binary_smbd_main)
> Nov 29 23:25:11 DC1 samba[3990]:   samba version 4.18.8 started.
> Nov 29 23:25:11 DC1 samba[3990]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
> Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019, 0] ../../source4/samba/server.c:896(binary_smbd_main)
> Nov 29 23:25:11 DC1 samba[3991]:   binary_smbd_main: samba: using 'prefork' process model
> Nov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326, 0] ../../source3/smbd/server.c:1746(main)
> Nov 29 23:25:11 DC1 smbd[3997]:   smbd version 4.18.8 started.
> Nov 29 23:25:11 DC1 smbd[3997]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
> Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564, 0] ../../source4/samba/server.c:391(samba_terminate)
> Nov 29 23:25:11 DC1 samba[3991]:   samba_terminate: samba_terminate of samba 3991: mitkdc child process exited
>
> The last message says, "mitkdc child process exited". This smells
> like a Kerberos issue and maybe my config file is in the wrong place
> since I didn't copy it anywhere. Also does the "mit" bit of this
> process name mean it's trying to run MIT Kerberos? I thought I had
> Heimdal installed.
>
> Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and
> message on Sat, 28 Jan 2023 10:11:44 +0000, wrote:
>
>   "smbd -b | grep HAVE_LIBKADM5SRV_MIT
>
>   You should get nothing returned if Samba was built using the built in
>   Heimdal."
>
> I did that and got nothing, so Heimdal?
>
> Perhaps my theories about Kerberos issues are wrong, but in any case
> can someone help me get mitkdc (or whatever) process to not exit so I
> can get samba to start?
>
> Thanks --Mrk

I have edited the wiki page and hopefully it is now a bit clearer.

I also, like Andrew, think you configured your Samba build to use MIT,
did you pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to
configure ?

Rowland
Hi!

As a Slackware user I can confirm Slackware's samba package is built
against MIT. I'm running several Samba AD DCs and have only had to
create a new rc script to start /usr/sbin/samba instead of Slackware's
stock samba init script. I never needed to start a KDC (which, by the
way, Slack 15 has an rc.krb5kdc script for, which you could set as
executable, but again, I didn't need to do this to run a DC).

Best regards!
Dave.

Sent with Proton Mail secure email.

On Thursday, November 30th, 2023 at 09:09, Rowland Penny via samba
<samba at lists.samba.org> wrote:

> On Thu, 30 Nov 2023 00:50:47 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > After a several month hiatus, I'm back trying to provision a new
> > AD/DC on Slackware 15.0, Samba 4.18.8.
> > [...]
>
> I have edited the wiki page and hopefully it is now a bit clearer.
>
> I also, like Andrew, think you configured your Samba build to use MIT,
> did you pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to
> configure ?
>
> Rowland
Because of issues described in thread "Joining Windows 10 Domain Member
to Samba AD/DC", I'm trying to re-provision my DC with the current/old
domain name mail.hprs.local instead of the newer, more correct
dc1.hprs.locl.

I've followed the steps in
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
regarding "Only Applicable if Samba was Previously Installed". For the
directory list:

# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
   LOCKDIR: /var/cache/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PRIVATE_DIR: /var/lib/samba/private

I did 'rm -r /var/cache/samba* /var/lib/samba/*'. I then did the
provision step again:

samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCAL --domain=HPRS \
    --server-role=dc --dns-backend=SAMBA_INTERNAL --option=interfaces="lo eth0" \
    --option="bind interfaces only=yes" --adminpass=pw

However, when I got to the 'samba-tool dns zonelist' step, I got:

Password for [administrator@HPRS.LOCL]:

Notice that it is asking for the supposedly purged realm HPRS.LOCL.
There must be more that needs to be removed other than just those
egrep'ed directories.

/etc/hosts is:

127.0.0.1 localhost
192.168.1.60 mail.hprs.local mail

/etc/HOSTNAME is:

mail.hprs.local

The generated smb.conf is:

# Global parameters
[global]
	bind interfaces only = Yes
	dns forwarder = 192.168.1.1
	interfaces = lo eth0
	netbios name = MAIL
	realm = HPRS.LOCAL
	server role = active directory domain controller
	workgroup = HPRS
	idmap_ldb:use rfc2307 = yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/hprs.local/scripts
	read only = No

There are no other .tdb or .ldb files on the drive. Where is this old
realm name lurking, why is it associated with the Administrator and how
do I purge it and any remaining such vestigial references without
scratch-installing Linux?

Thanks --Mark
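Three things in this thread can be checked from a shell before samba-tool is run again: the Kerberos flavour of the build (Rowland's `smbd -b | grep HAVE_LIBKADM5SRV_MIT` rule, quoted in the first message), the data directories the wiki says to empty before re-provisioning (the `smbd -b` directory list in the last message), and the `interfaces` / `bind interfaces only` parameters Mark left out of his first provision, which decide whether the DC also answers on the Internet-facing NIC. The script below is an added example written for this page; it is not code from Samba, from the wiki or from anyone in the thread. It assumes `smbd -b` prints `LOCKDIR: /path` style lines as shown in Mark's post and a bare `HAVE_LIBKADM5SRV_MIT` token on MIT builds, and the sample `smbd -b` output, the `eth0` WAN name and the list of paths scanned for a leftover realm name are assumptions made for the demonstration, not the thread's findings.

```shell
#!/bin/sh
# Pre-flight checks before (re)provisioning a Samba AD DC.
# Added example for this thread, not code from Samba or from any poster.
# Assumptions: `smbd -b` prints "   LOCKDIR: /path" style lines (as in Mark's
# post) and a bare HAVE_LIBKADM5SRV_MIT token when built against system MIT
# (Rowland's check). The scan paths at the bottom are an assumption about
# where a realm name is likely to be written, not a complete list.

# Constructed sample of `smbd -b` output (not a real capture): an MIT build,
# and the same build with the MIT token removed to stand for Heimdal.
SAMPLE_MIT='Build environment:
   HAVE_LIBKADM5SRV_MIT
Paths:
   LOCKDIR: /var/cache/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PRIVATE_DIR: /var/lib/samba/private'
SAMPLE_HEIMDAL=$(printf '%s\n' "$SAMPLE_MIT" | grep -v HAVE_LIBKADM5SRV_MIT)

# Which Kerberos does this Samba use? Rowland's rule: nothing matches for the
# built-in Heimdal. With an MIT build the KDC runs as the "mitkdc" child that
# appears in Mark's syslog excerpt.
krb_flavour() {   # $1 = text of `smbd -b`
    if printf '%s\n' "$1" | grep -q 'HAVE_LIBKADM5SRV_MIT'; then
        echo MIT
    else
        echo Heimdal
    fi
}

# Directories the wiki says to empty before re-provisioning, de-duplicated
# (LOCKDIR and CACHEDIR are the same path on Mark's build).
samba_dirs() {    # $1 = text of `smbd -b`
    printf '%s\n' "$1" |
        awk '/^[ \t]*(LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR):/ { print $2 }' |
        sort -u
}

# Read one smb.conf parameter: key compared case-insensitively, value trimmed,
# comment lines (# or ;) skipped. First match wins.
get_param() {     # $1 = smb.conf path, $2 = lowercase key
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# The two options Mark forgot at provision time are ordinary [global]
# parameters and can be added to smb.conf afterwards. Without them the DC
# listens on every address, including the Internet-facing NIC. Fails if
# either is missing or if the WAN interface is listed.
check_interfaces() {   # $1 = smb.conf path, $2 = Internet-facing interface
    conf=$1; wan=$2
    bio=$(get_param "$conf" "bind interfaces only" | tr 'A-Z' 'a-z')
    ifs=$(get_param "$conf" "interfaces")
    case "$bio" in
        yes|true|1) ;;
        *) echo "FAIL: 'bind interfaces only' is not yes"; return 1 ;;
    esac
    [ -n "$ifs" ] || { echo "FAIL: 'interfaces' is unset"; return 1; }
    for i in $ifs; do
        if [ "$i" = "$wan" ]; then
            echo "FAIL: 'interfaces' lists the Internet-facing NIC $wan"
            return 1
        fi
    done
    echo "OK: bound to '$ifs' only"
}

# List files that still contain the old realm name, fixed-string and
# case-insensitive (exit 0 = at least one hit). Run after the data
# directories have been emptied to catch copies that live elsewhere.
find_stale_realm() {   # $1 = old realm, remaining args = files/dirs to search
    old=$1; shift
    grep -rliF -- "$old" "$@" 2>/dev/null
}

# Stand-alone run: constructed sample first, then the live host if smbd exists.
echo "sample builds: $(krb_flavour "$SAMPLE_MIT") / $(krb_flavour "$SAMPLE_HEIMDAL")"
if command -v smbd >/dev/null 2>&1; then
    live=$(smbd -b)
    echo "this host: $(krb_flavour "$live"); directories to empty before re-provisioning:"
    samba_dirs "$live"
    check_interfaces /etc/samba/smb.conf eth0 || true
    find_stale_realm HPRS.LOCL /etc/krb5.conf /etc/samba /var/lib/samba /var/cache/samba || true
fi
```

Run it as root on the DC before and after the purge step; `samba_dirs` gives the list to empty, `check_interfaces` tells you whether the DC is still reachable from the WAN side, and a non-empty `find_stale_realm` result points at a file outside those directories that still carries the old realm.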