[Samba] Provisioning new AD Domain Controller

Rowland Penny rpenny at samba.org
Thu Nov 30 12:09:11 UTC 2023


On Thu, 30 Nov 2023 00:50:47 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> After a several month hiatus, I'm back trying to provision a new
> AD/DC on Slackware 15.0, Samba 4.18.8.
> 
> I'm following the guide:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> 
> I have some questions and at least one problem.
> 
> I've provisioned as follows:
> 
> samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL \
>   --domain=HPRS --server-role=dc --dns-backend=SAMBA_INTERNAL \
>   --adminpass=password
> 
> I have 2 network cards, one Internet facing: eth0, and one for the
> lan: eth1. One thing I forgot to include in my provision command was:
> 
>   --option="interfaces=lo eth1" --option="bind interfaces only=yes"
> 
> Is this a big problem? Can I do something with this later? Should I
> reset everything and start over?
> 
> The provision tool specifies an admin password, but where is the
> administrator username specified?
> 
> The wiki next gives instructions on Creating a Reverse Zone, but
> after the instructions it says, "You must start the Samba AD DC
> before you can add a reverse zone", so I skipped past that step (and
> maybe it should be moved to after starting the AD/DC in the wiki?).
> 
> I then did the Configure Kerberos step, and here's when things
> weren't so clear. The instructions say,
> 
> During the provisioning, Samba created a Kerberos configuration file
> for your DC.  Copy this file to your operating system's Kerberos
> configuration.  For example:
> 
> # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
> 
> The provisioning output gave the following Kerberos related messages:
> 
> Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hprs,DC=locl)
> INFO 2023-11-29 21:16:44,535 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2342: The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
> INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> 
> The 3rd message says, "A Kerberos configuration suitable for Samba AD
> has been generated at /var/lib/samba/private/krb5.conf". This differs
> from the wiki instructions which indicate the config file is
> generated at /usr/local/samba/private/krb5.conf. Well, I figured that
> was a distro issue, newer samba-tool version, or some such thing so I
> pressed on.
> 
> But where is my "operating system's Kerberos configuration" located?
> Scanning the drive for krb5.conf I found:
> 
> # find / -name krb5.conf
> /usr/share/samba/setup/krb5.conf
> /usr/doc/krb5-1.19.2/examples/krb5.conf
> 
> none of which seem to be real config files for my OS/distro, and none
> of my Slackware 15.0 hosts seem to be running Kerberos. So, I left
> the file in /var/lib/samba/private/krb5.conf, which probably
> contributed to my failure below.
> 
> I moved on to the Testing your Samba AD DC step and started samba.
> According to syslog that failed the first time because it could not
> create the directory /var/run/samba/ncalrpc, so I created it and
> tried again. That failed as well with the following in syslog:
> 
> Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033,  0] ../../source4/samba/server.c:621(binary_smbd_main)
> Nov 29 23:25:11 DC1 samba[3990]:   samba version 4.18.8 started.
> Nov 29 23:25:11 DC1 samba[3990]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
> Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019,  0] ../../source4/samba/server.c:896(binary_smbd_main)
> Nov 29 23:25:11 DC1 samba[3991]:   binary_smbd_main: samba: using 'prefork' process model
> Nov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326,  0] ../../source3/smbd/server.c:1746(main)
> Nov 29 23:25:11 DC1 smbd[3997]:   smbd version 4.18.8 started.
> Nov 29 23:25:11 DC1 smbd[3997]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
> Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564,  0] ../../source4/samba/server.c:391(samba_terminate)
> Nov 29 23:25:11 DC1 samba[3991]:   samba_terminate: samba_terminate of samba 3991: mitkdc child process exited
> 
> The last message says, "mitkdc child process exited".  This smells
> like a Kerberos issue and maybe my config file is in the wrong place
> since I didn't copy it anywhere.  Also does the "mit" bit of this
> process name mean it's trying to run MIT Kerberos? I thought I had
> Heimdal installed.
> 
> Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and
> message on Sat, 28 Jan 2023 10:11:44 +0000, wrote:
> 
> "smbd -b | grep HAVE_LIBKADM5SRV_MIT
> 
> You should get nothing returned if Samba was built using the built in
> Heimdal."
> 
> I did that and got nothing, so Heimdal?
> 
> Perhaps my theories about Kerberos issues are wrong, but in any case
> can someone help me get mitkdc (or whatever) process to not exit so I
> can get samba to start?
> 
> Thanks --Mrk
> 

I have edited the wiki page and hopefully it is now a bit clearer.

I also, like Andrew, think you configured your Samba build to use MIT.
Did you pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to
configure?

Rowland
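An added example, not part of this thread and not Samba's own tooling, that turns the checks discussed above into small POSIX sh functions: Rowland's `smbd -b | grep HAVE_LIBKADM5SRV_MIT` test for an MIT versus built-in Heimdal build, a check for the two interface options the provision command omitted (`interfaces` and `bind interfaces only` are ordinary `[global]` settings in smb.conf, so they can be added after provisioning rather than re-provisioning), and a lookup of the generated krb5.conf at the packaged path the provision log reported and at the source-build path the wiki uses. The smb.conf path, the interface list and the `smbd -b` text are passed in, so the functions can be exercised on constructed input without a running Samba; the sample configuration in the usage note is constructed.

```shell
#!/bin/sh
# Added example for post-provision checks on a Samba AD DC.
# Not from the thread or the Samba project; paths and interface names are
# supplied by the caller so nothing here assumes a particular install.

# kdc_backend: read `smbd -b` output on stdin and report which KDC the build
# was made for. Rowland's rule: the HAVE_LIBKADM5SRV_MIT define is present only
# in a build configured for MIT Kerberos; nothing returned means built-in Heimdal.
kdc_backend() {
    if grep -q 'HAVE_LIBKADM5SRV_MIT'; then
        echo mit
    else
        echo heimdal
    fi
}

# missing_interface_options: print each of the two [global] options that a
# provision run without --option="interfaces=..." / "bind interfaces only=yes"
# leaves out, if the smb.conf given as $1 still lacks it. Empty output is good.
missing_interface_options() {
    conf="$1"
    for key in 'interfaces' 'bind interfaces only'; do
        grep -Eiq "^[[:space:]]*${key}[[:space:]]*=" "$conf" || echo "$key"
    done
}

# add_interface_options: insert the two options directly after the first
# [global] header of the smb.conf given as $1, binding Samba to the interface
# list in $2 (for the poster's layout that would be "lo eth1", not the
# Internet-facing eth0). Written via a temp file so a failed awk leaves the
# original untouched.
add_interface_options() {
    conf="$1"
    ifaces="$2"
    awk -v ifaces="$ifaces" '
        { print }
        /^[[:space:]]*\[global\]/ && !done {
            print "\tinterfaces = " ifaces
            print "\tbind interfaces only = yes"
            done = 1
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# krb5_source: print the first existing file among the candidate paths given as
# arguments and return 1 if none exists. Intended candidates are the packaged
# path from the provision log and the wiki's source-build path, in that order:
#   krb5_source /var/lib/samba/private/krb5.conf /usr/local/samba/private/krb5.conf
krb5_source() {
    for f in "$@"; do
        [ -f "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Typical interactive use on the DC itself (commented out so the file can be
# sourced without side effects):
#   smbd -b | kdc_backend
#   missing_interface_options /etc/samba/smb.conf
#   add_interface_options /etc/samba/smb.conf "lo eth1" && testparm -s >/dev/null
#   cp "$(krb5_source /var/lib/samba/private/krb5.conf /usr/local/samba/private/krb5.conf)" /etc/krb5.conf
```

After `add_interface_options`, run `testparm -s` so a typo in the inserted lines is caught before `samba` is restarted; the Kerberos file is copied, never symlinked, as the provision log itself insists.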