[Samba] Provisioning new AD Domain Controller

bd730c5053df9efb bd730c5053df9efb at proton.me
Thu Nov 30 14:54:47 UTC 2023


Hi!

As a Slackware user I can confirm Slackware's samba package is built against MIT. I'm running several samba AD DCs and have only had to create a new rc script to start /usr/sbin/samba instead of Slackware's stock samba init script; I never needed to start a kdc (by the way, Slackware 15 has an rc.krb5kdc script which you could set as executable, but again, I didn't need to do this to run a DC).

Best regards!
Dave.




On Thursday, November 30th, 2023 at 09:09, Rowland Penny via samba <samba at lists.samba.org> wrote:


> On Thu, 30 Nov 2023 00:50:47 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
> 
> > After a several month hiatus, I'm back trying to provision a new
> > AD/DC on Slackware 15.0, Samba 4.18.8.
> > 
> > I'm following the guide:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > 
> > I have some questions and at least one problem.
> > 
> > I've provisioned as follows:
> > 
> > samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL \
> >     --domain=HPRS --server-role=dc --dns-backend=SAMBA_INTERNAL \
> >     --adminpass=password
> > 
> > I have 2 network cards, one Internet facing: eth0, and one for the
> > lan: eth1. One thing I forgot to include in my provision command was:
> > 
> > --option="interfaces=lo eth1" --option="bind interfaces only=yes"
> > 
> > Is this a big problem? Can I do something with this later? Should I
> > reset everything and start over?
> > 
> > The provision tool specifies an admin password, but where is the
> > administrator username specified?
> > 
> > The wiki next gives instructions on Creating a Reverse Zone, but
> > after the instructions it says, "You must start the Samba AD DC
> > before you can add a reverse zone", so I skipped past that step (and
> > maybe it should be moved to after starting the AD/DC in the wiki?).
> > 
> > I then did the Configure Kerberos step, and here's when things
> > weren't so clear. The instructions say,
> > 
> > During the provisioning, Samba created a Kerberos configuration file
> > for your DC. Copy this file to your operating system's Kerberos
> > configuration. For example:
> > 
> > # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
> > 
> > The provisioning output gave the following Kerberos related messages:
> > 
> > Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hprs,DC=locl)
> > INFO 2023-11-29 21:16:44,535 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/init.py #2342: The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
> > INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/init.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> > INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/init.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> > 
> > The 3rd message says, "A Kerberos configuration suitable for Samba AD
> > has been generated at /var/lib/samba/private/krb5.conf". This differs
> > from the wiki instructions which indicate the config file is
> > generated at /usr/local/samba/private/krb5.conf. Well, I figured that
> > was a distro issue, newer samba-tool version, or some such thing so I
> > pressed on.
> > 
> > But where is my "operating system's Kerberos configuration" located?
> > Scanning the drive for krb5.conf I found:
> > 
> > # find / -name krb5.conf
> > /usr/share/samba/setup/krb5.conf
> > /usr/doc/krb5-1.19.2/examples/krb5.conf
> > 
> > none of which seem to be real config files for my OS/distro, and none
> > of my Slackware 15.0 hosts seem to be running Kerberos. So, I left
> > the file in /var/lib/samba/private/krb5.conf, which probably
> > contributed to my failure below.
> > 
> > I moved on to the Testing your Samba AD DC step and started samba.
> > According to syslog that failed the first time because it could not
> > create the directory /var/run/samba/ncalrpc, so I created it and
> > tried again. That failed as well with the following in syslog:
> > 
> > Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033, 0] ../../source4/samba/server.c:621(binary_smbd_main)
> > Nov 29 23:25:11 DC1 samba[3990]: samba version 4.18.8 started.
> > Nov 29 23:25:11 DC1 samba[3990]: Copyright Andrew Tridgell and the Samba Team 1992-2023
> > Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019, 0] ../../source4/samba/server.c:896(binary_smbd_main)
> > Nov 29 23:25:11 DC1 samba[3991]: binary_smbd_main: samba: using 'prefork' process model
> > Nov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326, 0] ../../source3/smbd/server.c:1746(main)
> > Nov 29 23:25:11 DC1 smbd[3997]: smbd version 4.18.8 started.
> > Nov 29 23:25:11 DC1 smbd[3997]: Copyright Andrew Tridgell and the Samba Team 1992-2023
> > Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564, 0] ../../source4/samba/server.c:391(samba_terminate)
> > Nov 29 23:25:11 DC1 samba[3991]: samba_terminate: samba_terminate of samba 3991: mitkdc child process exited
> > 
> > The last message says, "mitkdc child process exited". This smells
> > like a Kerberos issue and maybe my config file is in the wrong place
> > since I didn't copy it anywhere. Also does the "mit" bit of this
> > process name mean it's trying to run MIT Kerberos? I thought I had
> > Heimdal installed.
> > 
> > Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and
> > message on Sat, 28 Jan 2023 10:11:44 +0000, wrote:
> > 
> > "smbd -b | grep HAVE_LIBKADM5SRV_MIT
> > 
> > You should get nothing returned if Samba was built using the built in
> > Heimdal."
> > 
> > I did that and got nothing, so Heimdal?
> > 
> > Perhaps my theories about Kerberos issues are wrong, but in any case
> > can someone help me get mitkdc (or whatever) process to not exit so I
> > can get samba to start?
> > 
> > Thanks --Mark
> 
> 
> I have edited the wiki page and hopefully it is now a bit clearer.
> 
> I also, like Andrew, think you configured your Samba build to use MIT,
> did you pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to
> configure ?
> 
> Rowland
> 
> 
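The two checks raised in the quoted thread, as an added example that is not part of either post: which Kerberos implementation the Samba build uses (the `smbd -b` grep Rowland suggested) and whether the two interface options left out of the provision command are present in smb.conf. Those options are ordinary [global] settings that `--option` only writes into smb.conf, so they can be added there after provisioning; the smb.conf path and all sample inputs below are constructed, not taken from the poster's system.

```sh
#!/bin/sh
# Added example, not from the thread: two checks for a Samba AD DC like the
# one described, which Kerberos build is in use (Rowland's 'smbd -b' test)
# and whether smb.conf [global] has the interface options left out of the
# provision command. Real use: smbd -b | krb_backend ; and
# missing_interface_opts < /etc/samba/smb.conf (path assumed for Slackware).

# Reads 'smbd -b' output on stdin; prints "mit" when the build defines
# HAVE_LIBKADM5SRV_MIT, otherwise "heimdal" (Samba's bundled Heimdal).
krb_backend() {
    if grep -q 'HAVE_LIBKADM5SRV_MIT'; then echo mit; else echo heimdal; fi
}

# Reads an smb.conf on stdin and prints, one per line, whichever of
# "interfaces" and "bind interfaces only = yes" is missing from [global].
missing_interface_opts() {
    # Keep the [global] section only, then normalise "key = value" lines to
    # lower-case "key=value" so spacing and case differences do not matter.
    global=$(sed -n '/^\[global]/,/^\[/p' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*=[[:space:]]*/=/' \
        | tr 'A-Z' 'a-z')
    printf '%s\n' "$global" | grep -q '^interfaces=' || echo 'interfaces'
    printf '%s\n' "$global" | grep -q '^bind interfaces only=yes' \
        || echo 'bind interfaces only'
}

# Constructed sample inputs so the script runs without a Samba install.
MIT_SMBD_B='Build options:
   HAVE_LIBKADM5SRV_MIT'
HEIMDAL_SMBD_B='Build options:
   HAVE_KRB5_H'
SMB_CONF_MISSING='[global]
   realm = HPRS.LOCL
   server role = active directory domain controller
[sysvol]
   path = /var/lib/samba/sysvol'
SMB_CONF_OK='[global]
   realm = HPRS.LOCL
   Interfaces = lo eth1
   Bind Interfaces Only = Yes
   server role = active directory domain controller'

printf 'build: %s\n' "$(printf '%s\n' "$MIT_SMBD_B" | krb_backend)"
printf '%s\n' "$SMB_CONF_MISSING" | missing_interface_opts
```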
