Usability of 'samba-tool domain provision'
Rowland Penny
repenny241155 at gmail.com
Thu Apr 28 16:38:36 UTC 2016
On 28/04/16 17:07, Andreas Schneider wrote:
> Hi,
>
> I'm preparing a big demo for Samba XP conference. I need to get my demo
> working so I don't have time to fix stuff right now. This documents issues I
> found during provisioning. samba-tool is far away from being user friendly.
>
> I'm running master from today.
>
> Maybe someone has time to work on them (Rowland? :). Else I will start to work
> on them during SambaXP or afterwards.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> a) It isn't clear what domain is from 'samba-tool domain provision --help'; it
> states: set domain.
>
> It expects the netbios name.
That should be easy to fix, change <help="set domain"> to something like
<help="NetBIOS domain name to use">
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> b) The --realm option is essential but at the end of the help ...
Another easy fix, move it up to under '--domain'
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> c) [root at smbdc ~]# samba-tool domain provision --realm=SAMBA.SITE --domain=samba.site --adminpass=passw0rd --use-rfc2307
> ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed -
> ProvisioningError: guess_names: 'server role=auto' in /etc/samba/smb.conf must
> match chosen server role 'active directory domain controller'! Please remove
> the smb.conf file and let provision generate it
>
> I would expect that provision creates smb.conf until I tell it to use it.
How about deleting any created smb.conf if there is an error?
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> d) I removed /etc/smb.conf and tried to provision which failed.
>
> [root at smbdc ~]# samba-tool domain provision --realm=SAMBA.SITE --domain=samba.site --adminpass=passw0rd --server-role=dc --use-rfc2307
> ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed -
> ProvisioningError: guess_names: Realm 'SAMBA.SITE' must not be equal to short
> domain name 'SAMBA.SITE'!
>
> ok, --domain is not the netbios name so it failed. Next try
OK, test if realm == domain and exit if it does
>
> [root at smbdc ~]# samba-tool domain provision --realm=SAMBA.SITE --domain=SAMBA
> --adminpass=passw0rd --server-role=dc --use-rfc2307
> ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed -
> ProvisioningError: guess_names: Workgroup 'SAMBA.SITE' in smb.conf must match
> chosen domain 'SAMBA'! Please remove the /etc/samba/smb.conf file and let
> provision generate it
>
> What? In the first try I set --domain wrong and it fails but creates a wrong
> smb.conf?
Again, remove smb.conf on error.
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> e) I would guess that it fails earlier if password restrictions are not met
> and does not set up half the domain ...
>
> [root at smbdc ~]# samba-tool domain provision --realm=SAMBA.SITE --domain=SAMBA
> --adminpass=passw0rd --server-role=dc --use-rfc2307
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=samba,DC=site
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> ERROR(ldb): uncaught exception - 0000052D: Constraint violation -
> check_password_restrictions: the password does not meet the complexity
> criteria!
OK, check that password matches complexity before running the provision
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> f) Note to myself
>
> samba-tool with MIT KDC needs to create /etc/krb5.conf.d/samba_ad_dc with the
> following content:
>
> [libdefaults]
>     default_realm = SAMBA.SITE
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     ticket_lifetime = 24h
>     forwardable = yes
>     allow_weak_crypto = yes
>
> [realms]
>     SAMBA.SITE = {
>         kdc = 192.168.122.10:88
>         admin_server = 192.168.122.10:88
>         default_domain = samba.site
>     }
>     samba.site = {
>         kdc = 192.168.122.10:88
>         admin_server = 192.168.122.10:88
>         default_domain = samba.site
>     }
>     SAMBADOMAIN = {
>         kdc = 192.168.122.10:88
>         admin_server = 192.168.122.10:88
>         default_domain = samba.site
>     }
>     sambadomain = {
>         kdc = 192.168.122.10:88
>         admin_server = 192.168.122.10:88
>         default_domain = samba.site
>     }
>
>
Does MIT really need all that?
Heimdal only needs:

[libdefaults]
    default_realm = SAMBA.SITE

the other two lines are the defaults.

Rowland
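The checks asked for in d) and e) (reject realm == domain and a non-NetBIOS --domain, refuse a password that will not pass the complexity test) can all be done before provision touches a single database, and the clean-up suggested for c) and d) (remove the smb.conf that a failed run generated) is a few lines around the call. The wrapper below is an added example for this thread, not samba-tool's or Samba's own code. It assumes the documented Windows/AD default complexity rules (7+ characters, three of four character classes, account name not contained in the password) are what a fresh Samba domain enforces, applies conservative NetBIOS-name limits (letters, digits and '-', at most 15 characters, no dots), and uses only the samba-tool options that appear in the thread; the function names and the /etc/samba/smb.conf path are the example's own.

```python
"""Pre-flight checks for 'samba-tool domain provision'.

Added example for this thread, not samba-tool's own code. It runs the
checks the thread asks for (realm != domain, a usable NetBIOS name,
admin-password complexity) *before* provisioning touches any database,
and removes an smb.conf that provision generated if the run fails.
Assumptions are marked where they are made.
"""
import getpass
import os
import re
import subprocess
import sys

# Assumption: standard NetBIOS limits, checked conservatively (letters,
# digits and '-' only, at most 15 characters, no dots).
NETBIOS_NAME_RE = re.compile(r"[A-Z0-9-]{1,15}")
# Assumption: AD/Samba default minimum password length.
MIN_PWD_LENGTH = 7


class PreflightError(ValueError):
    """Raised for anything that would otherwise fail inside provision."""


def check_names(realm, domain):
    """Mirror the guess_names() failures quoted in d): the realm (DNS
    name, upper-cased) must differ from --domain, which is the NetBIOS
    name.  Returns the normalised pair."""
    realm_u, domain_u = realm.upper(), domain.upper()
    if realm_u == domain_u:
        raise PreflightError(
            "Realm %r must not be equal to short domain name %r" % (realm, domain))
    if not NETBIOS_NAME_RE.fullmatch(domain_u):
        raise PreflightError("--domain %r is not a usable NetBIOS name" % domain)
    return realm_u, domain_u


def check_password_complexity(password, account_name="Administrator"):
    """Documented Windows/AD 'complexity requirements' (assumption: the
    policy a fresh Samba domain enforces; the authoritative check is
    check_password_restrictions in the directory itself): at least
    MIN_PWD_LENGTH characters, three of the four classes upper/lower/
    digit/other, and an account name of 3+ chars must not appear."""
    if len(password) < MIN_PWD_LENGTH:
        return False
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    return True


def build_command(realm, domain, adminpass, use_rfc2307=True):
    """Validate everything, then return the argv used in the thread."""
    realm_u, domain_u = check_names(realm, domain)
    if not check_password_complexity(adminpass):
        raise PreflightError("the password does not meet the complexity criteria")
    cmd = ["samba-tool", "domain", "provision",
           "--realm=" + realm_u, "--domain=" + domain_u,
           "--adminpass=" + adminpass, "--server-role=dc"]
    if use_rfc2307:
        cmd.append("--use-rfc2307")
    return cmd


def run_provision(cmd, smb_conf="/etc/samba/smb.conf",
                  run=lambda argv: subprocess.run(argv).returncode):
    """Run provision and, on failure, delete the smb.conf it generated so
    the next attempt does not hit the 'server role' / 'workgroup'
    mismatch from c) and d).  A pre-existing smb.conf is left alone."""
    existed_before = os.path.exists(smb_conf)
    rc = run(cmd)
    if rc != 0 and not existed_before and os.path.exists(smb_conf):
        os.remove(smb_conf)
    return rc


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s REALM NETBIOS_DOMAIN" % sys.argv[0])
    # Prompt instead of taking the password as an argument so it does
    # not end up in the shell history.
    pw = getpass.getpass("Administrator password: ")
    try:
        argv = build_command(sys.argv[1], sys.argv[2], pw)
    except PreflightError as e:
        sys.exit("preflight: %s" % e)
    sys.exit(run_provision(argv))
```

Run as `preflight.py SAMBA.SITE SAMBA`; with the thread's inputs, `passw0rd` is rejected up front (only two character classes) and `--domain=samba.site` is rejected as equal to the realm, so the SAM is never half-built. Note that the wrapper still hands the password to samba-tool via `--adminpass`, as the thread does, so it is briefly visible in `ps`; omitting `--adminpass` makes samba-tool prompt for it instead, at the cost of losing the early complexity check.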
More information about the samba-technical mailing list