[Samba] RE : debian wheezy, sernet samba 4.1.3 join Windows 2008R2 AD as DC. Success ( basic Howto included )

L.P.H. van Belle belle at bazuin.nl
Mon Dec 30 03:25:01 MST 2013


Hi Laurent, 

You're a bit ahead of my work, but yes, I'm also making a "join the domain as member server" howto. 
Basically what I'm doing is following the wiki, but I'm debianizing the howto. 
So keep the wiki as the guideline; the member howto will be posted in a week, maybe two. 

For the few questions you had in advance of the howto (but also look at the wiki, good info ;-) ): 

>Q: What will be your modifications for a member server instead of an AD? 
apt-get install 
(for file serving:         apt-get install sernet-samba-smbd sernet-samba-nmbd)
(for only a domain member: apt-get install sernet-samba-winbind ) 
and set up nsswitch, and other things, but that will be in the next howto. 

use SAMBA_START_MODE="classic" in 
>/etc/default/sernet-samba. Do you agree?  YES 

I'm now busy with squid 3.1 (and testing squid 3.3) for single sign-on (and I'm debianizing it and making a howto of it). 
And yes, I know, it's impossible to do a transparent proxy AND SSO ;-) 
I want my people to click on OK, but they shouldn't have to enter username and password. 
Why? Any malware/virus thingy wanting internet access gets blocked by the proxy. 
These things don't click on OK, so if a big infection happens on the internet, 
like last summer in the Netherlands with the website nu.nl, I can see my PCs with malware on them.
I just look at the authentication errors and then I can pull the computers out of the network. 
I do that even if a person accesses an "infected" website: reinstall it, always. 

You need to enable ACL support on a member server. 
( smb.conf global ) 
add:
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Don't forget: 
SeDiskOperatorPrivilege 
ACL rights for member/file/print server 

Good info here for the shares: 
http://wiki.samba.org/index.php/Setup_and_configure_file_shares

Greetz, 

Louis


>C: My comment is about  the line 
>   chmod 755 /var/lib/samba/private/  
Yes, I understand your point, and maybe you can set it like that, but (I don't know) .... 

Some files in /var/lib/samba/private/ need root:root.
I don't know what happens if you change it like that, and I don't want to 
accidentally give bind access to files it shouldn't have. 
Yes, this part of sernet samba can be improved (like Steve and others also said). 

All bind-related things should also, i.m.h.o., go to something like 

/var/cache/samba/bind 

( since all bind zone-related things go to /var/cache/bind ) 

But that's up to the sernet developers. I'm happy already that they made the debs :-)) 

Greetz, 

Louis





>-----Original message-----
>From: Hubert, Laurent [mailto:Laurent.Hubert at USherbrooke.ca] 
>Sent: Friday 27 December 2013 17:39
>To: L.P.H. van Belle; samba at lists.samba.org
>Subject: RE : [Samba] debian wheezy, sernet samba 4.1.3 join 
>Windows 2008R2 AD as DC. Success ( basic Howto included )
>
>Thanks for your How To Louis.
>Looks like a Christmas gift!
>
>Here one question and one comment.
>
>Q: What will be your modifications for a member server instead of an AD?
>I supposed we have to remove the bind section, install 
>sernet-samba instead of sernet-samba-ad,
>and use SAMBA_START_MODE="classic" in 
>/etc/default/sernet-samba. Do you agree?   Do you see other changes?
>
>
>C: My comment is about the line 
>   chmod 755 /var/lib/samba/private/  
>that you set in order to allow bind to access its files in 
>/var/lib/samba/private/.
>I think that, when the setup is validated, it is more 
>appropriate, with security in mind, 
>to set the group owner of /var/lib/samba/private/ to the bind group. 
>
>drwxr-x---  2 root bind           4096 Dec  5 15:33 private
>
>As you have done for /var/lib/samba/private/dns.keytab and 
>/var/lib/samba/private/dns/
>
>
>Anyway thanks for this contribution.
>
>Laurent
>
>
>________________________________________
>From: samba-bounces at lists.samba.org 
>[samba-bounces at lists.samba.org] on behalf of L.P.H. van Belle 
>[belle at bazuin.nl]
>Sent: 23 December 2013 02:48
>To: samba at lists.samba.org
>Subject: [Samba] debian wheezy, sernet samba 4.1.3 join 
>Windows 2008R2 AD as DC. Success ( basic Howto included )
>
>Hi,
>
>After several setups and tests I completed a successful 
>install of sernet samba 4.1.3 which joined a Windows 2008R2 AD domain.
>You can use this also on Ubuntu 12.04.
>
>This is the "HowTo" of how I did my setup.
>Questions, improvements: please add them and share them.
>
># ( date 23-12-2013 )
># Sernet samba 4.1.3 on Debian Wheezy
># Windows 2008R2 AD DC, with DHCP and DNS.
># SETUP : Samba 4 AD DC with bind9 DLZ ( dlopen ), joined as DC.
>#
># info found on these site links:
>#
># https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
># http://wiki.samba.org/index.php/Dns-backend_bind
># https://wiki.samba.org/index.php/Configure_NTP
># https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>#
># and lots of info from the mailing list users, thank you guys and girls.
>#
>#
># PRE SETUP !
># I'm adding the Linux hostname and IP address in the DNS server of Windows before installing Debian.
>#
># Install a minimal Debian Wheezy with only ssh-server installed from the installer menu.
># Use hostname AND domainname, and keep them the same as in the Windows server DNS.
>#
># Remove the cdrom line ( or put # in front ) in /etc/apt/sources.list if needed.
>apt-get update
>apt-get install apt-transport-https mc zip bzip2 arj
>update-alternatives --config editor
># ( I'm choosing mcedit as default, it's whatever you prefer. )
>#
># setup apt : create file :
>mcedit /etc/apt/sources.list.d/sernet-samba-4.1.list
>#
># add the sernet lines to it, you need to register at sernet for this, it's free.
># go to http://www.enterprisesamba.com/samba/
>#
># install the sernet keys for authenticity:
>wget http://ftp.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
>dpkg -i sernet-samba-keyring_1.4_all.deb
>rm sernet-samba-keyring_1.4_all.deb
>#
>apt-get update
>apt-get upgrade
># if ok, nothing to do; if not, update before proceeding.
>#
>#
># check the hostname and domainname of the server.
>hostname -f
># ( gives hostname.mainoffice.domain.tld )
>hostname -s
># ( gives hostname )
>hostname -d
># ( gives mainoffice.domain.tld )
>#
># check : /etc/hosts file.
>cat /etc/hosts
># you should not have 127.0.1.1 servername.domain.tld
># change the 127.0.1.1 to the correct ip ( as it exists in DNS )
># check : /etc/resolv.conf
>cat /etc/resolv.conf
># this is minimal
># domain subdomain.domain.tld
># search subdomain.domain.tld
># nameserver IP_OF_AD_SERVER ( or another server which can resolve the Windows DNS and AD )
># ( you can have 3 nameserver ips!  )
># also I'm using domain and search, because I have multiple domains in my DNS server.
># with search and domain I always have the main domain to search in first.
>#
>reboot
># ( just to be sure.  )
>#
># Setup samba as DC in the Windows domain.
>apt-get install sernet-samba-ad bind9 acl attr quota fam libnet-ldap-perl krb5-user ntp
>#
># After install, rights to watch out for.
>ls -al /var/lib/samba/
># drwxr-x---  2 root root 4096 Dec  7 20:46 private
># i.m.o. this should be drwxr-xr-x  ( 755 )
># now bind cannot access the private folder and we need to access it.
># ( we will do this AFTER the join, because the join will reset rights also )
>ls -al /var/lib/samba/private
># ( at this point empty )
>#
># stop some services before we change them.
>/etc/init.d/bind9 stop
>/etc/init.d/ntp stop
>#
># so at this point almost nothing is running, only ssh-server ( syslog fam )
>#
>#
># ---- SETUP Time: service NTP
># http://wiki.samba.org/index.php/Configure_NTP
># setup time server for the samba server.
># edit  /etc/ntp.conf
>mcedit /etc/ntp.conf
># add at least:
>server IP_OF_AD_server
># If you're using a Windows server as time source, do not add external or other time servers in the config.
># 1 server has the external source, all others connect to the internal server ( the Windows AD server )
>#
># and I added
>server my_time_ad_windows_server_IP_address
>ntpsigndsocket /var/lib/samba/ntp_signd/
>restrict default kod nomodify notrap nopeer mssntp
># start ntp
>/etc/init.d/ntp start
>#
># time will sync; if you have more than 5 min difference, set the time manually the first time.
># reboot the server if you did set the time manually.
># on my server the bios time is set to UTC.
># on the os the time is set to UTC +1 hours ( for me, depends on your time zone )
># ( set time:  date -s "2 OCT 2006 18:00:00" )
># ( set clock to hardware bios:  hwclock --systohc --utc )
>#
># reboot and check again if you changed your time. !
>#
>#
># ---- SETUP bind9: service DNS
># http://wiki.samba.org/index.php/Dns-backend_bind
># change in /etc/bind/named.conf.options
>mcedit /etc/bind/named.conf.options
># change auth-nxdomain yes
># add     allow-transfer { none; };
>#         notify no;
>#         empty-zones-enable no;
>#
>#         allow-query {
>#         127.0.0.1/32;
>#         192.168.1.0/24;        <=change to your ip range
>#         };
>#
>#         allow-recursion {
>#         127.0.0.1/32;
>#         192.168.1.0/24;       <=change to your ip range
>#         };
>#
>#  // DNS dynamic updates via Kerberos (optional, but recommended)
>#  // added before we need it, therefore the // in the next line.
>#     //    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>#
># ##
>#
># change /etc/bind/named.conf.local
>mcedit /etc/bind/named.conf.local
># So now just add in named.conf.local these lines: ( keep the //, we remove it later )
># // adding the dlopen ( Bind DLZ ) module for samba
># //include "/var/lib/samba/private/named.conf";
>#
># ok, the bind setup is ready, test it.
># start bind :
>/etc/init.d/bind9 start
>#
># test bind :
>host 127.0.0.1 127.0.0.1
>host localhost. 127.0.0.1
>#
># ----- SETUP / CHECK krb5.conf
># the Debian default works out of the box, IF you set the domainname correctly at install of the server.
># test kerberos:
>kinit administrator
>klist
>#
># -------------------------------------------------------
>#
># ---- SETUP SAMBA: service ad / smbd / nmbd
># enable ad in /etc/default/sernet-samba for the AD server.
>mcedit /etc/default/sernet-samba
># change this to : SAMBA_START_MODE="ad"
># change      : SAMBA_RESTART_ON_UPDATE="yes"
>#
># Do not start samba yet.
>#
>#
># Join the domain.
>samba-tool domain join SUBDOMAIN.DOMAIN.TLD DC -Uadministrator --realm=SUBDOMAIN.DOMAIN.TLD --dns-backend=BIND9_DLZ
># and at the end you see:
># Joined domain ROTTERDAM (SID S-1-5-21-3130855540-2228390408-1497266713) as a DC
>#
># Now we recheck the rights of folders and files in /var/lib/samba/private/
>#
>ls -al /var/lib/samba
># ( about the same as before joining )
># The important folder :
>ls -al /var/lib/samba/private/
># drwxrwx--- 3 root bind    4096 Dec 20 11:36 dns
># -rw------- 1 root root     947 Dec 20 11:36 dns.keytab
># -rw-r--r-- 1 root root    2270 Dec 20 11:36 dns_update_list
># -rw------- 1 root root 1286144 Dec 20 11:36 hklm.ldb
># -rw------- 1 root root 1286144 Dec 20 11:36 idmap.ldb
># -rw-r--r-- 1 root root     100 Dec 20 11:36 krb5.conf
># -rw-r--r-- 1 root root     575 Dec 20 11:36 named.conf
># -rw-r--r-- 1 root root    2204 Dec 20 11:36 named.txt
># -rw------- 1 root root 1286144 Dec 20 11:36 privilege.ldb
># -rw------- 1 root root 4251648 Dec 20 11:36 sam.ldb
># drwxr-x--- 2 root bind    4096 Dec 20 11:36 sam.ldb.d
># -rw------- 1 root root    1367 Dec 20 11:36 secrets.keytab
># -rw------- 1 root root 1286144 Dec 20 11:36 secrets.ldb
># -rw------- 1 root root  430080 Dec 20 11:36 secrets.tdb
># -rw------- 1 root root 1286144 Dec 20 11:36 share.ldb
># -rw-r--r-- 1 root root     955 Dec 20 11:36 spn_update_list
># drwx------ 2 root root    4096 Dec 20 11:36 tls
>#
>#
># The files generated are in /var/lib/samba/private/
># I changed the rights on the private folder so it's accessible for bind.
># chmod 755 /var/lib/samba/private
>#
># read /var/lib/samba/private/named.txt; for debian/ubuntu we change the group from named to bind
>chgrp bind /var/lib/samba/private/dns.keytab
>chmod g+r /var/lib/samba/private/dns.keytab
>#
># compare the sam database folders
># root at mysamba4servername:/var/lib/samba/private# ls -al dns/sam.ldb.d/
># total 27932
># drwxrwx--- 2 root bind    4096 Dec 20 11:36 .
># drwxrwx--- 3 root bind    4096 Dec 20 11:36 ..
># -rw-rw---- 1 root bind 8183808 Dec 20 11:36 CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw-rw---- 1 root bind 8986624 Dec 20 11:36 CN=SCHEMA,CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw-rw---- 2 root bind 5398528 Dec 20 11:36 DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw-rw---- 2 root bind 4317184 Dec 20 11:36 DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw-rw---- 1 root bind 1286144 Dec 20 11:36 DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw-rw---- 2 root bind  421888 Dec 20 11:36 metadata.tdb
>#
># root at mysamba4servername:/var/lib/samba/private# ls -al sam.ldb.d/
># total 34724
># drwxr-x--- 2 root bind     4096 Dec 20 11:36 .
># drwxr-x--- 5 root root     4096 Dec 20 11:36 ..
># -rw------- 1 root root 10547200 Dec 20 11:36 CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw------- 1 root root 10547200 Dec 20 11:36 CN=SCHEMA,CN=CONFIGURATION,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw-rw---- 2 root bind  5398528 Dec 20 11:36 DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw-rw---- 2 root bind  4317184 Dec 20 11:36 DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw------- 1 root root  4317184 Dec 20 11:36 DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw-rw---- 2 root bind   421888 Dec 20 11:36 metadata.tdb
>#
># 3 should be the same, these are hard-linked ( info see wiki.samba.org ):
># -rw-rw---- 2 root bind   421888 Dec 20 11:36 metadata.tdb
># -rw-rw---- 2 root bind  5398528 Dec 20 11:36 DC=DOMAINDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
># -rw-rw---- 2 root bind  4317184 Dec 20 11:36 DC=FORESTDNSZONES,DC=SUBDOMAIN,DC=DOMAIN,DC=TLD.ldb
>#
>#
>#
>#
># stop bind:
>/etc/init.d/bind9 stop
># enable the keytab line :         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
># remove the //  in front.
># enable the  include "/var/lib/samba/private/named.conf";
>#
>#
># start bind:
>/etc/init.d/bind9 start
># check logs :
>grep named /var/log/daemon.log
># look for ( something like ) :
># Dec 20 12:56:36 mysamba4servername named[12362]: Loading 'AD DNS Zone' using driver dlopen
># Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: started for DN DC=SUBDOMAIN,DC=DOMAIN,DC=TLD
># Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: starting configure
># Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: configured writeable zone '249.168.192.in-addr.arpa'
># Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: configured writeable zone 'SUBDOMAIN.DOMAIN.TLD'
># Dec 20 12:56:36 mysamba4servername named[12362]: samba_dlz: configured writeable zone '_msdcs.SUBDOMAIN.DOMAIN.TLD'
># and
># Dec 20 12:56:36 mysamba4servername named[12362]: running
>#
># start samba
>/etc/init.d/sernet-samba-ad start
># check logs.
>cat /var/log/daemon.log
># Dec 20 12:58:34 mysamba4servername smbd[12520]: [2013/12/20 12:58:34.159605,  0] ../source3/printing/print_cups.c:151(cups_connect)
># Dec 20 12:58:34 mysamba4servername smbd[12520]:   Unable to connect to CUPS server localhost:631 - Connection refused
># Dec 20 12:58:34 mysamba4servername smbd[12519]: [2013/12/20 12:58:34.160474,  0] ../source3/printing/print_cups.c:528(cups_async_callback)
># Dec 20 12:58:34 mysamba4servername smbd[12519]:   failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
>#
># to disable these printing messages,
># add in smb.conf ( global ):
># ---- disable printing completely
>#        load printers = no
>#        printing = bsd
>#        printcap name = /dev/null
>#        disable spoolss = yes
>#
># I prefer a separate server which is only a print server.
>#
>## samba created the ntp_signd folder in /var/lib/samba
># now correct the rights so ntp can access it.
>#
>chgrp ntp /var/lib/samba/ntp_signd
>#
>/etc/init.d/sernet-samba-ad restart
>#
># test
>samba-tool drs showrepl
># ( will resolve the Windows server )
>samba-tool drs showrepl mysamba4servername
># ( will resolve over the samba server )
>#
># you can ignore:
># Warning: No NC replicated for Connection!
># ( see faq, below on wiki https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC )
>#
># This done, now you have a basic samba4 setup running without errors.
># This server will be DC only; only going to use the netlogon ( and sysvol ) for this setup.
># Users will log in on the server, only connecting to sysvol/netlogon,
># so no need for getent, wbinfo ( etc etc ).
>#
># for your info : getent passwd gives only my Linux users back.
>#      : wbinfo -u ( -g )  gives only my Windows AD users.
>#   for users, config your nsswitch.conf in /etc/, but you better do this on the "file/member" server.
>#
>#
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>
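The rights the howto sets in /var/lib/samba/private before named is pointed at dns.keytab and named.conf, and the chmod 755 versus root:bind 750 question in the replies, can be checked mechanically instead of by eyeballing ls output. The script below is an added example for this thread, not code from the posts, from Samba or from the SerNet packages. It assumes GNU stat (Debian coreutils), a private directory laid out like the listing in the howto, and that the three hard-linked DNS files are named metadata.tdb, DC=DOMAINDNSZONES,... and DC=FORESTDNSZONES,... (the prefix match on those names is the example's assumption). It flags any ldb/tdb/keytab readable by "other", a dns.keytab that named's group cannot read, and any DNS partition that has become a separate copy instead of a hard link.

```shell
#!/bin/sh
# check_samba_private.sh
# Sanity check for the rights the howto sets in /var/lib/samba/private before
# named is pointed at dns.keytab and named.conf. Added example, not code from
# the original thread or from the SerNet packages. Assumes GNU stat (Debian
# coreutils) and a private dir laid out as in the howto's listing.

# Print the last octal digit of a file's mode (the "other" bits), e.g. 640 -> 0.
other_bits() {
  m=$(stat -c '%a' "$1") || return 1
  printf '%s\n' "${m#"${m%?}"}"
}

# Print the middle octal digit of a file's mode (the "group" bits), e.g. 640 -> 4.
group_bits() {
  m=$(stat -c '%a' "$1") || return 1
  g=${m%?}
  printf '%s\n' "${g#"${g%?}"}"
}

# Every ldb/tdb/keytab in the private dir carries AD secrets (SAM, machine
# account, Kerberos keys); none may be readable by "other".
# Returns 0 when clean, 1 after listing each offender.
check_secrets_not_world_readable() {
  dir=$1; rc=0
  for f in "$dir"/*.ldb "$dir"/*.tdb "$dir"/*.keytab \
           "$dir"/sam.ldb.d/* "$dir"/dns/sam.ldb.d/*; do
    [ -f "$f" ] || continue
    case $(other_bits "$f") in
      4|5|6|7) echo "world-readable secret: $f"; rc=1 ;;
    esac
  done
  return $rc
}

# dns.keytab must be group-readable (chgrp bind + chmod g+r in the howto) so
# that named can use it for GSS-TSIG updates, but still not world-readable.
check_dns_keytab() {
  f=$1/dns.keytab
  [ -f "$f" ] || { echo "missing $f"; return 1; }
  case $(group_bits "$f") in
    4|5|6|7) ;;
    *) echo "dns.keytab not group-readable: $(stat -c '%a %U:%G' "$f")"; return 1 ;;
  esac
  case $(other_bits "$f") in
    0) return 0 ;;
    *) echo "dns.keytab world-readable: $(stat -c '%a %U:%G' "$f")"; return 1 ;;
  esac
}

# The DNS partitions and metadata.tdb are one file reached from two places:
# dns/sam.ldb.d (named's view) and sam.ldb.d (samba's view). If the inodes
# differ, a copy replaced the hard link and the two views will drift apart.
# Returns 0 when every such pair shares an inode.
check_dns_hardlinks() {
  dir=$1; rc=0
  for f in "$dir"/dns/sam.ldb.d/*; do
    [ -f "$f" ] || continue
    b=${f##*/}
    case $b in
      metadata.tdb|DC=DOMAINDNSZONES*|DC=FORESTDNSZONES*) ;;
      *) continue ;;   # CONFIGURATION, SCHEMA and the domain NC are separate copies
    esac
    twin=$dir/sam.ldb.d/$b
    if [ ! -f "$twin" ]; then
      echo "no counterpart for $b in sam.ldb.d"; rc=1
    elif [ "$(stat -c '%i' "$f")" != "$(stat -c '%i' "$twin")" ]; then
      echo "not hard-linked: $b"; rc=1
    fi
  done
  return $rc
}

# Run all three checks and report the mode of the private dir itself
# (755 in the howto, 750 root:bind in the reply). Returns 0 only if all pass.
check_private_dir() {
  dir=${1:-/var/lib/samba/private}
  [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
  ok=0
  check_secrets_not_world_readable "$dir" || ok=1
  check_dns_keytab "$dir" || ok=1
  check_dns_hardlinks "$dir" || ok=1
  echo "private dir: $(stat -c '%a %U:%G' "$dir")"
  return $ok
}

# Usage: sh check_samba_private.sh --run [/var/lib/samba/private]
if [ "${1:-}" = "--run" ]; then
  check_private_dir "${2:-}"
fi
```

Run it as root on the DC right after the join and again after the chgrp/chmod steps; a non-zero exit lists exactly what is wrong. It does not take a side on 755 versus 750 for the directory itself, it only prints the directory's mode and owner so the two approaches can be compared against the files inside.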


