[Samba] [SOLVED] replace Windows 2003 dc

Dustin C. Hatch admiralnemo at gmail.com
Fri Feb 22 16:58:51 MST 2013

On 2/22/2013 15:22, Peter Beck wrote:
> Dustin C. Hatch <admiralnemo at gmail.com> wrote on Fri, Feb 22, 2013 at 12:31:05PM -0600:
>> On 2/22/2013 11:13, Sérgio Henrique wrote:
>>> I guess the communication between MS AD and Samba4 is by kerberos, I have
>>> copied the /opt/samba/private/krb5.conf to /etc after joining the domain
>>> I have installed a windows server at 2003 forest level as PDC then
>>> installed samba4.0.3
>>> joined the domain but every time I am getting problems with forest and domain dns
>>> zones...
>> I have the same issue. I've tried countless times to add a Samba DC
>> to my (test) AD environment, but every time, it fails to add an
>> outbound connection for the DomainDnsZones and ForestDnsZones
>> directory partitions. In addition, the Samba server is not listed as
>> a name server for either the root zone or the _msdcs zone.
> Yes, the basic setup is as written in the Wiki pages at
> https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC.
This is the document I've been following to try to get this working as well.

> I get kerberos tickets without any issue. I think the domain forest
> level is also important to raise up to 2003 (I can remember I also had
> issues earlier and then I just raised the domain operation level).
> The forest operation level was something I've changed later...
> After raising up the operation level I always reboot the Windows Dc. Not
> sure if that is really needed...
> I for one will in future raise both levels up to 2003 _before_ I start
> deploying samba.
My samba server works perfectly fine for all AD DC roles (including 
Kerberos) except DNS. In my real and test environments, the forest and 
domain functional levels are 2008 R2.

> my krb.conf looks like this:
> [libdefaults]
> default_realm = ADLAB.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
Same as mine, as defined in the wiki article.

> and this is my smb.conf, not sure if allow dns updates is needed or not.
> # Global parameters
> [global]
> 	server role = active directory domain controller
> 	workgroup = ADLAB
> 	realm = adlab.local
> 	netbios name = LAB07
> 	passdb backend = samba4
I don't see `samba4` as an option for `passdb backend` in smb.conf(5). 
Values listed are "smbpasswd", "tdbsam" (default) and "ldapsam".

> 	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
> 	lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
> 	backupkey, dnsserver, winreg, srvsvc
I don't see a list of values for this property in smb.conf(5); where did 
you find this setting?

> 	server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
According to smb.conf(5), this is the default value for `server 
services`, less s3fs and plus smb. I don't think either of these would 
matter in this case.

> 	dns recursive queries = yes
This only affects DNS queries for names outside the AD domain, so its 
value wouldn't matter.

> 	allow dns updates = true
The default value, according to smb.conf(5) is `secure only`, the same 
as the Windows default, which should be fine.

> 	dns forwarder =
Again, this only affects queries outside the AD domain, so it shouldn't 
matter. I do have it set, though.

> 	[netlogon]
> 	path = /var/lib/samba/sysvol/adlab.local/scripts
> 	read only = No
> 	[sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
These are the same for me as well.

> The samba server is not configured as nameserver by default. You can add
> it either on windows if you right click the zone and add it to the
> "nameserver" tab or if you use samba-tool dns add. I prefer the second
> one. To add it for example to the zone "adlab.local" you can use
> samba-tool dns add <winserver> adlab.local adlab.local NS <sambaserver>.adlab.local
> this will add an ns record for the zone "adlab.local" which looks like
> the existing entry for the windows dns "(same as parent folder)" and it
> will also automatically add the sambaserver into the "nameserver" tab of
> the zone.
Yes, that adds the NS records to the domain, and I've tried that. Since 
the Samba server is a DNS server, this should be done automatically 
anyway. In any case, it doesn't help.

> after adding these records / checking other dns records (_ldap._tcp,
> _kerberos etc) I just did
These also should be added automatically if the Samba server is to be a 
DNS server, but adding them manually doesn't help either.

> samba-tool drs replicate <samba-dc> <win-dc> dc=adlab,dc=local --local
This works fine.

> samba-tool drs replicate <samba-dc> <win-dc> dc=forestdnszones,dc=adlab,dc=local --local
> samba-tool drs replicate <samba-dc> <win-dc> dc=domaindnszones,dc=adlab,dc=local --local
These both fail because there is no outbound connection from the Samba 
server to the Windows server for these directory partitions. Adding them 
manually with repadmin works temporarily, but the KCC eventually removes 

> if everything is well (which was the case each time I've tested it), I
> moved the fsmo roles with samba-tool fsmo transfer --role=....
Since Samba 4.0.3, which has a fix for the timeout problem, I have had 
no trouble moving the FSMO roles around. Regardless, until the 
DomainDnsZones and ForestDnsZones are replicated correctly, I cannot 
demote the Windows DC.

> But as I mentioned before - I am also still testing at the moment ;-)
> hope that helps
Thanks for the information. This seems to be a problem for a number of 
people, so hopefully we'll get to the bottom of it soon.

> Regards
> Peter
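The check sequence Peter walks through (register the Samba DC as a name server, then pull each naming context from the Windows DC), as an added example script that is not part of the thread or of Samba itself. It assumes samba-tool is on PATH with a valid Kerberos ticket, both DC hostnames resolve, and the per-partition report makes a missing DomainDnsZones or ForestDnsZones connection show up by name; the domain and hosts are placeholders.

```shell
#!/bin/sh
# Added example: replicate the domain NC plus the two DNS application
# partitions one at a time and report which of them fail.

# "adlab.local" -> "dc=adlab,dc=local"
domain_to_dn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# The three naming contexts the thread replicates: the domain itself and
# the two DNS partitions that fail to get an outbound connection.
partition_dns() {
    base=$(domain_to_dn "$1")
    printf '%s\n' "$base" "dc=domaindnszones,$base" "dc=forestdnszones,$base"
}

# Pull one partition from the Windows DC into the local Samba DC (the
# --local form used in the thread) and print OK/FAIL for it.
replicate_partition() {
    samba_dc=$1; win_dc=$2; nc=$3
    if samba-tool drs replicate "$samba_dc" "$win_dc" "$nc" --local >/dev/null 2>&1; then
        printf 'OK    %s\n' "$nc"; return 0
    fi
    printf 'FAIL  %s (no replication from %s)\n' "$nc" "$win_dc"; return 1
}

# usage: dns_partition_check.sh <samba-dc> <win-dc> <domain>
main() {
    samba_dc=$1; win_dc=$2; domain=$3
    # Peter's step: add the Samba DC as NS for the zone (harmless if present)
    samba-tool dns add "$win_dc" "$domain" "$domain" NS "$samba_dc.$domain" || true
    # Show the connections the KCC currently maintains for the local DC
    samba-tool drs showrepl
    failures=0
    for nc in $(partition_dns "$domain"); do
        replicate_partition "$samba_dc" "$win_dc" "$nc" || failures=$((failures + 1))
    done
    echo "$failures partition(s) failed to replicate"
    return "$failures"
}

# Only run when invoked with the three arguments; sourcing just defines functions.
if [ $# -eq 3 ]; then main "$@"; fi
```

The exit status equals the number of partitions that failed, so the script can sit in a cron job or monitoring check on the Samba DC and flag the moment the KCC drops a DNS partition connection again.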

