[Samba] That domain could not be found

Rowland Penny rpenny at samba.org
Thu Aug 4 18:54:37 UTC 2016

See inline comments

On Thu, 4 Aug 2016 11:34:38 -0600
Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

Are you by any chance the same Jeff Sadowski that posts on
fedoraforum.org? The one that knew something I didn't?
The one that knew that there are unofficial Fedora Samba AD DC packages?

> On Wed, Aug 3, 2016 at 1:43 AM, Rowland Penny <rpenny at samba.org>
> wrote:
> >
> > See inline comments
> > And Please keep replies to the list
> >
> > On Tue, 2 Aug 2016 15:08:26 -0600
> > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> >
> > > Samba's wiki didn't have a walk-through working example from A to
> > > Z. It is great, don't get me wrong, but I followed it and at the
> > > end I was able to do all the steps in it but still had the
> > > message I started this thread with. It leaves out A-F and R-Z or
> > > thereabouts (it might have more or less, but there are some
> > > missing parts). I am still trying to figure out how to try and
> > > properly compile it for Fedora myself (as Fedora is my main
> > > distro of choice and I used a precompiled version from Alexander
> > > Bokovoy for F23 when I started this thread; I had even gotten that
> > > to work following the Samba wiki in the past but seem to have been
> > > having trouble when I built a VM for it).

I installed Fedora 23 in a VM (I tried Fedora 24 first but gave up on
that horror) and then tried to compile Samba 4.5.0rc1, found that the
package list on the Samba wiki is wrong, installed all the other
packages recommended for RHEL and compiled Samba. However, I could
not get the provision to work; it errored out after 'Setting up sam.ldb
users and groups' with this:

  ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2816
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 461, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)

Whilst trying to find out a reason for the above, I found this webpage:


Which led to Samba packages for Fedora; I installed these, provisioned
Samba following the wiki, and it worked.
> > >
> >
> > Most of the wiki was written by Marc Muehlfeld, he (as far as I am
> > aware) uses Centos, so the wiki should be relevant to fedora.
> >
> I was wrong to characterize it as missing A-F and R-Z; it is more like
> it is really only missing A (some more pre-install necessities and
> testing; it should probably test that ACLs are working and test named to
> make sure it is up to par) and Z (some testing that I'm not sure how
> to replicate outside of Windows, and I'm not sure how to fix the
> broken cases, like joining a domain as a test, and when failing
> occurred all I could do was try a different prepackaged Samba), and
> more so the Samba wiki has B1, B2, B3 .... so many options that it
> confused me and I went with a simple example.

If you use ext4, you don't need to test the ACLs as a matter of course;
this is because it is known to work.
If you have problems joining a computer to a Samba domain, then ask
here, this is one of the ways we find out what to put on the wiki.

> Specifically I needed an example with bind, as I know bind and use it.
> Once it was using bind I could do things like use the Samba AD DC's
> bind as a master and use my main server as a slave without
> interfering with other domains I use on my main computer. And I no
> longer had to point the DNS to the VM; I could use my main computer
> without worry.

There is at least one page on the wiki about using Bind with a Samba
AD DC, but you shouldn't be using it in a 'master' 'slave' way. Bind
needs to be authoritative for the domain and forward anything it
doesn't know about to another DNS server.
> The Windows test to run (after reading the error message from Windows,
> I was told by it to run this): "nltest /dsgetdc:<domain name>"
> Another good test is to run "dcdiag /s:<domain controller name>"
> Also on Windows I installed the AD tools on my Windows 10 machine to
> create accounts and GPOs.
> For Fedora the Samba wiki worked on my main machine; I used
> bind_flatfile, as bind on Fedora did not support DLZ, but on a VM
> following the same instructions did not work. I must not have had
> some options installed that I need for it to work properly. If and
> when I fix it maybe then I can update the wiki.

Please do not use flatfiles with Samba, they are not recommended or
> For now I have a working Ubuntu 16.04 AD DC Samba server following the
> instructions on that linked page. I modified it with what you told
> me: I removed the forwarder in the smb.conf file, I set fstab back to
> how it was originally by the OS install, and I moved krb5.conf to
> krb5.conf.org and linked to the one created by Samba.
> Most of what was on that linked page were the same tests as on the
> Samba wiki.
> >
> > > Samba's seems to leave out some important parts of setting up
> > > AppArmor or Selinux
> >
> > The setup of these could be improved on the wiki, care to help by
> > posting your files ?
> >
> That is why I went to some other wiki; I don't know this well enough, I
> just copied the rules I saw on the linked page.
> And after ten years of SELinux in Fedora I just use the defaults that
> the package maintainers put in. Since I suspected SELinux I disabled
> it and rebooted, but the problems were still there.
> The apparmor rules were as follows:
> Add the following apparmor rules to the end of
> /etc/apparmor.d/usr.sbin.named inside the {..}
> sudo nano /etc/apparmor.d/usr.sbin.named
>    /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
>    /usr/lib/x86_64-linux-gnu/samba/** rwmk,
>    /var/lib/samba/private/dns/** rwmk,
>    /var/lib/samba/private/named.conf r,
>    /var/lib/samba/private/dns.keytab r,
>    /var/tmp/* rw,
>    /dev/urandom rw,
> That worked well enough for me on the Ubuntu 16.04 install I did on a
> VM. For all I know this makes the machine super vulnerable so I am
> only testing with it and keeping an eye on it.

That is similar to what is on the wiki. One of the problems is the
different paths; another is that you are not sure if your settings are
final. Once you are sure they are, then would be the time to add them
to the wiki.
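Rowland's point above, that BIND on the AD DC must be authoritative for the AD zone (served out of Samba's database through the DLZ module) and forward everything else to another resolver, written out as a named.conf fragment. This is an added example and not configuration from the original thread or from the Samba project; the Debian/Ubuntu file locations, the upstream resolver address 192.0.2.53, the DC address 192.0.2.10 and the domain samdom.example.com are assumptions.

```conf
// /etc/bind/named.conf.options  (Debian/Ubuntu layout; path is an assumption)
options {
    directory "/var/cache/bind";

    // Every name BIND is not authoritative for is sent to the upstream
    // resolver. 192.0.2.53 is a documentation address standing in for it.
    forwarders { 192.0.2.53; };
    forward only;

    // Windows clients and samba_dnsupdate register records with GSS-TSIG
    // dynamic updates; this keytab is written during provisioning.
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    allow-query { any; };
};

// /etc/bind/named.conf  (path is an assumption; this is the only line added)
// Samba writes this file itself. It carries the dlz "AD DNS Zone" stanza that
// loads the dlz_bind9 module for the installed BIND version, so no zone {}
// block for samdom.example.com appears anywhere: Samba's sam.ldb is the
// authoritative source and BIND answers the AD zones straight from it.
include "/var/lib/samba/private/named.conf";

// What the thread calls a master/slave setup, i.e. a second BIND holding a
// secondary copy of the AD zone that clients are then pointed at, is the
// arrangement Rowland advises against. Do not add this on the other server:
// zone "samdom.example.com" {
//     type slave;
//     masters { 192.0.2.10; };
// };
```

With this layout the AD DC's BIND is the one clients query: the AD zone and its _msdcs subzone come from Samba's database via DLZ, and only names outside those zones hit the forwarder. The records Windows clients and samba_dnsupdate register dynamically live in that database, which is why the thread wants clients talking to the DC's BIND directly rather than to a copy held elsewhere. The AppArmor rules quoted earlier are what let named open the dns.keytab, the generated named.conf and the ldb files referenced here; the exact paths differ between distributions and between a packaged and a /usr/local/samba build, which is the path problem Rowland mentions.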
