[Samba] That domain could not be found

Jeff Sadowski jeff.sadowski at gmail.com
Thu Aug 4 20:51:42 UTC 2016 

On Thu, Aug 4, 2016 at 12:54 PM, Rowland Penny <rpenny at samba.org> wrote:

>
> See inline comments
>
> On Thu, 4 Aug 2016 11:34:38 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
> Are you by any chance the same Jeff Sadowski that posts on
> fedoraforum.org ? The one that knew something I didn't ?
> The one that knew that there are unofficial fedora Samba AD DC packages
> available?
>

Same one I got that from Alexander Bokovoy (all credit goes to him) when he
posted that about 6 months ago to the samba mailing list :-) As you can see
I am trying to make this easy to do, you found it. Forums seem to work
better for me. And you can also see I had been waiting a long long long
time for AD DC support in Fedora. Looks like things are getting close.


> > On Wed, Aug 3, 2016 at 1:43 AM, Rowland Penny <rpenny at samba.org>
> > wrote:
> >
> > >
> > > See inline comments
> > > And Please keep replies to the list
> > >
> > > On Tue, 2 Aug 2016 15:08:26 -0600
> > > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> > >
> > > > Samba's wiki didn't have a walk through working example from A to
> > > > Z. It is great don't get me wrong but I followed it and at the
> > > > end I was able to do all in the steps in it but still had the
> > > > message I started this thread with. It leaves out A-F and R-Z or
> > > > there abouts (It might have more or less but there are some
> > > > missing parts.) I am still trying to figure out how to try and
> > > > properly compile it for Fedora myself (as Fedora is my main
> > > > distro of choice and I used a precompiled version from Alexander
> > > > Bokovoy for F23 when I stared this thread, I had even gotten that
> > > > to work following the samba wiki in the past but seem to had been
> > > > having trouble when I built a vm for it).
>
> I installed fedora 23 in a VM (I tried fedora 24 first but gave up on
> that horror) and then tried to compile Samba 4.5.0rc1, found that the
> package list on the Samba wiki is wrong, installed all the other
> packages recommended for RHEL and compiled Samba. However I could
> not get the provision to work, it errored out after 'Setting up sam.ldb
> users and groups' with this:
>
>   ERROR(ldb): uncaught exception - operations error at
> ../source4/dsdb/samdb/ldb_modules/password_hash.c:2816
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 461, in run
>     nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 2175, in provision
>     skip_sysvolacl=skip_sysvolacl)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1787, in provision_fill
>     next_rid=next_rid, dc_rid=dc_rid)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1447, in fill_samdb
>     "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py",
> line 55, in setup_add_ldif
>     ldb.add_ldif(data, controls)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py",
> line 225, in add_ldif
>     self.add(msg, controls)
>
> I didn't bother compiling on Fedora 23 As I said on Fedoraforum

I read https://copr.fedorainfracloud.org/co...n/samba_ad_dc/
<https://copr.fedorainfracloud.org/coprs/asn/samba_ad_dc/>
then I ran
dnf copr enable asn/samba_ad_dc
and
dnf install samba-dc
then I was able to follow the samba wiki
and this worked fine on my original machine and up to a point on my VM
I realized a spelling error in my original domain and I wanted to upgrade
to F24 anyways that is why I pushed my domain to a VM

Currently I had been trying to work it out in rawhide and use a spec file
from a src rpm that I had posted about on another thread.
I've been trying to figure out what it is I need to do to compile it with
AD DC support in Fedora but am lost. I think I just need to wait it out a
bit longer.
And use another distro that has it precompiled as an AD DC for now.

Whilst trying to find out a reason for the above, I found this webpage:
>
> http://forums.fedoraforum.org/showthread.php?t=296121
>
> Which led to Samba packages for fedora, installed these and provisioned
> Samba following the wiki and it worked.
>
> I guess I just need to try that again but the
nltest /dsgetdc:<domain name>
test was failing for me on my VM I must have had some stuff different on my
main computer.
hmmm

> > > >
> > >
> > > Most of the wiki was written by Marc Muehlfeld, he (as far as I am
> > > aware) uses Centos, so the wiki should be relevant to fedora.
> > >
> >
> > I was wrong to characterize it as missing A-F and R-Z it is more like
> > it is really only missing A(some more pre install necessities and
> > testing should probably test that ACL's are working and test named to
> > make sure it is up to par) and Z (some testing that I'm not sure how
> > to replicate outside of windows and I'm not sure how to fix the
> > broken cases, like joining a domain as a test and when failing
> > occurred all I could do is try a different prepackaged samba) and
> > more so the samba wiki has B1, B2, B3 .... so many options that it
> > confused me and I went with a simple example.
>
> If you use ext4, you don't need to test the ACLs as a matter of course,
> this is because it is known to work.
> If you have problems joining a computer to a Samba domain, then ask
> here, this is one of the ways we find out what to put on the wiki.
>
> >
> > Specifically I needed an example with bind as I know bind and use it.
> > Once it was using bind I could do things like use the samba AD DC's
> > bind as a master and use my main server as a slave without
> > interfering with other Domain's I use on my main computer. And I no
> > longer had to point the DNS to the VM I could use my main computer
> > without worry.
>
> There is at least one page on the wiki about using Bind with a Samba
> AD DC, but you shouldn't be using it in a 'master' 'slave' way. Bind
> needs to be authoritative for the domain and forward anything it
> doesn't know about to another DNS server.
>
> I had discussed this on ISC's mailing list. At first I was looking for a
non caching DNS but quickly realized I can have a master slave relationship.

I use a master on the DC with the DLZ and push to a slave on my main
computer Fedora24 with bind and other domains
It works nice as I know it will push when a change occurs and I can
actually have multiple domains.

On my main computer I have a lines like so

zone "samdom.example.com" IN { type slave; masters { <address of my
samdom.example.com DC>; }; file "db.samdom.example.com"; };
zone "test.test.test" IN { type slave; masters { <address of my
test.test.test DC>; }; file "db.test.test.test"; };

on my DCs I have in the options section

notify yes;
also-notify { <main server's ip>; };
allow-transfer { <main server's ip>; };

If I point all machines to my main server's ip
I can get up to date records for all my domains as the DC's will push to it.

DNS didn't seem to be why mine was failing. I can verify DNS with nslookup,
dig, or host

> >
> > The windows test to run (after reading the error message from windows
> > I was told by it to run:) "nltest /dsgetdc:<domain name>"
> > Another good test is to run "dcdiag /s:<domain controller name>"
> >
> > Also on windows I installed the AD tools on my Windows 10 machine to
> > create accounts and GPOs
> >
> > For Fedora the samba wiki worked on my main machine I used
> > bind_flatfile as bind on Fedora did not support DLZ but on a vm
> > following the same instructions did not work. I must not have had
> > some options installed that I need for it to work properly. If and
> > when I fix it maybe then I can update the wiki.
>
> Please do not use flatfiles with Samba, they are not recommended or
> supported.
>
> Flat files worked OK on my main server. Yeah it duplicates the databases
but it worked without me having to recompile bind. As you saw compiling can
be hairy I don't want to think about it. I guess I can download the src rpm
and edit the spec file but flat file worked for me. I had been using a
successful AD DC on Fedora 23 from about a month before posting that forum
entry till a few days ago. And it still allowed me to do other things I
want to do with bind instead of having to use samba's DNS server. Things
like the also-notify and allow transfer that are critical for slaves that I
can use with multiple domains. Also with bind I can override by making a
subdomain that I can do whatever I want with.

> >
> > For now I have a working Ubuntu 16.04 AD DC Samba server following the
> > instructions on that linked page. I modified it with what you told
> > me. I removed the forwarder in the smb.conf file, I set fstab back to
> > how it was originally by the OS install, and I moved krb5.conf to
> > krb5.conf.org. and linked to the one created by samba.
> >
> > Most of what was on that linked page where the same tests as on the
> > samba wiki.
> >
> > >
> > > > Samba's seems to leave out some important parts of setting up
> > > > AppArmor or Selinux
> > >
> > > The setup of these could be improved on the wiki, care to help by
> > > posting your files ?
> > >
> >
> > That is why I went to some other wiki I don't know this well enough I
> > just copied the rules I saw on the linked page.
> > And after ten years of selinux in fedora I just use the defaults that
> > the package maintainers put in. since I suspected selinux I disabled
> > it and rebooted but the problems where still there.
> >
> >
> > The apparmor rules were as follows:
> >
> > Add the following apparmor rules to the end of
> > /etc/apparmor.d/usr.sbin.named inside the {..}
> >
> > sudo nano /etc/apparmor.d/usr.sbin.named
> >
> >    /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
> >    /usr/lib/x86_64-linux-gnu/samba/** rwmk,
> >
> >    /var/lib/samba/private/dns/** rwmk,
> >    /var/lib/samba/private/named.conf r,
> >    /var/lib/samba/private/dns.keytab r,
> >
> >    /var/tmp/* rw,
> >
> >    /dev/urandom rw,
> >
> >
> > That worked well enough for me on the Ubuntu 16.04 install I did on a
> > VM. For all I know this makes the machine super vulnerable so I am
> > only testing with it and keeping an eye on it.
>
> That is similar to what is on the wiki, one of the problems is the
> different paths, another is that you are not sure if your settings are
> final, once you are sure they are, then would be the time to add them
> to the wiki.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list