[Samba] samba4 AD - winbind Could not write result

mathias dufresne infractory at gmail.com
Tue May 24 09:15:35 UTC 2016


Hi,

A word about DNS resolver set up on DC.

MS really advises setting the first resolver to point to some other DC. The
reason Microsoft gave to me is:
when booting, a MS DC waits for the [others than DNS] AD [parts] to be up
before starting the DNS service, but to start the [others than DNS] AD
[parts] the Windows server sends some DNS requests, and without responses to
these DNS requests the Windows server does not start the [others than DNS]
AD [parts]... After some time MS Windows Servers finally start the DNS
service and the rest of AD : )

To work around that issue MS advises setting up the DNS resolver on a DC to
point at another DC.

IIRC this limitation was removed with MS Windows Server 2012.

Here all my Samba4 DC are running DNS service, all of them are configured
to send DNS requests to themselves and all these DC are working well,
starting well, synching well.

What all that means:
The Samba team developed its software nicely enough to avoid that mistake MS
made, so setting up a DC's resolver to point at another DC is not needed
at all on a Samba DC.

Have a nice day all,

mathias

2016-05-23 18:18 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 23/05/16 16:36, Sam wrote:
>
>> On 23/05/2016 at 14:46, Rowland penny wrote:
>>
>>> On 23/05/16 12:56, Sam wrote:
>>>
>>>>
>>>>
>>> It looks like your problems have nothing to do with dhcp, one problem
>>> appears to be related to dnssec:
>>>
>>> May 23 10:52:27 S4 named[2162]: validating @0x7eff24296b50:
>>> choices.truste.com A: no valid signature found
>>>
>>> If you have 'dnssec-validation yes;' in 'named.conf.options', change it
>>> to 'dnssec-validation auto;'
>>>
>>> Your main problem has been reported before, not sure if a fix was found,
>>> can I suggest you upgrade to the latest Sernet 4.2 package (4.2.12), this
>>> may contain a fix. If it doesn't, can you post the smb.conf from the DCs,
>>> also both resolv.conf files, raise the log level to 10 and see if anything
>>> else pops out.
>>>
>>>
> Rowland
>>>
>>>
>> Hello Rowland,
>> in named.conf.options, dnssec-validation is already set to auto.
>> Ok I put syslog = 10 in smb.conf and tell if I get more details.
>>
>> I prefer not trying to upgrade, the servers are in production.
>>
>> here are the files:
>>
>> S4bis smb.conf file :
>> # Global parameters
>> [global]
>>         workgroup = ARIANE
>>         realm = ariane.intra
>>         netbios name = S4BIS
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbindd, ntp_signd, kcc, dnsupdate
>>
>>         ## KEEP THIS OFF !! Only used for modify-ing the AD Schema
>>         ## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
>>         sdb:schema update allowed = no
>>
>>         ## Dont forget to set the idmap_ldb on ALL DC's if you use it
>>        idmap_ldb:use rfc2307 = yes
>>
>>         idmap config * :backend = tdb
>>         idmap config * :range = 2000-9999
>>         idmap config ARIANE : backend = ad
>>         idmap config ARIANE : range = 10000-3999999
>>
>>         #when using idmap backend RID enable these
>>          #template shell = /bin/sh
>>         template homedir = /home/users/%ACCOUNTNAME%
>>
>>         winbind nss info = rfc2307
>>         winbind trusted domains only = no
>>         winbind use default domain = yes
>>         winbind max clients = 800
>>
>>         interfaces = 127.0.0.1 172.20.2.3
>>         bind interfaces only = yes
>>         time server = yes
>>         wins support = yes
>>
>>         # Disable printing completely
>>         load printers = no
>>         printing = bsd
>>         printcap name = /dev/null
>>         disable spoolss = yes
>>
>>  kerberos method = system keytab
>>  client ldap sasl wrapping = sign
>>  allow dns updates = secure
>>  nsupdate command =  /usr/bin/nsupdate -g
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/ariane.intra/scripts
>>         read only = No
>>         acl_xattr:ignore system acl = yes
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>         acl_xattr:ignore system acl = yes
>>
>> S4bis Resolv.conf file :
>> search ariane.intra
>> nameserver 172.20.2.2
>> nameserver 172.20.2.3
>>
>> S4 smb.conf file :
>> # Global parameters
>> [global]
>>         workgroup = ARIANE
>>         realm = ariane.intra
>>         netbios name = S4
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbindd, ntp_signd, kcc, dnsupdate
>>
>>         ## KEEP THIS OFF !! Only used for modify-ing the AD Schema
>>         ## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
>>         sdb:schema update allowed = no
>>
>>         ## Dont forget to set the idmap_ldb on ALL DC's if you use it
>>        idmap_ldb:use rfc2307 = yes
>>
>>         idmap config * :backend = tdb
>>         idmap config * :range = 2000-9999
>>         idmap config ARIANE : backend = ad
>>         idmap config ARIANE : range = 10000-3999999
>>
>>         #when using idmap backend RID enable these
>>          #template shell = /bin/sh
>>         template homedir = /home/users/%ACCOUNTNAME%
>>
>>         winbind nss info = rfc2307
>>         winbind trusted domains only = no
>>         winbind use default domain = yes
>>         winbind max clients = 800
>>
>>         interfaces = 127.0.0.1 172.20.2.2
>>         bind interfaces only = yes
>>         time server = yes
>>         wins support = yes
>>
>>         # Disable printing completely
>>         load printers = no
>>         printing = bsd
>>         printcap name = /dev/null
>>         disable spoolss = yes
>>
>>  kerberos method = system keytab
>>  client ldap sasl wrapping = sign
>>  allow dns updates = secure
>>  nsupdate command =  /usr/bin/nsupdate -g
>>
>> syslog = 10
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/ariane.intra/scripts
>>         read only = No
>>         acl_xattr:ignore system acl = yes
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>         acl_xattr:ignore system acl = yes
>>
>> S4bis Resolv.conf file :
>> search ariane.intra
>> nameserver 172.20.2.3
>> nameserver 172.20.2.2
>>
>> Thank you!
>> Sam
>>
>
>
> OK, you have a few lines in smb.conf that do nothing or are defaults:
>
> These do nothing on an AD DC:
>
>         idmap config * :backend = tdb
>         idmap config * :range = 2000-9999
>         idmap config ARIANE : backend = ad
>         idmap config ARIANE : range = 10000-3999999
>
> You only need this when it is set to 'yes':
>
>         ## KEEP THIS OFF !! Only used for modify-ing the AD Schema
>         ## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
>         sdb:schema update allowed = no
>
> These are default lines:
>
>         winbind trusted domains only = no
>  client ldap sasl wrapping = sign
>  nsupdate command =  /usr/bin/nsupdate -g
> allow dns updates = secure # Note: it is actually 'secure only' and that
> is the default.
>
> Your resolv.conf files seem to be wrong, each DC should point to the other
> first and then themselves.
>
> As for upgrading, this is of course your decision, but I should point out
> that there was a major security update recently and the Samba version you
> are running is liable to a possible MITM attack.
>
> Rowland
>
>
>
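The thread above boils down to two configuration checks: which smb.conf lines are no-ops or defaults on an AD DC (Rowland's list), and whether a DC's resolv.conf lists itself or the other DC first (which Rowland and mathias disagree about). The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf and a resolv.conf and reports exactly those points. The sample inputs are constructed, trimmed from the S4 config posted above; the list of defaults is taken from Rowland's reply as stated, and the resolver sample deliberately lists the DC itself first so the check has something to report. The `sdb:schema update allowed` key is kept as spelled in the posted config.

```python
"""Lint a Samba AD DC's smb.conf and resolv.conf for the points raised in the thread.

Added example (not from the thread or the Samba project). Sample inputs are
constructed, trimmed from the S4 configuration posted on the list.
"""
import re

# Parameters the reply says are already the default on an AD DC.
# 'allow dns updates' is 'secure only' by default; 'secure' is the same setting.
DEFAULTS_FROM_THREAD = {
    "winbind trusted domains only": "no",
    "client ldap sasl wrapping": "sign",
    "nsupdate command": "/usr/bin/nsupdate -g",
    "allow dns updates": "secure only",
}


def _norm(s):
    """Collapse whitespace and lower-case, so 'Read Only' and 'read only' compare equal."""
    return re.sub(r"\s+", " ", s.strip()).lower()


def parse_smb_conf(text):
    """Return {section: {key: value}} from smb.conf text; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = _norm(m.group(1))
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # 'idmap config * :backend' and 'idmap config *:backend' are the same key
        key = re.sub(r"\s*:\s*", ":", _norm(key))
        sections[current][key] = value.strip()
    return sections


def lint_smb_conf(conf):
    """Report lines that do nothing, are defaults, or are only needed when enabled."""
    findings = []
    g = conf.get("global", {})
    is_dc = "active directory domain controller" in _norm(g.get("server role", ""))
    for key, value in g.items():
        if is_dc and key.startswith("idmap config "):
            findings.append(f"no-op on an AD DC: {key} = {value}")
        elif key == "sdb:schema update allowed" and _norm(value) == "no":
            findings.append(f"only needed when set to yes: {key} = {value}")
        elif key in DEFAULTS_FROM_THREAD:
            got = _norm(value)
            if got == DEFAULTS_FROM_THREAD[key] or (key == "allow dns updates" and got == "secure"):
                findings.append(f"already the default: {key} = {value}")
    return findings


def parse_resolv_conf(text):
    """Return the nameserver addresses in the order resolv.conf lists them."""
    return [p[1] for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def check_resolver_order(conf, nameservers):
    """Return a message if the first resolver is this DC itself (taken from 'interfaces'), else None."""
    own = set(conf.get("global", {}).get("interfaces", "").split())
    if not nameservers:
        return "no nameserver lines in resolv.conf"
    if nameservers[0] in own:
        return (f"first resolver {nameservers[0]} is this DC itself "
                "(Rowland's advice: point at the other DC first)")
    return None


# Constructed sample, trimmed from the S4 smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        workgroup = ARIANE
        realm = ariane.intra
        netbios name = S4
        server role = active directory domain controller
        sdb:schema update allowed = no
        idmap_ldb:use rfc2307 = yes
        idmap config * :backend = tdb
        idmap config * :range = 2000-9999
        idmap config ARIANE : backend = ad
        idmap config ARIANE : range = 10000-3999999
        winbind trusted domains only = no
        winbind use default domain = yes
        interfaces = 127.0.0.1 172.20.2.2
        bind interfaces only = yes
        kerberos method = system keytab
        client ldap sasl wrapping = sign
        allow dns updates = secure
        nsupdate command =  /usr/bin/nsupdate -g
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

# Constructed: lists the DC's own address first so the order check fires.
SAMPLE_RESOLV_CONF = """\
search ariane.intra
nameserver 172.20.2.2
nameserver 172.20.2.3
"""

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for finding in lint_smb_conf(conf):
        print(finding)
    msg = check_resolver_order(conf, parse_resolv_conf(SAMPLE_RESOLV_CONF))
    print(msg or "first resolver is another DC")
```

Run it against a real pair of files by replacing the two sample strings with `open(path).read()`; the `interfaces` line is what tells the script which addresses belong to the DC itself, so a DC without `bind interfaces only` would need its addresses supplied another way.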

