[Samba] Setup a new samba AD DC

Dario Lesca d.lesca at solinos.it
Wed Apr 26 09:49:08 UTC 2017


On Wed, 26/04/2017 at 07.27 +0100, Rowland Penny via samba wrote:
> On Wed, 26 Apr 2017 01:55:16 +0200
> Dario Lesca via samba <samba at lists.samba.org> wrote:
> 
> Your problem is that you need to find out just who dhcpd runs as on
> fedora. On Devuan it is root and everything just works.

Yes, on Debian it works.

And with this patch:

[root at fedora-addc ~]# diff -Nau /etc/samba/bin/dhcp-dyndns.sh.old /etc/samba/bin/dhcp-dyndns.sh
--- /etc/samba/bin/dhcp-dyndns.sh.old	2017-04-26 11:06:30.930347314 +0200
+++ /etc/samba/bin/dhcp-dyndns.sh	2017-04-26 11:45:16.072373036 +0200
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# /etc/bin/dhcp-dyndns.sh
+# /etc/samba/bin/dhcp-dyndns.sh
 
 # This script is for secure DDNS updates on Samba 4
 # Version: 0.8.8
@@ -24,6 +24,12 @@
 # krbcc ticket cache
 export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
 
+if [ -f "$KRB5CCNAME" -a ! -r "$KRB5CCNAME" ]
+then
+    echo "File krbcc ticket cache $KRB5CCNAME is not readable. Remove it with 'rm -f $KRB5CCNAME'"
+    exit 1
+fi
+
 # Kerberos principal
 SETPRINCIPAL="dhcpduser@${REALM}"
 # Kerberos keytab
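Review bot: the new readability check uses `[ -f "$KRB5CCNAME" -a ! -r "$KRB5CCNAME" ]`; the `-a` operator is obsolescent in POSIX test and is ambiguous with some operands, so write it as two tests: `if [ -f "$KRB5CCNAME" ] && [ ! -r "$KRB5CCNAME" ]; then`. More importantly the cache stays at the fixed path /tmp/dhcp-dyndns.cc in a world-writable directory, which is what produces the unreadable-file case in the first place (the file is owned by whoever ran kinit first, for instance root during a manual test, and is then unreadable by the account dhcpd runs as); pointing KRB5CCNAME at a directory owned by the dhcpd user removes the collision instead of only reporting it.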
@@ -43,13 +49,15 @@
 fi
 
 # Check for Kerberos keytab
-if [ ! -f /etc/dhcp/dhcpduser.keytab ]; then
-    echo "Required keytab /etc/dhcpduser.keytab not found, it needs to be created."
+dhcpduser_keytab='/etc/samba/dhcpduser.keytab'
+#dhcpduser_keytab=/etc/dhcp/dhcpduser.keytab
+if [ ! -f $dhcpduser_keytab ]; then
+    echo "Required keytab $dhcpduser_keytab not found, it needs to be created."
     echo "Use the following commands as root"
-    echo "samba-tool domain exportkeytab --principal=${SETPRINCIPAL} /etc/dhcpduser.keytab"
-    echo "chown XXXX:XXXX /etc/dhcpduser.keytab"
+    echo "samba-tool domain exportkeytab --principal=${SETPRINCIPAL} $dhcpduser_keytab"
+    echo "chown XXXX:XXXX $dhcpduser_keytab"
     echo "Replace 'XXXX:XXXX' with the user & group that dhcpd runs as on your distro"
-    echo "chmod 400 /etc/dhcpduser.keytab"
+    echo "chmod 400 $dhcpduser_keytab"
     exit 1
 fi
 
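Review bot: `$dhcpduser_keytab` is left unquoted in `if [ ! -f $dhcpduser_keytab ]; then` while the echo lines quote it; quote it in the test too. The check also only tests existence, not that the keytab is readable by the dhcpd user, which is the wrong-owner failure this thread is about (the instructions it prints end with `chmod 400`); `if [ ! -r "$dhcpduser_keytab" ]; then` would catch a keytab that exists but has the wrong owner or mode before kinit fails later with a less obvious message.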
@@ -75,12 +83,13 @@
 
 # Check for valid kerberos ticket
 #logger "${test} [dyndns] : Running check for valid kerberos ticket"
-klist -c /tmp/dhcp-dyndns.cc -s
+klist -c "$KRB5CCNAME" -s
 if [ "$?" != "0" ]; then
-    logger "${test} [dyndns] : Getting new ticket, old one has expired"
-    kinit -F -k -t /etc/dhcp/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc "${SETPRINCIPAL}"
+    logger "${test} [dyndns] : Getting new ticket, old one has expired."
+    cmd="kinit -F -k -t $dhcpduser_keytab -c '$KRB5CCNAME' '${SETPRINCIPAL}'"
+    eval $cmd
     if [ "$?" != "0" ]; then
-        logger "${test} [dyndns] : dhcpd kinit for dynamic DNS failed"
+        logger "${test} [dyndns] : dhcpd kinit for dynamic DNS failed [$cmd]"
         exit 1;
     fi
 fi
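Review bot: `eval $cmd` adds an unnecessary parsing step; the string is assembled only so it can be logged on failure, and eval re-splits and re-interprets any quotes or special characters in `$dhcpduser_keytab`, `$KRB5CCNAME` or `$SETPRINCIPAL`. Since the script is bash, keep the command in an array and log it with `${cmd[*]}`: `cmd=(kinit -F -k -t "$dhcpduser_keytab" -c "$KRB5CCNAME" "$SETPRINCIPAL")` followed by `if ! "${cmd[@]}"; then logger "${test} [dyndns] : dhcpd kinit for dynamic DNS failed [${cmd[*]}]"; exit 1; fi`. The same `if ! klist -c "$KRB5CCNAME" -s; then` form replaces the `"$?" != "0"` test just above it.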

it can also work on CentOS and Fedora.

The more systems that script works on, the more people can use it.


> Whilst you seem to have created the '12.11.10.in-addr.arpa'
> reversezone, it seems to be trying to update the '10.IN-ADDR.ARPA'
> reversezone. Can you check what zones you have now.

Now these are my zones:

# samba-tool dns zonelist $(hostname)
  3 zone(s) found

  pszZoneName                 : 12.11.10.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.solinos.loc

  pszZoneName                 : solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.solinos.loc

  pszZoneName                 : _msdcs.solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : ForestDnsZones.solinos.loc


Yesterday I also tried to force the use of this zone in the shell:

> nsupdate -g ${NSUPDFLAGS} << UPDATE
> server 127.0.0.1
> realm ${REALM}
> zone 12.11.10.in-addr.arpa       <---<<<
> update delete ${ptr} 3600 PTR
> update add ${ptr} 3600 PTR ${name}.${domain}
> send 
> UPDATE

but nothing changed; the error log is the same.

Furthermore, this morning after I started my AD-DC test server, kinit
does not work anymore:

# kinit -F -k -t /etc/samba/dhcpduser.keytab -c '/tmp/dhcp-dyndns.cc' 'dhcpduser at SOLINOS.LOC'
kinit: Cannot contact any KDC for realm 'SOLINOS.LOC' while getting initial credentials

so the dhcpd script does not work anymore.

The rest works as expected:

[root at fedora-addc ~]# wbinfo --ping-dc
checking the NETLOGON for domain[SOLINOS] dc connection to "fedora-addc.solinos.loc" succeeded
[root at fedora-addc ~]# id ospite
uid=3000017(SOLINOS\ospite) gid=100(users) gruppi=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)
[root at fedora-addc ~]# !smbcl:p
smbclient //$(hostname)/netlogon -Uospite%P at ssw0rd -c 'cd test;mkdir ospite'
[root at fedora-addc ~]# smbclient //$(hostname)/netlogon -Uospite%P at ssw0rd -c 'ls'
Domain=[SOLINOS] OS=[Windows 6.1] Server=[Samba 4.5.8]
  .                                   D        0  Tue Apr 25 09:31:16 2017
  ..                                  D        0  Tue Apr 25 08:25:55 2017
  test                                D        0  Tue Apr 25 09:31:16 2017

		2291712 blocks of size 1024. 603824 blocks available


These are the final AD config files:

[root at fedora-addc ~]# cat /etc/krb5.conf
[libdefaults]
	default_realm = SOLINOS.LOC
	dns_lookup_realm = false
	dns_lookup_kdc = true
[root at fedora-addc ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
	netbios name = FEDORA-ADDC
	realm = SOLINOS.LOC
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = SOLINOS
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

	template shell = /bin/bash
	template homedir = /home/%U

[netlogon]
	path = /var/lib/samba/sysvol/solinos.loc/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

Obviously, on the member server something does not work:

[root at fed-build-addc ~]# kinit administrator at SOLINOS.LOC
kinit: Cannot contact any KDC for realm 'SOLINOS.LOC' while getting initial credentials
[root at fed-build-addc ~]# wbinfo --ping-dc
checking the NETLOGON for domain[SOLINOS] dc connection to "" failed
wbcPingDc2(SOLINOS): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)

What kind of problem is this?

Thanks for any reply and suggestions.

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
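The quoted nsupdate block above names the reverse zone by hand. As an added example (not the dhcp-dyndns.sh script from this thread), here is a POSIX shell helper that derives both the PTR owner name and the reverse zone from the IP, for /8, /16 and /24 zones, and emits the batch with the zone stated explicitly so nsupdate is never left to pick a parent zone the DC does not serve. The realm, server, TTL and prefix length are assumed parameters.

```shell
#!/bin/sh
# Added example, not the dhcp-dyndns.sh from the thread. Builds an nsupdate
# batch for a PTR record with the reverse zone named explicitly, derived from
# the IPv4 address and an assumed classful prefix length (8, 16 or 24).

# Print the four octets of an IPv4 address as words; fail on anything else.
octets() {
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || { echo "not a dotted-quad IPv4 address" >&2; return 1; }
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# PTR owner name: 10.11.12.13 -> 13.12.11.10.in-addr.arpa
ptr_name() {
    o=$(octets "$1") || return 1
    set -- $o
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Reverse zone for a classful prefix: 10.11.12.13 with /24 -> 12.11.10.in-addr.arpa
rev_zone() {
    prefix=$2
    o=$(octets "$1") || return 1
    set -- $o
    case $prefix in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  echo "unsupported prefix length: $prefix" >&2; return 1 ;;
    esac
}

# nsupdate batch; use as: ptr_update 10.11.12.13 24 host.example.loc EXAMPLE.LOC | nsupdate -g
# (assumed arguments: ip prefix fqdn realm [server] [ttl])
ptr_update() {
    ip=$1 prefix=$2 fqdn=$3 realm=$4 server=${5:-127.0.0.1} ttl=${6:-3600}
    zone=$(rev_zone "$ip" "$prefix") || return 1
    ptr=$(ptr_name "$ip") || return 1
    # Trailing dot on the target makes it absolute rather than relative to the zone.
    printf 'server %s\nrealm %s\nzone %s\nupdate delete %s %s PTR\nupdate add %s %s PTR %s.\nsend\n' \
        "$server" "$realm" "$zone" "$ptr" "$ttl" "$ptr" "$ttl" "$fqdn"
}
```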