[Samba] Samba 4.7rc4. (Debian Stretch Amd64 packages/sources available)
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 17 10:35:49 UTC 2017
Hai,
Can anyone (one of the devs) tell me if it's safe for a Samba 4.7rc4 to join a Samba 4.6(.7) AD DC domain?
Any dos/don'ts? I'm asking so I can test a DC join, but I want to test in my production even, since those are the best tests.
First test of a clean ADDC install looks ok.
And yes, I have already made 3 backups of the DCs before I go testing. I can restore quickly. ;-)
If someone wants to test these 4.7rc4 Debian Stretch packages:
The changelog is not fully complete; I'm collecting all changes for the next 4.7.
Stretch experimental (TESTING/NOT FOR PRODUCTION):
Currently Samba 4.7 RC4 first builds; only AMD64 packages and sources are now available for testing.
Current package list Debian Stretch Experimental samba 4.7rc4: click here
The build logs and change logs: http://downloads.van-belle.nl/samba4/Buildlogs/stretch-experimental/
I used the following build parameters:
conf_args = \
--prefix=/usr \
--enable-fhs \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
--with-privatedir=/var/lib/samba/private \
--with-smbpasswd-file=/etc/samba/smbpasswd \
--with-piddir=/var/run/samba \
--with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
--with-pam \
--with-syslog \
--with-utmp \
--with-winbind \
--with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2,vfs_dfs_samba4,auth_samba4 \
--with-automount \
--with-ldap \
--with-ads \
--with-dnsupdate \
--with-gpgme \
--libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
--with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
--datadir=/usr/share \
--with-lockdir=/var/run/samba \
--with-statedir=/var/lib/samba \
--with-cachedir=/var/cache/samba \
--enable-avahi \
--disable-rpath \
--disable-rpath-install \
--bundled-libraries=NONE,pytevent,iniparser,roken,wind,hx509,asn1,heimbase,hcrypto,krb5,gssapi,heimntlm,hdb,kdc,com_err,compile_et,asn1_compile \
--builtin-libraries=replace,ccan,samba-cluster-support \
--minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
--with-cluster-support \
--with-socketpath=/var/run/ctdb/ctdbd.socket \
--with-logdir=/var/log/ctdb \
--enable-spotlight \
--with-system-mitkrb5 \
--with-systemd \
--with python2,python3
Compared to the normal Debian builds, I've added:
--enable-spotlight \
--with-system-mitkrb5
and changed --with python2 to --with python2,python3.
Beware, these need lots of testing; if you detect problems, please report them.
And please run this, so I can analyse all needed settings when needed, and mail me the samba-debug.txt:
LOGFILE=/tmp/samba-debug.txt
for config in /etc/hosts /etc/resolv.conf /etc/samba/smb.conf /etc/samba/dhcp.conf /etc/bind/named.conf /etc/bind/named.conf.options /etc/bind/named.conf.local ; do
    if [ -f "$config" ]; then
        echo "-- BEGIN $config --" >> "$LOGFILE"
        cat "$config" >> "$LOGFILE"
        echo "-- END $config --" >> "$LOGFILE"
    else
        echo "-- $config not present -- " >> "$LOGFILE"
    fi
done
echo "-- BEGIN kerberos checks --" >> "$LOGFILE"
klist -ke >> "$LOGFILE"
(If you have extra tests, please do add them.)
I can't stress it enough... keep these away from your production setup.
That I'm testing in my production should not give you a wildcard to do that also. If you break your production setup, you're on your own.
>>> You cannot use these for upgrading a previous Samba; set up clean. This is due to incompatible packages between Samba 4.6 and Samba 4.7. <<<
>>> For Samba 4.7, packages like tdb/ldb are getting optimized for a multi-threaded Samba; these packages are only in the repo stretch-experimental. <<<
The repo stretch-experimental contains a backport of krb5 (to 1.15.1); you see it's set to -bpo, but it's not in stretch-backports.
This way it does not get in the way of the current stable packages of my repo.
You cannot mix the stretch-experimental repo with the others, except the backports line. (! BEWARE, DON'T UPGRADE YOUR SAMBA 4.5 or 4.6, I've not tested this.)
These packages can and will... if needed, destroy your server ;-) if you don't follow the above advice.
But we need some testing of the packages.
A howto to very quickly install these 4.7rc4 packages on a Debian Stretch amd64
(Do no more than shown below; it's not needed. Below results in a working AD DC server.)
Install a clean Debian Stretch, configure /etc/hosts and /etc/resolv.conf.
Add the repo:
echo "deb http://apt.van-belle.nl/debian stretch-backports main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian stretch-experimental main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
apt-get update && apt-get upgrade -y
# test install samba 4.7rc4, AD DC with bind9_DLZ
apt-get install samba winbind krb5-kdc ntp bind9 -y
Configure your time server (https://wiki.samba.org/index.php/Time_Synchronisation ; see: Set up the ntpd.conf File on a DC).
# after the install, disable these services.
# the default samba installs a samba standalone server.
systemctl disable smbd.service nmbd.service winbind.service
# and stop services.
systemctl stop smbd.service nmbd.service winbind.service ntp.service bind9.service
# provisioning samba.
Move the old smb.conf out of the way.
mv /etc/samba/smb.conf{,.before-provisioning}
samba-tool domain provision --interactive
or with
samba-tool domain provision --server-role=dc --dns-backend=BIND9_DLZ --realm=SAMDOM.EXAMPLE.COM --domain=SAMDOM --adminpass=Passw0rd --use-rfc2307
# configure bind. (https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server )
# for debian.
named.conf (options): auth-nxdomain yes;
named.conf (options): add the part below (and adjust it to your network settings)
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
# IP addresses and network ranges allowed to query the DNS server:
allow-query {
    127.0.0.1;
    10.99.1.0/24;
};
# IP addresses and network ranges allowed to run recursive queries:
# (Zones not served by this DNS server)
allow-recursion {
    127.0.0.1;
    10.1.1.0/24;
};
# Forward queries that can not be answered from own zones
# to these DNS servers:
forwarders {
    8.8.8.8;
    8.8.4.4;
};
# Disable zone transfers
allow-transfer {
    none;
};
---------- ENDS HERE
named.conf.local, add:
include "/var/lib/samba/private/named.conf";
# Your bind setup is ready now.
# (optional: systemctl unmask bind9.service ; systemctl enable bind9.service)
systemctl start bind9.service
check: cat /var/log/daemon.log | grep dlz
Example:
Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone 'internal.example.com'
Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone '_msdcs.internal.example.com'
Now I did add the following to the Debian default /etc/krb5.conf:
default_keytab_name = /var/lib/samba/private/secrets.keytab
resulting in:
[libdefaults]
default_realm = INTERNAL.EXAMPLE.COM
default_keytab_name = /var/lib/samba/private/secrets.keytab
(And below here all the things Debian already did set; you can keep them.)
Last, start Samba in AD mode.
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
I suggest you now clear your logs, reboot and check the logs again.
Now go abuse your new AD. ;-)
Have fun with these.
Questions? Just ask.
Greetz,
Louis
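As an added example (not part of Louis' post and not Samba or BIND project code), here is a small Python checker for two of the steps above: it audits the named.conf options fragment for the settings the howto insists on (tkey-gssapi-keytab present, allow-query and allow-recursion not open to "any", allow-transfer set to none), and it parses daemon.log lines for the samba_dlz "configured writeable zone" messages to confirm both the realm zone and its _msdcs zone were loaded. The restrictive options text is the fragment from the post; the "weak" variant and the extra noise log line are constructed here for illustration, and the realm name is the one from the post's log output.

```python
import re

# Constructed sample: the options fragment from the howto (restrictive settings).
GOOD_OPTIONS = """
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
# IP addresses and network ranges allowed to query the DNS server:
allow-query {
    127.0.0.1;
    10.99.1.0/24;
};
# IP addresses and network ranges allowed to run recursive queries:
allow-recursion {
    127.0.0.1;
    10.1.1.0/24;
};
forwarders {
    8.8.8.8;
    8.8.4.4;
};
# Disable zone transfers
allow-transfer {
    none;
};
"""

# Constructed weak variant (assumed, not from the post): open resolver, open transfers,
# and no GSS-TSIG keytab, so Samba's dynamic DNS updates would fail.
WEAK_OPTIONS = """
allow-query { any; };
allow-recursion { any; };
allow-transfer { any; };
"""

# Constructed log sample: the two samba_dlz lines from the post plus one unrelated line.
SAMPLE_LOG = [
    "Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone 'internal.example.com'",
    "Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone '_msdcs.internal.example.com'",
    "Aug 17 11:38:41 ossec named[455]: running",
]

# ACL elements that make a statement world-open.
OPEN_ELEMENTS = {"any", "0.0.0.0/0", "::/0"}

BLOCK_RE = re.compile(r"([a-z-]+)\s*\{([^}]*)\}[ \t]*;")
SIMPLE_RE = re.compile(r'^[ \t]*([a-z-]+)[ \t]+("?[^";{}]+"?)[ \t]*;[ \t]*$', re.M)


def strip_comments(text):
    """Drop '#' and '//' line comments (the comment styles used in the howto fragment)."""
    return "\n".join(re.sub(r"(#|//).*$", "", line) for line in text.splitlines())


def parse_options(text):
    """Return {statement: [elements]} for 'name { a; b; };' blocks and
    {statement: value} for simple 'name value;' statements."""
    text = strip_comments(text)
    opts = {}
    for name, body in BLOCK_RE.findall(text):
        opts[name] = [e.strip() for e in body.split(";") if e.strip()]
    for name, value in SIMPLE_RE.findall(text):
        opts[name] = value.strip('"')
    return opts


def audit_options(text):
    """Return a list of findings; an empty list means the fragment matches the howto's intent."""
    opts = parse_options(text)
    findings = []
    if "tkey-gssapi-keytab" not in opts:
        findings.append("tkey-gssapi-keytab missing: Samba DLZ cannot accept GSS-TSIG dynamic updates")
    for stmt in ("allow-query", "allow-recursion"):
        if stmt not in opts:
            findings.append(f"{stmt} not set explicitly; relying on BIND defaults")
            continue
        exposed = sorted(set(opts[stmt]) & OPEN_ELEMENTS)
        if exposed:
            findings.append(f"{stmt} permits {exposed}: open to every network that can reach the DC")
    xfer = opts.get("allow-transfer")
    if xfer is None:
        findings.append("allow-transfer not set explicitly; add allow-transfer { none; }")
    elif xfer != ["none"]:
        findings.append(f"allow-transfer is {xfer}; expected {{ none; }}")
    return findings


DLZ_RE = re.compile(r"named\[\d+\]: samba_dlz: configured writeable zone '([^']+)'")


def dlz_zones(log_lines):
    """Zone names BIND reports as configured through the Samba DLZ module, in log order."""
    return [m.group(1) for m in (DLZ_RE.search(line) for line in log_lines) if m]


def dlz_ok(log_lines, realm):
    """True when both the realm zone and its _msdcs zone were loaded by samba_dlz."""
    zones = set(dlz_zones(log_lines))
    return realm in zones and "_msdcs." + realm in zones


if __name__ == "__main__":
    print("howto fragment:", audit_options(GOOD_OPTIONS) or "no findings")
    print("weak fragment:", audit_options(WEAK_OPTIONS))
    print("DLZ zones loaded:", dlz_zones(SAMPLE_LOG), "ok:", dlz_ok(SAMPLE_LOG, "internal.example.com"))
```

To run it against a real box, feed the text of /etc/bind/named.conf.options to audit_options() and the output of grep dlz /var/log/daemon.log to dlz_zones(); the parser only understands the flat "name { ...; };" statements used in the howto, not nested views or ACL names.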