[Samba] Samba 4.7rc4. (Debian Stretch Amd64 packages/sources available)

L.P.H. van Belle belle at bazuin.nl
Thu Aug 17 10:35:49 UTC 2017

Can anyone ( one of the devs)  tell if its safe for a samba 4.7rc4 to join and samba 4.6(.7) AD DC domain. 
Any do/donts, im asking so i can test a DC join, but i want to test in my production even, since that are the best tests. 
First test of a clean ADDC install looks ok. 
Aand yes, i have already made 3 backups of the DC's, already when i go testing.  i can restore quickly.   ;-) 
If someone wants to test these 4.7rc4 Debian Stretch packages
The changelog is a not fully complete, im collecting all changes, for the next 4.7. 

Stretch experimental (TESTING/NOT FOR PRODUCTION): 
Currently samba 4.7 RC4, first builds only AMD64 packages and sources are now available for testing. 

Current package list Debian Stretch Experimental samba 4.7rc4: klik here 
The buildlogs and change logs : http://downloads.van-belle.nl/samba4/Buildlogs/stretch-experimental/ 
I used the following build parameters.
conf_args = \
                --prefix=/usr \
                --enable-fhs \
                --sysconfdir=/etc \
                --localstatedir=/var \
                --libexecdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
                --with-privatedir=/var/lib/samba/private \
                --with-smbpasswd-file=/etc/samba/smbpasswd \
                --with-piddir=/var/run/samba \
                --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
                --with-pam \
                --with-syslog \
                --with-utmp \
                --with-winbind \
                --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2,vfs_dfs_samba4,auth_samba4 \
                --with-automount \
                --with-ldap \
                --with-ads \
                --with-dnsupdate \
                --with-gpgme \
                --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
                --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
                --datadir=/usr/share \
                --with-lockdir=/var/run/samba \
                --with-statedir=/var/lib/samba \
                --with-cachedir=/var/cache/samba \
                --enable-avahi \
                --disable-rpath \
                --disable-rpath-install \
                --bundled-libraries=NONE,pytevent,iniparser,roken,wind,hx509,asn1,heimbase,hcrypto,krb5,gssapi,heimntlm,hdb,kdc,com_err,compile_et,asn1_compile \
                --builtin-libraries=replace,ccan,samba-cluster-support \
                --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
                --with-cluster-support \
                --with-socketpath=/var/run/ctdb/ctdbd.socket \
                --with-logdir=/var/log/ctdb \
                --enable-spotlight \
                --with python2,python3

compaired to the normal debian builds, i've added : 
                --enable-spotlight \
and changed    --with python2  to   --with python2,python3
Beware, these need lots of testing, if you detect problems, please report them. 
and please run this, so i can analyse all needed settings when needed. and mail the samba-debug.txt 

for config in /etc/hosts /etc/resolv.conf /etc/samba/smb.conf /etc/samba/dhcp.conf /etc/bind/named.conf /etc/bind/named.conf.options /etc/bind/named.conf.local ; do
  if [ -f $config ]; then
      echo "-- BEGIN $config --">> $LOGFILE
      cat $config >> $LOGFILE
      echo "-- END $config --" >> $LOGFILE
    echo "-- $config not present  -- " >> $LOGFILE
echo "-- BEGIN kerberos checks --" >> $LOGFILE
klist -ke >>$LOGFILE
( if you have extra test, please do add them ) 
I cant stressout enough...  keep these away from you production setup. 
That i'm testing in my production, should not give you a wildcard todo that also. If you break you production setup, your on your own. 
>>>   You cannot use these for upgrading a previous samba, setup clean. this is due incompatible packages between samba 4.6 and samba 4.7.  <<<< 
>>> for samba 4.7 packages like, tdb/ldb, are getting optimized for a multi threaded samba, these packages are only in the repo : stretch-experimental. <<< 
The repo stretch-experimental  contains a backport of krb5 ( to 1.15.1 ), you see its set to -bpo, but its not in the stretch-backports. 
This way it does not get in the way of the current stable packages of my repo. 

You cannot mix the stretch-experimental repo with the others, except the backports line. ( ! BEWARE, DONT UPGRADE YOUR SAMBA 4.5 or 4.6, i've not tested this.) 
These packages can and will...   if needed will destroy you server, ;-)  if you dont follow above advice. 
but we need some testing of the packages. 

A howto very quickly install these 4.7rc4 on a debian stretch amd64
( do no more the show below, its not needed, below results in a working AD DC server. ) 
Install a clean debian stretch, configure /etc/hosts and /etc/resolv.conf 
add the repo : 
echo "deb http://apt.van-belle.nl/debian stretch-backports main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian stretch-experimental main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
apt-get update && apt-get upgrade -y

# test install samba 4.7rc4, AD DC with bind9_DLZ
apt-get install samba winbind krb5-kdc ntp bind9 -y
configure your time server.  ( https://wiki.samba.org/index.php/Time_Synchronisation  : see:  Set up the ntpd.conf File on a DC ) 

# after the install, disable these services. 
# the default samba installs a samba standalone server. 
systemctl disable smbd.service nmbd.service winbind.service

# and stop services. 
systemctl stop smbd.service nmbd.service winbind.service ntp.service bind9.service

# provisioning samba. 
move the old smb.conf out of the way. 
mv /etc/samba/smb.conf{,.before-provisioning}

samba-tool domain provision --interactive 
or with 
samba-tool domain provision --server-role=dc --dns-backend=BIND9_DLZ --realm=SAMDOM.EXAMPLE.COM --domain=SAMDOM --adminpass=Passw0rd --use-rfc2307 

# configure bind. (https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server )
# for debian. 
named.conf (options):  auth-nxdomain yes;
named.conf (options):  add ( and adjust to your network settings the part below )

 tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
 # IP addresses and network ranges allowed to query the DNS server:
    allow-query {;;

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {;;

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {;;

    # Disable zone transfers 
    allow-transfer {
---------- ENDS HERE 

named.conf.local, add 
include "/var/lib/samba/private/named.conf";

# you bind setup is read now. 
#( optional : systemctl unmask bind9.service , systemctl enable bind9.service )
systemctl start bind9.service
check: cat /var/log/daemon.log| grep dlz 

Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone 'internal.example.com'
Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone '_msdcs.internal.example.com'

Now i did add the folloing to the debian default /etc/krb5.conf 
default_keytab_name = /var/lib/samba/private/secrets.keytab
resulting in : 
        default_realm = INTERNAL.EXAMPLE.COM
        default_keytab_name = /var/lib/samba/private/secrets.keytab
( and below here all things debian all ready did set, you can keep it. )

Last, start samba in AD mode. 
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

I suggest, now clear your logs and reboot and check logs again. 
Now go abuse your new AD.  ;-) 

Have fun with these. 

Questions, just ask? 

More information about the samba mailing list