[Samba] DC's are unavailable when PDC halted
Ervin Hegedüs
airween at gmail.com
Wed Nov 8 11:43:16 UTC 2017
Hi Rowland,
many thanks for your help,
On Wed, Nov 08, 2017 at 11:00:59AM +0000, Rowland Penny wrote:
>
> On Wed, 8 Nov 2017 11:18:10 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
>
>
> > ========
> > open-ldap:
...
> > --------
> > /etc/resolv.conf
> > search core.mydomain.hu
> > nameserver 127.0.0.1
> > nameserver 10.10.10.1
>
> You would be better using the DCs ipaddress rather than '127.0.0.1'.
> You should also remove '10.10.0.1' it doesn't seem to be a DC.
yes, that's the forwarder (see smb.conf). Most documents note that it
should be kept in resolv.conf.
> > --------
> > /etc/samba/smb.conf
> > # Global parameters
> > [global]
> > netbios name = OPEN-LDAP
> > realm = CORE.MYDOMAIN.HU
> > workgroup = CORE
> > dns forwarder = 10.10.10.1
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> >
> > log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > ntlm auth = yes
> > lanman auth = yes
> > client ntlmv2 auth = yes
>
> I would investigate upgrading security on the clients, rather than
> turning it down on the DC
I'm sorry, what exactly do you mean?
> >
> > server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
>
> The above line contains all the defaults, so you can remove it.
ok, I just forgot to remove it, I was only testing it... now I've removed
it.
> > ========
> > open-ldap2:
> >
...
everything is done,
> > ========
> > client:
> >
> > --------
> > /etc/krb5.conf
>
> The krb5.conf only needs to match the ones on the DCs, so you don't
> need all of the following.
does that mean the krb5.conf should be empty?
> > --------
> > /etc/samba/smb.conf
> >
> > [global]
> >
> > workgroup = CORE
> > security = ads
> > realm = CORE.MYDOMAIN.HU
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
>
> Are you using sssd ?
no,
> If not, good, but you need to READ all of this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
I've followed this page (maybe I forgot something - I'll review it
again)
> and probably this:
>
> https://wiki.samba.org/index.php/Idmap_config_rid
I'm afraid I don't need that :)
> You are trying to put EVERYTHING into the '*' domain, this is wrong.
right,
> > syslog = 0
> > panic action = /usr/share/samba/panic-action %d
> >
> > server role = standalone server
>
> Oh no its not, it is a Unix domain member, remove the above line.
ok, removed,
> > passdb backend = tdbsam
> > obey pam restrictions = yes
> > unix password sync = yes
>
> You CANNOT have a user in /etc/passwd and in AD with the same username,
> so you cannot have the above line.
this condition is met - line removed,
> > [homes]
> > comment = Home Directories
> > browseable = no
> > read only = yes
> > create mask = 0700
> > directory mask = 0700
> > valid users = %S
> >
> > [printers]
> > comment = All Printers
> > browseable = no
> > path = /var/spool/samba
> > printable = yes
> > guest ok = no
> > read only = yes
> > create mask = 0700
> >
> > [print$]
> > comment = Printer Drivers
> > path = /var/lib/samba/printers
> > browseable = yes
> > read only = yes
> > guest ok = no
> >
> You would be better setting the permissions from windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
I don't want to build a file server, I just need the user
management - these blocks remained from the previous install.
> > Sorry again for the confusing post.
>
> No problem, just don't refer to your first DC as a 'PDC' again, it just
> confuses things, every DC is equal ;-)
yes, in the meantime I've discussed it with a Windows engineer, who said
that there aren't primary and backup roles.
Thanks again, I'll review the client config, and check it again.
Just one thing remains: what do you mean here:
> I would investigate upgrading security on the clients, rather
> than turning it down on the DC
and is an empty krb5.conf file on the client enough?
Regards,
a.
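Added illustration of the points Rowland raises above (not code from this thread or from the Samba project): a small, hypothetical Python audit script that parses the [global] section of an smb.conf and flags the settings discussed here, for the DC (`lanman auth = yes` and `ntlm auth = yes` accept LM/NTLMv1 responses; Samba's defaults since 4.5 are `lanman auth = no` and `ntlm auth = ntlmv2-only`, so the fix is to delete the lines and upgrade the clients) and for the member (`server role = standalone server` beside `security = ads`, `unix password sync = yes` on an AD member, and an idmap configuration that puts everything into the `*` domain). The three sample configurations are constructed from the ones posted in the thread, with the weak DC block shown beside the corrected one; the function and message wording are my own.

```python
"""Hypothetical smb.conf audit helper (added example, not Samba code).

Parses the subset of smb.conf syntax that matters here (sections, `key = value`,
`#`/`;` comment lines, case- and whitespace-insensitive keys) and flags the
settings discussed in the thread.  Run `testparm` for the authoritative parse.
"""
import re

TRUE_VALUES = {"yes", "true", "1", "on"}

# Constructed sample: the DC [global] block from the thread, weak auth lines included.
WEAK_DC_CONF = """
[global]
    netbios name = OPEN-LDAP
    realm = CORE.MYDOMAIN.HU
    workgroup = CORE
    dns forwarder = 10.10.10.1
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    ntlm auth = yes
    lanman auth = yes
    client ntlmv2 auth = yes
"""

# Constructed sample: the same DC with the weak lines removed.  Samba's defaults
# (lanman auth = no, ntlm auth = ntlmv2-only) then apply, so nothing is added.
FIXED_DC_CONF = """
[global]
    netbios name = OPEN-LDAP
    realm = CORE.MYDOMAIN.HU
    workgroup = CORE
    dns forwarder = 10.10.10.1
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
"""

# Constructed sample: the member [global] block as posted, before Rowland's fixes.
WEAK_MEMBER_CONF = """
[global]
    workgroup = CORE
    security = ads
    realm = CORE.MYDOMAIN.HU
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    server role = standalone server
    unix password sync = yes
"""


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}; a repeated key keeps its last value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line or section is None:
            continue  # stray line outside any section; testparm would reject it too
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())  # 'NTLM   Auth' -> 'ntlm auth'
        conf[section][key] = value.strip()
    return conf


def _truthy(value):
    return value is not None and value.lower() in TRUE_VALUES


def lint(text):
    """Return a list of (key, message) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    role = g.get("server role", "").lower()
    is_member = g.get("security", "").lower() == "ads" or role == "member server"
    findings = []

    if _truthy(g.get("lanman auth")):
        findings.append(("lanman auth", "LM responses accepted; remove the line (default is no)."))
    if _truthy(g.get("ntlm auth")):
        findings.append(("ntlm auth", "NTLMv1 accepted; keep the default ntlmv2-only and fix the clients."))
    if role == "standalone server" and g.get("security", "").lower() == "ads":
        findings.append(("server role", "'standalone server' contradicts security = ads; drop the line."))
    if is_member and _truthy(g.get("unix password sync")):
        findings.append(("unix password sync", "not valid on an AD member; users live in AD, not /etc/passwd."))
    if is_member and "idmap config * : range" in g:
        named = [k for k in g if k.startswith("idmap config ") and not k.startswith("idmap config * ")]
        if not named:
            findings.append(("idmap config", "only '*' is configured; add idmap config CORE : backend/range."))
    return findings


if __name__ == "__main__":
    for name, conf in (("DC (as posted)", WEAK_DC_CONF), ("DC (fixed)", FIXED_DC_CONF),
                       ("member (as posted)", WEAK_MEMBER_CONF)):
        print(name)
        for key, msg in lint(conf) or [("ok", "no findings")]:
            print(f"  {key}: {msg}")
```

The checks are deliberately conservative: the script only reports what the lines say, and it does not know Samba's compiled-in defaults, so a missing `ntlm auth` line is treated as the safe default rather than guessed at. Whether the Windows clients actually still need NTLMv1 is best answered from the DC's own auth logs (the `auth:5` log level in the posted smb.conf records the NTLM version each client uses) before tightening anything.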