[Samba] DC's are unavailable when PDC halted

Rowland Penny rpenny at samba.org
Wed Nov 8 12:12:20 UTC 2017 

See inline comments, extraneous lines removed from post:

On Wed, 8 Nov 2017 12:43:16 +0100
Ervin Hegedüs <airween at gmail.com> wrote:

> > You would be better using the DCs ipaddress rather than '127.0.0.1'.
> > You should also remove '10.10.0.1' it doesn't seem to be a DC.
> 
> yes, that's the forwarder (see in smb.conf). Most documents
> notives that keep it in resolv.conf.

And most documents get it wrong, The DC is a DNS server and your
clients should use it as their nameserver. Your DC should forward
anything unknown to the nameserver that is set in the DCs smb.conf if
using the internal DNS server, or if in the named conf files if using
Bind9

>  
> > > --------
> > > /etc/samba/smb.conf
> > > # Global parameters
> > > [global]
> > > 	netbios name = OPEN-LDAP
> > > 	realm = CORE.MYDOMAIN.HU
> > > 	workgroup = CORE
> > > 	dns forwarder = 10.10.10.1
> > > 	server role = active directory domain controller
> > > 	idmap_ldb:use rfc2307 = yes
> > > 
> > > 	log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > > 	ntlm auth = yes
> > > 	lanman auth = yes
> > > 	client ntlmv2 auth = yes
> > 
> > I would investigate upgrading security on the clients, rather than
> > turning it down on the DC
> 
> I'm sorry, what do you think about exactly?

You have set 'ntlm auth = yes' in the smb.conf, this means your clients
can use NTLMv1, this is insecure, you would be better off removing this
line and then make your clients use NTLMv2 (at least) by default.

> 
> > > ========
> > > client:
> > > 
> > > --------
> > > /etc/krb5.conf
> > 
> > The krb5.conf only needs to match the ones on the DCs, so you don't
> > need all of the following.
> 
> does it mean that the krb5.conf should be empty?

No, the /etc/krb5.conf on all the machines needs to be only this:

[libdefaults]
 	default_realm = CORE.MYDOMAIN.HU
 	dns_lookup_realm = false
 	dns_lookup_kdc = true

> 
> > If not, good, but you need to READ all of this:
> > 
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> I've followed this page (may be I forgot something - I review it
> again)
>  
> > and probably this:
> > 
> > https://wiki.samba.org/index.php/Idmap_config_rid
> 
> I'm afraid I don't need to that :)

Yes you do :)

windbind needs to map your windows users & groups to Unix IDs in the
'CORE' domain, not the '*' domain. The '*' domain is reserved for the
well known SIDs and anything outside the 'CORE' domain.
 
> 
> I don't want to build the fileserver, I just need the user
> management - these blocks stayed from the previous install.

Then why have the Unix domain member ???

>  
> > > Sorry again for the confusing post.
> > 
> > No problem, just don't refer to your first DC as a 'PDC' again, it
> > just confuses things, every DC is equal ;-)
> 
> yes, in meantime I've discussed with a Windows engineer, he said
> that there aren't primary and backup roles.
> 

There were Primary and Backup roles, but this was with NT4-style domains

> Just one thing remains: what do you mean about here:
> 
> > I would investigate upgrading security on the clients, rather
> > than turning it down on the DC
> 
> and is it enough an empty krb5.conf file on client?

Hopefully I have answered these questions above.

Rowland

More information about the samba mailing list