[Samba] Samba4 Kerberos Authentication Error

Rowland Penny rpenny at samba.org
Fri Dec 7 15:19:24 UTC 2018


On Fri, 7 Dec 2018 09:43:50 -0500
Marco Shmerykowsky PE via samba <samba at lists.samba.org> wrote:

> 
> On 12/6/2018 9:33 AM, Rowland Penny via samba wrote:
> > On Thu, 6 Dec 2018 09:12:03 -0500
> > Marco Shmerykowsky PE via samba <samba at lists.samba.org> wrote:
> > 
> >>>>
> >>>> I'm basically trying to set up one Linux appliance to handle
> >>>> overall authentication and let two other machines simply
> >>>> serve files.
> >>>>
> >>>
> >>> I would do it slightly differently, two DC's and then whatever
> >>> fileservers are required. The Centos Samba packages are usable
> >>> for a domain member, they just cannot be used for a DC.
> >>>
> >>> Rowland
> >>
> >> Why 2 DC's?  My understanding is that a file server should
> >> not simultaneously serve as a DC in an Active Directory setup.
> > 
> > I never said use a DC as a fileserver, I was just picking up on what
> > you said 'one Linux appliance to handle overall authentication'. I
> > took it you meant use one Samba AD DC, and two Samba AD DC's are
> > always better.
> > 
> >>
> >> I have a small office.  While I have no issue making one of
> >> the file servers also function as a backup DC, I really don't
> >> want to add yet another server to the mix to handle a single
> >> role.
> > 
> > I know Windows sysadmins refer to DC's via various different names,
> > but AD RWDC's are all the same apart from the FSMO roles and they
> > can be on any DC.
> > 
> > If resources are limited, you can use a DC as a fileserver, you just
> > have to be aware of the limitations.
> > 
> > Rowland
> > 
> 
> I'm newbie lost with the terminology :)
> 
> Currently I have two servers:
> 1) Centos Server handling file server duties and functioning as
>     a PDC in a NT4 style domain.
> 2) Centos Server functioning as a member server holding
>     supplemental files.
> 
> New setup:
> 1) Ebox Appliance running Debian 9 w/ samba as an AD DC
>     (got this up and running w/o an issue - Fedora was the problem)
> 2) Main File server as a member server (stay on Centos?) on
>     the AD domain
> 3) Secondary server as a member server (stay on Centos?) on
>     the AD domain
> 
> Both the centos servers need upgrading, but since I don't have
> extra servers to move the files around to, that will take a
> little bit of work.
> 
> When moving the file servers to samba4, do I set them up as
> "member servers" or something else?  For that matter, do I
> migrate samba or do I follow an uninstall/fresh install path?
> 

In an AD domain there are DC's and these can be either RWDC's (read
and writable) or RODC's (read only). The RWDC's are all identical
apart from the FSMO roles and any DC can hold any or all of the FSMO
roles.

The clients are described as 'domain members', they may serve files,
but they are not servers. To differentiate from Windows machines, Unix
machines are described as 'Unix domain members'.

By Ebox, I take it you mean Zentyal, and using this traps you into
using whatever version of Samba comes with it, but for most
people this is probably not a problem.

You could stay with Centos on the 2 fileservers, but this would mean
having two slightly different setups and ways of doing things.

OK, here is what I would do:

On the main DC (Ebox) run another instance of Debian in a VM and use
this as a Unix domain member to serve files.
Use the 'Main File server' as another DC, two DC's are better than one.
Use the 'Secondary server' as a Unix domain member to serve files.

Rowland
 



