[Samba] Problem to join Samba 4 DC an existing Windows AD

Rowland penny rpenny at samba.org
Thu Jun 27 15:59:29 UTC 2019


On 27/06/2019 16:32, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I'm using Debian 9.9 and my DCs are Win 2008 Server (not R2).
>
> I intend to replace my Windows DC with a Samba 4 DC.
>
> These are the dependency packages that I have installed:
>
> apt-get install acl attr autoconf bind9utils bison build-essential
> apt-get install debhelper dnsutils docbook-xml docbook-xsl flex gdb
> libjansson-dev krb5-user
> apt-get install libacl1-dev libaio-dev libarchive-dev libattr1-dev
> libblkid-dev libbsd-dev
> apt-get install libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev
> libjson-perl
> apt-get install libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl
> apt-get install libpopt-dev libreadline-dev nettle-dev perl perl-modules
> pkg-config
> apt-get install python-all-dev python-crypto python-dbg python-dev
> python-dnspython
> apt-get install python3-dnspython python-gpgme python3-gpgme
> python-markdown python3-markdown
> apt-get install python3-dev xsltproc zlib1g-dev liblmdb-dev lmdb-utils
I have no idea why you have installed all the 'dev' packages required to 
compile Samba and then installed the distro packages.
>
> I have installed via apt-get (Samba 4.5.16):
> apt-get install samba attr winbind libpam-winbind libnss-winbind
> libpam-krb5 krb5-config krb5-user
>
>
>
> root at samba4dc1:~# cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.1.1
> nameserver 192.168.1.2
I take it that 192.168.1.1 & 192.168.1.2 are your dns servers that hold 
all the dns records.
>
> root at ubatuba:~# cat /etc/hosts
> 192.168.1.19     samba4dc1.empresa.com.br       samba4dc1
> 10.133.100.135   windc1.empresa.com.br     windc1
> 10.133.100.137   windc2.empresa.com.br          windc2
> 192.168.1.4      srv-bkp.empresa.com.br         srv-bkp

You should only have the record for the computer and localhost

E.g. if your computer's IP is 192.168.1.19 from above, /etc/hosts should 
be this:

127.0.0.1 localhost

192.168.1.19 samba4dc1.empresa.com.br samba4dc1

>
>
>
> root at samba4dc1:~# cat /etc/krb5.conf
> [libdefaults]
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
>      default_realm = EMPRESA.COM.BR
>
>
> samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
>
>
> root at samba4dc1:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = SAMBA4DC1
> realm = EMPRESA.COM.BR
> workgroup = SAMBA4DC1
> server role = active directory domain controller
>
> [netlogon]
> path = /var/lib/samba/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat
> group:          compat
> shadow:         compat
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>
> Do I need to change my nsswitch.conf as follows?
>
> passwd:         files winbind
> group:          files winbind
Only if you want users to log in to the DC.
>
>
> The following services are running at this moment:
>
>
> root at samba4dc1:~# netstat -lntup
> Conexões Internet Ativas (sem os servidores)
> Proto Recv-Q Send-Q Endereço Local          Endereço Remoto         Estado
>       PID/Program name
> tcp        0      0 0.0.0.0:10050           0.0.0.0:*               OUÇA
>      393/zabbix_agentd
> tcp        0      0 0.0.0.0:3268            0.0.0.0:*               OUÇA
>      750/samba
> tcp        0      0 0.0.0.0:3269            0.0.0.0:*               OUÇA
>      750/samba
> tcp        0      0 0.0.0.0:389             0.0.0.0:*               OUÇA
>      750/samba
> tcp        0      0 0.0.0.0:135             0.0.0.0:*               OUÇA
>      746/samba
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               OUÇA
>      748/smbd
> tcp        0      0 0.0.0.0:464             0.0.0.0:*               OUÇA
>      752/samba
> tcp        0      0 0.0.0.0:81              0.0.0.0:*               OUÇA
>      521/lighttpd
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               OUÇA
>      758/samba
> tcp        0      0 0.0.0.0:88              0.0.0.0:*               OUÇA
>      752/samba
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               OUÇA
>      624/master
> tcp        0      0 0.0.0.0:636             0.0.0.0:*               OUÇA
>      750/samba
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               OUÇA
>      748/smbd
> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               OUÇA
>      746/samba
> tcp        0      0 0.0.0.0:20000           0.0.0.0:*               OUÇA
>      483/sshd
> tcp6       0      0 :::10050                :::*                    OUÇA
>      393/zabbix_agentd
> tcp6       0      0 :::3268                 :::*                    OUÇA
>      750/samba
> tcp6       0      0 :::3269                 :::*                    OUÇA
>      750/samba
> tcp6       0      0 :::389                  :::*                    OUÇA
>      750/samba
> tcp6       0      0 :::135                  :::*                    OUÇA
>      746/samba
> tcp6       0      0 :::139                  :::*                    OUÇA
>      748/smbd
> tcp6       0      0 :::464                  :::*                    OUÇA
>      752/samba
> tcp6       0      0 :::81                   :::*                    OUÇA
>      521/lighttpd
> tcp6       0      0 :::53                   :::*                    OUÇA
>      758/samba
> tcp6       0      0 :::88                   :::*                    OUÇA
>      752/samba
> tcp6       0      0 ::1:25                  :::*                    OUÇA
>      624/master
> tcp6       0      0 :::636                  :::*                    OUÇA
>      750/samba
> tcp6       0      0 :::445                  :::*                    OUÇA
>      748/smbd
> tcp6       0      0 :::1024                 :::*                    OUÇA
>      746/samba
> tcp6       0      0 :::20000                :::*                    OUÇA
>      483/sshd
> udp        0      0 192.168.1.19:389         0.0.0.0:*
>        751/samba
> udp        0      0 0.0.0.0:389             0.0.0.0:*
>      751/samba
> udp        0      0 192.168.1.19:464         0.0.0.0:*
>        752/samba
> udp        0      0 0.0.0.0:464             0.0.0.0:*
>      752/samba
> udp        0      0 0.0.0.0:42524           0.0.0.0:*
>      396/rsyslogd
> udp        0      0 0.0.0.0:53              0.0.0.0:*
>      758/samba
> udp        0      0 192.168.1.19:88          0.0.0.0:*
>        752/samba
> udp        0      0 0.0.0.0:88              0.0.0.0:*
>      752/samba
> udp        0      0 192.168.1.19:137         0.0.0.0:*
>        747/samba
> udp        0      0 192.168.1.255:137      0.0.0.0:*
>      747/samba
> udp        0      0 0.0.0.0:137             0.0.0.0:*
>      747/samba
> udp        0      0 192.168.1.19:138         0.0.0.0:*
>        747/samba
> udp        0      0 192.168.1.255:138      0.0.0.0:*
>      747/samba
> udp        0      0 0.0.0.0:138             0.0.0.0:*
>      747/samba
> udp6       0      0 :::389                  :::*
>       751/samba
> udp6       0      0 :::464                  :::*
>       752/samba
> udp6       0      0 :::53                   :::*
>       758/samba
> udp6       0      0 :::88                   :::*
>       752/samba
>
>
> Do I need to remove the service on port 53?
>
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               OUÇA
>      758/samba
NO
>
>
> There are errors in my Samba DC:
>
> /etc/init.d/samba-ad-dc status
> ● samba-ad-dc.service - Samba AD Daemon
>     Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor
> preset: enabled)
>     Active: active (running) since Thu 2019-06-27 11:16:22 -03; 1h 2min ago
>       Docs: man:samba(8)
>             man:samba(7)
>             man:smb.conf(5)
>   Main PID: 743 (samba)
>     Status: "winbindd: ready to serve connections..."
>      Tasks: 21 (limit: 4915)
>     CGroup: /system.slice/samba-ad-dc.service
>             ├─743 /usr/sbin/samba
>             ├─745 /usr/sbin/samba
>             ├─746 /usr/sbin/samba
>             ├─747 /usr/sbin/samba
>             ├─748 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
>             ├─749 /usr/sbin/samba
>             ├─750 /usr/sbin/samba
>             ├─751 /usr/sbin/samba
>             ├─752 /usr/sbin/samba
>             ├─753 /usr/sbin/samba
>             ├─754 /usr/sbin/samba
>             ├─755 /usr/sbin/samba
>             ├─756 /usr/sbin/samba
>             ├─757 /usr/sbin/samba
>             ├─758 /usr/sbin/samba
>             ├─760 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>             ├─779 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
>             ├─780 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
>             ├─782 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
>             ├─784 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>             └─822 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460019,  0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]:   /usr/sbin/samba_dnsupdate:     elif
> not check_dns_name(d):
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460080,  0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]:   /usr/sbin/samba_dnsupdate:   File
> "/usr/sbin/samba_dnsupdate", line 279, in check_dns_name
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460229,  0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]:   /usr/sbin/samba_dnsupdate:     raise
> Exception("Unable to contact a working DNS server while looking for %s as
> %s" % (d, normalised_name))
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460346,  0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]:   /usr/sbin/samba_dnsupdate: Exception:
> Unable to contact a working DNS server while looking for SRV _kerberos._
> udp.empresa.com.br samba4dc.empresa.com.b…empresa.com.br.
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.478843,  0]
> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> jun 27 12:16:23 ubatuba samba[757]:   ../source4/dsdb/dns/dns_update.c:290:
> Failed DNS update - with error code 1
> Hint: Some lines were ellipsized, use -l to show in full.
>
>
> This is my /etc/named.conf on the primary DNS server:
>
> root at dns1:~# cat /etc/bind/named.conf
>
> options {
> directory "/etc/bind/";
> allow-transfer {
> 192.168.1.2;
> 10.133.100.135;
> 10.133.100.137;
> 192.168.1.19;
> };
> allow-update {
> 192.168.1.2;
> 10.133.100.135;
> 10.133.100.137;
> 192.168.1.19;
> };
> recursion yes;
> allow-recursion {0.0.0.0/0;};
> };
>
> zone "." {
> type hint;
> file "default/db.root";
> };
>
> zone "localhost" {
> type master;
> file "default/db.localhost";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "default/db.127.0.0.0";
> };
>
> zone "empresa.com.br" {
> type master;
> file "db.empresa.com.br";
> };
>
> zone "100.133.10.in-addr.arpa" {
> type master;
> file "db.10.133.100.0";
> };
>
> zone "1.168.192.in-addr.arpa" {
> type master;
> file "db.192.168.0.0";
> };
>
>
> # Active Directory / Windows configuration
> zone "_msdcs.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/_msdcs.empresa.com.br";
> };
>
> zone "_tcp.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/_tcp.empresa.com.br";
> };
>
> zone "_udp.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/_udp.empresa.com.br";
> };
>
> zone "_sites.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/_sites.empresa.com.br";
> };
>
> zone "ForestDNSZones.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/ForestDNSZones.empresa.com.br";
> };
>
> zone "DomainDNSZones.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/DomainDNSZones.empresa.com.br";
> };
>
> include "/etc/bind/named.conf.log";
Those are 'flatfiles' and, from what you seem to be saying, are not on a DC.
>
>
> The Windows DC servers aren't authoritative DNS servers.
I think that might be your problem: a Samba AD DC expects every DC to be 
authoritative for the DNS domain.

Rowland
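Added example, not part of the thread: a small checker for the two points Rowland makes above, that /etc/hosts on the DC should carry only localhost and the DC itself, and that the AD SRV records samba_dnsupdate looks for (the traceback names _kerberos._udp.empresa.com.br) must be resolvable from the DC. The dig_srv() helper and the SRV names beyond _kerberos._udp are assumptions, not taken from the post.

```python
"""Checks for the two points Rowland raises: /etc/hosts on a DC should hold only
localhost and the DC itself, and the AD SRV records samba_dnsupdate looks for
must resolve from the DC. dig_srv() is an assumed helper wrapping 'dig'."""
import subprocess
from typing import Callable, List, Optional

# _kerberos._udp is the record named in the samba_dnsupdate traceback; the rest
# are the standard AD locator records (assumed list, not taken from the post).
REQUIRED_SRV = ["_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                "_kpasswd._tcp", "_kpasswd._udp", "_ldap._tcp.dc._msdcs"]

# Constructed from the /etc/hosts shown in the post.
POSTED_HOSTS = """192.168.1.19     samba4dc1.empresa.com.br       samba4dc1
10.133.100.135   windc1.empresa.com.br     windc1
10.133.100.137   windc2.empresa.com.br          windc2
192.168.1.4      srv-bkp.empresa.com.br         srv-bkp
"""

def check_hosts_file(text: str, dc_ip: str, dc_fqdn: str) -> List[str]:
    """Return the problems in an /etc/hosts file for the DC at dc_ip / dc_fqdn."""
    problems, seen_self = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1"):             # localhost entries are fine
            continue
        if ip == dc_ip and dc_fqdn in names:       # the DC's own entry is expected
            seen_self = True
            continue
        problems.append(f"unexpected entry: {line}")
    if not seen_self:
        problems.append(f"missing own entry: {dc_ip} {dc_fqdn}")
    return problems

def missing_srv_records(domain: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """Return the required SRV names under domain that resolve() cannot answer."""
    return [f"{s}.{domain}" for s in REQUIRED_SRV if not resolve(f"{s}.{domain}")]

def dig_srv(name: str, server: Optional[str] = None) -> List[str]:
    """Assumed helper: SRV answers for name from 'dig +short', optionally @server."""
    cmd = ["dig", "+short", "SRV", name] + ([f"@{server}"] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]

if __name__ == "__main__":
    print(check_hosts_file(POSTED_HOSTS, "192.168.1.19", "samba4dc1.empresa.com.br"))
    print(missing_srv_records("empresa.com.br", lambda n: dig_srv(n, "192.168.1.1")))
```

Run the SRV check once against each nameserver in resolv.conf; any name left in the returned list is one samba_dnsupdate will also fail on.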
