[Samba] Problem to join Samba 4 DC an existing Windows AD
Rowland penny
rpenny at samba.org
Thu Jun 27 15:59:29 UTC 2019
On 27/06/2019 16:32, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I'm using Debian 9.9 and my DCs are Win 2008 Server (not R2).
>
> I intend to replace my Windows DC with a Samba 4 DC.
>
> Following are the dependency packages that I have installed:
>
> apt-get install acl attr autoconf bind9utils bison build-essential
> apt-get install debhelper dnsutils docbook-xml docbook-xsl flex gdb
> libjansson-dev krb5-user
> apt-get install libacl1-dev libaio-dev libarchive-dev libattr1-dev
> libblkid-dev libbsd-dev
> apt-get install libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev
> libjson-perl
> apt-get install libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl
> apt-get install libpopt-dev libreadline-dev nettle-dev perl perl-modules
> pkg-config
> apt-get install python-all-dev python-crypto python-dbg python-dev
> python-dnspython
> apt-get install python3-dnspython python-gpgme python3-gpgme
> python-markdown python3-markdown
> apt-get install python3-dev xsltproc zlib1g-dev liblmdb-dev lmdb-utils
I have no idea why you have installed all the 'dev' packages required to
compile Samba and then installed the distro packages.
>
> I have installed via apt-get (Samba 4.5.16):
> apt-get install samba attr winbind libpam-winbind libnss-winbind
> libpam-krb5 krb5-config krb5-user
>
>
>
> root at samba4dc1:~# cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.1.1
> nameserver 192.168.1.2
I take it that 192.168.1.1 & 192.168.1.2 are your DNS servers that hold
all the DNS records.
>
> root at ubatuba:~# cat /etc/hosts
> 192.168.1.19 samba4dc1.empresa.com.br samba4dc1
> 10.133.100.135 windc1.empresa.com.br windc1
> 10.133.100.137 windc2.empresa.com.br windc2
> 192.168.1.4 srv-bkp.empresa.com.br srv-bkp
You should only have the record for the computer and localhost.
E.g. if your computer's IP is 192.168.1.19 from above, /etc/hosts should
be this:
127.0.0.1 localhost
192.168.1.19 samba4dc1.empresa.com.br samba4dc1
>
>
>
> root at samba4dc1:~# cat /etc/krb5.conf
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = EMPRESA.COM.BR
>
>
> samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
>
>
> root at samba4dc1:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = SAMBA4DC1
> realm = EMPRESA.COM.BR
> workgroup = SAMBA4DC1
> server role = active directory domain controller
>
> [netlogon]
> path = /var/lib/samba/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat
> group: compat
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
> Do I need to change my nsswitch.conf as follows?
>
> passwd: files winbind
> group: files winbind
Only if you want users to login into the DC.
>
>
> The following services are running at this moment:
>
>
> root at samba4dc1:~# netstat -lntup
> Conexões Internet Ativas (sem os servidores)
> Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado
> PID/Program name
> tcp 0 0 0.0.0.0:10050 0.0.0.0:* OUÇA
> 393/zabbix_agentd
> tcp 0 0 0.0.0.0:3268 0.0.0.0:* OUÇA
> 750/samba
> tcp 0 0 0.0.0.0:3269 0.0.0.0:* OUÇA
> 750/samba
> tcp 0 0 0.0.0.0:389 0.0.0.0:* OUÇA
> 750/samba
> tcp 0 0 0.0.0.0:135 0.0.0.0:* OUÇA
> 746/samba
> tcp 0 0 0.0.0.0:139 0.0.0.0:* OUÇA
> 748/smbd
> tcp 0 0 0.0.0.0:464 0.0.0.0:* OUÇA
> 752/samba
> tcp 0 0 0.0.0.0:81 0.0.0.0:* OUÇA
> 521/lighttpd
> tcp 0 0 0.0.0.0:53 0.0.0.0:* OUÇA
> 758/samba
> tcp 0 0 0.0.0.0:88 0.0.0.0:* OUÇA
> 752/samba
> tcp 0 0 127.0.0.1:25 0.0.0.0:* OUÇA
> 624/master
> tcp 0 0 0.0.0.0:636 0.0.0.0:* OUÇA
> 750/samba
> tcp 0 0 0.0.0.0:445 0.0.0.0:* OUÇA
> 748/smbd
> tcp 0 0 0.0.0.0:1024 0.0.0.0:* OUÇA
> 746/samba
> tcp 0 0 0.0.0.0:20000 0.0.0.0:* OUÇA
> 483/sshd
> tcp6 0 0 :::10050 :::* OUÇA
> 393/zabbix_agentd
> tcp6 0 0 :::3268 :::* OUÇA
> 750/samba
> tcp6 0 0 :::3269 :::* OUÇA
> 750/samba
> tcp6 0 0 :::389 :::* OUÇA
> 750/samba
> tcp6 0 0 :::135 :::* OUÇA
> 746/samba
> tcp6 0 0 :::139 :::* OUÇA
> 748/smbd
> tcp6 0 0 :::464 :::* OUÇA
> 752/samba
> tcp6 0 0 :::81 :::* OUÇA
> 521/lighttpd
> tcp6 0 0 :::53 :::* OUÇA
> 758/samba
> tcp6 0 0 :::88 :::* OUÇA
> 752/samba
> tcp6 0 0 ::1:25 :::* OUÇA
> 624/master
> tcp6 0 0 :::636 :::* OUÇA
> 750/samba
> tcp6 0 0 :::445 :::* OUÇA
> 748/smbd
> tcp6 0 0 :::1024 :::* OUÇA
> 746/samba
> tcp6 0 0 :::20000 :::* OUÇA
> 483/sshd
> udp 0 0 192.168.1.19:389 0.0.0.0:*
> 751/samba
> udp 0 0 0.0.0.0:389 0.0.0.0:*
> 751/samba
> udp 0 0 192.168.1.19:464 0.0.0.0:*
> 752/samba
> udp 0 0 0.0.0.0:464 0.0.0.0:*
> 752/samba
> udp 0 0 0.0.0.0:42524 0.0.0.0:*
> 396/rsyslogd
> udp 0 0 0.0.0.0:53 0.0.0.0:*
> 758/samba
> udp 0 0 192.168.1.19:88 0.0.0.0:*
> 752/samba
> udp 0 0 0.0.0.0:88 0.0.0.0:*
> 752/samba
> udp 0 0 192.168.1.19:137 0.0.0.0:*
> 747/samba
> udp 0 0 192.168.1.255:137 0.0.0.0:*
> 747/samba
> udp 0 0 0.0.0.0:137 0.0.0.0:*
> 747/samba
> udp 0 0 192.168.1.19:138 0.0.0.0:*
> 747/samba
> udp 0 0 192.168.1.255:138 0.0.0.0:*
> 747/samba
> udp 0 0 0.0.0.0:138 0.0.0.0:*
> 747/samba
> udp6 0 0 :::389 :::*
> 751/samba
> udp6 0 0 :::464 :::*
> 752/samba
> udp6 0 0 :::53 :::*
> 758/samba
> udp6 0 0 :::88 :::*
> 752/samba
>
>
> Do I need to remove the service on port 53?
>
> tcp 0 0 0.0.0.0:53 0.0.0.0:* OUÇA
> 758/samba
NO
>
>
> There are errors in my Samba DC:
>
> /etc/init.d/samba-ad-dc status
> ● samba-ad-dc.service - Samba AD Daemon
> Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor
> preset: enabled)
> Active: active (running) since Thu 2019-06-27 11:16:22 -03; 1h 2min ago
> Docs: man:samba(8)
> man:samba(7)
> man:smb.conf(5)
> Main PID: 743 (samba)
> Status: "winbindd: ready to serve connections..."
> Tasks: 21 (limit: 4915)
> CGroup: /system.slice/samba-ad-dc.service
> ├─743 /usr/sbin/samba
> ├─745 /usr/sbin/samba
> ├─746 /usr/sbin/samba
> ├─747 /usr/sbin/samba
> ├─748 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
> ├─749 /usr/sbin/samba
> ├─750 /usr/sbin/samba
> ├─751 /usr/sbin/samba
> ├─752 /usr/sbin/samba
> ├─753 /usr/sbin/samba
> ├─754 /usr/sbin/samba
> ├─755 /usr/sbin/samba
> ├─756 /usr/sbin/samba
> ├─757 /usr/sbin/samba
> ├─758 /usr/sbin/samba
> ├─760 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> ├─779 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
> ├─780 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
> ├─782 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
> ├─784 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> └─822 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460019, 0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: elif
> not check_dns_name(d):
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460080, 0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: File
> "/usr/sbin/samba_dnsupdate", line 279, in check_dns_name
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460229, 0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: raise
> Exception("Unable to contact a working DNS server while looking for %s as
> %s" % (d, normalised_name))
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460346, 0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: Exception:
> Unable to contact a working DNS server while looking for SRV _kerberos._
> udp.empresa.com.br samba4dc.empresa.com.b…empresa.com.br.
> jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.478843, 0]
> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> jun 27 12:16:23 ubatuba samba[757]: ../source4/dsdb/dns/dns_update.c:290:
> Failed DNS update - with error code 1
> Hint: Some lines were ellipsized, use -l to show in full.
>
>
> This is my /etc/named.conf on the primary DNS server:
>
> root at dns1:~# cat /etc/bind/named.conf
>
> options {
> directory "/etc/bind/";
> allow-transfer {
> 192.168.1.2;
> 10.133.100.135;
> 10.133.100.137;
> 192.168.1.19;
> };
> allow-update {
> 192.168.1.2;
> 10.133.100.135;
> 10.133.100.137;
> 192.168.1.19;
> };
> recursion yes;
> allow-recursion {0.0.0.0/0;};
> };
>
> zone "." {
> type hint;
> file "default/db.root";
> };
>
> zone "localhost" {
> type master;
> file "default/db.localhost";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "default/db.127.0.0.0";
> };
>
> zone "empresa.com.br" {
> type master;
> file "db.empresa.com.br";
> };
>
> zone "100.133.10.in-addr.arpa" {
> type master;
> file "db.10.133.100.0";
> };
>
> zone "1.168.192.in-addr.arpa" {
> type master;
> file "db.192.168.0.0";
> };
>
>
> # Active Directory / Windows configuration
> zone "_msdcs.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/_msdcs.empresa.com.br";
> };
>
> zone "_tcp.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/_tcp.empresa.com.br";
> };
>
> zone "_udp.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/_udp.empresa.com.br";
> };
>
> zone "_sites.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/_sites.empresa.com.br";
> };
>
> zone "ForestDNSZones.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/ForestDNSZones.empresa.com.br";
> };
>
> zone "DomainDNSZones.empresa.com.br" {
> type master;
> file "/etc/bind/adzonas/DomainDNSZones.empresa.com.br";
> };
>
> include "/etc/bind/named.conf.log";
Those are 'flatfiles' and from what you seem to be saying are not on a DC.
>
>
> The Windows DC servers aren't authoritative DNS servers.
I think that might be your problem; a Samba AD DC expects every DC to be
authoritative for the DNS domain.
Rowland
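The failure in the thread is samba_dnsupdate asking the nameservers from resolv.conf for the AD SRV records and getting no usable answer. The following added script (not Samba's code, not from the thread) checks each nameserver a new DC will use for the core SRV names and reports whether the server answers at all and whether the new DC is registered in the record. Assumptions: the SRV_NAMES list is a hand-picked subset of Samba's full dns_update_list, dnspython (the python3-dnspython package from the thread) is used only for live lookups, and the `query` callable is injected so the audit logic can be exercised offline.

```python
"""Check that each nameserver a new Samba DC uses can answer the AD SRV
lookups that samba_dnsupdate performs (added example, not Samba's code)."""
# Core SRV names samba_dnsupdate resolves for a DC. Assumption: a subset
# of Samba's full dns_update_list, enough to reproduce the thread's error.
SRV_NAMES = (
    "_ldap._tcp.{domain}",
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.{domain}",
    "_kerberos._udp.{domain}",
    "_kpasswd._tcp.{domain}",
    "_kpasswd._udp.{domain}",
)

def expected_srv_names(domain):
    return [n.format(domain=domain.rstrip(".")) for n in SRV_NAMES]

def audit_dc_dns(domain, dc_fqdn, nameservers, query):
    """query(nameserver, name) returns SRV target hostnames or raises.
    Returns {nameserver: {srv_name: "ok" | "missing-dc" | "no-answer"}}."""
    dc = dc_fqdn.rstrip(".").lower()
    report = {}
    for ns in nameservers:
        per_ns = {}
        for name in expected_srv_names(domain):
            try:
                targets = [t.rstrip(".").lower() for t in query(ns, name)]
            except Exception:           # timeout, SERVFAIL, NXDOMAIN, ...
                per_ns[name] = "no-answer"   # what samba_dnsupdate trips on
                continue
            per_ns[name] = "ok" if dc in targets else "missing-dc"
        report[ns] = per_ns
    return report

def problems(report):
    """Flatten to (nameserver, srv_name, status) for every non-ok entry."""
    return [(ns, n, s) for ns, d in report.items()
            for n, s in d.items() if s != "ok"]

def dnspython_query(nameserver, name):
    """Live lookup against one server via dnspython (python3-dnspython)."""
    import dns.resolver  # lazy: the audit logic itself needs no network
    r = dns.resolver.Resolver(configure=False)
    r.nameservers, r.lifetime = [nameserver], 3.0
    return [rr.target.to_text() for rr in r.query(name, "SRV")]

if __name__ == "__main__":
    import sys  # usage: script.py DOMAIN DC_FQDN NAMESERVER...
    rep = audit_dc_dns(sys.argv[1], sys.argv[2], sys.argv[3:], dnspython_query)
    for ns, name, status in problems(rep):
        print(f"{ns}: {name}: {status}")
```

A "no-answer" for a nameserver means that server is not serving the AD zone and samba_dnsupdate will fail exactly as in the log above; a "missing-dc" means the zone is served but the new DC has not been registered in it yet.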