[Samba] (no subject)

Jonathon Reinhart jonathon.reinhart at gmail.com
Sat Mar 2 22:57:41 UTC 2019 

Hey guys, sorry for the (no subject) message. I copy/pasted from a
previous email and missed the subject.

I really appreciate the quick feedback! I'm hoping to produce a series
of blog posts that are guaranteed to work (on Debian 9 at least) and
produce the ultimate Samba-powered Active Directory environment.

On Fri, Mar 1, 2019 at 9:04 AM L.P.H. van Belle via samba
<samba at lists.samba.org> wrote:
[snip]
> few minor points.
>
> REALM="ad.onthefive.com"
> Realm always in CAPS, this prevens problems with other programs. Most program's expect REALM in CAPS.
> For example postfix expect REALM in CAPS.

I agree with you, however:

1) The Samba Wiki [1] uses lowercase:

> Realm  --realm    Kerberos realm. This is also used as the AD DNS
>                   domain. For example: samdom.example.com.

2) samba-tool seems to do the "right thing" and capitalize this string
where required. My generated smb.conf has:

    [global]
            netbios name = SAMBA-DC
            realm = AD.ONTHEFIVE.COM
            workgroup = ONTHEFIVE

While the generated krb5.conf has:

    [libdefaults]
        default_realm = AD.ONTHEFIVE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Since "--realm" is kind of a dual-use parameter, I'm inclined to leave
it lowercase.

> I suggest you add a note here that the DNS-domain and REALM are 2 differnt things.
> And the other sidenote on this is, often the dns-domain == REALM ( but in caps )

Yes, this is a great point. Does the term "REALM" apply to anything
besides Kerberos?

>
> The krb5.conf.  mv /etc/krb5.conf /etc/krb5.conf.old
> The default from debian, if you enter the REALM in CAPS at install is sufficient.
> Not really needed but not wrong.

The krb5.conf file generated during "samba-tool provision" contains only
what I've shown above. The Debian file has a lot of other stuff, including
various *.MIT.EDU [realms]. I felt it was better to trust "samba-tool" than
the Debian maintainers :-)

> I also suggest, add a check if the reverse zone exists.

Can you elaborate? Are you suggesting to check for a reverse DNS entry
for the IP address of the DC?


[snip]
> apt install ssh-krb5 libpam-krb5 libnss-winbind libpam-winbind
>
> That configures 1-2 paramaters in sshd_config and gives you direct the ability to login with kerberos.
> Note, not accounting for the missing "templates" paramters.
>
> Default: template homedir = /home/%D/%U
> Default: template shell = /bin/false
> (man smb.conf)
> And how are the homedirs created, through ADUC or mk_homedir
>
> Needed on the DC's with logins and members that used RID setup also set in /etc/nsswitch.conf
> passwd:         compat winbind
> group:          compat winbind

I actually wrote a subsequent blog post, where I set up all of the
winbind configuration:
https://jonathonreinhart.com/posts/blog/2019/02/26/configuring-winbind-on-a-samba-ad-dc-on-debian-9

I did not include kerberos login, however, so thank you for that!

Setting uidNumber, gidNumber, etc. from Microsoft tools is deprecated, so I
plan to put together some solution to automatically assign them during/after
user creation, e.g.

- https://serverfault.com/q/764185/55544
- https://serverfault.com/q/484908/55544

I used  pam_mkhomedir to create the home directory on the DC.

Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use
"template homedir" and "template shell", and will not respect the RFC 2307
attributes in LDAP. Is that correct?

> If i may suggest. Go through these.
> https://github.com/thctlo/samba4/tree/master/howtos
> These are a bit older, im working on the update and nice layouts etc.
> Its my git link, most thing your wanting/ask are in my scripts.
>
> For example, what i dont see on the site is the check on /etc/hosts
> If you installed with dhcp you need to change 127.0.1.1 to the real ip of the server in /etc/hosts

Thanks for that reference; I will check them out.

In general, I prefer DHCP reservations over static IP addresses, and in
fact, that's how my current DC is running. But if it's safer, I will
change to use a static IP address, and update /etc/hosts, etc.

[snip]
> > Is what I'm attempting to do a valid operation? Or is it weird that
> > realmd is trying to "join" the DC to the domain?
>
> No, not strange, but realmd is "joining" the AD-DC and its trying that with member settings.
> That wont work on the DC itself ofcourse.

I abandoned the idea of using Realmd on the DC itself. I'm still hoping
to use Realmd + SSSD on my other Linux servers, like I have with
Microsoft Active Directory.

> Greetz,
>
> Louis

Thanks again for your input!

Jonathon

[1] https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Parameter_Explanation

More information about the samba mailing list