[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
Rowland Penny
rpenny at samba.org
Fri Mar 22 16:07:37 UTC 2019
On Fri, 22 Mar 2019 15:03:51 +0000
Stephen via samba <samba at lists.samba.org> wrote:
> Hello I wonder if anyone here could possibly help me? I am using
> Samba version 4.5.16-Debian (version information taken from sudo
> smbstatus) on Raspbian and attempting to prototype some future
> network infrastructure with a couple of Raspberry Pis.
>
> So far I have successfully created a Samba 4 AD DC
> ad1.samdom.example.com. I have successfully joined my Windows 10
> desktop client to the SAMDOM domain provided by ad1 and it
> authenticated OK, and appears to synchronise the network time
> correctly. So far so good! Ideally I would now like to add to this
> basic setup by creating an additional DC, ad2, with ip
> ad2.samdom.example.com, and join this to the existing SAMDOM domain
> provided by ad1 to provide some extra redundancy and failover.
>
> This is where my problems begin unfortunately.
>
> I have used two separate shell-scripts to commission my two servers
> ad1.sh and ad2.sh (please find both scripts attached for scrutiny)
>
> * These two scripts are based heavily upon the tutorial series found
> at TechMint here:
> https://www.tecmint.com/install-samba4-active-directory-ubuntu/
> * The script to build ad1 is the main DC and is based upon section 1
> and 2 of the tutorial, and as far as I can tell appears to work
> correctly. As discussed I can connect to the server that results
> from a Windows 10 client.
> * The script to build the second DC used for failover is based upon
> part 5 of the linked tutorial series, and this is where I am
> having problems.
> * Both ad1 and ad2 are assigned static ips, ad1 = 192.168.1.229 and
> ad2=192.168.1.228.
>
> I am encountering baffling issues with LDAP when I run my script
> ad2.sh. What I don't understand here is that I am apparently able to
> join domain SAMDOM without issue, i.e. in the ad2 script when I do
>
> pi at ad2 $ sudo samba-tool domain join samdom DC -U"SAMDOM\administrator" \
>     --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' \
>     --option="dns forwarder = $EXTERNAL_DNS2 $EXTERNAL_DNS3 $EXTERNAL_DNS4"
>
> This appears to work just fine, and I obtain the following seemingly
> plausible output from this command:
>
> Finding a writeable DC for domain 'samdom.example.com'
> Found DC ad1.samdom.example.com
> Password for [=SAMDOM\administrator]:
> workgroup is SAMDOM
> realm is samdom.example.com
> Adding CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> Adding CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> Adding CN=NTDS Settings,CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> Adding SPNs to CN=AD2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> Setting account password for AD2$
> Enabling account
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> A Kerberos configuration suitable for Samba 4 has been generated at
> /var/lib/samba/private/krb5.conf
> Provision OK for domain DN DC=samdom,DC=example,DC=com
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1614] linked_values[0/0]
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1614] linked_values[0/0]
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1614] linked_values[0/0]
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1614] linked_values[0/0]
> Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1614/1614] linked_values[30/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=samdom,DC=example,DC=com] objects[97/97] linked_values[23/0]
> Partition[DC=samdom,DC=example,DC=com] objects[360/263] linked_values[23/0]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[40/40] linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[18/18] linked_values[0/0]
> Committing SAM database
> Sending DsReplicaUpdateRefs for all the replicated partitions
> Setting isSynchronized and dsServiceName
> Setting up secrets database
> Joined domain SAMDOM (SID S-1-5-21-1810456019-651403982-3541939936)
> as a DC
>
> Unfortunately, it is after this that I have major problems with LDAP
> when I try to perform the actual replication. When I attempt:
>
> pi at ad2 ~ $ sudo systemctl unmask samba-ad-dc
>
> pi at ad2 ~ $ sudo systemctl restart samba-ad-dc
>
> pi at ad2 ~ $ sudo samba-tool drs showrepl
>
> I get the following error messages:
>
> 17) Replicate Samba Account Details between Primary and Secondary DCs
> Failed to connect to ldap URL 'ldap://ad2.samdom.example.com' - LDAP
> client internal error: NT_STATUS_CONNECTION_REFUSED
> Failed to connect to 'ldap://ad2.samdom.example.com' with backend
> 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
> ERROR(ldb): LDAP connection to ad2.samdom.example.com failed - LDAP
> client internal error: NT_STATUS_CONNECTION_REFUSED
>
> Initially I thought this was something simple such as an error in
> name or host resolution due to network misconfiguration. But I have
> double checked my /etc/hosts file content and my resolv.conf on ad2
> and I believe these to be correct, please find these below for ad2
> along with my smb.conf file:
>
> pi at ad2:~ $ cat /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.1.229 ad1.samdom.example.com ad1
> 192.168.1.228 ad2.samdom.example.com ad2
>
> pi at ad2:~ $ cat /etc/hostname
> ad2
>
> pi at ad2:~ $ cat /etc/resolv.conf
> # Generated by resolvconf
> search samdom.example.com
> nameserver 192.168.1.229
> nameserver 192.168.1.228
> nameserver 88.215.63.255
> nameserver 88.215.61.255
> nameserver 8.8.8.8
>
> pi at ad2:~ $ ifconfig
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.1.228  netmask 255.255.255.0  broadcast 192.168.1.255
>         inet6 fe80::1cb0:8751:ad6b:6df0  prefixlen 64  scopeid 0x20<link>
>         ether b8:27:eb:9c:98:34  txqueuelen 1000  (Ethernet)
>         RX packets 703  bytes 136445 (133.2 KiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 308  bytes 49680 (48.5 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> pi at ad2:~ $ cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = AD2
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> dns forwarder = 88.215.63.255 88.215.61.255 8.8.8.8
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> pi at ad2:~ $ ping ad1.samdom.example.com
>
> PING ad1.samdom.example.com (192.168.1.229) 56(84) bytes of data.
> 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=1
> ttl=64 time=0.604 ms
> 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=2
> ttl=64 time=0.460 ms
> 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=3
> ttl=64 time=0.353 ms
> 64 bytes from ad1.samdom.example.com (192.168.1.229): icmp_seq=4
> ttl=64 time=0.361 ms
>
> pi at ad2:~ $ host -tA ad1.samdom.example.com
> ad1.samdom.example.com has address 192.168.1.229
>
>
> Likewise for ad1:
>
> pi at ad1:~ $ cat /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.1.229 ad1.samdom.example.com ad1
> 192.168.1.228 ad2.samdom.example.com ad2
>
> pi at ad1:~ $ cat /etc/hostname
> ad1
>
> pi at ad1:~ $ cat /etc/resolv.conf
> # Generated by resolvconf
> search samdom.example.com
> nameserver 192.168.1.229
> nameserver 192.168.1.228
> nameserver 88.215.63.255
> nameserver 88.215.61.255
> nameserver 8.8.8.8
>
> pi at ad1:~ $ ifconfig
>
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.1.229  netmask 255.255.255.0  broadcast 192.168.1.255
>         inet6 fe80::446b:2bdc:7765:11e2  prefixlen 64  scopeid 0x20<link>
>         ether b8:27:eb:2f:93:7d  txqueuelen 1000  (Ethernet)
>         RX packets 5724  bytes 572625 (559.2 KiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 7476  bytes 9492118 (9.0 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
>
> pi at ad1:~ $ cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = AD1
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> dns forwarder = 8.8.8.8
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> pi at ad1:~ $ ping ad2.samdom.example.com
> PING ad2.samdom.example.com (192.168.1.228) 56(84) bytes of data.
> 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=1
> ttl=64 time=0.497 ms
> 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=2
> ttl=64 time=0.469 ms
> 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=3
> ttl=64 time=0.353 ms
> 64 bytes from ad2.samdom.example.com (192.168.1.228): icmp_seq=4
> ttl=64 time=0.327 ms
>
> Interestingly I note that when I do a host lookup on ad1 I get:
>
> pi at ad1:~ $ host -tA ad2.samdom.example.com
> Host ad2.samdom.example.com not found: 3(NXDOMAIN)
>
> There are some official Samba articles that suggest that for Samba
> <4.6 you need to manually set up DNS entries on AD1 prior to
> configuring AD2, i.e.
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record,
> but this seems a bit of a hacky workaround. This advice appears to
> contradict the TechMint tutorials and other advice I have seen
> elsewhere on the net though, so I am unsure how much weight to lend to
> this.
>
> Can anyone advise what I am doing wrong here?
Not much, apart from adding 'acl' to /etc/fstab; this isn't required,
it is one of ext4's defaults.
There are things I would do differently (the main one would be 'apt-get
purge dhcpcd5'). I also don't really understand why you are running the
provision interactively in a script.
Have you tried restarting Samba on the second DC?
If this doesn't work, try adding this to its smb.conf:
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
Restart Samba and see if this helps.
Rowland
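A small check script, added here as an example and not taken from the thread, Samba or the Tecmint tutorial. It tests the two things the reply and the linked wiki page point at: whether the first DC's DNS already knows the new DC's A record (the NXDOMAIN seen from ad1), and whether the new DC's own LDAP service is listening before `samba-tool drs showrepl` is run (the NT_STATUS_CONNECTION_REFUSED seen on ad2). For whichever fails it prints the corresponding next step, the `samba-tool dns add` from the wiki procedure or a service restart. The hostnames, addresses and zone are assumptions mirroring the thread; `samba-tool dns add`, `host` and `ss` are real commands, and the parsing functions take command output on stdin so they can be exercised without a DC.

```shell
#!/bin/sh
# Added example: post-join sanity checks for a second Samba AD DC.
# Not code from the thread, Samba or Tecmint. The hostnames, IPs and zone
# below are constructed to mirror the thread: ad1 = 192.168.1.229 serves the
# domain's DNS, ad2 = 192.168.1.228 is the freshly joined DC.

# Offline parser: read 'host -tA FQDN [SERVER]' output on stdin and succeed
# only if it contains an A record mapping FQDN to WANT_IP.
a_record_matches() {
    fqdn="$1"; want_ip="$2"
    while IFS= read -r line; do
        if [ "$line" = "$fqdn has address $want_ip" ]; then
            return 0
        fi
    done
    return 1
}

# Offline classifier for one line of samba-tool / host diagnostics, so the
# two failures seen in the thread are told apart:
#   ldap-refused : nothing is accepting connections on the DC's LDAP port
#   dns-missing  : the DC's A record is absent from the domain's DNS
classify_error() {
    case "$1" in
        *NT_STATUS_CONNECTION_REFUSED*) echo "ldap-refused" ;;
        *NXDOMAIN*)                     echo "dns-missing" ;;
        *)                              echo "other" ;;
    esac
}

# Live check: does the DNS server at $3 answer the A record $1 -> $2?
dc_record_present() {
    host -tA "$1" "$3" 2>/dev/null | a_record_matches "$1" "$2"
}

# Live check: is anything listening on TCP 389 on this host?
# CONNECTION_REFUSED from 'samba-tool drs showrepl' means the local samba
# process is not accepting LDAP connections, not that DNS is wrong.
ldap_listening() {
    ss -ltn 2>/dev/null | grep -q ':389 '
}

# Run both live checks and print the next step for each failure.
# $1 new DC FQDN, $2 its IP, $3 DNS server (first DC), $4 AD DNS zone.
verify_new_dc() {
    new_fqdn="$1"; new_ip="$2"; dns_server="$3"; zone="$4"; rc=0
    short="${new_fqdn%%.*}"
    if dc_record_present "$new_fqdn" "$new_ip" "$dns_server"; then
        echo "ok: $dns_server resolves $new_fqdn -> $new_ip"
    else
        echo "missing: no A record for $new_fqdn on $dns_server"
        echo "  add it (the Samba wiki procedure for pre-4.6 DCs) with:"
        echo "  samba-tool dns add $dns_server $zone $short A $new_ip -U administrator"
        rc=1
    fi
    if ldap_listening; then
        echo "ok: LDAP is listening on TCP 389"
    else
        echo "fail: nothing listening on TCP 389 (samba-ad-dc not running?)"
        echo "  try: systemctl restart samba-ad-dc && samba-tool drs showrepl"
        rc=1
    fi
    return "$rc"
}

# Only the live checks need a real DC; run them on ad2 with: sh check_dc.sh --run
if [ "${1:-}" = "--run" ]; then
    verify_new_dc ad2.samdom.example.com 192.168.1.228 192.168.1.229 samdom.example.com
fi
```

Running it on the new DC with `--run` gives one line per check; a missing record is fixed on the first DC with the printed `samba-tool dns add`, a refused LDAP connection usually just means `samba-ad-dc` has not finished starting, so restart it and re-run `samba-tool drs showrepl` afterwards.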