[Samba] Domain join issues

Praveen Ghimire PGhimire at sundata.com.au
Mon May 6 08:56:29 UTC 2019


Hi Rowland,

Haven't altered AD. The changes I made post-upgrade were around the AppArmor profile (usr.sbin.named); I have included those in the email toward the end.
I have been using the domain administrator account for the domain join. Have run kinit and it seems to be OK.

Also, saw an "id structure is invalid" message when trying to add to the domain initially. A restart of the Samba services seems to have fixed that.


Here are the details:

/etc/resolv.conf
search lin.com
nameserver 192.168.14.10

/etc/hostname
linserver01

/etc/hosts
127.0.0.1 localhost
192.168.14.10 linserver01.lin.com linserver01

/etc/krb5.conf
[libdefaults]
        default_realm = lin.com
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        lin.com = {
                kdc = linserver01
                admin_server = linserver01

}

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

/etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
	forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};


/etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


/etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};


host -t SRV _kerberos._udp.lin.com.
_kerberos._udp.lin.com has SRV record 0 100 88 linserver01.lin.com.

host -t SRV _ldap._tcp.lin.com.
_ldap._tcp.lin.com has SRV record 0 100 389 linserver01.lin.com.

host -t A linserver01.lin.com.
linserver01.lin.com has address 192.168.14.10

/var/lib/samba/private/named.conf

dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

Added the following to apparmor.d/usr.sbin.named

   /var/lib/samba/private/krb5.conf r,
   /var/lib/samba/private/dns.keytab r,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns/** rwk,
   /usr/lib/x86_64-linux-gnu/samba/** m,
   /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,


Regards,
Praveen Ghimire

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Monday, 6 May 2019 5:51 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Domain join issues

On Mon, 6 May 2019 07:35:07 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> 
> I get the same error messages even with the following smb.conf, 
> generated by the migration process.
> 
> [global]
>           workgroup = LIN
>          realm = LIN.COM
>          netbios name = LINSERVER01
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/log.%m
>         log level = 4
> [netlogon]
>         path = /var/lib/samba/sysvol/lin.com/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 

Have you altered AD in anyway ?

Can you post the following files:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf
/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones

What user are you using to join the Windows machine ?

Rowland
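The files Rowland asks for above are the usual first suspects for a DC that will not accept joins, and the mismatches are easy to miss by eye. The script below is an added example (it is not from this thread, from Praveen, or from the Samba project); it parses the resolv.conf, hosts, krb5.conf and named.conf.options contents posted in the reply (embedded here as constructed input) and reports the inconsistencies a reviewer checks first, following the Samba wiki guidance for an AD DC: the Kerberos realm is the upper-cased DNS domain and must match the `realm` in smb.conf (Kerberos realm names are case-sensitive), the DC's FQDN must resolve to its LAN address rather than a loopback address, resolv.conf must point at a DC and search the AD domain, and BIND needs `tkey-gssapi-keytab` for GSS-TSIG dynamic updates. The function names (`check_dc`, `parse_krb5`, ...) are my own.

```python
"""Lint the host-side files a Samba AD DC depends on (added example)."""
import ipaddress
import re

# --- constructed input: the files posted in the thread, verbatim ---
RESOLV_CONF = "search lin.com\nnameserver 192.168.14.10\n"
HOSTS = "127.0.0.1 localhost\n192.168.14.10 linserver01.lin.com linserver01\n"
KRB5_CONF = """[libdefaults]
        default_realm = lin.com
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        lin.com = {
                kdc = linserver01
                admin_server = linserver01

}
"""
NAMED_OPTIONS = """options {
        directory "/var/cache/bind";
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
"""


def parse_resolv(text):
    """Return the search domains and nameservers from a resolv.conf."""
    search, nameservers = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "search":
            search += parts[1:]
        elif parts[0] == "nameserver":
            nameservers.append(parts[1])
    return {"search": search, "nameserver": nameservers}


def parse_hosts(text):
    """Map each hostname in /etc/hosts (lower-cased) to the addresses it carries."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                entries.setdefault(name.lower(), []).append(fields[0])
    return entries


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: value}} with realm sub-blocks."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue  # ignore anything before the first section header
        if line == "}":
            realm = None
            continue
        block = re.match(r"([\w.-]+)\s*=\s*\{$", line)
        if block:
            realm = block.group(1)
            conf[section][realm] = {}
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][realm] if realm else conf[section])[key] = value
    return conf


def check_dc(hostname, dc_ip, smb_realm, resolv_txt, hosts_txt, krb5_txt, named_opts_txt):
    """Return a list of findings; an empty list means the four files agree."""
    findings = []
    domain = smb_realm.lower()
    fqdn = f"{hostname}.{domain}"

    resolv = parse_resolv(resolv_txt)
    if domain not in [s.lower() for s in resolv["search"]]:
        findings.append(f"resolv.conf: search list {resolv['search']} lacks {domain}")
    if dc_ip not in resolv["nameserver"]:
        findings.append(f"resolv.conf: nameservers {resolv['nameserver']} do not include the DC {dc_ip}")

    addrs = parse_hosts(hosts_txt).get(fqdn, [])
    if dc_ip not in addrs:
        findings.append(f"hosts: {fqdn} should map to {dc_ip}, found {addrs or 'nothing'}")
    if any(ipaddress.ip_address(a).is_loopback for a in addrs):
        findings.append(f"hosts: {fqdn} must not map to a loopback address")

    realm = parse_krb5(krb5_txt).get("libdefaults", {}).get("default_realm", "")
    if realm != smb_realm:
        findings.append(f"krb5.conf: default_realm '{realm}' != smb.conf realm '{smb_realm}' (realms are case-sensitive)")
    if realm and realm != realm.upper():
        findings.append(f"krb5.conf: realm '{realm}' is not upper-case")

    if "tkey-gssapi-keytab" not in named_opts_txt:
        findings.append("named.conf.options: no tkey-gssapi-keytab, GSS-TSIG dynamic updates will fail")
    return findings


def run_posted_configs():
    """Run the checks against the files as posted (hostname/IP/realm from the thread)."""
    return check_dc("linserver01", "192.168.14.10", "LIN.COM",
                    RESOLV_CONF, HOSTS, KRB5_CONF, NAMED_OPTIONS)


if __name__ == "__main__":
    for finding in run_posted_configs() or ["no findings"]:
        print(finding)
```

On the files as posted the only findings are in krb5.conf, whose `default_realm` is `lin.com` while smb.conf carries `realm = LIN.COM`; whether that is the cause of the join failure is for the thread to decide, but it is the first thing to align before looking further. To run it against a live host, replace the four constants with `open(path).read()` of the real files and the hostname/IP/realm with the DC's own values.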
