[Samba] Domain join issues
L.P.H. van Belle
belle at bazuin.nl
Mon May 6 09:20:07 UTC 2019
Hai,
1) apparmor: disable it and try again, so we can confirm if it's an apparmor setting.
2) winbind is being started from systemd, while as AD-DC you should disable that.
- stop the member parts of samba in systemd:
systemctl stop winbind smbd nmbd samba
systemctl disable winbind smbd nmbd samba
systemctl mask winbind smbd nmbd samba
- enable the samba-ad-dc part in systemd.
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
Using bind9?
systemctl edit samba-ad-dc
Add:
[Unit]
After=network.target network-online.target bind9.service
systemctl edit bind9
Add:
[Service]
ExecReload=
> /var/lib/samba/private/krb5.conf r,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
Also add these in advance for 4.9+ and apparmor.
And if you look in that apparmor file, you will see:
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
So use the local/usr.sbin.named file; that makes tracking changes easier.
/var/lib/samba/bind-dns/dns/ rw,
/var/lib/samba/bind-dns/dns.keytab rw,
/var/lib/samba/bind-dns/dns/named.conf r,
/var/lib/samba/bind-dns/dns/named.conf.update r,
/var/lib/samba/bind-dns/dns/named.txt rw,
And I've added some parts below.
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = lin.com
HERE: LIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
Remove this part, from here:
> [realms]
> lin.com = {
> kdc = linserver01
> admin_server = linserver01
>
> }
To here.
>
> /etc/bind/named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> /etc/bind/named.conf.options
> options {
> directory "/var/cache/bind";
> forwarders { 8.8.8.8; 8.8.4.4; };
> dnssec-validation no;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> // auth-nxdomain no; # conform to RFC1035
auth-nxdomain yes; # because this server is controlling the AD domain.
> listen-on-v6 { any; };
> };
>
Greetz,
Louis
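As an added example (not part of the post above), a small krb5.conf checker for the two points Louis makes about the poster's file: the realm name must be upper case, and a static [realms] block is redundant once dns_lookup_kdc = true lets the client find the KDC through DNS. The parser and the finding codes are my own; the sample configuration is the one quoted in the thread.

```python
"""Checker for the two krb5.conf problems raised in the reply above: a lowercase
default_realm and a static [realms] block on a host with dns_lookup_kdc = true."""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: value}}; 'name = { ... }' nests one dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                     # new [section]
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":                           # end of a nested block
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section is None:                       # key before any [section]
            continue
        if value == "{":                          # start of 'realm = {'
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf

def lint_krb5(text):
    """Return (code, detail) findings for the two problems pointed out in the thread."""
    conf = parse_krb5(text)
    libdefaults = conf.get("libdefaults", {})
    findings = []
    realm = libdefaults.get("default_realm", "")
    if realm and realm != realm.upper():          # Kerberos realm names are upper case
        findings.append(("realm-case", realm))
    if libdefaults.get("dns_lookup_kdc", "").lower() == "true":
        for name in conf.get("realms", {}):       # static KDC entries are redundant here
            findings.append(("hardcoded-realm", name))
    return findings

# krb5.conf as quoted in the thread (lowercase realm plus a static [realms] block)
POSTED_CONF = ("[libdefaults]\ndefault_realm = lin.com\ndns_lookup_realm = false\n"
               "dns_lookup_kdc = true\n[realms]\nlin.com = {\nkdc = linserver01\n"
               "admin_server = linserver01\n}\n")
```

Running lint_krb5 over the quoted file reports both findings; the corrected file (default_realm = LIN.COM, no [realms] section) reports none.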