[Samba] Domain join issues

L.P.H. van Belle belle at bazuin.nl
Mon May 6 09:20:07 UTC 2019


Hai, 


1) apparmor, disable it, and try again, so we can confirm if it's an apparmor setting. 

2) winbind is started from systemd, which you should disable on an AD DC. 
   - stop the member parts of samba in systemd. 
   systemctl stop winbind smbd nmbd samba
   systemctl disable winbind smbd nmbd samba
   systemctl mask winbind smbd nmbd samba

   - enable the samba-ad-dc part in systemd.
   systemctl unmask samba-ad-dc
   systemctl enable samba-ad-dc
   systemctl start samba-ad-dc 

Using bind9? 
systemctl edit samba-ad-dc
Add: 
[Unit]
After=network.target network-online.target bind9.service

systemctl edit bind9
Add: 
[Service]
ExecReload=

>    /var/lib/samba/private/krb5.conf r,
>    /var/lib/samba/private/dns.keytab r,
>    /var/lib/samba/private/named.conf r,
>    /var/lib/samba/private/dns/** rwk,

Also add these in advance for 4.9+ and apparmor. 
And if you look in that apparmor file, you will see: 
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>
So use the local/usr.sbin.named file; that makes tracking changes easier. 

/var/lib/samba/bind-dns/dns/ rw,
/var/lib/samba/bind-dns/dns.keytab rw,
/var/lib/samba/bind-dns/dns/named.conf r,
/var/lib/samba/bind-dns/dns/named.conf.update r,
/var/lib/samba/bind-dns/dns/named.txt rw,

And I've added some parts below.  

> 
> /etc/krb5.conf
> [libdefaults]
>         default_realm = lin.com
HERE: LIN.COM

>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
Remove this part, from here: 
> [realms]
>         lin.com = {
>                 kdc = linserver01
>                 admin_server = linserver01
> 
> }
To here. 

> 
> /etc/bind/named.conf
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
> 
> /etc/bind/named.conf.options
> options {
>         directory "/var/cache/bind";
> 	forwarders { 8.8.8.8; 8.8.4.4; };
>         dnssec-validation no;
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>        // auth-nxdomain no;    # conform to RFC1035
		 auth-nxdomain yes; # because this server is controlling the AD domain.  
>         listen-on-v6 { any; };
> };
> 

Greetz, 

Louis
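The two krb5.conf points in the reply (upper-case the realm, drop the hand-maintained [realms] block and let dns_lookup_kdc find the KDC) as a small check-and-fix script. This is an added example, not from the original post or from Samba; it assumes only POSIX sh, sed, awk, grep, tr and mktemp, and the sample file it checks is constructed to mirror the quoted configuration.

```shell
#!/bin/sh
# Added example: check an /etc/krb5.conf for the two problems raised in the reply
# (lower-case default_realm and a hand-maintained [realms] block on an AD DC) and
# emit a corrected copy. Assumes only POSIX sh, sed, awk, grep, tr and mktemp.

# Report problems; returns 0 when the file is clean, 1 otherwise.
check_krb5_conf() {
  f="$1"; rc=0
  realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
  if [ -z "$realm" ]; then
    echo "no default_realm in $f"; rc=1
  elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
    echo "default_realm '$realm' must be upper-case (Kerberos realm names are case-sensitive)"; rc=1
  fi
  if grep -q '^[[:space:]]*\[realms\]' "$f"; then
    echo "[realms] section present: on a Samba AD DC let dns_lookup_kdc = true find the KDC instead"; rc=1
  fi
  return $rc
}

# Print a corrected copy: realm upper-cased, [realms] section dropped, everything else as-is.
fix_krb5_conf() {
  awk '
    /^[[:space:]]*\[/ { skip = ($0 ~ /\[realms\]/) }   # section header: start/stop skipping
    skip { next }
    /^[[:space:]]*default_realm[[:space:]]*=/ {
      n = index($0, "=")
      printf "%s%s\n", substr($0, 1, n), toupper(substr($0, n + 1)); next
    }
    { print }
  ' "$1"
}

# Constructed sample that mirrors the quoted configuration (not a real site's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
        default_realm = lin.com
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        lin.com = {
                kdc = linserver01
                admin_server = linserver01
        }
EOF
check_krb5_conf "$sample" || { echo "--- corrected ---"; fix_krb5_conf "$sample"; }
rm -f "$sample"
```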



