[Samba] debian 10: errors with my server samba-ad
L.P.H. van Belle
belle at bazuin.nl
Mon May 13 10:16:52 UTC 2019
Hai Nathalie,
The generation/provioning is ok.
The "local SID message is normal, that because your joining the domain and havent started samba at that point.
You can ignore that.
Did you install and configure bind9?
The provisioning command shows that you are setting up with it.
But this shows bind is not found, which is a bit off.
> BIND version unknown, please modify
> /var/lib/samba/bind-dns/named.conf manually.
> See /var/lib/samba/bind-dns/named.conf for an example
> configuration include file for BIND
> and /var/lib/samba/bind-dns/named.txt for further
> documentation required for secure DNS updates
> Setting up sam.ldb rootDSE marking as synchronized
Your configs and all output except above and this part :
> LENZSPITZE2\administrator:*:0:100::/home/LENZSPITZE2/administrator:/bin/bash
This can be correct, but i dont trust the 100 as GID here, because thats the users group in debian.
And i would expected to see "domain users" / ( minimaal GID) 10000
Or did you map "Domain users" into "user"
You should review you bind9 config, a base you can start with is this :
First make it work, then adjust where needed. ( with care ).
/etc/bind/named.conf.options
// Defined ACL Begin
acl thisserverip {
192.168.X.X; // IP of this serfver.
};
acl all-networks {
// you lan ranges.
192.168.X.X/24;
};
// Defined ACL End
options {
directory "/var/cache/bind";
version "0.0.7"; // hide the versionnumer of bind.
forwarders { 8.8.4.4; 8.8.8.8; };
dnssec-validation no;
auth-nxdomain yes; # conform to RFC1035 = No, but this server is the Authoritive server for the zones in the AD.
listen-on-v6 { "none"; };
listen-on port 53 { "thisserverip"; 127.0.0.1; };
notify no;
empty-zones-enable no; // yes can conflict with your zones.
// Add any subnets or hosts you want to allow to use this DNS server
allow-query { "all-networks"; 127.0.0.1/32; };
// Add any subnets or hosts you want to allow to use recursive queries
allow-recursion { "all-networks"; 127.0.0.1/32; };
// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
//tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; // before samba 4.9.
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // samba 4.9. and up.
// Do check where the file dns.keytab is, if needed move it manualy to /var/lib/samba/bind-dns/
// and check if you rights are root:bind with 640.
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
/etc/bind/named.conf.local
// adding the dlopen ( Bind DLZ ) module for samba,
include "/var/lib/samba/bind-dns/named.conf";
Now in your case, after you adjusted bind, check the above file : /var/lib/samba/bind-dns/named.conf
Bind 9.11 should be enabled.
See if above helps you, if not, post again, i have more, but lets start here.
I also advice to disable bind9 reloading.
systemctl edit bind9 and Add:
[Service]
ExecReload=
And for samba-ad-dc
systemctl edit samba-ad-dc
Add:
[Unit]
After=network.target network-online.target bind9.service
Then after all is done,
systemctl disable samba smbd nmbd winbind
systemctl mask samba smbd nmbd winbind
systemctl unmask samba-ad-dc bind9
systemctl enable samba-ad-dc bind9
systemctl start bind9 samba-ad-dc
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> nathalie ramat via samba
> Verzonden: maandag 13 mei 2019 11:19
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] debian 10: errors with my server samba-ad
>
> Hello,
>
> Sorry for my english and for this very long email.
>
>
> I want to create samba-ad server with the package debian buster.
> I have follow the url :
>
> https://github.com/thctlo/samba4/blob/master/howtos/stretch-ba
> se-2.0-samba-minimal-ad.txt
>
>
>
> I have generated mon samba ad with the following command :
>
> samba-tool domain provision --use-rfc2307 --interactive
> Realm [LENZSPITZE2.CALAIS.FR]:
> Domain [LENZSPITZE2]:
> Server Role (dc, member, standalone) [dc]: dc
> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
> [SAMBA_INTERNAL]: BIND9_DLZ
> Administrator password:
> Retype password:
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> *Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs*
>
> Adding DomainDN: DC=lenzspitze2,DC=calais,DC=fr
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers and extended rights
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=lenzspitze2,DC=calais,DC=fr
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> BIND version unknown, please modify
> /var/lib/samba/bind-dns/named.conf manually.
> See /var/lib/samba/bind-dns/named.conf for an example
> configuration include file for BIND
> and /var/lib/samba/bind-dns/named.txt for further
> documentation required for secure DNS updates
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba AD has been
> generated at /var/lib/samba/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or
> replace it with this one. Do not create a symlink!
> Setting up fake yp server settings
> Once the above files are installed, your Samba AD server will
> be ready to use
> Server Role: active directory domain controller
> Hostname: debiantest
> NetBIOS Domain: LENZSPITZE2
> DNS Domain: lenzspitze2.calais.fr
> DOMAIN SID: S-1-5-21-114952022-3178926164-3586775662
>
>
> I don't understand why I have
>
> *Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs *but the provision was
> generated correctly apparently**and give me SID for my domain.
> **when I execute /usr/sbin/samba -i I have the following errors
>
> samba version 4.9.5-Debian started.
> Copyright Andrew Tridgell and the Samba Team 1992-2018
> binary_smbd_main: samba: using 'standard' process model
> /usr/sbin/smbd: smbd version 4.9.5-Debian started.
> /usr/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2018
> /usr/sbin/smbd: INFO: Profiling support unavailable in this build.
> /usr/sbin/winbindd: winbindd version 4.9.5-Debian started.
> /usr/sbin/winbindd: Copyright Andrew Tridgell and the Samba
> Team 1992-2018
> /usr/sbin/winbindd: initialize_winbindd_cache: clearing cache
> and re-creating with version number 2
> /usr/sbin/winbindd: daemon_ready: STATUS=daemon 'winbindd'
> finished starting up and ready to serve connections
> ../source4/dsdb/dns/dns_update.c:330: Failed DNS update -
> with error code 4
> /usr/sbin/smbd: daemon_ready: STATUS=daemon 'smbd' finished
> starting up and ready to serve connections
> /usr/sbin/smbd: Failed to fetch record!
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 8012
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3141
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 8019
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 7840
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3181
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 7872
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 7843
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 8020
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 7850
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 5986
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 7896
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 5984
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3128
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 8033
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3173
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3189
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 7879
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 7837
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 5989
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 5982
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3190
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 7849
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3107
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 8006
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3139
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3094
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 3140
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 8034
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 8032
> failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> Doing a full scan on
> DC=ForestDnsZones,DC=lenzspitze2,DC=calais,DC=fr and looking
> for deleted objects
> Doing a full scan on
> DC=DomainDnsZones,DC=lenzspitze2,DC=calais,DC=fr and looking
> for deleted objects
> Doing a full scan on
> CN=Configuration,DC=lenzspitze2,DC=calais,DC=fr and looking
> for deleted objects
> Doing a full scan on DC=lenzspitze2,DC=calais,DC=fr and
> looking for deleted objects
> **
> Perharps ,the daemon smbd can't acces a .tdb file ? because
> of my first mistabke ? a file has not been created ?
>
> */usr/sbin/smbd: Failed to fetch record! /usr/sbin/smbd: send_all_fn:
> messaging_send_buf to 8012 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND*
>
>
> But when i execute the command getent passwd administrator
> I get a good response
>
> LENZSPITZE2\administrator:*:0:100::/home/LENZSPITZE2/administr
> ator:/bin/bash
>
>
> I give my smb.conf generated by the provision :
>
> # Global parameters
> [global]
> netbios name = DEBIANTEST
> realm = LENZSPITZE2.CALAIS.FR
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = LENZSPITZE2
> idmap_ldb:use rfc2307 = yes
> log level = 1
> log file = /var/log/samba/log.%m
> max log size = 1000
> template shell = /bin/bash
>
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/lenzspitze2.calais.fr/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>
> When i execute nslookup debiantest.lenzspitze2.calais.fr I
> get get this response
>
> Server: 192.168.22.37
> Address: 192.168.22.37#53
>
> Name: debiantest.lenzspitze2.calais.fr
> Address: 192.168.22.37
>
> I think my dns work.
>
>
> When I run smbclient -L localhost -U administrator
> Enter LENZSPITZE2\administrator's password:
>
> Sharename Type Comment
> --------- ---- -------
> netlogon Disk
> sysvol Disk
> IPC$ IPC IPC Service (Samba 4.9.5-Debian)
> Reconnecting with SMB1 for workgroup listing.
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
>
>
> I don't have any information for my server.
>
> I think I have more errors on my configuration - but I can
> not find the errors .
> Can you help me to find and understand my errors.
>
>
> Thank you for your help
>
>
> --
> Nathalie RAMAT-LECLERCQ
>
> Service Informatique
>
> Universite du Littoral-Côte d'Opale
> SCoSI - Service Commun du Système d'Information
> Pôle Systèmes et réseaux
>
> Centre de Gestion Universitaire de Calais
> 50 rue ferdinand Buisson
> C.S 80699
> 62228 CALAIS CEDEX
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list