[Samba] Migrating Samba NT4 Domain to Samba AD
Bartłomiej Solarz-Niesłuchowski
Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Sun Sep 15 18:08:37 UTC 2019
On 2019-09-15 at 18:32, Rowland penny via samba wrote:
> On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>> I have some questions:
>>
>> I currently do not understand: must the bind9 connected to the AD server
>> be used by the LAN workstations, or only via the AD server?
>>
>> Currently the workstations are pointed at a different DNS server than the AD;
>> how must it be done correctly?
>>
> Your domain workstations must use the AD DC(s) as their nameserver,
> the DC(s) will forward anything outside the AD dns domain to an
> external dns server.
>>
So I only need to forward queries from my common DNS server to
ad.wsisiz.edu.pl? (AD.WSISIZ.EDU.PL is my Samba AD.)
>> So I have the following current open problems:
>>
>> 1. share:
>>
>> [private]
>>
>> path = %H
>>
>> does not work:
>>
>> smbd[42055]: make_connection_snum: canonicalize_connect_path
>> failed for service private, path /%H
>>
>> on the console, cd ~user works correctly
>>
> If this share is on the DC, then it really shouldn't be, using a DC as
> a fileserver isn't recommended.
>>
Yes, understood. I am trying to set up a second AD server on which I use only
the domain part of Samba, and on my major server I will start to use only
smbd/nmbd/winbindd.
But my current problem is:
dynamic updates are not working in bind/internal_dns...
I set up bind:
added to named.conf:
options {
....
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
minimal-responses yes;
};
plus
include "/var/lib/samba/bind-dns/named.conf";
and
oceanic:~# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/AD.WSISIZ.EDU.PL.zone
/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method is
deprecated, use 'warning' instead
logger.warn("DNS records will be automatically created")
DNS records will be automatically created
DNS partitions already exist
dns-oceanic account already exists
Could not remove /var/lib/samba/private/named.conf: No such file or
directory
Could not remove /var/lib/samba/private/named.conf.update: No such file
or directory
Could not remove /var/lib/samba/private/named.txt: No such file or directory
Could not delete dir /var/lib/samba/private/dns: No such file or directory
See /var/lib/samba/bind-dns/named.conf for an example configuration
include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required
for secure DNS updates
Finished upgrading DNS
but when I check whether DNS updates really work:
oceanic:/var/lib/samba/bind-dns# samba_dnsupdate --verbose --all-names
--fail-immediately
IPs: ['2001:1a68:a::33', '213.135.44.33']
force update: A oceanic.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA oceanic.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: NS ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: NS _msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: A ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.dc._msdcs.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 389
force update: SRV
_ldap._tcp.7be4eeae-49f0-4b2f-9b13-9482284869f4.domains._msdcs.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 389
force update: SRV _kerberos._tcp.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._udp.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._tcp.dc._msdcs.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kpasswd._tcp.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 464
force update: SRV _kpasswd._udp.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 464
force update: CNAME
bab81aef-5660-4aa8-a484-761e3a426ca8._msdcs.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 389
force update: SRV
_kerberos._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 88
force update: SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 88
force update: SRV _ldap._tcp.pdc._msdcs.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 389
force update: A gc._msdcs.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA gc._msdcs.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _gc._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _ldap._tcp.gc._msdcs.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 3268
force update: SRV
_gc._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 3268
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 3268
force update: A DomainDnsZones.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA DomainDnsZones.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.DomainDnsZones.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 389
force update: A ForestDnsZones.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA ForestDnsZones.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl
oceanic.ad.wsisiz.edu.pl 389
34 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/oceanic.ad.wsisiz.edu.pl as
OCEANIC$
update(nsupdate): A oceanic.ad.wsisiz.edu.pl 213.135.44.33
Calling nsupdate for A oceanic.ad.wsisiz.edu.pl 213.135.44.33 (add)
Successfully obtained Kerberos ticket to DNS/oceanic.ad.wsisiz.edu.pl as
OCEANIC$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
oceanic.ad.wsisiz.edu.pl. 900 IN A 213.135.44.33
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed update with /tmp/tmpxkhqw31b
checking whether everything is ok:
oceanic:/var/lib/samba# ll /var/lib/samba/private/dns.keytab
-rw-r----- 2 root named 792 Sep 15 19:31 /var/lib/samba/private/dns.keytab
oceanic:/var/lib/samba# ls -ld /var/lib/samba/bind-dns
drwxrwx--- 3 root named 4096 Sep 15 19:55 /var/lib/samba/bind-dns
oceanic:/var/lib/samba# ls -l /var/lib/samba/bind-dns/named.conf
-rw-r--r-- 1 root root 808 Sep 15 19:53 /var/lib/samba/bind-dns/named.conf
oceanic:/var/lib/samba# cat /var/lib/samba/bind-dns/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
# For BIND 9.11.x
database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
# For BIND 9.12.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9_12.so";
};
oceanic:/var/lib/samba/bind-dns# klist -k /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 DNS/oceanic.ad.wsisiz.edu.pl at AD.WSISIZ.EDU.PL
1 dns-oceanic at AD.WSISIZ.EDU.PL
1 DNS/oceanic.ad.wsisiz.edu.pl at AD.WSISIZ.EDU.PL
1 dns-oceanic at AD.WSISIZ.EDU.PL
1 DNS/oceanic.ad.wsisiz.edu.pl at AD.WSISIZ.EDU.PL
1 dns-oceanic at AD.WSISIZ.EDU.PL
1 DNS/oceanic.ad.wsisiz.edu.pl at AD.WSISIZ.EDU.PL
1 dns-oceanic at AD.WSISIZ.EDU.PL
1 DNS/oceanic.ad.wsisiz.edu.pl at AD.WSISIZ.EDU.PL
1 dns-oceanic at AD.WSISIZ.EDU.PL
I cannot check the presence of the account dns-oceanic, but it probably exists:
dns-oceanic account already exists
oceanic:/var/lib/samba/bind-dns# ls -l /etc/krb5.conf
-rw-r--r-- 1 root root 97 Sep 15 14:39 /etc/krb5.conf
so I checked everything according to the manual:
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
but it does not work....
I even tried to change to: samba_upgradedns --dns-backend=SAMBA_INTERNAL
but even there I have a similar problem with DNS updates....
Can you help me?
(DNS updates are needed e.g. for joining new Samba servers into this AD
as domain members....)
>> 2. How to connect internal AD LDAP server?
>>
>> I tried with:
>>
>> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H
>> ldaps://oceanic.wsisiz.edu.pl
>> search error - 00002020: Operation unavailable without authentication
>>
> I would have thought that was fairly obvious, you need to
> authenticate, try this instead (as root):
>
> kinit Administrator
>
> Then:
>
> ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>
> That way, your password never leaves the machine.
It does not work:
oceanic:/var/lib/samba/bind-dns# ldbsearch -H
ldap://oceanic.wsisiz.edu.pl -k yes
Invalid option -k: unknown option
>> 3. How about password aging? I need it not only on the Windows part, but
>> on the Unix part too (Unix has accounts/passwords/etc. via LDAP).
>>
> A Unix user in AD is just a Windows user with RFC2307 attributes, so
> they all get the same password rules
>
> BIG NOTE: I hope that 'via ldap' means users in AD
Hmm.. currently on the Linux workstations I use OpenLDAP; for Linux password
aging I use shadow attributes stored in LDAP.
Thanks for any help....
--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will lie in it
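The checks the poster is running by hand above (the tkey-gssapi-keytab directive and the Samba include in named.conf, exactly one uncommented "database" line in the generated DLZ file, a module file that actually exists, and a dns.keytab that named's group can read but nobody else can), as an added POSIX shell example that is not code from the thread or from Samba. Every path and the group name are parameters so the functions can be exercised on constructed files; on a real DC you would pass the real named.conf, /var/lib/samba/bind-dns/named.conf, /var/lib/samba/private/dns.keytab and the group named runs as ("named" in the thread). The script assumes GNU stat -c and a Linux-style octal mode string; it does not test the Kerberos side (the TKEY exchange itself) at all.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: offline checks for the
# BIND9_DLZ prerequisites. Paths and the group name are parameters so the
# checks run on constructed files; on a DC pass the real named.conf,
# /var/lib/samba/bind-dns/named.conf, /var/lib/samba/private/dns.keytab and
# the group named runs as. Assumes GNU stat -c (assumption).

# 0 if $1 has a tkey-gssapi-keytab directive naming a dns.keytab and includes
# a bind-dns/named.conf, 1 otherwise.
named_conf_has_dlz_setup() {
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]*/dns\.keytab"[[:space:]]*;' "$1" || return 1
    grep -Eq '^[[:space:]]*include[[:space:]]+"[^"]*/bind-dns/named\.conf"[[:space:]]*;' "$1" || return 1
}

# Print the module path from the uncommented "database" line of DLZ file $1.
# Samba generates one line per BIND version, all commented; exactly one must
# be active, so 1 is returned for zero or several active lines.
dlz_active_module() {
    paths=$(sed -nE 's/^[[:space:]]*database[[:space:]]+"dlopen[[:space:]]+([^"[:space:]]+)".*/\1/p' "$1")
    [ -n "$paths" ] || return 1
    [ "$(printf '%s\n' "$paths" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$paths"
}

# 0 if the active module file exists (an uncommented line for the wrong BIND
# version points at a module that is not installed).
dlz_module_present() {
    mod=$(dlz_active_module "$1") || return 1
    [ -f "$mod" ]
}

# 0 if keytab $1 is owned by group $2, group-readable and inaccessible to
# others (like the -rw-r----- root:named file shown in the thread).
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$(stat -c '%G' "$1" 2>/dev/null)" = "$2" ] || return 1
    mode=$(printf '%s' "$mode" | tail -c 3)                  # drop setuid/setgid/sticky digit
    [ "$(printf '%s' "$mode" | cut -c3)" = "0" ] || return 1   # others: no access at all
    case "$(printf '%s' "$mode" | cut -c2)" in               # group digit must include read
        4|5|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo on constructed files mirroring the thread's layout.
demo=$(mktemp -d)
cat > "$demo/named.conf" <<'EOF'
options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    minimal-responses yes;
};
include "/var/lib/samba/bind-dns/named.conf";
EOF
cat > "$demo/dlz.conf" <<EOF
dlz "AD DNS Zone" {
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
    database "dlopen $demo/dlz_bind9_11.so";
};
EOF
: > "$demo/dlz_bind9_11.so"
: > "$demo/dns.keytab"
chmod 640 "$demo/dns.keytab"
for check in "named_conf_has_dlz_setup $demo/named.conf" \
             "dlz_module_present $demo/dlz.conf" \
             "keytab_mode_ok $demo/dns.keytab $(id -gn)"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
rm -rf "$demo"
```

Each function returns a plain exit status, so the same checks can be dropped into a monitoring job or run one at a time, e.g. `keytab_mode_ok /var/lib/samba/private/dns.keytab named && echo ok`. A keytab that passes here can still be unusable if named runs as a different user than the file's group, so check the user in the named unit or init script against the group you pass in.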