[Samba] Migrating Samba NT4 Domain to Samba AD

Bartłomiej Solarz-Niesłuchowski Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Sun Sep 15 19:19:20 UTC 2019


On 2019-09-15 at 20:38, Rowland penny via samba wrote:
> On 15/09/2019 19:08, Bartłomiej Solarz-Niesłuchowski wrote:
>> On 2019-09-15 at 18:32, Rowland penny via samba wrote:
>>> On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>>>> I have some questions:
>>>>
>>>> I currently do not understand - must bind9 connected to the AD server be 
>>>> used by the LAN workstations, or only via the AD server?
>>>>
>>>> currently the workstations are pointed to a different DNS server than 
>>>> the AD - how must it be done correctly?
>>>>
>>> Your domain workstations must use the AD DC(s) as their nameserver, 
>>> the DC(s) will forward anything outside the AD dns domain to an 
>>> external dns server.
>>>>
>> so I only need to forward queries from my common DNS server to 
>> ad.wsisiz.edu.pl? (AD.WSISIZ.EDU.PL is my Samba AD)?
> From any domain joined computers, yes. They would ask the DC for any 
> dns info they require, if it is something inside the AD domain, the DC 
> will return the data, if it is something outside the AD domain e.g. 
> google.com, the DC would ask its forwarder and then return whatever 
> the forwarder returns.
Tomorrow I will fix it correctly.
>>
>>
>>>> So I have the current open problems:
>>>>
>>>> 1. share:
>>>>
>>>> [private]
>>>>
>>>> path = %H
>>>>
>>>> does not work:
>>>>
>>>> smbd[42055]:   make_connection_snum: canonicalize_connect_path failed for service private, path /%H
>>>>
>>>> on the console, cd ~user works correctly
>>>>
>>> If this share is on the DC, then it really shouldn't be, using a DC 
>>> as a fileserver isn't recommended.
>>>>
>>
>> yes, understood - I will try to set up a second AD server on which I use only 
>> the domain part of Samba, and on my major server I will start to use only 
>> smbd/nmbd/winbindd.
>
> I take it that you are referring to a Unix domain member being used as 
> a fileserver
>
>>
>>
>> But my current problem is:
>>
>> dynamic updates are not working in bind/internal_dns...
>>
>>
>> Can you help me?
>>
>> (DNS updates are needed e.g. for joining new Samba servers into this AD 
>> as domain members....)
>
> Try adding this to the DC smb.conf:
>
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool


added: it does not help

oceanic:/etc# samba_dnsupdate --use-samba-tool --verbose --all-names --fail-immediately
IPs: ['2001:1a68:a::33', '213.135.44.33']
force update: A oceanic.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA oceanic.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: NS ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: NS _msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: A ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.7be4eeae-49f0-4b2f-9b13-9482284869f4.domains._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _kerberos._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._udp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._tcp.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kpasswd._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 464
force update: SRV _kpasswd._udp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 464
force update: CNAME bab81aef-5660-4aa8-a484-761e3a426ca8._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 88
force update: SRV _ldap._tcp.pdc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: A gc._msdcs.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA gc._msdcs.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _gc._tcp.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _ldap._tcp.gc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 3268
force update: A DomainDnsZones.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA DomainDnsZones.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.DomainDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: A ForestDnsZones.ad.wsisiz.edu.pl 213.135.44.33
force update: AAAA ForestDnsZones.ad.wsisiz.edu.pl 2001:1a68:a::33
force update: SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl oceanic.ad.wsisiz.edu.pl 389
34 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/oceanic.ad.wsisiz.edu.pl as OCEANIC$
update (samba-tool): A oceanic.ad.wsisiz.edu.pl 213.135.44.33
Calling samba-tool dns for A oceanic.ad.wsisiz.edu.pl 213.135.44.33 (add)
Calling samba-tool dns add -k no -P ['2001:1a68:a::33', 'ad.wsisiz.edu.pl', 'oceanic', 'A', '213.135.44.33']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/dns.py", line 945, in run
    raise e
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/dns.py", line 941, in run
    0, server, zone, name, add_rec_buf, None)


on the domain member-to-be:

[root at mask ~]# net ads join -U administrator%XXXXXX
Using short domain name -- WSISIZ.EDU.PL
Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL


>
>>
>>
>>>> 2. How to connect internal AD LDAP server?
>>>>
>>>> I tried with:
>>>>
>>>> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H ldaps://oceanic.wsisiz.edu.pl
>>>> search error - 00002020: Operation unavailable without authentication
>>>>
>>> I would have thought that was fairly obvious, you need to 
>>> authenticate, try this instead (as root):
>>>
>>> kinit Administrator
>>>
>>> Then:
>>>
>>> ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>>>
>>> That way, your password never leaves the machine.
>>
>> does not work:
>>
>> oceanic:/var/lib/samba/bind-dns# ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>> Invalid option -k: unknown option
>
> When I run it, I get this:
>
> ldbsearch -H ldap://dc4.samdom.example.com -k yes
>
> What OS is this and what Samba packages did you install?
>
[root at oceanic etc]# which ldbsearch
/usr/bin/ldbsearch
[root at oceanic etc]# rpm -qf /usr/bin/ldbsearch
ldb-tools-1.5.5-1.fc30.x86_64

>>
>>>> 3. How about password aging - I need it not only on the Windows part, 
>>>> but it is needed on the Unix part too (Unix has accounts/passwords/etc. 
>>>> via LDAP)?
>>>>
>>> A Unix user in AD is just a Windows user with RFC2307 attributes, so 
>>> they all get the same password rules
>>>
>>> BIG NOTE: I hope that 'via ldap' means users in AD
>>
>>
>> khhm.. currently on the Linux workstations I use openldap; for Linux 
>> password aging I use shadow attributes stored in LDAP
>
> I think you will find that it is now 'I used openldap'
>
> You can sync passwords etc between AD and openldap, but you will 
> probably find that it is easier to migrate whatever you have in openldap 
> to AD and then have just one point of maintenance.
yes, it is true if I set up replication correctly (I need about 3 LDAP 
servers for performance reasons)
>
> So, what do you have in openldap ?


[root at oceanic etc]# smbldap-usershow  solarz
dn: uid=solarz,ou=Users,dc=wsisiz,dc=edu,dc=pl
mail: solarz at wsisiz.edu.pl
givenName;lang-en: Bartlomiej
uid: solarz
sambaPwdCanChange: 1176363610
sambaBadPasswordCount: 0
sambaKickoffTime: 2147483647
cn;lang-en: Bartlomiej Solarz-Niesluchowski
sambaLogoffTime: 2147483647
objectClass: person,organizationalPerson,inetOrgPerson,posixAccount,top,kerberosSecurityObject,shadowAccount,sambaSamAccount
sambaProfilePath: \\oceanic\solarz\profile
uidNumber: 1761
sn: Solarz-Niesłuchowski
gidNumber: 101
gecos: Bartlomiej Solarz-Niesluchowski
shadowFlag: 134540276
sambaLogonScript: login.bat
sambaLogonTime: 0
shadowWarning: 14
sn;lang-en: Solarz-Niesluchowski
cn: Bartłomiej Solarz-Niesłuchowski
givenName;lang-pl: Bartłomiej
krbName: solarz at WSISIZ.EDU.PL
sambaBadPasswordTime: 0
sambaHomeDrive: z:
cn;lang-pl: Bartłomiej Solarz-Niesłuchowski
homeDirectory: /home/staff/solarz
givenName: Bartłomiej
displayName: Bartłomiej Solarz-Niesłuchowski
shadowInactive: 14
sambaSID: S-1-5-21-3156691614-3416019035-1284015310-4522
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPrimaryGroupSID: S-1-5-21-3156691614-3416019035-1284015310-513
shadowMax: 120
sn;lang-pl: Solarz-Niesłuchowski
loginShell: /bin/bash
preferredLanguage: pl
sambaHomePath: \\oceanic\solarz
sambaPwdMustChange: 1558009952
sambaAcctFlags: [U]
userPassword: {SSHA}XXXXXXXXXXXXX
sambaNTPassword: XXXXXXXXXXXXX
sambaPwdLastSet: 1563822645
shadowLastChange: 18099

and I have a tree with rfc822MailMember

dn: cn=B.Solarz-Niesluchowski,ou=Aliases,dc=wsisiz,dc=edu,dc=pl
rfc822MailMember: solarz
objectClass: nisMailAlias
objectClass: top
cn: B.Solarz-Niesluchowski
structuralObjectClass: nisMailAlias


-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep
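An added Python example (not from the thread or from Samba) that reads the shadow and Samba password-aging attributes of an entry like the smbldap-usershow dump above and reports what each side says about the password's lifetime, which is what a migration of this data into AD has to carry over. SAMPLE_LDIF is a constructed excerpt using the posted values, POST_DATE is the reply's date used as "now", and to_ad_filetime is an assumed helper name.

```python
from datetime import datetime, timedelta, timezone

# Constructed excerpt mirroring the smbldap-usershow attributes in the post;
# objectClass is folded across two lines the way LDIF does (leading space).
SAMPLE_LDIF = """\
dn: uid=solarz,ou=Users,dc=wsisiz,dc=edu,dc=pl
objectClass: person,organizationalPerson,inetOrgPerson,posixAccount,
 top,shadowAccount,sambaSamAccount
shadowLastChange: 18099
shadowMax: 120
shadowWarning: 14
sambaPwdLastSet: 1563822645
sambaPwdMustChange: 1558009952
"""
POST_DATE = datetime(2019, 9, 15, tzinfo=timezone.utc)  # "now" for the check
AD_EPOCH_OFFSET = 11644473600  # seconds between 1601-01-01 and 1970-01-01

def parse_ldif(text):
    """Return {attr: [values]} for one LDIF entry, unfolding continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # RFC 2849 folded line
            unfolded[-1] += line[1:]
        elif line.strip():
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(":")       # keeps options like cn;lang-en
        entry.setdefault(attr, []).append(value.strip())
    return entry

def to_ad_filetime(unix_ts):
    """Unix seconds -> AD pwdLastSet units (100 ns intervals since 1601)."""
    return (unix_ts + AD_EPOCH_OFFSET) * 10_000_000

def aging_status(entry, now):
    """shadow* values are days since the epoch, samba* values are Unix seconds."""
    last_day = int(entry["shadowLastChange"][0])
    expires = datetime.fromtimestamp(last_day * 86400, timezone.utc) \
        + timedelta(days=int(entry["shadowMax"][0]))
    samba_last = int(entry["sambaPwdLastSet"][0])
    samba_must = int(entry["sambaPwdMustChange"][0])
    days_left = (expires - now).days
    return {
        "shadow_expires": expires,
        "days_left": days_left,
        "in_warning_window": 0 <= days_left <= int(entry["shadowWarning"][0]),
        "samba_stale": samba_must < samba_last,   # must-change predates last-set
        "ad_pwdLastSet": to_ad_filetime(samba_last),
    }
```

For the posted values the shadow side expires 120 days after 2019-07-22, while sambaPwdMustChange predates sambaPwdLastSet, so the two sides should be reconciled before the account is carried into AD.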



