[Samba] Changing IP Scope on a Samba DC

L.P.H. van Belle belle at bazuin.nl
Mon Sep 7 10:34:04 UTC 2020


Hai,

Ow.. This is a good one, I'll add this as a note in the file.

It's not added because normally this is set correctly for samba-ad at the install already.
Most forget/miss the DNS adjustment in netplan. ;-)

Thanks for the notice.
It's added.

Greetz,

Louis

From: Peter Pollock [mailto:peter.pollock at kingschristian.org]
Sent: Saturday 5 September 2020 8:47
To: Rowland penny
CC: L.P.H. van Belle; sambalist
Subject: Re: [Samba] Changing IP Scope on a Samba DC



I FINALLY DID IT!!!!! 

After following Louis van Belle's walk-through to create a new DC, and having problems at the end, I realized there was nothing in the walk-through about modifying /var/lib/samba/bind-dns/named.conf to let Samba know the Bind version, so I did that and Voila!


We have name resolution, can create kerberos tickets, just successfully connected a windows workstation to the domain and seem to be rocking and rolling!


Thank you for all your help everyone. Especially Rowland. I have a long way to go this weekend, but this is a good start!


On Fri, Sep 4, 2020 at 10:02 PM Peter Pollock <peter.pollock at kingschristian.org> wrote:

OK.. after school ended today, I poked around and found nothing so I started all over again. Followed Louis' instructions at https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt all the way through but at the end, the resolver is not working - and kinit cannot find a KDC (I'm guessing because the resolver is not working!)

This is the only server on the network and has an IP address of 192.168.4.5 (the gateway is at 192.168.4.1)


"Service named status" gives me:


named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-09-04 21:41:41 PDT; 10min ago
       Docs: man:named(8)
   Main PID: 528 (named)
      Tasks: 14 (limit: 2282)
     Memory: 61.9M
     CGroup: /system.slice/named.service
             528 /usr/sbin/named -f -u bind

Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:2d::d#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:1::53#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:9f::42#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:503:ba3e::2:30#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:a8::e#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:200::b#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:500:2f::f#53
Sep 04 21:52:22 dc01 named[528]: network unreachable resolving 'kcs/DS/IN': 2001:503:c27::2:30#53
Sep 04 21:52:22 dc01 named[528]: broken trust chain resolving 'dc01.internal.kcs/A/IN': 8.8.8.8#53
Sep 04 21:52:22 dc01 named[528]: broken trust chain resolving '_ldap._tcp.dc01.internal.kcs/SRV/IN': 8.8.8.8#53



I do not know where to start.


I took copious notes as I followed Louis' walkthrough, which I'll send if they interest you, but it's many pages!






On Fri, Sep 4, 2020 at 7:20 AM Rowland penny <rpenny at samba.org> wrote:

On 04/09/2020 15:05, Peter Pollock wrote:
> This is brand new. Created following Louis' instructions (although in 
> my install of Ubuntu 20.04, it gets a little tricky with installing 
> packages because it claims one or more don't exist after adding Louis' 
> repository and doing an apt update).
Please don't do that, say something doesn't exist without telling us 
what 'something' is ;-)
>
> Totally separate network from my Zentyal installs, on a ProxMox 
> virtual server, if that makes any difference.
No, good idea really, it doesn't matter if it is separate, it allows you 
to destroy it easily if need be.
>
> I know the admin password, I just removed it from this email, I just 
> cannot figure out why I can't initiate a kticket.
OK, if you know the password, no need to start again, but kinit should 
work. Did you check if the first nameserver in /etc/resolv.conf is the 
DC's IP ? did you run the kinit command as root and like this 'kinit 
Administrator' ?
>
> I can wipe it and start again, that's not a problem at all. I was just 
> so close...

No, there is no need, it was just the lack of the Administrator password 
that was throwing me ;-)

Rowland
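Rowland's question (is the first nameserver in /etc/resolv.conf the DC's own IP?) and Peter's eventual fix (uncommenting the right dlz line in /var/lib/samba/bind-dns/named.conf) amount to two checks. The script below is an added example, not code from the thread or from the Samba project; it runs those checks against constructed sample files, reusing the DC IP 192.168.4.5 and domain internal.kcs from the thread, and maps the BIND version to a module name following the commented lines Samba ships in that file.

```shell
#!/bin/sh
# Added example (not code from the thread or the Samba project). The DC IP
# 192.168.4.5 and domain internal.kcs come from the thread; the sample files
# below are constructed so the checks run offline.

# first_nameserver FILE -> prints the first "nameserver" entry of a resolv.conf
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# resolver_points_at_dc RESOLV_CONF DC_IP -> true if the first nameserver is the DC
resolver_points_at_dc() {
    [ "$(first_nameserver "$1")" = "$2" ]
}

# active_dlz_modules NAMED_CONF -> prints each uncommented dlz_bind9* module.
# Samba ships one "database" line per supported BIND release, all commented;
# exactly one must be uncommented, and it must match the installed BIND.
active_dlz_modules() {
    sed -n 's/^[[:space:]]*database[[:space:]]*"dlopen[^"]*\(dlz_bind9[_0-9]*\)\.so".*/\1/p' "$1"
}

# expected_dlz_module BIND_VERSION -> module for that BIND, following the
# names in Samba's file (9.8.x -> dlz_bind9, 9.16.x -> dlz_bind9_16)
expected_dlz_module() {
    minor=$(printf '%s' "$1" | cut -d. -f2)
    if [ "$minor" = "8" ]; then echo dlz_bind9; else echo "dlz_bind9_$minor"; fi
}

# dlz_matches_bind NAMED_CONF BIND_VERSION -> true iff exactly one module is
# active and it is the one for BIND_VERSION (e.g. from "named -v")
dlz_matches_bind() {
    mods=$(active_dlz_modules "$1")
    [ "$(printf '%s\n' "$mods" | grep -c .)" -eq 1 ] &&
        [ "$mods" = "$(expected_dlz_module "$2")" ]
}

# --- constructed sample files ---
SAMPLE_DIR=$(mktemp -d)
printf 'nameserver 8.8.8.8\nnameserver 192.168.4.5\n' > "$SAMPLE_DIR/resolv.bad"
printf 'search internal.kcs\nnameserver 192.168.4.5\n' > "$SAMPLE_DIR/resolv.good"
cat > "$SAMPLE_DIR/named.bad" <<'EOF'
dlz "AD DNS Zone" {
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};
EOF
sed 's/# database/database/' "$SAMPLE_DIR/named.bad" > "$SAMPLE_DIR/named.good"
resolver_points_at_dc "$SAMPLE_DIR/resolv.good" 192.168.4.5 && echo "resolv.conf: first nameserver is the DC"
dlz_matches_bind "$SAMPLE_DIR/named.good" 9.16.1 && echo "named.conf: dlz_bind9_16 active for BIND 9.16"
```

Point the two functions at /etc/resolv.conf and /var/lib/samba/bind-dns/named.conf, with the version reported by `named -v`, to run the same checks on a real DC.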