[Samba] Various Samba AD questions
anders.ostling at gmail.com
Tue Feb 9 16:25:37 UTC 2021
I am struggling to learn more on how to replace a couple of Windows DCs. This is a long-term plan since we have a quite well working mix of Windows and Samba, but I aim to eventually have a pure (server-side) Linux rack to handle.
So, now I have a bunch of VMs running Debian 10 with Samba 4.9.5. Two of these are DCs, one a FS and a third will be the management center and VPN entry point.
Domain provisioned on first DC, second DC joined successfully
The internal DNS server is running on both, and seems to sync correctly
The two DCs are replicating the AD correctly (verified with samba-tool)
Sysvol share replicated using rsync
Win 10 client joined as member
Can logon on Win client using a domain account
GPOs created for home directory and roaming profiles
Can manage both DCs with RSAT tools for DNS, GPO, ADUC, Computer management etc.
NOT WORKING OR NOT IMPLEMENTED YET
Redundant DHCP server (isc-dhcpd on primary as of now)
Reverse DNS entries not created automatically. Also, using samba-tool dns zonecreate to create the reverse zone reported success, but the zone was not correctly set up. Had to delete it using RSAT and re-create manually.
Weird permission problem on second DC for the profile share, no problem on the first DC. Opening Properties/Security on the mapped Profile share crashes the Windows Explorer hard.
Profile share defined (on both) as
root at dc2-hplts:/# cat /etc/samba/smb.conf
# Global parameters
[global]
        dns forwarder = 126.96.36.199
        netbios name = DC2-HPLTS
        realm = HOGANAS-PLATSLAGAREN.SE
        server role = active directory domain controller
        workgroup = HPLTS
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/hoganas-platslagaren.se/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

# Share name assumed: the section header for the profile share did not survive in the post
[profiles]
        path = /samba/profiles
        read only = No
The ACL on the working share has been copied to the non-working one:
root at dc2-hplts:/# getfacl samba/profiles/
# file: samba/profiles/
# owner: root
# group: 3000000
Next thing is that on the production Samba server, the object list (wbinfo -g/u) showed up without the prefix. Now on the DC, the group names are prefixed with the NetBIOS name. Is that normal for an AD DC?
root at dc1-hplts:/# wbinfo -u
root at dc1-hplts:/# wbinfo -g
HPLTS\ras and ias servers
HPLTS\allowed rodc password replication group
HPLTS\denied rodc password replication group
HPLTS\enterprise read-only domain controllers
HPLTS\group policy creator owners
HPLTS\read-only domain controllers
I am really determined to learn more on Samba's functions, and since I prefer to read paper books, I have been looking for a reasonably up-to-date Samba book. The one I found was for v4.0, and I suspect that there have been a LOT of changes since then. The other more recent book was only available in German, so that's a no-go. Hopefully someone will find time to author, or translate, a newer one soon!
Phone: +46 768 716 165
Skype: anders.ostling at outlook.com
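The reverse-zone step mentioned above is easy to get wrong by hand (the in-addr.arpa name has the octets reversed, and the PTR label is relative to the zone). The following helper is an added example, not the poster's script or anything shipped with Samba. It computes the reverse zone name and PTR labels for a /8, /16 or /24 and prints the samba-tool commands (dns zonecreate, dns add ... PTR, dns query) that would create the zone and its records, so the plan can be read before anything is run against the DC. The DC name dc1.example.internal, the 192.168.10.0/24 network and the two hosts are constructed placeholders; the Administrator credential name is the usual one but also an assumption about the site.

```sh
#!/bin/sh
# Added example (not from the original post): plan a reverse zone and its
# PTR records for a subnet and print the samba-tool commands instead of
# running them. Hosts, network and DC name below are constructed.
set -eu

# reverse_zone CIDR -> zone name, e.g. 192.168.10.0/24 -> 10.168.192.in-addr.arpa
# Only the classful prefixes /8, /16 and /24 are handled.
reverse_zone() {
  cidr=$1
  ip=${cidr%/*}
  prefix=${cidr#*/}
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  case $prefix in
    8)  printf '%s.in-addr.arpa\n' "$1" ;;
    16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
    24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
    *)  printf 'reverse_zone: only /8, /16 and /24 are handled, got /%s\n' "$prefix" >&2
        return 1 ;;
  esac
}

# ptr_label IP PREFIX -> record name relative to the zone,
# e.g. 192.168.10.25 24 -> 25 ; 10.20.30.40 8 -> 40.30.20
ptr_label() {
  ip=$1; prefix=$2
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  case $prefix in
    8)  printf '%s.%s.%s\n' "$4" "$3" "$2" ;;
    16) printf '%s.%s\n' "$4" "$3" ;;
    24) printf '%s\n' "$4" ;;
    *)  return 1 ;;
  esac
}

# plan_reverse_zone DC CIDR  (reads "ip fqdn" pairs from stdin)
# Prints the commands that would create the zone, add one PTR per host
# and dump the zone afterwards for a check. Nothing is executed here.
plan_reverse_zone() {
  dc=$1; cidr=$2
  zone=$(reverse_zone "$cidr")
  prefix=${cidr#*/}
  printf 'samba-tool dns zonecreate %s %s -U Administrator\n' "$dc" "$zone"
  while read -r ip fqdn; do
    [ -n "$ip" ] || continue
    printf 'samba-tool dns add %s %s %s PTR %s -U Administrator\n' \
      "$dc" "$zone" "$(ptr_label "$ip" "$prefix")" "$fqdn"
  done
  printf 'samba-tool dns query %s %s @ ALL -U Administrator\n' "$dc" "$zone"
}

# Constructed sample input: a /24 with the two DCs (placeholder names).
plan_reverse_zone dc1.example.internal 192.168.10.0/24 <<EOF
192.168.10.10 dc1.example.internal
192.168.10.11 dc2.example.internal
EOF
```

The script only prints; paste the lines it emits into a shell on the DC once they look right, then confirm the zone really exists on both DCs with `samba-tool dns zonelist <dc> --reverse -U Administrator`. Subnets smaller than a /24 need RFC 2317 style delegation and are deliberately rejected here rather than guessed at.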