[Samba] Various Samba AD questions
Anders Östling
anders.ostling at gmail.com
Tue Feb 9 16:25:37 UTC 2021
I am struggling to learn more on how to replace a couple of Windows DCs. This is a long-term plan since we have a quite well-working mix of Windows and Samba, but I aim to eventually have a pure (server-side) Linux rack to handle.
So, now I have a bunch of VMs running Debian 10 with Samba 4.9.5. Two of these are DCs, one a FS and a third will be the management center and VPN entry point.
WORKING
Domain provisioned on first DC, second DC joined successfully
The internal DNS server is running on both, and seems to sync correctly
The 2 DCs are replicating the AD correctly (verified with samba-tool)
Sysvol share replicated using rsync
Win 10 client joined as member
Can logon on Win client using a domain account
GPOs created for home directory and roaming profiles
Can manage both DCs with RSAT tools for DNS, GPO, ADUC, Computer mgmt etc.
NOT WORKING OR NOT IMPLEMENTED YET
Redundant DHCP server (isc-dhcpd on primary as of now)
Reverse DNS entries are not created automatically. Also, using samba-tool dns zonecreate to create the reverse zone reported success, but the zone was not set up correctly. I had to delete it using RSAT and re-create it manually.
Weird permission problem on the second DC for the profile share; no problem on the first DC. Opening Properties/Security on the mapped profile share crashes Windows Explorer hard.
The profile share is defined (on both) as
root at dc2-hplts:/# cat /etc/samba/smb.conf
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = DC2-HPLTS
realm = HOGANAS-PLATSLAGAREN.SE
server role = active directory domain controller
workgroup = HPLTS
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/hoganas-platslagaren.se/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[profiles]
path = /samba/profiles
read only = No
The ACL on the working share has been copied to the non-working one:
root at dc2-hplts:/# getfacl samba/profiles/
# file: samba/profiles/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000002:rwx
user:3000004:rwx
group::rwx
group:users:rwx
group:3000000:rwx
group:3000002:rwx
group:3000004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000002:rwx
default:user:3000004:rwx
default:group::---
default:group:3000000:rwx
default:group:3000002:rwx
default:group:3000004:rwx
default:mask::rwx
default:other::---
Next thing is that on the production Samba server, the object list (wbinfo -g/-u) showed up without the prefix. Now on the DC, the group names are prefixed with the NetBIOS name. Is that normal for an AD DC?
root at dc1-hplts:/# wbinfo -u
HPLTS\administrator
HPLTS\guest
HPLTS\krbtgt
HPLTS\anders
root at dc1-hplts:/# wbinfo -g
HPLTS\cert publishers
HPLTS\ras and ias servers
HPLTS\allowed rodc password replication group
HPLTS\denied rodc password replication group
HPLTS\dnsadmins
HPLTS\enterprise read-only domain controllers
HPLTS\domain admins
HPLTS\domain users
HPLTS\domain guests
HPLTS\domain computers
HPLTS\domain controllers
HPLTS\schema admins
HPLTS\enterprise admins
HPLTS\group policy creator owners
HPLTS\read-only domain controllers
HPLTS\dnsupdateproxy
I am really determined to learn more on Samba's functions, and since I prefer to read paper books, I have been looking for a reasonably up-to-date Samba book. The one I found was for v4.0, and I suspect that there have been a LOT of changes since then. The other, more recent book was only available in German, so that's a no-go. Hopefully someone will find time to author, or translate, a newer one soon!
/Anders
Anders Östling
Dämmegatan 11
SE-25442 Helsingborg
Sweden
Phone: +46 768 716 165
Skype: anders.ostling at outlook.com
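Added example (editor's, not the poster's code and not part of the Samba project): a POSIX shell helper for the "copied the ACL from dc1 to dc2" step above. On a Samba AD DC the 3000000-range ids in the getfacl listing are allocated in each DC's own idmap.ldb, so the same number can stand for a different SID on dc1-hplts and dc2-hplts, and a getfacl listing copied from one DC to the other is only meaningful if both DCs resolve those ids to the same SIDs. The script pulls the bare numeric ids out of a getfacl listing, resolves each with wbinfo --uid-to-sid / --gid-to-sid on the DC where it runs, and compares the two resulting maps. The script name, the output paths and the map files are assumptions; the sample listing is the dc2-hplts output from the post.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project.
# Compares, for two Samba AD DCs, which SID each numeric xid in a
# profiles-share ACL resolves to. The 3000000-range ids come from each
# DC's own idmap.ldb, so they need not agree between DCs.

# sample_getfacl: the getfacl listing posted for dc2-hplts, used as test input.
sample_getfacl() {
    cat <<'EOF'
# file: samba/profiles/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000002:rwx
user:3000004:rwx
group::rwx
group:users:rwx
group:3000000:rwx
group:3000002:rwx
group:3000004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000002:rwx
default:user:3000004:rwx
default:group::---
default:group:3000000:rwx
default:group:3000002:rwx
default:group:3000004:rwx
default:mask::rwx
default:other::---
EOF
}

# extract_xids: stdin = getfacl output; stdout = unique "uid N" / "gid N" lines
# for the owning group and every ACL entry whose name is a bare number, i.e. an
# id that winbind did not map to a name on the DC where getfacl ran.
extract_xids() {
    awk -F: '
        /^# (owner|group): [0-9]+$/ {
            split($0, f, ": ")
            kind = (f[1] ~ /owner/) ? "uid" : "gid"
            print kind, f[2]
            next
        }
        /^(default:)?(user|group):[0-9]+:/ {
            name = ($1 == "default") ? $2 : $1
            id   = ($1 == "default") ? $3 : $2
            kind = (name == "user") ? "uid" : "gid"
            print kind, id
        }' | sort -u
}

# resolve_xids: stdin = "uid N" / "gid N"; stdout = "uid N SID", asking wbinfo
# on this DC. UNMAPPED marks ids this DC's idmap.ldb knows nothing about.
resolve_xids() {
    while read -r kind id; do
        sid=$(wbinfo "--$kind-to-sid" "$id" 2>/dev/null) || sid=UNMAPPED
        printf '%s %s %s\n' "$kind" "$id" "$sid"
    done
}

# compare_xid_maps DC1.map DC2.map: exit 0 if every xid resolves to the same
# SID on both DCs, otherwise print each difference and exit 1.
compare_xid_maps() {
    awk '
        NR == FNR { dc1[$1 " " $2] = $3; next }
        {
            k = $1 " " $2
            if (!(k in dc1))       { print "ONLY-ON-DC2: " k " -> " $3; bad++ }
            else if (dc1[k] != $3) { print "MISMATCH: " k " is " dc1[k] " on DC1 but " $3 " on DC2"; bad++ }
            seen[k] = 1
        }
        END {
            for (k in dc1) if (!(k in seen)) { print "ONLY-ON-DC1: " k " -> " dc1[k]; bad++ }
            exit bad ? 1 : 0
        }' "$1" "$2"
}

# Assumed usage (script name, paths and host names are assumptions):
#   on each DC:  sh xidcheck.sh /samba/profiles > /tmp/$(hostname).map
#   then:        sh xidcheck.sh compare /tmp/dc1-hplts.map /tmp/dc2-hplts.map
case "${1:-}" in
    "")      ;;                                          # no args: only define the functions
    compare) compare_xid_maps "$2" "$3" ;;
    *)       getfacl "$1" | extract_xids | resolve_xids ;;
esac
```

A MISMATCH or UNMAPPED line means the numeric entries copied between the DCs do not name the same security principals on both, which is why the Samba wiki recommends copying idmap.ldb from the first DC to each additional DC before syncing sysvol; the check does not, by itself, explain the Explorer crash, it only rules the id maps in or out.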