[Samba] Various Samba AD questions

Tue Feb 9 16:57:36 UTC 2021

On 09/02/2021 16:25, Anders Östling via samba wrote:
> I am struggling to learn more on how-to replacing a couple of Windows DC’s. This is a long-term plan since we have a quite well working mix of Windows and Samba, but I aim to eventually have a pure (server-side) Linux rack to handle.
>
> So, now I have a bunch of VM’s running Debian 10 with Samba 4.9.5. Two of these are DC’s, one a FS and a third will be the management center and VPN entry point.
>
> WORKING
>
> Domain provisioned on first DC, second DC joined successfully
> The internal DNS server is running on both, and seems to sync correctly
> The 2 DC’s are replicating the AD correctly (verified with samba-tool)
> Sysvol share replicated using rsync
> Win 10 client joined as member
> Can logon on Win client using a domain account
> GPO’s created for home directory and roaming profiles
> Can manage both DC’s with RSAT tools for DNS, GPO, ADUC, Computer mgmnt etc.
>
> NOT WORKING OR NOT IMPLEMENTED YET
>
> Redundant  DHCP server (ics-dhcpd on primary as of now)
> Reverse DNS entries not created automatically. Also, using SAMBA-TOOL DNS ZONECREATE to create the reverse zone reported success but the zone was not correctly setup. Had to delete it using RSAT and re-create manually.

Creating the reverse zone with samba-tool should have worked, always has 
for myself:

sudo samba-tool dns zonecreate u2004dc 0.168.192.in-addr.arpa -U 
Administrator

How are you running the dhcp server, have you read this: 
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Ignore the 'bind9' bit, I must rename that page 😁

> Weird permission problem on second DC for the profile share, no problem on the first DC. Opening Properties/Security on the mapped Profile share crashes the Windows Explorer hard.

Are you syncing the profile share between DC's ? Also most people just 
place the profiles on a Unix domain member.

>
> Profile share defined (on both) as
>
> root at dc2-hplts:/# cat /etc/samba/smb.conf
>
> # Global parameters
> [global]
> 	dns forwarder = 8.8.8.8
> 	netbios name = DC2-HPLTS
> 	realm = HOGANAS-PLATSLAGAREN.SE
> 	server role = active directory domain controller
> 	workgroup = HPLTS
> 	idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> 	path = /var/lib/samba/sysvol/hoganas-platslagaren.se/scripts
> 	read only = No
>
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
>
> [profiles]
> 	path = /samba/profiles
> 	read only = No
>
> The ACL on the working share has been copied to the non-working
>
> root at dc2-hplts:/# getfacl samba/profiles/
> # file: samba/profiles/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000002:rwx
> user:3000004:rwx
> group::rwx
> group:users:rwx
> group:3000000:rwx
> group:3000002:rwx
> group:3000004:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000002:rwx
> default:user:3000004:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000002:rwx
> default:group:3000004:rwx
> default:mask::rwx
> default:other::---

The windows permissions are stored in an EA called 'security.NTACL', you 
can read this with 'samba-tool ntacl get <file> --as-sddl'

>
> Next thing is that on the production Samba server, the object list (wbinfo -g/u) showed up without the prefix. Now on the DC, the group names are prefixed with the Netbios name. Is that normal for an AD DC?.

Yes and you cannot remove the netbios name.

>
>
>
> I am really determined to learn more on Samba’s functions, and since I prefer to read paper books, I have been looking for an reasonably up-2-date Samba book. The one I found was for v4.0, and I suspect that there have been a LOT of changes since then. The other more recent book was only available in German, so that’s  no-go. Hopefully someone will find time to author, or translate, a newer one soon!
>

The only really recent documentation is what is written in the Samba 
wiki (and if anyone notices an error or omission, please report it). 
Your best option, as you seem to have found out, is to ask questions here.

Rowland