[Samba] New AD-DC missing some DNS Information

Rowland penny rpenny at samba.org
Tue Feb 16 08:26:50 UTC 2021

On 15/02/2021 22:31, Robert Steinmetz AIA via samba wrote:
> I don't think so. systemd-resolved is not running. It is disabled and 
> masked.
> There are a gazillion proposed methods to do this and I haven't 
> figured out which one looks good.
> In the interim I locked it down with chattr +i /etc/resolv.conf I can 
> now reboot and it seems to work.

Whatever it is, then A) It has nothing to do with Samba B) You need to 
fix it.

>>> In my case I've added a user 'debbie'
>>> # wbinfo -u
>>> NO.STEINMETZNET\administrator
>> Why does your Netbios domain name have a dot in it ?
> Because that is the name of the sub-domain I used. Did I misunderstand 
> something? Our domain is steinmetznet.com which was my first attempt. 
> The next attempt added the sub-domain no.steinmetznet.com. In our 
> current NT Domain the domain name is something entirely different.

Whilst the REALM is the dns domain in uppercase, the netbios domain is 
something different; it doesn't help that 'domain' is used to describe 
both. The netbios domain name (also called 'workgroup') is usually the 
left-hand part of the dns domain in uppercase, but it can be anything, 
try reading this:


>> I figured I needed that, but I don't remember seeing that in any of 
>> the documentation I reviewed. I did find a page on configuring 
>> winbindd but not that it was required.

I thought it did, but I will check.

> I'm sorry I'm not following this. I added the 'template shell = 
> /bin/bash' and 'template homedir = /home/%U' and 'user debbie' can now 
> login.
> What I think you're saying is that samba-tool user <username> 
> --login-shell and --unix-home don't have any effect on a DC.

Yes, that, but they also have no effect unless you use a correctly 
set up smb.conf using the winbind 'ad' backend on a Unix domain member.

> My ultimate intention is to make all of our three samba servers backup 
> domain controllers.  But before I undertake that I want to have a 
> basic understanding of the AD tools and requirements.

Then you need to start by understanding that there are no 'backup' DCs, 
all DCs are equal.

>> You are mixing up the Windows home directory and the Unix home 
>> directory.
>> The Windows home directory is the one you should link to the Windows 
>> Drive letter, the Unix home directory is what the user would use if 
>> they log into a Unix domain member.
> Why can't they be the same directory? That is what we do now.

I am not saying they cannot be, they just use different attributes in AD.
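As an added illustration (not part of this thread, and not the poster's own configuration), the two smb.conf setups the reply contrasts, shown as two separate files: a DC, where only the 'template' parameters decide shell and home directory, and a Unix domain member using the winbind 'ad' backend, where the RFC2307 attributes that samba-tool's --unix-home and --login-shell write are read from AD. The realm NO.STEINMETZNET.COM, the workgroup NO and the idmap ranges are assumed values.

```ini
# ---- File 1: smb.conf on the AD DC (constructed example, values assumed) ----
# The DC does not use the winbind 'ad' backend, so the loginShell and
# unixHomeDirectory attributes set with 'samba-tool user' are ignored here and
# every domain user gets the template values when logging in on the DC itself.
[global]
    workgroup = NO
    realm = NO.STEINMETZNET.COM
    server role = active directory domain controller
    template shell = /bin/bash
    template homedir = /home/%U

# ---- File 2: smb.conf on a Unix domain member (constructed example) ----
# The 'ad' backend reads uidNumber, gidNumber, loginShell and unixHomeDirectory
# from AD, so the values written with --unix-home / --login-shell take effect
# on this host. A user without a uidNumber is not visible to the member.
[global]
    workgroup = NO
    realm = NO.STEINMETZNET.COM
    security = ADS
    # fallback idmap for BUILTIN and any domain without its own block
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # idmap blocks are keyed by the NetBIOS domain name (workgroup),
    # not by the DNS domain name
    idmap config NO : backend = ad
    idmap config NO : schema_mode = rfc2307
    idmap config NO : range = 10000-999999
    idmap config NO : unix_nss_info = yes
    # with unix_nss_info = yes these templates are only used when the
    # AD attributes are empty; set it to 'no' to ignore the AD attributes
    template shell = /bin/bash
    template homedir = /home/%U
```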

