[Samba] Samba AD DC for Debian

Rowland Penny rpenny at samba.org
Tue Oct 26 07:55:02 UTC 2021


On Tue, 2021-10-26 at 00:54 -0400, Rob Campbell wrote:
> First, I had a fully working exactly as expected version at one
> point.  I had the ssh authentication working with the creation of the
> home directories on install and a domain member (also Debian).  I
> didn't write down my instructions because... I was just trying to get
> it to work. 

I learnt the hard way, always take notes :-)

>  It actually wasn't hard that time.  For some reason, it is difficult
> now.  I am starting with a clean Debian 11 DVD install (debian-
> 11.0.0-amd64-DVD-1.iso).  After completing the install, I start
> running through the wiki.  What I found is that the wiki doesn't give
> instructions to install Samba and key packages (unless I missed it)
> but it gave all those dependencies I mentioned.  I'm not sure why now
> the new install is having issues so I'm starting with a clean vm.

As I have said, the Samba wiki is written from the point of view of a
self-compiled Samba (mostly) and the distros are supposed to provide
their own instructions using their packages. This is because the
distros cannot agree on how to package Samba and what to call the
resultant packages (or even where to place them). For instance 'libnss-
winbind, libpam-winbind and libpam-krb5' on Debian based distros is
just 'winbind-clients' on Fedora.
 
> 
> Domain Controller
> Install debian-11.0.0-amd64-DVD-1.iso
> Are there some specific configurations that I need to set here that I
> missed the 2nd and 3rd time?
> Fix apt so that it doesn't try to pull from dvd
> apt-get update (just because)
> Go through wiki
> Hostname = DSDC01
> Domain Name = HOME.TEST-SERVER.LAN
> IP Address = 10.0.0.19
> apt install samba winbind libnss-winbind libpam-winbind libpam-krb5
> ntp binutils ldb-tools krb5-user
> samba-tool domain provision --server-role=dc --use-rfc2307 --dns-
> backend=SAMBA_INTERNAL --realm=HOME.TEST-SERVER.LAN --domain=HOME --
> adminpass=1243Password
> Need to install smbclient 'apt install smbclient'
> All goes well, it seems.
> 
> Domain Member
> 
> Samba is not installed.  Wiki doesn't suggest which packages to
> install but I installed the same packages suggested in the previous
> response #8.

Good plan, you need the same packages for a DC and a Unix domain member,
it is how you configure them that matters.

> 
> Everything was fine til I get to reverse lookup
> 
> [Tue Oct 26 00:19:13] [root at DSDM05~$] nslookup 10.0.0.19
> ** server can't find 19.0.0.10.in-addr.arpa: NXDOMAIN

That should work, have you set the DC as the first nameserver in the
Unix domain member's /etc/resolv.conf ?

> 
> [Tue Oct 26 00:18:20] [root at DC01~$] samba-tool dns zonecreate
> 10.0.0.19 0.0.10.in-addr.arpa
> Password for [administrator at HOME.TEST-SERVER.LAN]:
> ERROR(runtime): uncaught exception - (9609,
> 'WERR_DNS_ERROR_ZONE_ALREADY_EXISTS')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line
> 735, in run
>     res = dns_conn.DnssrvOperation2(client_version, 0, server, None,

That has been fixed in a later version, the reverse zone existing isn't
an error.

> 
> samba-tool dns add home.test-server.lan 0.0.10.in-addr.arpa 19 PTR
> home.test-server.lan
> Now reverse lookup is fine: 19.0.0.10.in-addr.arpa name = home.test-
> server.lan.

Yes, you need to add the reverse record manually, I thought it says
this in the wiki, I will check.

> 
> [Tue Oct 26 00:50:35] [root at DSDM05/etc$] net ads join -U
> Administrator
> Enter Administrator's password:
> Using short domain name -- HOME
> Joined 'DSDM05' to dns domain 'home.test-server.lan'
> DNS Update for dsdm05.home.test.server.lan failed:
> ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL

This is usually down to a misconfigured /etc/hosts

Rowland
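
Added example, not part of the original message and not Samba's own code: a shell function that checks a member's hosts file for the faults that commonly make the DNS update at join time fail (host name on a loopback address, an FQDN outside the joined DNS domain, short name listed before the FQDN). The host and domain names come from the thread; the address 10.0.0.25, the finding labels and both sample files are constructed assumptions.

```shell
#!/bin/sh
# Usage on a real member: check_hosts dsdm05 home.test-server.lan < /etc/hosts
# Prints one finding per line, or "OK"; exit status is non-zero on any finding.
check_hosts() {
    awk -v host="$1" -v dom="$2" '
    BEGIN { host = tolower(host); fqdn = host "." tolower(dom); bad = 0; seen = 0 }
    {
        sub(/#.*/, "")                      # drop comments, fields are re-split
        if (NF < 2) next
        for (i = 2; i <= NF; i++) {
            n = tolower($i)
            # only look at names that are this host or host.<anything>
            if (n != host && index(n, host ".") != 1) continue
            seen = 1
            if ($1 ~ /^127\./ || $1 == "::1") { print "LOOPBACK " $1 " " n; bad = 1 }
            if (n != host && n != fqdn) { print "WRONG_FQDN " n " expected " fqdn; bad = 1 }
            if (n == host && i == 2)    { print "SHORT_NAME_FIRST " $1; bad = 1 }
        }
    }
    END {
        if (!seen) { print "MISSING " fqdn; bad = 1 }
        if (!bad) print "OK"
        exit bad
    }'
}

# Constructed sample: installer-style loopback entry, FQDN spelled as in the
# failed update message (test.server instead of test-server).
bad_sample() {
    printf '%s\n' '127.0.0.1 localhost' \
                  '127.0.1.1 dsdm05.home.test.server.lan dsdm05'
}

# Constructed sample: LAN address (made up), FQDN first, short name second.
good_sample() {
    printf '%s\n' '127.0.0.1 localhost' \
                  '10.0.0.25 dsdm05.home.test-server.lan dsdm05'
}

echo "bad sample:";  bad_sample  | check_hosts DSDM05 home.test-server.lan || true
echo "good sample:"; good_sample | check_hosts DSDM05 home.test-server.lan
```

Run it before 'net ads join'; any line other than OK names the hosts entry to correct.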




