[Samba] Samba AD DC for Debian

Rob Campbell robcampbell08105 at gmail.com
Tue Oct 26 15:42:31 UTC 2021


*Domain Controller*

[Tue Oct 26 11:08:28] [root at DC01~$] *cat /etc/resolv.conf *
search home.test-server.lan
nameserver 10.0.0.19
[Tue Oct 26 11:08:50] [root at DC01~$] *cat /etc/hosts*
127.0.0.1 localhost
#127.0.1.1 DC01.home.test-server.lan DC01
10.0.0.19 DC01.home.test-server.lan DC01
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
[Tue Oct 26 11:08:55] [root at DC01~$] *hostname*
DC01

[Tue Oct 26 11:12:47] [root at DC01~$] *cat /etc/samba/smb.conf*
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = DC01
realm = HOME.TEST-SERVER.LAN
server role = active directory domain controller
workgroup = HOME
idmap_ldb:use rfc2307 = yes
kerberos method = secrets and keytab
winbind refresh tickets = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/home.test-server.lan/scripts
read only = No

[Tue Oct 26 11:16:05] [root at DC01~$] *cat /etc/krb5.conf *
[libdefaults]
default_realm = HOME.TEST-SERVER.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
HOME.TEST-SERVER.LAN = {
default_domain = home.test-server.lan
}

[domain_realm]
DC01 = HOME.TEST-SERVER.LAN

*Domain Member*

[Tue Oct 26 11:10:17] [root at DSDM05/etc$] *cat /etc/resolv.conf *
search home.test-server.lan
nameserver 10.0.0.19
[Tue Oct 26 11:10:21] [root at DSDM05/etc$] *cat /etc/hosts*
127.0.0.1 localhost
#127.0.1.1 DSDM05.home.test-server.lan DSDM05
10.0.0.250 DSDM05.home.test.server.lan DSDM05
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
[Tue Oct 26 11:10:24] [root at DSDM05/etc$] *hostname*
DSDM05

[Tue Oct 26 11:17:31] [root at DSDM05/etc$] *cat /etc/samba/smb.conf*
[global]
   dns forwarder = 10.0.0.19
   workgroup = HOME
   security = ADS
   realm = HOME.TEST-SERVER.LAN

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind use default domain = yes

   idmap config * : backend = autorid
   idmap config * : range = 100000-2499999

   template shell = /bin/bash
   template homedir = /home/HOME/%U

   username map = /etc/samba/user.map

[Tue Oct 26 11:36:04] [root at DSDM05/etc$] *cat /etc/krb5.conf *
[libdefaults]
default_realm = HOME.TEST-SERVER.LAN

# The following krb5.conf variables are only for MIT Kerberos.
dns_lookup_realm = false
dns_lookup_kdc = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.


Just curious.  Are these the only files that need to be edited for this to
work?  If so, couldn't we have full samples of the files to mimic and
compare?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Tue, Oct 26, 2021 at 3:55 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 2021-10-26 at 00:54 -0400, Rob Campbell wrote:
> > First, I had a fully working exactly as expected version at one
> > point.  I had the ssh authentication working with the creation of the
> > home directories on install and a domain member (also Debian).  I
> > didn't write down my instructions because... I was just trying to get
> > it to work.
>
> I learnt the hard way, always take notes :-)
>
> >  It actually wasn't hard that time.  For some reason, it is difficult
> > now.  I am starting with a clean Debian 11 DVD install (debian-
> > 11.0.0-amd64-DVD-1.iso).  After completing the install, I start
> > running through the wiki.  What I found is that the wiki doesn't give
> > instructions to install Samba and key packages (unless I missed it)
> > but it gave all those dependencies I mentioned.  I'm not sure why now
> > the new install is having issues so I'm starting with a clean vm.
>
> As I have said, the Samba wiki is written from the point of view of a
> self-compiled Samba (mostly) and the distros are supposed to provide
> their own instructions using their packages. This is because the
> distros cannot agree on how to package Samba and what to call the
> resultant packages (or even where to place them). For instance 'libnss-
> winbind, libpam-winbind and libpam-krb5' on Debian based distros is
> just 'winbind-clients' on fedora.
>
> >
> > Domain Controller
> > Install debian-11.0.0-amd64-DVD-1.iso
> > Are there some specific configurations that I need to set here that I
> > missed the 2nd and 3rd time?
> > Fix apt so that it doesn't try to pull from dvd
> > apt-get update (just because)
> > Go through wiki
> > Hostname = DSDC01
> > Domain Name = HOME.TEST-SERVER.LAN
> > IP Address = 10.0.0.19
> > apt install samba winbind libnss-winbind libpam-winbind libpam-krb5
> > ntp binutils ldb-tools krb5-user
> > samba-tool domain provision --server-role=dc --use-rfc2307 --dns-
> > backend=SAMBA_INTERNAL --realm=HOME.TEST-SERVER.LAN --domain=HOME --
> > adminpass=1243Password
> > Need to install smbclient 'apt install smbclient'
> > All goes well, it seems.
> >
> > Domain Member
> >
> > Samba is not installed.  Wiki doesn't suggest which packages to
> > install but I installed the same packages suggested in the previous
> > response #8.
>
> Good plan, you need the same packages for a DC and a Unix domain member;
> it is how you configure them that matters.
>
> >
> > Everything was fine till I get to reverse lookup
> >
> > [Tue Oct 26 00:19:13] [root at DSDM05~$] nslookup 10.0.0.19
> > ** server can't find 19.0.0.10.in-addr.arpa: NXDOMAIN
>
> That should work, have you set the DC as the first nameserver in the
> Unix domain member's /etc/resolv.conf?
>
> >
> > [Tue Oct 26 00:18:20] [root at DC01~$] samba-tool dns zonecreate
> > 10.0.0.19 0.0.10.in-addr.arpa
> > Password for [administrator at HOME.TEST-SERVER.LAN]:
> > ERROR(runtime): uncaught exception - (9609,
> > 'WERR_DNS_ERROR_ZONE_ALREADY_EXISTS')
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> > line 186, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line
> > 735, in run
> >     res = dns_conn.DnssrvOperation2(client_version, 0, server, None,
>
> That has been fixed in a later version, the reverse zone existing isn't
> an error.
>
> >
> > samba-tool dns add home.test-server.lan 0.0.10.in-addr.arpa 19 PTR
> > home.test-server.lan
> > Now reverse lookup is fine: 19.0.0.10.in-addr.arpa name = home.test-
> > server.lan.
>
> Yes, you need to add the reverse record manually, I thought it said
> this in the wiki, I will check.
>
> >
> > [Tue Oct 26 00:50:35] [root at DSDM05/etc$] net ads join -U
> > Administrator
> > Enter Administrator's password:
> > Using short domain name -- HOME
> > Joined 'DSDM05' to dns domain 'home.test-server.lan'
> > DNS Update for dsdm05.home.test.server.lan failed:
> > ERROR_DNS_UPDATE_FAILED
> > DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> This is usually down to a misconfigured /etc/hosts
>
> Rowland
>

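Rowland's diagnosis ("usually down to a misconfigured /etc/hosts") can be checked mechanically before running net ads join: the member's /etc/hosts entry must bind the real IP to hostname plus the realm's DNS domain, and /etc/resolv.conf must point first at the DC. The following is an added example, not code from the thread or from Samba; the file contents are constructed strings built from the values posted above (note the misspelt home.test.server.lan in the member's hosts line) so that it runs offline.

```python
import re

# Constructed sample inputs using the values from the thread; these are not
# the poster's actual files.
SMB_CONF = "[global]\n   security = ADS\n   realm = HOME.TEST-SERVER.LAN\n"
HOSTS_BAD = """127.0.0.1 localhost
#127.0.1.1 DSDM05.home.test-server.lan DSDM05
10.0.0.250 DSDM05.home.test.server.lan DSDM05
"""
HOSTS_GOOD = "127.0.0.1 localhost\n10.0.0.250 DSDM05.home.test-server.lan DSDM05\n"
RESOLV = "search home.test-server.lan\nnameserver 10.0.0.19\n"

def realm_from_smb_conf(text):
    """Lower-case realm from smb.conf, e.g. 'home.test-server.lan'."""
    m = re.search(r"^\s*realm\s*=\s*(\S+)", text, re.M | re.I)
    return m.group(1).lower() if m else None

def host_entry(hosts_text, hostname):
    """(ip, first name) of the first uncommented /etc/hosts line naming the host."""
    want = hostname.lower()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenise
        names = [n.lower() for n in fields[1:]]
        if any(n == want or n.startswith(want + ".") for n in names):
            return fields[0], names[0]
    return None, None

def check_member(smb_conf, hosts_text, resolv_text, hostname, dc_ip):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    realm = realm_from_smb_conf(smb_conf)
    ip, fqdn = host_entry(hosts_text, hostname)
    expected = f"{hostname.lower()}.{realm}"
    if fqdn != expected:
        findings.append(f"hosts: host resolves to '{fqdn}', expected '{expected}'")
    elif ip.startswith("127."):
        # Debian's default 127.0.1.1 line must not carry the AD FQDN
        findings.append(f"hosts: FQDN bound to loopback {ip}; AD needs the real IP")
    ns = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M)
    if not ns or ns[0] != dc_ip:
        findings.append(f"resolv: first nameserver is {ns[0] if ns else None}, not DC {dc_ip}")
    search = re.findall(r"^\s*search\s+(.+)$", resolv_text, re.M)
    if not search or realm not in search[0].lower().split():
        findings.append(f"resolv: search list does not include {realm}")
    return findings

if __name__ == "__main__":
    for hosts in (HOSTS_BAD, HOSTS_GOOD):
        print(check_member(SMB_CONF, hosts, RESOLV, "DSDM05", "10.0.0.19") or "OK")
```

Run against the posted values it reports only the hosts-file mismatch, which is exactly the name the failed DNS update complained about (dsdm05.home.test.server.lan).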
