[Samba] Provisioning new AD Domain Controller

Mark Foley mfoley at novatec-inc.com
Thu Nov 30 05:50:47 UTC 2023


After a several month hiatus, I'm back trying to provision a new AD/DC on
Slackware 15.0, Samba 4.18.8.

I'm following the guide: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

I have some questions and at least one problem.

I've provisioned as follows:

samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL --domain=HPRS \
  --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=password

I have 2 network cards, one Internet facing: eth0, and one for the lan: eth1.
One thing I forgot to include in my provision command was:

  --option="interfaces=lo eth1" --option="bind interfaces only=yes"

Is this a big problem? Can I do something with this later? Should I reset
everything and start over?

The provision tool specifies an admin password, but where is the administrator
username specified?

The wiki next gives instructions on Creating a Reverse Zone, but after the
instructions it says, "You must start the Samba AD DC before you can add a reverse
zone", so I skipped past that step (and maybe it should be moved to after
starting the AD/DC in the wiki?).

I then did the Configure Kerberos step, and here's when things weren't so clear.
The instructions say,

During the provisioning, Samba created a Kerberos configuration file for your
DC.  Copy this file to your operating system's Kerberos configuration.  For
example:

# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

The provisioning output gave the following Kerberos related messages:

Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hprs,DC=locl)
INFO 2023-11-29 21:16:44,535 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2342: The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!

The 3rd message says, "A Kerberos configuration suitable for Samba AD has been
generated at /var/lib/samba/private/krb5.conf". This differs from the wiki
instructions which indicate the config file is generated at
/usr/local/samba/private/krb5.conf. Well, I figured that was a distro issue,
newer samba-tool version, or some such thing so I pressed on.

But where is my "operating system's Kerberos configuration" located? Scanning
the drive for krb5.conf I found:

# find / -name krb5.conf
/usr/share/samba/setup/krb5.conf
/usr/doc/krb5-1.19.2/examples/krb5.conf

none of which seem to be real config files for my OS/distro, and none of my
Slackware 15.0 hosts seem to be running Kerberos. So, I left the file
in /var/lib/samba/private/krb5.conf, which probably contributed to my failure
below.

I moved on to the Testing your Samba AD DC step and started samba. According to
syslog that failed the first time because it could not create the directory
/var/run/samba/ncalrpc, so I created it and tried again. That failed as well
with the following in syslog:

Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033,  0] ../../source4/samba/server.c:621(binary_smbd_main)
Nov 29 23:25:11 DC1 samba[3990]:   samba version 4.18.8 started.
Nov 29 23:25:11 DC1 samba[3990]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019,  0] ../../source4/samba/server.c:896(binary_smbd_main)
Nov 29 23:25:11 DC1 samba[3991]:   binary_smbd_main: samba: using 'prefork' process model
Nov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326,  0] ../../source3/smbd/server.c:1746(main)
Nov 29 23:25:11 DC1 smbd[3997]:   smbd version 4.18.8 started.
Nov 29 23:25:11 DC1 smbd[3997]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564,  0] ../../source4/samba/server.c:391(samba_terminate)
Nov 29 23:25:11 DC1 samba[3991]:   samba_terminate: samba_terminate of samba 3991: mitkdc child process exited

The last message says, "mitkdc child process exited".  This smells like a
Kerberos issue and maybe my config file is in the wrong place since I didn't copy
it anywhere.  Also does the "mit" bit of this process name mean it's trying to
run MIT Kerberos? I thought I had Heimdal installed. 

Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and message on
Sat, 28 Jan 2023 10:11:44 +0000, wrote:

"smbd -b | grep HAVE_LIBKADM5SRV_MIT

You should get nothing returned if Samba was built using the built in Heimdal."

I did that and got nothing, so Heimdal?

Perhaps my theories about Kerberos issues are wrong, but in any case can someone help
me get mitkdc (or whatever) process to not exit so I can get samba to start?

Thanks --Mrk
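
Added example, not part of the original message: a shell check of the state the provisioning output asks for ("Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!"). It assumes /etc/krb5.conf as the system path (the target of the wiki's cp command quoted above); the function names are illustrative.

```shell
#!/bin/sh
# Compare the krb5.conf generated by provisioning with the system-wide one.
# Usage: script GENERATED SYSTEM REALM, e.g. with the values from this message:
#   /var/lib/samba/private/krb5.conf /etc/krb5.conf HPRS.LOCL

# Print the default_realm value of a krb5.conf-style file (empty if none).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# Print one status word and return 0 only when the system file is usable:
#   missing-generated  provisioning output file not found
#   symlink            system file is a symlink (the provision log forbids it)
#   missing-system     no system-wide krb5.conf at all
#   realm-mismatch     system file points at another (or no) default realm
#   identical          system file is a copy of the generated one
#   differs            realm matches but content was merged or edited
check_krb5_conf() {
    generated=$1; system=$2; realm=$3
    if [ ! -f "$generated" ]; then echo missing-generated; return 1; fi
    # Test -L before -f so that a dangling symlink is still reported as one.
    if [ -L "$system" ]; then echo symlink; return 1; fi
    if [ ! -f "$system" ]; then echo missing-system; return 1; fi
    if [ "$(krb5_default_realm "$system")" != "$realm" ]; then
        echo realm-mismatch; return 1
    fi
    if cmp -s "$generated" "$system"; then echo identical; else echo differs; fi
    return 0
}

# Run the check only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    check_krb5_conf "$1" "$2" "$3"
fi
```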


