[Samba] Provisioning new AD Domain Controller
Andrew Bartlett
abartlet at samba.org
Thu Nov 30 05:59:16 UTC 2023
On Thu, 2023-11-30 at 00:50 -0500, Mark Foley via samba wrote:
> After a several month hiatus, I'm back trying to provision a new
> AD/DC onSlackware 15.0, Samba 4.18.8.
> I'm following the guide:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> I have some questions and at least one problem.
> I've provisioned as follows:
> samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL --
> domain=HPRS \ --server-role=dc --dns-backend=SAMBA_INTERNAL --
> adminpass=password
> I have 2 network cards, one Internet facing: eth0, and one for the
> lan: eth1.One thing I forgot to include in my provision command was:
> --option="interfaces=lo eth1" --option="bind interfaces only=yes"
> Is this a big problem? Can I do something with this later? Should I
> reseteverything and start over?
Just put those into the smb.conf, that is all that happens with them.
> The provision tool specifies an admin passowrd, but where is the
> adminstratorusername specified?
It is always administrator, but you can technically rename it.
> The wiki next gives instructions on Creating a Reverse Zone, but
> after theinstructions it says, "You must start the Samba AD DC before
> you can add a reversezone", so I skipped past that step (and maybe it
> should be moved to afterstarting the AD/DC in the wiki?).
> I then did the Configure Kerberos step, and here's when things
> weren't so clear. The insructions say,
> During the provisioning, Samba created a Kerberos configuration file
> for yourDC. Copy this file to your operating system's Kerberos
> configuration. Forexample:
> # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
> The provisioning output gave the following Kerberos related messages:
> Repacking database from v1 to v2 format (first record
> DC=_kerberos._tcp.Default-First-Site-
> Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,
> DC=hprs,DC=locl)INFO 2023-11-29 21:16:44,535 pid:1224
> /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2342:
> The Kerberos KDC configuration for Samba AD is located at
> /var/lib/samba/private/kdc.confINFO 2023-11-29 21:16:44,536 pid:1224
> /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2348:
> A Kerberos configuration suitable for Samba AD has been generated at
> /var/lib/samba/private/krb5.confINFO 2023-11-29 21:16:44,536 pid:1224
> /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2350:
> Merge the contents of this file with your system krb5.conf or replace
> it with this one. Do not create a symlink!
> The 3rd message says, "A Kerberos configuration suitable for Samba AD
> has beengenerated at /var/lib/samba/private/krb5.conf". This differs
> from the wikiinstructions which indicate the config file is generated
> at/usr/local/samba/private/krb5.conf. Well, I figured that was a
> distro issue,newer samba-tool version, or some such thing so I
> pressed on.
Correct, paths vary depending on install method.
> But where is my "operating system's Kerberos configuration" located?
> Scanningthe drive for krb5.conf I found:
> # find / -name
> krb5.conf/usr/share/samba/setup/krb5.conf/usr/doc/krb5-
> 1.19.2/examples/krb5.conf
/etc/krb5.conf is the system-wide path
> none of which seem to be real config files for my OS/distro, and none
> of mySlackware 15.0 hosts seem to be running Kerberos. So, I left the
> filein /var/lib/samba/private/krb5.conf, which probably contributed
> to my failurebelow.
> I moved on to the Testing your Samba AD DC step and started samba.
> According tosyslog that failed the first time because it could not
> create the directory/var/run/samba/ncalrpc, so I created it and tried
> again. That failed as wellwith the following in syslog:
> Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033, 0]
> ../../source4/samba/server.c:621(binary_smbd_main)Nov 29 23:25:11 DC1
> samba[3990]: samba version 4.18.8 started.Nov 29 23:25:11 DC1
> samba[3990]: Copyright Andrew Tridgell and the Samba Team 1992-
> 2023Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019, 0]
> ../../source4/samba/server.c:896(binary_smbd_main)Nov 29 23:25:11 DC1
> samba[3991]: binary_smbd_main: samba: using 'prefork' process
> modelNov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326, 0]
> ../../source3/smbd/server.c:1746(main)Nov 29 23:25:11 DC1
> smbd[3997]: smbd version 4.18.8 started.Nov 29 23:25:11 DC1
> smbd[3997]: Copyright Andrew Tridgell and the Samba Team 1992-
> 2023Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564, 0]
> ../../source4/samba/server.c:391(samba_terminate)Nov 29 23:25:11 DC1
> samba[3991]: samba_terminate: samba_terminate of samba 3991: mitkdc
> child process exited
> The last message says, "mitkdc child process exited". This smells
> like aKerbros issue and maybe my config file is in the wrong place
> since I didn't copyit anywhere. Also does the "mit" bit of this
> process name mean it's trying torun MIT Kerberos? I thought I had
> Heimdal installed.
It certainly seems like you used an MIT KDC build, but may not have the
actual KDC installed.
> Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and
> message on Sat, 28 Jan 2023 10:11:44+0000, wrote:
> "smbd -b | grep HAVE_LIBKADM5SRV_MIT
> You should get nothing returned if Samba was built using the built in
> Heimdal."
> I did that and got nothing, so Heimdal?
You have a build for MIT Kerberos, we don't start an mitkdc task
otherwise.
> Perhaps my theories about Kerberos issues are wrong, but in any case
> can someone helpme get mitkdc (or whatever) process to not exit so I
> can get samba to start?
I hope this helps,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
More information about the samba
mailing list