[Samba] Provisioning new AD Domain Controller
Luis Peromarta
lperoma at icloud.com
Thu Nov 30 07:18:15 UTC 2023
All the Samba wiki documentation for AD provisioning I have rearranged here:
http://samba.bigbird.es
All your questions are addressed there.
Regards.
LP
On 30 Nov 2023 at 05:59 +0000, Andrew Bartlett via samba <samba at lists.samba.org>, wrote:
> On Thu, 2023-11-30 at 00:50 -0500, Mark Foley via samba wrote:
> > After a several month hiatus, I'm back trying to provision a new
> > AD/DC on Slackware 15.0, Samba 4.18.8.
> > I'm following the guide:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> >
> > I have some questions and at least one problem.
> > I've provisioned as follows:
> > samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCL --domain=HPRS \
> >     --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=password
> > I have 2 network cards, one Internet facing: eth0, and one for the
> > lan: eth1. One thing I forgot to include in my provision command was:
> > --option="interfaces=lo eth1" --option="bind interfaces only=yes"
> > Is this a big problem? Can I do something with this later? Should I
> > reset everything and start over?
>
> Just put those into the smb.conf, that is all that happens with them.
> > The provision tool specifies an admin password, but where is the
> > administrator username specified?
>
> It is always administrator, but you can technically rename it.
> > The wiki next gives instructions on Creating a Reverse Zone, but
> > after the instructions it says, "You must start the Samba AD DC before
> > you can add a reverse zone", so I skipped past that step (and maybe it
> > should be moved to after starting the AD/DC in the wiki?).
> > I then did the Configure Kerberos step, and here's when things
> > weren't so clear. The instructions say,
> > During the provisioning, Samba created a Kerberos configuration file
> > for your DC. Copy this file to your operating system's Kerberos
> > configuration. For example:
> > # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
> > The provisioning output gave the following Kerberos related messages:
> > Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hprs.locl,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hprs,DC=locl)
> > INFO 2023-11-29 21:16:44,535 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2342: The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
> > INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> > INFO 2023-11-29 21:16:44,536 pid:1224 /usr/lib64/python3.9/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> > The 3rd message says, "A Kerberos configuration suitable for Samba AD
> > has been generated at /var/lib/samba/private/krb5.conf". This differs
> > from the wiki instructions which indicate the config file is generated
> > at /usr/local/samba/private/krb5.conf. Well, I figured that was a
> > distro issue, newer samba-tool version, or some such thing so I
> > pressed on.
>
> Correct, paths vary depending on install method.
> > But where is my "operating system's Kerberos configuration" located?
> > Scanning the drive for krb5.conf I found:
> > # find / -name krb5.conf
> > /usr/share/samba/setup/krb5.conf
> > /usr/doc/krb5-1.19.2/examples/krb5.conf
>
> /etc/krb5.conf is the system-wide path
> > none of which seem to be real config files for my OS/distro, and none
> > of my Slackware 15.0 hosts seem to be running Kerberos. So, I left the
> > file in /var/lib/samba/private/krb5.conf, which probably contributed
> > to my failure below.
> > I moved on to the Testing your Samba AD DC step and started samba.
> > According to syslog that failed the first time because it could not
> > create the directory /var/run/samba/ncalrpc, so I created it and tried
> > again. That failed as well with the following in syslog:
> > Nov 29 23:25:11 DC1 samba[3990]: [2023/11/29 23:25:11.807033, 0] ../../source4/samba/server.c:621(binary_smbd_main)
> > Nov 29 23:25:11 DC1 samba[3990]: samba version 4.18.8 started.
> > Nov 29 23:25:11 DC1 samba[3990]: Copyright Andrew Tridgell and the Samba Team 1992-2023
> > Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.906019, 0] ../../source4/samba/server.c:896(binary_smbd_main)
> > Nov 29 23:25:11 DC1 samba[3991]: binary_smbd_main: samba: using 'prefork' process model
> > Nov 29 23:25:11 DC1 smbd[3997]: [2023/11/29 23:25:11.932326, 0] ../../source3/smbd/server.c:1746(main)
> > Nov 29 23:25:11 DC1 smbd[3997]: smbd version 4.18.8 started.
> > Nov 29 23:25:11 DC1 smbd[3997]: Copyright Andrew Tridgell and the Samba Team 1992-2023
> > Nov 29 23:25:11 DC1 samba[3991]: [2023/11/29 23:25:11.960564, 0] ../../source4/samba/server.c:391(samba_terminate)
> > Nov 29 23:25:11 DC1 samba[3991]: samba_terminate: samba_terminate of samba 3991: mitkdc child process exited
> > The last message says, "mitkdc child process exited". This smells
> > like a Kerberos issue and maybe my config file is in the wrong place
> > since I didn't copy it anywhere. Also does the "mit" bit of this
> > process name mean it's trying to run MIT Kerberos? I thought I had
> > Heimdal installed.
>
> It certainly seems like you used an MIT KDC build, but may not have the
> actual KDC installed.
> > Rowland Penny in thread "Upgrading from Samba 4.8.2 to 4.15.5" and
> > message on Sat, 28 Jan 2023 10:11:44 +0000, wrote:
> > "smbd -b | grep HAVE_LIBKADM5SRV_MIT
> > You should get nothing returned if Samba was built using the built in
> > Heimdal."
> > I did that and got nothing, so Heimdal?
>
> You have a build for MIT Kerberos, we don't start an mitkdc task
> otherwise.
> > Perhaps my theories about Kerberos issues are wrong, but in any case
> > can someone help me get mitkdc (or whatever) process to not exit so I
> > can get samba to start?
>
> I hope this helps,
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
> Samba Development and Support: https://catalyst.net.nz/services/samba
> Catalyst IT - Expert Open Source Solutions
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
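The three things Andrew's reply settles (which KDC the Samba build is for, that the generated krb5.conf must be copied to /etc/krb5.conf rather than symlinked, and that the forgotten interface options simply go into smb.conf), plus the ncalrpc directory Mark had to create by hand, as a post-provision check script. This is an added example and not code from the thread, its posters or the Samba project. The smb.conf, krb5.conf and `smbd -b` contents it uses are constructed samples built in make_samples; HPRS.LOCL, DC1, eth0/eth1 and /var/run/samba are taken from the thread as illustrative values, and the assumption that the MIT daemon is called krb5kdc and findable on PATH is only a first check, since Samba's MIT build looks for it at a path fixed at build time.

```shell
#!/bin/sh
# Post-provision checks for a Samba AD DC. Added example for this thread,
# not code from the thread or the Samba project. The smb.conf, krb5.conf and
# `smbd -b` contents below are constructed samples; on a real DC point the
# functions at /etc/samba/smb.conf, /etc/krb5.conf and `smbd -b` output.

# Rowland's test from the thread: HAVE_LIBKADM5SRV_MIT in `smbd -b` means an
# MIT build, and samba then forks an "mitkdc" child that runs MIT's krb5kdc.
kdc_flavour() {                       # $1: file holding `smbd -b` output
    if grep -q 'HAVE_LIBKADM5SRV_MIT' "$1"; then echo mit; else echo heimdal; fi
}

# An MIT build needs the krb5kdc daemon installed (assumed binary name; Samba
# looks for it at a build-time path, so PATH is only a first check).
mit_kdc_installed() { command -v krb5kdc >/dev/null 2>&1; }

# Provision output: copy or merge private/krb5.conf to the system path, never
# symlink it. Reject a missing file, a symlink, or a default_realm that is
# not the --realm given to provision.
krb5_conf_ok() {                      # $1: krb5.conf path  $2: expected realm
    [ -e "$1" ] || { echo "$1 missing: cp private/krb5.conf there" >&2; return 1; }
    [ -L "$1" ] && { echo "$1 is a symlink; copy the file instead" >&2; return 1; }
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" \
            | head -n 1 | tr -d '[:space:]')
    [ "$realm" = "$2" ] || { echo "default_realm is '$realm', expected $2" >&2; return 1; }
}

# A dual-homed DC must not listen on the Internet-facing card: require
# "bind interfaces only = yes" and an interfaces list naming the LAN card
# and not the WAN card.
lan_binding_ok() {                    # $1: smb.conf  $2: LAN iface  $3: WAN iface
    grep -Eq '^[[:space:]]*bind[[:space:]]+interfaces[[:space:]]+only[[:space:]]*=[[:space:]]*yes' "$1" || return 1
    have_lan=1
    for i in $(sed -n 's/^[[:space:]]*interfaces[[:space:]]*=[[:space:]]*//p' "$1"); do
        [ "$i" = "$3" ] && return 1
        [ "$i" = "$2" ] && have_lan=0
    done
    return $have_lan
}

# Andrew's answer to the forgotten --option flags: put them in [global].
# Existing interfaces/bind lines are rewritten, missing ones are inserted
# right after [global] (not appended, which would land in a share section);
# safe to run twice.
set_lan_binding() {                   # $1: smb.conf  $2: LAN iface
    have_if=0; have_bio=0
    grep -Eq '^[[:space:]]*interfaces[[:space:]]*=' "$1" && have_if=1
    grep -Eq '^[[:space:]]*bind[[:space:]]+interfaces[[:space:]]+only[[:space:]]*=' "$1" && have_bio=1
    awk -v lan="$2" -v have_if="$have_if" -v have_bio="$have_bio" '
        /^[ \t]*interfaces[ \t]*=/ { print "    interfaces = lo " lan; next }
        /^[ \t]*bind[ \t]+interfaces[ \t]+only[ \t]*=/ { print "    bind interfaces only = yes"; next }
        { print }
        /^[ \t]*\[global\]/ {
            if (!have_if)  print "    interfaces = lo " lan
            if (!have_bio) print "    bind interfaces only = yes"
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# samba could not create /var/run/samba/ncalrpc in the thread; make the
# runtime tree up front, root-owned and not world-writable.
ensure_ncalrpc_dir() {                # $1: run dir, e.g. /var/run/samba
    mkdir -p "$1/ncalrpc" && chmod 0755 "$1" "$1/ncalrpc"
}

# Constructed stand-ins for a freshly provisioned DC (values from the thread).
make_samples() {                      # $1: scratch dir
    mkdir -p "$1/private"
    printf '%s\n' '# Global parameters' '[global]' '    netbios name = DC1' \
        '    realm = HPRS.LOCL' '    workgroup = HPRS' \
        '    server role = active directory domain controller' '' \
        '[sysvol]' '    path = /var/lib/samba/sysvol' '    read only = No' '' \
        '[netlogon]' '    path = /var/lib/samba/sysvol/hprs.locl/scripts' \
        '    read only = No' > "$1/smb.conf"
    printf '%s\n' '[libdefaults]' '    default_realm = HPRS.LOCL' \
        '    dns_lookup_realm = false' '    dns_lookup_kdc = true' > "$1/private/krb5.conf"
    printf '   HAVE_LIBKADM5SRV_MIT\n   HAVE_KRB5_H\n' > "$1/smbd-b.txt"
}

main() {
    d=$(mktemp -d); make_samples "$d"
    echo "samba built for: $(kdc_flavour "$d/smbd-b.txt") KDC"
    krb5_conf_ok "$d/krb5.conf" HPRS.LOCL || true        # nothing copied yet
    cp "$d/private/krb5.conf" "$d/krb5.conf"             # the wiki's cp step
    krb5_conf_ok "$d/krb5.conf" HPRS.LOCL && echo "system krb5.conf ok"
    lan_binding_ok "$d/smb.conf" eth1 eth0 || echo "smb.conf still listens on eth0"
    set_lan_binding "$d/smb.conf" eth1
    lan_binding_ok "$d/smb.conf" eth1 eth0 && echo "smb.conf now bound to lo eth1"
    rm -r "$d"
}
main
```

On a real host run the checks as root after `samba-tool domain provision` and before the first `samba` start: a `mit` answer from kdc_flavour with mit_kdc_installed failing is the combination Andrew describes (an MIT-KDC build without the KDC itself), and set_lan_binding edits [global] in place so the dual-homed DC stops listening on the Internet-facing card without re-provisioning.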