[Samba] The care and feeding of the signing socket; also NTPsec

James Browning jamesb192 at jamesb192.com
Thu Sep 19 13:44:13 UTC 2024


TLDW: I have a Samba install, and I can use help getting the signing socket to return a signature with either Chrony or NTPsec; I would appreciate some guidance on what I am doing incorrectly.
 
I partially followed the instructions at [1]; after checking and revising, I saw that adding a line to start signd appeared to have broken everything else.
 
I have attached a list of most of the steps I have taken. After I get my web host back up tomorrow, it will be mirrored at https://dell-2018.jamesb192.com/j/
 
[1] https://fedoramagazine.org/samba-as-ad-and-domain-controller/
-------------- next part --------------
# dnf install samba samba-dc samba-client krb5-workstation
# hostnamectl hostname bourbon2.jamesb192.com
# firewall-cmd --permanent --add-service samba-dc
# firewall-cmd --reload
# rm -iv /etc/samba/smb.conf
# mkdir -pv /etc/systemd/resolved.conf.d
$ ip addr
# nano /etc/systemd/resolved.conf.d/custom.conf
# systemctl restart systemd-resolved
# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=JAMESB192.COM --domain=JAMESB192
# nano /etc/samba/smb.conf
# cp /var/lib/samba/private/krb5.conf /etc/krb5.conf.d/samba-dc
# systemctl enable samba --now
# groupadd machines
# useradd -g machines -d /var/lib/nobody -s /bin/false -c "local machine" bourbon2$
# useradd -g machines -d /var/lib/nobody -s /bin/false -c "Dell 2018" dell-2018$
# smbpasswd -a -m bourbon2
# smbpasswd -a -m dell-2018
# smbpasswd -a -m `whoami`
$ grep 1001 /etc/passwd /etc/group
/etc/passwd:bourbon2$:x:1001:1001:local machine:/var/lib/nobody:/bin/false
/etc/passwd:dell-2018$:x:1002:1001:Dell 2018:/var/lib/nobody:/bin/false
/etc/group:machines:x:1001:
# head -n 99 /etc/samba/smb.conf /etc/systemd/resolved.conf.d/custom.conf /etc/krb5.conf.d/samba-dc
==> /etc/samba/smb.conf <==
# Global parameters
[global]
        dns forwarder = 192.168.42.1
        netbios name = BOURBON2
        realm = JAMESB192.COM
        server role = active directory domain controller
        server services = ntp_signd
        workgroup = JAMESB192
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/jamesb192.com/scripts
        read only = No

==> /etc/systemd/resolved.conf.d/custom.conf <==
[Resolve]
DNSStubListener=no
Domains=jamesb192.com
DNS=192.168.42.78

==> /etc/krb5.conf.d/samba-dc <==
[libdefaults]
        default_realm = JAMESB192.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
JAMESB192.COM = {
        default_domain = jamesb192.com
}

[domain_realm]
        bourbon2 = JAMESB192.COM
==> /etc/chrony.conf <==
pool 2.fedora.pool.ntp.org iburst

sourcedir /run/chrony-dhcp

driftfile /var/lib/chrony/drift

makestep 1.0 3

rtcsync

allow 192.168.42.0/24
allow 127.0.0.1/8
allow ::1

ntsdumpdir /var/lib/chrony

leapsectz right/UTC

logdir /var/log/chrony

ntpsigndsocket /var/lib/samba/ntp_signd
$ path/to/ntpq -D2 localhost 192.168.42.78
Module/Binary version mismatch
Binary: ntpsec-1.2.3+58-gf873f69c4
Module: ntpsec-1.2.3+57-g5af01fe36-dirty
ntpdig: querying ::1 (localhost)
ntpdig: Sent to ::1:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ea 95 a8 47 54 b1 18 00 ...........GT...
00 00 03 e9 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00                                     ....
ntpdig: querying 127.0.0.1 (localhost)
ntpdig: Sent to 127.0.0.1:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ea 95 a8 4c 56 04 70 00 ...........LV.p.
00 00 03 e9 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00                                     ....
ntpdig: querying 192.168.42.78 (192.168.42.78)
ntpdig: Sent to 192.168.42.78:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ea 95 a8 51 57 79 80 00 ...........QWy..
00 00 03 e9 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00                                     ....
ntpdig: no eligible servers
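The smb.conf line the post singles out as having broken everything else can be checked mechanically. What follows is an added example, not code from the post, from Samba or from chrony: it reads a constructed copy of the posted [global] section and chrony fragment, applies the list semantics smb.conf(5) documents for `server services` (a plain list of names replaces the default list; `+name` and `-name` add to or remove from it; treating a list that mixes both forms as a replacement is this example's own assumption), and reports which default DC services the configured line drops and whether chrony's `ntpsigndsocket` directory matches Samba's `ntp signd socket directory`. Function names and sample texts are the example's own.

```python
"""Check a Samba AD DC's 'server services' line against chrony's signd socket.

Added example, not code from the mailing-list post, Samba or chrony: a minimal
config reader plus the '+'/'-' list semantics documented for smb.conf(5)
'server services', run over constructed copies of the posted configuration.
"""

# Default 'server services' list for a Samba AD DC, from smb.conf(5).
DEFAULT_SERVER_SERVICES = [
    "s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc", "drepl",
    "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns",
]

# Default 'ntp signd socket directory' from smb.conf(5); chrony's
# 'ntpsigndsocket' directive must name the same directory.
DEFAULT_SIGND_DIR = "/var/lib/samba/ntp_signd"

# Constructed copy of the [global] section from the post.
POSTED_SMB_CONF = """\
# Global parameters
[global]
        dns forwarder = 192.168.42.1
        netbios name = BOURBON2
        realm = JAMESB192.COM
        server role = active directory domain controller
        server services = ntp_signd
        workgroup = JAMESB192
        idmap_ldb:use rfc2307 = yes
"""

# Same section with the line written as a modifier instead of a replacement.
FIXED_SMB_CONF = POSTED_SMB_CONF.replace(
    "server services = ntp_signd", "server services = +ntp_signd")

# Constructed chrony.conf fragment, as posted.
POSTED_CHRONY_CONF = """\
allow 192.168.42.0/24
ntpsigndsocket /var/lib/samba/ntp_signd
"""


def parse_smb_conf(text):
    """Tiny 'key = value' reader for smb.conf: returns {section: {key: value}}.
    Comments and blank lines are skipped; keys are lower-cased and stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def resolve_server_services(value, defaults=DEFAULT_SERVER_SERVICES):
    """Apply smb.conf(5) list semantics for 'server services'.

    '+name' adds to and '-name' removes from the default list; a list of plain
    names replaces the defaults outright, which is what the posted
    'server services = ntp_signd' does. Treating a mixed list (some entries
    prefixed, some not) as a plain replacement is an assumption of this example.
    """
    entries = value.replace(",", " ").split()
    if entries and all(e[0] in "+-" for e in entries):
        services = list(defaults)
        for entry in entries:
            op, name = entry[0], entry[1:]
            if op == "+" and name not in services:
                services.append(name)
            elif op == "-" and name in services:
                services.remove(name)
        return services
    return entries


def dropped_dc_services(smb_conf_text):
    """Default DC services that the configured line no longer runs."""
    conf = parse_smb_conf(smb_conf_text).get("global", {})
    value = conf.get("server services")
    running = DEFAULT_SERVER_SERVICES if value is None else resolve_server_services(value)
    return [s for s in DEFAULT_SERVER_SERVICES if s not in running]


def chrony_signd_dir(chrony_conf_text):
    """Directory named by chrony's 'ntpsigndsocket' directive, or None."""
    for line in chrony_conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "ntpsigndsocket":
            return parts[1]
    return None


def findings(smb_conf_text, chrony_conf_text):
    """Problems found in the two configs; an empty list means they agree."""
    problems = []
    dropped = dropped_dc_services(smb_conf_text)
    if dropped:
        problems.append("server services drops: " + ", ".join(dropped))
    conf = parse_smb_conf(smb_conf_text).get("global", {})
    samba_dir = conf.get("ntp signd socket directory", DEFAULT_SIGND_DIR)
    chrony_dir = chrony_signd_dir(chrony_conf_text)
    if chrony_dir is None:
        problems.append("chrony.conf has no ntpsigndsocket directive")
    elif chrony_dir.rstrip("/") != samba_dir.rstrip("/"):
        problems.append(f"signd directory mismatch: samba {samba_dir} vs chrony {chrony_dir}")
    return problems


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SMB_CONF), ("with +ntp_signd", FIXED_SMB_CONF)):
        print(f"{label}: {findings(text, POSTED_CHRONY_CONF) or 'no problems found'}")
```

Run against the posted section, the check reports that `server services = ntp_signd` leaves only ntp_signd in the service list and drops ldap, kdc, dns and the rest of the defaults, which matches the symptom the post describes; written as `+ntp_signd`, or left out entirely since ntp_signd is already in the default list, the DC keeps its full service set. The chrony side of the posted configuration already agrees with Samba's default socket directory, so the second check passes either way.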