Dustin C. Hatch <[email protected]> wrote on Fri, Feb 22, 2013 at 12:31:05PM -0600:
> On 2/22/2013 11:13, Sérgio Henrique wrote:
> > I guess the communication between MS AD and Samba4 is by Kerberos; I have
> > copied the /opt/samba/private/krb5.conf to /etc after joining the domain.
> >
> > I have installed a Windows server at 2003 forest level as PDC, then
> > installed Samba 4.0.3,
> > joined the domain, but every time I am getting problems with forest and domain DNS
> > zones...
> >
> I have the same issue. I've tried countless times to add a Samba DC
> to my (test) AD environment, but every time, it fails to add an
> outbound connection for the DomainDnsZones and ForestDnsZones
> directory partitions. In addition, the Samba server is not listed as
> a name server for either the root zone or the _msdcs zone.
Yes, the basic setup is like it's written down in the wiki pages at https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC. I get Kerberos tickets without any issue.

I think the domain forest level is also important to raise up to 2003 (I can remember I also had issues earlier and then I just raised the domain operation level). The forest operation level was something I changed later... After raising the operation level I always reboot the Windows DC. Not sure if that is really needed... I for one will in future raise both levels up to 2003 _before_ I start deploying Samba.

My krb5.conf looks like this:

    [libdefaults]
        default_realm = ADLAB.LOCAL
        dns_lookup_realm = true
        dns_lookup_kdc = true

And this is my smb.conf; not sure if "allow dns updates" is needed or not.

    # Global parameters
    [global]
        server role = active directory domain controller
        workgroup = ADLAB
        realm = adlab.local
        netbios name = LAB07
        passdb backend = samba4
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
        dns recursive queries = yes
        allow dns updates = true
        dns forwarder = 8.8.8.8

    [netlogon]
        path = /var/lib/samba/sysvol/adlab.local/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

The Samba server is not configured as a nameserver by default. You can add it either on Windows, if you right-click the zone and add it to the "nameserver" tab, or if you use samba-tool dns add. I prefer the second one.

To add it for example to the zone "adlab.local" you can use

    samba-tool dns add <winserver> adlab.local adlab.local NS <sambaserver>.adlab.local

This will add an NS record for the zone "adlab.local" which looks like the existing entry for the Windows DNS "(same as parent folder)", and it will also automatically add the Samba server into the "nameserver" tab of the zone.

After adding these records / checking other DNS records (_ldap._tcp, _kerberos etc.) I just did

    samba-tool drs replicate <samba-dc> <win-dc> dc=adlab,dc=local --local
    samba-tool drs replicate <samba-dc> <win-dc> dc=forestdnszones,dc=adlab,dc=local --local
    samba-tool drs replicate <samba-dc> <win-dc> dc=domaindnszones,dc=adlab,dc=local --local

If everything is well (which was the case each time I've tested it), I moved the FSMO roles with

    samba-tool fsmo transfer --role=....

But as I mentioned before - I am also still testing at the moment ;-)

Hope that helps

Regards
Peter

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
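The post-join steps from Peter's message (register the Samba DC as NS for the zone, then replicate the domain, ForestDnsZones and DomainDnsZones naming contexts from the Windows DC) wrapped as an added shell helper; this is example code written for this thread, not something posted in it. It assumes samba-tool is on PATH on the Samba DC, derives the DNs from the realm instead of typing them by hand, and the function names, the DRY_RUN switch and the host names lab07/windc are this example's own placeholders.

```shell
#!/bin/sh
# Added helper (not from the thread): automates the post-join DNS steps above.
# Assumes samba-tool is on PATH on the Samba DC. Set DRY_RUN=1 to print the
# commands instead of running them. Function names are this example's own.

# Derive the LDAP base DN from a DNS realm: "ADLAB.LOCAL" -> "dc=adlab,dc=local".
realm_to_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Execute a command, or just echo it when DRY_RUN=1 so the steps can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Register the Samba DC as an NS for the zone (this is what puts it on the
#    zone's "nameserver" tab).
# 2. Pull the domain NC plus ForestDnsZones and DomainDnsZones from the Windows
#    DC, the two partitions the join in this thread failed to connect.
# Arguments: realm, Samba DC host name, Windows DC host name (unqualified).
sync_dns_partitions() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    samba_dc=$2
    win_dc=$3
    base_dn=$(realm_to_dn "$realm")

    run samba-tool dns add "$win_dc" "$realm" "$realm" NS "$samba_dc.$realm"
    for nc in "$base_dn" "dc=forestdnszones,$base_dn" "dc=domaindnszones,$base_dn"; do
        run samba-tool drs replicate "$samba_dc" "$win_dc" "$nc" --local
    done
}
```

Run it first with DRY_RUN=1 to see the exact samba-tool commands for your realm, then without it on the Samba DC.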
