On 2/22/2013 15:22, Peter Beck wrote:
Dustin C. Hatch <[email protected]> wrote on Fri, Feb 22, 2013 at
12:31:05PM -0600:
On 2/22/2013 11:13, Sérgio Henrique wrote:
I guess the communication between MS AD and Samba4 is by Kerberos; I have
copied /opt/samba/private/krb5.conf to /etc after joining the domain.
I have installed a Windows server at 2003 forest level as PDC, then
installed Samba 4.0.3 and joined the domain, but every time I am getting
problems with the forest and domain DNS zones...
I have the same issue. I've tried countless times to add a Samba DC
to my (test) AD environment, but every time, it fails to add an
outbound connection for the DomainDnsZones and ForestDnsZones
directory partitions. In addition, the Samba server is not listed as
a name server for either the root zone or the _msdcs zone.
Yes, the basic setup is as written down in the Wiki pages at
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC.
This is the document I've been following to try to get this working as well.
I get Kerberos tickets without any issue. I think it is also important to
raise the domain forest level up to 2003 (I can remember I also had
issues earlier, and then I just raised the domain operation level).
The forest operation level was something I changed later...
After raising the operation level I always reboot the Windows DC. Not
sure if that is really needed...
I for one will in future raise both levels up to 2003 _before_ I start
deploying samba.
My samba server works perfectly fine for all AD DC roles (including
Kerberos) except DNS. In my real and test environments, the forest and
domain functional levels are 2008 R2.
My krb.conf looks like this:
[libdefaults]
default_realm = ADLAB.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
Same as mine, as defined in the wiki article.
And this is my smb.conf; not sure if allow dns updates is needed or not.
# Global parameters
[global]
server role = active directory domain controller
workgroup = ADLAB
realm = adlab.local
netbios name = LAB07
passdb backend = samba4
I don't see `samba4` as an option for `passdb backend` in smb.conf(5).
The values listed are "smbpasswd", "tdbsam" (default) and "ldapsam".
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
I don't see a list of values for this property in smb.conf(5); where did
you find this setting?
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
According to smb.conf(5), this is the default value for `server
services`, less s3fs and plus smb. I don't think either of these would
matter in this case.
dns recursive queries = yes
This only affects DNS queries for names outside the AD domain, so its
value wouldn't matter.
allow dns updates = true
The default value, according to smb.conf(5) is `secure only`, the same
as the Windows default, which should be fine.
dns forwarder = 8.8.8.8
Again, this only affects queries outside the AD domain, so it shouldn't
matter. I do have it set, though.
[netlogon]
path = /var/lib/samba/sysvol/adlab.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
These are the same for me as well.
The Samba server is not configured as a nameserver by default. You can add
it either on Windows, if you right-click the zone and add it in the
"nameserver" tab, or if you use samba-tool dns add. I prefer the second
one. To add it, for example, to the zone "adlab.local" you can use
samba-tool dns add <winserver> adlab.local adlab.local NS <sambaserver>.adlab.local
This will add an NS record for the zone "adlab.local" which looks like
the existing entry for the Windows DNS "(same as parent folder)", and it
will also automatically add the Samba server to the "nameserver" tab of
the zone.
Yes, that adds the NS records to the domain, and I've tried that. Since
the Samba server is a DNS server, this should be done automatically
anyway. In any case, it doesn't help.
After adding these records / checking other DNS records (_ldap._tcp,
_kerberos etc.) I just did
These also should be added automatically if the Samba server is to be a
DNS server, but adding them manually doesn't help either.
samba-tool drs replicate <samba-dc> <win-dc> dc=adlab,dc=local --local
This works fine
samba-tool drs replicate <samba-dc> <win-dc> dc=forestdnszones,dc=adlab,dc=local --local
samba-tool drs replicate <samba-dc> <win-dc> dc=domaindnszones,dc=adlab,dc=local --local
These both fail because there is no outbound connection from the Samba
server to the Windows server for these directory partitions. Adding them
manually with repadmin works temporarily, but the KCC eventually removes
them.
If everything is well (which was the case each time I've tested it), I
moved the FSMO roles with samba-tool fsmo transfer --role=....
Since Samba 4.0.3, which has a fix for the timeout problem, I have had
no trouble moving the FSMO roles around. Regardless, until the
DomainDnsZones and ForestDnsZones are replicated correctly, I cannot
demote the Windows DC.
But as I mentioned before - I am also still testing at the moment ;-)
Hope that helps
Thanks for the information. This seems to be a problem for a number of
people, so hopefully we'll get to the bottom of it soon.
Regards
Peter
--
♫Dustin
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
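The symptom Dustin describes, a DNS application partition with an inbound neighbour but no outbound connection, can be spotted by parsing what `samba-tool drs replicate` relies on: the per-partition INBOUND/OUTBOUND sections that `samba-tool drs showrepl` prints. The following is an added example, not code from the thread or from Samba; it assumes the realm adlab.local from Peter's smb.conf, approximates showrepl's repadmin-style layout, and runs on a constructed sample rather than a real capture.

```python
import re

# The two DNS application partitions from the thread (realm adlab.local assumed).
DNS_PARTITIONS = ("DC=DomainDnsZones,DC=adlab,DC=local",
                  "DC=ForestDnsZones,DC=adlab,DC=local")

SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====")
PARTITION_RE = re.compile(r"^(?:DC|CN)=", re.IGNORECASE)   # unindented DN line

def parse_showrepl(text):
    """Map INBOUND/OUTBOUND to {partition_dn_lower: number of replication partners}."""
    sections = {"INBOUND": {}, "OUTBOUND": {}}
    current = partition = None
    for line in text.splitlines():
        if line.startswith("===="):                 # a section banner
            m = SECTION_RE.match(line)
            current = m.group(1) if m else None     # skip KCC connection objects etc.
            partition = None
        elif current is None:
            continue
        elif PARTITION_RE.match(line):              # naming context header
            partition = line.strip().lower()
            sections[current].setdefault(partition, 0)
        elif partition and line.startswith("\t") and " via " in line:
            sections[current][partition] += 1       # one line per replication partner
    return sections

def replication_gaps(text, partitions=DNS_PARTITIONS):
    """Return {dn: [directions with no partner]}; empty dict means both partitions replicate."""
    sections = parse_showrepl(text)
    gaps = {}
    for dn in partitions:
        missing = [d for d in ("INBOUND", "OUTBOUND") if not sections[d].get(dn.lower())]
        if missing:
            gaps[dn] = missing
    return gaps

# Constructed sample in showrepl's layout (assumed format, not a real capture): DomainDnsZones
# has an inbound partner only and ForestDnsZones appears in neither section.
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====
DC=adlab,DC=local
\tDefault-First-Site-Name\\WINDC via RPC
DC=DomainDnsZones,DC=adlab,DC=local
\tDefault-First-Site-Name\\WINDC via RPC
==== OUTBOUND NEIGHBORS ====
DC=adlab,DC=local
\tDefault-First-Site-Name\\WINDC via RPC
==== KCC CONNECTION OBJECTS ====
"""
```

Feed it the real output with `replication_gaps(subprocess.check_output(["samba-tool", "drs", "showrepl"], text=True))`; an empty result means both DNS partitions have partners in both directions, which is the state Dustin is waiting for before demoting the Windows DC.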