Samba 4.12.rc DC feedback


 



I installed the latest Fedora 32 x86_64 (Fedora-Server-netinst-x86_64-32-20200218.n.0.iso) and performed a minimal installation.

Then I deployed a Samba 4.12.rc2 DC + BIND + NTP (chronyd) + dhcpd.
Joined a CentOS 8 Samba member server (file server) to the domain and shared some folders.
Joined 2 Windows 10 workstations to the domain.
Logged into Windows 10 with domain users.
Accessed the CentOS 8 file server from win10a.
Shared a folder on win10b and set permissions for some domain users.
Tried to access the win10b shared folder from win10a.
....

Good! Everything worked fine ... except adding the "PTR" record to the reverse DNS zone via DHCP; adding the name/IP as a DNS "A" record did work.

Today I ran "dnf update".
Many packages were updated, and Samba became 4.12.rc3.
After a reboot I tried again to update the PTR record in the DNS reverse zone ... and ....

This issue is gone too: now everything works fine!

Is it perhaps time to drop the "Experimental" label from Samba's MIT Kerberos build?

I have written a simple howto, see the attached files.

If you find any mistake, let me know.

Many thanks to all

-- 
Dario Lesca
(inviato dal mio Linux Fedora 31 Workstation)
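#!/bin/bash
#
# Samba 4.12 AD DC on Fedora 32: BIND9_DLZ DNS, chronyd NTP, ISC dhcpd.
#
# This is a step-by-step runbook, not an unattended installer: the
# unconditional `exit` below stops bash if the file is executed by
# mistake.  Run the commands one section at a time, as root, and read
# the comments first -- several steps (SELinux permissive, relaxed
# password policy, credentials kept on disk) are lab conveniences that
# a production deployment should not copy.
exit

# Download Fedora 32 (beta) and perform a minimal installation

# This is my disk layout (LVM on a single 9 GiB virtual disk)
# [root@addc1 ~]# pvscan
#   PV /dev/vda2   VG addc1           lvm2 [<9,00 GiB / <2,00 GiB free]
#   Total: 1 [<9,00 GiB] / in use: 1 [<9,00 GiB] / in no VG: 0 [0   ]
# [root@addc1 ~]# df
# File system            1K-blocchi   Usati Disponib. Uso% Montato su
# /dev/mapper/addc1-root    3135488 1312856   1822632  42% /
# /dev/vda1                 1038336  149820    888516  15% /boot
# /dev/mapper/addc1-var     3135488  283348   2852140  10% /var


# jump on the freshly installed VM (DHCP-assigned address for now)
ssh 192.168.122.104

# become root.  The original line here was a pasted shell prompt
# ("[lesca@dhcp-... ~]$ sudo -i"), which is not a valid command; only
# the command itself belongs in the runbook.
sudo -i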

# remove sssd and friends: winbind will provide NSS for domain users
yum -y remove '*sss*'

# set the timezone (list candidates with: timedatectl list-timezones)
timedatectl set-timezone Europe/Rome

# drop "localhost localhost.localdomain" from the IPv6 ::1 line of
# /etc/hosts so that "localhost" resolves to IPv4 only
sed -i '/^::1 /s/localhost localhost.localdomain //' /etc/hosts

# SELinux: switch to permissive.  NOTE(review): this is a deliberate
# weakening of the host -- denials are only logged, not enforced.  The
# howto relies on it (the samba/named file contexts are only patched
# with chcon later on); on a production DC keep the policy enforcing
# and fix the contexts instead.
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config

# reboot so the SELinux mode change and the sssd removal take effect
reboot

# log back in after the reboot (still on the DHCP address)
ssh 192.168.122.104

# give the interface its fixed address right away so we can reconnect on it
dc_ip='192.168.122.100'
ip addr add "${dc_ip}/24" dev ens3

# log out, then reconnect on the fixed address
ssh "$dc_ip"

# make the fixed address persistent via NetworkManager.
# The upstream resolver (1.1.1.1) is only a placeholder until the local
# BIND instance is up; it is replaced with the DC's own address later.
nmcli con mod ens3 ifname ens3 ipv4.method manual \
	ipv4.addr "${dc_ip}/24" \
	ipv4.gateway "192.168.122.1" \
	ipv4.dns "1.1.1.1" \
	ipv6.method link-local
nmcli device reapply ens3

# set the FQDN; the domain part becomes the AD realm / DNS zone
hostnamectl set-hostname addc1.fedora.loc

# handy tools (personal preference; none of these is required by Samba)
tools=(
	screen wget rsync fuse-sshfs fuse-libs mutt lftp
	sudo xorg-x11-xauth man bash-completion net-tools
	vim-common vim-minimal vim-filesystem vim-enhanced
)
yum install -y "${tools[@]}"

# let root use vim too: comment out the line matching "le 200" in
# Fedora's vim profile snippet (the early return for low uids)
sed -i '/le 200/s/^ /#/' /etc/profile.d/vim.sh

# Samba AD DC plus the BIND9 DLZ back end and client utilities
samba_pkgs=(
	samba-client samba-dc samba-winbind samba-winbind-clients
	attr acl krb5-workstation tdb-tools ldb-tools python3
	bind bind-utils samba-dc-bind-dlz
)
yum install -y "${samba_pkgs[@]}"

# power off here and take a VM snapshot before provisioning, so the
# domain setup can be retried from a clean state; then start it again
poweroff
# ... take a snapshot and start machine

# 
# Preserve the distribution's krb5.conf and smb.conf: the first run keeps
# a pristine *.orig copy, later runs move the current file aside with a
# timestamp suffix, so provisioning always starts without these files.
preserve_conf() {
	local f=$1
	if [ ! -e "$f.orig" ]; then
		mv -v "$f" "$f.orig"
	fi
	if [ -e "$f" ]; then
		mv -v "$f" "$f.$(date +%s)"
	fi
}
preserve_conf /etc/krb5.conf
preserve_conf /etc/samba/smb.conf

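# Deploy Samba AD-DC

par_realm='fedora.loc'
par_domain='fedora'
par_dnsbke='BIND9_DLZ'
# Administrator password.  Must be strong: the domain Administrator is
# equivalent to root on every joined machine.  Do not hard-code it in
# this file (the original used the literal "P@ssw0rd") -- export
# ADDC_ADMINPWD beforehand, or leave it unset to be prompted.
par_adminpwd=${ADDC_ADMINPWD:-}
if [ -z "$par_adminpwd" ]; then
	read -r -s -p "Administrator password for $par_realm: " par_adminpwd
	echo
fi

# NOTE: --adminpass puts the password in this command's argv, visible
# in the process list for the duration of the provision.
samba-tool domain provision \
	--realm="$par_realm" \
	--domain="$par_domain" \
	--dns-backend="$par_dnsbke" \
	--use-rfc2307 \
	--server-role=dc \
	--function-level=2008_R2 \
	--adminpass="$par_adminpwd"
st=$?
#--use-xattr=yes \

# Test if it's good: anything but 0 means provisioning failed.  Check the
# output above before continuing; provision must not be re-run on a
# half-provisioned tree.
echo "samba-tool domain provision exit status: $st"

# install the kerberos configuration file that provision generated
cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf

# (optional) Keep the admin credentials for the rest of this runbook.
# $addc_admin is passed as -U"$addc_admin" (user%password) below, which
# exposes the password in the process list of every command that uses
# it; acceptable on a lab DC, elsewhere prefer `kinit administrator`
# and Kerberos authentication.  The value lives in a root-only 0600
# file instead of ~/.bashrc; .bashrc only sources that file.
addc_env=/root/.addc_admin
install -m 0600 -o root -g root /dev/null "$addc_env"
printf 'export addc_admin=%q\n' "administrator%${par_adminpwd}" > "$addc_env"
grep -qF "$addc_env" /root/.bashrc ||
	echo "[ -r $addc_env ] && . $addc_env" >> /root/.bashrc
# shellcheck disable=SC1090
source "$addc_env"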

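# Setup firewall (skipped when firewalld is not running).
# Services: SMB/CIFS, the firewalld "samba-dc" service, DNS, DHCP,
# Kerberos (88) and kpasswd (464), LDAP/LDAPS, NTP.
# Ports added explicitly: RPC endpoint mapper (135/tcp), NetBIOS
# (137-138/udp, 139/tcp), global catalog (3268-3269/tcp) and the dynamic
# RPC range 49152-65535/tcp that Samba's RPC services use by default.
# That last range is wide: it can be narrowed with the smb.conf option
# "rpc server dynamic port range", and the whole set should be limited
# to the client subnets (firewalld zone or rich rule) rather than
# opened on every interface.
if firewall-cmd --state >/dev/null 2>&1; then
	firewall-cmd --permanent --add-service={samba,samba-dc,dns,dhcp,kerberos,kpasswd,ldap,ldaps,ntp}
	firewall-cmd --permanent --add-port={135/tcp,137-138/udp,139/tcp,3268-3269/tcp,49152-65535/tcp}
	firewall-cmd --reload
else
	echo "firewalld is not running: no firewall rules added" >&2
fi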

# Configure smb.conf: after the "idmap_ldb:use rfc2307 = yes" line that
# provision wrote, insert a "#" separator plus a login shell and home
# directory template for domain users resolved through winbind
# (%U = the user name).  Not idempotent: a second run appends them again.
sed -i '/idmap_ldb:use rfc2307 = yes/a#\n\ttemplate shell = /bin/bash\n\ttemplate homedir = /home/%U' /etc/samba/smb.conf

# configure nsswitch.conf: append "winbind" to the passwd, shadow and
# group sources so domain accounts are visible to id(1), login, etc.
sed -i 's/^\(passwd\|shadow\|group\): .*/& winbind/' /etc/nsswitch.conf

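# Configure DNS BIND ( https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End )
test ! -e /etc/named.conf.orig &&
	cp -a -v /etc/named.conf /etc/named.conf.orig

# listen on loopback and the DC address only, and answer queries only
# from localhost and the LAN: the DC must not become an open resolver
sed -i 's/listen-on port 53.*/listen-on port 53 { 127.0.0.1; 192.168.122.100; };/' /etc/named.conf
sed -i 's/allow-query .*/allow-query     { localhost; 192.168.122.0\/24; };/' /etc/named.conf

# GSS-TSIG: named authenticates dynamic updates (from the DC, domain
# members and dhcpd) with the keytab that provision exported.  The
# insert and the include below are guarded so that re-running this
# section does not duplicate them.
grep -q 'tkey-gssapi-keytab' /etc/named.conf ||
	sed -i '/session-keyfile/a\
\n\t// send-cookie no;\
\ttkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";' /etc/named.conf
grep -q '/var/lib/samba/bind-dns/named.conf' /etc/named.conf ||
	echo 'include "/var/lib/samba/bind-dns/named.conf";' >> /etc/named.conf

# SELinux labels so named may read the keytab and the DLZ database.
# chcon does not survive a relabel; for a permanent fix record the
# contexts with semanage fcontext (policycoreutils-python-utils).
chcon -t named_conf_t /var/lib/samba/bind-dns/dns.keytab
chcon -R -t named_var_run_t /var/lib/samba/bind-dns/dns

sysnamed=/etc/sysconfig/named
test ! -e "$sysnamed.orig" &&
	cp -a "$sysnamed" "$sysnamed.orig"
(
# Only IPv4
grep -q "^OPTIONS=" "$sysnamed" || echo 'OPTIONS="-4"'
# Disable the Kerberos replay cache for named.  NOTE(review): this
# switches off replay detection for GSS-TSIG updates; the Samba wiki
# page above suggests it because rapid successive updates otherwise
# trip the cache.  Tolerable on an internal resolver, but it is a
# security trade-off, not a tuning knob.
grep -q "^KRB5RCACHETYPE=" "$sysnamed" || echo 'KRB5RCACHETYPE="none"'
)| tee -a "$sysnamed"

# validate the configuration before (re)starting the daemon
named-checkconf /etc/named.conf ||
	echo "named.conf has errors, fix them before restarting named" >&2

systemctl enable named
systemctl restart named

# Test if it works: recursive lookup through the local resolver
host www.redhat.com 127.0.0.1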

# point the DC at its own DNS on its real address (not 127.0.0.1: Samba
# and the joined clients must all see the same DNS server address)
nmcli con mod ens3 ipv4.dns "192.168.122.100"
nmcli device reapply ens3

# give NetworkManager a moment, then verify the resolver and hosts file
sleep 2
cat /etc/resolv.conf
cat /etc/hosts

# Start the AD DC ("samba" unit)
systemctl enable samba
systemctl restart samba

# Sanity checks: own A record, the LDAP SRV record, and a full listing
# (AXFR) of the domain zone
dc_fqdn=$(hostname)
dc_domain=$(hostname -d)
host "$dc_fqdn"
host -t SRV "_ldap._tcp.$dc_domain"

host -al "$dc_domain"

# Try to connect as the domain administrator
smbclient -L "$dc_fqdn" -U"$addc_admin"

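# (Optional) Relax the password policy.  NOTE(review): this disables
# complexity, history and ageing for every account in the domain --
# fine for a throw-away lab, do not carry it over to a real domain.
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings show

# (Optional) Change the administrator password.  Without --newpassword
# samba-tool prompts for it, which keeps the new password out of this
# file and out of the process list (the original hard-coded "Cambi@m1").
# If you do change it, the $addc_admin credentials saved earlier are
# stale from here on.
samba-tool user setpassword administrator

# (Optional) Setup a new user ... and group.  Lab account with a lab
# password; note the password is visible in argv while the command runs.
samba-tool user create ospite 'Cambi@m1' --description='Ospitino Ospitale' -U"$addc_admin"
samba-tool user setpassword ospite --newpassword="Cambi@m1"

samba-tool group add gruppo1 -U"$addc_admin"
samba-tool group addmembers gruppo1 ospite -U"$addc_admin"
samba-tool group listmembers gruppo1 -U"$addc_admin"

# (Optional) Migrate many users from "user:password:description" lines.
# The original built command lines with awk and piped them into "sh -x",
# which echoed every password to the terminal and let a quote or "$" in
# any field break or inject shell commands.  A read loop hands each
# field to samba-tool as one argument, so nothing is re-parsed.
while IFS=: read -r u_name u_pass u_desc; do
	[ -n "$u_name" ] || continue
	samba-tool user create "$u_name" "$u_pass" --description="$u_desc" -U"$addc_admin"
done <<'EOF'
user:pass:User Descri
EOF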

# Test Kerberos: list cached tickets with their encryption types, then
# obtain a TGT for administrator from the local KDC
klist -e
kinit administrator

# Test winbind connectivity to the DC
wbinfo --ping-dc

# Test NSS resolution of domain users (needs the winbind entries in
# nsswitch.conf and the templates added to smb.conf earlier)
for u in administrator ospite; do
	id "$u"
done

# Test an SMB share on the DC
smbclient "//$(hostname)/netlogon" -U"$addc_admin" -c 'ls'

# Reverse zone for 192.168.122.0/24, plus this DC's own PTR record.
# Every samba-tool dns call goes through the DC itself, authenticated
# with the administrator credentials saved earlier.
dc_fqdn=$(hostname)
dc_domain=$(hostname -d)
rev_zone='122.168.192.in-addr.arpa.'

samba-tool dns zonecreate "$dc_fqdn" "$rev_zone" -U"$addc_admin"
# add my reverse ip
samba-tool dns add "$dc_fqdn" "$rev_zone" 100 PTR "$dc_fqdn" -U"$addc_admin"

# Check forward and reverse lookups of the DC
host "$dc_fqdn"
host 192.168.122.100

# (Some optional DNS examples)
samba-tool dns delete "$dc_fqdn" "$rev_zone" 1 PTR "$dc_fqdn" -U"$addc_admin"

# A record and matching PTR for a mail host
samba-tool dns add "$dc_fqdn" "$dc_domain" "s-mail.$dc_domain" A '192.168.122.50' -U"$addc_admin"
samba-tool dns add "$dc_fqdn" "$rev_zone" 50 PTR "s-mail.$dc_domain" -U"$addc_admin"
host "s-mail.$dc_domain"
host 192.168.122.50

# MX record at the zone apex
samba-tool dns add "$dc_fqdn" "$dc_domain" @ MX "s-mail.$dc_domain 10" -U"$addc_admin"

# CNAME records (www, time, ...)
samba-tool dns add "$dc_fqdn" "$dc_domain" www CNAME "ispc.$dc_domain" -U"$addc_admin"
samba-tool dns add "$dc_fqdn" "$dc_domain" time CNAME "$dc_fqdn" -U"$addc_admin"

# delete some records (the record data must match what was added
# exactly, otherwise samba-tool reports that the record does not exist)
samba-tool dns delete "$dc_fqdn" "$dc_domain" @ MX 's-mail 10' -U"$addc_admin"
samba-tool dns delete "$dc_fqdn" "$dc_domain" win7-1 A '192.168.122.11' -U"$addc_admin"

# list every record in the forward and reverse zones
samba-tool dns query "$dc_fqdn" "$dc_domain" @ ALL -U"$addc_admin"
samba-tool dns query "$dc_fqdn" "$rev_zone" @ ALL -U"$addc_admin"

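# Install RSAT - to manage Samba from a Windows workstation
# https://wiki.samba.org/index.php/Installing_RSAT

# Setup NTP SERVER
# https://wiki.samba.org/index.php/Time_Synchronisation
# Domain members expect MS-SNTP-signed replies from the DC; chronyd
# produces them through Samba's ntp_signd socket configured below.

#CHRONYD
yum -y remove ntp

# NOTE: the original note says the config file "must be modified by the
# dhcp client"; in practice these two commands just get the package's
# pristine chrony.conf back before we append our settings.
rm /etc/chrony.conf
yum -y reinstall chrony

# the signing socket directory must be reachable by the chrony group
ls -ld /var/lib/samba/ntp_signd
chown root:chrony /var/lib/samba/ntp_signd
chmod 750 /var/lib/samba/ntp_signd

test ! -f /etc/chrony.conf.orig && cp -va /etc/chrony.conf /etc/chrony.conf.orig
# Serve time to the private networks and enable MS-SNTP signing.
# "allow" is as broad as the private ranges listed; narrow it to the
# real client subnets.  Guarded so a re-run does not append twice.
if ! grep -q '^ntpsigndsocket' /etc/chrony.conf; then
	cat <<-EOF >> /etc/chrony.conf
	# samba ntp server
	allow 10.0.0.0/8
	allow 192.168.0.0/16
	ntpsigndsocket  /var/lib/samba/ntp_signd
	EOF
fi

diff /etc/chrony.conf.orig /etc/chrony.conf

systemctl enable chronyd
systemctl restart chronyd

# follow the log; a '... Selected source #.#.#.#' line means it is syncing
journalctl -u chronyd -f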



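# Setup DHCP with dynamic DNS updates through the DC
# https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

dnf install dhcp -y

# Dedicated unprivileged account whose Kerberos keys dhcpd uses for
# GSS-TSIG updates; the password is random and never needed, only the
# keytab exported below.
samba-tool user create dhcpduser \
	--description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" \
	--random-password -U"$addc_admin"

samba-tool user setexpiry dhcpduser --noexpiry -U"$addc_admin"
# DnsAdmins membership grants the update right on the zones (as the
# wiki page prescribes); keep in mind that whoever can read the keytab
# below can then edit every zone, so protect it accordingly.
samba-tool group addmembers DnsAdmins dhcpduser -U"$addc_admin"

# Export dhcpduser's keys to a keytab readable only by the dhcpd user.
# The realm is the upper-cased DNS domain.  tr's character classes are
# quoted: the original unquoted "[a-z] [A-Z]" was subject to globbing
# against single-letter files in the current directory.
realm=$(hostname -d | tr '[:lower:]' '[:upper:]')
samba-tool domain exportkeytab --principal="dhcpduser@$realm" /etc/dhcpduser.keytab
chown dhcpd: /etc/dhcpduser.keytab
chmod 400   /etc/dhcpduser.keytab
ls -l /etc/dhcpduser.keytab

# Install the dhcp-dyndns.sh hook from the wiki page above (paste it on
# stdin, end with Ctrl-D).  Read it before pasting: it runs with the
# keytab above and receives client-chosen hostnames from dhcpd, so it
# must validate its arguments before building DNS updates.
install -v -m755 -oroot /dev/stdin /usr/local/bin/dhcp-dyndns.sh

# test it (Warning: run it as dhcpd, not root -- per the original note it
# creates /tmp/dhcp-dyndns.cc, and a root-owned copy has the wrong
# permissions for the later runs as dhcpd)
sudo -u dhcpd /usr/local/bin/dhcp-dyndns.sh

# Keep the package's dhcpd.conf aside, then generate ours from the
# attached example (subnet and domain there are placeholders)
test ! -f /etc/dhcp/dhcpd.conf.orig &&
	mv -v /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.orig

sed "s/10\.11\.12/192.168.122/g;s/dominio\.loc/$(hostname -d)/g" ./dhcpd.conf.example > /etc/dhcp/dhcpd.conf

# Adjust subnet, ranges, reservations ...
vim /etc/dhcp/dhcpd.conf

# validate before starting: dhcpd refuses to start on a broken config
dhcpd -t -cf /etc/dhcp/dhcpd.conf

# Start dhcpd
systemctl enable dhcpd
systemctl restart dhcpd

# End.

exit 0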







# Reference (Italian): Samba as AD DC on CentOS 7
# http://www.massimodonato.it/2016/02/09/installare-samba-come-active-directory-domain-controller-su-linux-centos-7/

# Some useful commands (kept after the final "exit 0", so never run by accident)

# show the DN of this DC's "dns-<host>" object in the DLZ copy of sam.ldb
LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb "cn=dns-$(hostname -s)" dn

# re-register the DC's own DNS records -- author's note: does not work on Fedora (samba 4.7.3)
samba_dnsupdate --all-names --fail-immediately
# https://lists.samba.org/archive/samba/2017-November/212035.html
net ads dns register

# list the principals in the keytab BIND uses for GSS-TSIG
klist -k /var/lib/samba/bind-dns/dns.keytab

samba-tool user list

# DNS error
https://lists.samba.org/archive/samba/2013-December/177476.html

>
> The samba4 log shows the following:
>
> Dec 17 14:53:20 dc named[20868]: samba_dlz: starting transaction on zone
> ad-domain-name
> Dec 17 14:53:20 dc named[20868]: samba_dlz: spnego update failed
> Dec 17 14:53:20 dc named[20868]: client 192.0.2.1#60404: updating zone
> 'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
> Dec 17 14:53:20 dc named[20868]: samba_dlz: cancelling transaction on
> zone ad-domain-name
>
> Any idea what might be happening now?
>

Yes. A previous join has failed. There are stale DNS records which have
to be removed manually. We proceeded as follows:

http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html

HTH
Steve

# Access to SMB server shares fails through a DNS CNAME alias
# https://support.microsoft.com/it-it/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias

# Windows: using aliases to reach SMB shares
# http://civinini.net/index.php/windows/42-usare-degli-alias-per-accedere-a-share-smb

SOLUTION

The name check is performed not by the calling machine but by the destination (our Windows 2000/2003 server, to be clear): it is therefore enough to tell the server not to perform this check, by adding a trivial registry key:
Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
Type: DWORD
Name: DisableStrictNameChecking
Value: 1


After the next reboot the server will also accept connections made with names other than its own.
Note that this deliberately disables a server-side check: the server will then answer SMB connections addressed to any host name, so set it only where CNAME aliases are really needed. Kerberos authentication to the alias additionally requires a matching SPN on the server's account, which this registry key does not provide.

#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp-server/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
# Example used by the Samba AD DC howto: 10.11.12.0/24 and "dominio.loc"
# are placeholders that the runbook rewrites with sed to the real
# subnet and AD domain.  DNS records are NOT maintained by dhcpd's own
# DDNS code (ddns-update-style none); instead the on-commit/release/
# expiry hooks below call /usr/local/bin/dhcp-dyndns.sh, which updates
# the zones on the DC with the dhcpduser keytab.
#
authoritative;
ddns-update-style none;

subnet 10.11.12.0 netmask 255.255.255.0 {
	option subnet-mask		255.255.255.0;
	option broadcast-address	10.11.12.255;
	option time-offset		0;

	# AD domain name, handed to clients as their DNS search suffix
	option domain-name		"dominio.loc";
	option routers			10.11.12.1;

	# the DC first; the router's resolver is listed as a fallback but
	# presumably cannot answer for the AD zone, so clients that fail
	# over to it may temporarily fail domain lookups
	option domain-name-servers	10.11.12.100, 10.11.12.1;

	# NetBIOS/WINS settings pointing at the DC (node type 8 = hybrid)
	option netbios-name-servers	10.11.12.100;
	option netbios-dd-server	10.11.12.100; # SMB
	option netbios-node-type	8;
	option netbios-scope		"";

	# Kerberos needs clock agreement: the DC (chronyd with MS-SNTP
	# signing) is the first time source
	option ntp-servers		10.11.12.100, 10.11.12.1;

	pool {
		max-lease-time 1800; # 30 minutes
		range 10.11.12.101 10.11.12.199;
	}
}

# Lease committed: (re)create the client's DNS records.  The hook gets
# the address, the client's MAC address (variable named ClientDHCID) and
# the name.  NOTE(review): ClientName is chosen by the client (option
# host-name) and is untrusted; execute() hands it over as a separate
# argument rather than through a shell, but dhcp-dyndns.sh must still
# validate it before it ends up in a DNS update.
on commit {
	# fallback name when the client sends none: dhcp-A-B-C-D
	set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
	set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
	# MAC address as six zero-padded, colon-separated hex octets
	set ClientDHCID = concat (
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
	);
	set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
	log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
	execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

# Lease released by the client: remove its records (address + MAC)
on release {
	set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
	set ClientDHCID = concat (
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
		suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
	);
	log(concat("Release: IP: ", ClientIP));
	execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

# Lease expired: only the address is available here (see the original
# notes below), so the hook is called with an empty MAC and "0"
on expiry {
	set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
	# cannot get a ClientMac here, apparently this only works when actually receiving a packet
	log(concat("Expired: IP: ", ClientIP));
	# cannot get a ClientName here, for some reason that always fails
	execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}

# Static reservation example (replace MAC and address with your own)
host lesca {
	hardware ethernet       d0:67:e5:4c:47:ce; # NB Dell latitude i7/8gb
	fixed-address           10.11.12.80;
}

Attachment: samba-tool-dns.sh
Description: application/shellscript
