I have install last Fedora 32 x86_64 (Fedora-Server-netinst-x86_64-32-20200218.n.0.iso) and perform a minimal installation. Then i have deploy a samba 4.12.rc2 DC + BIND + NTP Chronyd + Dhcpd . Join a Centos8 samba member server (file server) to domain and share some folder. Join to domain 2 Win10 workstation Login into win10 with domain's users Access from win10a to centos8 file server Share a folder on win10b and set some domain's users permission. Try to access to win10b shared folder from win10a .... Good! All work fine ... except add "PTR"record into reverse DNS zone via DHCP, instead add name/IP to DNS "A" record work. Today I run "dnf update". Many package are updates, Samba become 4.12.rc3. After reboot I have try to update PTR into DNS reverse zone ... and .... Also this issue is gone, now all work Fine!. Probably is time to wipe away the "Experimental" word from Samba MIT Kerberos? I have write a simple howto, see attached files. If you find any mistake, let me know Many thanks to all -- Dario Lesca (inviato dal mio Linux Fedora 31 Workstation) |
#!/bin/bash
exit
# Download Fedora 32 (beta) and perform a minimal installation
# This is my Disk layout
# [root@addc1 ~]# pvscan
# PV /dev/vda2 VG addc1 lvm2 [<9,00 GiB / <2,00 GiB free]
# Total: 1 [<9,00 GiB] / in use: 1 [<9,00 GiB] / in no VG: 0 [0 ]
# root@addc1 ~]# df
# File system 1K-blocchi Usati Disponib. Uso% Montato su
# /dev/mapper/addc1-root 3135488 1312856 1822632 42% /
# /dev/vda1 1038336 149820 888516 15% /boot
# /dev/mapper/addc1-var 3135488 283348 2852140 10% /var
# jump on new vm installed
ssh 192.168.122.104
# begone root
[lesca@dhcp-192-168-122-104 ~]$ sudo -i
# remove some unused software...
yum remove \*sss\* -y
# Set timezone
# timedatectl list-timezones
timedatectl set-timezone Europe/Rome
# disable localhost to ipv6 into /etc/hosts
sed -i '/^::1 /s/localhost localhost.localdomain //' /etc/hosts
# Set selinux permissive
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
reboot
# re-jump on vm installed
ssh 192.168.122.104
# set a fixed IP
ip a add 192.168.122.100/24 dev ens3
# logout and rejump on vm new IP
ssh 192.168.122.100
# Setup IP and networking
nmcli con mod ens3 ifname ens3 ipv4.method manual \
ipv4.addr "192.168.122.100/24" \
ipv4.gateway "192.168.122.1" \
ipv4.dns "1.1.1.1" \
ipv6.method link-local
nmcli device reapply ens3
# NOTE: external DNS IP is temporary
# ipv4.dns "1.1.1.1" \
# set hostname
hostnamectl set-hostname addc1.fedora.loc
# install some useful (for me?) software...
yum install -y screen wget rsync fuse-sshfs fuse-libs mutt lftp \
sudo xorg-x11-xauth man bash-completion net-tools \
vim-common vim-minimal vim-filesystem vim-enhanced
# setup use vim for root
sed -i '/le 200/s/^ /#/' /etc/profile.d/vim.sh
# Install samba + BIND DNS
yum install -y samba-client samba-dc samba-winbind samba-winbind-clients \
attr acl krb5-workstation tdb-tools ldb-tools python3 \
bind bind-utils samba-dc-bind-dlz \
# Poweroff and ....
poweroff
# ... take a snapshot and start machine
#
# Save and remove some files
test ! -e /etc/krb5.conf.orig && mv -v /etc/krb5.conf /etc/krb5.conf.orig
test -e /etc/krb5.conf && mv -v /etc/krb5.conf /etc/krb5.conf.$(date +%s)
test ! -e /etc/samba/smb.conf.orig && mv -v /etc/samba/smb.conf /etc/samba/smb.conf.orig
test -e /etc/samba/smb.conf && mv -v /etc/samba/smb.conf /etc/samba/smb.conf.$(date +%s)
# Deploy Samba AD-DC
par_realm='fedora.loc'
par_domain='fedora'
par_dnsbke='BIND9_DLZ'
par_adminpwd="P@ssw0rd" # Must be strong!
samba-tool domain provision \
--realm=$par_realm \
--domain=$par_domain \
--dns-backend=$par_dnsbke \
--use-rfc2307 \
--server-role=dc \
--function-level=2008_R2 \
--adminpass="$par_adminpwd"
st=$?
#--use-xattr=yes \
# Test if it's good
echo $st
# install new kerberos configuration file
cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf
# (optional) Store user and admin password
echo "export addc_admin='administrator%$par_adminpwd'" >> /root/.bashrc
source /root/.bashrc
# Setup firewall (if not disabled)
firewall-cmd --permanent --add-service={samba,samba-dc,dns,dhcp,kerberos,kpasswd,ldap,ldaps,ntp}
firewall-cmd --permanent --add-port={135/tcp,137-138/udp,139/tcp,3268-3269/tcp,49152-65535/tcp}
firewall-cmd --reload
# Configure smb.conf
sed -i '/idmap_ldb:use rfc2307 = yes/a#\n\ttemplate shell = /bin/bash\n\ttemplate homedir = /home/%U' /etc/samba/smb.conf
# configure nsswitch.conf
sed -i 's/^\(passwd\|shadow\|group\): .*/& winbind/' /etc/nsswitch.conf
# Configure DNS BIND ( https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End )
test ! -e /etc/named.conf.orig &&
cp -a -v /etc/named.conf /etc/named.conf.orig
sed -i 's/listen-on port 53.*/listen-on port 53 { 127.0.0.1; 192.168.122.100; };/' /etc/named.conf
sed -i 's/allow-query .*/allow-query { localhost; 192.168.122.0\/24; };/' /etc/named.conf
sed -i '/session-keyfile/a\
\n\t// send-cookie no;\
\ttkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";' /etc/named.conf
echo 'include "/var/lib/samba/bind-dns/named.conf";' >> /etc/named.conf
chcon -t named_conf_t /var/lib/samba/bind-dns/dns.keytab
chcon -R -t named_var_run_t /var/lib/samba/bind-dns/dns
sysnamed=/etc/sysconfig/named
test ! -e "$sysnamed.orig" &&
cp -a "$sysnamed" "$sysnamed.orig"
(
# Only IPv4
grep -q "^OPTIONS=" "$sysnamed" || echo 'OPTIONS="-4"'
# Usefull to disable protection multiple rapid krb5 cache access
grep -q "^KRB5RCACHETYPE=" "$sysnamed" || echo 'KRB5RCACHETYPE="none"'
)| tee -a "$sysnamed"
systemctl enable named
systemctl restart named
# Test if work
host www.redhat.com 127.0.0.1
# set DNS IP on AD IP (do not use 127.0.0.1)
nmcli con mod ens3 ipv4.dns "192.168.122.100"
nmcli device reapply ens3
sleep 2
cat /etc/resolv.conf
# check hosts
cat /etc/hosts
# Start samba
systemctl enable samba
systemctl restart samba
# Start Test
host $(hostname)
host -t SRV _ldap._tcp.$(hostname -d)
host -al $(hostname -d)
# Try to connect
smbclient -L $(hostname) -U$addc_admin
# (Optional) Set password policy very simple
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings show
# (Optional) Change administrator password
samba-tool user setpassword administrator --newpassword="Cambi@m1"
# (Optional) Setup a new User ... and Group
samba-tool user create ospite 'Cambi@m1' --description='Ospitino Ospitale' -U$addc_admin
samba-tool user setpassword ospite --newpassword="Cambi@m1"
samba-tool group add gruppo1 -U$addc_admin
samba-tool group addmembers gruppo1 ospite -U$addc_admin
samba-tool group listmembers gruppo1 -U$addc_admin
# (Optional) Migrate other many users:
echo "user:pass:User Descri" |
awk -vaddc_admin=$addc_admin -F: '{printf("samba-tool user create \"%s\" \"%s\" --description \"%s\" -U%s\n",$1,$2,$3,addc_admin)}' |
sh -x
# Test kerneros
klist -e
kinit administrator
# Test Winbind
wbinfo --ping-dc
# Test ID users
id administrator
id ospite
# Test share
smbclient //$(hostname)/netlogon -U$addc_admin -c 'ls'
# Configure DNS reverse zone
samba-tool dns zonecreate $(hostname) 122.168.192.in-addr.arpa. -U$addc_admin
# add my reverse ip
samba-tool dns add $(hostname) 122.168.192.in-addr.arpa. 100 PTR $(hostname) -U$addc_admin
# Check
host $(hostname)
host 192.168.122.100
# (Some optional DNS examples)
samba-tool dns delete $(hostname) 122.168.192.in-addr.arpa. 1 PTR $(hostname) -U$addc_admin
# Add A record and PTR
samba-tool dns add $(hostname) $(hostname -d) s-mail.$(hostname -d) A '192.168.122.50' -U$addc_admin
samba-tool dns add $(hostname) 122.168.192.in-addr.arpa. 50 PTR s-mail.$(hostname -d) -U$addc_admin
host s-mail.$(hostname -d)
host 192.168.122.50
# add MX record
samba-tool dns add $(hostname) $(hostname -d) @ MX "s-mail.$(hostname -d) 10" -U$addc_admin
# A CNAME record (www, time, ecc.)
samba-tool dns add $(hostname) $(hostname -d) www CNAME ispc.$(hostname -d) -U$addc_admin
samba-tool dns add $(hostname) $(hostname -d) time CNAME $(hostname) -U$addc_admin
# delete some record
samba-tool dns delete $(hostname) $(hostname -d) @ MX 's-mail 10' -U$addc_admin
samba-tool dns delete $(hostname) $(hostname -d) win7-1 A '192.168.122.11' -U$addc_admin
# list all domain record.
samba-tool dns query $(hostname) $(hostname -d) @ ALL -U$addc_admin
samba-tool dns query $(hostname) 122.168.192.in-addr.arpa. @ ALL -U$addc_admin
# Install RSAT - For manage Samba from a not GNU/Linux system
# https://wiki.samba.org/index.php/Installing_RSAT
# Setup NTP SERVER
# https://wiki.samba.org/index.php/Time_Synchronisation
#CHRONYD
yum -y remove ntp
# NOTE: config file must be modify by dhcp client
rm /etc/chrony.conf
yum -y reinstall chrony
ls -ld /var/lib/samba/ntp_signd
chown root:chrony /var/lib/samba/ntp_signd
chmod 750 /var/lib/samba/ntp_signd
test ! -f /etc/chrony.conf.orig && cp -va /etc/chrony.conf /etc/chrony.conf.orig
cat <<-EOF >> /etc/chrony.conf
# samba ntp server
allow 10.0.0.0/8
allow 192.168.0.0/16
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
diff /etc/chrony.conf.orig /etc/chrony.conf
systemctl enable chronyd
systemctl restart chronyd
journalctl -u chronyd -f
# If work, you must see a '... Selected source #.#.#.#' line
# Setup DHCP
# https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
dnf install dhcp -y
samba-tool user create dhcpduser \
--description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" \
--random-password -U$addc_admin
samba-tool user setexpiry dhcpduser --noexpiry -U$addc_admin
samba-tool group addmembers DnsAdmins dhcpduser -U$addc_admin
# get dhcpduser.keytab
samba-tool domain exportkeytab --principal=dhcpduser@$(hostname -d|tr [a-z] [A-Z]) /etc/dhcpduser.keytab
chown dhcpd: /etc/dhcpduser.keytab
chmod 400 /etc/dhcpduser.keytab
ls -l /etc/dhcpduser.keytab
# Copy shell script from site and install it (paste to stdin)
install -v -m755 -oroot /dev/stdin /usr/local/bin/dhcp-dyndns.sh
#
# test it (Warning: do not run the script as root, a tmp file is create [/tmp/dhcp-dyndns.cc] with wrong permission)
sudo -u dhcpd /usr/local/bin/dhcp-dyndns.sh
# Copy dhcpd.conf example from samba site, or use the follow dhcpd.conf
test ! -f /etc/dhcp/dhcpd.conf.orig &&
mv -v /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.orig
# Configure dhcpd.conf or use attachet example
sed "s/10.11.12/192.168.122/g;s/dominio.loc/$(hostname -d)/g" ./dhcpd.conf.example > /etc/dhcp/dhcpd.conf
# Adjusts
vim /etc/dhcp/dhcpd.conf
# Start dncpd
systemctl enable dhcpd
systemctl restart dhcpd
# End.
exit 0
# http://www.massimodonato.it/2016/02/09/installare-samba-come-active-directory-domain-controller-su-linux-centos-7/
#Qualche comando utile
LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb "cn=dns-$(hostname -s)" dn
# non va su fedora 4.7.3
samba_dnsupdate --all-names --fail-immediately
# https://lists.samba.org/archive/samba/2017-November/212035.html
net ads dns register
klist -k /var/lib/samba/bind-dns/dns.keytab
samba-tool user list
# DNS error
https://lists.samba.org/archive/samba/2013-December/177476.html
>
> The samba4 log shows the following:
>
> Dec 17 14:53:20 dc named[20868]: samba_dlz: starting transaction on zone
> ad-domain-name
> Dec 17 14:53:20 dc named[20868]: samba_dlz: spnego update failed
> Dec 17 14:53:20 dc named[20868]: client 192.0.2.1#60404: updating zone
> 'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
> Dec 17 14:53:20 dc named[20868]: samba_dlz: cancelling transaction on
> zone ad-domain-name
>
> Any idea what might be happening now?
>
Yes. A previous join has failed. There are stale DNS records which have
to be removed manually. We proceeded as follows:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
HTH
Steve
# Accesso a condivisioni server SMB non viene completata tramite alias CNAME DNS
# https://support.microsoft.com/it-it/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias
# Windows Usare degli alias per accedere a share SMB
# http://civinini.net/index.php/windows/42-usare-degli-alias-per-accedere-a-share-smb
SOLUZIONE
Il controllo sul nome viene fatto non dalla macchina "chiamante" bensì dalla destinazione (il nostro server Windows 2000/2003 tanto per capirci): è sufficiente quindi dire al server di non effetturre questo controllo, aggiungendo una banale chiave di registro:
Percorso: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
Type: DWORD
Nome: DisableStrictNameChecking
Valore: 1
Al successivo riavvio il server accetterà connessioni anche con nomi diversi dal proprio
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp-server/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
authoritative;
ddns-update-style none;
subnet 10.11.12.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 10.11.12.255;
option time-offset 0;
option domain-name "dominio.loc";
option routers 10.11.12.1;
option domain-name-servers 10.11.12.100, 10.11.12.1;
option netbios-name-servers 10.11.12.100;
option netbios-dd-server 10.11.12.100; # SMB
option netbios-node-type 8;
option netbios-scope "";
option ntp-servers 10.11.12.100, 10.11.12.1;
pool {
max-lease-time 1800; # 30 minutes
range 10.11.12.101 10.11.12.199;
}
}
on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = concat (
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
);
set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}
on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = concat (
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
);
log(concat("Release: IP: ", ClientIP));
execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}
on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# cannot get a ClientMac here, apparently this only works when actually receiving a packet
log(concat("Expired: IP: ", ClientIP));
# cannot get a ClientName here, for some reason that always fails
execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
host lesca {
hardware ethernet d0:67:e5:4c:47:ce; # NB Dell latitude i7/8gb
fixed-address 10.11.12.80;
}
Attachment:
samba-tool-dns.sh
Description: application/shellscript
_______________________________________________ test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to test-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@xxxxxxxxxxxxxxxxxxxxxxx
