I have installed the latest Fedora 32 x86_64 (Fedora-Server-netinst-x86_64-32-20200218.n.0.iso) and performed a minimal installation. Then I deployed a Samba 4.12.rc2 DC + BIND + NTP (chronyd) + dhcpd, joined a CentOS 8 Samba member server (file server) to the domain and shared some folders, joined two Win10 workstations to the domain, logged into Win10 with domain users, accessed the CentOS 8 file server from win10a, shared a folder on win10b with permissions for some domain users, and tried to access the win10b shared folder from win10a... Good! All works fine... except adding the "PTR" record to the reverse DNS zone via DHCP; adding the name/IP as a DNS "A" record does work. Today I ran "dnf update". Many packages were updated and Samba became 4.12.rc3. After the reboot I tried again to update the PTR in the DNS reverse zone... and... this issue is gone too, now all works fine! Perhaps it is time to drop the "Experimental" word from Samba MIT Kerberos? I have written a simple howto, see the attached files. If you find any mistake, let me know. Many thanks to all -- Dario Lesca (inviato dal mio Linux Fedora 31 Workstation) |
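#!/bin/bash
# Step-by-step notes for deploying a Samba AD DC (BIND9_DLZ DNS backend),
# chronyd as NTP server and ISC dhcpd on a minimal Fedora 32 install.
#
# This is a how-to, not an unattended installer: the unconditional `exit`
# below keeps it from running as a whole. Paste the commands one section
# at a time and check each result before moving on.
exit

# Download Fedora 32 (beta) and perform a minimal installation
# This is my disk layout
# [root@addc1 ~]# pvscan
#   PV /dev/vda2   VG addc1   lvm2 [<9,00 GiB / <2,00 GiB free]
#   Total: 1 [<9,00 GiB] / in use: 1 [<9,00 GiB] / in no VG: 0 [0   ]
# [root@addc1 ~]# df
# File system            1K-blocchi   Usati Disponib. Uso% Montato su
# /dev/mapper/addc1-root    3135488 1312856   1822632  42% /
# /dev/vda1                 1038336  149820    888516  15% /boot
# /dev/mapper/addc1-var     3135488  283348   2852140  10% /var

# jump on the newly installed VM
ssh 192.168.122.104

# become root
# [lesca@dhcp-192-168-122-104 ~]$ sudo -i
sudo -i

# remove some unused software...
yum remove -y '*sss*'

# Set timezone (list candidates with: timedatectl list-timezones)
timedatectl set-timezone Europe/Rome

# drop localhost from the IPv6 ::1 line in /etc/hosts
sed -i '/^::1 /s/localhost localhost.localdomain //' /etc/hosts

# Set SELinux permissive.
# NOTE: this switches enforcement off for the whole host (denials are only
# logged); it is a lab shortcut, not a setting to carry into production.
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
reboot

# re-jump on the VM
ssh 192.168.122.104

# set a fixed IP
ip a add 192.168.122.100/24 dev ens3

# logout and rejump on the VM's new IP
ssh 192.168.122.100

# Setup IP and networking
# NOTE: the external DNS IP (1.1.1.1) is temporary; it is replaced with the
# DC's own address once BIND is running.
nmcli con mod ens3 ifname ens3 ipv4.method manual \
  ipv4.addr "192.168.122.100/24" \
  ipv4.gateway "192.168.122.1" \
  ipv4.dns "1.1.1.1" \
  ipv6.method link-local
nmcli device reapply ens3

# set hostname
hostnamectl set-hostname addc1.fedora.loc

# install some useful (for me?) software...
yum install -y screen wget rsync fuse-sshfs fuse-libs mutt lftp \
  sudo xorg-x11-xauth man bash-completion net-tools \
  vim-common vim-minimal vim-filesystem vim-enhanced

# setup use vim for root
sed -i '/le 200/s/^ /#/' /etc/profile.d/vim.sh

# Install samba + BIND DNS
# (no trailing backslash on the last line: it would swallow the next line)
yum install -y samba-client samba-dc samba-winbind samba-winbind-clients \
  attr acl krb5-workstation tdb-tools ldb-tools python3 \
  bind bind-utils samba-dc-bind-dlz

# Poweroff and ...
poweroff
# ... take a snapshot and start the machine

# Save and remove some files
[[ ! -e /etc/krb5.conf.orig ]] && mv -v /etc/krb5.conf /etc/krb5.conf.orig
[[ -e /etc/krb5.conf ]] && mv -v /etc/krb5.conf "/etc/krb5.conf.$(date +%s)"
[[ ! -e /etc/samba/smb.conf.orig ]] && mv -v /etc/samba/smb.conf /etc/samba/smb.conf.orig
[[ -e /etc/samba/smb.conf ]] && mv -v /etc/samba/smb.conf "/etc/samba/smb.conf.$(date +%s)"

# Deploy Samba AD-DC
par_realm='fedora.loc'
par_domain='fedora'
par_dnsbke='BIND9_DLZ'
par_adminpwd="P@ssw0rd"   # Must be strong!
# NOTE: --adminpass puts the password on the command line (visible in `ps`
# and in shell history while it runs); leaving it out makes samba-tool
# prompt for it instead.
samba-tool domain provision \
  --realm="$par_realm" \
  --domain="$par_domain" \
  --dns-backend="$par_dnsbke" \
  --use-rfc2307 \
  --server-role=dc \
  --function-level=2008_R2 \
  --adminpass="$par_adminpwd"
st=$?
#--use-xattr=yes \
# Test if it's good
echo "$st"

# install new kerberos configuration file
cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf

# (optional) Store user and admin password
# NOTE: "user%password" is what the -U options below pass to samba-tool, so
# the password appears in shell history and in `ps` output for each call.
# Use -Uadministrator (without %password) to be prompted instead.
echo "export addc_admin='administrator%$par_adminpwd'" >> /root/.bashrc
source /root/.bashrc

# Setup firewall (if not disabled)
# 49152-65535/tcp is the dynamic RPC port range the DC answers on.
firewall-cmd --permanent --add-service={samba,samba-dc,dns,dhcp,kerberos,kpasswd,ldap,ldaps,ntp}
firewall-cmd --permanent --add-port={135/tcp,137-138/udp,139/tcp,3268-3269/tcp,49152-65535/tcp}
firewall-cmd --reload

# Configure smb.conf
sed -i '/idmap_ldb:use rfc2307 = yes/a#\n\ttemplate shell = /bin/bash\n\ttemplate homedir = /home/%U' /etc/samba/smb.conf

# configure nsswitch.conf
sed -i 's/^\(passwd\|shadow\|group\): .*/& winbind/' /etc/nsswitch.conf

# Configure DNS BIND ( https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End )
[[ ! -e /etc/named.conf.orig ]] && cp -a -v /etc/named.conf /etc/named.conf.orig
sed -i 's/listen-on port 53.*/listen-on port 53 { 127.0.0.1; 192.168.122.100; };/' /etc/named.conf
# only answer queries from localhost and the LAN
sed -i 's/allow-query .*/allow-query { localhost; 192.168.122.0\/24; };/' /etc/named.conf
sed -i '/session-keyfile/a\
\n\t// send-cookie no;\
\ttkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";' /etc/named.conf
# guarded so that re-running this section does not append a second include
grep -q 'bind-dns/named.conf' /etc/named.conf \
  || echo 'include "/var/lib/samba/bind-dns/named.conf";' >> /etc/named.conf
chcon -t named_conf_t /var/lib/samba/bind-dns/dns.keytab
chcon -R -t named_var_run_t /var/lib/samba/bind-dns/dns

sysnamed=/etc/sysconfig/named
[[ ! -e "$sysnamed.orig" ]] && cp -a "$sysnamed" "$sysnamed.orig"
(
  # Only IPv4
  grep -q "^OPTIONS=" "$sysnamed" || echo 'OPTIONS="-4"'
  # Useful to disable protection against multiple rapid krb5 cache accesses.
  # NOTE: this turns off the Kerberos replay cache for named, i.e. replayed
  # GSS-TSIG update requests are no longer detected; it is a workaround for
  # bursts of updates failing, not a hardening step.
  grep -q "^KRB5RCACHETYPE=" "$sysnamed" || echo 'KRB5RCACHETYPE="none"'
) | tee -a "$sysnamed"
systemctl enable named
systemctl restart named

# Test if it works
host www.redhat.com 127.0.0.1

# set DNS IP to the AD IP (do not use 127.0.0.1)
nmcli con mod ens3 ipv4.dns "192.168.122.100"
nmcli device reapply ens3
sleep 2
cat /etc/resolv.conf

# check hosts
cat /etc/hosts

# Start samba
systemctl enable samba
systemctl restart samba

# Start Test
host "$(hostname)"
host -t SRV "_ldap._tcp.$(hostname -d)"
host -al "$(hostname -d)"

# Try to connect
smbclient -L "$(hostname)" -U"$addc_admin"

# (Optional) Set a very simple password policy (lab only: this removes
# complexity, history and age requirements for every domain account)
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings show

# (Optional) Change administrator password
samba-tool user setpassword administrator --newpassword="Cambi@m1"
# keep the stored "user%password" in step with the new password, otherwise
# every later -U"$addc_admin" call fails to authenticate
sed -i "s/^export addc_admin=.*/export addc_admin='administrator%Cambi@m1'/" /root/.bashrc
source /root/.bashrc

# (Optional) Setup a new User and Group
samba-tool user create ospite 'Cambi@m1' --description='Ospitino Ospitale' -U"$addc_admin"
samba-tool user setpassword ospite --newpassword="Cambi@m1"
samba-tool group add gruppo1 -U"$addc_admin"
samba-tool group addmembers gruppo1 ospite -U"$addc_admin"
samba-tool group listmembers gruppo1 -U"$addc_admin"

# (Optional) Migrate many other users:
# NOTE: this builds shell command lines from the user:pass:description
# fields and pipes them to `sh -x`; a field containing a double quote, `$`
# or a backtick breaks out of the generated command. Only feed it data you
# have checked yourself.
echo "user:pass:User Descri" \
  | awk -v addc_admin="$addc_admin" -F: '{printf("samba-tool user create \"%s\" \"%s\" --description \"%s\" -U%s\n",$1,$2,$3,addc_admin)}' \
  | sh -x

# Test kerberos
klist -e
kinit administrator

# Test Winbind
wbinfo --ping-dc

# Test ID users
id administrator
id ospite

# Test share
smbclient "//$(hostname)/netlogon" -U"$addc_admin" -c 'ls'

# Configure DNS reverse zone
samba-tool dns zonecreate "$(hostname)" 122.168.192.in-addr.arpa. -U"$addc_admin"
# add my reverse ip
samba-tool dns add "$(hostname)" 122.168.192.in-addr.arpa. 100 PTR "$(hostname)" -U"$addc_admin"
# Check
host "$(hostname)"
host 192.168.122.100

# (Some optional DNS examples)
samba-tool dns delete "$(hostname)" 122.168.192.in-addr.arpa. 1 PTR "$(hostname)" -U"$addc_admin"
# Add A record and PTR
samba-tool dns add "$(hostname)" "$(hostname -d)" "s-mail.$(hostname -d)" A '192.168.122.50' -U"$addc_admin"
samba-tool dns add "$(hostname)" 122.168.192.in-addr.arpa. 50 PTR "s-mail.$(hostname -d)" -U"$addc_admin"
host "s-mail.$(hostname -d)"
host 192.168.122.50
# add MX record
samba-tool dns add "$(hostname)" "$(hostname -d)" @ MX "s-mail.$(hostname -d) 10" -U"$addc_admin"
# A CNAME record (www, time, etc.)
samba-tool dns add "$(hostname)" "$(hostname -d)" www CNAME "ispc.$(hostname -d)" -U"$addc_admin"
samba-tool dns add "$(hostname)" "$(hostname -d)" time CNAME "$(hostname)" -U"$addc_admin"
# delete some records
samba-tool dns delete "$(hostname)" "$(hostname -d)" @ MX 's-mail 10' -U"$addc_admin"
samba-tool dns delete "$(hostname)" "$(hostname -d)" win7-1 A '192.168.122.11' -U"$addc_admin"
# list all domain records
samba-tool dns query "$(hostname)" "$(hostname -d)" @ ALL -U"$addc_admin"
samba-tool dns query "$(hostname)" 122.168.192.in-addr.arpa. @ ALL -U"$addc_admin"

# Install RSAT - to manage Samba from a non GNU/Linux system
# https://wiki.samba.org/index.php/Installing_RSAT

# Setup NTP SERVER
# https://wiki.samba.org/index.php/Time_Synchronisation
#CHRONYD
yum -y remove ntp
# NOTE: chrony.conf may have been altered by the dhcp client; remove it and
# reinstall the package to start from a pristine copy
rm /etc/chrony.conf
yum -y reinstall chrony
ls -ld /var/lib/samba/ntp_signd
# the signing socket directory must be readable by chrony only
chown root:chrony /var/lib/samba/ntp_signd
chmod 750 /var/lib/samba/ntp_signd
[[ ! -f /etc/chrony.conf.orig ]] && cp -va /etc/chrony.conf /etc/chrony.conf.orig
cat <<'EOF' >> /etc/chrony.conf
# samba ntp server
allow 10.0.0.0/8
allow 192.168.0.0/16
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
diff /etc/chrony.conf.orig /etc/chrony.conf
systemctl enable chronyd
systemctl restart chronyd
journalctl -u chronyd -f
# If it works, you must see a '... Selected source #.#.#.#' line

# Setup DHCP
# https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
dnf install dhcp -y
samba-tool user create dhcpduser \
  --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" \
  --random-password -U"$addc_admin"
samba-tool user setexpiry dhcpduser --noexpiry -U"$addc_admin"
samba-tool group addmembers DnsAdmins dhcpduser -U"$addc_admin"
# get dhcpduser.keytab (realm is the upper-cased DNS domain)
samba-tool domain exportkeytab \
  --principal="dhcpduser@$(hostname -d | tr '[:lower:]' '[:upper:]')" /etc/dhcpduser.keytab
# the keytab is a credential: readable by the dhcpd user only
chown dhcpd: /etc/dhcpduser.keytab
chmod 400 /etc/dhcpduser.keytab
ls -l /etc/dhcpduser.keytab

# Copy the shell script from the site and install it (paste to stdin)
install -v -m755 -oroot /dev/stdin /usr/local/bin/dhcp-dyndns.sh
#
# test it (Warning: do not run the script as root, a tmp file is created
# [/tmp/dhcp-dyndns.cc] with the wrong ownership)
sudo -u dhcpd /usr/local/bin/dhcp-dyndns.sh

# Copy the dhcpd.conf example from the samba site, or use the following dhcpd.conf
[[ ! -f /etc/dhcp/dhcpd.conf.orig ]] && mv -v /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.orig
# Configure dhcpd.conf or use the attached example
# (dots are escaped so only the literal 10.11.12 prefix is rewritten)
sed "s/10\.11\.12/192.168.122/g;s/dominio\.loc/$(hostname -d)/g" ./dhcpd.conf.example > /etc/dhcp/dhcpd.conf
# Adjust
vim /etc/dhcp/dhcpd.conf

# Start dhcpd
systemctl enable dhcpd
systemctl restart dhcpd

# End.
exit 0

# Everything below this point is never executed: it is a scratchpad of
# useful commands and notes.
# http://www.massimodonato.it/2016/02/09/installare-samba-come-active-directory-domain-controller-su-linux-centos-7/

# Some useful commands
LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb "cn=dns-$(hostname -s)" dn
# does not work on fedora with samba 4.7.3
samba_dnsupdate --all-names --fail-immediately
# https://lists.samba.org/archive/samba/2017-November/212035.html
net ads dns register
klist -k /var/lib/samba/bind-dns/dns.keytab
samba-tool user list

# DNS error https://lists.samba.org/archive/samba/2013-December/177476.html
# > > The samba4 log shows the following:
# > > Dec 17 14:53:20 dc named[20868]: samba_dlz: starting transaction on zone ad-domain-name
# > > Dec 17 14:53:20 dc named[20868]: samba_dlz: spnego update failed
# > > Dec 17 14:53:20 dc named[20868]: client 192.0.2.1#60404: updating zone 'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
# > > Dec 17 14:53:20 dc named[20868]: samba_dlz: cancelling transaction on zone ad-domain-name
# > >
# > > Any idea what might be happening now?
# > Yes. A previous join has failed. There are stale DNS records which have to be removed manually.
# We proceeded as follows:
# http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
# HTH Steve

# SMB file server share access is unsuccessful through a DNS CNAME alias
# https://support.microsoft.com/it-it/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias
# Windows: using aliases to reach SMB shares
# http://civinini.net/index.php/windows/42-usare-degli-alias-per-accedere-a-share-smb
# SOLUTION: the name check is done by the destination, not by the calling
# machine (the Windows 2000/2003 server, in our case), so it is enough to
# tell the server to skip that check by adding a simple registry key
# (note that this relaxes a server-side hostname check):
#   Path:  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
#   Type:  DWORD
#   Name:  DisableStrictNameChecking
#   Value: 1
# After the next reboot the server also accepts connections made with names
# other than its own.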
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp-server/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
# dhcpd does not do DDNS itself here (ddns-update-style none); the
# on commit / on release / on expiry hooks below hand each lease to
# /usr/local/bin/dhcp-dyndns.sh, which performs the DNS update.
#
authoritative;
ddns-update-style none;

subnet 10.11.12.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.11.12.255;
  option time-offset 0;
  option domain-name "dominio.loc";
  option routers 10.11.12.1;
  option domain-name-servers 10.11.12.100, 10.11.12.1;
  option netbios-name-servers 10.11.12.100;
  option netbios-dd-server 10.11.12.100; # SMB
  option netbios-node-type 8;
  option netbios-scope "";
  option ntp-servers 10.11.12.100, 10.11.12.1;
  pool {
    max-lease-time 1800; # 30 minutes
    range 10.11.12.101 10.11.12.199;
  }
}

on commit {
  # fallback name "dhcp-A-B-C-D" when the client offers no host name
  set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  # client MAC rebuilt as six zero-padded hex octets separated by ':'
  set ClientDHCID = concat (
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
  );
  # NOTE: when the client sends a host-name option it wins here, so the
  # name handed to dhcp-dyndns.sh (and put into DNS) is chosen by the
  # DHCP client; the script has to treat it as untrusted input.
  set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
  log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
  execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

on release {
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  # same MAC formatting as in the commit hook
  set ClientDHCID = concat (
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
  );
  log(concat("Release: IP: ", ClientIP));
  execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

on expiry {
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  # cannot get a ClientMac here, apparently this only works when actually receiving a packet
  log(concat("Expired: IP: ", ClientIP));
  # cannot get a ClientName here, for some reason that always fails
  # (empty DHCID and "0" are passed in their place)
  execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}

# static reservation, outside the dynamic pool range
host lesca {
  hardware ethernet d0:67:e5:4c:47:ce; # NB Dell latitude i7/8gb
  fixed-address 10.11.12.80;
}