{"id":900,"date":"2018-04-12T09:29:10","date_gmt":"2018-04-12T06:29:10","guid":{"rendered":"https:\/\/helia.ee\/koolitus\/?page_id=900"},"modified":"2019-11-04T15:53:42","modified_gmt":"2019-11-04T13:53:42","slug":"debian-samba4-ad-dc-ubuntu-14-04","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=900","title":{"rendered":"Debian &#8211; Samba4 AD DC on Ubuntu 14.04 (correct tutorial)"},"content":{"rendered":"<div class=\"entry-content\">\n<p>Samba 4 is a good bit of software. If only those last few tweaks could be done to finish it and the documentation off, it would be great software. I have found a lot of ways to set up Samba4 as an AD DC, most of which fail to work; only this one series of steps worked. Samba4 configuration is really, really flaky! The <a href=\"https:\/\/wiki.samba.org\/index.php\/User_Documentation\">official Samba documentation<\/a> is getting better and beginning to cover some of the configuration pitfalls.<\/p>\n<p>For this how-to we are building on some of my other how-tos.<\/p>\n<ul>\n<li><a href=\"https:\/\/blogging.dragon.org.uk\/setup-a-test-networking-lab-with-virtualbox\/\">Setup a Test Networking Lab with VirtualBox<\/a><\/li>\n<li><a href=\"https:\/\/blogging.dragon.org.uk\/ubuntu-minimal-install-with-mate-as-the-desktop-14-04-lts\/\">Ubuntu minimal Install with MATE as the Desktop 14.04 LTS<\/a><\/li>\n<li><a href=\"https:\/\/blogging.dragon.org.uk\/bind9-dns-and-dhcp-on-ubuntu-14-04\/\">Bind9, DNS and DHCP on Ubuntu 14.04<\/a><\/li>\n<\/ul>\n<p>We will be building this:<\/p>\n<ul>\n<li><strong>AD DC Hostname:<\/strong> lab-addc1<\/li>\n<li><strong>AD DNS Domain Name:<\/strong> black.dragon.lab<\/li>\n<li><strong>Kerberos Realm:<\/strong> black.dragon.lab<\/li>\n<li><strong>Domain Name\/NetBIOS Name:<\/strong> black<\/li>\n<li><strong>IP Address:<\/strong> 10.1.200.3<\/li>\n<li><strong>Forwarder DNS Server:<\/strong> 10.1.200.3<\/li>\n<li><strong>Gateway:<\/strong> 10.1.200.3<\/li>\n<li><strong>Subnet 
Mask:<\/strong> 255.255.255.0<\/li>\n<li><strong>Server Role:<\/strong> Primary Domain Controller (PDC)<\/li>\n<li><strong>Domain Admin Password:<\/strong> Admin1234<\/li>\n<li><strong>Backend DNS:<\/strong> BIND9 DLZ<\/li>\n<\/ul>\n<h2>Update Ubuntu To The Latest<\/h2>\n<p>Always use the latest bug fixes and security patches. Samba is also still being updated with bug fixes and newer features, so get them too.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">apt-get update<\/span>\r\n<span class=\"kw2\">sudo<\/span> <span class=\"kw2\">apt-get dist-upgrade<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h2>OS Requirements<\/h2>\n<p>You need a functioning DNS server and usually a DHCP server; see above. Kerberos requires that all systems have the same time, so you will also need a functioning NTP server. See my post about <a href=\"https:\/\/blogging.dragon.org.uk\/setting-upntp-on-ubuntu-14-04\/\">setting up an NTP server process.<\/a><\/p>\n<p>To use the full functionality of Samba when sharing file systems you need ACL support and both user and system extended attribute (xattr) support. 
Using your AD DC as a file share is not a good idea, though, as the file system could be overloaded serving files and the DC could become slow or unable to check users' credentials.<\/p>\n<p>Make sure the acl and attr packages are installed.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">apt-get install<\/span> acl attr<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>These can be turned on by updating your \/etc\/fstab. Be careful when setting these: get it wrong and the system will not be bootable. You did do that full backup, didn\u2019t you?!<\/p>\n<p>To add the features, add <strong>user_xattr,acl,barrier=1<\/strong> to the mount options of each file system you want to use for shares. Try it out first on a file system that is not required during the boot process, e.g. 
Create a small temporary fs and mount that as \/data.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">nano<\/span> <span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>fstab<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">\/dev\/sdb1   \/data   ext4 user_xattr,acl,barrier=<span class=\"nu0\">1<\/span>,noatime  <span class=\"nu0\">0<\/span>  <span class=\"nu0\">0<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Test it out without rebooting first; when you get the fs mounted without errors, proceed to the others and reboot before continuing.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">umount<\/span> <span class=\"sy0\">\/<\/span>data\r\n<span class=\"kw2\">mount<\/span> <span class=\"re5\">-a<\/span>\r\n<span class=\"kw2\">mount<\/span> <span class=\"sy0\">|<\/span> <span class=\"kw2\">grep<\/span> <span class=\"st_h\">'\/data '<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">\/dev\/sdb1 on \/data type ext4 <span class=\"br0\">(<\/span>rw,user_xattr,acl,barrier=<span class=\"nu0\">1<\/span>,noatime<span class=\"br0\">)<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Do the same for all other file systems on the server that are going to be accessed via Samba using Windows ACLs.<\/p>\n<p>Once you are sure you have your fstab correct you should reboot to bring those changes into use.<\/p>\n<h3>Check ACLs are working<\/h3>\n<p>This next part is an almost direct lift from the <a href=\"https:\/\/wiki.samba.org\/index.php\/OS_Requirements\">Samba docs<\/a>; it seemed pointless reinventing the wheel for this part.<br \/>\nSome of the names have been changed to protect the innocent.<\/p>\n<p>All these commands should be run as root: either su to root or give yourself a root shell with sudo -i.<\/p>\n<p>Create a test file to play around with:<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">touch<\/span> testing_acl.txt<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Add an extended attribute with the name <strong>user.test<\/strong> and a value of <strong>test<\/strong>. 
Then add a second attribute named security.test with a value of test2.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> setfattr <span class=\"re5\">-n<\/span> user.test <span class=\"re5\">-v<\/span> <span class=\"kw3\">test<\/span> testing_acl.txt\r\n<span class=\"kw2\">sudo<\/span> setfattr <span class=\"re5\">-n<\/span> security.test <span class=\"re5\">-v<\/span> test2 testing_acl.txt<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>View the extended attributes just added to the test file.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> getfattr <span class=\"re5\">-d<\/span> testing_acl.txt<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\"># file: testing_acl.txt\r\nuser.test=\"test\"<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> getfattr <span class=\"re5\">-n<\/span> security.test <span class=\"re5\">-d<\/span> testing_acl.txt<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\"># file: testing_acl.txt\r\nsecurity.test=\"test2\"<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Now add some file access control list (ACL) permissions to our test file: additionally give the users in the Linux group adm read, write and execute permissions.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> setfacl <span class=\"re5\">-m<\/span> g:adm:rwx testing_acl.txt\r\n<span class=\"kw2\">sudo<\/span> getfacl testing_acl.txt<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\"># file: testing_acl.txt\r\n# owner: root\r\n# group: root\r\nuser::rw-\r\ngroup::r--\r\ngroup:adm:rwx\r\nmask::rwx\r\nother::r--<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Only continue if all went as above. If it did not, go back to your backup and start again.<\/p>\n<h2>Installing even more software<\/h2>\n<p>Depending on how you installed your system, some of these packages may already be installed.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">apt-get install<\/span> samba smbclient build-essential libacl1-dev libattr1-dev \\\r\n   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \\\r\n   python-dnspython <span class=\"kw2\">gdb<\/span> pkg-config libpopt-dev libldap2-dev \\\r\n   dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev ldb-tools\r\n\r\n<strong>apt-get install winbind libnss-winbind libpam-winbind (these must definitely be installed as well)<\/strong><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>During the installation process you will be asked some questions:<\/p>\n<ul>\n<li>Configuring Kerberos Authentication: <strong>BLACK.DRAGON.LAB<\/strong><\/li>\n<li>hostname of Kerberos servers in the BLACK.DRAGON.LAB: <strong>lab-addc1<\/strong><\/li>\n<li>hostname of the Administrative (password changing) servers: <strong>lab-addc1<\/strong><\/li>\n<\/ul>\n<p>Pitfall: If you get these wrong your AD DC will not work and you will have to start again!<\/p>\n<p>Once that lot is installed without errors, delete the Samba configuration file created by the system. The provisioning tool fails if it already exists. 
(Why don\u2019t the Samba guys update the provisioning tool to do that or ask you?)<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">rm<\/span> <span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>samba<span class=\"sy0\">\/<\/span>smb.conf<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Now to provision the AD. Pitfall: be very careful and precise here, you only get one shot at this!<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><strong># this command sets up the domain<\/strong>\r\n<span class=\"kw2\">sudo<\/span> samba-tool domain provision <span class=\"re5\">--use-rfc2307<\/span> <span class=\"re5\">--interactive<\/span>\r\n\r\n<strong># below is described what to enter at each prompt (this is a sample domain).<\/strong><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>The only inputs you should need to change are:<\/p>\n<ul>\n<li>Realm: <strong>tapavpk.ee<\/strong><\/li>\n<li>Domain: <strong>the domain name (this becomes the workgroup name in smb.conf)<\/strong><\/li>\n<li>Server Role: <strong>dc<\/strong><\/li>\n<li>DNS Backend: SAMBA_INTERNAL<\/li>\n<li>Administrator password:<\/li>\n<\/ul>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">Realm <span class=\"br0\">[<\/span>DRAGON.LAB<span class=\"br0\">]<\/span>: 
BLACK.DRAGON.LAB\r\n Domain <span class=\"br0\">[<\/span>BLACK<span class=\"br0\">]<\/span>: \r\n Server Role <span class=\"br0\">(<\/span>dc, member, standalone<span class=\"br0\">)<\/span> <span class=\"br0\">[<\/span>dc<span class=\"br0\">]<\/span>: \r\n DNS backend <span class=\"br0\">(<\/span>SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE<span class=\"br0\">)<\/span> <span class=\"br0\">[<\/span>SAMBA_INTERNAL<span class=\"br0\">]<\/span>: BIND9_DLZ\r\nAdministrator password: \r\nRetype password: \r\nLooking up IPv4 addresses\r\nLooking up IPv6 addresses\r\nNo IPv6 address will be assigned\r\nSetting up share.ldb\r\nSetting up secrets.ldb\r\nSetting up the registry\r\nSetting up the privileges database\r\nSetting up idmap db\r\nSetting up SAM db\r\nSetting up sam.ldb partitions and settings\r\nSetting up sam.ldb rootDSE\r\nPre-loading the Samba <span class=\"nu0\">4<\/span> and AD schema\r\nAdding DomainDN: DC=black,DC=dragon,DC=lab\r\nAdding configuration container\r\nSetting up sam.ldb schema\r\nSetting up sam.ldb configuration data\r\nSetting up display specifiers\r\nModifying display specifiers\r\nAdding users container\r\nModifying users container\r\nAdding computers container\r\nModifying computers container\r\nSetting up sam.ldb data\r\nSetting up well known security principals\r\nSetting up sam.ldb users and groups\r\nSetting up self join\r\nAdding DNS accounts\r\nCreating CN=MicrosoftDNS,CN=System,DC=black,DC=dragon,DC=lab\r\nCreating DomainDnsZones and ForestDnsZones partitions\r\nPopulating DomainDnsZones and ForestDnsZones partitions\r\nSee \/var\/lib\/samba\/private\/named.conf for an example configuration include file for BIND\r\nand \/var\/lib\/samba\/private\/named.txt for further documentation required for secure DNS updates\r\nSetting up sam.ldb rootDSE marking as synchronized\r\nFixing provision GUIDs\r\nA Kerberos configuration suitable for Samba <span class=\"nu0\">4<\/span> has been generated at 
\/var\/lib\/samba\/private\/krb5.conf\r\nSetting up fake yp server settings\r\nOnce the above files are installed, your Samba4 server will be ready to use\r\nServer Role:           active directory domain controller\r\nHostname:              lab-addc1\r\nNetBIOS Domain:        BLACK\r\nDNS Domain:            black.dragon.lab\r\nDOMAIN SID:            S-<span class=\"nu0\">1<\/span>-<span class=\"nu0\">5<\/span>-<span class=\"nu0\">21<\/span>-<span class=\"nu0\">1234567890<\/span>-<span class=\"nu0\">1234567890<\/span>-<span class=\"nu0\">1234567890<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h2>Configuring Samba and Bind<\/h2>\n<p>Edit the file <strong>\/etc\/samba\/smb.conf<\/strong> and add the following lines to the end of the <strong>[global]<\/strong> section.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">nano<\/span> <span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>samba<span class=\"sy0\">\/<\/span>smb.conf<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">        allow dns updates = nonsecure and secure\r\n        dns forwarder = 10.1.200.3\r\n\u00a0\r\n        # Thanks to Lars for this fix, it stops the syslog\r\n        # being spammed by the lack of a CUPS server.\r\n        printing = CUPS\r\n        printcap name = \/dev\/null<\/pre>\n<pre class=\"de1\"><span class=\"re5\"><strong>######### these lines must be added to the samba config<\/strong><\/span><\/pre>\n<pre class=\"de1\"># Global parameters\r\n[global]\r\nworkgroup = HKHK\r\nrealm = HKHK.EDU.EE\r\nnetbios name = MYYR\r\nserver role = active directory domain controller\r\ndns forwarder = 172.21.0.3\r\nidmap config *:backend = tdb\r\n# idmap config *:range = 5000-9999\r\n# idmap config HKHK:backend = ad\r\n# idmap config HKHK:schema_mode = rfc2307\r\nidmap config HKHK:range = 10000-30000\r\n\r\nidmap_ldb:use rfc2307 = yes\r\ninterfaces = lo eth0\r\nallow dns updates = nonsecure\r\n\r\nwinbind nss info = rfc2307\r\n\r\n#[homes]\r\n# comment = Home Directories\r\n# path = \/home\/\r\n# valid users = %S\r\n# read only = No\r\n# browseable = No\r\n\r\n[netlogon]\r\npath = \/var\/lib\/samba\/sysvol\/hkhk.edu.ee\/scripts\r\nread only = No\r\n\r\n[sysvol]\r\npath = \/var\/lib\/samba\/sysvol\r\nread only = No\r\n\r\n[home]\r\npath = \/home\/\r\nread only = No\r\n\r\n[Profiles]\r\npath = \/home\/profiles\/\r\n# browseable = no\r\n# guest ok = no\r\n# writable = yes\r\n# public = no\r\nread only = No\r\ncreate mask = 0600\r\ndirectory mask = 0700\r\ncsc policy = disable\r\nprofile acls = yes\r\nstore dos attributes = yes<\/pre>\n<pre class=\"de1\"><strong><span class=\"re5\">######### these lines must be added to the samba config\r\n\r\n############# these lines must be added to \/etc\/nsswitch.conf\r\nadd winbind after passwd: and do the same after group:\r\n\r\nexample here:\r\n\r\npasswd: compat winbind\r\ngroup: compat winbind\r\n############# these lines must be added to \/etc\/nsswitch.conf<\/span><\/strong><\/pre>\n<pre class=\"de1\"><strong>add allow dns updates = nonsecure and secure to the samba config # at the end these commands must also be run<\/strong><\/pre>\n<pre class=\"de1\"><strong>systemctl disable nmbd\r\nsystemctl disable smbd\r\nsystemctl unmask samba-ad-dc\r\nsystemctl enable samba-ad-dc\r\nservice samba-ad-dc restart<\/strong><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Add the following to \/etc\/bind\/named.conf.options at the end of the <strong>options{\u2026}<\/strong> block. You may need to comment out any existing lines, as duplicate settings are not allowed.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">nano<\/span> <span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>bind<span class=\"sy0\">\/<\/span>named.conf.options<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">   auth-nxdomain yes;\r\n   empty-zones-enable no;\r\n\u00a0\r\n   \/\/ Adding this Samba generated file will allow for automatic DDNS updates\r\n   tkey-gssapi-keytab \"\/var\/lib\/samba\/private\/dns.keytab\";<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Edit <strong>\/var\/lib\/samba\/private\/named.conf<\/strong> to match your version of bind9; see the comments in the file. To find out the version of bind, run the following and look at the last line (there is a lot of output here, which is the usage text for the command).<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"sy0\">\/<\/span>usr<span class=\"sy0\">\/<\/span>sbin<span class=\"sy0\">\/<\/span>rndc <span class=\"re5\">--version<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">Version: 9.9.5-3ubuntu0.2-Ubuntu<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">nano<\/span> <span class=\"sy0\">\/<\/span>var<span class=\"sy0\">\/<\/span>lib<span class=\"sy0\">\/<\/span>samba<span class=\"sy0\">\/<\/span>private<span class=\"sy0\">\/<\/span>named.conf<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">dlz \"AD DNS Zone\" <span class=\"br0\">{<\/span>\r\n    # For BIND 9.8.0\r\n#    database \"dlopen \/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9.so\";\r\n\u00a0\r\n    # For BIND 9.9.0\r\n    database \"dlopen \/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9_9.so\";\r\n<span class=\"br0\">}<\/span>;<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Add the following to \/etc\/bind\/named.conf as the second include line.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">nano<\/span> <span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>bind<span class=\"sy0\">\/<\/span>named.conf<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">include \"\/var\/lib\/samba\/private\/named.conf\";<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Change the permissions on the private dns.keytab file so it is readable by your bind group. Give the group read access only: this keytab holds the key BIND uses to authenticate dynamic DNS updates, so it must not become world-readable.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">chgrp<\/span> <span class=\"kw3\">bind<\/span> <span class=\"sy0\">\/<\/span>var<span class=\"sy0\">\/<\/span>lib<span class=\"sy0\">\/<\/span>samba<span class=\"sy0\">\/<\/span>private<span class=\"sy0\">\/<\/span>dns.keytab\r\n<span class=\"kw2\">sudo<\/span> <span class=\"kw2\">chmod<\/span> g+r <span class=\"sy0\">\/<\/span>var<span class=\"sy0\">\/<\/span>lib<span class=\"sy0\">\/<\/span>samba<span class=\"sy0\">\/<\/span>private<span class=\"sy0\">\/<\/span>dns.keytab<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Add the following apparmor rules to the end of \/etc\/apparmor.d\/usr.sbin.named, inside the {..} block.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> <span class=\"kw2\">nano<\/span> <span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>apparmor.d<span class=\"sy0\">\/<\/span>usr.sbin.named<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">   \/usr\/lib\/x86_64-linux-gnu\/ldb\/** rwmk,\r\n   \/usr\/lib\/x86_64-linux-gnu\/samba\/** rwmk,\r\n\u00a0\r\n   \/var\/lib\/samba\/private\/dns\/** rwmk,\r\n   \/var\/lib\/samba\/private\/named.conf r,\r\n   \/var\/lib\/samba\/private\/dns.keytab r,\r\n\u00a0\r\n   \/var\/tmp\/* rw,\r\n\u00a0\r\n   \/dev\/urandom rw,<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><strong>Pitfall:<\/strong> If you followed all of the above <strong>and<\/strong> the software for Samba, Kerberos <strong>and<\/strong> Bind has not changed <strong>and<\/strong> the configuration requirements have not changed for anything, your AD DC <em>should<\/em> work. Check it all through once more before rebooting. If it fails to work after the reboot it will be quicker to just start again. 
?<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> reboot<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Testing it all <del datetime=\"2015-05-09T11:24:59+00:00\">still<\/del> works.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\">smbclient <span class=\"re5\">-L<\/span> localhost -U<span class=\"sy0\">%<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">Domain=<span class=\"br0\">[<\/span>BLACK<span class=\"br0\">]<\/span> OS=<span class=\"br0\">[<\/span>Unix<span class=\"br0\">]<\/span> Server=<span class=\"br0\">[<\/span>Samba 4.1.6-Ubuntu<span class=\"br0\">]<\/span>\r\n\u00a0\r\n\tSharename       Type      Comment\r\n\t---------       ----      -------\r\n\tnetlogon        Disk      \r\n\tsysvol          Disk      \r\n\tIPC$            IPC       IPC Service <span class=\"br0\">(<\/span>Samba 4.1.6-Ubuntu<span class=\"br0\">)<\/span>\r\nDomain=<span class=\"br0\">[<\/span>BLACK<span class=\"br0\">]<\/span> OS=<span class=\"br0\">[<\/span>Unix<span class=\"br0\">]<\/span> Server=<span class=\"br0\">[<\/span>Samba 4.1.6-Ubuntu<span class=\"br0\">]<\/span>\r\n\u00a0\r\n\tServer               Comment\r\n\t---------            -------\r\n\u00a0\r\n\tWorkgroup            Master\r\n\t---------            -------\r\n\tWORKGROUP            
LAB-ADDC1<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\">smbclient <span class=\"sy0\">\/\/<\/span>localhost<span class=\"sy0\">\/<\/span>netlogon <span class=\"re5\">-UAdministrator<\/span> <span class=\"re5\">-c<\/span> <span class=\"st_h\">'ls'<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">Enter Administrator's password: \r\nDomain=<span class=\"br0\">[<\/span>BLACK<span class=\"br0\">]<\/span> OS=<span class=\"br0\">[<\/span>Unix<span class=\"br0\">]<\/span> Server=<span class=\"br0\">[<\/span>Samba 4.1.6-Ubuntu<span class=\"br0\">]<\/span>\r\n  .                                   D        <span class=\"nu0\">0<\/span>  Sat May  <span class=\"nu0\">9<\/span> <span class=\"nu0\">12<\/span>:<span class=\"nu0\">20<\/span>:08 <span class=\"nu0\">2015<\/span>\r\n  ..                                  D        <span class=\"nu0\">0<\/span>  Sat May  <span class=\"nu0\">9<\/span> <span class=\"nu0\">12<\/span>:<span class=\"nu0\">20<\/span>:<span class=\"nu0\">14<\/span> <span class=\"nu0\">2015<\/span>\r\n\u00a0\r\n\t\t<span class=\"nu0\">41773<\/span> blocks of size <span class=\"nu0\">262144<\/span>. 
<span class=\"nu0\">27672<\/span> blocks available<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\">host <span class=\"re5\">-t<\/span> SRV _ldap._tcp.black.dragon.lab.<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">_ldap._tcp.black.dragon.lab has SRV record <span class=\"nu0\">0<\/span> <span class=\"nu0\">100<\/span> <span class=\"nu0\">389<\/span> lab-addc1.black.dragon.lab.<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\">host <span class=\"re5\">-t<\/span> SRV _kerberos._udp.black.dragon.lab.<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">_kerberos._udp.black.dragon.lab has SRV record <span class=\"nu0\">0<\/span> <span class=\"nu0\">100<\/span> <span class=\"nu0\">88<\/span> lab-addc1.black.dragon.lab.<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div 
class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\">host <span class=\"re5\">-t<\/span> A lab-addc1.black.dragon.lab.<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">lab-addc1.black.dragon.lab has address 10.1.200.3<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h2>Kerberos testing<\/h2>\n<p><strong>The Kerberos configuration must be added to \/etc\/krb5.conf<\/strong><\/p>\n<p><strong>Add these lines:<\/strong><\/p>\n<p><strong>forwardable = true<\/strong><br \/>\n<strong> dns_lookup_realm = false<\/strong><br \/>\n<strong> dns_lookup_kdc = true<\/strong><br \/>\n<strong> rdns = false<\/strong><\/p>\n<h3>####Start####First login to the Windows machine<\/h3>\n<\/div>\n<p>#first login to Windows<\/p>\n<p>username: domainname\\Administrator<br \/>\npassword: (the password that was set during the Kerberos install)<\/p>\n<p>e.g. 
user: tapavpk.ee\\Administrator<br \/>\npassword: 123456<\/p>\n<h3>####End####First login to the Windows machine<\/h3>\n<p>&nbsp;<\/p>\n<div class=\"entry-content\">\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\">kinit administrator<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">Password for administrator@BLACK.DRAGON.LAB: \r\nWarning: Your password will expire in <span class=\"nu0\">41<\/span> days on Sat <span class=\"nu0\">20<\/span> Jun <span class=\"nu0\">2015<\/span> <span class=\"nu0\">12<\/span>:<span class=\"nu0\">20<\/span>:<span class=\"nu0\">13<\/span> BST<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\">klist<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">Ticket cache: FILE:\/tmp\/krb5cc_1000\r\nDefault principal: administrator@BLACK.DRAGON.LAB\r\n\u00a0\r\nValid starting     Expires            Service principal\r\n09\/05\/<span class=\"nu0\">15<\/span> <span class=\"nu0\">12<\/span>:<span class=\"nu0\">33<\/span>:07  09\/05\/<span class=\"nu0\">15<\/span> <span 
class=\"nu0\">22<\/span>:<span class=\"nu0\">33<\/span>:07  krbtgt\/BLACK.DRAGON.LAB@BLACK.DRAGON.LAB\r\n\trenew until <span class=\"nu0\">10<\/span>\/05\/<span class=\"nu0\">15<\/span> <span class=\"nu0\">12<\/span>:<span class=\"nu0\">32<\/span>:<span class=\"nu0\">59<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\">samba-tool dns query lab-addc1 BLACK.DRAGON.LAB <span class=\"sy0\">@<\/span> ALL<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">  Name=, Records=<span class=\"nu0\">3<\/span>, Children=<span class=\"nu0\">0<\/span>\r\n    SOA: serial=<span class=\"nu0\">1<\/span>, refresh=<span class=\"nu0\">900<\/span>, retry=<span class=\"nu0\">600<\/span>, expire=<span class=\"nu0\">86400<\/span>, minttl=<span class=\"nu0\">0<\/span>, ns=lab-addc1.black.dragon.lab., email=hostmaster.black.dragon.lab. <span class=\"br0\">(<\/span>flags=600000f0, serial=<span class=\"nu0\">1<\/span>, ttl=<span class=\"nu0\">3600<\/span><span class=\"br0\">)<\/span>\r\n    NS: lab-addc1.black.dragon.lab. 
<span class=\"br0\">(<\/span>flags=600000f0, serial=<span class=\"nu0\">1<\/span>, ttl=<span class=\"nu0\">900<\/span><span class=\"br0\">)<\/span>\r\n    A: 10.1.200.3 <span class=\"br0\">(<\/span>flags=600000f0, serial=<span class=\"nu0\">1<\/span>, ttl=<span class=\"nu0\">900<\/span><span class=\"br0\">)<\/span>\r\n  Name=_msdcs, Records=<span class=\"nu0\">0<\/span>, Children=<span class=\"nu0\">0<\/span>\r\n  Name=_sites, Records=<span class=\"nu0\">0<\/span>, Children=<span class=\"nu0\">1<\/span>\r\n  Name=_tcp, Records=<span class=\"nu0\">0<\/span>, Children=<span class=\"nu0\">4<\/span>\r\n  Name=_udp, Records=<span class=\"nu0\">0<\/span>, Children=<span class=\"nu0\">2<\/span>\r\n  Name=DomainDnsZones, Records=<span class=\"nu0\">0<\/span>, Children=<span class=\"nu0\">2<\/span>\r\n  Name=ForestDnsZones, Records=<span class=\"nu0\">0<\/span>, Children=<span class=\"nu0\">2<\/span>\r\n  Name=lab-addc1, Records=<span class=\"nu0\">1<\/span>, Children=<span class=\"nu0\">0<\/span>\r\n    A: 10.1.200.3 <span class=\"br0\">(<\/span>flags=f0, serial=<span class=\"nu0\">1<\/span>, ttl=<span class=\"nu0\">900<\/span><span class=\"br0\">)<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>If the above test worked you should have a working AD DC running on Linux and can replace your Microsoft Small Business Server with it. 
Yay!<\/p>\n<p>To add Ubuntu machines to the new domain <a href=\"https:\/\/blogging.dragon.org.uk\/join-ubuntu1404-t0-samba-winbind\/\">see this how-to I prepared earlier<\/a>.<\/p>\n<h3>Troubleshooting<\/h3>\n<div class=\"black_style-wrap5\">\n<div class=\"black_style-wrap4\">\n<div class=\"black_style-wrap3\">\n<div class=\"black_style-wrap2\">\n<div class=\"black_style-wrap\">\n<div class=\"black_style\">\n<div class=\"\">\n<pre class=\"de1\">Aug  <span class=\"nu0\">2<\/span> <span class=\"nu0\">16<\/span>:<span class=\"nu0\">22<\/span>:<span class=\"nu0\">18<\/span> lab-addc1 named<span class=\"br0\">[<\/span><span class=\"nu0\">2347<\/span><span class=\"br0\">]<\/span>: Loading 'AD DNS Zone' using driver dlopen\r\nAug  <span class=\"nu0\">2<\/span> <span class=\"nu0\">16<\/span>:<span class=\"nu0\">22<\/span>:<span class=\"nu0\">18<\/span> lab-addc1 named<span class=\"br0\">[<\/span><span class=\"nu0\">2347<\/span><span class=\"br0\">]<\/span>: dlz_dlopen: incorrect version <span class=\"nu0\">1<\/span> should be <span class=\"nu0\">2<\/span> in '\/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9.so'\r\nAug  <span class=\"nu0\">2<\/span> <span class=\"nu0\">16<\/span>:<span class=\"nu0\">22<\/span>:<span class=\"nu0\">18<\/span> lab-addc1 named<span class=\"br0\">[<\/span><span class=\"nu0\">2347<\/span><span class=\"br0\">]<\/span>: dlz_dlopen of 'AD DNS Zone' failed<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>If you see this, you need to edit \/var\/lib\/samba\/private\/named.conf so that it loads the version of the dlz_bind9 library that matches your installed BIND.<\/p>\n<p>After booting up a Windows machine using DHCP, check that its DNS record was updated automatically. Put a tail on the syslog file and run the following command; it will try to force Samba to update the DNS entries it knows about. 
The command below will in turn try to call the BIND utility nsupdate.<\/p>\n<div class=\"khaki_style-wrap5\">\n<div class=\"khaki_style-wrap4\">\n<div class=\"khaki_style-wrap3\">\n<div class=\"khaki_style-wrap2\">\n<div class=\"khaki_style-wrap\">\n<div class=\"khaki_style\">\n<div class=\"bash\">\n<pre class=\"de1\"><span class=\"kw2\">sudo<\/span> samba_dnsupdate <span class=\"re5\">--verbose<\/span> <span class=\"re5\">--all-names<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>There will be loads of output to the terminal and to the syslog. Likely causes of failure are:<\/p>\n<ul>\n<li>The AppArmor rules in\n<ul>\n<li>\/etc\/apparmor.d\/usr.sbin.named<\/li>\n<li>\/etc\/apparmor.d\/usr.sbin.dhcpd<\/li>\n<\/ul>\n<\/li>\n<li>File permissions (these are the expected ones)\n<ul>\n<li>-rw-r--r-- 1 root root 3781 May 10 11:59 \/etc\/krb5.conf<\/li>\n<li>-rw-r----- 1 root bind 852 May 10 12:00 \/var\/lib\/samba\/private\/dns.keytab<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Also see <a href=\"https:\/\/wiki.samba.org\/index.php\/Dns_tkey_negotiategss:_TKEY_is_unacceptable\">https:\/\/wiki.samba.org\/index.php\/Dns_tkey_negotiategss:_TKEY_is_unacceptable<\/a><\/p>\n<p>For the next part in this series take a look at <a href=\"https:\/\/blogging.dragon.org.uk\/administering-ad-dc-via-windows\/\">Administering AD DC via Windows<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Samba 4 is a good bit of software. If only that last few tweaks could be done to finish it and the documentation off it would be great software. 
I have found lot of ways to set up Samba4 as a AD DC most of which fail to work only this one series of steps [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":621,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-900","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/900","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=900"}],"version-history":[{"count":11,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/900\/revisions"}],"predecessor-version":[{"id":1506,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/900\/revisions\/1506"}],"up":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/621"}],"wp:attachment":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=900"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}