Subject: Teo En Ming's Manual for Setting Up Samba 4.11.6 and CentOS 8.1 (1911) Linux Server QEMU/KVM Virtual Machine as an Active Directory Domain Controller (AD DC)
PUBLISHED 15 FEB 2020 SATURDAY, SINGAPORE, SINGAPORE, SINGAPORE
This manual/guide is meant for small and medium businesses (SMB) which do not want to spend a lot of money on Windows Server 2016/2019 licensing.
REFERENCE GUIDE
===============
Guide: Setting up Samba as an Active Directory Domain Controller
Link: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
EXTREMELY DETAILED INSTRUCTIONS OF TEO EN MING'S MANUAL
=======================================================
Starting CentOS 8.1 (1911) Linux Server QEMU/KVM Virtual Machine on Ubuntu 18.04.3 LTS Desktop Host
===================================================================================================
Virtual Machine Manager (virt-manager) depends on the libvirtd service, so start that first.
$ sudo systemctl start libvirtd.service
Start the Virtual Machine Manager.
$ sudo virt-manager
Select the CentOS 8.1 QEMU/KVM virtual machine and click "Power on the virtual machine".
REFERENCE GUIDE
===============
Guide: ENABLING HOST-GUEST NETWORKING WITH KVM, MACVLAN AND MACVTAP
Link: https://www.furorteutonicus.eu/2013/08/04/enabling-host-guest-networking-with-kvm-macvlan-and-macvtap/
Still on the Ubuntu 18.04.3 LTS Desktop host.
$ nano /home/teo-en-ming/macvlan.sh
#!/bin/bash
# Adapted by Teo En Ming on 14 Feb 2020 Friday (Valentine's Day in Singapore).
# Let the host and its guests talk to each other over macvlan.
# Configures a macvlan interface on the hypervisor; run it there as root
# (e.g. from /etc/rc.local).
# Made for IPv4; needs modification for IPv6.
# Meant for a simple network setup with only eth0 or enp5s0 on the host
# and a static (manual) IP config.
# Original Author: Evert Mouw, 2013 (European Union)
#HWLINK=eth0
HWLINK=enp5s0
MACVLN=macvlan0
TESTHOST=www.google.com
# ------------
# wait for network availability
# ------------
# IPv4 pings only
while ! ping -4 -q -c 1 "$TESTHOST" > /dev/null
do
    echo "$0: Cannot ping $TESTHOST, waiting another 5 secs..."
    sleep 5
done
# ------------
# get network config
# ------------
# first IPv4 address (with prefix length) on the physical link
IP=$(ip -4 address show dev "$HWLINK" | awk '/inet /{print $2; exit}')
# directly connected network: skip the default route and the 169.254/16 link-local route
NETWORK=$(ip -4 -o route show dev "$HWLINK" | grep -v default | grep -v '^169' | awk '{print $1; exit}')
GATEWAY=$(ip -4 -o route show default | awk '{print $3; exit}')
# ------------
# setting up $MACVLN interface
# ------------
ip link add link "$HWLINK" "$MACVLN" type macvlan mode bridge
ip address add "$IP" dev "$MACVLN"
ip link set dev "$MACVLN" up
# ------------
# routing table
# ------------
# empty routes
ip route flush dev "$HWLINK"
ip route flush dev "$MACVLN"
# add routes: the LAN is now reached through the macvlan interface
ip route add "$NETWORK" dev "$MACVLN" metric 0
# add the default gateway
ip route add default via "$GATEWAY"
===END OF LINUX SHELL SCRIPT===
$ sudo chmod +x /home/teo-en-ming/macvlan.sh
$ sudo /home/teo-en-ming/macvlan.sh
192.168.1.122 is the DHCP-assigned IP address of the CentOS 8.1 Linux Server. ssh into it from the host:
$ ssh teo-en-ming@192.168.1.122
PREPARING THE INSTALLATION ON CENTOS 8.1 LINUX SERVER
=====================================================
Setting hostname of CentOS 8.1 Linux Server.
============================================
# hostnamectl set-hostname dc1
To see the hostname:
# hostnamectl
Output:
Static hostname: dc1
Icon name: computer-vm
Chassis: vm
Machine ID: 668fdf5de7214d56be0ef8b65f7166e9
Boot ID: 5691a1a2dacd41c4ab5871d25885e138
Virtualization: kvm
Operating System: CentOS Linux 8 (Core)
CPE OS Name: cpe:/o:centos:centos:8
Kernel: Linux 4.18.0-147.el8.x86_64
Architecture: x86-64
How to set static IP address 192.168.1.10 on CentOS 8.1 Linux Server
====================================================================
# cd /etc/sysconfig/network-scripts/
# nano ifcfg-ens3
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens3"
UUID="8e179c97-1388-48ee-a8be-d173ee3ff40c"
DEVICE="ens3"
ONBOOT="yes"
IPADDR="192.168.1.10"
PREFIX="24"
GATEWAY="192.168.1.1"
#DNS1="8.8.8.8"
Leave DNS1 out, or comment it out as above. If it is set, NetworkManager writes that server into /etc/resolv.conf every time the connection comes up and keeps overwriting the resolver configuration a domain controller needs, namely itself as the only nameserver and the AD DNS domain as the search domain. Either let NetworkManager write the right values (DNS1="192.168.1.10" and DOMAIN="teo-en-ming.corp" in this file) or stop it managing the file altogether by adding dns=none under [main] in /etc/NetworkManager/NetworkManager.conf and restarting NetworkManager. Note also that IPV6_AUTOCONF="yes" leaves the VM with a SLAAC global IPv6 address, which provisioning later picks up and registers in AD DNS; set it to "no" unless you want the DC reachable on that address.
# reboot
ssh into CentOS 8.1 Linux Server with static IP address 192.168.1.10.
$ ssh teo-en-ming@192.168.1.10
Make sure that no Samba processes are running before provisioning; the command should list nothing apart from the egrep itself:
# ps ax | egrep "samba|smbd|nmbd|winbindd"
# nano /etc/hosts
Contents of file:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.10 dc1.teo-en-ming.corp dc1
Back up the original /etc/krb5.conf (provisioning generates a replacement for it):
# mv /etc/krb5.conf /etc/krb5.conf.bak
INSTALLING SAMBA 4.11.6 ON CENTOS 8.1 LINUX SERVER QEMU/KVM VIRTUAL MACHINE
===========================================================================
REFERENCE GUIDE
===============
Guide: Build Samba from Source
Link: https://wiki.samba.org/index.php/Build_Samba_from_Source
Installing package dependencies before building Samba on CentOS 8.1 Linux Server.
# yum -y install dnf-plugins-core
# yum config-manager --set-enabled PowerTools
# yum install docbook-style-xsl gcc gdb gnutls-devel gpgme-devel jansson-devel
# yum install keyutils-libs-devel krb5-workstation libacl-devel libaio-devel
# yum install libarchive-devel libattr-devel libblkid-devel libtasn1 libtasn1-tools
# yum install libxml2-devel libxslt openldap-devel pam-devel perl
# yum install perl-ExtUtils-MakeMaker perl-Parse-Yapp popt-devel python3-cryptography
# yum install python3-dns python3-gpg python36-devel readline-devel rpcgen systemd-devel
# yum install tar zlib-devel
Of the packages the Samba wiki lists as compulsory, lmdb-devel is not installed at this point: it is not in the CentOS 8 base repositories and is added from EPEL below.
Download the current stable Samba release, 4.11.6. Verify the detached GPG signature published next to it (samba-4.11.6.tar.asc, made with the Samba distribution key over the uncompressed tarball) before building from it.
# wget https://download.samba.org/pub/samba/stable/samba-4.11.6.tar.gz
# tar -zxf samba-4.11.6.tar.gz
# cd samba-4.11.6/
# ./configure
Output:
Samba AD DC and --enable-selftest requires lmdb 0.9.16 or later
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
# yum install lmdb-devel
Run ./configure again.
# ./configure
Output:
'configure' finished successfully (42.262s)
Make full use of all 4 cores on my AMD Ryzen 3 3200G processor.
# make -j 4
Output:
Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'build' finished successfully (9m24.396s)
# make install
Output:
Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'install' finished successfully (2m58.171s)
# nano /etc/profile
Append the following line:
export PATH=$PATH:/usr/local/samba/bin/:/usr/local/samba/sbin/
PROVISIONING A SAMBA ACTIVE DIRECTORY DOMAIN CONTROLLER
=======================================================
Provision the Samba AD DC in interactive mode, using the SAMBA_INTERNAL DNS backend as originally intended. Two things to note before answering the prompts: the Administrator password must satisfy the default domain password policy (complexity enabled, minimum length 7) or provisioning stops; and if the host has more than one IPv4 or IPv6 address (see the WARNING lines below), provisioning picks one and registers it in DNS, so on a multi-address host pin the addresses with --host-ip and --host-ip6. Here the SLAAC global IPv6 address was picked because IPV6_AUTOCONF is enabled on ens3.
# samba-tool domain provision --use-rfc2307 --interactive
Output:
Realm [TEO-EN-MING.CORP]: TEO-EN-MING.CORP
Domain [TEO-EN-MING]: TEO-EN-MING
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]: 8.8.8.8
Administrator password:
Retype password:
INFO 2020-02-14 22:56:13,700 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-14 22:56:13,702 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-14 22:56:13,702 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-14 22:56:13,702 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-14 22:56:14,152 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2020-02-14 22:56:14,595 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-14 22:56:14,848 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-14 22:56:16,031 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-14 22:56:16,721 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-14 22:56:17,155 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-14 22:56:17,263 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-14 22:56:17,266 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-14 22:56:17,331 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-14 22:56:17,548 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-14 22:56:17,646 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-14 22:56:17,722 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-14 22:56:21,121 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-14 22:56:21,263 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-14 22:56:23,502 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-14 22:56:23,543 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-14 22:56:23,545 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-14 22:56:23,547 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-14 22:56:23,549 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-14 22:56:23,550 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-14 22:56:23,695 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-14 22:56:23,760 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-14 22:56:24,075 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=ms-DS-Replication-Notify-First-DSA-Delay,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=interSiteTransport-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-14 22:56:27,001 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-14 22:56:27,377 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-14 22:56:27,401 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-14 22:56:27,620 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.dc,DC=_msdcs.teo-en-ming.corp,CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-14 22:56:28,660 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-14 22:56:28,734 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-14 22:56:29,720 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-14 22:56:29,720 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-14 22:56:30,078 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-14 22:56:30,277 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-14 22:56:30,277 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-3028196010-72872391-2123559056
Configure the DNS resolver so that the DC resolves names through its own DNS server. NetworkManager will keep overwriting /etc/resolv.conf; that problem is dealt with later.
# nano /etc/resolv.conf
Contents of file:
search teo-en-ming.corp
nameserver 192.168.1.10
REFERENCE GUIDE
===============
Guide: Managing the Samba AD DC Service Using Systemd
Link: https://wiki.samba.org/index.php/Managing_the_Samba_AD_DC_Service_Using_Systemd
# systemctl mask smbd nmbd winbind
# systemctl disable smbd nmbd winbind
# nano /etc/systemd/system/samba-ad-dc.service
Contents of file:
[Unit]
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/samba -D
PIDFile=/usr/local/samba/var/run/samba.pid
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
# systemctl daemon-reload
# systemctl enable samba-ad-dc
# systemctl start samba-ad-dc
Output:
Job for samba-ad-dc.service failed because the control process exited with error code.
See "systemctl status samba-ad-dc.service" and "journalctl -xe" for details.
The Samba AD DC service cannot start because SELinux is enforcing on CentOS 8.1: status=203/EXEC means systemd could not execute /usr/local/samba/sbin/samba at all, the usual symptom when a binary installed outside the standard paths lacks an executable SELinux file context. This is dealt with below.
# systemctl status samba-ad-dc
Output:
● samba-ad-dc.service - Samba Active Directory Domain Controller
Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2020-02-15 08:39:58 +08; 46s ago
Process: 6967 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=203/EXEC)
Main PID: 1595 (code=exited, status=203/EXEC)
Feb 15 08:39:58 dc1 systemd[1]: Starting Samba Active Directory Domain Controller...
Feb 15 08:39:58 dc1 systemd[1]: samba-ad-dc.service: Control process exited, code=exited status=203
Feb 15 08:39:58 dc1 systemd[1]: samba-ad-dc.service: Failed with result 'exit-code'.
Feb 15 08:39:58 dc1 systemd[1]: Failed to start Samba Active Directory Domain Controller.
# reboot
Start the Samba AD DC manually from a root shell (this works with SELinux still enforcing because a root login shell runs unconfined, unlike systemd):
# samba -D
Create a reverse zone in Samba Internal DNS Backend.
# samba-tool dns zonecreate 192.168.1.10 1.168.192.in-addr.arpa -U administrator
Output:
Password for [TEO-EN-MING\administrator]:
Zone 1.168.192.in-addr.arpa created successfully
Configuring Kerberos
====================
Replace the system krb5.conf with the one generated during provisioning (copy it; do not symlink it):
# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
Starting Samba AD DC Manually.
# samba -D
Verifying the File Server.
==========================
$ smbclient -L localhost -U%
Output:
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.11.6)
SMB1 disabled -- no workgroup available
$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Output:
Enter TEO-EN-MING\Administrator's password:
. D 0 Fri Feb 14 22:56:17 2020
.. D 0 Fri Feb 14 22:56:24 2020
17811456 blocks of size 1024. 12025652 blocks available
Verifying DNS (Failed)
======================
# killall dnsmasq
$ host -t SRV _ldap._tcp.teo-en-ming.corp.
Output:
Host _ldap._tcp.teo-en-ming.corp. not found: 3(NXDOMAIN)
$ host -t SRV _kerberos._udp.teo-en-ming.corp.
Output:
Host _kerberos._udp.teo-en-ming.corp. not found: 3(NXDOMAIN)
$ host -t A dc1.teo-en-ming.corp.
Output:
Host dc1.teo-en-ming.corp. not found: 3(NXDOMAIN)
I am unable to find the above DNS records because NetworkManager keeps overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.
Verifying Kerberos
==================
$ kinit administrator
Output:
kinit: Cannot find KDC for realm "TEO-EN-MING.CORP" while getting initial credentials
The above problem is also due to NetworkManager overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.
TROUBLESHOOTING: DISABLE SELINUX ON CENTOS 8.1
==============================================
$ sestatus
Output:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
# nano /etc/sysconfig/selinux
Change from SELINUX=enforcing to SELINUX=disabled
# reboot
$ sestatus
SELinux status: disabled
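Disabling SELinux works, but the failure is a labelling problem, not a policy bug: make install put the binaries under /usr/local/samba, where they carry the generic usr_t type, and systemd (init_t) is not allowed to execute usr_t files, hence status=203/EXEC, while a root shell could still run samba -D by hand. The alternative is to label the Samba binaries bin_t and keep enforcing mode. The script below is an added example for this page, not something from the Samba wiki or from Samba itself; it assumes the default install prefix /usr/local/samba and that policycoreutils-python-utils (for semanage) and audit (for ausearch) are installed, and the ls -Z listing embedded in it is a constructed sample, not output captured from the VM.

```shell
#!/bin/bash
# Keep SELinux enforcing on the DC instead of disabling it.
# Added example for this guide (not from the Samba wiki): relabel the
# self-built Samba tree under /usr/local/samba so systemd may execute it.
# Assumed: Samba installed with the default prefix /usr/local/samba, and
# policycoreutils-python-utils (semanage) and audit (ausearch) installed.

SAMBA_PREFIX="${SAMBA_PREFIX:-/usr/local/samba}"

# Extract the SELinux type from a file context such as
# "system_u:object_r:usr_t:s0" (third colon-separated field).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# A file systemd must exec needs an executable type (bin_t here). Files
# copied under /usr/local by "make install" inherit usr_t, which init_t
# may not execute: the unit then dies with status=203/EXEC.
exec_label_ok() {
    [ "$(context_type "$1")" = "bin_t" ]
}

# Print the paths whose binaries carry a non-executable type.
# Reads "ls -Z"-style lines "CONTEXT PATH" on stdin.
mislabelled() {
    while read -r ctx path; do
        exec_label_ok "$ctx" || printf '%s\n' "$path"
    done
}

# Persist the labelling rule, apply it, then show any remaining denials.
relabel_samba() {
    semanage fcontext -a -t bin_t "${SAMBA_PREFIX}/s?bin(/.*)?"
    restorecon -Rv "$SAMBA_PREFIX"
    ausearch -m AVC -ts recent 2>/dev/null | tail -n 20
}

# Constructed sample of "ls -Z" output (not captured from the guide's VM):
SAMPLE_LS_Z='unconfined_u:object_r:usr_t:s0 /usr/local/samba/sbin/samba
unconfined_u:object_r:usr_t:s0 /usr/local/samba/sbin/smbd
system_u:object_r:bin_t:s0 /usr/local/samba/sbin/winbindd'

# With --apply, list what is mislabelled on this host and fix it.
if [ "${1:-}" = "--apply" ]; then
    ls -Z "$SAMBA_PREFIX"/sbin/* | mislabelled
    relabel_samba
fi
```

Run it as root on the DC with --apply, then `systemctl start samba-ad-dc` again with SELinux left in enforcing mode; without the flag it only defines the functions and the sample listing.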
After disabling SELinux, the Samba AD DC service starts successfully:
# systemctl status samba-ad-dc
Output:
● samba-ad-dc.service - Samba Active Directory Domain Controller
Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-02-15 08:50:22 +08; 1min 0s ago
Process: 1084 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=0/SUCCESS)
Main PID: 1131 (samba)
Tasks: 44 (limit: 23972)
Memory: 261.8M
CGroup: /system.slice/samba-ad-dc.service
├─1131 /usr/local/samba/sbin/samba -D
├─1375 /usr/local/samba/sbin/samba -D
├─1376 /usr/local/samba/sbin/samba -D
├─1377 /usr/local/samba/sbin/samba -D
├─1379 /usr/local/samba/sbin/samba -D
├─1380 /usr/local/samba/sbin/samba -D
├─1387 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─1389 /usr/local/samba/sbin/samba -D
├─1391 /usr/local/samba/sbin/samba -D
├─1392 /usr/local/samba/sbin/samba -D
├─1393 /usr/local/samba/sbin/samba -D
├─1396 /usr/local/samba/sbin/samba -D
├─1398 /usr/local/samba/sbin/samba -D
├─1399 /usr/local/samba/sbin/samba -D
├─1403 /usr/local/samba/sbin/samba -D
├─1404 /usr/local/samba/sbin/samba -D
├─1407 /usr/local/samba/sbin/samba -D
├─1408 /usr/local/samba/sbin/samba -D
├─1409 /usr/local/samba/sbin/samba -D
├─1411 /usr/local/samba/sbin/samba -D
├─1412 /usr/local/samba/sbin/samba -D
├─1413 /usr/local/samba/sbin/samba -D
├─1415 /usr/local/samba/sbin/samba -D
├─1416 /usr/local/samba/sbin/samba -D
├─1418 /usr/local/samba/sbin/samba -D
├─1419 /usr/local/samba/sbin/samba -D
├─1420 /usr/local/samba/sbin/samba -D
├─1422 /usr/local/samba/sbin/samba -D
├─1423 /usr/local/samba/sbin/samba -D
├─1424 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─1426 /usr/local/samba/sbin/samba -D
├─1427 /usr/local/samba/sbin/samba -D
├─1429 /usr/local/samba/sbin/samba -D
├─1464 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─1465 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─1469 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─1490 /usr/local/samba/sbin/samba -D
├─1492 /usr/local/samba/sbin/samba -D
├─1493 /usr/local/samba/sbin/samba -D
├─1495 /usr/local/samba/sbin/samba -D
├─1496 /usr/local/samba/sbin/samba -D
├─1498 /usr/local/samba/sbin/samba -D
├─1499 /usr/local/samba/sbin/samba -D
└─1501 /usr/local/samba/sbin/samba -D
Feb 15 08:50:25 dc1 samba[1131]: [2020/02/15 08:50:25.778777, 0] ../../source4/smbd/process_prefork.c:512(prefork_child_pipe_handler)
Feb 15 08:50:25 dc1 samba[1131]: prefork_child_pipe_handler: Parent 1131, Child 1406 exited with status 0
Feb 15 08:50:27 dc1 smbd[1387]: [2020/02/15 08:50:27.634592, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Feb 15 08:50:27 dc1 smbd[1387]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Feb 15 08:50:27 dc1 winbindd[1424]: [2020/02/15 08:50:27.761081, 0] ../../source3/winbindd/winbindd_cache.c:3166(initialize_winbindd_cache)
Feb 15 08:50:27 dc1 winbindd[1424]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Feb 15 08:50:27 dc1 winbindd[1424]: [2020/02/15 08:50:27.770049, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Feb 15 08:50:27 dc1 winbindd[1424]: daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
Feb 15 08:50:27 dc1 samba[1426]: [2020/02/15 08:50:27.870385, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:50:27 dc1 samba[1426]: /usr/local/samba/sbin/samba_dnsupdate: WARNING: no network interfaces found
dnsmasq is already bound to port 53, so Samba's internal DNS server cannot bind to it. Kill dnsmasq and restart the service:
# killall dnsmasq
# systemctl restart samba-ad-dc
# systemctl status samba-ad-dc
● samba-ad-dc.service - Samba Active Directory Domain Controller
Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-02-15 08:53:28 +08; 21s ago
Process: 2512 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=0/SUCCESS)
Main PID: 2514 (samba)
Tasks: 58 (limit: 23972)
Memory: 215.6M
CGroup: /system.slice/samba-ad-dc.service
├─2514 /usr/local/samba/sbin/samba -D
├─2516 /usr/local/samba/sbin/samba -D
├─2517 /usr/local/samba/sbin/samba -D
├─2518 /usr/local/samba/sbin/samba -D
├─2519 /usr/local/samba/sbin/samba -D
├─2520 /usr/local/samba/sbin/samba -D
├─2521 /usr/local/samba/sbin/samba -D
├─2522 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─2523 /usr/local/samba/sbin/samba -D
├─2524 /usr/local/samba/sbin/samba -D
├─2525 /usr/local/samba/sbin/samba -D
├─2526 /usr/local/samba/sbin/samba -D
├─2527 /usr/local/samba/sbin/samba -D
├─2528 /usr/local/samba/sbin/samba -D
├─2529 /usr/local/samba/sbin/samba -D
├─2530 /usr/local/samba/sbin/samba -D
├─2531 /usr/local/samba/sbin/samba -D
├─2532 /usr/local/samba/sbin/samba -D
├─2533 /usr/local/samba/sbin/samba -D
├─2534 /usr/local/samba/sbin/samba -D
├─2535 /usr/local/samba/sbin/samba -D
├─2536 /usr/local/samba/sbin/samba -D
├─2537 /usr/local/samba/sbin/samba -D
├─2538 /usr/local/samba/sbin/samba -D
├─2539 /usr/local/samba/sbin/samba -D
├─2540 /usr/local/samba/sbin/samba -D
├─2541 /usr/local/samba/sbin/samba -D
├─2542 /usr/local/samba/sbin/samba -D
├─2543 /usr/local/samba/sbin/samba -D
├─2544 /usr/local/samba/sbin/samba -D
├─2545 /usr/local/samba/sbin/samba -D
├─2546 /usr/local/samba/sbin/samba -D
├─2547 /usr/local/samba/sbin/samba -D
├─2548 /usr/local/samba/sbin/samba -D
├─2549 /usr/local/samba/sbin/samba -D
├─2550 /usr/local/samba/sbin/samba -D
├─2551 /usr/local/samba/sbin/samba -D
├─2552 /usr/local/samba/sbin/samba -D
├─2553 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─2554 /usr/local/samba/sbin/samba -D
├─2555 /usr/local/samba/sbin/samba -D
├─2556 /usr/local/samba/sbin/samba -D
├─2557 /usr/local/samba/sbin/samba -D
├─2558 /usr/local/samba/sbin/samba -D
├─2559 /usr/local/samba/sbin/samba -D
├─2560 /usr/local/samba/sbin/samba -D
├─2562 /usr/local/samba/sbin/samba -D
├─2569 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─2570 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─2571 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─2572 /usr/local/samba/sbin/samba -D
├─2573 /usr/local/samba/sbin/samba -D
├─2574 /usr/local/samba/sbin/samba -D
├─2575 /usr/local/samba/sbin/samba -D
├─2576 /usr/local/samba/sbin/samba -D
├─2577 /usr/local/samba/sbin/samba -D
├─2578 /usr/local/samba/sbin/samba -D
└─2579 /usr/local/samba/sbin/samba -D
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742774, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742787, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]: /usr/local/samba/sbin/samba_dnsupdate: raise e
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742800, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742813, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]: /usr/local/samba/sbin/samba_dnsupdate: 0, server, zone, name, add_rec_buf, None)
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.767521, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Feb 15 08:53:38 dc1 samba[2556]: dnsupdate_nameupdate_done: Failed DNS update with exit code 39
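Three of the failures met in this guide (a stray Samba process before provisioning, dnsmasq holding port 53 so the internal DNS server cannot bind, and /etc/resolv.conf pointing at the wrong nameserver so the SRV lookups return NXDOMAIN and kinit cannot find the KDC) can be caught before the service is restarted. The script below is an added example written for this page, not part of Samba or the Samba wiki; it assumes the DC address 192.168.1.10 and the domain teo-en-ming.corp from this guide, and the resolv.conf and ss listings embedded in it are constructed samples, not output captured from the VM.

```shell
#!/bin/bash
# Pre-flight checks for a Samba AD DC host: no stray Samba daemons, nothing
# but Samba on port 53, and /etc/resolv.conf pointing at the DC itself.
# Added example for this guide, not part of Samba or the Samba wiki.
# Assumed from the guide: DC address 192.168.1.10, AD DNS domain teo-en-ming.corp.

DC_IP="${DC_IP:-192.168.1.10}"
DC_DOMAIN="${DC_DOMAIN:-teo-en-ming.corp}"

# Read resolv.conf text on stdin. Succeed only if every nameserver is the DC
# and the first search/domain entry is the AD domain. Any other resolver
# (8.8.8.8, a NetworkManager or libvirt dnsmasq, ...) makes the SRV lookup
# for _ldap._tcp.<domain> return NXDOMAIN and kinit fail with "Cannot find KDC".
resolv_conf_ok() {
    awk -v dc="$DC_IP" -v dom="$DC_DOMAIN" '
        $1 == "nameserver" { ns++; if ($2 != dc) bad++ }
        ($1 == "search" || $1 == "domain") && !seen { seen = 1; if ($2 != dom) bad++ }
        END { exit ((ns > 0 && seen && !bad) ? 0 : 1) }'
}

# Read "ss -lntup" output on stdin (column 5 is Local Address:Port). Succeed if
# no process other than samba is bound to port 53; otherwise print the
# offending lines to stderr and fail. Samba's internal DNS server cannot
# start while e.g. dnsmasq holds the port.
port53_conflicts() {
    local found
    found="$(awk '$5 ~ /:53$/ && $0 !~ /"samba"/')"
    [ -z "$found" ] && return 0
    printf 'port 53 in use by:\n%s\n' "$found" >&2
    return 1
}

# Succeed if no Samba daemon is running. pgrep -x anchors the whole process
# name and does not match itself, unlike "ps ax | egrep samba", which always
# lists the egrep and so never prints an empty result.
no_samba_running() {
    ! pgrep -x 'samba|smbd|nmbd|winbindd' > /dev/null
}

# Run the live checks on the DC (needs iproute2 and procps-ng).
preflight() {
    local rc=0
    no_samba_running || { echo "samba/smbd/nmbd/winbindd still running" >&2; rc=1; }
    ss -lntup 2>/dev/null | port53_conflicts || rc=1
    resolv_conf_ok < /etc/resolv.conf || { echo "/etc/resolv.conf does not point at $DC_IP / $DC_DOMAIN" >&2; rc=1; }
    return "$rc"
}

# Constructed samples (not captured from the guide's VM) for offline use:
SAMPLE_RESOLV_BAD='# Generated by NetworkManager
search localdomain
nameserver 8.8.8.8'
SAMPLE_RESOLV_GOOD='search teo-en-ming.corp
nameserver 192.168.1.10'
SAMPLE_SS_DNSMASQ='udp   UNCONN 0 0  0.0.0.0:53      0.0.0.0:* users:(("dnsmasq",pid=1124,fd=5))
tcp   LISTEN 0 32 0.0.0.0:53      0.0.0.0:* users:(("dnsmasq",pid=1124,fd=6))'
SAMPLE_SS_SAMBA='udp   UNCONN 0 0   192.168.1.10:53 0.0.0.0:* users:(("samba",pid=2523,fd=25))
tcp   LISTEN 0 10  192.168.1.10:53 0.0.0.0:* users:(("samba",pid=2523,fd=26))
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=890,fd=3))'

# With --live, check the real host; without it only the functions and samples are defined.
if [ "${1:-}" = "--live" ]; then
    preflight
fi
```

Run it as root on the DC with --live before `systemctl restart samba-ad-dc`; a non-zero exit with the reason on stderr tells you which of the three conditions still needs fixing.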
Testing your Samba AD DC
========================
# killall dnsmasq
# systemctl restart samba-ad-dc
Verifying the File Server
=========================
$ smbclient -L localhost -U%
Output:
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.11.6)
SMB1 disabled -- no workgroup available
$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Output:
Enter TEO-EN-MING\Administrator's password:
. D 0 Fri Feb 14 22:56:17 2020
.. D 0 Fri Feb 14 22:56:24 2020
17811456 blocks of size 1024. 12018876 blocks available
Verifying DNS (Failed again)
============================
$ host -t SRV _ldap._tcp.teo-en-ming.corp.
Output:
Host _ldap._tcp.teo-en-ming.corp. not found: 3(NXDOMAIN)
Unable to find the above DNS record because NetworkManager keeps overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.
# systemctl stop samba-ad-dc
TROUBLESHOOTING AGAIN
=====================
Re-provisioning the Samba AD DC, using the Samba internal DNS backend again. Note that re-provisioning creates a new domain with a new domain SID and fresh Administrator credentials; any client already joined to the first provision would have to be re-joined.
# samba-tool domain provision --use-rfc2307 --interactive
Output:
Realm [TEO-EN-MING.CORP]:
Domain [TEO-EN-MING]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
INFO 2020-02-15 09:01:10,638 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 09:01:10,638 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 09:01:10,638 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 09:01:10,639 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 09:01:11,057 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 09:01:11,436 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 09:01:11,620 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 09:01:12,200 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 09:01:12,667 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 09:01:12,817 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 09:01:12,820 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 09:01:12,893 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-15 09:01:13,093 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:01:13,201 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 09:01:13,342 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 09:01:16,649 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 09:01:16,794 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 09:01:19,013 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 09:01:19,053 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 09:01:19,056 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 09:01:19,057 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 09:01:19,060 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 09:01:19,061 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 09:01:19,199 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 09:01:19,261 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 09:01:19,564 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=MSMQ-Sign-Certificates-Mig,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=lostAndFound-Display,CN=411,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=5e1574f6-55df-493e-a671-aaeffca6a100,CN=Operations,CN=DomainUpdates,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:01:21,879 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 09:01:22,122 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:01:22,144 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 09:01:22,393 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record DC=gc,DC=_msdcs.teo-en-ming.corp,CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:01:23,163 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 09:01:23,213 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 09:01:24,265 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 09:01:24,265 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 09:01:24,581 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 09:01:24,772 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 09:01:24,772 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-15 09:01:24,772 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-15 09:01:24,773 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-15 09:01:24,773 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-15 09:01:24,773 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-3427788993-2190856266-1509719656
# systemctl start samba-ad-dc
Verifying DNS (Failed again)
============================
host -t SRV _ldap._tcp.teo-en-ming.corp.
Output:
Host _ldap._tcp.teo-en-ming.corp. not found: 3(NXDOMAIN)
Unable to find the above DNS record because NetworkManager keeps overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.
Installing BIND DNS Server and Using it as the DNS Backend for Samba
====================================================================
# yum install bind
# systemctl stop samba-ad-dc
We are going to use BIND9 as the Samba DNS backend this time.
I changed my mind. I decided not to use Samba's Internal DNS backend.
# samba-tool domain provision --use-rfc2307 --interactive
Output:
Realm [TEO-EN-MING.CORP]:
Domain [TEO-EN-MING]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
INFO 2020-02-15 09:13:53,976 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 09:13:53,976 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 09:13:53,976 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 09:13:53,977 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 09:13:54,381 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 09:13:54,704 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 09:13:54,888 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 09:13:55,478 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 09:13:55,819 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 09:13:55,886 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 09:13:55,888 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 09:13:55,945 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-15 09:13:56,187 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:13:56,362 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 09:13:56,518 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 09:13:59,846 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 09:13:59,991 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 09:14:02,238 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 09:14:02,279 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 09:14:02,280 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 09:14:02,282 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 09:14:02,283 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 09:14:02,284 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 09:14:02,425 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 09:14:02,489 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 09:14:02,777 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=MS-TS-Property02,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=localPolicy-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=PolicyType,CN=WMIPolicy,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:14:05,299 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 09:14:05,558 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:14:05,587 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 09:14:05,778 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.DomainDnsZones,DC=teo-en-ming.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:14:07,207 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1272: See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2020-02-15 09:14:07,207 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1274: and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2020-02-15 09:14:07,333 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 09:14:07,383 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 09:14:08,576 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 09:14:08,576 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 09:14:09,009 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 09:14:09,200 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-3153339276-3256266220-4030185391
# nano /etc/named.conf
Append the following line:
include "/usr/local/samba/bind-dns/named.conf";
# named -v
Output:
BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el8 (Extended Support Version) <id:7107deb>
# nano /usr/local/samba/bind-dns/named.conf
Contents of file:
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/bind-dns/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
# For BIND 9.9.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";
# For BIND 9.11.x
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
# For BIND 9.12.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so";
};
Setting up BIND9 options and keytab for Kerberos
================================================
# nano /etc/named.conf
Add the following to the options {} section of your main BIND named.conf file. For example:
options {
[...]
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
minimal-responses yes;
};
Verify that your /etc/krb5.conf Kerberos client configuration file is readable by your BIND user. For example:
# ls -l /etc/krb5.conf
Output:
-rw-r--r--. 1 root root 97 Feb 15 00:49 /etc/krb5.conf
# chown root:named /etc/krb5.conf
Verify that the nsupdate utility exists on your domain controller (DC):
# which nsupdate
/usr/bin/nsupdate
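The checks this manual performs by hand (whether /etc/resolv.conf still points at the DC after NetworkManager rewrites it, the SRV lookup, and whether /etc/krb5.conf and the DNS keytab are readable by the BIND user) collected into one pre-flight script. This is an added example, not part of the original manual; the DC address, hostname and domain are taken from the provision logs above, while the dns.keytab path, the named user and the RUN_DC_CHECKS switch are assumptions.

```shell
#!/bin/bash
# Added example, not from the original manual: pre-flight checks for a
# Samba AD DC using the BIND9_DLZ backend. The pure helper functions work
# on text passed in, so they can be exercised offline; run_checks() performs
# the live checks on the DC itself. Defaults come from the manual's logs;
# DNS_KEYTAB and BIND_USER are assumptions.
DC_IP="${DC_IP:-192.168.1.10}"
DC_FQDN="${DC_FQDN:-dc1.teo-en-ming.corp}"
DNS_DOMAIN="${DNS_DOMAIN:-teo-en-ming.corp}"
BIND_USER="${BIND_USER:-named}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
DNS_KEYTAB="${DNS_KEYTAB:-/usr/local/samba/private/dns.keytab}"

# resolv_points_at_dc <resolv.conf text> <dc ip>
# A DC must resolve through itself. NetworkManager rewriting the file to
# point at the router is exactly the NXDOMAIN failure seen in the manual.
resolv_points_at_dc() {
    local first
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$2" ]
}

# srv_answer_ok <output of "host -t SRV ..."> <expected target fqdn>
# Accepts only a positive answer whose SRV target is the DC itself;
# "not found: 3(NXDOMAIN)" and answers naming another host are failures.
srv_answer_ok() {
    printf '%s\n' "$1" | awk -v target="$2." '
        /has SRV record/ && $NF == target { found = 1 }
        END { exit !found }'
}

# ls_line_readable_by <"ls -l" line> <user> <primary group of user>
# Decides from the mode string, owner and group whether <user> can read the
# file (the manual inspects "ls -l /etc/krb5.conf" for the same reason).
ls_line_readable_by() {
    local line="$1" user="$2" ugroup="$3" perms owner group
    perms=$(printf '%s\n' "$line" | awk '{ print $1 }')
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    group=$(printf '%s\n' "$line" | awk '{ print $4 }')
    [ -n "$perms" ] || return 1
    # mode string: type(1) owner rwx(2-4) group rwx(5-7) other rwx(8-10);
    # a trailing "." (SELinux context) does not disturb these offsets
    [ "$(printf '%s\n' "$perms" | cut -c8)" = "r" ] && return 0
    [ "$group" = "$ugroup" ] && [ "$(printf '%s\n' "$perms" | cut -c5)" = "r" ] && return 0
    [ "$owner" = "$user" ] && [ "$(printf '%s\n' "$perms" | cut -c2)" = "r" ] && return 0
    return 1
}

# Live checks, run on the DC. SRV queries go straight to the DC's address
# so the result does not depend on whatever is in /etc/resolv.conf.
run_checks() {
    local rc=0 out name f
    if resolv_points_at_dc "$(cat /etc/resolv.conf)" "$DC_IP"; then
        echo "OK   /etc/resolv.conf uses the DC ($DC_IP) as first nameserver"
    else
        echo "FAIL /etc/resolv.conf does not point at $DC_IP (NetworkManager?)"; rc=1
    fi
    for name in "_ldap._tcp.$DNS_DOMAIN" "_kerberos._udp.$DNS_DOMAIN"; do
        out=$(host -t SRV "$name." "$DC_IP" 2>&1)
        if srv_answer_ok "$out" "$DC_FQDN"; then
            echo "OK   SRV $name -> $DC_FQDN"
        else
            echo "FAIL SRV $name: $out"; rc=1
        fi
    done
    for f in "$KRB5_CONF" "$DNS_KEYTAB"; do
        if ls_line_readable_by "$(ls -l "$f" 2>/dev/null)" "$BIND_USER" "$(id -gn "$BIND_USER")"; then
            echo "OK   $f readable by $BIND_USER"
        else
            echo "FAIL $f not readable by $BIND_USER"; rc=1
        fi
    done
    return "$rc"
}

# Live checks only run on request, so the helpers can be sourced safely.
if [ "${RUN_DC_CHECKS:-no}" = "yes" ]; then
    run_checks
fi
```

Run it on the DC with `RUN_DC_CHECKS=yes bash dc-dns-check.sh`; a FAIL on the resolv.conf line is the situation the manual hit before switching to BIND9.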
Starting the BIND DNS Service
=============================
# named-checkconf
# systemctl enable named.service
# systemctl start named.service
# systemctl status named.service
Output:
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-02-15 09:28:54 +08; 26s ago
Process: 3670 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 3667 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disab>
Main PID: 3673 (named)
Tasks: 4 (limit: 23972)
Memory: 73.1M
CGroup: /system.slice/named.service
└─3673 /usr/sbin/named -u named -c /etc/named.conf
Feb 15 09:28:54 dc1 named[3673]: zone 0.in-addr.arpa/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone localhost/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone localhost.localdomain/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: all zones loaded
Feb 15 09:28:54 dc1 named[3673]: running
Feb 15 09:28:54 dc1 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Feb 15 09:29:04 dc1 named[3673]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
Feb 15 09:29:04 dc1 named[3673]: resolver priming query complete
I still cannot find the mandatory DNS records. Re-provisioning Samba AD DC again.
# cd /usr/local/samba/etc
# mv smb.conf smb.conf.bak
# samba-tool domain provision --use-rfc2307 --interactive
Realm [TEO-EN-MING.CORP]:
Domain [TEO-EN-MING]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
INFO 2020-02-15 09:34:24,411 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 09:34:24,411 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 09:34:24,411 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 09:34:24,412 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 09:34:24,817 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 09:34:25,101 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 09:34:25,269 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 09:34:25,783 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 09:34:26,233 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 09:34:26,316 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 09:34:26,317 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 09:34:26,367 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-15 09:34:26,551 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:34:26,684 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 09:34:26,791 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 09:34:30,087 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 09:34:30,230 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 09:34:32,425 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 09:34:32,465 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 09:34:32,467 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 09:34:32,467 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 09:34:32,469 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 09:34:32,470 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 09:34:32,608 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 09:34:32,667 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 09:34:32,967 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=userPKCS12,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=pKICertificateTemplate-Display,CN=406,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=4dfbb973-8a62-4310-a90c-776e00f83222,CN=Operations,CN=DomainUpdates,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:34:35,720 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 09:34:35,963 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:34:35,982 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 09:34:36,248 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:34:37,633 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1272: See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2020-02-15 09:34:37,633 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1274: and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2020-02-15 09:34:37,763 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 09:34:37,804 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 09:34:38,781 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 09:34:38,781 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 09:34:39,223 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 09:34:39,438 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-2121330042-1058780221-1881093528
# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
netbios name = DC1
realm = TEO-EN-MING.CORP
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = TEO-EN-MING
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[netlogon]
path = /usr/local/samba/var/locks/sysvol/teo-en-ming.corp/scripts
read only = No
# systemctl start samba-ad-dc
TROUBLESHOOTING SAMBA INSTALLATION BY RE-COMPILING SAMBA FROM SOURCE AGAIN
==========================================================================
I was afraid that SELinux might affect the previous build of Samba from source.
# cd /root
# rm -rf samba-4.11.6
# systemctl stop samba-ad-dc
# cd /usr/local
# rm -rf samba/
# cd /root
# tar xfvz samba-4.11.6.tar.gz
# cd samba-4.11.6/
# ./configure
# make -j 4
Output:
Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'build' finished successfully (9m21.630s)
# make install
Output:
Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'install' finished successfully (2m47.846s)
Provisioning Samba AD DC from scratch after rebuilding Samba from source.
# samba-tool domain provision --use-rfc2307 --interactive
Realm [TEO-EN-MING.CORP]:
Domain [TEO-EN-MING]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
INFO 2020-02-15 10:00:20,082 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 10:00:20,083 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 10:00:20,083 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 10:00:20,083 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 10:00:20,505 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2020-02-15 10:00:20,871 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 10:00:21,131 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 10:00:22,314 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 10:00:22,838 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 10:00:23,230 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 10:00:23,322 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 10:00:23,324 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 10:00:23,398 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-15 10:00:23,573 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 10:00:23,653 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 10:00:23,749 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 10:00:27,115 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 10:00:27,261 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 10:00:29,491 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 10:00:29,531 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 10:00:29,532 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 10:00:29,533 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 10:00:29,534 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 10:00:29,535 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 10:00:29,674 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 10:00:29,735 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 10:00:30,058 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=rpc-Ns-Bindings,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=nTFRSSubscriber-Display,CN=40C,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=Incoming Forest Trust Builders,CN=Builtin,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 10:00:33,052 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 10:00:33,285 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 10:00:33,305 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 10:00:33,511 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=@,DC=teo-en-ming.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.teo-en-ming.corp,CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 10:00:34,921 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1272: See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2020-02-15 10:00:34,921 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1274: and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2020-02-15 10:00:35,045 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 10:00:35,095 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 10:00:36,238 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 10:00:36,238 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 10:00:36,771 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 10:00:37,012 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role: active directory domain controller
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname: dc1
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain: TEO-EN-MING
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain: teo-en-ming.corp
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID: S-1-5-21-4032533190-753116703-2394070240
# systemctl start samba-ad-dc
TROUBLESHOOTING THE BIND9_DLZ BACKEND
=====================================
# samba_upgradedns --dns-backend=BIND9_DLZ
Output:
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/bind-dns/dns/TEO-EN-MING.CORP.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc1 account already exists
See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
TROUBLESHOOTING "MISSING" MANDATORY SAMBA DNS RECORDS
=====================================================
REFERENCE
=========
Finally! I found the problem and discovered the solution.
Guide: CentOS 7 NetworkManager Keeps Overwriting /etc/resolv.conf
Link: https://ma.ttias.be/centos-7-networkmanager-keeps-overwriting-etcresolv-conf/
To prevent NetworkManager from overwriting your resolv.conf changes, remove the DNS1, DNS2, … lines from /etc/sysconfig/network-scripts/ifcfg-*.
# cd /etc/sysconfig/network-scripts/
# nano ifcfg-ens3
Remove DNS1 entry.
To make BIND listen on all interfaces
=====================================
# nano /etc/named.conf
Change the following entry:
listen-on port 53 { any; };
# systemctl restart named
# netstat -anp | grep -v unix | grep LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 28855/samba
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 29436/named
tcp 0 0 192.168.1.10:53 0.0.0.0:* LISTEN 29436/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 29436/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1090/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1087/cupsd
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 28855/samba
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 29436/named
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 28839/smbd
tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 28837/samba
tcp 0 0 0.0.0.0:49153 0.0.0.0:* LISTEN 28845/samba
tcp 0 0 0.0.0.0:49154 0.0.0.0:* LISTEN 28845/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 28845/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 28839/smbd
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1597/systemd-resolv
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::464 :::* LISTEN 28855/samba
tcp6 0 0 ::1:53 :::* LISTEN 29436/named
tcp6 0 0 :::22 :::* LISTEN 1090/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1087/cupsd
tcp6 0 0 :::88 :::* LISTEN 28855/samba
tcp6 0 0 ::1:953 :::* LISTEN 29436/named
tcp6 0 0 :::636 :::* LISTEN 28847/samba
tcp6 0 0 :::445 :::* LISTEN 28839/smbd
tcp6 0 0 :::49152 :::* LISTEN 28837/samba
tcp6 0 0 :::49153 :::* LISTEN 28845/samba
tcp6 0 0 :::49154 :::* LISTEN 28845/samba
tcp6 0 0 :::3268 :::* LISTEN 28847/samba
tcp6 0 0 :::3269 :::* LISTEN 28847/samba
tcp6 0 0 :::389 :::* LISTEN 28847/samba
tcp6 0 0 :::135 :::* LISTEN 28845/samba
tcp6 0 0 :::5355 :::* LISTEN 1597/systemd-resolv
tcp6 0 0 :::139 :::* LISTEN 28839/smbd
Modify /etc/resolv.conf again. This is the crux of the problem.
# nano /etc/resolv.conf
search teo-en-ming.corp
nameserver 192.168.1.10
Verifying DNS (Successful this time)
====================================
$ host -t SRV _ldap._tcp.teo-en-ming.corp.
Output:
_ldap._tcp.teo-en-ming.corp has SRV record 0 100 389 dc1.teo-en-ming.corp.
$ host -t SRV _kerberos._udp.teo-en-ming.corp.
Output:
_kerberos._udp.teo-en-ming.corp has SRV record 0 100 88 dc1.teo-en-ming.corp.
$ host -t A dc1.teo-en-ming.corp.
Output:
dc1.teo-en-ming.corp has address 192.168.122.1
dc1.teo-en-ming.corp has address 192.168.1.10
Verifying Kerberos (Successful this time)
=========================================
# kinit administrator
Output:
Password for administrator@TEO-EN-MING.CORP:
Warning: Your password will expire in 41 days on Sat 28 Mar 2020 10:00:30 AM +08
# klist
Output:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEO-EN-MING.CORP
Valid starting Expires Service principal
02/15/2020 10:56:56 02/15/2020 20:56:56 krbtgt/TEO-EN-MING.CORP@TEO-EN-MING.CORP
renew until 02/16/2020 10:56:53
OVERWHELMING SUCCESS!
=====================
Joining Domain from Windows 10 Pro QEMU/KVM virtual machine
===========================================================
Install Windows 10 Pro version 1909 as a QEMU/KVM virtual machine.
Ping Samba AD DC from Windows.
ping 192.168.1.10
SUCCESS!
Configure Preferred DNS Server as 192.168.1.10 for your virtual NIC.
Alternate DNS Server: 8.8.8.8 (Compulsory for internet access)
REFERENCE GUIDE
===============
Guide: DNS Administration
Link: https://wiki.samba.org/index.php/DNS_Administration
Listing zone records
====================
# samba-tool dns query 192.168.1.10 teo-en-ming.corp @ ALL -U administrator
Output:
Password for [TEO-EN-MING\administrator]:
Name=, Records=6, Children=0
SOA: serial=241, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.teo-en-ming.corp., email=hostmaster.teo-en-ming.corp. (flags=600000f0, serial=241, ttl=3600)
NS: dc1.teo-en-ming.corp. (flags=600000f0, serial=1, ttl=900)
A: 192.168.1.10 (flags=600000f0, serial=1, ttl=900)
AAAA: 2401:7400:c802:de67:0000:0000:0000:14c2 (flags=600000f0, serial=1, ttl=900)
A: 192.168.122.1 (flags=600000f0, serial=26, ttl=900)
AAAA: 2401:7400:c802:de67:0d19:690d:f659:ad40 (flags=600000f0, serial=27, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=_sites, Records=0, Children=1
Name=_tcp, Records=0, Children=4
Name=_udp, Records=0, Children=2
Name=dc1, Records=4, Children=0
A: 192.168.1.10 (flags=f0, serial=1, ttl=900)
AAAA: 2401:7400:c802:de67:0000:0000:0000:14c2 (flags=f0, serial=1, ttl=900)
A: 192.168.122.1 (flags=f0, serial=24, ttl=900)
AAAA: 2401:7400:c802:de67:0d19:690d:f659:ad40 (flags=f0, serial=25, ttl=900)
Name=DomainDnsZones, Records=0, Children=2
Name=ForestDnsZones, Records=0, Children=2
Disable IPv6 on Windows 10 Pro QEMU/KVM virtual machine.
Deleting Unnecessary DNS Records (OPTIONAL TASK)
================================================
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp teo-en-ming.corp A 192.168.122.1 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp teo-en-ming.corp AAAA 2401:7400:c802:de67:0000:0000:0000:14c2 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp teo-en-ming.corp AAAA 2401:7400:c802:de67:0d19:690d:f659:ad40 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp dc1 A 192.168.122.1 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp dc1 AAAA 2401:7400:c802:de67:0000:0000:0000:14c2 -U administrator
# samba-tool dns delete 192.168.1.10 teo-en-ming.corp dc1 AAAA 2401:7400:c802:de67:0d19:690d:f659:ad40 -U administrator
Disabling the Firewall on CentOS 8.1
====================================
# systemctl stop firewalld
# systemctl disable firewalld
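Rather than stopping firewalld outright, a practitioner can confirm from the netstat listing earlier in this manual that every AD DC service is bound on the DC address (the point of the BIND listen-on fix) and then open only those ports in firewalld. The Python below is an added example and not part of Teo En Ming's manual; the embedded netstat excerpt is constructed from the listing above, and the AD DC port table and the RPC dynamic range are assumptions from general Samba AD DC requirements, not values taken from this page.

```python
import re
# Constructed sample: an excerpt of the `netstat -anp | grep LISTEN` listing shown above.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 28855/samba
tcp 0 0 192.168.1.10:53 0.0.0.0:* LISTEN 29436/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1090/sshd
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 28855/samba
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 28839/smbd
tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 28837/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 28847/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 28845/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 28839/smbd
"""
# Assumption (not from the manual): the TCP/UDP ports a Samba AD DC serves clients on.
AD_DC_TCP = {53: "dns", 88: "kerberos", 135: "rpc-epmap", 139: "netbios-ssn", 389: "ldap",
             445: "smb", 464: "kpasswd", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}
AD_DC_UDP = {53: "dns", 88: "kerberos", 137: "netbios-ns", 138: "netbios-dgm", 389: "cldap", 464: "kpasswd"}
RPC_DYNAMIC = "49152-65535/tcp"  # Samba's default dynamic RPC range (49152-49154 are in use above)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+\d+/(\S+)")

def parse_listeners(text):
    """Map TCP port -> set of (bind address, process name) from netstat LISTEN lines."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.setdefault(int(m.group(2)), set()).add((m.group(1), m.group(3)))
    return listeners

def missing_services(listeners, dc_ip):
    """AD DC services with no listener reachable on the DC address or a wildcard bind."""
    missing = []
    for port, name in AD_DC_TCP.items():
        binds = {addr for addr, _ in listeners.get(port, ())}
        if not binds & {"0.0.0.0", "::", dc_ip}:
            missing.append(name)
    return missing

def firewalld_allowlist(listeners, zone="public"):
    """firewall-cmd lines that open only the AD DC ports, instead of disabling firewalld."""
    ports = [f"{p}/tcp" for p in sorted(AD_DC_TCP) if p in listeners]
    ports += [f"{p}/udp" for p in sorted(AD_DC_UDP)] + [RPC_DYNAMIC]
    cmds = [f"firewall-cmd --permanent --zone={zone} --add-port={p}" for p in ports]
    return cmds + ["firewall-cmd --reload"]
```

Run `missing_services` against the real `netstat -anp` output first; an empty result means every service is bound where clients can reach it, and only then apply the generated allow-list.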
Join Domain from Windows 10 Pro QEMU/KVM Virtual Machine
========================================================
Domain: teo-en-ming.corp
Welcome to the teo-en-ming.corp domain.
Download and install Microsoft Remote Server Administration Tools (RSAT) for Windows 10.
Restart Windows 10 Pro QEMU/KVM virtual machine.
Log in as the domain administrator.
User: TEO-EN-MING\administrator
Password: Unknown
Open Active Directory Users and Computers.
Final Success!
==============
AUTHOR: MR. TURRITOPSIS DOHRNII TEO EN MING, SINGAPORE