BLU Discuss list archive

[Discuss] Victory Re: Replacing AD with Samba4

After a week of sporadic tweaking, I'm declaring victory in the Samba Active
Directory project.  Here are notes for anyone else trying to accomplish
something similar; the rise of Google's commercial ad-focused business and the
lack of any natural-language query capability has reduced quality of technical
information online to the point where it can take days to find the
nugget-needles of truth amid terabytes of useless haystacks of cruft.

My goals were two-fold:
 1) Eliminate my dependency on Microsoft Server, which I run at
    home and no longer have any practical way to keep up-to-date
 2) Set up and maintain backups of my secure LDAP information,
    which I realized I've never backed up in the past

What I had before was a standard Active Directory installation consisting of
two Windows Server 2008r2 instances named dc01 and dc02. (They were installed
under VirtualBox on a pair of OpenSuSE servers.) It's not really accurate to
say they are "primary" and "backup": domain controllers running Active
Directory these days run active-active symmetrical replication. So a lot of
the online documentation gets confusing because Microsoft's terminology
doesn't really spell out explicitly what the roles are.

What I have now are four instances running mutual replication between every
pair, dc01 through dc04. The new ones are running a source-compiled build of
Samba 4.2.3 under LXC. (Still running an older distro, 12.3, because of the
immense effort required to replace the distro underlying several LXC
instances.)  My realm is called ETHER.CI.NET and I use a workgroup CIGROUP.

I can administer the new machines using Apache Directory Studio, and the old
ones using MS Active Directory Administration Center.  (For reasons that I
don't have time to figure out, neither of these admin tools works with all 4
instances; online info suggests they should both work but there are SSL-cert
issues and/or missing TCP services that get in my way for now.) New users and
password changes that I make on any instance get replicated quickly to the
other 3.  I've also been able to configure my local Jira installation to use
Active Directory logins on one of the new Samba servers.

In addition to instructions in the Samba4 installation wiki, here are commands
that I found necessary due (in part) to oddities in my ancient distro and (in
part) to rough edges remaining in Samba4 packaging:

 samba-tool domain join DC -Uadministrator \
   --realm=ETHER.CI.NET --dns-backend=SAMBA_INTERNAL

 ldbsearch -H ../private/sam.ldb '(invocationid=*)' \
   --cross-ncs objectguid

 (using vi) add both dc03 and the forgotten dc04 to /etc/hosts

 samba-tool dns add dc01 \
   e3f94209-f380-44a4-ae96-eb8750403671 CNAME

 bin/net changesecretpw -f

 net ads password -U Administrator%[pw] DC03$
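
As an added example (not from the original post), here is a small POSIX shell script that takes the output of the ldbsearch query above, works out the <objectGUID>._msdcs.<realm> CNAME record that DRS replication needs for each DC, and optionally checks it with host(1). The realm is the one named in the post; the sample ldbsearch output and the DC01 GUID are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: derive the _msdcs CNAME records that
# each DC in the ldbsearch output above must have, and check them with host(1).
REALM_DNS="ether.ci.net"   # assumption: DNS form of the realm ETHER.CI.NET
# Constructed sample of `ldbsearch ... '(invocationid=*)' --cross-ncs objectguid`
# output; the DC03 GUID is the one quoted in the post, the DC01 GUID is made up.
SAMPLE_LDB='# record 1
dn: CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ether,DC=ci,DC=net
objectGUID: e3f94209-f380-44a4-ae96-eb8750403671

# record 2
dn: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ether,DC=ci,DC=net
objectGUID: 0d1b2c3e-4a5f-4b6c-8d7e-9f0a1b2c3d4e'

# Print one "<dc> <guid>" line per NTDS Settings object (DC name = CN under
# "NTDS Settings", GUID = its objectGUID). LDIF folds long lines; re-join them.
expected_cnames() {
    printf '%s\n' "$1" | awk '
        function handle(l) {
            if (l ~ /^dn: CN=NTDS Settings,CN=/) {
                sub(/^dn: CN=NTDS Settings,CN=/, "", l); sub(/,.*/, "", l); dc = tolower(l)
            } else if (l ~ /^objectGUID: /) { print dc, substr(l, 13) }
        }
        /^ / { buf = buf substr($0, 2); next }
        { handle(buf); buf = $0 }
        END { handle(buf) }'
}

# DRS replication resolves a partner DC through <ntds-guid>._msdcs.<realm>.
cname_record() { printf '%s._msdcs.%s\n' "$1" "$REALM_DNS"; }

# 0 if the record is a CNAME to <dc>.<realm>, 1 if not, 2 if host(1) is absent;
# a missing record is what the "samba-tool dns add ... CNAME" step above supplies.
check_cname() {
    command -v host >/dev/null 2>&1 || return 2
    host -t CNAME "$(cname_record "$2")" 2>/dev/null | grep -qi "alias for $1\.$REALM_DNS"
}

report() {
    expected_cnames "$1" | while read -r dc guid; do
        rc=0; check_cname "$dc" "$guid" || rc=$?
        case $rc in
            0) printf 'OK       %s -> %s\n' "$(cname_record "$guid")" "$dc" ;;
            2) printf 'SKIPPED  %s (host(1) not installed)\n' "$(cname_record "$guid")" ;;
            *) printf 'MISSING  %s (expected CNAME to %s.%s)\n' "$(cname_record "$guid")" "$dc" "$REALM_DNS" ;;
        esac
    done
}

# Without --check only the expected records are listed, so this also runs offline.
if [ "${1:-}" = "--check" ]; then report "$SAMPLE_LDB"; else expected_cnames "$SAMPLE_LDB"; fi
```

Feed it the real output of the ldbsearch command instead of SAMPLE_LDB and run with --check on a host that resolves against one of the DCs.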

Something about the version of Kerberos I have seems to require at least one
reboot before I can get past a preauth-failure message, even though 'klist'
command output seems fine. I also found that after building the second
instance, I needed to clear /usr/local/samba and reinstall the first, to
get past a "Refusing DsReplicaUpdateRefs" error.  Other error messages I
collected during troubleshooting are:

 Failed to fetch our own, local AD domain join password for
  winbindd's internal use, both from secrets.tdb and

 samba_dnsupdate: RuntimeError: kinit for DC03$@ETHER.CI.NET
  failed (Preauthentication failed)

 RID Manager failed RID allocation - WERR_BADFILE

 Password change failed: Client not found in Kerberos database

 UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED

 dos charset 'CP850' unavailable - using ASCII

All I need to do for backups (at the moment) is make a periodic snapshot of
/usr/local/samba; there are additional open-source Linux scripts available to
improve upon this.

Below are the krb5.conf and smb.conf configs that I finally settled on. I
almost gave up on this after a few days but at this point I'm a lot happier
with this than the old Microsoft-only setup.

# krb5.conf
[libdefaults]
    default_realm = ETHER.CI.NET
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    ETHER.CI.NET = {
	kdc =
	kdc =
	kdc =
	kdc =
	admin_server =
    }

[domain_realm]
    = ETHER.CI.NET
    = ETHER.CI.NET

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log

# smb.conf
# Global parameters
[global]
	workgroup = CIGROUP
	realm = ETHER.CI.NET
	netbios name = DC03
	server role = active directory domain controller
	domain logons = Yes
	domain master = No
	winbind refresh tickets = Yes

	allow dns updates = signed
	winbind trusted domains only = no
	winbind use default domain = yes

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
