BLU Discuss list archive
[Discuss] Victory Re: Replacing AD with Samba4
- Subject: [Discuss] Victory Re: Replacing AD with Samba4
- From: richb at pioneer.ci.net (Rich Braun)
- Date: Sun, 16 Aug 2015 11:29:10 -0700
After a week of sporadic tweaking, I'm declaring victory in the Samba Active Directory project. Here are notes for anyone else trying to accomplish something similar; the rise of Google's commercial ad-focused business and the lack of any natural-language query capability have reduced the quality of technical information online to the point where it can take days to find the nugget-needles of truth amid terabytes of useless haystacks of cruft.

My goals were two-fold:

1) Eliminate my dependency on Microsoft Server, which I run at home and no longer have any practical way to keep up-to-date

2) Set up and maintain backups of my secure LDAP information, which I realized I've never backed up in the past

What I had before was a standard Active Directory installation consisting of two Windows Server 2008r2 instances named dc01 and dc02. (They were installed under VirtualBox on a pair of OpenSuSE servers.) It's not really accurate to say they are "primary" and "backup": domain controllers running Active Directory these days run active-active symmetrical replication. So a lot of the online documentation gets confusing because Microsoft's terminology doesn't really spell out explicitly what the roles are.

What I have now are four instances running mutual replication between every pair, dc01 through dc04. The new ones are running a source-compiled build of samba 4.2.3 under LXC. (Still running an older distro, 12.3, because of the immense effort required to replace the distro underlying several LXC instances.)

My realm is called ETHER.CI.NET and I use a workgroup CIGROUP. I can administer the new machines using Apache Directory Studio, and the old ones using MS Active Directory Administration Center. (For reasons that I don't have time to figure out, neither of these admin tools works with all 4 instances; online info suggests they should both work but there are SSL-cert issues and/or missing TCP services that get in my way for now.)

New users and password changes that I make on any instance get replicated quickly to the other 3. I've also been able to configure my local Jira installation to use Active Directory logins on one of the new Samba servers.

In addition to instructions in the Samba4 installation wiki, here are commands that I found necessary due (in part) to oddities in my ancient distro and (in part) to rough edges remaining in Samba4 packaging:

    samba-tool domain join ether.ci.net DC -Uadministrator \
        --realm=ETHER.CI.NET --dns-backend=SAMBA_INTERNAL
    ldbsearch -H ../private/sam.ldb '(invocationid=*)' \
        --cross-ncs objectguid
    (using vi) add both dc03 and the forgotten dc04 to /etc/hosts
    samba-tool dns add dc01 _msdcs.ether.ci.net \
        e3f94209-f380-44a4-ae96-eb8750403671 CNAME dc03.ether.ci.net
    bin/net changesecretpw -f
    net ads password -U Administrator%[pw] DC03$

Something about the version of kerberos I have seems to require at least one reboot before I can get past a preauth-failure message, even though 'klist' command output seems fine. I also found that after building the second instance, I needed to clear the /usr/local/samba and reinstall the first, to get past a "Refusing DsReplicaUpdateRefs" error.

Other error messages I collected during troubleshooting are:

    Failed to fetch our own, local AD domain join password for winbindd's internal use, both from secrets.tdb and secrets.ldb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    samba_dnsupdate: RuntimeError: kinit for DC03$@ETHER.CI.NET failed (Preauthentication failed)
    RID Manager failed RID allocation - WERR_BADFILE
    Password change failed: Client not found in Kerberos database
    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED
    dos charset 'CP850' unavailable - using ASCII

All I need to do for backups (at the moment) is make a periodic snapshot of /usr/local/samba; there are additional open-source Linux scripts available to improve upon this. Below are the krb5.conf and smb.conf configs that I finally settled on.

I almost gave up on this after a few days but at this point I'm a lot happier with this than the old Microsoft-only setup.

-rich

----krb5.conf----

    [libdefaults]
        default_realm = ETHER.CI.NET
        dns_lookup_realm = false
        dns_lookup_kdc = false

    [realms]
        ETHER.CI.NET = {
            kdc = 192.168.2.62
            kdc = 192.168.2.65
            kdc = 192.168.2.63
            kdc = 192.168.2.71
            admin_server = 192.168.2.62
        }

    [domain_realm]
        .ether.ci.net = ETHER.CI.NET
        ether.ci.net = ETHER.CI.NET

    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

----smb.conf----

    # Global parameters
    [global]
        workgroup = CIGROUP
        realm = ETHER.CI.NET
        netbios name = DC03
        server role = active directory domain controller
        domain logons = Yes
        domain master = No
        winbind refresh tickets = Yes
        allow dns updates = signed
        winbind trusted domains only = no
        winbind use default domain = yes

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/ether.ci.net/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
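The post's backup plan is a periodic snapshot of /usr/local/samba. The script below is an added example, not code from the post or from the Samba project, showing one way to take such a snapshot with a verification step and retention pruning. It assumes the source-built layout under /usr/local/samba described above; the function names, the argument names and the default retention count of 7 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Snapshots a Samba AD DC
# install tree (the post keeps one under /usr/local/samba) into timestamped
# tarballs, verifies each archive, and prunes old ones. Function names,
# argument names and the retention default are assumptions for this example.
set -eu

# snapshot_samba_dir SRC DEST [KEEP]
#   Archives SRC as DEST/samba-<UTC timestamp>-<NN>.tar.gz, verifies that the
#   archive lists cleanly, then prunes so only the newest KEEP archives remain.
#   Prints the new archive path on stdout; returns non-zero on failure.
snapshot_samba_dir() {
    src=$1
    dest=$2
    keep=${3:-7}
    [ -d "$src" ] || { echo "snapshot: source $src is not a directory" >&2; return 1; }
    mkdir -p "$dest"

    # The name sorts chronologically in the C locale; the NN suffix keeps two
    # snapshots taken in the same second from overwriting each other.
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    n=0
    archive="$dest/samba-$stamp-00.tar.gz"
    while [ -e "$archive" ]; do
        n=$((n + 1))
        archive="$dest/samba-$stamp-$(printf '%02d' "$n").tar.gz"
    done

    # Archive relative to the parent so a restore recreates the same path.
    # The tree holds sam.ldb and secrets.*, so the tarball is created 0600.
    ( umask 077; tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")" )

    # A snapshot that cannot be listed is worse than none: drop it and fail.
    if ! tar -tzf "$archive" >/dev/null 2>&1; then
        rm -f "$archive"
        echo "snapshot: $archive failed verification" >&2
        return 1
    fi

    # Keep the newest KEEP archives (lexical order is chronological here).
    ls -1 "$dest"/samba-*.tar.gz | LC_ALL=C sort -r | tail -n +"$((keep + 1))" |
    while read -r old; do
        rm -f "$old"
    done

    echo "$archive"
}

# count_snapshots DEST: number of snapshot archives currently in DEST.
count_snapshots() {
    ls -1 "$1"/samba-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}
```

Run it from cron as `snapshot_samba_dir /usr/local/samba /var/backups/samba 14`, ideally with the samba daemon stopped (or the tdb/ldb files copied with tdbbackup first), because database files copied while the DC is writing them can land in the archive in an inconsistent state. The archive contains the domain's password hashes and machine-account secrets, so treat the backup directory with the same care as /usr/local/samba/private itself and copy it off the box over an authenticated channel.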