Log inUsernamePassword
Log me on automatically each visit    
Register
Register
Log in to check your private messages
Log in to check your private messages
SMS Forum Index » SMS User Support

Post new topic   Reply to topic
Samba4 support
View previous topic :: View next topic  
Author Message
rcastro
Junior Member


Joined: 17 Aug 2013
Posts: 5

PostPosted: Sat Aug 17, 2013 5:06 am    Post subject: Samba4 support Reply with quote

I´ve installed SMS version 2.0.5 in my server and i´m pretend it to use it as AD.
The smb.conf example is incorrect, i found later the correct smb.conf that´s allow me to use smbclient -L localhost -U%
But, when i´m trying to prove host -t SRV _ldap._tcp.mydomain.com appears error 3(NXDOMAIN).
Looking in google for this error, indicates a list of port that should be open, like 88

if i use nmap -p 88 myip
Appear
88 tcp close kerberos

How may i open this port??

Thank's
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1747
Location: Greece

PostPosted: Sat Aug 17, 2013 6:53 am    Post subject: Reply with quote

If you are referring to default /etc/samba/smb.conf it's for standalone server and not for ADDC, there is an example at /etc/samba/smb.conf-domain.example but that's for reference since you need to run samba-tool.
Did you run "samba-tool domain provision" ?
Once you run it, it will create proper configs at /etc/samba/private

Have you look at those guides?
http://en.gentoo-wiki.com/wiki/Samba4_as_Active_Directory_Server
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Back to top
View user's profile Send private message Visit poster's website
rcastro
Junior Member


Joined: 17 Aug 2013
Posts: 5

PostPosted: Sun Aug 18, 2013 3:10 am    Post subject: Reply with quote

Hi!!
Thank you for your support.

Yes, i did use samba-tool domain provision, and the smb.conf created send my error when i use smbclient -L localhost -U %
So, i must to edit this file to write: server services = smb, s3fs
With this, (after restart samba) smbclient -L localhost -U % is working
(but, if iuse smbclient //localhost/netlogon -UAdministrator%'<password>' -c 'ls' appear "samba internal error").
I've modify resolv,conf, hosts, named.conf. My DNS is working; but
host -t SRV _ldap._tcp.MYDOMAIN indicates NXDOMAIN(3).
In Google i've found that kerberos must be under firewall, but if i use
nmap -p 88 myip
indicates me that port 88 is closed.
How may i open this port???
Thank you. Sincerely Ricardo
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1747
Location: Greece

PostPosted: Sun Aug 18, 2013 6:16 am    Post subject: Reply with quote

Have you follow the guide in the docs, to create /etc/krb5.conf with your REALM.
Code:
[libdefaults]
        default_realm = YOUR.REALM
        dns_lookup_realm = false
        dns_lookup_kdc = true

You can also try to start heimdal with
Code:
smsconfig heimdal start

and test with kinit to login

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Back to top
View user's profile Send private message Visit poster's website
rcastro
Junior Member


Joined: 17 Aug 2013
Posts: 5

PostPosted: Tue Aug 20, 2013 3:03 am    Post subject: Reply with quote

Help!!! Crying or Very sad Crying or Very sad
My brain is complete closed Crying or Very sad I can't understand what is happening. Please!!!! Help!!!
My resolv.conf is
domain ite.edu.mx
search ite.edu.mx
nameserver 10.10.10.253
nameserver 8.8.8.8
nameserver 8.8.4.4

My hosts is
127.0.0.1 localhost
192.168.4.210 ite ite.edu.mx
10.10.10.253 alumnos ite.edu.mx

The 10.10.10.253 is the internal IP,

My named.conf is
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
files 4096;
managed-keys-directory "managed-keys";
empty-zones-enable yes;
};

//
// a caching only nameserver config
//
zone "." IN {
type hint;
file "caching-example/named.root";
};

zone "localhost" IN {
type master;
file "caching-example/localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "ite.edu.mx" {
type master;
file "/var/named/ite.edu.mx.hosts";
allow-transfer {127.0.0.1;};
};
zone "10.10.10.in-addr.arpa" {
type master;
file "/var/named/10.10.10.rev";
};
logging {
};

My smb.conf is
# Global parameters
[global]
workgroup = ITE
realm = ite.edu.mx
netbios name = ALUMNOS
server role = active directory domain controller
dns forwarder = 10.10.10.253
server services = smb,kdc,s3fs
passdb backend = samba4

[netlogon]
path = /var/lib/samba/sysvol/ite.edu.mx/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

If i do smbclient -L localhost -U%
Domain=[ITE] OS=[Unix] Server=[Samba 4.0.8]

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service
Domain=[ITE] OS=[Unix] Server=[Samba 4.0.8]

Server Comment
--------- -------

Workgroup Master
--------- -------

But, if i use
root@ite:/etc/samba# smbclient //localhost/netlogon -UAdministrator% -c 'ls'
Anonymous login successful
Domain=[ITE] OS=[Unix] Server=[Samba 4.0.8]
tree connect failed: NT_STATUS_INTERNAL_ERROR

And then
root@ite:/etc/samba# host -t SRV _ldap._tcp.ite.edu.mx
Host _ldap._tcp.ite.edu.mx not found: 3(NXDOMAIN)

root@ite:/etc/samba# host -t SRV _kerberos._udp.ite.edu.mx
Host _kerberos._udp.ite.edu.mx not found: 3(NXDOMAIN)


root@ite:/etc/samba# host -t A alumnos.ite.edu.mx
alumnos.ite.edu.mx is an alias for ite.edu.mx.
ite.edu.mx has address 10.10.10.253


if i try smsconfig heimdal start

root@ite:/etc/samba# smsconfig heimdal start
root@ite:/etc/samba#
root@ite:/etc/samba# smsconfig heimdal status
Service heimdal [ Stopped ]

Please!!!! Help!!!! Crying or Very sad Crying or Very sad Crying or Very sad
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1747
Location: Greece

PostPosted: Tue Aug 20, 2013 7:01 am    Post subject: Reply with quote

OK! I see some weird configurations, that's for sure...
Anyway I 'll post my working configs, although for samba it's done by samba-tool...
It's clear that you were not reading the correct guides for samba4...

smb.conf
Code:
[global]
        workgroup = AD
        realm = AD.SMS.ORG
        netbios name = SMS
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
        path = /var/lib/samba/sysvol/ad.sms.org/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

named.conf
Code:
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
files 4096;
managed-keys-directory "managed-keys";
empty-zones-enable yes;
tkey-gssapi-keytab "/etc/samba/private/dns.keytab";
};

//
// a caching only nameserver config
//
zone "." IN {
        type hint;
        file "caching-example/named.root";
};

zone "localhost" IN {
        type master;
        file "caching-example/localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "caching-example/named.local";
        allow-update { none; };
};


zone "ad.sms.org." IN {
        type master;
        file "/etc/samba/private/dns/ad.sms.org.zone";
        /*
         * the list of principals and what they can change is created
         * dynamically by Samba, based on the membership of the domain controllers
         * group. The provision just creates this file as an empty file.
         */
        include "/etc/samba/private/named.conf.update";

        /* we need to use check-names ignore so _msdcs A records can be created */
        check-names ignore;
};


/etc/samba/private/dns/ad.sms.org.zone
Code:
; -*- zone -*-
; generated by provision.pl
$ORIGIN ad.sms.org.
$TTL 1W
@               IN SOA  sms   hostmaster (
                                2012121618   ; serial
                                2D              ; refresh
                                4H              ; retry
                                6W              ; expiry
                                1W )            ; minimum
                        IN NS   sms

            IN A    192.168.254.154
;

sms        IN A    192.168.254.154
gc._msdcs               IN A    192.168.254.154

27a18fac-edb7-43cd-98c9-279563e6eaa7._msdcs     IN CNAME        sms
;
; global catalog servers
_gc._tcp                IN SRV 0 100 3268       sms
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268       sms
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268       sms
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 3268 sms
;
; ldap servers
_ldap._tcp              IN SRV 0 100 389        sms
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        sms
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        sms
_ldap._tcp.a69fc188-f756-460e-bd6f-6344c70cf791.domains._msdcs          IN SRV 0 100 389 sms
_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 sms
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 sms
;
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         sms
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 sms
_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 sms
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 sms
_kerberos._udp          IN SRV 0 100 88         sms
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp           IN SRV 0 100 88         sms
_kerberos-master._udp           IN SRV 0 100 88         sms
;
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        sms
_kpasswd._udp           IN SRV 0 100 464        sms
;
; heimdal 'find realm for host' hack
_kerberos               IN TXT  AD.SMS.ORG


/etc/krb5.conf
Code:
[libdefaults]
        default_realm = AD.SMS.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true


Heimdal ain't necessary , but if you want to start it rename /var/heimdal/kdc.conf-sample
Also you need to stop LDAP server
smsconfig ldap stop

Some working outputs
Code:
root@sms:~# kinit Administrator@AD.SMS.ORG
Administrator@AD.SMS.ORG's Password:
root@sms:~#


Code:
root@sms:~# host -t SRV _kerberos._udp.ad.sms.org
_kerberos._udp.ad.sms.org has SRV record 0 100 88 sms.ad.sms.org.


Code:
root@sms:~# host -t SRV _ldap._tcp.ad.sms.org
_ldap._tcp.ad.sms.org has SRV record 0 100 389 sms.ad.sms.org.


gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Back to top
View user's profile Send private message Visit poster's website
rcastro
Junior Member


Joined: 17 Aug 2013
Posts: 5

PostPosted: Tue Aug 20, 2013 9:26 pm    Post subject: Reply with quote

Successful!!! Very Happy Laughing Exclamation

Thank you some much!!!! Without your help i couldn't do it!!!

Thank you. My Domain is now AD
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    SMS Forum Index » SMS User Support All times are GMT + 2 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum

SMS - Superb! Mini Server Project © 2016
Powered by phpBB © 2001, 2002 phpBB Group
iCGstation v1.0 Template By Ray © 2003, 2004 iOptional