[SMS] - Superb Mini Server Project Support Forum

rcastro, Junior Member
Joined: 17 Aug 2013
Posts: 5

Posted: Sat Aug 17, 2013 5:06 am    Post subject: Samba4 support

I've installed SMS version 2.0.5 on my server and I intend to use it as AD. The smb.conf example is incorrect; I later found the correct smb.conf that allows me to use smbclient -L localhost -U%
But when I try host -t SRV _ldap._tcp.mydomain.com, error 3(NXDOMAIN) appears.
Looking in Google for this error indicates a list of ports that should be open, like 88.

If I use nmap -p 88 myip
it shows
88     tcp    close   kerberos

How can I open this port??

Thanks

gerasimos_h, Site Admin
Joined: 09 Aug 2007
Posts: 1757
Location: Greece

rcastro, Junior Member
Joined: 17 Aug 2013
Posts: 5

Posted: Sun Aug 18, 2013 3:10 am

Hi!! Thank you for your support.

Yes, I did use samba-tool domain provision, and the smb.conf it created gave me an error when I used smbclient -L localhost -U %
So I had to edit this file to write: server services = smb, s3fs
With this (after restarting samba), smbclient -L localhost -U % is working
(but if I use smbclient //localhost/netlogon -UAdministrator%'<password>' -c 'ls', "samba internal error" appears).
I've modified resolv.conf, hosts, named.conf. My DNS is working, but
host -t SRV _ldap._tcp.MYDOMAIN indicates NXDOMAIN(3).
In Google I've found that kerberos must be under the firewall, but if I use
nmap -p 88 myip
it tells me that port 88 is closed.
How can I open this port???
Thank you.    Sincerely    Ricardo

gerasimos_h, Site Admin
Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Sun Aug 18, 2013 6:16 am

Have you followed the guide in the docs to create /etc/krb5.conf with your REALM?

Code:
[libdefaults]
default_realm = YOUR.REALM
dns_lookup_realm = false
dns_lookup_kdc = true

You can also try to start heimdal with

Code:
smsconfig heimdal start

and test with kinit to login.

gerasimos_h
_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com

rcastro, Junior Member
Joined: 17 Aug 2013
Posts: 5

Posted: Tue Aug 20, 2013 3:03 am

Help!!!     My brain is completely closed.
I can't understand what is happening. Please!!!! Help!!! My resolv.conf is
 domain ite.edu.mx
 search ite.edu.mx
 nameserver 10.10.10.253
 nameserver 8.8.8.8
 nameserver 8.8.4.4
 
 My hosts is
 127.0.0.1       localhost
 192.168.4.210   ite ite.edu.mx
 10.10.10.253    alumnos ite.edu.mx
 
 The 10.10.10.253 is the internal IP,
 
 My named.conf is
 options {
 directory "/var/named";
 /*
 * If there is a firewall between you and nameservers you want
 * to talk to, you might need to uncomment the query-source
 * directive below.  Previous versions of BIND always asked
 * questions using port 53, but BIND 8.1 uses an unprivileged
 * port by default.
 */
 // query-source address * port 53;
 files 4096;
 managed-keys-directory "managed-keys";
 empty-zones-enable yes;
 };
 
 //
 // a caching only nameserver config
 //
 zone "." IN {
 type hint;
 file "caching-example/named.root";
 };
 
 zone "localhost" IN {
 type master;
 file "caching-example/localhost.zone";
 allow-update { none; };
 };
 
 zone "0.0.127.in-addr.arpa" IN {
 type master;
 file "caching-example/named.local";
 allow-update { none; };
 };
 zone "ite.edu.mx" {
 type master;
 file "/var/named/ite.edu.mx.hosts";
 allow-transfer {127.0.0.1;};
 };
 zone "10.10.10.in-addr.arpa" {
 type master;
 file "/var/named/10.10.10.rev";
 };
 logging {
 };
 
 My smb.conf is
 # Global parameters
 [global]
 workgroup = ITE
 realm = ite.edu.mx
 netbios name = ALUMNOS
 server role = active directory domain controller
 dns forwarder = 10.10.10.253
 server services = smb,kdc,s3fs
 passdb backend = samba4
 
 [netlogon]
 path = /var/lib/samba/sysvol/ite.edu.mx/scripts
 read only = No
 
 [sysvol]
 path = /var/lib/samba/sysvol
 read only = No
 
If I do smbclient -L localhost -U%
 Domain=[ITE] OS=[Unix] Server=[Samba 4.0.8]
 
 Sharename       Type      Comment
 ---------       ----      -------
 netlogon        Disk
 sysvol          Disk
 IPC$            IPC       IPC Service
 Domain=[ITE] OS=[Unix] Server=[Samba 4.0.8]
 
 Server               Comment
 ---------            -------
 
 Workgroup            Master
 ---------            -------
 
But if I use
 root@ite:/etc/samba# smbclient //localhost/netlogon -UAdministrator% -c 'ls'
 Anonymous login successful
 Domain=[ITE] OS=[Unix] Server=[Samba 4.0.8]
 tree connect failed: NT_STATUS_INTERNAL_ERROR
 
 And then
 root@ite:/etc/samba# host -t SRV _ldap._tcp.ite.edu.mx
 Host _ldap._tcp.ite.edu.mx not found: 3(NXDOMAIN)
 
 root@ite:/etc/samba# host -t SRV _kerberos._udp.ite.edu.mx
 Host _kerberos._udp.ite.edu.mx not found: 3(NXDOMAIN)
 
 
 root@ite:/etc/samba# host -t A alumnos.ite.edu.mx
 alumnos.ite.edu.mx is an alias for ite.edu.mx.
 ite.edu.mx has address 10.10.10.253
 
 
If I try smsconfig heimdal start
 
 root@ite:/etc/samba# smsconfig heimdal start
 root@ite:/etc/samba#
 root@ite:/etc/samba# smsconfig heimdal status
 Service  heimdal        [ Stopped  ]
 
 Please!!!!  Help!!!!
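As an added example (not code from this thread or from the SMS project), the following Python script parses an smb.conf and reports what its [global] section lacks for the AD DC role. The required service list is the 'server services' line of the working smb.conf posted in this thread, assumed here to be the full set a DC needs; the two configs embedded below are constructed to mirror the trimmed and the full service lines under discussion, with EXAMPLE, ad.example.org and DC1 as placeholder names.

```python
"""Sanity-check an smb.conf [global] section for the Active Directory DC role.

Added example, not code from the forum thread or from the SMS project.
"""
import re

# Service list of the working AD DC smb.conf in the thread (assumption: the full set a DC needs).
AD_DC_SERVICES = frozenset({
    "s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc", "drepl",
    "winbind", "ntp_signd", "kcc", "dnsupdate",
})


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, keys lower-cased with whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def check_ad_dc(text):
    """Return a list of findings; an empty list means the [global] section looks right for a DC."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    role = g.get("server role", "").lower()
    if role != "active directory domain controller":
        findings.append(f"server role is {role!r}, expected 'active directory domain controller'")
    # No 'server services' line at all means Samba's built-in default list, which is fine;
    # a hand-written line, however, replaces that default and must list everything.
    if "server services" in g:
        services = {s.lower() for s in re.split(r"[,\s]+", g["server services"]) if s}
        missing = sorted(AD_DC_SERVICES - services)
        if missing:
            findings.append("server services is missing: " + ", ".join(missing))
    return findings


# Constructed after the poster's smb.conf: only smb, kdc and s3fs are started.
TRIMMED_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = ad.example.org
    netbios name = DC1
    server role = active directory domain controller
    server services = smb,kdc,s3fs

[netlogon]
    path = /var/lib/samba/sysvol/ad.example.org/scripts
    read only = No
"""

# Constructed after the working smb.conf: the full service list.
FULL_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.ORG
    netbios name = DC1
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
"""

if __name__ == "__main__":
    for name, conf in (("trimmed", TRIMMED_CONF), ("full", FULL_CONF)):
        print(name, check_ad_dc(conf) or ["ok"])
```

Run against a real file with `check_ad_dc(open("/etc/samba/smb.conf").read())`. The point the checker makes explicit: a hand-edited 'server services' line replaces Samba's default list, so a DC that starts only smb, kdc and s3fs has no ldap, cldap, winbind or dnsupdate service running, which is why LDAP and DNS lookups against it fail even though smbclient -L succeeds.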
gerasimos_h, Site Admin
Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Tue Aug 20, 2013 7:01 am

OK! I see some weird configurations, that's for sure... Anyway, I'll post my working configs, although for samba it's done by samba-tool...
It's clear that you were not reading the correct guides for samba4...

smb.conf

Code:
[global]
workgroup = AD
realm = AD.SMS.ORG
netbios name = SMS
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
path = /var/lib/samba/sysvol/ad.sms.org/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

 named.conf
 
Code:
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below.  Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
files 4096;
managed-keys-directory "managed-keys";
empty-zones-enable yes;
tkey-gssapi-keytab "/etc/samba/private/dns.keytab";
};

//
// a caching only nameserver config
//
zone "." IN {
type hint;
file "caching-example/named.root";
};

zone "localhost" IN {
type master;
file "caching-example/localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};


zone "ad.sms.org." IN {
type master;
file "/etc/samba/private/dns/ad.sms.org.zone";
/*
* the list of principals and what they can change is created
* dynamically by Samba, based on the membership of the domain controllers
* group. The provision just creates this file as an empty file.
*/
include "/etc/samba/private/named.conf.update";

/* we need to use check-names ignore so _msdcs A records can be created */
check-names ignore;
};

 
 /etc/samba/private/dns/ad.sms.org.zone
 
Code:
; -*- zone -*-
; generated by provision.pl
$ORIGIN ad.sms.org.
$TTL 1W
@               IN SOA  sms   hostmaster (
                        2012121618   ; serial
                        2D           ; refresh
                        4H           ; retry
                        6W           ; expiry
                        1W )         ; minimum
                IN NS   sms

                IN A    192.168.254.154
;

sms                     IN A    192.168.254.154
gc._msdcs               IN A    192.168.254.154

27a18fac-edb7-43cd-98c9-279563e6eaa7._msdcs     IN CNAME        sms
;
; global catalog servers
_gc._tcp                IN SRV 0 100 3268       sms
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268       sms
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268       sms
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 3268 sms
;
; ldap servers
_ldap._tcp              IN SRV 0 100 389        sms
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        sms
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        sms
_ldap._tcp.a69fc188-f756-460e-bd6f-6344c70cf791.domains._msdcs          IN SRV 0 100 389 sms
_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 sms
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 sms
;
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         sms
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 sms
_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 sms
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 sms
_kerberos._udp          IN SRV 0 100 88         sms
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp           IN SRV 0 100 88         sms
_kerberos-master._udp           IN SRV 0 100 88         sms
;
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        sms
_kpasswd._udp           IN SRV 0 100 464        sms
;
; heimdal 'find realm for host' hack
_kerberos               IN TXT  AD.SMS.ORG

 
 /etc/krb5.conf
 
Code:
[libdefaults]
default_realm = AD.SMS.ORG
dns_lookup_realm = false
dns_lookup_kdc = true

 
Heimdal ain't necessary, but if you want to start it, rename /var/heimdal/kdc.conf-sample.
Also you need to stop the LDAP server:
smsconfig ldap stop

Some working outputs

Code:
root@sms:~# host -t SRV _kerberos._udp.ad.sms.org
_kerberos._udp.ad.sms.org has SRV record 0 100 88 sms.ad.sms.org.

Code:
root@sms:~# host -t SRV _ldap._tcp.ad.sms.org
_ldap._tcp.ad.sms.org has SRV record 0 100 389 sms.ad.sms.org.

gerasimos_h
_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
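The NXDOMAIN answers earlier in the thread mean the queried SRV names simply do not exist in the zone that named serves for the domain, whereas the provisioned zone above carries every SRV record an AD client and DC resolve. As an added example, not part of this thread or of the SMS project, the Python script below parses the subset of zone-file syntax the provisioned zone uses ($ORIGIN, $TTL, relative owner names, a parenthesised SOA, A/CNAME/NS/SRV/TXT records) and checks that the required SRV names are present with the expected ports. The required-name list and ports are taken from the record set above; the two zones embedded in the script are constructed, with ad.example.org, dc1, 192.0.2.10 and a GUID placeholder standing in for real names.

```python
"""Check a BIND zone file for the SRV records an AD client looks up.

Added example, not code from the forum thread or from the SMS project.
"""
import re

# SRV names (relative to the domain) and the port each should carry, from the provisioned zone in the thread.
REQUIRED_SRV = {
    "_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389, "_ldap._tcp.pdc._msdcs": 389,
    "_gc._tcp": 3268, "_ldap._tcp.gc._msdcs": 3268,
    "_kerberos._tcp": 88, "_kerberos._udp": 88, "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
}
TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")


def _logical_lines(text):
    """Drop ';' comments and join records that continue across '(' ... ')'."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf = f"{buf}\n{line}" if buf else line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield buf
            buf = ""


def _qualify(name, origin):
    """Fully qualify a zone-file owner name, returned without the trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}" if origin else name


def parse_zone(text):
    """Return a list of (owner_fqdn, rtype, rdata_tokens) for every record in the zone text."""
    origin, last_owner, records = "", "@", []
    for line in _logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):            # $TTL and other directives are not needed here
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner if line[0] in " \t" else tokens.pop(0)   # blank owner = previous owner
        last_owner = owner
        while tokens and (tokens[0].upper() == "IN" or TTL_RE.fullmatch(tokens[0])):
            tokens.pop(0)                   # optional TTL and class precede the record type
        rtype = tokens.pop(0).upper()
        records.append((_qualify(owner, origin), rtype, tokens))
    return records


def check_srv(records, domain):
    """Map each required SRV name to a problem ('missing' or a wrong port); empty dict means all present."""
    srv = {owner: (int(rdata[2]), rdata[3]) for owner, rtype, rdata in records
           if rtype == "SRV" and len(rdata) >= 4}
    problems = {}
    for rel, port in REQUIRED_SRV.items():
        found = srv.get(f"{rel}.{domain}")
        if found is None:
            problems[rel] = "missing"
        elif found[0] != port:
            problems[rel] = f"port {found[0]}, expected {port}"
    return problems


# Constructed after the provisioned zone in the thread (site-specific records and GUIDs replaced).
GOOD_ZONE = """\
$ORIGIN ad.example.org.
$TTL 1W
@               IN SOA  dc1   hostmaster (
                        2012121618   ; serial
                        2D           ; refresh
                        4H           ; retry
                        6W           ; expiry
                        1W )         ; minimum
                IN NS   dc1
                IN A    192.0.2.10
dc1             IN A    192.0.2.10
gc._msdcs       IN A    192.0.2.10
DOMAIN-GUID-PLACEHOLDER._msdcs IN CNAME dc1
_gc._tcp                IN SRV 0 100 3268 dc1
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268 dc1
_ldap._tcp              IN SRV 0 100 389 dc1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389 dc1
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389 dc1
_kerberos._tcp          IN SRV 0 100 88 dc1
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 dc1
_kerberos._udp          IN SRV 0 100 88 dc1
_kpasswd._tcp           IN SRV 0 100 464 dc1
_kpasswd._udp           IN SRV 0 100 464 dc1
_kerberos               IN TXT  AD.EXAMPLE.ORG
"""

# Constructed: a hand-written zone with host records only, the kind that answers NXDOMAIN for every SRV name.
PLAIN_ZONE = """\
$ORIGIN ad.example.org.
@       IN SOA  dc1 hostmaster ( 1 3H 1H 1W 1D )
        IN NS   dc1
dc1     IN A    192.0.2.10
alumnos IN CNAME dc1
"""

if __name__ == "__main__":
    for name, zone in (("provisioned", GOOD_ZONE), ("plain", PLAIN_ZONE)):
        print(name, check_srv(parse_zone(zone), "ad.example.org") or "ok")
```

Pointing `parse_zone` at the file named in the domain's `zone` stanza of named.conf shows at a glance whether the server is loading the Samba-provisioned zone or a hand-written host list; with a wrong file, every required name reports "missing", which is exactly what `host -t SRV` reports as NXDOMAIN.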
rcastro, Junior Member
Joined: 17 Aug 2013
Posts: 5

Posted: Tue Aug 20, 2013 9:26 pm

Successful!!!
Thank you so much!!!! Without your help I couldn't have done it!!!

Thank you. My Domain is now AD