Setting up Samba AD-DC on Debian Stretch made easy.

Setting up Samba AD-DC on Debian Stretch made easy.

Hai,

As I'm setting up a new test environment, I've documented my setups and here you go...
An easy-to-follow howto for a Debian Samba AD DC (tested on Debian Stretch, but should also work on Jessie).

You can find the files here:
https://github.com/thctlo/samba4
In the "howtos" folder are the files.

And if you see errors, well, it's on GitHub ;-) or if you see improvements on this, please let me know.

I've made a 3-step setup.

1) Set up Debian and make sure your base server is set up OK.
2) Check your base server install.
3) Install Samba as AD DC with Bind9_DLZ and NTP.
4) A few minimal tests for the AD DC.

And more to come while I'm setting up my new test environment.
If you follow the exact setups, it will result in a correctly working Samba AD DC.
 
 
Greetz,
 
Louis
 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Setting up Samba AD-DC on Debian Stretch made easy.

Arg...

The link without spaces on the end.  ;-)
https://github.com/thctlo/samba4


Re: Setting up Samba AD-DC on Debian Stretch made easy.

On Mon, 11 Sep 2017 13:13:33 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Arg...
>
> The link without spaces on the end.  ;-)
> https://github.com/thctlo/samba4

I 'C' a typo ;-)

README.MD

'colletion' should be 'collection'

Rowland

Re: Setting up Samba AD-DC on Debian Stretch made easy.

On Mon, 11 Sep 2017 14:16:02 +0200
L.P.H. van Belle <[hidden email]> wrote:

> Thanx! Fixed. And I think you will even find more.
> ;-)
>

You are correct ;-)

I found this in 'stretch-base-2-samba-minimal-ad.txt'

# In above you see the line :
# A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
# ignore it, we use the /etc/krb5.conf, and as of samba 4.7.x this is the default.
# Note!!  Do not symlink /var/lib/samba/private/krb5.conf to /etc/krb5.conf.
# This will give problems in the future.

This is correct, but it is also wrong ;-)
It is correct in that you shouldn't symlink the Samba krb5.conf.
It is wrong in stating that using the OS /etc/krb5.conf will be the
default in 4.7.

What is happening is that the permissions are being tightened on the
private dir and if you use a symlink, it will not work.

Also a new dir, 'binddns', will be created on provisioning using Bind9 (or
upgrading from the internal DNS).

Rowland


Re: Setting up Samba AD-DC on Debian Stretch made easy.

Hai Rowland,

Thanks for pointing out the 4.7 part.

So, I just remove that part and wait for the official release of 4.7, but if you have a better text, yes, please :-))

I did see some email on technical about krb5.conf also, maybe that's only for the "mit" enabled version?
I just can't find that email anymore.


Greetz,

Louis



Re: Setting up Samba AD-DC on Debian Stretch made easy.

Hai,

I made the install howto based on the wiki steps; I only changed the order of install in some places.
And I found it, not in an email but on the wiki.

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
The part "Configuring Kerberos".
(  cp /usr/local/samba/private/krb5.conf /etc/krb5.conf )

Which made me think that /var/lib/samba/private/krb5.conf isn't used (anymore).
And so /etc/krb5.conf is the default... Wrong thinking?


Greetz,

Louis


 

Re: Setting up Samba AD-DC on Debian Stretch made easy.

Hi Louis,

On 11.09.2017 at 15:29, L.P.H. van Belle via samba wrote:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> The part "Configuring Kerberos".
> (  cp /usr/local/samba/private/krb5.conf /etc/krb5.conf )
>
> Which made me think that /var/lib/samba/private/krb5.conf isn't used (anymore).
> And so /etc/krb5.conf is the default... Wrong thinking?

Nothing ever used the krb5.conf file that was generated in PRIVATE_DIR
during the provisioning, unless you linked it in /etc/.

Unfortunately, the Wiki previously suggested linking the file. However,
there are good reasons to copy the generated file to /etc/ instead, or to
merge its content with an existing /etc/krb5.conf. For example, if
Andreas' patch for securing the private directory goes into 4.7 (if not,
then 4.8), the private directory gets root:root (700) permissions. This
means that no user except root can read this file if
/etc/krb5.conf is a link to the private dir. In this case, for example,
dynamic DNS updates will fail if you use the BIND9_DLZ back end.

We will highlight this in the RNs and docs if the patch is part of
4.7 (or 4.8). Anyway, even now it's better to copy the file instead
of linking it.

Regards,
Marc
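A check for the situation Marc describes, added here as an example and not part of the thread or of Louis's howto: it reports whether a krb5.conf is a symlink resolving into Samba's private dir (unreadable for non-root users such as the BIND9_DLZ updater once that dir is root:root 0700) and can replace the link with a copy. The function names, the script name and the scratch-tree parameters are my own; the real paths used in stand-alone mode are the Debian package paths from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the howto. Detects a krb5.conf that
# is a symlink into Samba's private dir and replaces it with a copy, as Marc
# recommends. Paths are parameters so the check can also run on a scratch tree.

# krb5_conf_check KRB5_CONF PRIVATE_DIR
# Exit status: 0 = regular file (copied or merged, fine),
#              1 = symlink resolving into PRIVATE_DIR (breaks once the dir
#                  is root:root 0700: bind9 can no longer read it),
#              2 = KRB5_CONF does not exist.
krb5_conf_check() {
    conf="$1"
    private_dir="$(readlink -f "$2")"
    if [ ! -e "$conf" ]; then
        echo "MISSING: $conf does not exist" >&2
        return 2
    fi
    if [ -L "$conf" ]; then
        target="$(readlink -f "$conf")"
        case "$target" in
            "$private_dir"/*)
                # Show the owner/mode that non-root readers would run into.
                mode="$(stat -c '%a' "$private_dir")"
                owner="$(stat -c '%U' "$private_dir")"
                echo "SYMLINK: $conf -> $target ($owner, mode $mode)" >&2
                return 1
                ;;
        esac
    fi
    echo "OK: $conf is not a link into $private_dir" >&2
    return 0
}

# krb5_conf_fix KRB5_CONF
# Replace the symlink with a world-readable copy of its target. Merging the
# realm settings into an existing /etc/krb5.conf is left to the admin.
krb5_conf_fix() {
    conf="$1"
    target="$(readlink -f "$conf")"
    rm -f "$conf"
    cp "$target" "$conf"
    chmod 0644 "$conf"
}

# Stand-alone use on a Debian DC (package layout from the howto):
#   sh krb5check.sh --check        # report only
#   sh krb5check.sh --fix          # report and replace a link with a copy
if [ "${1:-}" = "--check" ] || [ "${1:-}" = "--fix" ]; then
    rc=0
    krb5_conf_check /etc/krb5.conf /var/lib/samba/private || rc=$?
    if [ "$rc" -eq 1 ] && [ "$1" = "--fix" ]; then
        krb5_conf_fix /etc/krb5.conf
    fi
fi
```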


Re: Setting up Samba AD-DC on Debian Stretch made easy.

Hello Marc,

Thank you for this explanation, it's very clear now.
I did see that binddir change also, and that upgrade test was OK so far.
I'll keep an eye on the release notes when released.

Thanks!

Greetz,

Louis




Re: Setting up Samba AD-DC on Debian Stretch made easy.

On Mon, 11 Sep 2017 15:29:20 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hai,
>
> I made the install howto based on the wiki steps; I only changed the
> order of install in some places. And I found it, not in an email but on the wiki.
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> The part "Configuring Kerberos".
> (  cp /usr/local/samba/private/krb5.conf /etc/krb5.conf )
>
> Which made me think that /var/lib/samba/private/krb5.conf isn't
> used (anymore). And so /etc/krb5.conf is the default... Wrong
> thinking?
>

Yes ;-)

I have always copied the krb5.conf, but if you did symlink it, this
would work because the permissions allowed it. From 4.7.0 the
permissions will be tightened and only a limited number of accounts (or
maybe only root) will be allowed access into the dir, so using a symlink
will not work anymore.

Rowland


Re: Setting up Samba AD-DC on Debian Stretch made easy.

L.P.H. van Belle wrote on Mon Sep 11 11:06:56 UTC 2017:

> Hai,
>
> As I'm setting up a new test environment, I've documented my setups and
> here you go...
> An easy-to-follow howto for a Debian Samba AD DC (tested on Debian
> Stretch, but should also work on Jessie)
>
> You can find the files here:
> https://github.com/thctlo/samba4  In the "howtos" folder are the files.

[snip]

Louis,

Many thanks for your helpful scripts and howtos.

In your howto stretch-base-2-samba-minimal-ad.txt, I found the following
issues:

Lines 17 to 37:  smbclient is needed when testing later, so install it here
along with the other packages?

Lines 252 to 259: The path to /etc/bind or /etc is missing in these sed
lines.

Line 287:  the variable SAMBA_NT_ADMIN is undefined when you use it here.
Presumably it should be set to "Administrator" prior to this command?

Keep up the good work!

Regards,

Roy




Re: Setting up Samba AD-DC on Debian Stretch made easy.

Hai Roy,

I've applied the correct paths as reported.

Thanks!! for reporting this.


Greetz,

Louis
 

Re: Setting up Samba AD-DC on Debian Stretch made easy.

On Tue, 12 Sep 2017 11:03:14 +0100
spindles7 via samba <[hidden email]> wrote:

> L.P.H. van Belle wrote on Mon Sep 11 11:06:56 UTC 2017:
>
> > Hai,
> >
> > As I'm setting up a new test environment, I've documented my setups
> > and here you go...
> > An easy-to-follow howto for a Debian Samba AD DC (tested on Debian
> > Stretch, but should also work on Jessie)
> >
> > You can find the files, here:
> > https://github.com/thctlo/samba4  In the "howtos" folder are the
> > files.
>
> [snip]
>
> Louis,
>
> Many thanks for your helpful scripts and howtos.
>
> In your howto: stretch-base-2-samba-minimal-ad.txt, I found the
> following issues:
>
> Lines 17 to 37:  smbclient is needed when testing later, so install
> it here along with the other packages?
>
> Lines 252 to 259: The path to /etc/bind or /etc is missing in these sed
> lines.
>
> Line 287:  the variable SAMBA_NT_ADMIN is undefined when you use it
> here. Presumably it should be set to "Administrator"  prior to this
> command?
>
> Keep up the good work!
>
> Regards,
>
> Roy
>
>
>
>

The problem isn't that 'SAMBA_NT_ADMIN' isn't set; it is, but as
'SAMBA_NT_DOMAIN' instead, see lines 278 & 279.

Rowland


Re: Setting up Samba AD-DC on Debian Stretch made easy.

On Tue, 12 Sep 2017 13:00:17 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hai Roy,
>
> I've applied the correct paths as reported.
>
> Thanks!! For reporting this.
>
>

Sorry Louis, but it doesn't make sense to use a variable called
'SAMBA_NT_DOMAIN' for an ADMIN user.

Rowland


Re: Setting up Samba AD-DC on Debian Stretch made easy.

Hai Rowland,

Now, don't be sorry, I ask for this ;-). It's good to see and hear people use it.
Everything that can be improved, I'll listen to and think about.

This was a "copy paste" from another script, so yes, this one is an easy change.
# Enable one of these two.
#SAMBA_NT_DOMAIN="BUILTIN\Administrators"
#SAMBA_NT_DOMAIN="$(cat /etc/samba/smb.conf | grep workgroup | awk '{ print $NF}')\Domain Admins"

So, I've changed it to ...
# You can only enable one of these two at once, if you want both groups, run it, change it and run it again.
SAMBA_DC_ADMIN_GROUP_CHOICE="BUILTIN\Administrators"
SAMBA_DC_ADMIN_GROUP_CHOICE="$(cat /etc/samba/smb.conf | grep workgroup | awk '{ print $NF}')\Domain Admins"

Yes, I know, a long variable name, but that makes merging all scripts much easier.

.. It's changed; if you have a better way to describe this, you know.. let me know.
You're the Englishman here :-p
;-)


Greetz,

Louis
 
