!!!UPDATE AT BOTTOM!!!
Hello everybody,
I'm trying to set up an additional Active Directory domain controller. The other 2 are on Windows; this one is on Debian, Raspbian to be precise:
Code:
root@raspberrypi1:/var/log/samba# uname -a
Linux raspberrypi1 4.0.5+ #797 PREEMPT Sat Jun 20 00:47:38 BST 2015 armv6l GNU/Linux
root@raspberrypi1:/var/log/samba# cat /etc/debian_version
8.0
pi@raspberrypi1 ~ $ samba -V
Version 4.1.17-Debian
root@raspberrypi1:/var/log/samba# named -v
BIND 9.9.5-9-Raspbian (Extended Support Version)
I tried to follow this manual (unfortunately it is only in German):
http://znil.net/index.php?title=Rasp...anuell_starten
Anyway, the join worked with all the
Partition[...] objects[402/1618] linked_values[0/0]
messages until it finally said
Joined domain [...] as a DC
I'm using bind as backend.
Unfortunately it doesn't seem to fully work:
Code:
root@raspberrypi1:/var/log/samba# samba-tool drs showrepl -d 4
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:raspberrypi1.my.domain.name[,seal]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.0.33 bcast=192.168.0.255 netmask=255.255.255.0
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.0.33 bcast=192.168.0.255 netmask=255.255.255.0
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
Failed to connect host 192.168.0.33 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.0.33 (raspberrypi1.my.domain.name) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to raspberrypi1.my.domain.name failed - drsException: DRS connection to raspberrypi1.my.domain.name failed: (-1073741258, 'The connection was refused')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
root@raspberrypi1:/var/log/samba#
--> port 135 - NT_STATUS_CONNECTION_REFUSED
I'm not sure what's supposed to listen on port 135. The documentation says:
End Point Mapper (DCE/RPC Locator Service)
When I use the Windows MMC and have a look at some things:
Active Directory Sites and Services:
-Sites
--Sitename
---Servers
-> All 3 are listed here, the 2 windows machines and the new samba one.
However, when I look at the DNS snap-in and go to my domain, then open the entry for the domain name itself, it has a tab called "name servers". Here only the 2 Windows machines are listed.
So it looks like it's halfway integrated. A demotion I once tried also failed right at the beginning:
Code:
root@raspberrypi1:/var/log/samba# samba-tool domain demote
Using server.my.domain.name as partner server for the demotion
Desactivating inbound replication
Asking partner server server.my.domain.name to synchronize from us
Error while demoting, re-enabling inbound replication
ERROR(<class 'samba.drs_utils.drsException'>): Error while sending a DsReplicaSync for partion CN=Schema,CN=Configuration,DC=my,DC=domain,DC=name - drsException: DsReplicaSync failed (8452, 'WERR_DS_DRA_NO_REPLICA')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 650, in run
sendDsReplicaSync(drsuapiBind, drsuapi_handle, ntds_guid, str(part), drsuapi.DRSUAPI_DRS_WRIT_REP)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)
root@raspberrypi1:/var/log/samba#
Looks to me like it hasn't replicated yet.
DNS lookups are working in every direction.
Here are some outputs:
Code:
root@raspberrypi1:/var/log/samba# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:cd:e3:60 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.33/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fecd:e360/64 scope link
valid_lft forever preferred_lft forever
Code:
pi@raspberrypi1 ~ $ testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
[global]
workgroup = MYDOMAINNAME
realm = my.domain.name
interfaces = eth0, lo
server role = active directory domain controller
passdb backend = samba_dsdb
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /var/lib/samba/sysvol/my.domain.name/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
pi@raspberrypi1 ~ $
------------------------------------------------------------------------
Code:
root@raspberrypi1:/var/log/samba# cat /etc/resolv.conf
domain my.domain.name
nameserver 127.0.0.1
nameserver 192.168.0.2 <- dc1, hostname "server"
nameserver 192.168.0.21 <- dc2, hostname "dc2"
root@raspberrypi1:/var/log/samba#
------------------------------------------------------------------------
Code:
pi@raspberrypi1 ~ $ sudo netstat -llptun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.0.33:53 0.0.0.0:* LISTEN 1249/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1249/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 373/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1249/named
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 722/smbd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 722/smbd
tcp6 0 0 :::53 :::* LISTEN 1249/named
tcp6 0 0 :::22 :::* LISTEN 373/sshd
tcp6 0 0 ::1:953 :::* LISTEN 1249/named
tcp6 0 0 :::445 :::* LISTEN 722/smbd
tcp6 0 0 :::36735 :::* LISTEN 535/java
tcp6 0 0 :::36736 :::* LISTEN 535/java
tcp6 0 0 :::139 :::* LISTEN 722/smbd
udp 0 0 192.168.0.33:123 0.0.0.0:* 446/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 446/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 446/ntpd
udp 0 0 192.168.0.33:53 0.0.0.0:* 1249/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1249/named
udp6 0 0 fe80::ba27:ebff:fec:123 :::* 446/ntpd
udp6 0 0 ::1:123 :::* 446/ntpd
udp6 0 0 :::123 :::* 446/ntpd
udp6 0 0 :::53 :::* 1249/named
pi@raspberrypi1 ~ $
------------------------------------------------------------------------
Code:
pi@raspberrypi1 ~ $ sudo systemctl status samba <tab-tab>
samba-ad-dc.service samba.service
------------------------------------------------------------------------
Code:
root@raspberrypi1:/var/log/samba# systemctl status samba-ad-dc.service
samba-ad-dc.service - LSB: start Samba daemons for the AD DC
Loaded: loaded (/etc/init.d/samba-ad-dc)
Active: active (running) since Tue 2015-07-07 12:17:57 CEST; 1h 23min ago
Process: 22308 ExecStop=/etc/init.d/samba-ad-dc stop (code=exited, status=0/SUCCESS)
Process: 22338 ExecStart=/etc/init.d/samba-ad-dc start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/samba-ad-dc.service
720 /usr/sbin/samba -D
722 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
841 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Jul 07 12:17:57 raspberrypi1 samba-ad-dc[22338]: Starting Samba AD DC daemon: samba.
Jul 07 12:17:57 raspberrypi1 systemd[1]: Started LSB: start Samba daemons for the AD DC.
root@raspberrypi1:/var/log/samba#
This log used to be full of messages about not being able to contact cups. I hadn't installed it since I didn't intend to use it.
They disappeared after I installed the cups packages.
------------------------------------------------------------------------
Maybe this is normal, but there are 2 samba services installed, and one is not running.
It's masked; I tried to unmask it, but that doesn't seem to work. Should it be like this?
Code:
pi@raspberrypi1 ~ $ sudo systemctl status samba.service
samba.service
Loaded: masked (/dev/null)
Active: inactive (dead)
pi@raspberrypi1 ~ $ sudo systemctl unmask samba.service
pi@raspberrypi1 ~ $ echo $?
0
pi@raspberrypi1 ~ $ sudo systemctl start samba.service
Failed to start samba.service: Unit samba.service is masked.
pi@raspberrypi1 ~ $
------------------------------------------------------------------------
Code:
root@raspberrypi1:/var/log/samba# systemctl status bind9.service
bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
Drop-In: /run/systemd/generator/bind9.service.d
50-insserv.conf-$named.conf
Active: active (running) since Tue 2015-07-07 12:21:56 CEST; 1h 21min ago
Docs: man:named(8)
Process: 22666 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
Main PID: 22695 (named)
CGroup: /system.slice/bind9.service
22695 /usr/sbin/named -f -u bind
Jul 07 12:22:10 raspberrypi1 named[22695]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jul 07 12:22:10 raspberrypi1 named[22695]: command channel listening on 127.0.0.1#953
Jul 07 12:22:10 raspberrypi1 named[22695]: command channel listening on ::1#953
Jul 07 12:22:10 raspberrypi1 named[22695]: managed-keys-zone: loaded serial 2
Jul 07 12:22:10 raspberrypi1 named[22695]: zone 0.in-addr.arpa/IN: loaded serial 1
Jul 07 12:22:11 raspberrypi1 named[22695]: zone localhost/IN: loaded serial 2
Jul 07 12:22:11 raspberrypi1 named[22695]: zone 127.in-addr.arpa/IN: loaded serial 1
Jul 07 12:22:11 raspberrypi1 named[22695]: zone 255.in-addr.arpa/IN: loaded serial 1
Jul 07 12:22:11 raspberrypi1 named[22695]: all zones loaded
Jul 07 12:22:11 raspberrypi1 named[22695]: running
root@raspberrypi1:/var/log/samba#
------------------------------------------------------------------------
I've dug through all the NT_STATUS_CONNECTION_REFUSED results on the internet, but their resolutions don't seem to apply to my case. Does anybody have an idea?
UPDATE:
I was able to solve this one by running: systemctl start smbd.service
Maybe restart them again, but after that port 135 was finally taken.
Now I'm at the next error and getting this:
Code:
root@raspberrypi1:/var/log/samba# samba-tool drs showrepl -d 7
INFO: Current debug levels:
all: 7
tdb: 7
printdrivers: 7
lanman: 7
smb: 7
rpc_parse: 7
rpc_srv: 7
rpc_cli: 7
passdb: 7
sam: 7
auth: 7
winbind: 7
vfs: 7
idmap: 7
quota: 7
acls: 7
locking: 7
msdfs: 7
dmapi: 7
registry: 7
scavenger: 7
dns: 7
ldb: 7
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:raspberrypi1.MY.DOMAIN.NAME[,seal,print]
Mapped to DCERPC endpoint 135
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.0.33 bcast=192.168.0.255 netmask=255.255.255.0
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.0.33 bcast=192.168.0.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.0.33 bcast=192.168.0.255 netmask=255.255.255.0
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.0.33 bcast=192.168.0.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Server ldap/RASPBERRYPI1.MY.DOMAIN.NAME@MY.DOMAIN.NAME is not registered with our KDC: Miscellaneous failure (see text): Matching credential (ldap/RASPBERRYPI1.MY.DOMAIN.NAME@MY.DOMAIN.NAME) not found
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to raspberrypi1.MY.DOMAIN.NAME failed - drsException: DRS connection to raspberrypi1.MY.DOMAIN.NAME failed: (-1073741643, 'NT_STATUS_IO_TIMEOUT')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
root@raspberrypi1:/var/log/samba#
The log.smb fills with entries like this every couple of seconds:
Code:
[2015/07/09 13:49:43.683996, 0] ../auth/gensec/gensec.c:247(gensec_update)
Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2015/07/09 13:49:43.693671, 0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:c68974ba-6fca-4d51-be8b-7519e3e1ea0b._msdcs.my.domain.name[1029,seal,krb5] NT_STATUS_ACCESS_DENIED
Does anybody have an idea? In a way the error is kind of clear, but I have no idea how to fix that permission issue. I've looked at the Windows DNS MMC snap-in: under the _msdcs.my.domain.name domain there were 2 entries, both aliases with IDs like the one above, each referencing one domain controller. So I added another alias manually, pointing from e3514235-4b06-11d1-ab04-00c04fc2dcd2._msdcs.my.domain.name to raspberrypi1. Unfortunately that didn't help.
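As an added example (not code from the post or from the Samba project), here is a small Python script covering the two things the post is chasing: which of the ports an AD DC is expected to serve had no listener in the netstat listing (only named, smbd, sshd, ntpd and java are bound there; nothing from the samba process), and how to read the DCE/RPC binding string in the "Failed to bind" log line, where the UUID before "@" is the DRSUAPI interface identifier (e3514235-4b06-11d1-ab04-00c04fc2dcd2, from MS-DRSR) rather than a DC's GUID, and the name after "ncacn_ip_tcp:" is the replication partner's NTDS GUID CNAME under _msdcs. The expected-port table is an assumption based on the standard AD DC service set, and the sample netstat text and binding strings are constructed from the lines quoted in the post.

```python
"""Two offline checks for a Samba AD DC: expected ports with no listener, and
what a DCE/RPC binding string in the Samba logs refers to. Added example code,
not part of Samba or of the post."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Ports a Samba AD DC (DNS via BIND) is expected to bind. Assumption based on
# the standard AD DC service set; 135 is the endpoint mapper that
# `samba-tool drs showrepl` and DRS replication contact first.
EXPECTED_DC_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos KDC", ("udp", 88): "Kerberos KDC",
    ("tcp", 135): "DCE/RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "SMB over NetBIOS",
    ("tcp", 389): "LDAP", ("udp", 389): "CLDAP",
    ("tcp", 445): "SMB (sysvol, netlogon)",
    ("tcp", 464): "kpasswd", ("udp", 464): "kpasswd",
    ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog", ("tcp", 3269): "Global Catalog over TLS",
}

# netstat -lptun style row: proto recv-q send-q local foreign [LISTEN] pid/prog
_NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<prog>\S+)$"
)

def parse_listeners(netstat_output: str) -> Dict[Tuple[str, int], Set[str]]:
    """Map (proto, port) -> set of 'pid/program' bound to it; v4 and v6 merged."""
    listeners: Dict[Tuple[str, int], Set[str]] = {}
    for line in netstat_output.splitlines():
        m = _NETSTAT_RE.match(line.strip())
        if not m:
            continue  # header lines and anything that is not a socket row
        proto = m.group("proto").rstrip("6")
        port = int(m.group("local").rsplit(":", 1)[1])  # also handles ::1:953
        listeners.setdefault((proto, port), set()).add(m.group("prog"))
    return listeners

def missing_dc_services(netstat_output: str) -> List[Tuple[str, int, str]]:
    """Expected AD DC services that have no listener at all, sorted by port."""
    bound = parse_listeners(netstat_output)
    missing = [(proto, port, name)
               for (proto, port), name in EXPECTED_DC_PORTS.items()
               if (proto, port) not in bound]
    return sorted(missing, key=lambda t: (t[1], t[0]))

# Samba binding string: [<interface-uuid>@]<transport>:<host>[opt,opt,...]
DRSUAPI_INTERFACE_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"  # MS-DRSR
_BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9a-fA-F-]{36})@)?(?P<transport>[a-z_]+):"
    r"(?P<host>[^\[]+)(?:\[(?P<opts>[^\]]*)\])?$"
)

def parse_binding(binding: str) -> Dict[str, object]:
    """Split a binding string into interface UUID, transport, host, port, options."""
    m = _BINDING_RE.match(binding.strip())
    if not m:
        raise ValueError("not a DCE/RPC binding string: %r" % binding)
    uuid: Optional[str] = (m.group("uuid") or "").lower() or None
    opts = [o for o in (m.group("opts") or "").split(",") if o]
    port = next((int(o) for o in opts if o.isdigit()), None)
    return {
        "interface_uuid": uuid,
        "is_drsuapi": uuid == DRSUAPI_INTERFACE_UUID,
        "transport": m.group("transport"),
        "host": m.group("host"),        # for DRS: <NTDS GUID>._msdcs.<domain>
        "port": port,
        "options": [o for o in opts if not o.isdigit()],
    }

# Constructed sample modelled on the netstat listing in the post (IPv6 rows
# trimmed). Nothing from the `samba` process is bound in it.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.0.33:53 0.0.0.0:* LISTEN 1249/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1249/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 373/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1249/named
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 722/smbd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 722/smbd
tcp6 0 0 :::53 :::* LISTEN 1249/named
tcp6 0 0 ::1:953 :::* LISTEN 1249/named
tcp6 0 0 :::36735 :::* LISTEN 535/java
udp 0 0 192.168.0.33:123 0.0.0.0:* 446/ntpd
udp 0 0 192.168.0.33:53 0.0.0.0:* 1249/named
udp6 0 0 fe80::ba27:ebff:fec:123 :::* 446/ntpd
udp6 0 0 :::53 :::* 1249/named
"""
# Binding strings as they appear in the post's log.smb and showrepl output.
SAMPLE_DRS_BINDING = ("e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:"
                      "c68974ba-6fca-4d51-be8b-7519e3e1ea0b._msdcs.my.domain.name"
                      "[1029,seal,krb5]")
SAMPLE_EPM_BINDING = "ncacn_ip_tcp:raspberrypi1.my.domain.name[,seal]"

if __name__ == "__main__":
    for proto, port, name in missing_dc_services(SAMPLE_NETSTAT):
        print("no listener on %s/%d (%s)" % (proto, port, name))
    for b in (SAMPLE_DRS_BINDING, SAMPLE_EPM_BINDING):
        print(parse_binding(b))
```

Run it against `netstat -lptun` (or `ss -lptun`) output piped into `parse_listeners`; on a healthy Samba DC the `samba` process should own 88, 135, 389, 636 and the dynamic RPC ports, and `missing_dc_services` should come back empty. The binding parser makes the log line explicit: the name that needs a CNAME under _msdcs is the one in the `host` field, not the interface UUID.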