Samba 4 - domain controller
Latest revision as of 21:24, 27 July 2018
= Prereq =

== Install ==

<pre>
apt-get install build-essential libacl1-dev libattr1-dev \
    libblkid-dev libgnutls-dev libreadline-dev python-dev \
    python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
    dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl samba
</pre>

== Verify correct filesystem support ==

== Install/setup ntpd ==

<pre>
# Associate to the public NTP pool servers
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

# Location of drift file
driftfile /var/lib/ntp/ntp.drift

# Location of the log file
logfile /var/log/ntp

# Location of the update directory
ntpsigndsocket /var/lib/samba/ntp_signd/

# Restrictions
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
</pre>
= Setup as domain controller =

<pre>
samba-tool domain provision --use-rfc2307 --interactive --use-xattrs=yes
</pre>

== Argument Explanations ==

* --use-rfc2307: this argument adds POSIX attributes (UID/GID) to the AD schema. This will be necessary if you intend to authenticate Linux, BSD, or OS X clients (including the local machine) in addition to Microsoft Windows.
* --use-xattrs=yes: this argument enables the use of unix extended attributes (ACLs) for files hosted on this server. If you do not intend to have file shares on the domain controller, you can omit this switch (but this is not recommended). You should also ensure that any filesystems that will host Samba shares are mounted with support for ACLs.
* --interactive: this parameter forces the provision script to run interactively. Alternately, you can review the help for the provision step by running samba-tool domain provision --help
== Configure Kerberos ==

Usually the krb5.conf file is generated when samba is initially set up; for debian/ubuntu look in: /var/lib/samba/private/krb5.conf

If it fits the items below, copy it to /etc

<pre>
[libdefaults]
    default_realm = ${REALM}
    dns_lookup_realm = false
    dns_lookup_kdc = true
</pre>

* Note: If you have forgotten your realm, run samba-tool testparm --suppress-prompt | grep realm to find it out.
= Setup replicator/secondary domain controller =

Install and set up a server with the above but stop short of running the samba-tool domain provision ... cmd

Make sure you can use the nameserver the existing DC is using (i.e. point your nameserver at whatever the existing one is using).

Start replication:

<pre>
samba-tool domain join HQ.SKYTECH.DK DC -Uadministrator --realm=HQ.SKYTECH.DK
</pre>

I had to manually create both dns on the PDC -

Basically, follow the checklist here: https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Check_required_DNS_entries_of_the_new_host

Since I was setting up a new DC paired with another Samba setup I could skip the part about "repadm ..."

Check replication status:

<pre>
samba-tool drs showrepl
</pre>
== Joining a windows domain - checklist ==

* If needed, force replication between DCs from samba (if it fails from Windows it often works via samba-tool):

<pre>
samba-tool drs replicate dc02.hq.skytech.dk dc01.hq.skytech.dk DC=HQ,DC=SKYTECH,DC=DK
</pre>

* Sysvol data is not copied automatically to samba - you must do this yourself. Copying with rsync will not create the correct ACLs. So copy with any tool and run the command below to set up the [default] sysvol perms.

* If you need to reset (fix) permissions on the sysvol share on samba, issue:

<pre>
samba-tool ntacl sysvolreset
</pre>

== Switching to 'backup' DC if PDC dies horribly ==

The extra DC will take over if the primary goes down - but if you want to promote the 'backup' one you can do the Windows equivalent of FSMO role transfers with:

<pre>
samba-tool fsmo seize --role=all
</pre>

* Be sure to understand all the FSMO roles before doing this! Also if they're distributed to forest zones/machines/DCs make sure to account for them all.

* More info here: https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#FSMO_role_transfer
= Docs/guides/troubleshooting =

Found inspiration at various sites:

* [Seems like a good place to start] - http://ubuntuforums.org/showthread.php?t=2146198
* https://wiki.archlinux.org/index.php/Samba_4_Active_Directory_Domain_Controller
* http://wiki.samba.org/index.php/DNS
* http://www.golinuxhub.com/2013/06/samba-41-as-active-directory.html
* [getting windows machines on the new AD] - http://wiki.samba.org/index.php/Configuring_a_windows_client_for_AD
* [Kerberos] - https://help.ubuntu.com/10.04/serverguide/kerberos.html

Also I had some issues with DNS - make sure it is pointing to the IP of the machine running samba.
= Join computer to Samba (or any AD) Domain =

== General issues ==

=== Time ===

First of all, make sure the time is up-to-date on the machine you're trying to join from. I cannot reiterate this enough.

Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clocks on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, then authentication will fail for apparently no reason.

I was led on a wild goose chase based on an error the system would throw about not being able to join - so watch the time!
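Since a clock that has drifted past the Kerberos tolerance is the usual cause of the "cannot join" error described above, here is an added example (mine, not from the wiki) that checks for it on the client: a POSIX shell function that reads `ntpq -pn` output and compares the selected peer's offset against a limit, by default the 300 s `clockskew` that krb5.conf's `[libdefaults]` applies. The `ntpq` output fed to it is constructed, with RFC 5737 addresses in place of real servers.

```shell
#!/bin/sh
# Added example (not from the wiki): warn when the local NTP offset is large
# enough to break Kerberos. krb5.conf [libdefaults] clockskew (300 s default)
# is the tolerance the KDC applies; clients beyond it fail to join or log in.

# Reads `ntpq -pn` output on stdin. Only the peer whose tally code is '*'
# (the one ntpd is synchronised to) matters; '+' and ' ' peers are candidates
# or rejected and say nothing about the local clock.
# Prints one status line; exit 0 = ok, 1 = skew too large, 2 = not synced.
ntp_skew_check() {
    max_ms="${1:-300000}"    # default limit: the Kerberos clockskew, in ms
    awk -v max="$max_ms" '
        NR <= 2 { next }                     # column header and ==== rule
        {
            tally = substr($0, 1, 1)
            split(substr($0, 2), f, " ")     # f[1]=remote ... f[9]=offset in ms
            if (tally != "*") next
            found = 1
            off = f[9] + 0
            if (off < 0) off = -off
            if (off > max) {
                printf "SKEW %s offset=%sms limit=%sms\n", f[1], f[9], max
                bad = 1
            } else {
                printf "OK %s offset=%sms\n", f[1], f[9]
            }
        }
        END {
            if (!found) { print "NOSYNC no peer selected yet (check ntpd and DNS first)"; exit 2 }
            if (bad) exit 1
            exit 0
        }'
}

# Constructed sample output (RFC 5737 addresses): a healthy host, and one
# whose clock is about seven minutes off.
NTPQ_GOOD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   37   64  377    0.812   -0.512   0.301
+198.51.100.20   192.0.2.10       2 u   41   64  377    1.204    1.250   0.450'

NTPQ_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   37   64  377    0.812 420150.3   9.801'

# On a real client or DC:  ntpq -pn | ntp_skew_check
printf '%s\n' "$NTPQ_GOOD" | ntp_skew_check
printf '%s\n' "$NTPQ_BAD"  | ntp_skew_check || echo "exit status $?"
```

Pass a smaller limit as the first argument (for example `ntp_skew_check 1000`) to catch drift long before Kerberos starts rejecting tickets; the default only tells you that authentication is already broken.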
=== DNS ===

Point your local DNS to the AD and join.
== Join domain with a linux machine ==

=== Install software and join domain ===

Using likewise-open it is wevy wevy easy to join a domain.

First install it (I chose the -gui version, but otherwise feel free to use the CLI version):

<pre>
GUI:
~# sudo aptitude install likewise-open5-gui

## Run it (remember to run as sudo or you'll just get weird errors!) and enter domain + username.
## You'll be prompted for a domain admin user+pass.
~# sudo domainjoin-gui

## CLI:
~# sudo domainjoin-cli join DOMAIN_NAME USER
</pre>

After a successful join you should be able to browse network shares etc.
=== Login as domain user with ssh ===

If you want to log in over ssh as a domain user, you need to use

<pre>
user: <DOMAIN>\<DOMAIN_USER>
pass: <DOMAIN_USER_PASS>
</pre>

and you'll be logged in as the domain user (in something like /home/likewise-open/<DOMAIN_USER>)
=== Getting sudo rights ===

You'll probably find you don't have any sudo rights now (exactly like you have to add yourself to local computer admin to do the equivalent on a windows machine) - you can fix that by adding yourself to the right sudoers group.

<pre>
## Add to sudoers (visudo, edit file directly etc) .. then add the domain group you're in
%<DOMAIN>\<DOMAIN_GROUP> ALL=(ALL) ALL

## Example
"%HQ\domain^users" ALL=(ALL) ALL
</pre>

I had to use "" to get it to work. To find your group simply do a id "<DOMAIN>\<DOMAIN_USER>"

To look up users, groups etc just act like on a normal LDAP network - i.e. all of getent will work:

<pre>
~# getent group
</pre>
=== Login with normal GUI desktop as domain user ===

You've probably figured this out already - just like with SSH just change your username to be:

<pre>
<DOMAIN>\<DOMAIN_USER>
</pre>

and then your domain pass.

==== XFCE on linux mint (16 - petra) ====

I went through some trouble finding out how to do this. Eventually I switched away from the default mdm -> lightdm.

Then I changed my /etc/lightdm/lightdm.conf to look like:

<pre>
[SeatDefaults]
user-session=cinnamon
greeter-hide-users=true
greeter-show-manual-login=true
greeter-session=lightdm-gtk-greeter
</pre>

To actually switch I did:

<pre>
~# sudo apt-get install lightdm-gtk-greeter

## It should prompt for which manager you want, otherwise issue:
~# sudo dpkg-reconfigure lightdm
</pre>
= Administering DC via windows 7 / Win XP =

To administer it with a windows setup, one must download RSAT ( http://www.microsoft.com/en-us/download/details.aspx?id=7887 ).

After installation enable the Active Directory mmc pages from "Windows default programs".

Make sure you're logged into the domain as administrator (or put your user in the domain-admin group) on the win-machine and then fire up mmc. Now you can control everything from here.

= Group Policy =

Everything except setting password complexity seems to work.

== Setting password complexity ==

I couldn't get password complexity to work with the samba server and it is currently not working.

Also keep in mind samba functions like a windows 2008 R2 server so you can't do any fine-grained control of password policy in different groups/OUs - it is globally defined.

It has to be done from the command line:

Edit: It is possible to also set min-pwd-length (was using GC to control with 2003 samba AD before)

<pre>
~# samba-tool domain passwordsettings set --min-pwd-length=5 --complexity=off
Password complexity deactivated!
All changes applied successfully!

~# samba-tool domain passwordsettings show --complexity=off
Password informations for domain 'DC=hq,DC=skytech,DC=dk'
Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 1
Maximum password age (days): 42

(samba-tool domain passwordsettings --help to get more info about options)
</pre>

* Read more here: https://wiki.samba.org/index.php/Samba_AD_management_from_windows#Notes
= Add a win2003 DC as additional DC =

'''Must follow https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Check_required_DNS_entries_of_the_new_host and add the DNS entries as listed.. otherwise replication will not work!'''

== DNS ==

I only had issues with DNS replication - I would get errors about the server not having permission to replicate DomainDNSZones to the windows server. Maybe it was caused because I didn't have the DNS service installed before I added the server to the domain. At any rate; I followed the link here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/c3eccec6-2628-4e19-bbd4-01f3964ffc77/event-id-4513-dns-problem?forum=winserverDS

Basically (on the win2003 machine):

<pre>
1. Logon to a domain controller with an Enterprise admin account (Prefer to logon to the replication partner of the problematic DC)
2. Run ntdsutil in a Domain Controller
3. Run "domain management" command in ntdsutil
4. Run "Connections" command and then connect to local server by "Connect to server localdcname" command. (Replace localdcname with local DC's hostname)
5. Hit Q and enter.
6. Run the following command and you will see that your problematic server is not listed in the output, although it should since it has DNS server installed.
   If you are replicating a DNS zone to the forest then run "List NC Replicas DC=ForestDnsZones,DC=domain,DC=com"
   If you are replicating a DNS zone to the domain then run "List NC Replicas DC=DomainDnsZones,DC=domain,DC=com"
   Before continuing to the next step make sure that there is no object under the "LostAndFoundConfig" container (serves as a container for lost forestwide objects). You can check this with ADSIEDIT.msc under Configuration Partition. If there is an object first check its "lastKnownParent" attribute and if you decide this is not an orphaned object then move it to its location. If you decide this is an orphaned object then delete it.
7. Now add your problematic Domain Controller with DNS server installed to the NCs you are replicating, by running the following commands.
8. For Forest wide DNS partition: "Add NC Replica DC=ForestDnsZones,DC=domain,DC=com problemdcname.domain.com" (problematic DC name must be in full DNS name format).
   For Domain wide DNS partition: "Add NC Replica DC=DomainDnsZones,DC=domain,DC=com problemdcname.domain.com" (problematic DC name must be in full DNS name format).
9. Force replication on problematic DC from its partner (where follow the steps from 1 to 8).
</pre>

I had to do both replica settings for DomainDNSZones and ForestDNSZones and then force a replication between the 2 hosts.

== Global Catalog ==

I had to enable the win2003 server as GC server as well:

<pre>
1. On the domain controller, click Start, point to Programs, click Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click Sites, double-click the name of the site, and then double-click Servers.
3. Double-click the target domain controller.
4. In the details pane, right-click NTDS Settings, and then click Properties.
5. On the General tab, click to select the Global catalog check box.
6. Restart the domain controller.
</pre>

== Manually adding missing DNS-entries ==

I had to manually add some entries on the samba server (using the DNS GUI on win2003 to compare and add as needed)

* Forward Lookup Zones -> <DOMAIN> -> Add NS entry for the win2003 machine
* Forward Lookup Zones -> <DOMAIN> -> Entire subtree of _tcp was missing
= Adding a 2012 server as DC in an existing 2003 forest only =

'''update: I never got this to work - for testing purposes I instead joined a win2008 machine to the domain, kicked out the Samba machine, upgraded the domain to win2008 functionality - added two win2012 machines, kicked out the 2008 and upgraded everything to win2012 functionality'''

Make sure that the server 2012 is already a member of the domain before upgrading it to a domain controller.

To use a server 2012 domain in a 2003 environment you need to run adprep; it is located on the server 2012 disk under ..\support\adprep

When everything is looking fine your adprep will show you this:

<pre>
PS C:\Users\Administrator> D:\support\adprep\adprep.exe /forestprep

ADPREP WARNING:

Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or later.

You are about to upgrade the schema for the Active Directory forest named 'domain', using the Active Directory
domain controller (schema master) 'SRV2012SRV01.domain.local'.
This operation cannot be reversed after it completes.

[User Action]
If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by
typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
</pre>

Then start server manager and click 'Add roles and features' and install the needed services.
= Remove samba and migrate/move to pure windows servers =

== Demote samba server ==

<pre>
samba-tool domain demote
</pre>

Possibly clean up entries in AD.

== Change all FSMO roles to win2003 ==

Follow the guide here and update:

* http://support.microsoft.com/kb/324801

Additionally I had to manually add a forward DNS to our internal network to be able to let the win2003 function as single AD-server after I shut down samba4 (I still don't know why..)

== Upgrade to 2008/2012 domain functionality ==

TODO
= Things to watch out for / checklist =

* I accidentally installed krb5-admin-server on top of samba. Which is all good and stuff when you install it, but on next reboot samba won't start. It will complain about krb ports being used. Whereas the error log is pretty obvious really, it kept me looking for some hours. Eventually I actually _read_ the log and found that krb5 was started before samba... disable it in /etc/default/krb5-admin-server and set start to false.
= Change password via LDAP =

From mailinglist:

<pre>
#!/bin/bash
password=test
# AD expects the new password wrapped in double quotes, as UTF-16LE, base64-encoded in the LDIF
password='"'$password'"'
u16pass=$(printf '%s' "$password" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n')
echo "dn: CN=John Smith,cn=Users,DC=domain,DC=com" >ldap.ldif
echo "changetype: modify" >>ldap.ldif
echo "replace: unicodePwd" >>ldap.ldif
echo "unicodePwd:: $u16pass" >>ldap.ldif
# unicodePwd can only be changed over an encrypted connection, hence ldaps://
ldapmodify -v -c -a -f ldap.ldif -H ldaps://server.domain.com -D administrator@domain.com -W
rm ldap.ldif
</pre>
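The script above works, but it leaves the password in ldap.ldif between the echo and the rm. The following is an added example, not from the wiki or the mailing list, that produces the same unicodePwd LDIF from shell functions and pipes it straight into ldapmodify instead; it also checks the new password against the domain policy shown earlier (minimum length, complexity) locally before anything is sent. The DN, hostnames and policy values are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki or the mailing-list script): build the
# unicodePwd LDIF for an AD password change and pipe it into ldapmodify,
# so the password never sits in a file on disk.
# The DN, host and policy values are placeholders.

# AD (and Samba AD) store a password change as the new password wrapped in
# double quotes, encoded as UTF-16LE; in LDIF the value is base64 ("::").
unicode_pwd_b64() {
    quoted="\"$1\""
    if command -v iconv >/dev/null 2>&1; then
        printf '%s' "$quoted" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
    else
        # Fallback for ASCII-only passwords: UTF-16LE of ASCII is every byte
        # followed by a NUL, which printf can emit from octal escapes.
        printf '%s' "$quoted" | od -An -v -to1 | tr -s ' \n' '\n' | sed '/^$/d' |
            while read -r oct; do printf "\\$oct\\000"; done | base64 | tr -d '\n'
    fi
}

# Check the new password against the domain policy locally first (values as
# shown by `samba-tool domain passwordsettings show`; the defaults here are
# placeholders). The complexity test approximates AD's rule: at least three
# of the character classes upper, lower, digit, other.
check_password_policy() {
    pw="$1"; min_len="${2:-7}"; complexity="${3:-off}"
    if [ "${#pw}" -lt "$min_len" ]; then
        echo "rejected: shorter than $min_len characters"; return 1
    fi
    if [ "$complexity" = "on" ]; then
        classes=0
        case "$pw" in *[A-Z]*) classes=$((classes + 1)) ;; esac
        case "$pw" in *[a-z]*) classes=$((classes + 1)) ;; esac
        case "$pw" in *[0-9]*) classes=$((classes + 1)) ;; esac
        case "$pw" in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
        if [ "$classes" -lt 3 ]; then
            echo "rejected: complexity needs 3 of 4 character classes"; return 1
        fi
    fi
    return 0
}

# Emit the LDIF for ldapmodify on stdout.
password_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n' \
        "$1" "$(unicode_pwd_b64 "$2")"
}

# Demo with a constructed DN and the throwaway password "test"; no directory
# is contacted. For a real change, read the password from a prompt and pipe:
#   password_ldif "$DN" "$NEWPW" | ldapmodify -H ldaps://dc01.example.com \
#       -D administrator@example.com -W
# unicodePwd is only accepted over an encrypted connection, so keep ldaps://.
check_password_policy "test" 7 off || echo "(policy check failed, as expected for a 4-character password)"
password_ldif "CN=John Smith,CN=Users,DC=example,DC=com" "test"
```

Reading the password with `read -r` or from a prompt, rather than putting it on the command line, keeps it out of shell history and `ps` output as well as off the disk.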
= Edit ldap data =

To change for user martin:

<pre>
ldbedit --url=/var/lib/samba/private/sam.ldb CN=martin
</pre>
= Setup openLDAP proxy for AD =

* https://wiki.samba.org/index.php/Authenticating_other_services_against_AD
= Apache and AD/LDAP binds =

* I created a user, ldapuser - who binds to AD and will look up a user.

I require the user to be in the OU CompanyUsers and also have a group membership in ldap.

* I could not get it to work without having to resolve to ou=xxx - I tried with cn=users, but it didn't work for some reason
** Retried with newer apache - I had no issues getting it to work with cn=Users and just using the default groups/user setups

<pre>
<Directory /var/www/openldap/>
    AuthName "AD authentication"
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthLDAPURL ldap://dc01.hq.skytech.dk:389/ou=CompanyUsers,dc=hq,dc=skytech,dc=dk?sAMAccountName?sub?(objectClass=*)
    AuthLDAPBindDN cn=ldapuser,cn=Users,dc=hq,dc=skytech,dc=dk
    AuthLDAPBindPassword XXXX
    require ldap-group cn=ldap,ou=CompanyUsers,dc=hq,dc=skytech,dc=dk
</Directory>
</pre>
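Before a config like this goes live it is worth reading the AuthLDAPURL back. The following is an added example (not part of the wiki's Apache config) that splits an AuthLDAPURL into its parts, fills in the mod_authnz_ldap defaults for anything omitted, and flags plain ldap:// (credentials cross the wire in clear unless LDAPTrustedMode TLS is set) and the catch-all (objectClass=*) filter. Hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not part of the wiki's Apache config): pull an AuthLDAPURL
# apart and flag the settings worth questioning before the vhost goes live.
# Hostnames are placeholders.

# AuthLDAPURL: scheme://host[:port]/basedn?attribute?scope?filter
# mod_authnz_ldap defaults for the optional parts: uid, sub, (objectClass=*).
# Prints key=value lines, then WARN lines; exit status 1 if anything was flagged.
# The body runs in a subshell so that `set -f` (no globbing of the '*' in the
# filter) and the IFS change do not leak into the caller.
lint_authldapurl() (
    url="$1"
    set -f
    scheme="${url%%://*}"
    rest="${url#*://}"
    hostport="${rest%%/*}"
    path="${rest#*/}"
    [ "$path" = "$rest" ] && path=""        # no '/' after the host: no base DN
    IFS='?'; set -- $path; unset IFS
    basedn="${1:-}"; attr="${2:-uid}"; scope="${3:-sub}"; filter="${4:-}"
    [ -n "$filter" ] || filter='(objectClass=*)'
    printf 'scheme=%s\nhost=%s\nbasedn=%s\nattr=%s\nscope=%s\nfilter=%s\n' \
        "$scheme" "$hostport" "$basedn" "$attr" "$scope" "$filter"
    flagged=0
    if [ "$scheme" = "ldap" ]; then
        echo "WARN plain ldap://: the bind password and every user password cross the wire in clear unless LDAPTrustedMode TLS is set; prefer ldaps://"
        flagged=1
    fi
    if [ -z "$basedn" ]; then
        echo "WARN no base DN: searches start at the directory root"
        flagged=1
    fi
    case "$filter" in
        '(objectClass=*)'|'(objectclass=*)')
            echo "WARN filter matches every object class; (objectClass=user) restricts it to user accounts"
            flagged=1 ;;
    esac
    exit "$flagged"
)

# The wiki's URL (host changed to a placeholder) and a tightened version.
lint_authldapurl 'ldap://dc01.example.com:389/ou=CompanyUsers,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)' || echo "(flagged)"
echo "---"
lint_authldapurl 'ldaps://dc01.example.com/ou=CompanyUsers,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)'
```

The remaining plaintext secret in the block above is AuthLDAPBindPassword; since Apache 2.4.5 it accepts an `exec:/path/to/program` value so the bind password can be fetched at startup instead of being stored in the config file.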