
I have written one more article with the steps to configure a FreeIPA server and client, which can also act as an alternative to Microsoft Active Directory. And since FreeIPA is GUI-based, it can be a better alternative than Samba4.
I started reading the Samba4 "Join a DC" article with the belief that it shows the steps required to configure a backup domain controller for our PDC in Samba 4. (Please correct me if I am wrong.)
But when I studied it in depth I came to the conclusion that it was guiding us to create a secondary domain controller and not a backup DC.
Still, I tried to configure it using the steps provided in that article, and as I expected I ended up configuring a secondary DC rather than a backup DC.
NOTE: This article guides you to configure a secondary domain controller rather than a primary domain controller.
But I would still like to show the steps which I followed and the fixes for the errors which I faced while configuring it.
Primary DC: 192.168.1.6
Hostname: test.example.com
Secondary DC: 192.168.1.5
Hostname: test1.example.com
So let me assume that you already have a working primary DC. It can be Samba 4 or Windows Server 2008 AD.
Before you start, always make sure to check the prerequisites.
On the primary domain controller (test.example.com)
Verify that the Kerberos configuration file on your PDC contains the entries shown below:
[root@test ~]# cat /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
Update your resolv.conf with the address of your DNS server, which should be your PDC (as it is for me):
[root@test ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
On the secondary domain controller (test1.example.com)
Update your resolv.conf with the same DNS server as used on your PDC (Primary Domain Controller):
[root@test1 ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
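The prerequisite checks above (realm in krb5.conf, resolver pointing at the PDC, search domain) are the ones a join most often trips over, so here is a small pre-flight script that tests them. This is an added example, not part of the original article: the file paths are parameters and it is exercised below against constructed sample files that mirror the article's values (PDC 192.168.1.6, realm EXAMPLE.COM); on a real SDC you would point it at /etc/krb5.conf and /etc/resolv.conf.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks to run on the
# secondary DC before "samba-tool domain join". Every check takes the file it
# inspects as a parameter; the sample files at the bottom are constructed.

# check_krb5_realm FILE REALM: default_realm must be the AD realm and
# dns_lookup_kdc must be true so the KDC is located through the AD SRV records.
check_krb5_realm() {
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1" &&
    grep -Eq "^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true[[:space:]]*$" "$1"
}

# check_first_nameserver FILE PDC_IP: the first resolver must be the DC's DNS,
# because the join discovers a writeable DC through _ldap._tcp SRV lookups.
check_first_nameserver() {
    [ "$(awk '$1 == "nameserver" { print $2; exit }' "$1")" = "$2" ]
}

# check_search_domain FILE DOMAIN: short names such as "test" must expand to
# the AD DNS domain.
check_search_domain() {
    awk -v d="$2" '
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { exit !found }' "$1"
}

# preflight KRB5_FILE RESOLV_FILE REALM DOMAIN PDC_IP: runs all checks, prints
# one OK/FAIL line per check and returns the number of failed checks.
preflight() {
    failed=0
    if check_krb5_realm "$1" "$3"; then echo "OK   $1: default_realm = $3, dns_lookup_kdc = true"
    else echo "FAIL $1: expected default_realm = $3 and dns_lookup_kdc = true"; failed=$((failed + 1)); fi
    if check_first_nameserver "$2" "$5"; then echo "OK   $2: first nameserver is the PDC ($5)"
    else echo "FAIL $2: first nameserver is not the PDC ($5)"; failed=$((failed + 1)); fi
    if check_search_domain "$2" "$4"; then echo "OK   $2: search domain includes $4"
    else echo "FAIL $2: search domain does not include $4"; failed=$((failed + 1)); fi
    return $failed
}

# Constructed sample files (not copied from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
EOF
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
search example.com
nameserver 192.168.1.6
EOF
# Deliberately wrong resolv.conf: a resolver (TEST-NET address, constructed)
# that does not serve the AD zone, which is how a join fails to find any DC.
cat > "$SAMPLE_DIR/resolv.bad" <<'EOF'
nameserver 192.0.2.53
EOF

echo "--- good configuration ---"
preflight "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/resolv.conf" EXAMPLE.COM example.com 192.168.1.6 || echo "$? check(s) failed"
echo "--- wrong resolver ---"
preflight "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/resolv.bad" EXAMPLE.COM example.com 192.168.1.6 || echo "$? check(s) failed"
```

The return value of preflight is the number of failed checks, so it can gate an automated join (run the join only when it returns 0).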
To prepare an SDC (Secondary Domain Controller) you will have to configure Samba 4.1 on this server as well. You can follow the below article for configuring Samba 4.1:
Samba 4.1 as Active Directory
IMPORTANT NOTE: Do not run the provision step for Samba 4.1 on the secondary DC. Provisioning would create a new, separate domain; the join command below replicates the existing directory from the PDC instead.
Run the below command as root
[root@test1 samba-4.1.4]# samba-tool domain join example.com DC -Uadministrator --realm=example.com
Finding a writeable DC for domain 'example.com'
Found DC test.example.com
Password for [EXAMPLE\administrator]: [Give your PDC password]
NO DNS zone information found in source domain, not replicating DNS
workgroup is EXAMPLE
realm is example.com
checking sAMAccountName
Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Setting account password for TEST1$
Enabling account
Calling bare provision
No IPv6 address will be assigned
ldb: module schema_load initialization failed : No such object
ldb: module rootdse initialization failed : No such object
ldb: module samba_dsdb initialization failed : No such object
ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
samdb_connect failed
VFS connect failed!
Join failed - cleaning up
checking sAMAccountName
Deleted CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1172, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1076, in do_join
    ctx.join_provision()
  File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 727, in join_provision
    use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 2052, in provision
    raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.")
In the first attempt I got the above error.
There are two solutions for this.
Solution 1:
Your filesystem does not support ACLs, so you will have to remount it with the acl and user_xattr options.
Make sure these two RPMs are installed on your server:
[root@test ~]# rpm -qa|grep libattr
libattr-2.4.44-7.el6.i686
libattr-devel-2.4.44-7.el6.i686
[root@test ~]# rpm -qa|grep libacl
libacl-2.2.49-6.el6.i686
libacl-devel-2.2.49-6.el6.i686
# mount -o remount,acl,user_xattr /dev/mapper/VolGroup-root
To make the change permanent, update your fstab file so the options are applied again on the next mount:
# cat /etc/fstab
/dev/mapper/VolGroup-root / ext4 defaults,acl,user_xattr 1 1
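Before remounting, it is worth knowing whether ACLs and user xattrs are actually off, since the error message does not say which one s3fs is missing. The script below is an added example, not part of the article: it reads a mounts table in /proc/mounts format and an fstab (both passed as parameters, exercised here on constructed samples modelled on the article's EL6 host), reports the state of the two options, and includes a live setfacl test as the authoritative check. The important caveat it encodes is that ext4 only lists an option in /proc/mounts when it differs from the superblock defaults, so a missing "acl" is not proof that ACLs are disabled.

```shell
#!/bin/sh
# Added example (not from the article): find out whether the filesystem that
# holds Samba's private directory has POSIX ACLs and user xattrs active.
# Pass /proc/mounts and /etc/fstab on a live host; samples below are constructed.

# mount_opts MOUNTS_FILE MOUNTPOINT: option string of the mount at MOUNTPOINT.
# Later entries win, because /proc/mounts lists stacked mounts in mount order
# (on EL6 a "rootfs /" line precedes the real root filesystem).
mount_opts() {
    awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1"
}

# has_opt OPTSTRING NAME: true if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# opt_state OPTSTRING NAME: prints enabled, disabled or default. The third
# state matters: ext4 reports an option in /proc/mounts only when it differs
# from the superblock defaults (see "Default mount options" in tune2fs -l), so
# "default" means "check the superblock or run the live test".
opt_state() {
    if has_opt "$1" "$2"; then echo enabled
    elif has_opt "$1" "no$2"; then echo disabled
    else echo default
    fi
}

# fstab_persists FSTAB MOUNTPOINT: true if the fstab entry carries both options,
# so the setting survives a reboot (a remount alone does not).
fstab_persists() {
    o=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1")
    has_opt "$o" acl && has_opt "$o" user_xattr
}

# acl_works DIR: the authoritative live test, sets an ACL on a scratch file.
# Returns 0 on success, 1 on failure, 2 if the acl user-space tools are absent.
acl_works() {
    command -v setfacl >/dev/null 2>&1 || return 2
    f=$(mktemp "$1/.acltest.XXXXXX") || return 1
    if setfacl -m u:nobody:r "$f" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

# Constructed samples modelled on the article's host (/dev/mapper/VolGroup-root).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
/dev/mapper/VolGroup-root / ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/sda1 /boot ext4 rw,relatime,noacl,nouser_xattr,barrier=1 0 0
/dev/mapper/VolGroup-data /srv ext4 rw,relatime,acl,user_xattr,barrier=1 0 0
EOF
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed fstab
/dev/mapper/VolGroup-root / ext4 defaults,acl,user_xattr 1 1
/dev/sda1 /boot ext4 defaults 1 2
EOF

for mp in / /boot /srv; do
    o=$(mount_opts "$SAMPLE_MOUNTS" "$mp")
    printf '%-6s acl=%-8s user_xattr=%-8s fstab persists: %s\n' "$mp" \
        "$(opt_state "$o" acl)" "$(opt_state "$o" user_xattr)" \
        "$(fstab_persists "$SAMPLE_FSTAB" "$mp" && echo yes || echo no)"
done
```

On a live host, run acl_works against the directory that will hold the Samba private data (the article's build uses /usr/local/samba/private); a return of 1 there is the condition the join complained about, whatever /proc/mounts shows.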
Solution 2:
Use the extra parameter --use-ntvfs to skip the above work in case it is a production server where you will not be allowed to reboot. Keep in mind that the NTVFS file server backend is deprecated in Samba and not intended for production use, so the ACL remount in Solution 1 is the proper long-term fix.
[root@test1 ~]# samba-tool domain join example.com DC -Uadministrator --realm=example.com --use-ntvfs
Finding a writeable DC for domain 'example.com'
Found DC test.example.com
Password for [EXAMPLE\administrator]: [Give your PDC password]
NO DNS zone information found in source domain, not replicating DNS
workgroup is EXAMPLE
realm is example.com
checking sAMAccountName
Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Setting account password for TEST1$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[804/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1206/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1608/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1653/1653] linked_values[20/0]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[98/98] linked_values[23/0]
Partition[DC=example,DC=com] objects[394/296] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain EXAMPLE (SID S-1-5-21-2036099725-333104617-2937475635) as a DC
The next step is to make sure the hostname of your SDC is resolvable through DNS.
On DNS server (192.168.1.6)
[root@test ~]# nslookup test1.example.con
Server: 192.168.1.6
Address: 192.168.1.6#53
** server can't find test1.example.con: NXDOMAIN
(Make the following entry on the last line of your zone file)
test1 IN A 192.168.1.5
Restart the named service:
Stopping named: . [ OK ]
Starting named: [ OK ]
Now retry resolving the hostname:
[root@test1 ~]# nslookup test1.example.com
Server: 192.168.1.6
Address: 192.168.1.6#53
Name: test1.example.com
Address: 192.168.1.5
Verify that the objectGUID of the new DC is resolvable to its hostname. The objectGUID of each DC is stored on its NTDS Settings object in the directory; mine are:
# record 1
dn: CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
# record 2
dn: CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
[root@test ~]# host -t CNAME 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com.
Host 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. not found: 3(NXDOMAIN)
You can update your DNS record using the below command (the zone name here is this article's _msdcs zone; the Samba wiki shows it for samdom.example.com):
# samba-tool dns add IP-of-your-DNS _msdcs.example.com 607bc2dc-0754-49e3-aa37-9be403d0cc33 CNAME test1.example.com -Uadministrator
So in case you are also facing the same issue (the GUID CNAME still does not resolve; my PDC uses BIND with a flat zone file), follow the below steps to manually update your zone file in DNS:
[root@test ~]# vi /usr/local/samba/private/dns/example.com.zone
Make a new entry at the last line of the file:
607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. IN CNAME test1
Then restart named:
Stopping named: . [ OK ]
Starting named: [ OK ]
Now retry the CNAME lookup from above. At this point my resolv.conf on the SDC lists both DCs as nameservers:
[root@test1 ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
nameserver 192.168.1.5
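The two records the new DC depends on are its own A record and the objectGUID CNAME under _msdcs that replication partners resolve; forgetting the second one is exactly the NXDOMAIN shown above. The script below is an added example and not part of the article: it prints the records for a given host/IP/GUID and checks a BIND flat zone file for them. The host, IP and GUID are the article's values; the zone file it is run against is a constructed sample, and on a real PDC you would pass the path of your own zone file (for this article's build, /usr/local/samba/private/dns/example.com.zone).

```shell
#!/bin/sh
# Added example (not from the article): required DNS records for a new DC and
# a check of a BIND flat zone file for them. Sample zone below is constructed.

# needed_records HOST IP GUID DOMAIN: prints the records in zone-file syntax.
needed_records() {
    printf '%s IN A %s\n' "$1" "$2"
    printf '%s._msdcs.%s. IN CNAME %s\n' "$3" "$4" "$1"
}

# is_guid STRING: objectGUID as samba-tool prints it (lowercase 8-4-4-4-12 hex).
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# zone_has_record ZONE DOMAIN OWNER TYPE RDATA: true if the zone contains the
# record. Names are compared after dropping a trailing dot and the zone suffix,
# so "test1", "test1.example.com." and "test1.example.com" all match; a TTL
# and/or class column before the type is tolerated and ";" comments are skipped.
zone_has_record() {
    awk -v d="$2" -v wo="$3" -v wt="$4" -v wr="$5" '
        function norm(n) { sub(/\.$/, "", n); sub("\\." d "$", "", n); return n }
        /^[ \t]*;/ || NF < 3 { next }
        {
            for (i = 2; i < NF; i++)
                if ($i == wt) {
                    if (norm($1) == norm(wo) && norm($(i + 1)) == norm(wr)) found = 1
                    break
                }
        }
        END { exit !found }' "$1"
}

# missing_records ZONE DOMAIN HOST IP GUID: prints each needed record that is
# absent from the zone and returns the number missing (0 = zone is complete).
missing_records() {
    is_guid "$5" || { echo "not an objectGUID: $5" >&2; return 1; }
    out=$(needed_records "$3" "$4" "$5" "$2" | while read -r owner class type rdata; do
        zone_has_record "$1" "$2" "$owner" "$type" "$rdata" || echo "$owner $class $type $rdata"
    done)
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return $(( $(printf '%s\n' "$out" | wc -l) ))
}

# Constructed flat zone for example.com, modelled on the article's setup: the
# PDC's records are present, the SDC has its A record but not the GUID CNAME.
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
; constructed sample zone
$TTL 900
@       IN SOA  test.example.com. hostmaster.example.com. ( 2014021801 900 600 86400 3600 )
@       IN NS   test.example.com.
test    IN A    192.168.1.6
74b975bc-c25c-4ce7-9773-fe3f6eb1b903._msdcs  IN CNAME test
test1   IN A    192.168.1.5
EOF

echo "--- records required for test1 ---"
needed_records test1 192.168.1.5 607bc2dc-0754-49e3-aa37-9be403d0cc33 example.com
echo "--- missing from the sample zone ---"
missing_records "$SAMPLE_ZONE" example.com test1 192.168.1.5 607bc2dc-0754-49e3-aa37-9be403d0cc33 || echo "($? record(s) to add before restarting named)"
```

Because missing_records prints exactly the lines that are absent in zone-file syntax, its output can be appended to the zone directly, after which a re-run returns 0; remember to bump the SOA serial before restarting named so secondaries pick the change up.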
Starting Samba
You have to follow the same steps to start Samba as used on the PDC.
Password for administrator@EXAMPLE.COM: [Give password for Administrator]
Warning: Your password will expire in 41 days on Mon Mar 31 13:44:36 2014
Failed to connect host 192.168.1.5 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.1.5 (test1.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to test1.example.com failed - drsException: DRS connection to test1.example.com failed: (-1073741258, 'The connection was refused')
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
[root@test1 ~]# cat /var/log/messages | grep 135
Feb 17 15:15:58 test samba[1207]: Failed to connect host 192.168.1.6 on port 135 - NT_STATUS_CONNECTION_REFUSED
Feb 17 15:15:58 test samba[1207]: Failed to connect host 192.168.1.6 (74b975bc-c25c-4ce7-9773-fe3f6eb1b903._msdcs.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
Then, just to be sure, check whether anything is listening on port 135 locally:
[root@test1 ~]# telnet localhost 135
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Set SELINUX=disabled in /etc/selinux/config (as shown above) and reboot the system. Keep in mind that this removes SELinux protection for every service on the host; a more targeted alternative, which one of the comments below describes, is to keep it enforcing and allow Samba to use port 135 through the SELinux port labels with semanage.
Now retry the same telnet test:
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
Default-First-Site-Name\TEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0
==== INBOUND NEIGHBORS ====
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
Solution:
[root@test1 ~]# samba-tool drs showrepl
Default-First-Site-Name\TEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0

==== INBOUND NEIGHBORS ====

DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
        DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
        Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
        Last success @ Tue Feb 18 10:35:58 2014 IST

CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
        DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
        Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
        Last success @ Tue Feb 18 10:35:57 2014 IST

CN=Schema,CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
        DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
        Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
        Last success @ Tue Feb 18 10:35:53 2014 IST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 77f4ad2e-ddca-4584-8d8c-7efbd1f7d93c
    Enabled        : TRUE
    Server DNS name : test.example.com
    Server DN name  : CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
        TransportType: RPC
        options: 0x00000001
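Once the RPC error is gone, showrepl is the tool to keep watching: the output above still shows every inbound partition with a consecutive failure and a WERR_BADFILE result, and left unnoticed that is how two DCs drift apart. The script below is an added example, not part of the article: it parses a saved showrepl report, lists each neighbour with failures and returns non-zero when replication is degraded, so it can run from cron. The report files it is exercised on are constructed from the article's output above (with one partition changed to a successful attempt so both outcomes appear); indentation may be tabs or spaces.

```shell
#!/bin/sh
# Added example (not from the article): replication health check built on
# "samba-tool drs showrepl" output saved to a file. Sample reports are constructed.

# failing_neighbors REPORT_FILE: prints one line per inbound/outbound neighbour
# with consecutive failures and returns 1 if any were found, 0 otherwise.
failing_neighbors() {
    awk '
        /^==== /         { section = $2; partition = ""; next }   # INBOUND / OUTBOUND / KCC
        section != "INBOUND" && section != "OUTBOUND" { next }
        /^[^ \t]/        { partition = $0; next }                  # unindented line: partition DN
        / via /          { source = $1; next }                     # "<site>\<dc> via RPC"
        /failed, result/ { result = $0; sub(/.*result /, "", result); next }
        /was successful/ { result = "success"; next }
        /consecutive failure/ {
            if ($1 + 0 > 0) {
                bad++
                printf "%s %s <- %s: %d failure(s), last result %s\n", section, partition, source, $1, result
            }
        }
        END { exit bad > 0 }' "$1"
}

# run_health_check REPORT_FILE: parser plus a one-line verdict. Feed it the
# output of "samba-tool drs showrepl" redirected to a file.
run_health_check() {
    if failing_neighbors "$1"; then echo "replication OK: no failing neighbours"; return 0
    else echo "replication DEGRADED: see lines above"; return 1; fi
}

# Constructed report modelled on the article's output (schema partition altered
# to a successful attempt so the parser's two branches are both exercised).
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
Default-First-Site-Name\TEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0

==== INBOUND NEIGHBORS ====

DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
        DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
        Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
        Last success @ Tue Feb 18 10:35:58 2014 IST

CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
        DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
        Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
        Last success @ Tue Feb 18 10:35:57 2014 IST

CN=Schema,CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
        DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
        Last attempt @ Tue Feb 18 10:59:58 2014 IST was successful
        0 consecutive failure(s).
        Last success @ Tue Feb 18 10:59:58 2014 IST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 77f4ad2e-ddca-4584-8d8c-7efbd1f7d93c
    Enabled        : TRUE
    Server DNS name : test.example.com
EOF

# Constructed healthy report for comparison.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
Default-First-Site-Name\TEST1
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=example,DC=com
    Default-First-Site-Name\TEST via RPC
        Last attempt @ Tue Feb 18 11:05:00 2014 IST was successful
        0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
EOF

run_health_check "$SAMPLE_REPORT" || true
run_health_check "$SAMPLE_OK"
```

The exit status makes this usable as a monitoring probe on both DCs; a partition that keeps failing on one side only is the pattern to look for, since it usually means that DC cannot resolve or reach its partner (DNS or port 135, the two problems this article ran into).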
On the Windows client machine
You can switch to either DC using these steps.
New Password:
Retype Password:
User 'test' created successfully
[root@test1 ~]# samba-tool user list
Administrator
dns-test
krbtgt
Guest
test
On the PDC (test.example.com) the user list shows the same accounts, including the user just created on the SDC:
Administrator
dns-test
krbtgt
Guest
test
Hello,
Getting error while adding SDC
root@srv-03:~# /usr/local/samba/bin/samba-tool domain join syed.local DC -UAdministrator --realm=syed.local
Finding a writeable DC for domain 'syed.local'
Found DC SRV-01.syed.local
Password for [WORKGROUP\Administrator]:
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://SRV-01.syed.local' with backend 'ldap': (null)
ERROR(ldb): uncaught exception - None
Hello Syed,
It would be hard to guess the right place to look. But you can start by checking all the prerequisites: time sync between server and client, Kerberos settings, etc.
Thanks
Deepak
Thank you Deepak
Can you please explain the difference between a back-up and a secondary domain controller?
A BDC can be pushed to become a PDC in case any failure occurs on the latter. But in the above case the SDC is using the DNS server of the primary domain controller, and in case of failure the DNS will stop working, making it unable to connect to the PDC.
An SDC like this can be used for reducing high loads where multiple users are simultaneously accessing the PDC, but not as a backup domain controller.
Great, I want to reduce network traffic over a WAN link.
The PDC is always available but on a slow connection.
In that case the speed depends on the WAN link speed and also on many other factors such as the number of concurrent connections, usage, etc.
You can configure an SDC at the remote location with the users/groups for that office branch, so that logon authentication requests can be taken care of locally instead of routing the traffic over the WAN.
Hi
I am trying on an Ubuntu 14.0 server with Samba4 and a Windows 2008 R2 DC. I need this Samba4 to act as an additional DC for user authentication. When I try the samba-tool join domain as DC command, it starts the replication of schemas and at the end I get this error:
Failed to apply records: failed to find GUID for (null) invalid DN syntax
Failed to commit objects: WERR_GENERAL_FAILURE
Join failed - cleaning up
Error type exceptions: uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL.
What could be the reason??
I am not very sure about the error, but from the little info I found on the web, this error generally pops up if your AD is also running an Exchange server.
So if my AD has an Exchange server, Samba4 is not compatible to run?
If yes, can I at least use my Ubuntu as an LDAP server without Samba, just for user authentication services for my firewall logins?
If a DC is not possible, I wish to have a local DNS & LDAP server for firewall authentication. Otherwise my remote location firewall looks every time to my local Windows DC for user authentication.
Yeah, because from what I found Samba 4 does not have any schemas for Exchange Server.
For centralized authentication purposes you can use a NIS or LDAP server, whichever you are comfortable with. I have not worked on LDAP so I don't have much experience with it, but NIS works well and you can find plenty of documents for its configuration/troubleshooting as compared to LDAP.
Good night from Brazil!
This works fine for me with the internal DNS! but…
How do I replicate the sysvol and netlogon directories between the PDC and SDC (or BDC) in Samba 4?
Gracefully
Hi there,
When the PDC is down and not working anymore you can seize all the FSMO roles on the SDC to make it primary. On both servers BIND must be running.
wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles
Cheers from switzerland
Hi there,
I had the same problem as you. Since I transferred all the FSMO roles to the SDC and then back to the PDC (while both were running), I can now do the tasks which are not affected by the FSMO roles (like creating a new user and logging in with it) while the PDC is not running.
cheers
Apologies for the late reply
I believe the sysvol and netlogon policies are also replicated simultaneously. Anyhow, to assign a GPO using the SDC you will have to switch the domain controller, and while doing that in my case I see all the policies are replicated on both controllers.
Well, that brought a smile to my face early in the morning. Let me give it a try and I will update my results in a new article if everything goes fine.
Thanks a ton mate.
Cheers
There is an additional step:
For every SRV record in your DNS which points to your PDC (i.e. dc1…), you have to manually create an additional one for your SDC (i.e. dc2…). This can be done through the DNS console, available in the Windows RSAT tools.
Hope this helps you..
Cheers
Well, the SDC worked fine with the transfer of FSMO roles, but the DNS part is confusing: as you see I have configured my PDC with BIND and not SAMBA_INTERNAL, so in case my PDC goes down the DNS would also not work anymore.
How are we going to overcome that?
I also use BIND on both DCs. In "/etc/bind/named.conf" add "/var/lib/samba/private/named.conf;" on both servers. Maybe you have another Samba path. I use the current Debian distribution with SerNet Samba.
You can download my documentation here (I will remove it in 20 days):
dropbox.com/s/2ucqf6a65ibaq0u/Linux-HA-AD-Domain.pdf?dl=0
You can also create the SRV records with the samba-tool:
wiki.samba.org/index.php/DNS_Administration
Yeah, that makes more sense; ultimately even I had tried the same way using both DCs with BIND. I thought using Samba internal DNS might work differently, but anyhow we will need DNS on the SDC as well.
samba-tool can only be used to update the records if you are using SAMBA_INTERNAL; if we are using BIND as the backend DNS then we need to manually update the records in the config file.
So it seems that basically we will have to create a replica of the DNS on the PDC for the SDC to function properly.
There are still a few things for me to do R&D on; I will surely go through your doc.
Thanks
Hello, I have made a short movie. In my environment the replication of the DNS is working.
dropbox.com/s/aevs1kgyy2phb0u/24-11-_2014_22-38-32.mp4?dl=0
Hey, I'm really sorry, I have been running a little busy lately so I couldn't find time to go through your document. BTW, thanks a ton for the video.
sysvol replication:
wiki.samba.org/index.php/SysVol_Replication
Are you sure an fstab change is a kernel change requiring a reboot? Once you've remounted it and adjusted fstab so subsequent mounts keep the desired config, that's usually it. If that's changed, I'd love to hear it.
Maybe resist recommending The Most Unfriendly editor-like app in the world, in a howto. Your intended audience for a how-to doc lacks the neck-beard and proud martyr complex required to persevere with something as unusable as vi. I've had decades of good results from simply recommending anything else.
Thanks for your comment. I agree fstab changes do not mandatorily require a reboot unless you are changing/adding some special attributes which would require a reboot. Although adding/removing new partitions can be updated by "mount -a", I don't think assigning new attributes like acl or quota will work without a reboot; please correct me if I am wrong.
which editor would you recommend instead of vi?
Hi Deepak,
Great article, but you have mentioned like
"On the primary domain controller (test.example.com)
Verify the entry of kerberos config file is as shown below on your PDC
[root@test ~]# cat /etc/krb5.conf"
Assuming that the PDC is a Windows machine, how would this work out? Where would the krb5 config file be? This only works if the PDC is also a Linux machine and not Windows.
Is this correct or am I missing something here.
Hi
Try:
1- SELINUX=enforcing
2- semanage port -a -t smbd_port_t -p tcp 135
3- semanage port -a -t smbd_port_t -p udp 135
4- Make sure SAMBA starts up with your system. (I had to restart SAMBA until I realized that it did not start automatically.)
5- reboot
6- samba-tool drs showrepl
On my SDC/BDC this works fine.