
Samba4 Install Guide (Problems with Kerberos)

Discussion in 'Web and Network Services' started by QuinRiva, Dec 4, 2012.

  1. QuinRiva

    Preface
    I have encountered great difficulty installing Samba4 on FreeBSD, and with a final release imminent I am documenting my install procedure along with a handful of relevant differences for FreeBSD. From what I can tell, Samba4's internal Kerberos server does not start, and as a result Samba4 does not fully work on FreeBSD.

    Scroll to the end to get more information about the Kerberos problem. I am hoping that this guide will help solve the Kerberos issue so that FreeBSD users can utilise Samba4.

    System Configuration
    This is a fresh install of FreeBSD 9.0 with services: sshd; ntpd; and powerd enabled.

    This is my server setup:
    My server's IP is: 192.168.1.1
    My server's name is: Vanity
    My domain is: SIN
    My realm is: sin.x
    My default user is: test
    When following this guide, remember to substitute for the appropriate values.

    The version of Samba4 installed: 4.1.0pre1-GIT-99efe84

    Samba4 Installation Guide for FreeBSD 9.0

    Basic housekeeping
    The first thing I'll do is update the Ports Collection:
    Code:
    # portsnap fetch
    # portsnap extract
    # portsnap update


    I need a text editor and I can't use vi, so I'm going to install nano:
    Code:
    # cd /usr/ports/editors/nano
    # make install clean


    I have selected the option [*] EXTRA_ENCODINGS as part of the libiconv 1.14 install (this is a dependency for nano).

    Code:
    #rehash

    Until I discovered rehash, I had to reboot to use newly installed programmes.

    Enable ACL
    Samba4 requires that the filesystem be mounted with ACL. Let's configure fstab to mount the filesystem correctly on startup:
    Code:
    # nano /etc/fstab
    # Device        Mountpoint      FStype  Options Dump    Pass#
    /dev/da0p2      /               ufs     rw,acls 1       1
    /dev/da0p3      none            swap    sw      0       0

    With nano, Ctrl+O saves the file, and Ctrl+X closes the file.
    Let's mount the filesystem now:
    Code:
    # mount -o acls /


    Install Git
    To get the latest version of Samba4 we need to install git:
    Code:
    # pkg_add -r git
    # rehash


    Install Samba4
    I'm going to download Samba to the home directory of the default user (test):
    Code:
    # cd /home/test
    # git clone git://git.samba.org/samba.git samba-master
    # cd samba-master
    # ./configure --enable-debug --enable-selftest
    # make
    'build' finished successfully (11m59.678s)
    # make install
    'install' finished successfully (3m12.695s) 


    Provision Samba4
    Provisioning Samba4 has changed recently and most documentation lists the old way of doing it.
    Code:
    # /usr/local/samba/bin/samba-tool domain provision
     Realm [SIN.X]: SIN.X
     Domain [SIN]: SIN
     Server Role (dc, member, standalone) [dc]: dc
     DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
     DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]: 192.168.1.1
     Administrator password: <password>
     Retype password: <password>

    Most of the values have been populated automatically from DHCP (my router). And this is the result I get:
    Code:
    Looking up IPv4 addresses
    Looking up IPv6 addresses
    More than one IPv6 address found. Using fe80:1::223:aeff:fe63:d846
    Setting up share.ldb
    Setting up secrets.ldb
    Setting up the registry
    Setting up the privileges database
    Setting up idmap db
    Setting up SAM db
    Setting up sam.ldb partitions and settings
    Setting up sam.ldb rootDSE
    Pre-loading the Samba 4 and AD schema
    Adding DomainDN: DC=sin,DC=x
    Adding configuration container
    Setting up sam.ldb schema
    Setting up sam.ldb configuration data
    Setting up display specifiers
    Adding users container
    Modifying users container
    Adding computers container
    Modifying computers container
    Setting up sam.ldb data
    Setting up well known security principals
    Setting up sam.ldb users and groups
    Setting up self join
    Adding DNS accounts
    Creating CN=MicrosoftDNS,CN=System,DC=sin,DC=x
    Creating DomainDnsZones and ForestDnsZones partitions
    Populating DomainDnsZones and ForestDnsZones partitions
    Setting up sam.ldb rootDSE marking as synchronized
    Fixing provision GUIDs
    A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
    Once the above files are installed, your Samba4 server will be ready to use
    Server Role:           active directory domain controller
    Hostname:              Vanity
    NetBIOS Domain:        SIN
    DNS Domain:            sin.x
    DOMAIN SID:            S-1-5-21-3757277530-4222028134-2000681140
    


    Testing Samba4
    Existing documentation states that this is how you start Samba4:
    Code:
     #/usr/local/samba/sbin/samba

    But I think on FreeBSD it should be: samba start

    Now let's test:
    Code:
     # /usr/local/samba/bin/smbclient -L localhost -U%
    Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]
    
            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk
            sysvol          Disk
            IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-99efe84)
    Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]
    
            Server               Comment
            ---------            -------
    
            Workgroup            Master
            ---------            -------
    


    And yes, that is how the output is formatted.
    Code:
     # /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'<password>' -c 'ls'
    Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]
      .                                   D        0  Mon Dec  3 22:22:47 2012
      ..                                  D        0  Mon Dec  3 22:22:55 2012
    
                    36535 blocks of size 4194304. 32702 blocks available
    


    Configuring DNS
    I am using --dns-backend=SAMBA_INTERNAL, so I only need to configure /etc/resolv.conf.
    Code:
     # nano /etc/resolv.conf

    Code:
    # Generated by resolvconf
    search SIN.X
    domain sin.x
    nameserver 192.168.1.1
    nameserver 192.168.1.254
    

    I'm not sure if search is the same as domain? Note that the second nameserver is my router, I don’t want to be unable to connect to the net while I’m setting everything up. I think this file will be overwritten by DHCP though (my router handles DHCP too).

    Testing DNS
    To test LDAP:
    Code:
    # host -t SRV _ldap._tcp.sin.x
    Host _ldap._tcp.sin.x not found: 3(NXDOMAIN)

    At first this didn't work; even after rebooting I got the same problem. I think that it is because Samba4 isn't starting automatically and must be started by:
    Code:
    # /usr/local/samba/sbin/samba start

    Trying again:
    Code:
    # host -t SRV _ldap._tcp.sin.x
    _ldap._tcp.sin.x has SRV record 0 100 389 vanity.sin.x.

    Now testing Kerberos:
    Code:
    # host -t SRV _kerberos._udp.sin.x
    _kerberos._udp.sin.x has SRV record 0 100 88 vanity.sin.x.

    And finally this server:
    Code:
    # host -t A vanity.sin.x
    vanity.sin.x has address 192.168.1.1


    Testing Kerberos
    Samba4 uses an internal implementation of Kerberos; do not start the Heimdal Kerberos that comes with FreeBSD, as this is a different service.
    The HOWTO states to replace the existing krb.conf with the file located at /usr/local/samba/share/setup/krb5.conf, but neither krb.conf nor krb5.conf existed on my system.

    My guess was this:
    Code:
     # cp /usr/local/samba/share/setup/krb5.conf /etc/krb.conf
     # nano /etc/krb5.conf
    

    And edit the file as such:
    Code:
    [libdefaults]
            default_realm = SIN.X
            dns_lookup_realm = false
            dns_lookup_kdc = true
    


    Testing:
    Code:
     # kinit administrator@SIN.X
    administrator@SIN.X's Password: <password>
    kinit: krb5_get_init_creds: unable to reach any KDC in realm SIN.X
    


    It appears that Kerberos is failing to start, so I'm not sure of where to go from here?

    Someone far more knowledgeable than me indicated that nsupdate was not compiled with GSSAPI. I have no idea how to go about fixing this, but surely Frank and I aren't the only people having this problem.
     
  2. ziyanm

    Thanks for the howto. Did you have to install any dependencies by hand or does waf handle it?

    Regarding your Kerberos issue, you can use $ sockstat -l and $ pgrep to verify that the necessary daemons are started.

    If you suspect that the problem is with $ nsupdate, check whether a Samba-specific version is installed under /usr/local/bin. If so, get Samba to use that one instead of the system-provided one in /usr/bin. You can check GSSAPI support by doing $ ldd /usr/local/bin/nsupdate to see what libraries it links to.
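The checks suggested in the first two posts (the host -t SRV lookups, and sockstat/pgrep to confirm the daemons are up) fit naturally into one pre-flight script. The following is an added example written for this thread, not code from Samba or from any poster. It assumes FreeBSD's sockstat -4 -l column order (USER COMMAND PID FD PROTO LOCAL FOREIGN) and that the DC is expected to answer on the standard AD port set listed in REQUIRED_DC_SERVICES; the sample sockstat and resolv.conf text at the bottom is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a Samba4 AD DC on FreeBSD.
# Assumptions: sockstat -4 -l column order (USER COMMAND PID FD PROTO LOCAL FOREIGN),
# and that the DC must answer on the standard AD ports listed below.

# proto:port pairs an AD DC is expected to listen on (assumed standard AD set;
# trim it if you deliberately run fewer services)
REQUIRED_DC_SERVICES="tcp4:53 udp4:53 tcp4:88 udp4:88 tcp4:389 udp4:389 tcp4:445 tcp4:464 udp4:464 tcp4:636 tcp4:3268"

# expected_srv_names REALM -> the SRV names a client resolves to locate a DC
expected_srv_names() {
    zone=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "_ldap._tcp.$zone" "_kerberos._tcp.$zone" "_kerberos._udp.$zone" \
        "_kpasswd._udp.$zone" "_ldap._tcp.dc._msdcs.$zone"
}

# listening SOCKSTAT_OUTPUT PROTO PORT -> 0 if any socket listens on PROTO/PORT
# (local address may be "*:PORT" or "addr:PORT"; the header line never matches)
listening() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $5 == proto { n = split($6, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_dc_services SOCKSTAT_OUTPUT -> prints "proto port" for each required listener absent
missing_dc_services() {
    for svc in $REQUIRED_DC_SERVICES; do
        proto=${svc%%:*}; port=${svc##*:}
        listening "$1" "$proto" "$port" || printf '%s %s\n' "$proto" "$port"
    done
}

# first_nameserver RESOLV_CONF_TEXT -> the resolver clients try first;
# on a DC this must be the DC itself, not the router or the ISP
first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# dc_preflight DC_IP REALM -> live run on the DC: listeners, resolver, SRV records.
# SRV lookups are sent to DC_IP explicitly so an upstream resolver cannot mask a missing record.
dc_preflight() {
    dc_ip=$1; realm=$2
    missing=$(missing_dc_services "$(sockstat -4 -l)")
    [ -z "$missing" ] && echo "listeners: ok" || printf 'not listening:\n%s\n' "$missing"
    ns=$(first_nameserver "$(cat /etc/resolv.conf)")
    [ "$ns" = "$dc_ip" ] && echo "resolver: $ns (ok)" || echo "resolver: $ns (expected $dc_ip)"
    for name in $(expected_srv_names "$realm"); do
        host -t SRV "$name" "$dc_ip" >/dev/null 2>&1 && echo "SRV $name: ok" || echo "SRV $name: MISSING"
    done
}

# Constructed sample input (not real output): a DC whose smbd is not running,
# so nothing listens on tcp/445.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     samba      2211  19 tcp4   *:88                  *:*
root     samba      2211  20 udp4   *:88                  *:*
root     samba      2211  21 tcp4   *:464                 *:*
root     samba      2211  22 udp4   *:464                 *:*
root     samba      2209  20 tcp4   *:389                 *:*
root     samba      2210  19 udp4   *:389                 *:*
root     samba      2209  21 tcp4   *:636                 *:*
root     samba      2209  22 tcp4   *:3268                *:*
root     samba      2212  19 tcp4   192.168.1.1:53        *:*
root     samba      2212  20 udp4   192.168.1.1:53        *:*
root     sshd       1559  4  tcp4   *:22                  *:*'
SAMPLE_RESOLV='search sin.x
nameserver 192.168.1.1
nameserver 192.168.1.254'

# Offline demonstration on the constructed samples
missing_dc_services "$SAMPLE_SOCKSTAT"    # prints: tcp4 445
first_nameserver "$SAMPLE_RESOLV"         # prints: 192.168.1.1
```

On the DC itself you would run `dc_preflight 192.168.1.1 SIN.X` (with your own address and realm). Querying the DC address directly in the SRV lookups is the point mix_room makes later in the thread: if /etc/resolv.conf sends queries to the router or ISP, a missing record in Samba's zone is indistinguishable from the upstream resolver simply not knowing the domain.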
     
  3. mix_room

    I added the following to my /usr/local/samba/etc/smb.conf-file

    Code:
    nsupdate command = /usr/local/samba/sbin/samba_dnsupdate
    server services = smb,dnsupdate,dns,winbind,kdc
    


    In particular I think the
    Code:
    server services = ...,kdc
    portion was important. Before adding it I had the same issues as you, after adding they no longer appear. I have not compiled anything with GSSAPI.

    EDIT: there are other issues that I run into though, so this may not be the full solution to the problem.
     
  4. QuinRiva

    Waf handled everything, I didn't have to manually install any dependencies.


    I made the changes that mix_room suggested, and I'm now getting the same error as before:
    Code:
    host -t SRV _ldap._tcp.sin.x
    Host _ldap._tcp.sin.x not found: 3(NXDOMAIN)


    So I think it is definitely a DNS issue.
     
  5. mix_room

    Also check which host you are using to resolve DNS queries. Your Samba server should be resolving DNS queries; edit /etc/resolv.conf.
    If you are using your ISP's DNS server, it will not know what is going on, and the same goes for your modem-router-firewall-NAT combo.
     
  6. ziyanm

    Can you do any DNS queries at all?
    Code:
    host -l sin.x
     
  7. tanked

    I just thought I'd chime in and say whilst reading the posts by the Samba developers on Slashdot, they say DNS replication is not quite reliable yet and neither is replication of the sysvol share (rsync can be used for this though). Apparently it is currently recommended to only use 1 domain controller with Samba 4 at the moment.
     
  8. QuinRiva

    Thanks for that tanked. I'm only using one DC (the machine that Samba4 is on), so there shouldn't be any issues with replication. I only have 5 machines connected to the domain, the FreeBSD Server (DC) and 4 client PC's.
     
  9. QuinRiva

    I've gotten a bit further but I'm stuck again. I've done a full reinstall of FreeBSD, and this time I'm going to try and use BIND9_DLZ. However the issue that I come across is the include statement (include "/usr/local/samba/private/named.conf";) in /etc/namedb/named.conf.
    When I try to start named:
    Code:
    /etc/rc.d/named onestart


    I get the following errors in the log file:
    Code:
    Dec 16 23:37:54 Vanity named[13638]: starting BIND 9.8.1-P1 -t /var/named -u bind
    Dec 16 23:37:54 Vanity named[13638]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifad$
    Dec 16 23:37:54 Vanity named[13638]: /etc/namedb/named.conf:296: open: /usr/local/samba/private/named.conf: file not found
    Dec 16 23:37:54 Vanity named[13638]: loading configuration: file not found
    Dec 16 23:37:54 Vanity named[13638]: exiting (due to fatal error)
    Dec 16 23:37:54 Vanity test: /etc/rc.d/named: WARNING: failed to start named
    


    I have confirmed that the user bind can read/write to:
    Code:
    Vanity# ls -lah /usr/local/samba/private/
    total 11620
    drwxr-xr-x   7 bind  wheel   1.0k Dec 16 23:56 .
    drwxr-xr-x  10 root  wheel   512B Dec 16 22:06 ..
    drwxrwx---   3 bind  wheel   512B Dec 16 22:06 dns
    -rw-r-----   1 bind  wheel   657B Dec 16 22:06 dns.keytab
    -rw-r--r--   1 bind  wheel   2.2k Dec 16 22:06 dns_update_list
    -rw-------   1 bind  wheel   1.2M Dec 16 22:06 hklm.ldb
    -rw-------   1 bind  wheel   1.5M Dec 16 22:06 idmap.ldb
    -rw-r--r--   1 bind  wheel    86B Dec 16 22:06 krb5.conf
    drwxr-x---   2 bind  wheel   512B Dec 16 22:06 ldap_priv
    srwxrwxrwx   1 bind  wheel     0B Dec 16 22:06 ldapi
    -rwxrwxr-x   1 bind  wheel   615B Dec 16 23:54 named.conf
    -rwxrwxr-x   1 bind  wheel   204B Dec 16 22:06 named.conf.update
    -rwxrwxr-x   1 bind  wheel   2.2k Dec 16 22:06 named.txt
    -rw-------   1 bind  wheel   1.2M Dec 16 22:06 privilege.ldb
    -rw-------   1 bind  wheel   696B Dec 16 22:06 randseed.tdb
    -rw-------   1 bind  wheel   4.1M Dec 16 22:06 sam.ldb
    drwxr-x---   2 bind  wheel   512B Dec 16 22:06 sam.ldb.d
    -rw-------   1 bind  wheel   696B Dec 16 22:06 schannel_store.tdb
    -rw-------   1 bind  wheel   967B Dec 16 22:06 secrets.keytab
    -rw-------   1 bind  wheel   1.2M Dec 16 22:06 secrets.ldb
    -rw-------   1 bind  wheel   420k Dec 16 22:06 secrets.tdb
    -rw-------   1 bind  wheel   1.2M Dec 16 22:06 share.ldb
    drwxr-xr-x   3 bind  wheel   512B Dec 16 22:06 smbd.tmp
    -rw-r--r--   1 bind  wheel   955B Dec 16 22:06 spn_update_list
    drwxr-xr-x   2 bind  wheel   512B Dec 16 22:06 tls
    Vanity#


    and:
    Code:
    Vanity# ls -lah /usr/local/samba/lib/bind9
    total 184
    drwxr-xr-x   2 bind  wheel   512B Dec 16 22:04 .
    drwxr-xr-x  15 root  wheel   2.5k Dec 16 22:04 ..
    -rwxr-xr-x   1 bind  wheel    85k Dec 16 22:02 dlz_bind9.so
    -rwxr-xr-x   1 bind  wheel    85k Dec 16 22:02 dlz_bind9_9.so


    Any ideas why it can't find that file? Am I chrooted?
     
  10. kpa

    BIND runs chroot(8)ed in /var/named by default on FreeBSD. To turn off the chroot you have to add an option to rc.conf(5):

    Code:
    named_chrootdir=""
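
The "file not found" from the previous post makes sense once you see where a chrooted named actually looks for an included file. The script below is an added example written for this thread, not code from FreeBSD, BIND or Samba. It assumes FreeBSD's default of named_chrootdir="/var/named" from /etc/defaults/rc.conf; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: where does a path inside named.conf end up when
# named runs chrooted? FreeBSD starts named under named_chrootdir (default /var/named),
# so an include of /usr/local/samba/private/named.conf is opened as
# /var/named/usr/local/samba/private/named.conf, which explains "file not found".
# Assumption: the default chroot directory is /var/named, as in /etc/defaults/rc.conf.

# rc_chrootdir RC_CONF_TEXT -> named_chrootdir as rc.conf sets it, or the default when unset
rc_chrootdir() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "named_chrootdir" { seen = 1; v = $2 }
        END {
            if (!seen) { print "/var/named"; exit }
            gsub(/"/, "", v); print v
        }'
}

# effective_path CHROOTDIR PATH -> the host path named really opens for PATH
# (empty CHROOTDIR, i.e. named_chrootdir="", means no chroot)
effective_path() {
    chrootdir=$1; path=$2
    if [ -z "$chrootdir" ]; then
        printf '%s\n' "$path"
    else
        printf '%s%s\n' "${chrootdir%/}" "$path"
    fi
}

# include_reachable CHROOTDIR PATH -> 0 if a named chrooted to CHROOTDIR could open PATH
include_reachable() {
    [ -f "$(effective_path "$1" "$2")" ]
}

# explain_include RC_CONF_TEXT PATH -> one line saying where named looks and whether it is there
explain_include() {
    chrootdir=$(rc_chrootdir "$1")
    real=$(effective_path "$chrootdir" "$2")
    if include_reachable "$chrootdir" "$2"; then
        echo "named opens $real: present"
    else
        echo "named opens $real: missing (chroot=${chrootdir:-none})"
    fi
}

# Demonstration against this host's rc.conf (empty text if the file is absent):
# the Samba-generated config exists on the host, but with the default chroot
# named looks for it under /var/named.
explain_include "$(cat /etc/rc.conf 2>/dev/null || true)" /usr/local/samba/private/named.conf
```

The two ways out are the one kpa gives (named_chrootdir="" so the path is used as-is) or keeping the chroot and placing the Samba files, and the BIND9_DLZ module they reference, where the chrooted named can reach them. The script only tells you which path is being opened; it does not move anything.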
    
     
  11. QuinRiva

    Thanks kpa, I finally have a DNS Server up and running but I get an error regarding BIND not being able to find managed-keys.bind?

    Code:
    Dec 17 21:48:24 Vanity named[4670]: starting BIND 9.8.1-P1 -u bind
    Dec 17 21:48:24 Vanity named[4670]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifadd$
    Dec 17 21:48:24 Vanity named[4670]: command channel listening on 127.0.0.1#953
    Dec 17 21:48:24 Vanity named[4670]: command channel listening on ::1#953
    Dec 17 21:48:24 Vanity named[4670]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
    Dec 17 21:48:24 Vanity named[4670]: running
    Dec 17 21:59:55 Vanity named[4670]: client 192.168.1.2#60822: update 'sin.x/IN' denied
    Dec 17 22:00:00 Vanity named[4670]: client 192.168.1.2#62005: update 'sin.x/IN' denied
    


    You'll notice that for some reason, trying to connect from my main computer (192.168.1.2) fails.
     
  12. spanglefox

    Hello,

    Just a quick note to say I have a working Samba 4 installation. I initially wanted to use BIND as the DNS resolver but did have issues with it in the chroot environment and issues after I had removed it from such.

    It did have issues with Kerberos once I had removed BIND from the chroot.

    I did chicken out and reprovision the domain using the samba backend DNS as I needed the system to be up and running asap. Everything worked fine from there.
     
  13. heathen

    Glad to see that Samba 4 works for you, guys. I can't even build it from sources; there are a few errors in source3/modules/vfs_zfsacl.c (too many/too few arguments in some functions). I have corrected these errors and can build Samba 4 now.

    But there is another challenge. Now I can't get result from
    Code:
    samba-tool domain provision

    If I run it without any parameters, I just get:
    Code:
    root@server:/usr/ports/shells # /usr/local/samba/bin/samba-tool domain provision
    Realm []: wrkz.local
     Domain [wrkz]:
     Server Role (dc, member, standalone) [dc]:
     DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE
    Administrator password:
    Retype password:
    Looking up IPv4 addresses
    More than one IPv4 address found. Using 192.168.3.252
    Looking up IPv6 addresses
    set_sys_acl_no_snum: SMB_VFS_SYS_ACL_SET_FILE returned zero.
    ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 398, in run
        use_rfc2307=use_rfc2307, skip_sysvolacl=False)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1956, in provision
        raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")
    


    By the way, my FreeBSD's root is on the zfs pool.

    If I change file server backend to ntvfs (just for test) then I get:
    Code:
    root@server:/usr/ports/shells # /usr/local/samba/bin/samba-tool domain provision --use-ntvfs --interactive --host-ip=192.168.3.252
    Realm [WRKZ.RU]: wrkz.local
     Domain [wrkz]:
     Server Role (dc, member, standalone) [dc]:
     DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE
    Administrator password:
    Retype password:
    Looking up IPv6 addresses
    Setting up secrets.ldb
    Setting up the registry
    Setting up the privileges database
    Setting up idmap db
    Setting up SAM db
    Setting up sam.ldb partitions and settings
    Setting up sam.ldb rootDSE
    Pre-loading the Samba 4 and AD schema
    Adding DomainDN: DC=wrkz,DC=local
    Adding configuration container
    Setting up sam.ldb schema
    Setting up sam.ldb configuration data
    Setting up display specifiers
    Adding users container
    Modifying users container
    Adding computers container
    Modifying computers container
    Setting up sam.ldb data
    Setting up well known security principals
    Setting up sam.ldb users and groups
    Setting up self join
    ERROR(ldb): uncaught exception - Empty RDN value on CN=,OU=Domain Controllers,DC=wrkz,DC=local not permitted!
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 398, in run
        use_rfc2307=use_rfc2307, skip_sysvolacl=False)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 2058, in provision
        skip_sysvolacl=skip_sysvolacl)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1661, in provision_fill
        next_rid=next_rid, dc_rid=dc_rid)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1364, in fill_samdb
        ntdsguid=ntdsguid)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1003, in setup_self_join
        "RIDALLOCATIONEND": str(next_rid + 100 + 499)})
      File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/common.py", line 50, in setup_add_ldif
        ldb.add_ldif(data, controls)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 224, in add_ldif
        self.add(msg, controls)
    


    As far as I know there is an NFSv4/ZFS ACL module in Samba, but how do I get it to work?

    Could anybody give me advice on this situation?

    Thank you in advance!
     
  14. spanglefox

    Ahhh yes. I found that Samba 4 did not play well with ZFS. Which, as you pointed out in your post, is odd, given ZFS has ACLs at its heart (don't quote me on that). I was going to fire over to see if the Samba forums may have anything.

    I only got Samba 4 working with a UFS+S filesystem and SAMBA_ INTERNAL DNS.

    A slight bit of useless info, but I managed to add Windows XP, 7 and 8 along with Server 2008R2 and 2012 to my created domain. Windows 8 domain logon is just freaky! That is, however, another story on Windows 8. Just sharing that information if it helps with your deployment.

    Keep me updated on your progress!
     
  15. von_Gaden

    I'm sure that Samba 4 will bring us the possibility of replacing AD controllers and extending their scalability and reliability. I look forward to its official version coming out.
    But I'm a little bit conservative and I usually avoid installing development versions, or versions of software not included in the Ports.
    Is the new Samba 4 going to be included in the Ports soon?
     
  16. spanglefox

    As far as I know the official version has been released.

    That was what I was using. Samba-4.0.0 from http://www.samba.org. I believe the official production (stable??) release was in Dec. '12.

    I too would be interested in when Samba-4.0.0 goes into ports (i.e. not rc/beta).
     
  17. arez

    ZFS Settings

    You have to have at least zpool version 18, which was in FreeBSD 8.0 or newer.

    Set the ACL Mode and Inheritance to passthrough:

    Code:
    $ zfs create -o mountpoint=/mydata zroot/mydata
    $ zfs set aclmode=passthrough zroot/mydata
    $ zfs set aclinherit=passthrough zroot/mydata


    Now you have ACLs:

    Code:
    # getfacl /mydata
    # file: /mydata
    # owner: root
    # group: wheel
             everyone@:rwxpD-a-R-c--s:------:allow
           user:arez:r-x---a-R-c--s:fd----:allow
             user:foobar:r-x---a-R-c--s:fd----:allow
                owner@:rwxpD-aARWcCos:------:allow
                group@:rwxpD-a-R-c--s:------:allow


    Now, unlike Solaris, which displays ZFS ACLs through ls -Z, FreeBSD uses setfacl and getfacl to set and get ACLs.

    P.S.
    Excuse me for my bad English.
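Three posts in this thread hit the same wall from different sides: the first post mounts UFS with acls because Samba4 requires it, heathen's provision fails with "Your filesystem or build does not support posix ACLs" on a ZFS root, and the post above sets aclmode/aclinherit to passthrough on a ZFS dataset. The script below is an added example written for this thread, not code from Samba or from any poster; it checks, before running samba-tool domain provision, that the filesystem under a given path is mounted with ACL support. It assumes FreeBSD mount(8) output of the form "dev on mountpoint (type, opt, ...)", that UFS shows "acls" and ZFS shows "nfsv4acls" in that option list, and that `zfs get -H -o property,value` prints one "property value" line per property; the sample mount and zfs output at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check that the filesystem under a Samba
# directory is mounted with ACL support before running samba-tool domain provision.
# UFS needs the "acls" mount option; ZFS shows "nfsv4acls" in mount(8) output and,
# as the post above says, wants aclmode and aclinherit set to passthrough.
# Assumptions: FreeBSD mount(8) prints "dev on mountpoint (type, opt, ...)" and
# zfs get -H -o property,value prints "property value" lines.

# mount_line MOUNT_OUTPUT PATH -> the mount(8) line whose mountpoint is the longest prefix of PATH
mount_line() {
    printf '%s\n' "$1" | awk -v path="$2" '
        {
            mp = $3; n = length(mp)
            boundary = (mp == "/" || length(path) == n || substr(path, n + 1, 1) == "/")
            if (index(path, mp) == 1 && boundary && n > best) { best = n; line = $0 }
        }
        END { print line }'
}

# fs_acl_status MOUNT_OUTPUT PATH -> "ok <fstype>" or "missing <fstype>"
fs_acl_status() {
    line=$(mount_line "$1" "$2")
    opts=${line#*\(}; opts=${opts%\)}          # e.g. "ufs, local, acls, soft-updates"
    fstype=${opts%%,*}
    norm=",$(printf '%s' "$opts" | tr -d ' '),"
    case $norm in
        *,acls,*|*,nfsv4acls,*) printf 'ok %s\n' "$fstype" ;;
        *) printf 'missing %s\n' "$fstype" ;;
    esac
}

# zfs_acl_passthrough ZFS_GET_OUTPUT -> 0 when aclmode and aclinherit are both passthrough
zfs_acl_passthrough() {
    printf '%s\n' "$1" | awk '
        $1 == "aclmode"    && $2 == "passthrough" { m = 1 }
        $1 == "aclinherit" && $2 == "passthrough" { i = 1 }
        END { exit (m && i) ? 0 : 1 }'
}

# samba_fs_preflight PATH -> live check on this host
samba_fs_preflight() {
    mounts=$(mount)
    status=$(fs_acl_status "$mounts" "$1")
    echo "$1: $status"
    case $status in
        "ok zfs")
            ds=$(mount_line "$mounts" "$1" | awk '{ print $1 }')
            if zfs_acl_passthrough "$(zfs get -H -o property,value aclmode,aclinherit "$ds")"; then
                echo "$ds: aclmode/aclinherit are passthrough"
            else
                echo "$ds: set aclmode=passthrough and aclinherit=passthrough"
            fi ;;
        "missing ufs")
            echo "remount with acls (mount -o acls) and add acls to /etc/fstab" ;;
    esac
}

# Constructed sample input (not real output from any host)
SAMPLE_MOUNT='/dev/da0p2 on / (ufs, local, soft-updates)
zroot/mydata on /mydata (zfs, local, nfsv4acls)
/dev/da0p4 on /srv/samba (ufs, local, acls, soft-updates)'
SAMPLE_ZFS_GOOD='aclmode passthrough
aclinherit passthrough'
SAMPLE_ZFS_BAD='aclmode passthrough
aclinherit restricted'

fs_acl_status "$SAMPLE_MOUNT" /usr/local/samba/private   # prints: missing ufs
fs_acl_status "$SAMPLE_MOUNT" /srv/samba/private         # prints: ok ufs
fs_acl_status "$SAMPLE_MOUNT" /mydata                    # prints: ok zfs
```

On a real host, `samba_fs_preflight /usr/local/samba/private` (or wherever sysvol will live) tells you whether provision will get past the ACL check, and for ZFS whether the dataset's ACL properties match what the post above recommends. The longest-prefix match matters: a directory under a separate acls-mounted UFS partition passes even when the root filesystem does not.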
     
  18. mix_room

    It is there now. See net/samba4. It works nicely for me.
     
  19. gaileys

    Everything worked fine but I'm struggling with Share permissions from Windows 7. Every time I use that to change perms I get:
    Code:
    an error occurred while applying security information
    and
    Code:
    the parameter is incorrect


    I've been messing around with ACL's to try to resolve this but nothing seems to work. This is the last step for me and I'm defeated by it! Any ideas?
     
  20. linuxhelp

    SAMBA4+Kerberos as PDC

    Hi all,

    I tried to set up Samba4 with Kerberos 5 and the Samba internal DNS (with the howtos of 3+4) on a clean FreeBSD 9.1 amd64, but I got trouble with the KDC connection; bind98 is installed with static zone files.

    Code:
    log.samba:
    /usr/local/sbin/samba_dnsupdate: RuntimeError: kinit for FREEBSD$@HOME.LOCAL failed (Cannot contact any KDC for requested realm)
    
    /etc/hosts #no errors
    nslookup+dig recognize the server named FREEBSD.HOME.LOCAL # no errors
    
    wbinfo -u / -g #shows users and groups successful
    
    but:
    smbclient -k -L //freebsd.home.local/netlogin -U domainuser  #fails cause no kerberos conn.
    
    successful:
    smbclient -L //freebsd.home.local/netlogin -U domainuser
    
    kinit administrator@HOME.LOCAL #success login
    klist # shows ticket successful..


    Basic question: does Samba4 configure and handle Kerberos on its own? Or must a Kerberos server be enabled? Samba4 opens port 88. Why does samba-tool not allow DOMAINNAME = HOME.LOCAL, only "HOME"?

    I have seen that port 764 wasn't online?

    - Windows 7 Test-Client (clean setup) does not connect either.

    sockstat -4:
    Code:
    user1   sshd       3058  3  tcp4   192.168.178.205:22    192.168.178.73:35925
    root     sshd       3056  3  tcp4   192.168.178.205:22    192.168.178.73:35925
    bind     named      2656  20 tcp4   192.168.178.205:53    *:*
    bind     named      2656  21 tcp4   127.0.0.1:53          *:*
    bind     named      2656  22 tcp4   127.0.0.1:953         *:*
    bind     named      2656  512 udp4  192.168.178.205:53    *:*
    bind     named      2656  513 udp4  127.0.0.1:53          *:*
    root     samba4     2211  19 tcp4   *:88                  *:*
    root     samba4     2211  20 udp4   *:88                  *:*
    root     samba4     2211  21 tcp4   *:464                 *:*
    root     samba4     2211  22 udp4   *:464                 *:*
    root     samba4     2211  23 udp4   192.168.178.205:88    *:*
    root     samba4     2211  24 udp4   192.168.178.205:464   *:*
    root     samba4     2210  19 udp4   *:389                 *:*
    root     samba4     2210  20 udp4   192.168.178.205:389   *:*
    root     samba4     2209  20 tcp4   *:389                 *:*
    root     samba4     2209  21 tcp4   *:636                 *:*
    root     samba4     2209  22 tcp4   *:3268                *:*
    root     samba4     2209  23 tcp4   *:3269                *:*
    root     samba4     2207  19 udp4   *:137                 *:*
    root     samba4     2207  20 udp4   *:138                 *:*
    root     samba4     2207  21 udp4   192.168.178.255:137   *:*
    root     samba4     2207  22 udp4   192.168.178.205:137   *:*
    root     samba4     2207  23 udp4   192.168.178.255:138   *:*
    root     samba4     2207  24 udp4   192.168.178.205:138   *:*
    root     smbd       2206  42 tcp4   *:445                 *:*
    root     smbd       2206  43 tcp4   *:139                 *:*
    root     samba4     2205  31 tcp4   *:1024                *:*
    root     samba4     2205  34 tcp4   *:135                 *:*
    www      httpd      1652  4  tcp4   *:80                  *:*
    www      httpd      1652  6  tcp4   *:443                 *:*
    www      httpd      1651  4  tcp4   *:80                  *:*
    www      httpd      1651  6  tcp4   *:443                 *:*
    www      httpd      1650  4  tcp4   *:80                  *:*
    www      httpd      1650  6  tcp4   *:443                 *:*
    www      httpd      1649  4  tcp4   *:80                  *:*
    www      httpd      1649  6  tcp4   *:443                 *:*
    www      httpd      1648  4  tcp4   *:80                  *:*
    www      httpd      1648  6  tcp4   *:443                 *:*
    root     httpd      1566  4  tcp4   *:80                  *:*
    root     httpd      1566  6  tcp4   *:443                 *:*
    root     sshd       1559  4  tcp4   *:22                  *:*
    mysql    mysqld     1539  10 tcp4   *:3306                *:*
    ldap     slapd      869   7  tcp4   192.168.178.205:389   *:*
    ldap     slapd      869   8  tcp4   127.0.0.1:389         *:*
    root     vsftpd     847   3  tcp4   *:21                  *:*
    root     perl       838   6  tcp4   *:10000               *:*
    root     perl       838   7  udp4   *:10000               *:*
    root     syslogd    549   9  udp4   *:514                 *:*
    


    krb5.conf
    Code:
    [libdefaults]
            default_realm = HOME.LOCAL
            dns_lookup_realm = false
            dns_lookup_kdc = true
    
    
     
  21. mix_room

    Are you using the net/samba4 or are you pulling the sources from git?
    There might be some things that were patched away in the port; I would suggest using it.
     
  22. spanglefox

    Well sadly at the moment our Samba 4 development is on pause (awaiting hardware to be purchased). I have not had the chance to tinker with the ports version of Samba 4. The only version I "know" as good and working was the original 4.0.0 release, which I installed by building the code downloaded directly from http://www.samba.org/.

    As soon as I get back around to our Samba development I will help as I can.
     
  23. von_Gaden

    Thank you all for sharing your experience with Samba 4!
    Unlike our beloved FreeBSD, I think Samba lacks some exact and clear documentation, so we must rely on each other.

    I started to test it prior to adopting it for production use. And I found a strange problem: the server (AD Domain Controller) is not visible when browsing the network (tested with Windows 7 and Windows XP). Note that machines join the domain successfully and domain users and groups are visible from clients. DNS (Samba internal) works fine too and the server is browseable by its UNC name (\\name or \\name.domain.suffix).
    Any ideas?

    Since I've started asking, can someone advise me what is better: Samba internal DNS or connection to BIND? I have some installations with authoritative DNS servers where I'd never put Samba DNS on the Internet or allow BIND to run out of its chroot environment. I am thinking about an option to use both and bind them to different network interfaces, but maybe there is a better solution.

    And one more thing: I see only numerical UIDs in the UFS ACLs created by Samba. Should I worry about not seeing the real usernames? By default Samba4 uses its internal LDAP, and I've not seen directions on how to bind it to the system's nsswitch, for example, nor have I tried to do that...

    Thanks everybody once again, and I'm looking forward to your advice!
     
  24. mix_room

    If I remember correctly this is not a bug but a feature(TM). I can't find any info on it right now, but I've read about others with the same issues somewhere.

    I added the following to my /etc/nsswitch.conf, and it seems to work nicely.
    Code:
    group: files winbind
    passwd: files winbind
    
     
  25. igorino

    I had to elaborate the /etc/krb5.conf file a little more in order to enable Kerberos authentication; adding the [realms] section to that file did the trick:
    Code:
    [libdefaults]
            default_realm = IFSC.EDU
            default_keytab_name = FILE:/var/db/samba4/private/dns.keytab
            dns_lookup_realm = false
            dns_lookup_kdc = true
    [realms]
            IFSC.EDU = {
            kdc = samba4.ifsc.edu:88
            default_domain = ifsc.edu
    }