FreeBSD as Domain Controller

Greetings,

I'm new to the forum and I need to set up a Domain Server using samba4 and BIND99 with automatic DNS update using dns.keytab.

All the settings that do, at the time of performing Samba and DNS tests, did not present an error. However, when accessing the DNS server by Windows 7 RSAT is giving an "access denied" message, when I search in DNS for FreeBSD, the host name added no domain is not appearing in the DNS list.

In short, I can not see DNS through windows, and a DNS PivotTable is not being updated.

To avoid any doubts in the process, I'm a step-by-step how to set up all-inclusive.

I wonder if someone helped me solve the problem.

I thank the attention!

Thank you!


###########################################
PROPOSED STRUCTURE

HOSTNAME: ad
DOMAIN: estudo.local
IP: 172.100.0.254
MASK: 255.255.0.0
GW: 172.100.254.254
DNS1: 172.100.0.254 /* THE FIRST DNS MUST ALWAYS BE THE PROPRIETARY DNS */
DNS2: 172.100.254.254


1) AFTER INSTALLING FREEBSD11, PERFORM UPDATE;
Code:
root@ad:~ # pkg update
root@ad:~ # pkg upgrade
2) CHANGE THE FSTAB CONFIGURATION;
Code:
root@ad:~ # vi /etc/fstab

# Device        Mountpoint      FStype  Options Dump    Pass#
/dev/ada0s1a    /               ufs     rw,acls 1       1
/dev/ada0s1b    none            swap    sw      0       0
:x

3) RESET THE SYSTEM OR RETURN THE PARTITION
Code:
root@ad:~ # reboot
root@ad:~ # mount -o acls /
4) CHANGE DNS SETTINGS;
Code:
root@ad:~ # vi /etc/resolv.conf

search estudo.local
domain estudo.local
nameserver 172.100.0.254
nameserver 172.100.254.254
:x

5) CHANGE THE /etc/hosts
Code:
root@ad:~ # vi /etc/hosts

# $FreeBSD: releng/11.0/etc/hosts 109997 2003-01-28 21:29:23Z dbaker $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file.  Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
172.100.0.254           ad ad.estudo.local

#
# Imaginary network.
#10.0.0.2               myname.my.domain myname
#10.0.0.3               myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
#       10.0.0.0        -   10.255.255.255
#       172.16.0.0      -   172.31.255.255
#       192.168.0.0     -   192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers.  Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
:x

6) UPDATES PORTSNAP
Code:
root@ad:~ # portsnap fetch update extract
7) INSTALLING BIND99
Code:
root@ad:~ # cd /usr/ports/dns/bind99

root@ad:/usr/ports/dns/bind99 # make config-recursive

OPTIONS MARKED FOR bind99-9.0.10
 
DOCS
IDN
IPV6
RPZ_NSDNAME
RPZ_NSIP
RRL
SIGCHASE
SSL
THREADS
DLZ_BDB
DLZ_FILESYSTEM
DLZ_STUB
GSSAPI_BASE

OPTIONS MARKED FOR libxml2-2.9.4

SCHEMA
THREADS
VALID

OPTIONS MARKED FOR gmake-4.2.1_1

NLS

OPTIONS MARKED FOR gettext-tools-0.19.8.1

DOCS
THREADS

OPTIONS MARKED FOR idnkit-1.0_6

DOCS

RUN THE COMMAND BELOW AGAIN

root@ad:/usr/ports/dns/bind99 # make config-recursive

OPTIONS MARKED FOR db5-5.3.28_6

CRYPTO
DOCS

root@ad:/usr/ports/dns/bind99 # make && make install clean && rehash
8) INSTALLING SAMBA45
Code:
root@ad:/usr/ports/dns/bind99 # cd /usr/ports/net/samba45
root@ad:/usr/ports/net/samba45 # make config-recursive

OPTIONS MARKED FOR samba45-4.5.8

ADS
AD_DC
DEBUG
DOCS
FAM
LDAP
QUOTAS
SYSLOG
UTMP
BIND99

OPTIONS MARKED FOR libarchive-3.3.1,1

LZ4
LZO

OPTIONS MARKED FOR lzo2-2.10_1

DOCS
EXAMPLES

OPTIONS MARKED FOR perl5-5.24.1_1

DTRACE
MULTIPLICITY
PERL_64BITINT
PTHREAD
THREADS

OPTIONS MARKED FOR py27-dnspython-1.15.0

EXAMPLES

OPTIONS MARKED FOR python27-2.7.13_3

IPV6
LIBFFI
NLS
PYMALLOC
THREADS
UCS4

OPTIONS MARKED FOR libffi-3.2.1

OPTIONS MARKED FOR m4-1.4.18,1

EXAMPLES

OPTIONS MARKED FOR texinfo-6.1.20160425_1,1

NLS

OPTIONS MARKED FOR help2man-1.47.4

NLS

OPTIONS MARKED FOR tcl86-8.6.6_2

DTRACE
MODULES
THREADS

OPTIONS MARKED FOR readline-6.3.8_1

DOCS
TERMCAP

OPTIONS MARKED FOR sqlite3-3.18.0

DBSTAT
EXTENSION
FTS3_TOKEN
FTS4
METADATA
SECURE_DELETE
STSHELL
THREADS
UNLOCK_NOTIFY
URI
UNICODE61
RTREE
READLINES
TS1

OPTIONS MARKED FOR py27-pip-9.0.1

DOCS

OPTIONS MARKED FOR py27-Jinja2-2.9.5

BABEL
EXAMPLES

OPTIONS MARKED FOR py27-Babel-2.3.4

DOCS

OPTIONS MARKED FOR py27-docutils-0.13.1

OPTIONS MARKED FOR py27-snowballstemmer-1.2.0_1

PYSTEMMER

OPTIONS MARKED FOR ca_root_nss-3.30.2

ETCSYMLINK

OPTIONS MARKED FOR py27-virtualenv-15.1.0

DOCS

OPTIONS MARKED FOR git-2.12.1_1

CONTRIB
CURL
CVS
GITWEB
ICONV
NLS
P4
PCRE
PERL
SEND_EMAIL
SUBTREE

OPTIONS MARKED FOR curl-7.54.0

CA_BUNDLE
COOKIES
DOCS
EXAMPLES
HTTP2
IPV6
PROXY
TLS_SRP
GSSAPI_BASE
THREADED_RESOLVER
OPENSSL

OPTIONS MARKED FOR xmlto-0.0.28

DOCS

OPTIONS MARKED FOR bash-4.4.12_2

COLONBREAKSWORDS
DOCS
HELP
NLS

OPTIONS MARKED FOR bison-3.0.4,1

DOCS
EXAMPLES
NLS

OPTIONS MARKED FOR getopt-1.1.6

DOCS
NLS

OPTIONS MARKED FOR libxslt-1.1.29_1

CRYPTO

OPTIONS MARKED FOR libgcrypt-1.7.6

DOCS

OPTIONS MARKED FOR libgpg-error-1.27

DOCS
NLS

OPTIONS MARKED FOR docbook-xsl-1.76.1_3

DOCS
ECLIPSE
EPUB
EXTENSIONS
HIGHLIGHTING
HTMLHELP
JAVAHELP
PROFILING
ROUNDTRIP
SLIDES
TEMPLATE
TESTS
TOOLS
WEBSITE
XHTML11

OPTIONS MARKED FOR xmlcatmgr-2.2_2

DOCS

OPTIONS MARKED FOR w3m-0.5.3.20170102

DOCS
NLS

OPTIONS MARKED FOR boehm-gc-7.6.0

DOCS

OPTIONS MARKED FOR libatomic_ops-7.4.4

DOCS

OPTIONS MARKED FOR pcre-8.40

DOCS
MAN3
STACK_RECURSION

OPTIONS MARKED FOR cvsps-2.1_2

DOCS

OPTIONS MARKED FOR p5-Authen-SASL-2.16_1

KERBEROS

OPTIONS MARKED FOR p5-GSSAPI-0.28_1

GSSAPI_BASE

OPTIONS MARKED FOR bzr-2.7.0_1

CA_BUNDLE
SFTP

OPTIONS MARKED FOR py27-paramiko-2.0.5

EXAMPLES

OPTIONS MARKED FOR py27-enum34-1.1.6

DOCS

OPTIONS MARKED FOR talloc-2.1.9

OPTIONS MARKED FOR tevent-0.9.31

OPTIONS MARKED FOR tdb-1.3.12,1

OPTIONS MARKED FOR ldb-1.1.29_1

OPTIONS MARKED FOR popt-1.16_2

NLS

OPTIONS MARKED FOR openldap-client-2.4.44

OPTIONS MARKED FOR gnutls-3.5.11

DOCS
EXAMPLES
IDN
NLS
P11KIT
TPM
ZLIB

OPTIONS MARKED FOR gmp-6.1.2

OPTIONS MARKED FOR nettle-3.3

DOCS
EXAMPLES

OPTIONS MARKED FOR libtasn1-4.10

DOCS

OPTIONS MARKED FOR libunistring-0.9.7

DOCS

OPTIONS MARKED FOR trousers-0.3.14_1

OPTIONS MARKED FOR cmake-3.8.0

DOCS
MANPAGES

OPTIONS MARKED FOR rhash-1.3.4

DOCS

OPTIONS MARKED FOR gamin-0.1.10_9

RUN_AS_EUID

OPTIONS MARKED FOR glib-2.50.2_1,1

OPTIONS MARKED FOR libiconv-1.14_10

DOCS
ENCODINGS

root@ad:/usr/ports/net/samba45 # make && make install clean && rehash
9) MAKE THE PROVISION OF THE DOMAIN
Code:
root@ad:/usr/ports/net/samba45 # samba-tool domain provision --use-rfc2307 --interactive

Realm [ESTUDO.LOCAL]:
Domain [ESTUDO]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=estudo,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=estudo,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/db/samba4/private/named.conf for an example configuration include file for BIND
and /var/db/samba4/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              ad
NetBIOS Domain:        ESTUDO
DNS Domain:            estudo.local
DOMAIN SID:            S-1-5-21-812769385-2631176092-429983996
10) LINKING SAMBA4 NAMED.CONF IN NAMED.CONF AND INSERTING DNS.KEYTAB IN NAMED.CONF
Code:
root@ad:~ # cd
root@ad:~ # vi /usr/local/etc/namedb/named.conf
.
.
.
options {
        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
        listen-on       { 127.0.0.1; any; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//      listen-on-v6    { ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
        forwarders {
                127.0.0.1;
                8.8.8.8;
        };
.
.
.

include "/var/db/samba4/private/named.conf";
:x

Code:
root@ad:~ # chgrp bind /var/db/samba4/private/dns.keytab
root@ad:~ # chmod g+r /var/db/samba4/private/dns.keytab
11) INSERTING NAMED AND SAMBA IN INITIALIZATION
Code:
root@ad:~ # echo 'named_enable="YES"' >> /etc/rc.conf
root@ad:~ # echo 'samba_server_enable="YES"' >> /etc/rc.conf
12) CONFIGURING KERBEROS
Code:
root@ad:~ # ln -s /usr/local/share/samba45/setup/krb5.conf /etc/
root@ad:~ # vi /etc/krb5.conf

[libdefaults]
        default_realm = ESTUDO.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
:x

13) RESTARTING TO MAKE SURE THE SERVICES WERE INITIALIZED
Code:
root@ad:~ # reboot
14) PERFORMING CONFIGURATION TEST
Code:
root@ad:~ # smbclient //localhost/netlogon -Uadministrator
Enter administrator's password:
Domain=[ESTUDO] OS=[Windows 6.1] Server=[Samba 4.5.8]
smb: \> quit

root@ad:~ # smbclient -L localhost -UAdministrator
Enter Administrator's password:
Domain=[ESTUDO] OS=[Windows 6.1] Server=[Samba 4.5.8]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.5.8)
Domain=[ESTUDO] OS=[Windows 6.1] Server=[Samba 4.5.8]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

root@ad:~ # smbclient //localhost/netlogon -UAdministrator'' -c 'ls'
Enter Administrator's password:
Domain=[ESTUDO] OS=[Windows 6.1] Server=[Samba 4.5.8]
  .                                   D        0  Sat May 13 14:38:48 2017
  ..                                  D        0  Sat May 13 14:39:08 2017

                30450780 blocks of size 1024. 25318944 blocks available
15) TAKING TESTS IN DNS
Code:
root@ad:~ # samba_dnsupdate --verbose

root@ad:~ # host -t SRV _ldap._tcp.estudo.local
_ldap._tcp.estudo.local has SRV record 0 100 389 ad.estudo.local.

root@ad:~ # host -t SRV _kerberos._udp.estudo.local
_kerberos._udp.estudo.local has SRV record 0 100 88 ad.estudo.local.

root@ad:~ # host -t A ad.estudo.local
ad.estudo.local has address 172.100.0.254

root@ad:~ # kinit administrator
administrator@ESTUDO.LOCAL's Password:

root@ad:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@ESTUDO.LOCAL

  Issued                Expires               Principal
May 13 16:11:31 2017  May 14 02:11:31 2017  krbtgt/ESTUDO.LOCAL@ESTUDO.LOCAL
 
Last edited:
Greetings,

I'm new to the forum and I need to set up a Domain Server using samba4 and BIND99 with automatic DNS update using dns.keytab.

All the settings that do, at the time of performing Samba and DNS tests, did not present an error. However, when accessing the DNS server by Windows 7 RSAT is giving an "access denied" message, when I search in DNS for FreeBSD, the host name added no domain is not appearing in the DNS list.

root@ad:~ # host -t A ad.estudo.local
ad.estudo.local has address 172.100.0.254

I have not tried this installation in FreeBSD, but I've been attempting source builds of Samba 4.7.4 on Ubuntu 16.04.3 LTS in order to use MIT Kerberos which is supported for AD as of Samba 4.7. I would recommend trying 4.7 to see if anything has changed re: RSAT DNS.

That said, FreeBSD seems like a very good choice if one only wishes to use the machine as a Samba DC as the Freshports are very up-to-date and FreeBSD is undeniably easier for building from source than Linux. I am going to give it a shot and see if I have any better luck - while I've been able to compile it on Ubuntu, it requires far more steps to be decently integrated with the rest of the system.

Back to your problem: While combing over the samba wiki, I noticed somewhere that it is supposedly not good to use .LOCAL because it is used for Avahi and can conflict. -- I found it, It's explained in detail here:

https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Using_an_Invalid_TLD

Perhaps this is the source of your problems.

PS: Thanks for the great explanation of the steps you took to install Samba45 :)
 
You are expecting to use BIND9_DLZ, however I cannot see anywhere you have implement it?
Please go through BIND9 DLZ configuration at https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End to configure DLZ module.

Code:
dlz "estudo.local" {
 
  database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so";

};
Last time I used dynamic module with BIND99 and BIND910, this was not working for me. I could only set this up with BIND98.
I hope this little modification will help you solving the issue.

Regards,
Krzysztof
 
Couple important comments here:

/etc/resolv.conf
Code:
search estudo.local
domain estudo.local
nameserver 172.100.0.254
nameserver 172.100.254.254
You should use only one search list or domain. They together will not work.
In your case please leave only domain entry.

/usr/local/etc/namedb/named.conf
Code:
        forwarders {
                127.0.0.1;
                8.8.8.8;
        };
You should avoid using 127.0.0.1 loopback interface as your forwarder. Specify there IP addresses of DNS servers responsible for external DNS name resolution only (other than your estudo.local domain)
Google DNS infrastructure is good for start but I would strongly recommend using one from your ISP instead :)
You can simply reuse these from /etc/resolv.conf file specified as nameserver (172.100.0.254 and 172.100.254.254)

Regards,
Krzysztof
 
Greetings

First of all I would like to thank you for having responded and saying that I did the tests as they passed me, but it did not work. Although it did not work out, I got new ideas and re-created the whole process.

That done, it worked 99%.

My problem now is dynamic DNS update by host windows.

For example, when I put the computer running windows 7 in the domain, it usually comes in, but it does not appear in the DNS table.

I will put the settings used for the configuration of the Domain Controller and then put the errors.

###########################################
PROPOSED STRUCTURE

HOSTNAME: ad
DOMAIN: estudo.local
IP: 172.100.100.254
MASK: 255.255.0.0
GW: 172.100.254.254
DNS1: 172.100.100.254 /* THE FIRST DNS MUST ALWAYS BE THE PROPRIETARY DNS */
DNS2: 172.100.254.254


1) AFTER INSTALLING FREEBSD11, PERFORM UPDATE;

Code:
root@ad:~ # pkg update
root@ad:~ # pkg upgrade

2) CHANGE THE FSTAB CONFIGURATION;

Code:
root@ad:~ # vi /etc/fstab

# Device        Mountpoint      FStype  Options Dump    Pass#
/dev/ada0s1a    /               ufs     rw,acls 1       1
/dev/ada0s1b    none            swap    sw      0       0
:x

3) RESET THE SYSTEM OR RETURN THE PARTITION

Code:
root@ad:~ # reboot
root@ad:~ # mount -o acls /

4) CHANGE DNS SETTINGS;

Code:
root@ad:~ # vi /etc/resolv.conf

[CODE][CODE][CODE]
[/CODE][/CODE]search estudo.local
domain estudo.local
nameserver 172.100.100.254
nameserver 172.100.254.254
[/CODE]

5) CHANGE THE /etc/hosts

Code:
root@ad:~ # vi /etc/hosts

# $FreeBSD: releng/11.0/etc/hosts 109997 2003-01-28 21:29:23Z dbaker $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file.  Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
172.100.100.254           ad ad.estudo.local

#
# Imaginary network.
#10.0.0.2               myname.my.domain myname
#10.0.0.3               myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
#       10.0.0.0        -   10.255.255.255
#       172.16.0.0      -   172.31.255.255
#       192.168.0.0     -   192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers.  Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)

6) UPDATES PORTSNAP

Code:
root@ad:~ # portsnap fetch && portsnap extract

7) INSTALLING BIND99

Code:
root@ad:~ # cd /usr/ports/dns/bind99/ && make -DBATCH install clean && rehash

8) INSTALLING SAMBA47

Code:
root@ad:~ # cd /usr/ports/net/samba47/ && make -DBATCH install clean && rehash

9) INSTALLING CUPS [OPTIONAL]

Code:
root@ad:~ # cd /usr/ports/print/cups/  && make -DBATCH install clean && rehash

10) INSERTING NAMED AND SAMBA IN INITIALIZATION

Code:
root@ad:~ # echo 'named_enable="YES"' >> /etc/rc.conf
root@ad:~ # echo 'named_chrootdir=""' >> /etc/rc.conf
root@ad:~ # echo 'cupsd_enable="YES"' >> /etc/rc.conf
root@ad:~ # echo 'samba_server_enable="YES"' >> /etc/rc.conf

11) LINKING SAMBA4 NAMED.CONF IN NAMED.CONF AND INSERTING DNS.KEYTAB IN NAMED.CONF

Code:
root@ad:~ # vi /usr/local/etc/namedb/named.conf
.
.
.
options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
        listen-on       { 127.0.0.1; any; };
        allow-query     { localhost; any; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//      listen-on-v6    { ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
        forwarders {
                127.0.0.1;
        };
*/
        forwarders {
                8.8.8.8;
        };
.
.
.
:x

12) MAKE THE PROVISION OF THE DOMAIN

Code:
root@ad:/usr/ports/net/samba45 # samba-tool domain provision --use-rfc2307 --interactive

Realm [ESTUDO.LOCAL]:
Domain [ESTUDO]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=estudo,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=estudo,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/db/samba4/private/named.conf for an example configuration include file for BIND
and /var/db/samba4/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              ad
NetBIOS Domain:        ESTUDO
DNS Domain:            estudo.local
DOMAIN SID:            S-1-5-21-812769385-2631176092-429983996

13) CONFIGURING KERBEROS FOR AUTHENTICATION IN THE AD

Code:
root@ad:~ # cp /var/db/samba4/private/krb5.conf /etc

14) ADDING DNS UPDATE COMMAND IN SAMBA

NOTE: Run the which nsupdate or samba-nsupdate command to know the path of the nsupdate command to insert into the smb4.conf file as below

Code:
root@ad:~ # which nsupdate
/usr/local/bin/nsupdate [COPY THAT LINE AND INSERT SMB4.CONF AS BELOW]

root@ad:~ # vi /usr/local/etc/smb4.conf

# Global parameters
[global]
        netbios name = AD
        realm = ESTUDO.LOCAL
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ESTUDO
        idmap_ldb:use rfc2307 = yes
    nsupdate command = /usr/local/bin/nsupdate

[netlogon]
        path = /var/db/samba4/sysvol/estudo.local/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No
:x

15) ACCESSING GUIDANCE FILE FOR SECURE DNS UPDATE CONFIGURATION

NOTE: Copy the line in bold

Code:
root@ad:~ # vi /var/db/samba4/private/named.txt

# Additional informations for DNS setup using BIND

# If you are running a capable version of BIND and you wish to support
# secure GSS-TSIG updates, you must make the following configuration
# changes:

#
# Steps for BIND 9.8.x and 9.9.x -----------------------------------------
#

# 1. Insert following lines into the options {} section of your named.conf
#    file:
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";

# 2. If SELinux is enabled, ensure that all files have the appropriate
#    SELinux file contexts.  The dns.keytab file must be accessible by the
#    BIND daemon and should have a SELinux type of named_conf_t.  This can be
#    set with the following command:
chcon -t named_conf_t /var/db/samba4/private/dns.keytab

#    Even if not using SELinux, do confirm (only) BIND can access this file as the
#    user it becomes (generally not root).

#
# Steps for BIND 9.x.x using BIND9_DLZ ------------------------------
#

# 3. Disable chroot support in BIND.
#    BIND is often configured to run in a chroot, but this is not
#    compatible with access to the dns/sam.ldb files that database
#    access and updates require.  Additionally, the DLZ plugin is
#    linked to a large number of Samba shared libraries and loads
#    additonal plugins.

#
# Steps for BIND 9.x.x using BIND9_FLATFILE ------------------------------
#

# 3. Ensure the BIND zone file(s) that will be dynamically updated are in
#    a directory where the BIND daemon can write.  When BIND performs
#    dynamic updates, it not only needs to update the zone file itself but
#    it must also create a journal (.jnl) file to track the dynamic updates
#    as they occur.  Under Fedora 9, the /var/named directory can not be
#    written to by the "named" user.  However, the directory /var/named/dynamic
#    directory does provide write access.  Therefore the zone files were
#    placed under the /var/named/dynamic directory.  The file directives in
#    both example zone statements at the beginning of this file were changed
#    by prepending the directory "dynamic/".
:q!
 
16) REACTIVATE THE NAMED.CONF FILE AND INSERT THE LINE COPIED ABOVE

Code:
root@ad:~ # vi /usr/local/etc/namedb/named.conf

// $FreeBSD: head/dns/bind99/files/named.conf.in 443607 2017-06-14 22:54:43Z mat $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/local/share/doc/bind for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
//      listen-on       { 127.0.0.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//      listen-on-v6    { ::1; };


.
.
.

/* An example dynamic zone
key "exampleorgkey" {
        algorithm hmac-md5;
        secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
        type master;
        allow-update {
                key "exampleorgkey";
        };
        file "/usr/local/etc/namedb/dynamic/example.org";
};
*/

/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
        type slave;
        file "/usr/local/etc/namedb/slave/1.168.192.in-addr.arpa";
        masters {
                192.168.1.1;
        };
};
*/

#add a dlz file
:x

17) CHANGING ACCESS PERMISSIONS TO DNS.KEYTAB

Code:
root@ad:~ # chgrp bind /var/db/samba4/private/dns.keytab
root@ad:~ # chmod g+r /var/db/samba4/private/dns.keytab


18) CHECKING IF THE LIBRARY DLZ_BIND9 IS ENABLED FOR CURRENT VERSION

NOTE: COPY THE LINE IN BOLD AND COLLECT ON THE LAST LINE OF THE NAMED.CONF CONFIGURATION FILE

Code:
root@ad:~ # named -v
BIND 9.9.11-P1 (Extended Support Version) <id:008ed2d>

root@ad:~ # vi /var/db/samba4/private/named.conf

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/db/samba4/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";

    # For BIND 9.9.x
     database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_11.so";
};
:q!

19) STICK THE LINE COPIED IN THE PREVIOUS COMMAND IN THE LAST LINE OF NAMED.CONF

Code:
root@ad:~ # vi /usr/local/etc/namedb/named.conf

.
.
.
/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
        type slave;
        file "/usr/local/etc/namedb/slave/1.168.192.in-addr.arpa";
        masters {
                192.168.1.1;
        };
};
*/

#add a dlz file
include "/var/db/samba4/private/named.conf";
:x

20) RESTART THE SERVERS NAMED AND SAMBA_SERVER

Code:
root@ad:~ # service named restart
named not running? (check /var/run/named/pid).
wrote key file "/usr/local/etc/namedb/rndc.key"
Starting named.

root@ad:~ # service samba_server restart
Performing sanity check on Samba configuration: OK
samba not running? (check /var/run/samba4/samba.pid).
Performing sanity check on Samba configuration: OK
Starting samba.


21) TAKING TESTS

Code:
root@ad:~ # host -t SRV _ldap._tcp.estudo.local
_ldap._tcp.estudo.local has SRV record 0 100 389 ad.estudo.local.

root@ad:~ # host -t SRV _kerberos._udp.estudo.local
_kerberos._udp.estudo.local has SRV record 0 100 88 ad.estudo.local.


22) CREATING TICKET OF THE ADMINISTRATOR NO KERBEROS

Code:
root@ad:~ # kinit Administrator
Administrator@ESTUDO.LOCAL's Password:


23) VERIFYING WHO CAN ALREADY TICKET

Code:
root@ad:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@ESTUDO.LOCAL

  Issued                Expires               Principal
Jan 21 20:05:59 2018  Jan 22 06:05:59 2018  krbtgt/ESTUDO.LOCAL@ESTUDO.LOCAL


24) UPDATING DNS TABLE

Code:
root@ad:~ # samba_dnsupdate --verbose
IPs: ['172.100.100.254']
Looking for DNS entry A ad.estudo.local 172.100.100.254 as ad.estudo.local.
Looking for DNS entry NS estudo.local ad.estudo.local as estudo.local.
Looking for DNS entry NS _msdcs.estudo.local ad.estudo.local as _msdcs.estudo.local.
Looking for DNS entry A estudo.local 172.100.100.254 as estudo.local.
Looking for DNS entry SRV _ldap._tcp.estudo.local ad.estudo.local 389 as _ldap._tcp.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.estudo.local ad.estudo.local 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.estudo.local ad.estudo.local 389 as _ldap._tcp.dc._msdcs.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.dc._msdcs.estudo.local ad.estudo.local 389
Looking for DNS entry SRV _ldap._tcp.4361dc67-706c-4393-b04f-b148ee68a527.domains._msdcs.estudo.local ad.estudo.local 389 as _ldap._tcp.4361dc67-706c-4393-b04f-b148ee68a527.domains._msdcs.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.4361dc67-706c-4393-b04f-b148ee68a527.domains._msdcs.estudo.local ad.estudo.local 389
Looking for DNS entry SRV _kerberos._tcp.estudo.local ad.estudo.local 88 as _kerberos._tcp.estudo.local.
Checking 0 100 88 ad.estudo.local. against SRV _kerberos._tcp.estudo.local ad.estudo.local 88
Looking for DNS entry SRV _kerberos._udp.estudo.local ad.estudo.local 88 as _kerberos._udp.estudo.local.
Checking 0 100 88 ad.estudo.local. against SRV _kerberos._udp.estudo.local ad.estudo.local 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.estudo.local ad.estudo.local 88 as _kerberos._tcp.dc._msdcs.estudo.local.
Checking 0 100 88 ad.estudo.local. against SRV _kerberos._tcp.dc._msdcs.estudo.local ad.estudo.local 88
Looking for DNS entry SRV _kpasswd._tcp.estudo.local ad.estudo.local 464 as _kpasswd._tcp.estudo.local.
Checking 0 100 464 ad.estudo.local. against SRV _kpasswd._tcp.estudo.local ad.estudo.local 464
Looking for DNS entry SRV _kpasswd._udp.estudo.local ad.estudo.local 464 as _kpasswd._udp.estudo.local.
Checking 0 100 464 ad.estudo.local. against SRV _kpasswd._udp.estudo.local ad.estudo.local 464
Looking for DNS entry CNAME 8eb3a7ba-29ec-4d8c-a490-6c663bd912e0._msdcs.estudo.local ad.estudo.local as 8eb3a7ba-29ec-4d8c-a490-6c663bd912e0._msdcs.estudo.local.
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.estudo.local ad.estudo.local 389 as _ldap._tcp.Default-First-Site-Name._sites.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.Default-First-Site-Name._sites.estudo.local ad.estudo.local 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.estudo.local ad.estudo.local 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.estudo.local ad.estudo.local 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.estudo.local ad.estudo.local 88 as _kerberos._tcp.Default-First-Site-Name._sites.estudo.local.
Checking 0 100 88 ad.estudo.local. against SRV _kerberos._tcp.Default-First-Site-Name._sites.estudo.local ad.estudo.local 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.estudo.local ad.estudo.local 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.estudo.local.
Checking 0 100 88 ad.estudo.local. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.estudo.local ad.estudo.local 88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.estudo.local ad.estudo.local 389 as _ldap._tcp.pdc._msdcs.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.pdc._msdcs.estudo.local ad.estudo.local 389
Looking for DNS entry A gc._msdcs.estudo.local 172.100.100.254 as gc._msdcs.estudo.local.
Looking for DNS entry SRV _gc._tcp.estudo.local ad.estudo.local 3268 as _gc._tcp.estudo.local.
Checking 0 100 3268 ad.estudo.local. against SRV _gc._tcp.estudo.local ad.estudo.local 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.estudo.local ad.estudo.local 3268 as _ldap._tcp.gc._msdcs.estudo.local.
Checking 0 100 3268 ad.estudo.local. against SRV _ldap._tcp.gc._msdcs.estudo.local ad.estudo.local 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.estudo.local ad.estudo.local 3268 as _gc._tcp.Default-First-Site-Name._sites.estudo.local.
Checking 0 100 3268 ad.estudo.local. against SRV _gc._tcp.Default-First-Site-Name._sites.estudo.local ad.estudo.local 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.estudo.local ad.estudo.local 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.estudo.local.
Checking 0 100 3268 ad.estudo.local. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.estudo.local ad.estudo.local 3268
Looking for DNS entry A DomainDnsZones.estudo.local 172.100.100.254 as DomainDnsZones.estudo.local.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.estudo.local ad.estudo.local 389 as _ldap._tcp.DomainDnsZones.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.DomainDnsZones.estudo.local ad.estudo.local 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.estudo.local ad.estudo.local 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.estudo.local ad.estudo.local 389
Looking for DNS entry A ForestDnsZones.estudo.local 172.100.100.254 as ForestDnsZones.estudo.local.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.estudo.local ad.estudo.local 389 as _ldap._tcp.ForestDnsZones.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.ForestDnsZones.estudo.local ad.estudo.local 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.estudo.local ad.estudo.local 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.estudo.local.
Checking 0 100 389 ad.estudo.local. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.estudo.local ad.estudo.local 389
No DNS updates needed


25) RESTART THE SERVER

Code:
root@ad:~ # reboot

26) END
 
I will now proceed with the error.

the clearest way I could find to demonstrate the error was as follows:

I turned on the virtual machine that was running windows 7, put it in the domain and rebooted, and when I rebooted it presented the error as below:

Code:
root@ad:~ # tail -f /var/log/messages
Jan 21 19:49:07 ad smbd[611]: [2018/01/21 19:49:07.343869,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 21 19:49:07 ad smbd[611]:   STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 21 19:49:47 ad named[476]: client 172.100.99.35#56544: update 'estudo.local/IN' denied
Jan 21 19:49:47 ad named[476]: client 172.100.99.35#50618: update 'estudo.local/IN' denied
Jan 21 19:51:25 ad su: joaobrn to root on /dev/pts/0
Jan 21 19:52:10 ad named[476]: client 172.100.99.35#63239: update 'estudo.local/IN' denied
Jan 21 19:52:10 ad named[476]: client 172.100.99.35#52497: update 'estudo.local/IN' denied
Jan 21 20:52:11 ad su: joaobrn to root on /dev/pts/0
Jan 21 20:53:11 ad named[476]: client 172.100.99.35#62097: update 'estudo.local/IN' denied
Jan 21 20:53:11 ad named[476]: client 172.100.99.35#63298: update 'estudo.local/IN' denied

Thank you for the support!!
 

Attachments

  • 00.PNG
    00.PNG
    111.1 KB · Views: 852
  • 01.PNG
    01.PNG
    43 KB · Views: 904
Back
Top