Samba4 Install Guide (Problems with Kerberos)

QuinRiva

Member

Thanks: 2
Messages: 26

#1
Preface
I have encountered great difficulty installing Samba4 on FreeBSD, and with a final release imminent I am documenting my install procedure along with a handful of relevant differences for FreeBSD. From what I can tell, Samba4's internal Kerberos server does not start and as a result Samba4 does not fully work on FreeBSD.

Scroll to the end to get more information about the Kerberos problem. I am hoping that this guide will help solve the Kerberos issue so that FreeBSD users can utilise Samba4.

System Configuration
This is a fresh install of FreeBSD 9.0 with services: sshd; ntpd; and powerd enabled.

This is my server setup:
My server's IP is: 192.168.1.1
My server's name is: Vanity
My domain is: SIN
My realm is: sin.x
My default user is: test
When following this guide, remember to substitute for the appropriate values.

The version of Samba4 installed: 4.1.0pre1-GIT-99efe84

Samba4 Installation Guide for FreeBSD 9.0

Basic housekeeping
The first thing I'll do is update the Ports Collection:
Code:
# portsnap fetch
# portsnap extract
# portsnap update
I need a text editor and I can't use vi, so I'm going to install nano:
Code:
# cd /usr/ports/editors/nano
# make install clean
I have selected the option [*] EXTRA_ENCODINGS as part of the libiconv 1.14 install (this is a dependency for nano)

Code:
#rehash
Until I discovered rehash, I had to reboot to use newly installed programmes.

Enable ACL
Samba4 requires that the filesystem be mounted with ACL. Let's configure fstab to mount the filesystem correctly on startup:
Code:
# nano /etc/fstab
# Device        Mountpoint      FStype  Options Dump    Pass#
/dev/da0p2      /               ufs     rw,acls 1       1
/dev/da0p3      none            swap    sw      0       0
With nano, Ctrl+O saves the file, and Ctrl+X closes the file.
Let's mount the filesystem now:
Code:
# mount -o acls /
Install Git
To get the latest version of Samba4 we need to install git:
Code:
# pkg_add -r git
# rehash
Install Samba4
I'm going to download Samba to the home directory of the default user (test):
Code:
# cd /home/test
# git clone git://git.samba.org/samba.git samba-master
# cd samba-master
# ./configure --enable-debug --enable-selftest
# make
'build' finished successfully (11m59.678s)
# make install
'install' finished successfully (3m12.695s)
Provision Samba4
Provisioning Samba4 has changed recently and most documentation list the old way of doing it.
Code:
# /usr/local/samba/bin/samba-tool domain provision
 Realm [SIN.X]: SIN.X
 Domain [SIN]: SIN
 Server Role (dc, member, standalone) [dc]: dc
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]: 192.168.1.1
 Administrator password: <password>
 Retype password: <password>
Most of the values have been populated automatically from DHCP (my router). And this is the result I get:
Code:
Looking up IPv4 addresses
Looking up IPv6 addresses
More than one IPv6 address found. Using fe80:1::223:aeff:fe63:d846
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sin,DC=x
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=sin,DC=x
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              Vanity
NetBIOS Domain:        SIN
DNS Domain:            sin.x
DOMAIN SID:            S-1-5-21-3757277530-4222028134-2000681140
Testing Samba4
Existing documentation states that this is how you start Samba4:
Code:
 #/usr/local/samba/sbin/samba
But I think on FreeBSD it should be: samba start

Now let's test:
Code:
 # /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-99efe84)
Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
And yes, that is how the output is formatted.
Code:
 # /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'<password>' -c 'ls'
Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]
  .                                   D        0  Mon Dec  3 22:22:47 2012
  ..                                  D        0  Mon Dec  3 22:22:55 2012

                36535 blocks of size 4194304. 32702 blocks available
Configuring DNS
I am using --dns-backend=SAMBA_INTERNAL, so I only need to configure /etc/resolv.conf.
Code:
 # nano /etc/resolv.conf
Code:
# Generated by resolvconf
search SIN.X
domain sin.x
nameserver 192.168.1.1
nameserver 192.168.1.254
I'm not sure if search is the same as domain? Note that the second nameserver is my router, I don’t want to be unable to connect to the net while I’m setting everything up. I think this file will be overwritten by DHCP though (my router handles DHCP too).

Testing DNS
To test LDAP:
Code:
# host -t SRV _ldap._tcp.sin.x
Host _ldap._tcp.sin.x not found: 3(NXDOMAIN)
At first this didn't work, even after rebooting I got the same problem. I think that it is because Samba4 isn't starting automatically and must be started by:
Code:
# /usr/local/samba/sbin/samba start
Trying again:
Code:
# host -t SRV _ldap._tcp.sin.x
_ldap._tcp.sin.x has SRV record 0 100 389 vanity.sin.x.
Now testing Kerberos:
Code:
# host -t SRV _kerberos._udp.sin.x
_kerberos._udp.sin.x has SRV record 0 100 88 vanity.sin.x.
And finally this server:
Code:
# host -t A vanity.sin.x
vanity.sin.x has address 192.168.1.1
Testing Kerberos
Samba4 uses an internal implementation of Kerberos; do not start the Heimdal Kerberos that comes with FreeBSD, as this is a different service.
The HOWTO states to replace the existing krb.conf with the file located /usr/local/samba/share/setup/krb5.conf, but neither krb.conf nor krb5.conf existed on my system.

My guess was this:
Code:
 # cp /usr/local/samba/share/setup/krb5.conf /etc/krb.conf
 # nano /etc/krb5.conf
And edit the file as such:
Code:
[libdefaults]
        default_realm = SIN.X
        dns_lookup_realm = false
        dns_lookup_kdc = true
Testing:
Code:
 # kinit administrator@SIN.X
administrator@SIN.X's Password: <password>
kinit: krb5_get_init_creds: unable to reach any KDC in realm SIN.X
It appears that Kerberos is failing to start, so I'm not sure where to go from here.

Someone far more knowledgeable than me indicated that nsupdate was not compiled with GSSAPI. I have no idea how to go about fixing this, but surely Frank and I aren't the only people having this problem.
 

ziyanm

Member

Thanks: 5
Messages: 43

#2
Thanks for the howto. Did you have to install any dependencies by hand or does waf handle it?

Regarding your Kerberos issue, you can use $ sockstat -l and $ pgrep to verify that the necessary daemons are started.

If you suspect that the problem is with $ nsupdate check if a samba-specific version is installed under /usr/local/bin. If so, get samba to use that one instead of the system-provided one in /usr/bin. You can check GSSAPI support by doing $ ldd /usr/local/bin/nsupdate to check what libraries it links to.
 

mix_room

Aspiring Daemon

Thanks: 45
Messages: 598

#3
I added the following to my /usr/local/samba/etc/smb.conf-file

Code:
nsupdate command = /usr/local/samba/sbin/samba_dnsupdate
server services = smb,dnsupdate,dns,winbind,kdc
In particular I think the
Code:
server services = ...,kdc
portion was important. Before adding it I had the same issues as you, after adding they no longer appear. I have not compiled anything with GSSAPI.

EDIT: there are other issues that I run into though, so this may not be the full solution to the problem.
 

QuinRiva

Member

Thanks: 2
Messages: 26

#4
Waf handled everything, I didn't have to manually install any dependencies.


I made the changes that mix_room suggested, and I'm now getting the same error as before:
Code:
host -t SRV _ldap._tcp.sin.x
Host _ldap._tcp.sin.x not found: 3(NXDOMAIN)
So I think it is definitely a DNS issue.
 

mix_room

Aspiring Daemon

Thanks: 45
Messages: 598

#5
QuinRiva said:
So I think it is definitely a DNS issue.
Also check which host you are using to resolve DNS-queries. Your samba server should be resolving DNS-queries, edit /etc/resolv.conf.
If you are using your ISP's DNS server, they will not know what is going on; same thing with your modem-router-firewall-NAT combo.
 

tanked

Active Member

Thanks: 1
Messages: 111

#7
I just thought I'd chime in and say that, whilst reading the posts by the Samba developers on Slashdot, they say DNS replication is not quite reliable yet and neither is replication of the sysvol share (rsync can be used for this though). Apparently it is currently recommended to only use 1 domain controller with Samba 4 at the moment.
 

QuinRiva

Member

Thanks: 2
Messages: 26

#8
Thanks for that tanked. I'm only using one DC (the machine that Samba4 is on), so there shouldn't be any issues with replication. I only have 5 machines connected to the domain, the FreeBSD server (DC) and 4 client PCs.
 

QuinRiva

Member

Thanks: 2
Messages: 26

#9
I've gotten a bit further but I'm stuck again. I've done a full reinstall of FreeBSD, and this time I'm going to try and use BIND9_DLZ. However the issue that I come across is the include statement (include "/usr/local/samba/private/named.conf";) in /etc/namedb/named.conf.
When I try to start named:
Code:
/etc/rc.d/named onestart
I get the following errors in the log file:
Code:
Dec 16 23:37:54 Vanity named[13638]: starting BIND 9.8.1-P1 -t /var/named -u bind
Dec 16 23:37:54 Vanity named[13638]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifad$
Dec 16 23:37:54 Vanity named[13638]: /etc/namedb/named.conf:296: open: /usr/local/samba/private/named.conf: file not found
Dec 16 23:37:54 Vanity named[13638]: loading configuration: file not found
Dec 16 23:37:54 Vanity named[13638]: exiting (due to fatal error)
Dec 16 23:37:54 Vanity test: /etc/rc.d/named: WARNING: failed to start named
I have confirmed that the user bind can read/write to:
Code:
Vanity# ls -lah /usr/local/samba/private/
total 11620
drwxr-xr-x   7 bind  wheel   1.0k Dec 16 23:56 .
drwxr-xr-x  10 root  wheel   512B Dec 16 22:06 ..
drwxrwx---   3 bind  wheel   512B Dec 16 22:06 dns
-rw-r-----   1 bind  wheel   657B Dec 16 22:06 dns.keytab
-rw-r--r--   1 bind  wheel   2.2k Dec 16 22:06 dns_update_list
-rw-------   1 bind  wheel   1.2M Dec 16 22:06 hklm.ldb
-rw-------   1 bind  wheel   1.5M Dec 16 22:06 idmap.ldb
-rw-r--r--   1 bind  wheel    86B Dec 16 22:06 krb5.conf
drwxr-x---   2 bind  wheel   512B Dec 16 22:06 ldap_priv
srwxrwxrwx   1 bind  wheel     0B Dec 16 22:06 ldapi
-rwxrwxr-x   1 bind  wheel   615B Dec 16 23:54 named.conf
-rwxrwxr-x   1 bind  wheel   204B Dec 16 22:06 named.conf.update
-rwxrwxr-x   1 bind  wheel   2.2k Dec 16 22:06 named.txt
-rw-------   1 bind  wheel   1.2M Dec 16 22:06 privilege.ldb
-rw-------   1 bind  wheel   696B Dec 16 22:06 randseed.tdb
-rw-------   1 bind  wheel   4.1M Dec 16 22:06 sam.ldb
drwxr-x---   2 bind  wheel   512B Dec 16 22:06 sam.ldb.d
-rw-------   1 bind  wheel   696B Dec 16 22:06 schannel_store.tdb
-rw-------   1 bind  wheel   967B Dec 16 22:06 secrets.keytab
-rw-------   1 bind  wheel   1.2M Dec 16 22:06 secrets.ldb
-rw-------   1 bind  wheel   420k Dec 16 22:06 secrets.tdb
-rw-------   1 bind  wheel   1.2M Dec 16 22:06 share.ldb
drwxr-xr-x   3 bind  wheel   512B Dec 16 22:06 smbd.tmp
-rw-r--r--   1 bind  wheel   955B Dec 16 22:06 spn_update_list
drwxr-xr-x   2 bind  wheel   512B Dec 16 22:06 tls
Vanity#
and :
Code:
Vanity# ls -lah /usr/local/samba/lib/bind9
total 184
drwxr-xr-x   2 bind  wheel   512B Dec 16 22:04 .
drwxr-xr-x  15 root  wheel   2.5k Dec 16 22:04 ..
-rwxr-xr-x   1 bind  wheel    85k Dec 16 22:02 dlz_bind9.so
-rwxr-xr-x   1 bind  wheel    85k Dec 16 22:02 dlz_bind9_9.so
Any ideas why it can't find that file? Am I chrooted?
 

QuinRiva

Member

Thanks: 2
Messages: 26

#11
Thanks kpa, I finally have a DNS Server up and running but I get an error regarding BIND not being able to find managed-keys.bind?

Code:
Dec 17 21:48:24 Vanity named[4670]: starting BIND 9.8.1-P1 -u bind
Dec 17 21:48:24 Vanity named[4670]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifadd$
Dec 17 21:48:24 Vanity named[4670]: command channel listening on 127.0.0.1#953
Dec 17 21:48:24 Vanity named[4670]: command channel listening on ::1#953
Dec 17 21:48:24 Vanity named[4670]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Dec 17 21:48:24 Vanity named[4670]: running
Dec 17 21:59:55 Vanity named[4670]: client 192.168.1.2#60822: update 'sin.x/IN' denied
Dec 17 22:00:00 Vanity named[4670]: client 192.168.1.2#62005: update 'sin.x/IN' denied
You'll notice that for some reason, trying to connect from my main computer (192.168.1.2) fails.
 

spanglefox

Active Member

Thanks: 14
Messages: 154

#12
Hello,

Just a quick note to say I have a working Samba 4 installation. I initially wanted to use BIND as the DNS resolver but did have issues with it in the chroot environment and issues after I had removed it from such.

It did have issues with Kerberos once I had removed BIND from the chroot.

I did chicken out and reprovision the domain using the samba backend DNS as I needed the system to be up and running asap. Everything worked fine from there.
 

heathen

New Member


Messages: 4

#13
Glad to see that Samba 4 works for you, guys. I can't even build it from sources, there are a few errors in source3/modules/vfs_zfsacl.c (too many/too few arguments in some functions). I have corrected these errors and can build Samba 4 now.

But there is another challenge. Now I can't get result from
Code:
samba-tool domain provision
If I run it without any parameters, I just get:
Code:
root@server:/usr/ports/shells # /usr/local/samba/bin/samba-tool domain provision
Realm []: wrkz.local
 Domain [wrkz]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE
Administrator password:
Retype password:
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.3.252
Looking up IPv6 addresses
set_sys_acl_no_snum: SMB_VFS_SYS_ACL_SET_FILE returned zero.
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 398, in run
    use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1956, in provision
    raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")
By the way, my FreeBSD's root is on the zfs pool.

If I change file server backend to ntvfs (just for test) then I get:
Code:
root@server:/usr/ports/shells # /usr/local/samba/bin/samba-tool domain provision --use-ntvfs --interactive --host-ip=192.168.3.252
Realm [WRKZ.RU]: wrkz.local
 Domain [wrkz]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE
Administrator password:
Retype password:
Looking up IPv6 addresses
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=wrkz,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
ERROR(ldb): uncaught exception - Empty RDN value on CN=,OU=Domain Controllers,DC=wrkz,DC=local not permitted!
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 398, in run
    use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 2058, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1661, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1364, in fill_samdb
    ntdsguid=ntdsguid)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1003, in setup_self_join
    "RIDALLOCATIONEND": str(next_rid + 100 + 499)})
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/common.py", line 50, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 224, in add_ldif
    self.add(msg, controls)
As far as I know there is an NFSv4/ZFS ACL module in Samba, but how do I get it working?

Could anybody give me advice on this situation?

Thank you in advance!
 

spanglefox

Active Member

Thanks: 14
Messages: 154

#14
Ahhh yes. I found that Samba 4 did not play well with ZFS. Which, as you pointed out in your post, is odd, given ZFS has ACLs at its heart (don't quote me on that). I was going to fire over to see if the Samba forums may have anything.

I only got Samba 4 working with a UFS+S filesystem and SAMBA_INTERNAL DNS.

A slight bit of useless info, but I managed to add Windows XP, 7 and 8 along with Server 2008R2 and 2012 to my created domain. Windows 8 domain logon is just freaky! That is, however, another story on Windows 8. Just sharing that information if it helps with your deployment.

Keep me updated on your progress!
 

von_Gaden

Active Member

Thanks: 11
Messages: 119

#15
I'm sure that Samba 4 will bring us the possibility of replacing AD controllers and extending their scalability and reliability. I look forward to its official version coming out.
But I'm a little bit conservative and I usually avoid installing development or not included in the Ports versions of software.
Is the New Samba 4 going to be included in the Ports soon?
 

spanglefox

Active Member

Thanks: 14
Messages: 154

#16
As far as I know the official version has been released.

That was what I was using. Samba-4.0.0 from http://www.samba.org. I believe the official production (stable??) release was in Dec. '12.

I too would be interested in when Samba-4.0.0 goes into ports (i.e. not rc/beta).
 

arez

New Member


Messages: 1

#17
heathen said:
As far as I know there is an NFSv4/ZFS ACL module in Samba, but how do I get it working?
Could anybody give me advice on this situation?
Thank you in advance!
ZFS Settings

You have to have at least zpool version 18, which was in FreeBSD 8.0 or newer.

Set the ACL Mode and Inheritance to passthrough:

Code:
$ zfs create -o mountpoint=/mydata zroot/mydata
$ zfs set aclmode=passthrough zroot/mydata
$ zfs set aclinherit=passthrough zroot/mydata
Now, you have ACLs:

Code:
# getfacl /mydata
# file: /mydata
# owner: root
# group: wheel
         everyone@:rwxpD-a-R-c--s:------:allow
       user:arez:r-x---a-R-c--s:fd----:allow
         user:foobar:r-x---a-R-c--s:fd----:allow
            owner@:rwxpD-aARWcCos:------:allow
            group@:rwxpD-a-R-c--s:------:allow
Now, unlike Solaris, which displays ZFS ACLs through ls -Z, FreeBSD uses setfacl and getfacl to set and get ACLs.

P.S.
Excuse me for my bad English.
 

gaileys

New Member


Messages: 1

#19
Everything worked fine but I'm struggling with Share permissions from Windows 7. Every time I use that to change perms I get:
Code:
an error occurred while applying security information
and
Code:
the parameter is incorrect
I've been messing around with ACLs to try to resolve this but nothing seems to work. This is the last step for me and I'm defeated by it! Any ideas?
 

linuxhelp

New Member


Messages: 11

#20
SAMBA4+Kerberos as PDC

Hi all,

I tried to set up Samba4 with Kerberos 5 and the Samba internal DNS (following the howtos in posts 3 and 4, current) on a clean FreeBSD 9.1 amd64, but I have trouble with the KDC connection; bind98 is installed with static zone files.

Code:
log.samba:
/usr/local/sbin/samba_dnsupdate: RuntimeError: kinit for FREEBSD$@HOME.LOCAL failed (Cannot contact any KDC for requested realm)

/etc/hosts #no errors
nslookup+dig recognize the server named FREEBSD.HOME.LOCAL # no errors

wbinfo -u / -g #shows users and groups successful

but:
smbclient -k -L //freebsd.home.local/netlogin -U domainuser  #fails cause no kerberos conn.

successful:
smbclient -L //freebsd.home.local/netlogin -U domainuser

kinit administrator@HOME.LOCAL #success login
klist # shows ticket successful..
Basic question: does Samba4 configure and handle Kerberos on its own? Or must a Kerberos server be enabled? Samba4 opens port 88. Why does samba-tool not allow DOMAINNAME = HOME.LOCAL, only "HOME"?

I have seen that port 764 wasn't online?

- Windows 7 Test-Client (clean setup) does not connect either.

sockstat -4:
Code:
user1   sshd       3058  3  tcp4   192.168.178.205:22    192.168.178.73:35925
root     sshd       3056  3  tcp4   192.168.178.205:22    192.168.178.73:35925
bind     named      2656  20 tcp4   192.168.178.205:53    *:*
bind     named      2656  21 tcp4   127.0.0.1:53          *:*
bind     named      2656  22 tcp4   127.0.0.1:953         *:*
bind     named      2656  512 udp4  192.168.178.205:53    *:*
bind     named      2656  513 udp4  127.0.0.1:53          *:*
root     samba4     2211  19 tcp4   *:88                  *:*
root     samba4     2211  20 udp4   *:88                  *:*
root     samba4     2211  21 tcp4   *:464                 *:*
root     samba4     2211  22 udp4   *:464                 *:*
root     samba4     2211  23 udp4   192.168.178.205:88    *:*
root     samba4     2211  24 udp4   192.168.178.205:464   *:*
root     samba4     2210  19 udp4   *:389                 *:*
root     samba4     2210  20 udp4   192.168.178.205:389   *:*
root     samba4     2209  20 tcp4   *:389                 *:*
root     samba4     2209  21 tcp4   *:636                 *:*
root     samba4     2209  22 tcp4   *:3268                *:*
root     samba4     2209  23 tcp4   *:3269                *:*
root     samba4     2207  19 udp4   *:137                 *:*
root     samba4     2207  20 udp4   *:138                 *:*
root     samba4     2207  21 udp4   192.168.178.255:137   *:*
root     samba4     2207  22 udp4   192.168.178.205:137   *:*
root     samba4     2207  23 udp4   192.168.178.255:138   *:*
root     samba4     2207  24 udp4   192.168.178.205:138   *:*
root     smbd       2206  42 tcp4   *:445                 *:*
root     smbd       2206  43 tcp4   *:139                 *:*
root     samba4     2205  31 tcp4   *:1024                *:*
root     samba4     2205  34 tcp4   *:135                 *:*
www      httpd      1652  4  tcp4   *:80                  *:*
www      httpd      1652  6  tcp4   *:443                 *:*
www      httpd      1651  4  tcp4   *:80                  *:*
www      httpd      1651  6  tcp4   *:443                 *:*
www      httpd      1650  4  tcp4   *:80                  *:*
www      httpd      1650  6  tcp4   *:443                 *:*
www      httpd      1649  4  tcp4   *:80                  *:*
www      httpd      1649  6  tcp4   *:443                 *:*
www      httpd      1648  4  tcp4   *:80                  *:*
www      httpd      1648  6  tcp4   *:443                 *:*
root     httpd      1566  4  tcp4   *:80                  *:*
root     httpd      1566  6  tcp4   *:443                 *:*
root     sshd       1559  4  tcp4   *:22                  *:*
mysql    mysqld     1539  10 tcp4   *:3306                *:*
ldap     slapd      869   7  tcp4   192.168.178.205:389   *:*
ldap     slapd      869   8  tcp4   127.0.0.1:389         *:*
root     vsftpd     847   3  tcp4   *:21                  *:*
root     perl       838   6  tcp4   *:10000               *:*
root     perl       838   7  udp4   *:10000               *:*
root     syslogd    549   9  udp4   *:514                 *:*
krb5.conf
Code:
[libdefaults]
        default_realm = HOME.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
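The sockstat check that ziyanm suggested in post #2, applied to a listing like the one above, as an added example (my own shell script, not from the thread or from the Samba project). It assumes the column layout of FreeBSD's sockstat -4 and that an AD DC must listen on the ports in EXPECTED_PORTS; the sample listing is constructed from the post above and keeps the two lines where samba4 and the system slapd both hold 389/tcp, which the conflict check reports.

```shell
#!/bin/sh
# Added example, not from the thread: check a `sockstat -4` listing for the
# ports an AD domain controller must serve and flag ports claimed by more than
# one process. Column layout assumed: USER COMMAND PID FD PROTO LOCAL FOREIGN.

# Kerberos, kpasswd, LDAP, LDAPS, global catalog, SMB, RPC endpoint mapper, DNS.
EXPECTED_PORTS="88 464 389 636 3268 445 135 53"

# Constructed sample, cut down from the listing in the post above; note that
# both samba4 (PID 2209) and slapd (PID 869) hold 389/tcp.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      2656  20 tcp4   192.168.178.205:53    *:*
root     samba4     2211  19 tcp4   *:88                  *:*
root     samba4     2211  20 udp4   *:88                  *:*
root     samba4     2211  21 tcp4   *:464                 *:*
root     samba4     2209  20 tcp4   *:389                 *:*
root     samba4     2209  21 tcp4   *:636                 *:*
root     samba4     2209  22 tcp4   *:3268                *:*
root     smbd       2206  42 tcp4   *:445                 *:*
root     samba4     2205  34 tcp4   *:135                 *:*
ldap     slapd      869   7  tcp4   192.168.178.205:389   *:*
www      httpd      1652  4  tcp4   *:80                  *:*'

# listening_ports LISTING -> "port command" per line for listening sockets
# (foreign address *:*), de-duplicated so a tcp/udp pair counts once.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $7 == "*:*" {
            n = split($6, a, ":"); port = a[n]
            key = port " " $2
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# missing_ports LISTING -> expected ports that no process listens on
missing_ports() {
    bound=$(listening_ports "$1" | awk '{ print $1 }')
    for p in $EXPECTED_PORTS; do
        printf '%s\n' "$bound" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# conflicting_ports LISTING -> ports bound by two or more different commands,
# which is how a system slapd or the base Heimdal kdc collides with Samba's own
conflicting_ports() {
    listening_ports "$1" |
        awk '{ n[$1]++ } END { for (p in n) if (n[p] > 1) print p }' | sort -n
}

# On a live DC:  missing_ports "$(sockstat -4l)"; conflicting_ports "$(sockstat -4l)"
```

An empty result from missing_ports means every service Samba should provide has a listener; anything printed by conflicting_ports is a second daemon that must be stopped or bound elsewhere before the Samba-provided one can answer on that port.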
 

mix_room

Aspiring Daemon

Thanks: 45
Messages: 598

#21
Are you using the net/samba4 or are you pulling the sources from git?
There might be some things that were patched away in the port, I would suggest using it.
 

spanglefox

Active Member

Thanks: 14
Messages: 154

#22
Well sadly at the moment our Samba 4 development is on pause (awaiting hardware to be purchased). I have not had the chance to tinker with the ports version of Samba 4. The only version I "know" as good and working was the original 4.0.0 release, which I installed by building the code downloaded directly from http://www.samba.org/.

As soon as I get back around to our Samba development I will help as I can.
 

von_Gaden

Active Member

Thanks: 11
Messages: 119

#23
Thank you all for sharing your experience with Samba 4!
Unlike our beloved FreeBSD, I think Samba lacks some exact and clear documentation, so we must rely on each other.

I started to test it prior to adopting it for production use. And I found a strange problem: the server (AD domain controller) is not visible when browsing the network (tested with Windows 7 and Windows XP). Note that machines join the domain successfully and domain users and groups are visible from clients. DNS (Samba internal) works fine too and the server is browseable by its UNC name (\\name or \\name.domain.suffix).
Any ideas?

Since I've started asking - can someone advise me what is better - Samba internal DNS or connection to BIND? I have some installations with authoritative DNS servers where I'd never put Samba DNS on Internet or allow BIND to run out-of it's chroot environment. I think about an option to use both and bind them to different network interfaces but maybe there is a better solution.

And one more thing: I see only numerical UIDs in the UFS ACLs created by Samba. Should I worry about not seeing the real usernames? By default Samba4 uses its internal LDAP and I've not seen directions on how to bind it to the system's NSSwitch, for example, nor have I tried to do that...

Thanks everybody once again and I'm looking forward to your advice!
 

mix_room

Aspiring Daemon

Thanks: 45
Messages: 598

#24
von_Gaden said:
I started to test it prior to adopting it for production use. And I found a strange problem: the server (AD domain controller) is not visible when browsing the network (tested with Windows 7 and Windows XP). Note that machines join the domain successfully and domain users and groups are visible from clients. DNS (Samba internal) works fine too and the server is browseable by its UNC name (\\name or \\name.domain.suffix).
Any ideas?
If I remember correctly this is not a bug but a feature(TM). I can't find any info on it right now, but I've read about others with the same issues somewhere.

And one more thing: I see only numerical UIDs in the UFS ACLs created by Samba. Should I worry about not seeing the real usernames? By default Samba4 uses its internal LDAP and I've not seen directions on how to bind it to the system's NSSwitch, for example, nor have I tried to do that...
I added the following to my /etc/nsswitch.conf, and it seems to work nicely.
Code:
group: files winbind
passwd: files winbind
 

igorino

Member

Thanks: 11
Messages: 52

#25
I had to elaborate a little more the /etc/krb5.conf file in order to enable Kerberos authentication, adding the [realms] section in that file did the trick:
Code:
[libdefaults]
        default_realm = IFSC.EDU
        default_keytab_name = FILE:/var/db/samba4/private/dns.keytab
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
        IFSC.EDU = {
                kdc = samba4.ifsc.edu:88
                default_domain = ifsc.edu
        }
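Pulling together the kinit failure in the first post (dns_lookup_kdc = true, "unable to reach any KDC") and the explicit [realms] stanza that fixed it in this post, the following added shell script (my own, not from the thread or from Samba) generates such a stanza from the SRV records the DC publishes and checks whether a krb5.conf pins at least one KDC for a realm. It assumes the host(1) output format shown in the first post, the realm SIN.X from that post, and a constructed second KDC (backup-dc.sin.x, invented only to show priority ordering).

```shell
#!/bin/sh
# Added example, not from the thread: build an explicit [realms] stanza for
# /etc/krb5.conf from the _kerberos and _kpasswd SRV records, so kinit does
# not depend on dns_lookup_kdc, and check that a config names a KDC at all.

REALM="SIN.X"   # constructed, taken from the first post

# Constructed sample of `host -t SRV _kerberos._udp.sin.x` and
# `host -t SRV _kpasswd._udp.sin.x` output; backup-dc.sin.x is invented.
SAMPLE_SRV='_kerberos._udp.sin.x has SRV record 0 100 88 vanity.sin.x.
_kerberos._udp.sin.x has SRV record 10 100 88 backup-dc.sin.x.
_kpasswd._udp.sin.x has SRV record 0 100 464 vanity.sin.x.'

# srv_targets SRV_OUTPUT SERVICE -> "host:port" per line, lowest priority
# first, then highest weight; the trailing dot of the target is stripped.
# host(1) fields: name has SRV record PRIORITY WEIGHT PORT TARGET
srv_targets() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        index($1, svc ".") == 1 && $3 == "SRV" {
            host = $8; sub(/\.$/, "", host)
            print $5, $6, host ":" $7
        }' | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# realms_stanza REALM SRV_OUTPUT -> a [realms] block listing every KDC and the
# kpasswd server, ready to append below [libdefaults] in krb5.conf.
realms_stanza() {
    realm="$1"; srv="$2"
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    printf '[realms]\n\t%s = {\n' "$realm"
    for t in $(srv_targets "$srv" "_kerberos._udp"); do
        printf '\t\tkdc = %s\n' "$t"
    done
    for t in $(srv_targets "$srv" "_kpasswd._udp"); do
        printf '\t\tkpasswd_server = %s\n' "$t"
    done
    printf '\t\tdefault_domain = %s\n\t}\n' "$lower"
}

# has_kdc_for REALM KRB5CONF_TEXT -> exit 0 if the realm's block carries at
# least one kdc line, i.e. kinit can reach a KDC even when SRV lookup fails.
has_kdc_for() {
    printf '%s\n' "$2" | awk -v realm="$1" '
        $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}" { inblock = 0 }
        inblock && $1 == "kdc" && $2 == "=" && $3 != "" { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# On a live DC, using the records the server itself publishes:
#   realms_stanza SIN.X "$(host -t SRV _kerberos._udp.sin.x; host -t SRV _kpasswd._udp.sin.x)"
```

If has_kdc_for fails against /etc/krb5.conf and the SRV query in the first post also returns NXDOMAIN, kinit has no way to locate the KDC at all; appending the generated stanza separates "Samba's KDC is not running" from "the client cannot find it", which is the distinction the thread kept tripping over.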