= Proposed Self Contained Change: Samba AD = https://fedoraproject.org/wiki/Changes/Samba_AD
Change owner(s):
* Alexander Bokovoy <abokovoy AT redhat DOT com>
* Andreas Schneider <asn AT redhat DOT com>
Samba AD is an open source implementation of an Active Directory set of tools and protocols. It allows Windows clients to be enrolled and managed using native Windows tools. In addition, Samba AD can serve as a domain controller for Fedora workstations and servers utilizing DCERPC, LDAP and Kerberos.
== Detailed Description ==
Samba AD is an implementation of the Active Directory set of tools and protocols. It is developed and released as part of the Samba suite. The upcoming Samba 4.7 release will contain changes that allow Samba AD to be built and used with MIT Kerberos. Prior to Samba 4.7 it was impossible to compile Samba AD with MIT Kerberos. As a result, Samba AD was not packaged in Fedora.
== Scope ==
* Proposal owners: Samba packages in Fedora already include a stub subpackage samba-dc that is going to be replaced with a full Samba AD implementation. Appropriate dependencies are already present in Fedora 27/Rawhide or will be added together with the Samba 4.7 update. This mostly concerns upgrades of Samba-related libraries: libtevent, libldb, libtdb, and an MIT Kerberos update to support new APIs added to accommodate Samba AD (already in Rawhide).
* Other developers: N/A (not a System Wide Change)
* Release engineering:
- https://pagure.io/releng/issue/6869
- We believe there is no impact on Release Engineering for this change
* List of deliverables: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)
On Thu, 29/06/2017 at 15:53 +0200, Jan Kurik wrote:
= Proposed Self Contained Change: Samba AD = https://fedoraproject.org/wiki/Changes/Samba_AD
This is good news.
I have implemented on Fedora 25 a samba 4.5.x rebuild with dc enabled + bind dns + dhcpd + ntpd
How can I help you when the first release of Fedora 27 + Samba 4.7 AD is ready?
Many thanks
--
Dario Lesca (sent from my Linux Fedora 25 Workstation)
On Sat, 01 Jul 2017, Dario Lesca wrote:
On Thu, 29/06/2017 at 15:53 +0200, Jan Kurik wrote:
= Proposed Self Contained Change: Samba AD = https://fedoraproject.org/wiki/Changes/Samba_AD
This is good news.
I have implemented on Fedora 25 a samba 4.5.x rebuild with dc enabled + bind dns + dhcpd + ntpd
How can I help you when the first release of Fedora 27 + Samba 4.7 AD is ready?
Thanks. Testing would be a primary goal, especially dependencies and upgrades. While no automatic upgrade to Samba AD is planned, we'd like to ensure a smooth distribution upgrade.
On Sat, 01/07/2017 at 06:29 +0300, Alexander Bokovoy wrote:
While no automatic upgrade to Samba AD is planned, we'd like to ensure a smooth distribution upgrade.
What does this mean?
I have on Fedora 25 a samba 4.5.x rebuild with this spec modification (and some others):
-%global with_mitkrb5 1 -%global with_dc 0 +%global with_mitkrb5 0 +%global with_dc 1
So now I use Heimdal Kerberos, not MIT Kerberos.
When Fedora 27 + Samba AD comes, how can I migrate the server?
Is this the right procedure?
If you just want to replace a DC with another DC, then you only need to add the new DC to the domain, let replication do its thing, transfer any FSMO roles from the old DC to the new DC, demote old DC and then turn off the old DC.
https://lists.samba.org/archive/samba/2016-September/202802.html
Or can I move /var/lib/samba, /etc/samba and some other stuff from the old server to the new server?
When the first (beta) F27 + samba 4.7 AD is released, I will try the upgrade in a test virtual environment.
Let me know
Thanks
On Sat, 01 Jul 2017, Dario Lesca wrote:
On Sat, 01/07/2017 at 06:29 +0300, Alexander Bokovoy wrote:
While no automatic upgrade to Samba AD is planned, we'd like to ensure a smooth distribution upgrade.
What does this mean?
I have on Fedora 25 a samba 4.5.x rebuild with this spec modification (and some others):
-%global with_mitkrb5 1 -%global with_dc 0 +%global with_mitkrb5 0 +%global with_dc 1
So now I use Heimdal Kerberos, not MIT Kerberos.
When Fedora 27 + Samba AD comes, how can I migrate the server?
By standing up a new DC and then removing the old DC from the topology. I don't think we are ever going to support any other upgrade path between Heimdal-based and MIT Kerberos-based Samba AD DCs.
Is this the right procedure?
If you just want to replace a DC with another DC, then you only need to add the new DC to the domain, let replication do its thing, transfer any FSMO roles from the old DC to the new DC, demote old DC and then turn off the old DC.
https://lists.samba.org/archive/samba/2016-September/202802.html
Yes, this is the right procedure.
Or can I move /var/lib/samba, /etc/samba and some other stuff from the old server to the new server?
While we tried to maintain the same ldb content between the backends, there is no guarantee that an in-place upgrade would work here. It is too fragile to replace the Heimdal build with the MIT build on the same machine.
When the first (beta) F27 + samba 4.7 AD is released, I will try the upgrade in a test virtual environment.
Sure!
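The replacement path agreed above (join a new DC, let replication settle, transfer the FSMO roles, demote the old DC), as an added example that is not part of the thread or of Samba's own tooling. The samba-tool subcommands are real; what is added here are the two checks before the irreversible steps, written as parsers of the output formats of `samba-tool drs showrepl` and `samba-tool fsmo show`. The realm dom.loc, the DC names NEWDC/OLDDC, the sample output and root ssh access to the old DC (demote has to run on the DC that is leaving) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Run on the NEW DC as root:
#   ./migrate.sh migrate dom.loc NEWDC OLDDC [administrator]
# With no arguments it only runs the parsers against the constructed samples.
set -u

# Count replication partners in `samba-tool drs showrepl` output (stdin)
# that report "N consecutive failure(s)." with N > 0.
repl_failures() {
    awk '/consecutive failure\(s\)/ { if ($1 + 0 > 0) n++ } END { print n + 0 }'
}

# Print the roles in `samba-tool fsmo show` output (stdin) that are NOT
# owned by the NTDS Settings object of DC $1. Prints nothing if it holds all.
fsmo_not_held_by() {
    awk -v dc="CN=NTDS Settings,CN=$1," '
        /Role owner:/ { role = $1; sub(/^[^:]*: */, ""); if (index($0, dc) != 1) print role }'
}

# The procedure itself. ssh as root to the old DC is an assumption here.
migrate() {
    realm=$1; new_dc=$2; old_dc=$3; admin=${4:-administrator}
    samba-tool domain join "$realm" DC -U"$admin" --dns-backend=BIND9_DLZ || return 1
    # do not move roles while any replication partner is failing
    while [ "$(samba-tool drs showrepl | repl_failures)" -ne 0 ]; do sleep 30; done
    samba-tool fsmo transfer --role=all || return 1
    if [ -n "$(samba-tool fsmo show | fsmo_not_held_by "$new_dc")" ]; then
        echo "not all FSMO roles are on $new_dc; leaving $old_dc in place" >&2
        return 1
    fi
    ssh "root@$old_dc" samba-tool domain demote -U"$admin"
}

# --- constructed sample output (not real captures) for offline checks ---
SITE='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=loc'
SAMPLE_SHOWREPL="==== INBOUND NEIGHBORS ====

DC=dom,DC=loc
	Default-First-Site-Name\\OLDDC via RPC
		Last attempt @ Thu Jul 27 14:39:53 2017 CEST was successful
		0 consecutive failure(s).

CN=Configuration,DC=dom,DC=loc
	Default-First-Site-Name\\OLDDC via RPC
		Last attempt @ Thu Jul 27 14:39:53 2017 CEST failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
		3 consecutive failure(s)."

# Seven roles; RID and ForestDnsZones are still on OLDDC in this sample.
sample_fsmo() {
    for r in Schema:NEWDC Infrastructure:NEWDC RidAllocation:OLDDC PdcEmulation:NEWDC \
             DomainNaming:NEWDC DomainDnsZones:NEWDC ForestDnsZones:OLDDC; do
        printf '%sMasterRole owner: CN=NTDS Settings,CN=%s,%s\n' "${r%%:*}" "${r#*:}" "$SITE"
    done
}

# Self-check on the samples: one failing partner, two roles not on NEWDC.
selfcheck() {
    [ "$(printf '%s\n' "$SAMPLE_SHOWREPL" | repl_failures)" = 1 ] &&
    [ "$(sample_fsmo | fsmo_not_held_by NEWDC | wc -l)" -eq 2 ]
}

case "${1:-selfcheck}" in
    selfcheck) selfcheck && echo "parsers ok";;
    migrate)   shift; migrate "$@";;
esac
```

The two checks are what protect the domain: transferring roles while a partner is still failing can leave two DCs believing they own a role, and demoting the old DC before the transfer is confirmed loses the roles with it.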
On Mon, 03 Jul 2017, Dario Lesca wrote:
On Mon, 03/07/2017 at 09:29 +0300, Alexander Bokovoy wrote:
When the first (beta) F27 + samba 4.7 AD is released, I will try the upgrade in a test virtual environment.
Sure!
Thanks! I'll let you know
So, we pushed 4.7.0-RC1 to Rawhide. Also, asn/samba_ad_dc COPR repo contains a rebuild for F25 and F26. Feel free to test that.
Note that right now FreeIPA in rawhide (and other Fedora versions) is not binary compatible with Samba 4.7.0. One needs to use the https://github.com/freeipa/freeipa/pull/901 patchset on FreeIPA git master to fix the incompatibilities. Hopefully, this patchset will get merged next week and we'll be able to get rawhide to a working state.
I think in mid-August we can run a Test Day too.
On Thu, 06/07/2017 at 15:44 +0300, Alexander Bokovoy wrote:
So, we pushed 4.7.0-RC1 to Rawhide. Also, asn/samba_ad_dc COPR repo contains a rebuild for F25 and F26. Feel free to test that.
Today I started to try f27+samba4.7.
Download and install Fedora 27 server rawhide https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Server/x86_64/iso/Fedora-Server-netinst-x86_64-Rawhide-20170724.n.0.iso
Install samba-dc:
# dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python
Install Bind:
# dnf -y install bind bind-utils
Run samba-tool:
# samba-tool domain provision \
    --realm=dom.loc \
    --domain=dom \
    --dns-backend=BIND9_DLZ \
    --use-rfc2307 \
    --server-role=dc \
    --function-level=2008_R2
I had to remove this option: --use-xattr=yes, it no longer exists.
Then I tried to configure bind and added this to /etc/named.conf:
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
include "/var/lib/samba/private/named.conf";
NOTE: the included files have the right permissions:
# ll /var/lib/samba/private/{dns.keytab,named.conf}
-rw-r-----. 1 root named 772 27 lug 13.46 /var/lib/samba/private/dns.keytab
-rw-r--r--. 1 root root  720 27 lug 13.46 /var/lib/samba/private/named.conf
But the folder is not accessible by the bind user:
# ll -ld /var/lib/samba/private/
drwx------. 6 root root 4096 27 lug 13.46 /var/lib/samba/private/
so I changed it with:
# chmod g+rx /var/lib/samba/private/
# chgrp named /var/lib/samba/private/
But when I start bind with:
# systemctl start named
I get this error:
lug 27 14:39:53 server-addc.dom.loc named[2418]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
lug 27 14:39:53 server-addc.dom.loc named[2418]: dlz_dlopen of 'AD DNS Zone' failed
lug 27 14:39:53 server-addc.dom.loc named[2418]: SDLZ driver failed to load.
lug 27 14:39:53 server-addc.dom.loc named[2418]: DLZ driver failed to load.
lug 27 14:39:53 server-addc.dom.loc named[2418]: loading configuration: failure
lug 27 14:39:53 server-addc.dom.loc named[2418]: exiting (due to fatal error)
lug 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Control process exited, code=exited status=1
lug 27 14:39:53 server-addc.dom.loc systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
lug 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Unit entered failed state.
lug 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Failed with result 'exit-code'.
The sam.ldb is present and accessible by named:
# ll -d /var/lib/samba/private/dns/sam.ldb
-rw-rw----. 1 root named 3014656 27 lug 13.46 /var/lib/samba/private/dns/sam.ldb
# ll -d /var/lib/samba/private/dns/
drwxrwx---. 3 root named 38 27 lug 13.46 /var/lib/samba/private/dns/
# ll -d /var/lib/samba/private/
drwxr-x---. 8 root named 4096 27 lug 15.10 /var/lib/samba/private/
If I start named as root (without systemd) with this command:
# /usr/sbin/named -u named -c /etc/named.conf
All works fine.
Any suggestions?
Many thanks
On 2017-07-27 15:16, Dario Lesca wrote:
.....
What does the unit file look like?
//Zdenek
On Thu, 27/07/2017 at 15:39 +0200, Zdenek Sedlak wrote:
How does the unit file look like?
Do you mean this:
# cat /usr/lib/systemd/system/named.service
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=named-setup-rndc.service
After=network.target

[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid

ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true

[Install]
WantedBy=multi-user.target
On Thu, 27/07/2017 at 15:16 +0200, Dario Lesca wrote:
On Thu, 06/07/2017 at 15:44 +0300, Alexander Bokovoy wrote: ..... But when I start bind with:
# systemctl start named
I get this error:
lug 27 14:39:53 server-addc.dom.loc named[2418]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
lug 27 14:39:53 server-addc.dom.loc named[2418]: dlz_dlopen of 'AD DNS Zone' failed
lug 27 14:39:53 server-addc.dom.loc named[2418]: SDLZ driver failed to load.
....
If I start named as root (without systemd) with this command:
# /usr/sbin/named -u named -c /etc/named.conf
All works fine.
Any suggestions?
If I run
# setenforce 0
and
# systemctl start named
the service starts without error.
So it is a SELinux problem, but in /var/log/audit/audit.log or journalctl I don't see any warning.
Any suggestions?
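The pair of symptoms in the message above (fails under systemd in enforcing mode, works after `setenforce 0`, works when started by hand, and nothing in audit.log) is what SELinux dontaudit rules produce: the denial happens but is deliberately not logged. The likely reason the hand-started copy works is that a daemon launched from a root shell usually stays in the shell's unconfined domain, while systemd transitions it into the confined named_t domain; that is an assumption about this particular host, not something the thread confirms. The added example below, which is not from the thread or from Fedora, shows the standard way to surface such denials (rebuild the policy with dontaudit rules disabled, reproduce once, collect, restore) and a small parser that reduces AVC records to source type, target type, class, program and permissions, which is what decides between a relabel, a boolean and a local policy module. The type names in the sample (named_t for BIND, samba_var_t for /var/lib/samba) are the ones Fedora policy uses; the records themselves are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Usage, as root on the affected DC:
#   ./hidden_denials.sh named
# With no argument it only parses the constructed sample records.
set -u

# avc_summary: AVC records on stdin (audit.log or ausearch output) ->
# "<scontext type> <tcontext type> <tclass> <comm> <permissions>" per denial
avc_summary() {
    awk '
    /avc: *denied/ {
        perm = $0; sub(/.*denied  *\{ */, "", perm); sub(/ *\}.*/, "", perm)
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        comm = "?"; if (match($0, /comm="[^"]*"/)) comm = substr($0, RSTART + 6, RLENGTH - 7)
        print s[3], t[3], cls, comm, perm
    }'
}

# hidden_denials SERVICE: disable dontaudit rules, reproduce the failure once,
# print the unique denials, then rebuild the policy with dontaudit restored.
hidden_denials() {
    semodule -DB                          || return 1   # -D: no dontaudit, -B: rebuild
    systemctl restart "$1" 2>/dev/null    || true       # failing here is expected
    ausearch -m AVC,USER_AVC -ts recent 2>/dev/null | avc_summary | sort -u
    semodule -B                                         # put dontaudit rules back
}

# Constructed records in audit.log format (not real captures). The third
# line is a SYSCALL record and must be ignored by the parser.
SAMPLE_AVC='type=AVC msg=audit(1501159193.123:456): avc:  denied  { search } for  pid=2418 comm="named" name="private" dev="dm-0" ino=1200 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1501159193.123:457): avc:  denied  { read write open } for  pid=2418 comm="named" name="sam.ldb" dev="dm-0" ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1501159193.123:457): arch=c000003e syscall=2 success=no exit=-13 comm="named"'

# Summary of the sample: two denials, both named_t acting on samba_var_t.
sample_summary() { printf '%s\n' "$SAMPLE_AVC" | avc_summary; }

[ $# -eq 0 ] || hidden_denials "$1"
```

Reading the summary: a source of named_t against a target type that belongs to another service (here samba_var_t) means the file carries a label BIND's policy was never meant to touch, so the answer is either a dedicated label for the DLZ files shipped by the policy, or a local module from `audit2allow`; a boolean only helps when the denial is against a type named_t already has conditional access to.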
On Thu, 27/07/2017 at 15:16 +0200, Dario Lesca wrote:
But the folder is not accessible by the bind user:
# ll -ld /var/lib/samba/private/
drwx------. 6 root root 4096 27 lug 13.46 /var/lib/samba/private/
so I changed it with:
# chmod g+rx /var/lib/samba/private/
# chgrp named /var/lib/samba/private/
I have filed this bug https://bugzilla.redhat.com/show_bug.cgi?id=1476175
# systemctl start named
I get this error:
lug 27 14:39:53 server-addc.dom.loc named[2418]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
lug 27 14:39:53 server-addc.dom.loc named[2418]: dlz_dlopen of 'AD DNS Zone' failed
lug 27 14:39:53 server-addc.dom.loc named[2418]: SDLZ driver failed to load.
.....
And this: https://bugzilla.redhat.com/show_bug.cgi?id=1476187