Add/Replace existing AD Domain Controller with ns7

I can give it a try, sure. Can I take it that there will be an option in the future to join a NethServer as a Domain Controller to an existing domain?

1 Like

If Samba has that feature, we can say NethServer is going to have it too!

follow upstream

Fair enough, I look forward to it.

Did you have a command-line method to get this to work? I can test it for you.

1 Like

This is the starting point:

  • install nethserver-dc
  • run the action nethserver-dc-install manually
  • configure a bridge interface (say br0)
  • config setprop nsdc IpAddress $SOMEIP bridge br0 status enabled (e.g. SOMEIP=192.168.122.123)
  • expand the nethserver-dc-save templates manually
  • disable the provision unit: systemctl --root=/var/lib/machines/nsdc disable samba-provision.service
  • systemctl start nsdc
  • log on to nsdc: systemd-run -t -M nsdc /bin/bash

Refer to Samba wiki to run samba-tool manually:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

1 Like

I understand that the Samba DC runs in a container, or sandbox of some sort, correct? Do you have some info on getting in there in order to run these commands?

Just updated my comment above with some commands, please poke me if more are required!

For instance, to install additional packages in nsdc and make experiments run from the host machine:

yum -y --releasever=7 --installroot=/var/lib/machines/nsdc install iputils iproute ...and-so-on

2 Likes

I’m not following the template extraction process. I’m expecting that I am not running that script directly as it appears to be creating that bridge and other items to sandbox off the DC.

Could I get some clarification on the template process?

Please invest some time to search here and in the documentation about templating…
Almost all conf files are templatized… if you want to deal with NS, you’ve got to learn how templates work.

1 Like

You can start from this:
http://docs.nethserver.org/projects/nethserver-devel/en/latest/templates.html
and
http://docs.nethserver.org/projects/nethserver-devel/en/latest/databases.html

just run

expand-template <file>

1 Like

Is Samba 4 joining an existing domain as a domain controller going to be supported in release 7 or will that be for another release?

Yesterday, I succeeded on joining nsdc to an existing AD domain with a manual procedure.

I’m going to write down a wiki page with the detailed steps.

I guess we’ll release a UI during the ns7 lifecycle, after the ns7 Final release.

Edit: here we go!

http://wiki.nethserver.org/doku.php?id=howto:add_ns7_samba_domain_controller_to_existing_active_directory

3 Likes

Can we test this procedure in depth? I’m keen to see it in action :slight_smile:
@Walter_Schoenly @Stefano_Zamboni

well, I’m not using NS nor windows :slight_smile:

Sorry, since you often write and answer questions here I supposed you were a user and would like to help us improve the product. My fault!

I’m doing it already :wink:

I’m going to test this both with Windows and pre-existing Samba4 DCs… will report back on this thread with any findings.

Thanks @davidep for the wiki entry!

Wiki page contents were updated!

2 Likes

Hello, I tested joining NethServer/NSDC to a Windows Server 2003 R2 Standard and at least the joins worked.
I used https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory as a starting point.
I set up a new domain admin called superuser to make the joins.
I did:

systemd-run -M nsdc -t /bin/bash

On the NSDC:

echo domain cmb.local > /etc/resolv.conf

Added my Windows Server as nameserver

echo nameserver 192.168.1.20 >> /etc/resolv.conf

Joining:

samba-tool domain join cmb DC -U"CMB\superuser" --dns-backend=NONE --simple-bind-dn=CN=superuser,CN=Users,DC=cmb,DC=local

Result of joining:

Finding a writeable DC for domain ‘cmb’
Found DC zeus.cmb.local
Password for [CN=superuser,CN=Users,DC=cmb,DC=local]:
workgroup is CMB
realm is cmb.local
Adding CN=NSDC-TESTSERVER,OU=Domain Controllers,DC=cmb,DC=local
Adding CN=NSDC-TESTSERVER,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding CN=NTDS Settings,CN=NSDC-TESTSERVER,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding SPNs to CN=NSDC-TESTSERVER,OU=Domain Controllers,DC=cmb,DC=local
Setting account password for NSDC-TESTSERVER$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=cmb,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[402/1677] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[804/1677] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1206/1677] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1553/1677] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=cmb,DC=local] objects[402/4808] linked_values[0/0]
Partition[CN=Configuration,DC=cmb,DC=local] objects[804/4808] linked_values[0/0]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1206/4808] linked_values[0/0]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1608/4808] linked_values[0/0]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1703/4808] linked_values[0/0]
Replicating critical objects from the base DN of the domain
Partition[DC=cmb,DC=local] objects[94/94] linked_values[0/0]
Partition[DC=cmb,DC=local] objects[326/3469] linked_values[0/0]
Done with always replicated NC (base, config, schema)
Exop on[CN=RID Manager$,CN=System,DC=cmb,DC=local] objects[3] linked_values[0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain CMB (SID S-1-5-21-2773429375-1845033767-2786721901) as a DC

Replication test looks good:

bash-4.2# samba-tool drs showrepl
Standardname-des-ersten-Standorts\NSDC-TESTSERVER
DSA Options: 0x00000001
DSA object GUID: 1cb522fe-8296-4bb2-8fc6-688d0fd8779a
DSA invocationId: 73102b65-96ed-42ba-bbbc-79d7c097209d

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Mon Aug 28 03:20:34 2017 CEST was successful
0 consecutive failure(s).
Last success @ Mon Aug 28 03:20:34 2017 CEST

CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Mon Aug 28 03:20:34 2017 CEST was successful
0 consecutive failure(s).
Last success @ Mon Aug 28 03:20:34 2017 CEST

DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Mon Aug 28 03:20:37 2017 CEST was successful
0 consecutive failure(s).
Last success @ Mon Aug 28 03:20:37 2017 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Mon Aug 28 03:04:41 2017 CEST was successful
0 consecutive failure(s).
Last success @ Mon Aug 28 03:04:41 2017 CEST

CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Mon Aug 28 03:04:41 2017 CEST was successful
0 consecutive failure(s).
Last success @ Mon Aug 28 03:04:41 2017 CEST

DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Mon Aug 28 03:04:41 2017 CEST was successful
0 consecutive failure(s).
Last success @ Mon Aug 28 03:04:41 2017 CEST

==== KCC CONNECTION OBJECTS ====

Joining the NethServer to AD worked after a few tries and reboots. I think the DNS update error is because of selecting dns-backend=NONE when joining.

[root@testserver ~]# net ads join -Usuperuser
Enter superuser’s password:
Using short domain name -- CMB
Joined ‘TESTSERVER’ to dns domain ‘cmb.local’
DNS update failed: NT_STATUS_IO_TIMEOUT

Failed joins looked like:

[root@testserver ~]# net ads join -Usuperuser
Enter superuser’s password:
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Failed to join domain: failed to connect to AD: An internal error occurred.

I created a user named testuser1 with “samba-tool user create testuser1” and it was replicated after some hours, so I could see it on the Windows Server, which made me really happy.

But I’m still having problems with Kerberos:

[root@testserver ~]# kinit
kinit: Cannot find KDC for realm “CMB.LOCAL” while getting initial credentials

[root@testserver ~]# net domain -k -S192.168.1.20 -Uadministrator
Enter administrator’s password:
Kinit for administrator to access (null) failed: Cannot find KDC for requested realm

Enumerating domains:

    Domain name          Server name of Browse Master
    -------------        ----------------------------
    CMB                  ZEUS
    WORKGROUP            LIBREELEC

/var/log/messages is full of:

Aug 28 04:00:33 testserver dnsmasq[943]: Maximum number of concurrent DNS queries reached (max: 150)

Giving up for today…

Unfortunately I saw this thread and the instructions in the wiki after trying these things on my own. I’ll give it another try with the help of the wiki and report back my experiences to this thread…

1 Like

Next try, with a little help from the wiki:

Now Kerberos seems to work:

[root@testserver ~]# kinit
Password for administrator@CMB.LOCAL:
[root@testserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CMB.LOCAL

Replication seems to be OK. GOLIATH (W2008) doesn’t exist anymore, but ZEUS (W2003) is there and has no errors; however, the output gets longer from day to day:

bash-4.2# samba-tool drs showrepl
Standardname-des-ersten-Standorts\NSDC-TESTSERVER
DSA Options: 0x00000001
DSA object GUID: aa5c6fb2-66f4-47b1-b780-b55baa197b0e
DSA invocationId: 080d2f81-a653-4c4b-a1e6-4dec8abfde8e

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 03:04:59 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 03:04:59 2017 CEST

DC=ForestDnsZones,DC=cmb,DC=local
Standardname-des-ersten-Standorts\GOLIATH via RPC
DSA object GUID: 2235df69-738f-4018-ac30-06cb3cdf9472
Last attempt @ Tue Aug 29 03:05:59 2017 CEST failed, result 121 (WERR_SEM_TIMEOUT)
6 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 03:05:59 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 03:05:59 2017 CEST

DC=DomainDnsZones,DC=cmb,DC=local
Standardname-des-ersten-Standorts\GOLIATH via RPC
DSA object GUID: 2235df69-738f-4018-ac30-06cb3cdf9472
Last attempt @ Tue Aug 29 03:01:59 2017 CEST failed, result 121 (WERR_SEM_TIMEOUT)
5 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 03:01:59 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 03:01:59 2017 CEST

CN=Schema,CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\GOLIATH via RPC
DSA object GUID: 2235df69-738f-4018-ac30-06cb3cdf9472
Last attempt @ Tue Aug 29 03:02:59 2017 CEST failed, result 121 (WERR_SEM_TIMEOUT)
5 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 03:02:59 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 03:02:59 2017 CEST

CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\GOLIATH via RPC
DSA object GUID: 2235df69-738f-4018-ac30-06cb3cdf9472
Last attempt @ Tue Aug 29 03:03:59 2017 CEST failed, result 121 (WERR_SEM_TIMEOUT)
5 consecutive failure(s).
Last success @ NTTIME(0)

DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 03:04:59 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 03:04:59 2017 CEST

DC=cmb,DC=local
Standardname-des-ersten-Standorts\GOLIATH via RPC
DSA object GUID: 2235df69-738f-4018-ac30-06cb3cdf9472
Last attempt @ Tue Aug 29 03:04:59 2017 CEST failed, result 121 (WERR_SEM_TIMEOUT)
5 consecutive failure(s).
Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 02:38:22 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 02:38:22 2017 CEST

DC=DomainDnsZones,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 02:38:22 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 02:38:22 2017 CEST

CN=Schema,CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 02:38:22 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 02:38:22 2017 CEST

CN=Configuration,DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 02:38:22 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 02:38:22 2017 CEST

DC=cmb,DC=local
Standardname-des-ersten-Standorts\ZEUS via RPC
DSA object GUID: 2a3fbf55-751c-48e5-af46-e478727bd509
Last attempt @ Tue Aug 29 02:38:22 2017 CEST was successful
0 consecutive failure(s).
Last success @ Tue Aug 29 02:38:22 2017 CEST

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: df396807-b5eb-4ae6-a0db-0f23261b5943
Enabled : TRUE
Server DNS name : goliath.cmb.local
Server DN name : CN=NTDS Settings,CN=GOLIATH,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=cmb,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 5e22eb29-223d-4f03-97e4-f4ed4548ac76
Enabled : TRUE
Server DNS name : zeus.cmb.local
Server DN name : CN=NTDS Settings,CN=ZEUS,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=cmb,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!

Valid starting Expires Service principal
08/29/2017 02:45:57 08/29/2017 12:45:57 krbtgt/CMB.LOCAL@CMB.LOCAL
renew until 08/30/2017 02:45:51

And the following command shows nothing, so it’s still not working:

[root@testserver ~]# getent passwd administrator
[root@testserver ~]#

That’s it for today. Time for GOT now.

1 Like
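A defender-side check for the `samba-tool drs showrepl` output posted in the two replies above (an added example, not code from the thread or from the NethServer project): it parses the INBOUND/OUTBOUND neighbor blocks and flags partners that keep failing or never succeeded (`Last success @ NTTIME(0)`), which is the pattern left behind by a partner DC such as GOLIATH that was removed while its replication metadata lingers. The sample text is a constructed excerpt shaped like that output; the function and regex names are my own.

```python
import re

# Constructed excerpt shaped like the `samba-tool drs showrepl` output posted in the thread
SHOWREPL = """\
==== INBOUND NEIGHBORS ====
DC=cmb,DC=local
\tStandardname-des-ersten-Standorts\\ZEUS via RPC
\t\tLast attempt @ Tue Aug 29 03:04:59 2017 CEST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Tue Aug 29 03:04:59 2017 CEST
DC=cmb,DC=local
\tStandardname-des-ersten-Standorts\\GOLIATH via RPC
\t\tLast attempt @ Tue Aug 29 03:04:59 2017 CEST failed, result 121 (WERR_SEM_TIMEOUT)
\t\t5 consecutive failure(s).
\t\tLast success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
"""

SECTION_RE = re.compile(r"^==== (\w+) ")
PARTNER_RE = re.compile(r"^(?P<site>[^\\]+)\\(?P<dc>\S+) via (?P<transport>\w+)$")
FAILURES_RE = re.compile(r"^(\d+) consecutive failure\(s\)")

def parse_showrepl(text):
    """One dict per (direction, partition, partner DC) entry in the neighbor sections."""
    entries, section, cur = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if (m := SECTION_RE.match(line)):
            section = m.group(1)                  # INBOUND, OUTBOUND or KCC
        elif section not in ("INBOUND", "OUTBOUND"):
            continue                              # DSA header and KCC blocks have another shape
        elif line.startswith(("DC=", "CN=")):     # a partition DN opens a new entry
            cur = {"direction": section, "partition": line}
            entries.append(cur)
        elif (m := PARTNER_RE.match(line)):
            cur.update(dc=m.group("dc"), transport=m.group("transport"))
        elif (m := FAILURES_RE.match(line)):
            cur["failures"] = int(m.group(1))
        elif line.startswith("Last success @ "):
            cur["last_success"] = line[len("Last success @ "):]
    return entries

def unhealthy(entries):
    """Entries with consecutive failures, or that never succeeded (NTTIME(0))."""
    return [e for e in entries if e.get("failures", 0) or e.get("last_success") == "NTTIME(0)"]

def stale_partners(entries):
    """DCs that never replicated successfully in any direction (a removed DC like GOLIATH whose metadata lingers)."""
    healthy = {e["dc"] for e in entries if e.get("last_success") not in (None, "NTTIME(0)")}
    return sorted({e["dc"] for e in entries} - healthy)
```

Feed it `samba-tool drs showrepl` output from inside the nsdc container; a non-empty `stale_partners()` result is the cue to look at the leftover NTDS Settings objects of that DC rather than at the join itself.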