Unable to activate active directory domain controller in 7 RC1

NethServer Version: V7rc1
Module: Samba4 AD

Hi everyone,
while testing Zentyal and looking around for resources, I’ve been very pleased to discover Nethserver. Thank you for your work guys!

I’ve downloaded the 7 RC1 ISO image and gave it a shot in VirtualBox. Installation is fine, I’ve applied updates from Software center and installed VBoxLinuxAdditions without effort. After this, I’ve tried to install the modules I’m interested in: Active Directory, Mail and SOGo, among others, to set up a primary domain controller “small business” server.

When activating the AD module in the Users and Groups panel, I’m asked the IP address for my DC, on a bridged interface. I’m a “Debian man” :slight_smile: and having configured an AD PDC in Zentyal and Samba4 in vanilla Ubuntu 16.04, I don’t quite get how it works in Nethserver. I’ve entered the very same static IP address I’ve previously set for my testing machine, and checked “Create a bridge interface for the green network”. After a very long time, I get the following errors:

S95nethserver-dc-waitstart #5 (exit status 256)
S96nethserver-dc-join #6 (exit status 256)

I’ve also tried a fresh install with the Samba AD and File Server modules alone, with the same result, and even with a different, unused, IP address for the DC.

Please let me know if I’ve missed something or how I can provide further information.
Thanks,
Salvo

The AD runs inside a container which needs a different IP.
You should picture it as a virtual machine inside your server.

Just take a look to the manual:
http://docs.nethserver.org/en/v7rc/accounts.html#samba-active-directory

If you see any error, please post the relevant part from /var/log/messages.

1 Like

Remember to configure the network interface in promiscuous mode in VirtualBox!

1 Like

Hi Giacomo, Rolf,
thank you for the quick response. The network adapter in VirtualBox is set to bridged and has promiscuous mode set to Allow All as specified in the manual.
Giacomo, what do you mean by “picture it as a virtual machine inside your server”?
These are the last lines of my /var/log/messages.

Nov 4 16:29:55 ntest kernel: IPv6: ADDRCONF(NETDEV_CHANGE): vb-nsdc: link becomes ready
Nov 4 16:29:55 ntest kernel: br0: port 2(vb-nsdc) entered forwarding state
Nov 4 16:29:55 ntest kernel: br0: port 2(vb-nsdc) entered forwarding state
Nov 4 16:29:55 ntest systemd-nspawn: [#033[32m OK #033[0m] Started Network Service.
Nov 4 16:29:55 ntest systemd-nspawn: [#033[32m OK #033[0m] Reached target Network.
Nov 4 16:29:56 ntest kernel: br0: port 1(enp0s3) entered forwarding state
Nov 4 16:30:00 ntest systemd-nspawn: CentOS Linux 7 (Core)
Nov 4 16:30:00 ntest systemd-nspawn: Kernel 3.10.0-327.36.3.el7.x86_64 on an x86_64
Nov 4 16:30:10 ntest kernel: br0: port 2(vb-nsdc) entered forwarding state
Nov 4 16:34:49 ntest smbd[3665]: [2016/11/04 16:34:49.820802, 0] ../source3/printing/print_cups.c:151(cups_connect)
Nov 4 16:34:49 ntest smbd[3665]: Unable to connect to CUPS server localhost:631 - Transport endpoint is not connected
Nov 4 16:34:49 ntest smbd[2984]: [2016/11/04 16:34:49.820998, 0] ../source3/printing/print_cups.c:529(cups_async_callback)
Nov 4 16:34:49 ntest smbd[2984]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Nov 4 16:36:26 ntest systemd: Starting Cleanup of Temporary Directories...
Nov 4 16:36:26 ntest systemd: Started Cleanup of Temporary Directories.
Nov 4 16:47:50 ntest smbd[3892]: [2016/11/04 16:47:50.567272, 0] ../source3/printing/print_cups.c:151(cups_connect)
Nov 4 16:47:50 ntest smbd[3892]: Unable to connect to CUPS server localhost:631 - Transport endpoint is not connected
Nov 4 16:47:50 ntest smbd[2984]: [2016/11/04 16:47:50.568056, 0] ../source3/printing/print_cups.c:529(cups_async_callback)
Nov 4 16:47:50 ntest smbd[2984]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Nov 4 16:49:55 ntest esmith::event[1525]: [ERROR] could not connect to Samba Domain Controller
Nov 4 16:49:55 ntest esmith::event[1525]: Action: /etc/e-smith/events/nethserver-dc-save/S95nethserver-dc-waitstart FAILED: 1 [1201.805106]
Nov 4 16:49:55 ntest /sbin/e-smith/db[3928]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||LdapURI||Provider|none|status|disabled
Nov 4 16:49:55 ntest /sbin/e-smith/db[3928]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|10.0.0.13|LdapURI||Provider|none|status|disabled
Nov 4 16:49:55 ntest dbus[511]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Nov 4 16:49:55 ntest dbus-daemon: dbus[511]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Nov 4 16:49:55 ntest systemd: Starting Time & Date Service...
Nov 4 16:49:55 ntest dbus[511]: [system] Successfully activated service 'org.freedesktop.timedate1'
Nov 4 16:49:55 ntest dbus-daemon: dbus[511]: [system] Successfully activated service 'org.freedesktop.timedate1'
Nov 4 16:49:55 ntest systemd: Started Time & Date Service.
Nov 4 16:49:55 ntest /sbin/e-smith/db[3928]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|10.0.0.13|LdapURI||Provider|none|status|disabled
Nov 4 16:49:55 ntest /sbin/e-smith/db[3928]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|10.0.0.13|LdapURI||Provider|ad|status|disabled
Nov 4 16:49:55 ntest /sbin/e-smith/db[3928]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|10.0.0.13|LdapURI||Provider|ad|status|disabled
Nov 4 16:49:55 ntest /sbin/e-smith/db[3928]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|10.0.0.13|LdapURI||Provider|ad|status|enabled
Nov 4 16:49:56 ntest dnsmasq[3450]: exiting on receipt of SIGTERM
Nov 4 16:49:56 ntest systemd: Stopping DNS caching server....
Nov 4 16:49:56 ntest systemd: Started DNS caching server..
Nov 4 16:49:56 ntest systemd: Starting DNS caching server....
Nov 4 16:49:56 ntest dnsmasq[3933]: started, version 2.66 cachesize 4000
Nov 4 16:49:56 ntest dnsmasq[3933]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
Nov 4 16:49:56 ntest dnsmasq-tftp[3933]: TFTP root is /var/lib/tftpboot
Nov 4 16:49:56 ntest dnsmasq[3933]: using nameserver 10.0.0.13#53 for domain nalma.loc
Nov 4 16:49:56 ntest dnsmasq[3933]: using nameserver 8.8.8.8#53
Nov 4 16:49:56 ntest dnsmasq[3933]: read /etc/hosts - 2 addresses
Nov 4 16:49:56 ntest systemd: Stopped System Security Services Daemon.
Nov 4 16:49:56 ntest dbus[511]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Nov 4 16:49:56 ntest dbus-daemon: dbus[511]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Nov 4 16:49:56 ntest dbus[511]: [system] Successfully activated service 'org.freedesktop.realmd'
Nov 4 16:49:56 ntest dbus-daemon: dbus[511]: [system] Successfully activated service 'org.freedesktop.realmd'
Nov 4 16:49:56 ntest dbus[511]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Nov 4 16:49:56 ntest dbus-daemon: dbus[511]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Nov 4 16:49:56 ntest systemd: Starting Authorization Manager...
Nov 4 16:49:56 ntest polkitd[3945]: Started polkitd version 0.112
Nov 4 16:49:56 ntest dbus[511]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Nov 4 16:49:56 ntest systemd: Started Authorization Manager.
Nov 4 16:49:56 ntest dbus-daemon: dbus[511]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Nov 4 16:49:56 ntest realmd: * Resolving: _ldap._tcp.nalma.loc
Nov 4 16:50:11 ntest realmd: ! Discovery timed out after 15 seconds
Nov 4 16:50:11 ntest esmith::event[1525]: realm: No such realm found
Nov 4 16:50:11 ntest esmith::event[1525]: [WARNING] DC join attempt 1 of 3 failed! Wait a few seconds...
Nov 4 16:50:16 ntest realmd: * Resolving: _ldap._tcp.nalma.loc
Nov 4 16:50:31 ntest realmd: ! Discovery timed out after 15 seconds
Nov 4 16:50:31 ntest esmith::event[1525]: realm: No such realm found
Nov 4 16:50:31 ntest esmith::event[1525]: [WARNING] DC join attempt 2 of 3 failed! Wait a few seconds...
Nov 4 16:50:36 ntest realmd: * Resolving: _ldap._tcp.nalma.loc
Nov 4 16:50:51 ntest realmd: ! Discovery timed out after 15 seconds
Nov 4 16:50:51 ntest esmith::event[1525]: realm: No such realm found
Nov 4 16:50:51 ntest esmith::event[1525]: [WARNING] DC join attempt 3 of 3 failed! Wait a few seconds...
Nov 4 16:50:56 ntest esmith::event[1525]: [ERROR] DC join failed
Nov 4 16:50:56 ntest esmith::event[1525]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-join FAILED: 1 [60.837506]
Nov 4 16:50:57 ntest esmith::event[1525]: Password complexity activated!
Nov 4 16:50:57 ntest esmith::event[1525]: Password history length changed!
Nov 4 16:50:57 ntest esmith::event[1525]: Minimum password age changed!
Nov 4 16:50:57 ntest esmith::event[1525]: Maximum password age changed!
Nov 4 16:50:57 ntest esmith::event[1525]: All changes applied successfully!
Nov 4 16:50:57 ntest esmith::event[1525]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-password-policy SUCCESS [0.651015]
Nov 4 16:50:57 ntest esmith::event[1525]: Event: nethserver-dc-save FAILED

Looks like a DNS issue to me, but I can’t understand why.
Thank you,
Salvo
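A small triage script for a log like the one above, added here as an example; it is not part of this thread and not a NethServer tool. It reads /var/log/messages lines, pulls out the nethserver-dc-save action verdicts, the realmd SRV lookups and their timeouts, and the forwarder dnsmasq was given for the realm, then states what the combination implies: an unanswered `_ldap._tcp.<realm>` lookup while dnsmasq forwards that realm to the DC address means the host never got a DNS answer from the container, which is what "No such realm found" reflects. The sample lines are a constructed subset of the log posted above; the function and field names are this example's own.

```python
import os
import re
import sys
from collections import Counter

# Constructed sample: a subset of the /var/log/messages lines posted in this thread.
SAMPLE_LOG = """\
Nov 4 16:49:55 ntest esmith::event[1525]: [ERROR] could not connect to Samba Domain Controller
Nov 4 16:49:55 ntest esmith::event[1525]: Action: /etc/e-smith/events/nethserver-dc-save/S95nethserver-dc-waitstart FAILED: 1 [1201.805106]
Nov 4 16:49:56 ntest dnsmasq[3933]: using nameserver 10.0.0.13#53 for domain nalma.loc
Nov 4 16:49:56 ntest realmd: * Resolving: _ldap._tcp.nalma.loc
Nov 4 16:50:11 ntest realmd: ! Discovery timed out after 15 seconds
Nov 4 16:50:11 ntest esmith::event[1525]: realm: No such realm found
Nov 4 16:50:11 ntest esmith::event[1525]: [WARNING] DC join attempt 1 of 3 failed! Wait a few seconds...
Nov 4 16:50:16 ntest realmd: * Resolving: _ldap._tcp.nalma.loc
Nov 4 16:50:31 ntest realmd: ! Discovery timed out after 15 seconds
Nov 4 16:50:31 ntest esmith::event[1525]: realm: No such realm found
Nov 4 16:50:36 ntest realmd: * Resolving: _ldap._tcp.nalma.loc
Nov 4 16:50:51 ntest realmd: ! Discovery timed out after 15 seconds
Nov 4 16:50:51 ntest esmith::event[1525]: realm: No such realm found
Nov 4 16:50:56 ntest esmith::event[1525]: [ERROR] DC join failed
Nov 4 16:50:56 ntest esmith::event[1525]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-join FAILED: 1 [60.837506]
Nov 4 16:50:57 ntest esmith::event[1525]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-password-policy SUCCESS [0.651015]
Nov 4 16:50:57 ntest esmith::event[1525]: Event: nethserver-dc-save FAILED
"""

# Patterns for the message formats seen in the posted log (hypothetical names, this example's own).
ACTION_RE = re.compile(r"Action: (\S+) (FAILED|SUCCESS)(?:: (\d+))? \[([\d.]+)\]")
EVENT_RE = re.compile(r"Event: (\S+) (FAILED|SUCCESS)")
ERROR_RE = re.compile(r"\[ERROR\] (.*)$")
RESOLVE_RE = re.compile(r"realmd: \* Resolving: (\S+)")
TIMEOUT_RE = re.compile(r"realmd: ! Discovery timed out after (\d+) seconds")
NO_REALM_RE = re.compile(r"realm: No such realm found")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver ([\d.]+)#(\d+) for domain (\S+)")


def triage(log_text):
    """Summarise a nethserver-dc-save run from syslog text and explain the failure chain."""
    report = {
        "failed_actions": [],       # basenames of actions that reported FAILED, in order
        "action_seconds": {},       # action basename -> seconds it ran before its verdict
        "errors": [],               # [ERROR] messages from the event runner
        "srv_lookups": Counter(),   # SRV names realmd tried to resolve -> attempt count
        "discovery_timeouts": 0,
        "no_realm_found": 0,
        "realm_forwarders": {},     # domain -> (nameserver, port) dnsmasq forwards to
        "event_result": None,
        "findings": [],
    }
    for line in log_text.splitlines():
        if m := ACTION_RE.search(line):
            name = os.path.basename(m.group(1))
            report["action_seconds"][name] = float(m.group(4))
            if m.group(2) == "FAILED":
                report["failed_actions"].append(name)
        elif m := EVENT_RE.search(line):
            report["event_result"] = m.group(2)
        elif m := ERROR_RE.search(line):
            report["errors"].append(m.group(1))
        elif m := RESOLVE_RE.search(line):
            report["srv_lookups"][m.group(1)] += 1
        elif TIMEOUT_RE.search(line):
            report["discovery_timeouts"] += 1
        elif NO_REALM_RE.search(line):
            report["no_realm_found"] += 1
        elif m := FORWARD_RE.search(line):
            report["realm_forwarders"][m.group(3)] = (m.group(1), int(m.group(2)))

    # Interpretation: tie the SRV timeouts to the forwarder that should have answered them.
    if report["discovery_timeouts"]:
        for srv in report["srv_lookups"]:
            domain = srv.split("._tcp.", 1)[1] if "._tcp." in srv else srv
            fwd = report["realm_forwarders"].get(domain)
            if fwd:
                report["findings"].append(
                    f"{srv} went unanswered although dnsmasq forwards {domain} to "
                    f"{fwd[0]}:{fwd[1]}: the DC at {fwd[0]} is not answering DNS on the bridge")
            else:
                report["findings"].append(f"{srv} went unanswered and no forwarder is set for {domain}")
    if "S95nethserver-dc-waitstart" in report["failed_actions"]:
        report["findings"].append(
            "waitstart failed before the join, so the container never became reachable; "
            "the join failure is a consequence, not the root cause")
    return report


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    r = triage(text)
    print("event:", r["event_result"], "| failed:", ", ".join(r["failed_actions"]))
    print("SRV timeouts:", r["discovery_timeouts"], "| forwarders:", r["realm_forwarders"])
    for f in r["findings"]:
        print("-", f)
```

Run it as `python3 triage.py /var/log/messages` on the host; with no argument it runs over the embedded sample. The ordering matters: because waitstart times out first (here after about 1200 seconds), the three realmd lookups that follow can only fail, so the script reports the join as a consequence rather than the thing to investigate.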

Please see this:

NethServer 7.2 alpha 3 - "First Blood"

and this:

NethServer 7.2 alpha 3 - "First Blood"


Thanks Gabriel.
These are the settings I’ve tried and you see in the above log:
10.0.0.91 is my PC, VirtualBox host. Subnet is 255.255.255.0 (not my choice BTW).
10.0.0.17 is my Nethserver guest, hostname ntest.nalma.loc, and 10.0.0.13 is the free IP address I’ve specified in the DC configuration.
Still not understanding what I’m doing wrong! :frowning:

Can you check the clock on both “machines”?
On PC and NS?
If it is a DNS issue and the clock isn’t in sync, the DC join will fail.
I think I had such a situation when I tested on VirtualBox.

You have the same issue like here:

Try out Nethserver 7 beta1

@chuckk didn’t tell us if and how it was solved.

@flatspin suggested to set the interface to promiscuous mode “allow all”, but you already did that.

You made a nice catch: I’ve been snapshotting all day long and the system time of the guest went nuts.
I’m now retrying after using ntpdate, but it’s hung at “57%: adjust-services” for more than ten minutes now… with no messages in /var/log/messages
Edit: just finished, same errors on the web UI and same log.

I have the same error at 57%.
Let me find on forum that post.

OK!
I found it!

Experimenting with Samba Domain Controller

Can you test?

EDIT: and here:

KDC not present in NS7B1

EDIT 2:

After DC join fail, did you try “factory reset” as described here and after that to try again?

Hi Gabriel,
I’ve restarted everything from scratch, following the steps in the post you’ve linked. Same result unfortunately. Just to be verbose:

  • New virtual machine in VirtualBox 5.0.26, Ubuntu 14.04 host with IP address 10.0.0.91, LAN 1 as bridged adapter with promiscuous mode set to Allow All.
  • Installed Nethserver 7rc1 using all defaults but Rome timezone, Italian keyboard, and static IP address 10.0.0.17, netmask 24, gateway 10.0.0.254, hostname set to ntest.nalma.loc (edit: .com was a typo), set a non-default root password, no additional users.
  • Logged in at https://10.0.0.17:980 as root from my PC, applied updates in Software center. For the record, Software center took a long time to display packages; a page reload helped in between.
  • Edited contact information and self-signed certificate (relogged in after that).
  • Installed Samba AD module, and only that.
  • Reboot.
  • Tried to configure the Samba AD module specifying 10.0.0.13 (free) as DC IP address, checked to create a bridged interface.
  • Failed with the error already posted after several minutes.
  • Without closing the page, with the same settings I’ve tried another go, same result after 15 minutes.
    In past tests, the “factory reset” procedure didn’t help: same result over and over.

I’m starting to feel a little incompetent about that! Please let me know what do you think.

As a side note, I still don’t get why Samba has to be run in a container. It doesn’t look very KISS to me. As said, starting a PDC in vanilla Ubuntu 16.04 or in Zentyal 4.2 takes literally a few minutes (tested joining a Windows XP client), while here I’ve watched one and a half episodes of Lost (no pun intended) while trying :slight_smile:
The motivation published by Microsoft, recommending that the DC is on a separate host, seems a bit thin to me: even they didn’t follow that in Windows SBS. Sorry if this may sound rude, it isn’t meant to, I’m just a little frustrated, as I’ve not yet started to try anything! :frowning:
Thank you for your help,
Salvo

Hi Salvo,

Please give me a couple of hours to install Ubuntu on my laptop to try to reproduce your situation.

I will give feedback ASAP.

From here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

"Using the Domain Controller as a File Server

The Samba Active Directory (AD) domain controller (DC) is able to provide file shares, such as all other installation modes. However, the Samba team does not recommend to use a DC as file server because the DC smbd process has some limitations compared with the service in non-DC setups."

1 Like

Hi Gabriel,
thank you for your response. I’ll search more about the limitations of Samba as a DC ASAP. In my previous test environments they didn’t hit me, but it may be just me.

Meanwhile, I’ve repeated the whole test on my home PC, which has a very similar setup.
Host runs Ubuntu 15.04, IP address is 192.168.1.2, netmask is 24, gateway is 192.168.1.1, under a home router. VirtualBox is 4.3.26, and, repeating the steps in my previous message in the guest, using 192.168.1.20 for NS and 192.168.1.21 for the DC, the DC has been provisioned without errors!

Having checksummed the download on both my home PC and my office PC, and not willing to accept that the difference may be due to the host OS or VirtualBox versions :slight_smile: I guess we can blame the network setup at office?

There we already have a production Windows Server 2003 domain with a primary DC (which is of course a DNS server, and has DHCP enabled) and two secondary DCs. The whole network is behind a firewall, but my PC is allowed to pass through for outgoing traffic, just like at home, and there is a running Zentyal 4.2 test server acting as PDC for a test domain (which is a DNS server, and has DHCP disabled).

Thanks,
Salvo

1 Like

I think that was the problem!
You already have a DC on your network and maybe it has the same FQDN.

Enjoy now with NS 7RC!

PS:

  • You can mark the post as “solved” (your answer from above).
  • You gave me free time to solve other problems. Thank you!:smiley:

No, it doesn’t have the same FQDN unfortunately. They couldn’t be more different :slight_smile:

16 posts were split to a new topic: I still don’t get why Samba has to be run in a container

Besides the domain name, is it a problem for Nethserver if there is a DC in the same network even if the domain is totally different? If it is, I’m afraid Nethserver could not be the right choice for me, since I cannot turn off the existing production domain at once, and the migration to a new system would take some time.

I am using two PDCs, one is NS7RC1, in the same network, with different domain names, without issues.

1 Like

Gabriel, I’m so stubborn that tomorrow I’ll carry my home desktop PC at office to try from scratch in that network :slight_smile:

3 Likes