antoniovalos n00b
Joined: 24 Mar 2023 Posts: 26
Posted: Mon Apr 10, 2023 12:23 pm Post subject: How to configure an Active Directory domain name
I installed Gentoo to make a Samba file server for Windows workstations as clients. I already installed Samba and configured it. The shares are working, and I can access them from Windows. I can also define restrictions for the distributed users. When the server user and the Windows user differ, I need to enter the server credentials to access the shares; when the server user and the Windows user have the same name and password, I can access the shares automatically.
I want to be able to log in on Windows with a server user by adding Windows to a domain. How can I configure a domain name on Gentoo to be able to add an Active Directory domain?
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
antoniovalos n00b
Joined: 24 Mar 2023 Posts: 26
Posted: Tue Apr 11, 2023 1:54 am
I am reading the article, and it tells me to use "samba-tools", but in my Samba installation I do not have such an application. I installed Samba by:
Code: |
# emerge --ask --noreplace net-fs/samba
|
without any USE flags.
What do I need to do differently to have this application available on my system?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
Posted: Tue Apr 11, 2023 3:29 am
I am using the following USE flags for net-fs/samba:
Code: |
# emerge -pv1 net-fs/samba
These are the packages that would be merged, in order:
[ebuild R ] net-fs/samba-4.18.0::gentoo USE="acl addc ads client json ldap pam python regedit syslog winbind zeroconf -ceph -cluster -cups -debug (-fam) -glusterfs -gpg -iprint -llvm-libunwind -profiling-data -quota (-selinux) -snapper -spotlight (-system-heimdal) -system-mitkrb5 -systemd (-test) -unwind" CPU_FLAGS_X86="aes" PYTHON_SINGLE_TARGET="python3_11 -python3_9 -python3_10" 0 KiB
|
This installed samba-tool as well. The latter is the main tool to set up and maintain a Samba DC.
To provision Samba as a Domain Controller, I used (in 2019) the following samba-tool call:
Code: |
samba-tool domain provision \
--realm=$REALM \
--domain=$DOMAIN \
--server-role=dc \
--dns-backend=BIND9_DLZ \
--host-ip=$HOSTIP \
--host-ip6=$HOSTIP6 \
--function-level=2008_R2 \
--use-rfc2307
|
(with all the variables set accordingly).
Especially for the DNS setup there are other options, depending on your overall system setup.
antoniovalos n00b
Joined: 24 Mar 2023 Posts: 26
Posted: Tue Apr 11, 2023 4:49 pm
I tried the command:
Code: |
# samba-tool domain provision --use-rfc2307 --interactive
|
I got this warning during the interactive configuration:
Code: |
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
|
I tried to restart samba:
Code: |
~# eselect rc restart samba
Restarting init script
setterm: terminal xterm does not support --blank
* samba -> start: smbd ...
* start-stop-daemon: failed to start `/usr/sbin/smbd' [ !! ]
* samba -> start: nmbd ...
* start-stop-daemon: failed to start `/usr/sbin/nmbd' [ !! ]
* Error: starting services (see system logs)
* samba -> stop: smbd ...
* start-stop-daemon: no matching processes found [ ok ]
* samba -> stop: nmbd ...
* start-stop-daemon: no matching processes found [ ok ]
* ERROR: samba failed to start
|
Log messages:
Code: |
[2023/04/11 13:37:53.739473, 0] ../../source3/smbd/server.c:1741(main)
smbd version 4.16.9 started.
Copyright Andrew Tridgell and the Samba Team 1992-2022
[2023/04/11 13:37:53.745364, 0] ../../source3/smbd/server.c:1798(main)
main: server role = 'active directory domain controller' not compatible with running smbd standalone.
You should start 'samba' instead, and it will control starting smbd if required
|
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
Posted: Tue Apr 11, 2023 4:59 pm
Please have a look at "/etc/conf.d/samba". It should look like this.
Code: |
# Add "winbind" to the daemon_list if you also want winbind to start.
# Replace "smbd nmbd" by "samba4" if you want the active directory domain controller part or the ntvfs
# file server part or the rpc proxy to start.
# Note that samba4 controls 'smbd' by itself, thus it can't be started manually. You can, however,
# tweak the behaviour of a samba4-controlled smbd by modifying your '/etc/samba/smb.conf' file
# accordingly.
daemon_list="samba4"
...
|
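A pre-flight check for exactly this mismatch, added here as an example (it is not code from the thread, from Gentoo's Samba packaging, or from the Samba project): it reads the server role from smb.conf and daemon_list from /etc/conf.d/samba and refuses the combination that produced the start-stop-daemon failure in the post above. The file paths and contents below are constructed.

```shell
# Added example: refuse the smb.conf / conf.d combination that made
# "eselect rc restart samba" fail above. All paths and files are constructed.

# Print the value of a key from the [global] section of an smb.conf.
smb_global_value() {  # $1 = smb.conf path, $2 = key (case-insensitive)
    awk -F= -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && NF >= 2 {
            k = tolower($1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }
        }' "$1"
}

# Print the (last) daemon_list value from /etc/conf.d/samba, quotes stripped.
confd_daemon_list() {  # $1 = conf.d/samba path
    sed -n 's/^[[:space:]]*daemon_list="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1
}

# 0 = consistent; 1 = AD DC role but smbd/nmbd would be started (the failure
# in the log above); 2 = samba4 would be started for a non-DC role.
check_samba_startup() {  # $1 = smb.conf, $2 = conf.d/samba
    role=$(smb_global_value "$1" 'server role' | tr 'A-Z' 'a-z')
    daemons=$(confd_daemon_list "$2")
    case "$role" in
        'active directory domain controller')
            case " $daemons " in
                *' samba4 '*) return 0 ;;
                *) echo "AD DC role but daemon_list=\"$daemons\"; set daemon_list=\"samba4\"" >&2; return 1 ;;
            esac ;;
        *)
            case " $daemons " in
                *' samba4 '*) echo "daemon_list=\"samba4\" but server role is '${role:-unset}'" >&2; return 2 ;;
                *) return 0 ;;
            esac ;;
    esac
}

# Constructed inputs: a [global] section like the one samba-tool provision
# writes, Gentoo's default daemon_list, and the corrected one.
tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
[global]
        realm = DOM.EXAMPLE.NET
        server role = active directory domain controller
EOF
printf 'daemon_list="smbd nmbd"\n' > "$tmp/samba.confd.bad"
printf 'daemon_list="samba4"\n'    > "$tmp/samba.confd.good"

for f in bad good; do
    check_samba_startup "$tmp/smb.conf" "$tmp/samba.confd.$f" && echo "$f: consistent"
done
```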
antoniovalos n00b
Joined: 24 Mar 2023 Posts: 26
Posted: Tue Apr 11, 2023 6:19 pm
I made this change, and now Samba is working. I tried to join a Windows workstation to the domain and ran into trouble.
In smb.conf I added an entry in the global section:
admin users = adminserv
and added this user and password.
When I made a typo, I got the message about an incorrect password or invalid user.
When I typed it right, the message said that it was not possible to join the domain because of the name of the computer. I tried other names, but the error persists [access denied].
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
Posted: Tue Apr 11, 2023 7:20 pm
For joining a workstation to the Domain, I suggest using the vanilla admin account created during DC setup (Administrator). No need to configure additional ones.
Btw. users have to be created in the DC database (samba-tool user ...).
What does your DNS setup look like, and how is the workstation resolved?
If the DC is dc.dom.mydomain.net, a workstation WS should have the name ws.dom.mydomain.net.
Ideally the reverse lookup of the corresponding IPs leads to the same name. My experience is that mismatches here lead to all kinds of obscure errors.
antoniovalos n00b
Joined: 24 Mar 2023 Posts: 26
Posted: Tue Apr 11, 2023 8:21 pm
I tried to add the user this way:
Code: |
~# samba-tool user add adminserver
|
And I tried to join the workstation to the domain using the login created this way.
For the domain name, I used a single word like "MYSERVER".
When creating the smb.conf file in interactive mode I got this warning:
Code: |
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
|
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
Posted: Tue Apr 11, 2023 8:54 pm
Please post the output of the following commands, executed on the Domain Controller:
Code: |
samba-tool group listmembers Administrators
samba-tool user getgroups adminserver
|
The user used to register the workstation must be in the Administrators group.
Code: |
host <name of DC>
host MYSERVER
host <IP address of MYSERVER>
|
What DNS backend do you use for Samba?
antoniovalos n00b
Joined: 24 Mar 2023 Posts: 26
Posted: Wed Apr 12, 2023 1:59 am
The outputs:
Code: |
~# samba-tool group listmembers Administrators
Enterprise Admins
Domain Admins
Administrator
|
Code: |
~# samba-tool user getgroups adminserver
Domain Users
|
DNS Backend: SAMBA_INTERNAL
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
Posted: Wed Apr 12, 2023 2:49 am
The user adminserver is not part of the Administrators group and therefore cannot be used for joining the Workstation.
Anyway, I strongly suggest using the Administrator account for that to keep it simple.
The steps to join a Windows Workstation to the Samba Domain are described here: https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain
The important parts are:
- Use a local admin account to log in to your Windows Workstation, as joining requires admin privileges on the Workstation.
- As soon as you are asked for the Domain Account to use for joining the Workstation, enter Administrator and the password you set during Domain provisioning.
If the join operation succeeds, the Workstation will restart and afterwards you will be able to log in to your Workstation using e.g. the user name "<Your Domain Name>\adminserver" (or any other user you created via samba-tool user add ...). Please note that this will be a new user profile on your Workstation. I am not aware of any way to convert a local user profile into a Domain user profile. However, there are tools available to copy data and settings from one profile to another.
antoniovalos n00b
Joined: 24 Mar 2023 Posts: 26
Posted: Fri Apr 14, 2023 5:46 pm
I used this tutorial to configure the Active Directory:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
and I got this warning message during the interactive configuration, but the domain is working fine, and I already joined the PC to the domain:
Code: |
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
|
Can I just ignore this message, or is this something I need to worry about?
How can I set up a custom administrator user?
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
Posted: Sat Apr 15, 2023 6:57 am
Regarding
Quote: |
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
|
Yes, you can ignore this message.
Regarding the admin user: simply add your user to the Administrators group. See your previous post regarding the available options:
Quote: |
~# samba-tool group listmembers Administrators
Enterprise Admins
Domain Admins
Administrator
|
Quote: |
~# samba-tool user getgroups adminserver
Domain Users
|
So
Code: |
samba-tool group addmembers Administrators adminserver
|
should do the trick.
antoniovalos n00b
Joined: 24 Mar 2023 Posts: 26
Posted: Tue Apr 18, 2023 3:25 pm
Is it possible to access my Samba server remotely without having to configure anything anywhere else, only configuring the server?
*the server has internet access
I want to access the Samba server remotely from a configured Windows workstation.
Is this possible?
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
Posted: Tue Apr 18, 2023 6:25 pm
Possible, yes. Simply use Google to find the port you have to expose.
From a security point of view this is not advisable.
You would have to harden the Samba configuration to not expose any known design flaws of the protocol. And even then, only simple password authentication protects your data.
Either use a VPN or web-based file access with proper MFA in front.
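To make "harden the Samba configuration" concrete, here is an added example (not hdcg's code and not from the Samba project) that audits an smb.conf for a few exposure-related settings. The option names are real smb.conf parameters, but which values count as acceptable is this example's own assumption, and both configs are constructed.

```shell
# Added example: audit an smb.conf for exposure-related hardening before any
# remote access is considered. Which values count as acceptable is this
# example's assumption; the option names are real smb.conf parameters.

# Print a key's value (last definition wins), trimmed and lowercased.
smb_value() {  # $1 = smb.conf path, $2 = key
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

note() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Print one FINDING line per weak or missing setting; return their count.
audit_smb_conf() {  # $1 = smb.conf path
    findings=0
    case "$(smb_value "$1" 'server min protocol')" in
        smb3|smb3_*) ;;   # SMB1/SMB2 dialects cannot use SMB3 encryption
        *) note "server min protocol: require SMB3 or later" ;;
    esac
    [ "$(smb_value "$1" 'smb encrypt')" = required ] \
        || note "smb encrypt: set to 'required' so payloads never cross the wire in clear"
    [ "$(smb_value "$1" 'server signing')" = mandatory ] \
        || note "server signing: set to 'mandatory' to reject unsigned sessions"
    [ -n "$(smb_value "$1" 'hosts allow')" ] \
        || note "hosts allow: unset, so any source address may connect; list LAN/VPN ranges"
    return $findings
}

# Constructed configs: the bare [global] samba-tool provision leaves behind,
# and the same with the settings above added (192.0.2.0/24 and 198.51.100.0/24
# stand in for a LAN and a VPN range).
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
[global]
        realm = DOM.EXAMPLE.NET
        server role = active directory domain controller
EOF
cat > "$tmp/hardened.conf" <<'EOF'
[global]
        realm = DOM.EXAMPLE.NET
        server role = active directory domain controller
        server min protocol = SMB3_11
        smb encrypt = required
        server signing = mandatory
        hosts allow = 127. 192.0.2. 198.51.100.
EOF

for c in weak hardened; do
    echo "== $c.conf"
    audit_smb_conf "$tmp/$c.conf" && echo "no findings"
done
```

Note that hosts allow only governs the SMB service; on an AD DC the other listeners (Kerberos, LDAP, DNS) still need firewall rules, which is one reason a VPN in front is the simpler answer.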
antoniovalos n00b
Joined: 24 Mar 2023 Posts: 26
Posted: Thu Apr 20, 2023 7:56 pm
I was looking for a solution to access Samba from home. I saw an "IPsec" VPN on the web interface and became interested in it, and I was looking for a configuration that lives on the server and on the client, but only if there is a safe way to do this.
In the office we have this configuration:
Internet -> router1 -> router2 -> server
I want to connect the clients to router2; the clients must be able to access the internet and the server, the server would not have network access, and clients connected to router1 must not be able to access the server.
How can I do this?