[Discuss] Replacing AD with Samba4

Chris Allen csallen1204 at gmail.com
Wed Aug 12 09:33:32 EDT 2015


I also run a test AD domain at home, but most of my servers are 
standalone and don't use an external server for authentication.

As an IT person, Active Directory has been a necessary evil, regardless 
if the majority of the server base is running Linux. All of the 
companies I have worked for have had an AD Domain, regardless if their 
products were Unix/Linux-based.

With that said, I have found that learning to run Active Directory on 
Linux has been a more in-depth learning experience than just firing up a 
Domain on a Windows server. AD is a collection of different protocols 
and learning how they interact will benefit you no matter what your 
preferred OS is. When you set up a domain in Windows, you are never 
exposed to the underpinnings like you are in Linux.

With AD, you don't even need to use Samba/Winbind for client 
authentication and do LDAP instead.

Going back to the original problems:

1) 'samba-tool drs showrepl' gets a NT_STATUS_LOGON_FAILURE (meaning I can't
verify that replication's working, or not).
Certain things need to be in place before you can talk to the DC:

2) The samba_dnsupdate process gets an error in syslog "RuntimeError: kinit
for DC03$@ETHER.CI.NET failed (Preauthentication failed)" and prevents the
internal DNS server from coming up.

There should be samba logs in /var/log that can give more detailed 
information. If it's not detailed enough, you should be able to make it 
more verbose.

When getting Linux machines talking to Windows AD, I’ve had to have the 
following in place:
-Manually adding a DNS entry in the AD DNS
-Setting a hostname identical to the DNS entry
-Pointing /etc/resolv.conf to the PDC/BDC DNS and setting the default 
search domain to the AD one
-Having NTP sync to the PDC/BDC, this is more important than you think 
because too much time skew will cause the server to stop responding to requests
-Editing the /etc/krb5.conf file because you need that keytab first and 
the vanilla default won't work:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  # The realm is the AD domain name in upper case
  default_realm = DOMAIN.COM
  dns_lookup_realm = false
  # KDCs are listed explicitly under [realms] rather than found via DNS SRV records
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
  DOMAIN.COM = {
    # The domain controllers (PDC/BDC); admin_server is the one kadmin talks to
    kdc = 192.168.0.1
    kdc = 192.168.0.2
    admin_server = 192.168.0.1
  }

[domain_realm]
  # Map the DNS domain, and every host under it, to the realm
  .domain.com = DOMAIN.COM
  domain.com = DOMAIN.COM

[appdefaults]
  pam = {
    debug = false
    ticketlifetime = 36000
    renewlifetime = 36000
    forwardable = true
    krb4_convert = false
  }

As for your Windows 2008 servers, if the license expires, you should 
still be able to continue to use them and get security updates. God only 
knows I have a few of those in non-production. The only thing that 
should happen is that you will get nag alerts that it's not a genuine 
Windows system.

Hope this helps

On 08/12/2015 08:59 AM, Edward Ned Harvey (blu) wrote:
>> From: Rich Braun [mailto:richb at pioneer.ci.net]
>>
>> I guess I didn't make it clear: this is my home LAN. My domain controllers
>> exist solely to support a couple of Windows instances that run software that
>> has yet to become available on Linux, and/or devices that want to
>> communicate
>> with SMB network shares.
> Oh - Uh - That makes a lot of sense now. ;-)
>
> The part that's still missing is: Why run a domain at all? Why not just let the couple of windows boxen run standalone, and use basic authentication to the SMB share?
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
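As an added example (not from Chris's message, Samba or MIT Kerberos), a small Python check that reads a krb5.conf like the one above and applies the preconditions from the checklist: an explicit kdc when dns_lookup_kdc is false, a [domain_realm] mapping for the realm, a hostname identical to the DNS entry, and clock skew inside the 300-second default Kerberos tolerates. The parser, the function names and the sample values are assumptions; the hostname, DNS name and skew are measured by the caller.

```python
# Constructed sample: the post's krb5.conf reduced to the sections the check reads.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = DOMAIN.COM
  dns_lookup_kdc = false
[realms]
  DOMAIN.COM = {
    kdc = 192.168.0.1
  }
[domain_realm]
  .domain.com = DOMAIN.COM
  domain.com = DOMAIN.COM
"""
MAX_SKEW = 300  # seconds; MIT Kerberos' default clockskew tolerance

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}; 'X = { ... }' blocks nest."""
    conf, section, sub = {}, {}, None
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        if line.startswith("["):            # [section]
            section, sub = conf.setdefault(line.strip("[]"), {}), None
        elif line.endswith("{"):            # REALM = {
            sub = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            sub = None
        else:                               # key = value (repeatable, e.g. kdc)
            key, _, value = line.partition("=")
            target = section if sub is None else sub
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def check_krb5_conf(conf, fqdn, dns_name, clock_skew):
    """Checklist problems behind a failing kinit; fqdn/dns_name/clock_skew are measured by the caller."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [""])[0]
    if not realm:
        return ["no default_realm in [libdefaults]"]
    if (libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() == "false"
            and not conf.get("realms", {}).get(realm, {}).get("kdc")):
        problems.append(f"dns_lookup_kdc = false but no kdc listed for {realm}")
    for key in (realm.lower(), "." + realm.lower()):
        if conf.get("domain_realm", {}).get(key, [""])[0] != realm:
            problems.append(f"[domain_realm] does not map {key} to {realm}")
    if fqdn.lower().rstrip(".") != dns_name.lower().rstrip("."):
        problems.append(f"hostname {fqdn} differs from DNS entry {dns_name}")
    if abs(clock_skew) > MAX_SKEW:
        problems.append(f"clock skew {clock_skew}s exceeds {MAX_SKEW}s")
    return problems
```

Feed it the output of `hostname -f`, the A record you created on the AD DNS, and the offset reported by your NTP client against the DC; an empty list means the file and host pass the checklist.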