How can I promote openSUSE 13.1 64 bit to be an AD Domain controller?

How can I promote openSUSE 13.1 64 bit to be an AD Domain controller? I can see in YaST that I have installed the Samba version 4.1.0-3.5.1, but if I check the Samba version with the command samba -V I get the error that ‘samba’ is not a typo; the same for the command samba-tool domain provision --interactive

thanks

Why use AD? I have found no need for this unless you are using this at work. For all things Samba and a Workgroup please look here:

S.A.C.T. - Samba Automated Configuration Tool - Version 1.06 - Blogs - openSUSE Forums

Thank You,

I require an AD Domain controller for a test environment before implementation for a network that requires group policies and other AD functions, and since Samba 4.1 now includes support for AD I think it is time to take advantage of this in openSUSE.

On 11/27/2013 10:16 AM, Easgs wrote:
>
> I require an AD Domain controller for a test environment before
> implementation for a network that requires group policies and other AD
> functions, and since Samba 4.1 now includes support for AD I think it is
> time to take advantage of this in openSUSE.
>
>
Easgs;

Are you familiar with this document?

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO


P.V.
“We’re all in this together, I’m pulling for you” Red Green

A big question when you setup a Domain Controller is whether you are setting up the first DC in the Domain or if it’s an additional.

The latter should be nearly trivial (I’ve read the documentation although haven’t yet had the opportunity to do it).
Generally speaking you only need to promote to the DC role and configure AD to replicate to it.
I haven’t checked for YAST support for configuring the SAMBA role so can’t comment on that, but there should be plenty of documentation for doing it from CLI.

If an AD already exists, I highly recommend doing that… Then if you wish you can remove your SAMBA DC from the network.
That way, you import all the AD objects (which is more extensive than simply building LDAP from scratch) including existing User and Machine accounts.
Once separated from your original network and if you want to experiment in a standalone environment, you can promote your SAMBA DC again to be authoritative for your Domain.

TSU

Are you familiar with this document?

Samba AD DC HOWTO - SambaWiki

Yes I am, I have done that successfully in openSUSE 12.3 64 bit, but since 13.1 already includes the installation packages I want to know how I can use those instead of having to compile and install from source, because the typical promotion command

samba-tool domain provision --use-rfc2307 --interactive

and even the

samba -V

command doesn’t work

this will be configured as a single domain controller

On 11/28/2013 7:16 PM, Easgs wrote:
>
>> Are you familiar with this document?
>>
>> ‘Samba AD DC HOWTO - SambaWiki’
>> (http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO)
>
> Yes I am, I have done that successfully in openSUSE 12.3 64 bit, but
> since 13.1 already includes the installation packages I want to know how
> I can use those instead of having to compile and install from source,
> because the typical promotion command
> Code:
> --------------------
> samba-tool domain provision --use-rfc2307 --interactive
> --------------------
> and even the
> Code:
> --------------------
> samba -V
> --------------------
> command doesn’t work
>
> this will be configured as a single domain controller
>
>
Easgs;

I’m not using openSUSE 13.1 and am not sure just how the packaging was done. There are now two Samba daemons: smb(d)
gives old Samba3 compatibility and samba gives AD compatibility. The samba daemon should be in /usr/local/samba, which is
most likely not in a user’s path. Did you check “samba -V” with the full path? Did you check that “samba” (not just
smb) is actually installed and started?

P.V.
“We’re all in this together, I’m pulling for you” Red Green

The samba daemon should be in /usr/local/samba, which is
most likely not in a user’s path.

That path does not exist in the file system.

Release Notes for 13.1:

5.3. Samba Version 4.1

Samba version 4.1 shipped with openSUSE 13.1 does not include support to operate as an Active Directory style domain controller. This functionality is currently disabled, as it lacks integration with system-wide MIT Kerberos.

The release notes which were downloaded and displayed on screen during installation of 13.1 (in the last 24 hrs) included a note that the Samba 4.1 packages in this release do **not** include AD functionality, due to a conflict with MIT Kerberos (?) - or words to that effect. But the (official?) release notes here don’t mention it!

I also can’t find any of the necessary tools in my Samba installation, and would like to know whether running an AD domain is possible under 13.1.

Sorry, my post crossed with yours - that was the message I saw. Where did you find those release notes?

These are the latest release notes:

zypper se -s release-notes
Daten des Repositories laden ...
Installierte Pakete lesen ...

S | Name                   | Typ        | Version     | Arch   | Repository          
--+------------------------+------------+-------------+--------+---------------------
i | release-notes-openSUSE | Paket      | 13.1.8-16.1 | noarch | openSUSE-13.1-Update
v | release-notes-openSUSE | Paket      | 13.1.7-10.1 | noarch | openSUSE-13.1-Update
v | release-notes-openSUSE | Paket      | 13.1.6-6.4  | noarch | openSUSE-13.1-Update
v | release-notes-openSUSE | Paket      | 13.1.4-1.1  | noarch | openSUSE-13.1-Oss   
  | release-notes-openSUSE | Quellpaket | 13.1.8-16.1 | noarch | openSUSE-13.1-Update
  | release-notes-openSUSE | Quellpaket | 13.1.7-10.1 | noarch | openSUSE-13.1-Update
  | release-notes-openSUSE | Quellpaket | 13.1.6-6.4  | noarch | openSUSE-13.1-Update

See here:
/usr/share/doc/release-notes/openSUSE/RELEASE-NOTES.en.html

Thanks!

So - the answer to the OP’s question would seem to be … you can’t. Which is very disappointing, as I was also intending to try this. I would like to know if this is likely to be possible in the next release, at least.

It seems that it is not possible even when compiling Samba 4.1 from source; after adding the options to /etc/named.conf

tkey-gssapi-credential "DNS/server.samdom.example.com";
tkey-domain "SAMDOM.EXAMPLE.COM";

DNS refuses to start.

My mistake, I was adding options for BIND 9.7 but openSUSE 13.1 has 9.9, so the correct option is

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

Now I have the AD server up and running and I have joined a Windows 8 machine, but I need to do some more testing.

thanks
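Two checks from this thread are worth scripting before touching a live host: P.V.’s advice to look for the AD-capable samba daemon under /usr/local/samba with its full path rather than trusting $PATH, and the named.conf mistake above, where the tkey-gssapi-credential/tkey-domain pair written for BIND 9.7 stopped named on 13.1’s BIND 9.9 until it was replaced by tkey-gssapi-keytab. The following pre-flight script is an added example, not code from the thread or from the Samba project. It assumes a source build installs into /usr/local/samba/{sbin,bin} (Samba’s default prefix), treats BIND 9.8 as the cut-over to the keytab style (an assumption; the thread only reports 9.7 vs 9.9), ignores /* */ block comments when scanning named.conf, and demonstrates itself on constructed sample configs in a scratch directory rather than on the real /etc/named.conf.

```shell
#!/bin/sh
# Pre-flight checks for a self-built Samba AD DC host (added example).
#
# find_samba_bin NAME [DIR...]   print the first executable NAME found in the
#                                given DIRs, then /usr/local/samba/{sbin,bin}
#                                (assumed source-install prefix), then $PATH.
# named_tkey_style FILE          print keytab | credential | both | none,
#                                depending on which GSS-TSIG options FILE uses
#                                (// and # comments are ignored; /* */ are not).
# check_named_tkey FILE VERSION  exit 0 when the style matches BIND VERSION,
#                                2 on a mismatch, 3 when no tkey option is set.

find_samba_bin() {
    name=$1; shift
    for dir in "$@" /usr/local/samba/sbin /usr/local/samba/bin; do
        if [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    command -v "$name" 2>/dev/null && return 0
    return 1
}

named_tkey_style() {
    file=$1
    # Drop line comments so a commented-out option does not count as present.
    conf=$(sed -e 's|//.*||' -e 's|#.*||' "$file")
    has_keytab=0; has_cred=0
    printf '%s\n' "$conf" | grep -q 'tkey-gssapi-keytab'     && has_keytab=1
    printf '%s\n' "$conf" | grep -q 'tkey-gssapi-credential' && has_cred=1
    case "$has_keytab$has_cred" in
        11) echo both ;;
        10) echo keytab ;;
        01) echo credential ;;
        *)  echo none ;;
    esac
}

check_named_tkey() {
    file=$1; version=$2            # e.g. "9.9.4" as printed by `named -v`
    style=$(named_tkey_style "$file")
    major=${version%%.*}; rest=${version#*.}; minor=${rest%%.*}
    # Assumption: BIND 9.8 and later expect tkey-gssapi-keytab; older
    # releases use the tkey-gssapi-credential + tkey-domain pair.
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 8 ]; }; then
        want=keytab; other=credential
    else
        want=credential; other=keytab
    fi
    case $style in
        "$want") echo "ok: $file uses $style style, matches BIND $version"; return 0 ;;
        "$other") echo "MISMATCH: $file uses $style style, BIND $version expects $want"; return 2 ;;
        both)    echo "MISMATCH: $file sets both styles, keep only $want for BIND $version"; return 2 ;;
        *)       echo "MISSING: $file sets no tkey-gssapi option"; return 3 ;;
    esac
}

demo() {
    # Constructed sample configs in a scratch directory (not real host files).
    tmp=$(mktemp -d)
    printf 'options {\n  tkey-gssapi-credential "DNS/server.samdom.example.com";\n  tkey-domain "SAMDOM.EXAMPLE.COM";\n};\n' > "$tmp/named-9.7-style.conf"
    printf 'options {\n  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";\n};\n' > "$tmp/named-9.9-style.conf"
    for f in "$tmp"/named-*.conf; do
        check_named_tkey "$f" 9.9.4 || true      # report, do not abort the demo
    done
    find_samba_bin samba-tool || echo "samba-tool not found under /usr/local/samba or in PATH"
    rm -rf "$tmp"
    return 0
}
demo
```

On a real host, run check_named_tkey against /etc/named.conf with the output of `named -v`, then `named-checkconf` before restarting named; find_samba_bin shows whether `samba -V` fails because the daemon is simply outside $PATH or because, as the 13.1 release notes say, the packaged build has no AD DC at all.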

Good luck Easgs and please tell the forum how you get on.

I suppose I am sceptical, perhaps because my knowledge is a bit limited. As I understand it, the Suse developers have not included all of the Samba 4.1 packages in the 13.1 release because of conflicts between Kerberos versions (MIT used in the system, Heimdal used by Samba?). I have no idea what that really means in practice, but I am worried that installing the ‘full’ Samba 4 from scratch would destabilise the system - otherwise why would the developers ‘withdraw’ the AD bits?

I’m a bit out of my depth with this to be honest!

On 2013-12-08 21:36, Libarch wrote:

> - otherwise why would the developers ‘withdraw’ the AD bits?

The release notes says:

5.3. Samba Version 4.1

Samba version 4.1 shipped with openSUSE 13.1 does not include support to
operate as an Active Directory style domain controller. This
functionality is currently disabled, as it lacks integration with
system-wide MIT Kerberos.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

The current OSS 13.1 Samba package is NOT built with AD support.
Thus, your samba4 can only be a native Samba AD client, not a server.

My own self-compiled OSS 13.1 build is with MIT krb5.

Regards.

Technically speaking, I’m sure that you can have a SAMBA4 Server (or other AD “client” relative to a DC), it’s just not promotable to be a DC.

I expect the following link describes the technical problems accurately (it’s a little over a year old as of this writing but likely still relevant)
Features/Samba4 - FedoraProject

So, at least it seems that the MIT Kerberos export restrictions have been circumvented but existing DC code is heavily dependent on the Heimdal version of Kerberos so cannot be easily ported over.

Or, it looks like if you don’t require AD integration you can build a Heimdal based LDAP Domain.

Hmmmm… I wonder if Microsoft Active Directory Federation Services might be one possible solution, you won’t have true integration but based on “claims” you might be able to map non-AD security to AD objects.

TSU

TSU

There IS a Samba DC package for Fedora 20 in the wild that nearly fits the needs - WITH MIT Kerberos.

Samba AD is STILL possible, - BUT - it requires a LOOOT of work on your system to make it FIT.

I myself am currently working on an RPi ARM-based Samba-DC package - see at GitHub - hvenzke/OpenSuSE-Samba-DC: Build Files and Notice for Samba AS RPMBuild on RPi
I am around 80% done with it …

Maybe someone is interested in participating… ??? … write me a notice at GitHub if so.
Regards …