OpenSuSe 15.1 as primary AD DC

Hi everyone!
I am trying to create an AD DC via YaST.
I installed yast2-samba-provision and went to YaST > Provision an AD DC.
I installed all the missing packages, chose Add a new forest > Root Domain name > chose the functional level > set the NetBIOS DN and NetBIOS host name.
After all that, I get the error shown in the screenshot below:
https://drive.google.com/file/d/1W3eMqwrPcWDDytAvCeCTnhcvLv0dL-2J/view?usp=sharing

The error message is a bit vague because it can be the result of several different things, for example:

  • The password is shorter than 7 characters
  • The password doesn’t conform to specific complexity requirements, for example having capital letters or numbers in it.
  • You’ve used a domain name that doesn’t conform to TLD, for example: mytestdomain.local would be fine, mytestdomain would not.

You can check /var/log/YaST2/y2log to see what the exact error message is when it appears on the screen.

Few minutes, please.
I’ll check and answer

2019-12-10 21:23:03 <1> srv(2032) [ui] YPushButton.cc(setFunctionKey):202 Guessing button role YOKButton for YPushButton "Next" at 0x7fc8b02d22b0 from function key F10
2019-12-10 21:23:03 <1> srv(2032) [ui] YPushButton.cc(setFunctionKey):202 Guessing button role YCancelButton for YPushButton "Cancel" at 0x7fc8b01ff790 from function key F9
2019-12-10 21:23:04 <1> srv(2032) [ui] YPushButton.cc(setFunctionKey):202 Guessing button role YOKButton for YPushButton "Next" at 0x7fc8b02d22b0 from function key F10
2019-12-10 21:23:04 <1> srv(2032) [ui] YPushButton.cc(setFunctionKey):202 Guessing button role YCancelButton for YPushButton "Cancel" at 0x7fc8b01ff790 from function key F9
2019-12-10 21:23:04 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78 hostname: Name or service not known
2019-12-10 21:23:04 <2> srv(2032) [Ruby] modules/Hostname.rb:161 Using fallback hostname
2019-12-10 21:23:04 <1> srv(2032) [Ruby] modules/Hostname.rb:171 Current FQDN: srv
2019-12-10 21:23:10 <1> srv(2032) [ui] YPushButton.cc(setFunctionKey):202 Guessing button role YOKButton for YPushButton "Next" at 0x7fc8b02d22b0 from function key F10
2019-12-10 21:23:10 <1> srv(2032) [ui] YPushButton.cc(setFunctionKey):202 Guessing button role YCancelButton for YPushButton "Cancel" at 0x7fc8b01ff790 from function key F9
2019-12-10 21:23:17 <1> srv(2032) [Ruby] modules/Progress.rb:344 Progress::New(Provisioning Samba Active Directory Domain controller..., 5, "Write the settings", "Provision", "Write kerberos settings", "Write DNS settings", "Update network configuration"])
2019-12-10 21:23:17 <2> srv(2032) [ui] YWidget.cc(findWidget):635     THROW:    No widget with ID back
2019-12-10 21:23:17 <2> srv(2032) [ui] YCP_UI.cc(ChangeWidget):728     CAUGHT:   No widget with ID back
2019-12-10 21:23:17 <3> srv(2032) [libycp] modules/Wizard.rb:1282 UI::ChangeWidget failed: UI::ChangeWidget( `id (`back), `Enabled, false )
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 Neither `next nor `accept widgets exist
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 ------------- Backtrace begin -------------
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/modules/Wizard.rb:1251:in `DisableNextButton'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/modules/Progress.rb:465:in `New'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/modules/SambaProvision.rb:60:in `Write'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/include/samba-provision/dialogs.rb:193:in `WriteDialog'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/include/samba-provision/wizards.rb:72:in `block in SambaProvisionSequence'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/lib64/ruby/vendor_ruby/2.5.0/yast/builtins.rb:546:in `eval'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/modules/Sequencer.rb:261:in `WS_run'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/modules/Sequencer.rb:333:in `block in Run'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/modules/Sequencer.rb:325:in `loop'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/modules/Sequencer.rb:325:in `Run'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/include/samba-provision/wizards.rb:85:in `SambaProvisionSequence'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/lib64/ruby/vendor_ruby/2.5.0/yast/fun_ref.rb:33:in `call'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/lib64/ruby/vendor_ruby/2.5.0/yast/fun_ref.rb:33:in `call'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/modules/CommandLine.rb:1517:in `Run'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/clients/samba-provision.rb:50:in `main'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/share/YaST2/clients/samba-provision.rb:64:in `<top (required)>'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/lib64/ruby/vendor_ruby/2.5.0/yast/wfm.rb:318:in `eval'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/lib64/ruby/vendor_ruby/2.5.0/yast/wfm.rb:318:in `run_client'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/lib64/ruby/vendor_ruby/2.5.0/yast/wfm.rb:206:in `call_builtin'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/lib64/ruby/vendor_ruby/2.5.0/yast/wfm.rb:206:in `call_builtin_wrapper'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/lib64/ruby/vendor_ruby/2.5.0/yast/wfm.rb:195:in `CallFunction'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 /usr/lib/YaST2/bin/y2start:62:in `<main>'
2019-12-10 21:23:17 <3> srv(2032) [Ruby] modules/Wizard.rb:1251 ------------- Backtrace end ---------------
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78 Looking up IPv4 addresses
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78 Looking up IPv6 addresses
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78 No IPv6 address will be assigned
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78 ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Failed to create directory /var/lib/samba/private: No such file or directory
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78   File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 538, in run
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78     backend_store=backend_store)
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2205, in provision
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78     directory_create_or_exists(paths.private_dir, 0o700)
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2056, in directory_create_or_exists
2019-12-10 21:23:18 <3> srv(2032) [bash] ShellCommand.cc(shellcommand):78     raise ProvisioningError("Failed to create directory %s: %s" % (path, e.strerror))
2019-12-10 21:23:18 <1> srv(2032) [Ruby] modules/SambaProvision.rb:172 Samba provision result: {"exit"=>255, "stderr"=>"Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Failed to create directory /var/lib/samba/private: No such file or directory
  File \"/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py\", line 538, in run
    backend_store=backend_store)
  File \"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py\", line 2205, in provision
    directory_create_or_exists(paths.private_dir, 0o700)
  File \"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py\", line 2056, in directory_create_or_exists
    raise ProvisioningError(\"Failed to create directory %s: %s\" % (path, e.strerror))
", "stdout"=>""}
2019-12-10 21:23:18 <3> srv(2032) [Ruby] modules/SambaProvision.rb:85 Error provisioning database. Check logs for details.
2019-12-10 21:23:18 <1> srv(2032) [ui] YPushButton.cc(setFunctionKey):202 Guessing button role YOKButton for YPushButton "OK" at 0x7fc8b01f0300 from function key F10
2019-12-10 21:23:19 <1> srv(2032) [Ruby] clients/samba-provision.rb:53 Samba-provision module finished
2019-12-10 21:23:19 <1> srv(2032) [Ruby] clients/samba-provision.rb:54 ----------------------------------------
2019-12-10 21:23:19 <1> srv(2032) [Interpreter] bin/y2start:62 Called YaST client returned.
2019-12-10 21:23:19 <1> srv(2032) [qt-ui] YQUI.cc(uiThreadDestructor):332 Destroying UI thread
2019-12-10 21:23:19 <1> srv(2032) [qt-ui] YQUI.cc(~YQUI):315 Closing down Qt UI.
2019-12-10 21:23:19 <2> srv(2032) [qt-ui] YQUI.cc(qMessageHandler):676 <libqt-warning> QObject::killTimer: Timers cannot be stopped from another thread
2019-12-10 21:23:19 <2> srv(2032) [qt-ui] YQUI.cc(qMessageHandler):676 <libqt-warning> QObject::~QObject: Timers cannot be stopped from another thread
2019-12-10 21:23:19 <2> srv(2032) [qt-ui] YQUI.cc(qMessageHandler):676 <libqt-warning> QObject::~QObject: Timers cannot be stopped from another thread
2019-12-10 21:23:19 <1> srv(2032) [Y2Ruby] binary/YRuby.cc(~YRuby):117 Shutting down ruby interpreter.
2019-12-10 21:23:19 <1> srv(2032) [Y2Perl] YPerl.cc(destroy):164 Shutting down embedded Perl interpreter.

Also, I have a few questions about setting up a DNS server. I wrote the configuration files as follows:

/etc/named.conf

options {
    include "/etc/named.d/forwarders.conf";
};
logging {
    category default { log_syslog; };
    channel log_syslog { syslog; };
};
zone "network.local" in {
    file "/etc/network.local";
    type master;
    allow-update { any; };
};
zone "reverse.local" in {
    file "/etc/reverse.local";
    type master;
    allow-update { any; };
};

/etc/network.local

$TTL 86400      ;       1 day
network.local.    IN      SOA   srv.network.local. admin.network.local. (
                                20110103        ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                86400           ; Minimum TTL
                        )

                IN      NS      srv.network.local.
                IN      A       192.168.2.1
localhost       IN      A       127.0.0.1
server          IN      A       192.168.2.1


/etc/reverse.local

$TTL 86400      ;       1 day
2.168.192.in-addr.arpa. IN SOA srv.network.local. admin.network.local. (
                        20110104        ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        3600 )          ; Minimum

        IN      NS      srv.network.local.
1       IN      PTR     network.local
1       IN      PTR     srv.network.local

After the command nslookup srv 192.168.2.1 I got:

Server:         192.168.2.1
Address:        192.168.2.1#53

** server can't find srv: NXDOMAIN

ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Failed to create directory /var/lib/samba/private: No such file or directory

This is curious; perhaps you should try to install samba-client manually and then re-try the tool (samba-client owns the directory in question).

Not only does an AD Domain require a suffix, it’s not recommended to use something like “.local” because some technologies use that namespace. If you never implement or encounter one of those technologies, you’ll be OK but if you ever do run into a problem it’s extraordinarily difficult to address… to the point many will decide the practical solution is to tear down their entire AD and re-build with a new namespace. Use something likely unique like “.mygreennetwork” or whatever else you can make up.

It’d be interesting if you can create a SAMBA AD Domain on its own from the beginning, I’ve never heard of anyone doing that.
It’s common to create a DC that can join an existing AD Domain.
Or, create an original SAMBA (not AD) Domain.
The issue is whether SAMBA’s setup can create and deploy an AD schema on its own which I’ve never looked into. It’s likely technically possible but I don’t know if there is an easy setup that’s built into SAMBA.

TSU

An FYI if not already aware…

LEAP SAMBA documentation
https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha-samba.html

I’ll admit I haven’t looked at trying to create an original AD realm and Domain using SAMBA anytime recently and unless you see something that’s not described in the above LEAP documentation, you may have some difficulties using YaST. Based on the above documentation, I suspect that you <might> only be creating a SAMBA NT4 type Domain (but I may be surprised). If you try using YaST, you can use the below reference to inspect your configuration for what type of Domain you installed.

But,
An Internet search suggests that it’s possible to create an original SAMBA AD, the following article describes doing so on Ubuntu. Of course Ubuntu doesn’t have YaST, but if you use the following you may be able to integrate various steps with the LEAP documentation for setting up SAMBA manually. I don’t know if there have been improvements to SAMBA since the article was written in 2016, but at that time you could only create a Win2008 AD (not 2012 or later).

https://www.tecmint.com/install-samba4-active-directory-ubuntu/

Another comment…
It’d be very unusual to set up an AD with NetBIOS and WINS name resolution support.
AD naming conventions are based entirely on the Hostname system, which uses only DNS and hosts files, no WINS and lmhosts files.

Good Luck,
TSU

I want to deviate a little from the question towards the DNS server. With YaST I set up a DNS server. Here are its settings:

/etc/named.conf:

options {
    include "/etc/named.d/forwarders.conf";
};
logging {
    category default { log_syslog; };
    channel log_syslog { syslog; };
};
zone "example.com" in {
    allow-update { key super; };
    allow-transfer { any; localhost; localnets; };
    file "dyn/example.comX";
    type master;
};
zone "2.168.192.in-addr.arpa" in {
    allow-transfer { any; localnets; };
    file "master/2.168.192.in-addr.arpa";
    type master;
};
acl local { 192.168.2/24; };


/var/lib/named/dyn/example.comX


$TTL 2d
@        IN SOA        dnsserver.    root.dnsserver. (
                2019121100    ; serial
                3h        ; refresh
                1h        ; retry
                1w        ; expiry
                1d )        ; minimum

example.com.    IN NS        dnsserver.example.com.


master/2.168.192.in-addr.arpa


$TTL 2d
@        IN SOA        dnsserver.example.com    root.dnsserver. (
                2019121102    ; serial
                3h        ; refresh
                1h        ; retry
                1w        ; expiry
                1d )        ; minimum

2.168.192.in-addr.arpa.    IN NS        dnsserver.2.168.192.in-addr.arpa.
2.2.168.192.in-addr.arpa.    IN PTR        example.com.


If I use the command:

nslookup dnsserver
Server:   192.168.2.2
Address:  192.168.2.2#53

** server can't find dnsserver: SERVFAIL

But if I use

ping dnsserver
PING dnsserver (192.168.2.2) 56(84) bytes of data.
64 bytes from dnsserver (192.168.2.2): icmp_seq=1 ttl=64

Looks like everything works.
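A zone-file check for the two mistakes visible in the BIND zone files posted in this thread: PTR (and SOA/NS) targets written without a trailing dot, which BIND stores with the zone origin appended, and an NS record naming a host inside the zone that has no A record. This is an added example written for this thread, not code from the posts or from BIND; the sample zone text is a constructed copy of the first post's /etc/network.local and /etc/reverse.local with the comments trimmed.

```python
"""Added example: lint a BIND zone file for the two mistakes visible in the
thread's zone files: a relative name in RDATA (no trailing dot, so BIND appends
the zone origin) and an NS that names an in-zone host with no A/AAAA record."""
NAME_RDATA = {"NS", "PTR", "CNAME"}   # record types whose last RDATA field is a name

def fqdn(name, origin):
    # Qualify a zone-file name the way BIND does ('@' and relative names).
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """[(owner_fqdn, rtype, rdata)]; handles ';' comments, $TTL, blank owners, '( ... )'."""
    records, last_owner, buf, blank = [], origin, "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # drop comments
        if not line.strip():
            continue
        if not buf:                                      # first line of a record:
            blank = raw[0].isspace()                     # no owner -> reuse previous one
        buf = f"{buf} {line}".strip()
        if buf.count("(") > buf.count(")"):              # still inside parentheses
            continue
        fields, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if fields[0].startswith("$"):                    # $TTL and other directives
            continue
        owner = last_owner if blank else fqdn(fields.pop(0), origin)
        while fields[0][0].isdigit() or fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                                # optional TTL and class
        records.append((owner, fields[0].upper(), fields[1:]))
        last_owner = owner
    return records

def lint_zone(text, origin):
    """Return findings for one zone; origin may be given with or without a dot."""
    origin = origin.rstrip(".") + "."
    records = parse_zone(text, origin)
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    findings = []
    for owner, rtype, rdata in records:
        names = rdata[-1:] if rtype in NAME_RDATA else rdata[:2] if rtype == "SOA" else []
        for n in names:                                  # NS/PTR/CNAME target, SOA MNAME/RNAME
            if not n.endswith("."):
                findings.append(f"{owner} {rtype}: '{n}' is relative; BIND stores {n}.{origin}")
        if rtype == "NS":
            target = fqdn(rdata[-1], origin)
            if (target == origin or target.endswith("." + origin)) and target not in has_addr:
                findings.append(f"{owner} NS: in-zone target {target} has no A/AAAA record")
    return findings

# Constructed sample input: the two zone files quoted in the thread, comments trimmed.
NETWORK_LOCAL = """\
$TTL 86400      ;       1 day
network.local.  IN  SOA  srv.network.local. admin.network.local. (
                    20110103 10800 3600 604800 86400 )
                IN  NS   srv.network.local.
                IN  A    192.168.2.1
server          IN  A    192.168.2.1
"""
REVERSE_LOCAL = """\
2.168.192.in-addr.arpa. IN SOA srv.network.local. admin.network.local. (
                    20110104 10800 3600 604800 3600 )
        IN  NS   srv.network.local.
1       IN  PTR  network.local
1       IN  PTR  srv.network.local
"""
```

Run lint_zone(NETWORK_LOCAL, "network.local") and lint_zone(REVERSE_LOCAL, "2.168.192.in-addr.arpa") to see why the forward zone cannot answer for srv and what the two PTR records actually resolve to.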

Comment about “example.com”
Don’t know if this is just a placeholder or your real configuration, but it shouldn’t be real if you don’t own the domain “example.com”.
You should use an FQDN that’s not routable over the Internet to comply with security “Best Practice”, although I’ve done so for a Domain I owned: in that situation it was very unlikely anyone from outside the LAN would ever access my servers, and I also didn’t mind if that information somehow leaked. And, it was convenient in one case to provide LAN name resolution for external clients.

Are you using the YaST DNS module to manage your zone records?
I can’t remember off the top of my head whether it has ever been proper to only define 3 octets for your in-addr.arpa zones… Would seem to me that it should be standard to define 4 octets, the missing (leading when a reverse lookup zone) should be a zero.

TSU

I have been able to create an original AD DC on openSUSE Leap 15.1 by using parts of the URL to tecmint pointed out by tsu2, and by sheer experimentation with the “AD Provision” YAST2 menu item. I’ll write up my procedure and post it right after this. Everything seems to be working. I have a functioning 2008R2-level Domain Controller using the samba 4.9.5 stock RPMs. Leap 15.2 apparently uses 4.11 RPMs, which will bump the schema to 2012 as an optional upgrade. The Samba folks have not said this schema is supported though. Everything so far looks good, except that I cannot seem to get machine-based GPOs to be applied. I’m following this bug on its progress:

https://bugzilla.samba.org/show_bug.cgi?id=13516

The problem is between Samba and MIT Kerberos. There seems to be a fix upstream somewhere, at least one of the contributors has made the comment that he has it working. If I see anything further, I’ll reply here as well.

Procedure to Build Samba AD-DC on openSUSE Leap 15.1:

  1. Install the openSUSE Leap 15.1 Operating System, and include the following packages:

    A. I prefer Mate, so I install Generic Desktop for starters.
    B. Enable on-line repositories (gets me access to Mate).
    C. Remove any default packages I don’t need like games, office, etc.
    D. Don’t click on File Server, just accept the default selection on “File Server”; it pretty much already starts a Samba install.
    E. Choose Search Tab

    1. From Search, select samba-ad-dc, yast2-aduc, yast2-gpmc, yast2-samba-provision, net-tools-deprecated, firewall-config

    F. All of the other defaults are fine for test purposes. Otherwise, remove any other fluff you don’t need, i.e. openvpn, totem, etc.

  2. Provide the host with a fixed IP address and proper name (adc1, fs1, whatever). The Tecmint tutorial suggests not using the “.local” suffix for a domain name; it’s currently in use by avahi and may cause confusion.

  3. Apply whatever other hardening techniques to your server that you’re familiar with.

Now we get into it:

  1. From Tecmint: rename or delete /etc/samba/smb.conf. This will be recreated by the Samba Provision.

  2. Run YaST2 -> Provision an Active Directory Domain Controller

    A. Specify the Domain Name: in my case, test.internal
    B. Select the radio button: Add a new forest
    C. Click Next

    D. Forest and domain functional level: 2008 R2
    E. “Store POSIX attributes in AD” is checked.
    F. Click Next

    G. NetBIOS Names: accept the defaults; mine are “NetBIOS Domain Name: TEST”, “NetBIOS Host Name: ADC1”
    H. DNS Server Backend: DNS Internal (No other choice here)
    I. Forwarder: <IP Address of local DNS, could be internal router?>
    J. Click Next

    K. Domain Administrator Password: <Some Password> (This is for the “Windows Admin Account”)
    L. Click OK

  3. That should run and install any missing pieces, but there shouldn’t be any.

  4. Remove or rename /etc/krb5.conf

  5. Create a softlink to Samba’s krb5.conf: ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

  6. Start the Domain Controller: systemctl start samba-ad-dc

  7. Enable the service.

  8. Check the status, you should see multiple attributes running associated with it.

  9. Using netstat, review the Samba processes that are now running: netstat -tilpn | grep -E "smbd|samba" (grep needs -E for the | alternation); note all of the listening ports - you’ll need to add these to firewalld’s list of open ports.

  10. Confirm your domain level: # samba-tool domain level show; it should tell you 2008 R2

  11. Check the /etc/resolv.conf for resolvers; localhost should be first, followed by the forwarder you entered previously. The search domain should be the AD domain.

  12. Modify /etc/chrony.conf, or create a dedicated config file in /etc/chrony.d, e.g. samba-ad.conf

    A. Add the following lines to chrony:

    ntpsigndsocket /var/lib/samba/ntp_signd
    allow <local subnet: i.e. 192.168.1.0>/24
    bindcmdaddress 0.0.0.0
    bindcmdaddress ::

  13. Restart chronyd service

  14. Reboot the server.

  15. Upon reboot, use firewall-config to add all of the ports noted during the netstat command. You may need to run netstat again to double check kerberos ports. Include the chrony ports for time sync.

  16. Run standard diagnostic tests to check name resolution and service availability:

ping -c3 <ad.domain>
ping -c3 <dc>.<ad.domain>
ping -c3 <dc>

host -t A <ad.domain>
host -t A <dc>.<ad.domain>
host -t SRV _kerberos._udp.<ad.domain>
host -t SRV _ldap._tcp.<ad.domain>

All of these should either reach, map or identify the domain controller.

  17. Verify Kerberos (do this from an account that has successfully authenticated to the Linux server):

kinit administrator@<AD.DOMAIN> (Log in as root; don’t just su to root)

klist (Will list the krb ticket)

  18. At this point, you should be able to join a workstation to the domain.

Good Luck!
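Steps 9 and 15 of the procedure above collect the DC's listening ports by hand from netstat and then enter them in firewall-config. The following added example (mine, not the poster's) parses netstat -tulpn output into the equivalent firewall-cmd commands, keeping only the programs step 9 greps for plus chronyd and dropping loopback-only listeners; the netstat sample is constructed, and the firewalld zone name public is an assumption.

```python
"""Added example (not from the post): turn the listening sockets that step 9's
netstat shows into the firewalld port openings step 15 asks for, keeping only
the Samba and chrony services and skipping loopback-only listeners."""
import re

DC_PROGRAMS = {"samba", "smbd", "chronyd"}   # step 9 greps smbd|samba; step 15 adds chrony
PROGRAM_RE = re.compile(r"\s(\d+)/([A-Za-z0-9_.-]+)")   # 'PID/Program name' column

def listening_ports(netstat_text):
    """Parse 'netstat -tulpn' output into a sorted list of (port, proto, program).
    Keeps TCP sockets in LISTEN state and all UDP sockets, on non-loopback addresses."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        m = PROGRAM_RE.search(line)
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")) or not m:
            continue                                   # header, or no PID/program (not root)
        proto = parts[0].rstrip("6")                   # tcp6 -> tcp, udp6 -> udp
        addr, port = parts[3].rsplit(":", 1)           # '0.0.0.0:389', ':::445'
        program = m.group(2)                           # 'samba', 'smbd', 'chronyd', ...
        if proto == "tcp" and parts[5] != "LISTEN":
            continue                                   # established/other TCP connection
        if addr in ("127.0.0.1", "::1") or program not in DC_PROGRAMS:
            continue                                   # loopback-only or unrelated service
        ports.add((int(port), proto, program))
    return sorted(ports)

def firewall_cmds(ports, zone="public"):
    """firewall-cmd lines that open each (port, proto) permanently, then reload."""
    seen = sorted({(port, proto) for port, proto, _ in ports})
    cmds = [f"firewall-cmd --zone={zone} --permanent --add-port={port}/{proto}"
            for port, proto in seen]
    return cmds + ["firewall-cmd --reload"]

# Constructed sample: what 'netstat -tulpn' might print on the freshly provisioned DC
# (program names abbreviated the way net-tools truncates them).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2107/samba: task[ld
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      2110/samba: task[kd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2115/smbd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1012/master
tcp6       0      0 :::636                  :::*                    LISTEN      2107/samba: task[ld
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2109/samba: task[dn
udp        0      0 0.0.0.0:88              0.0.0.0:*                           2110/samba: task[kd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1403/chronyd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1050/avahi-daemon:
"""
```

Feed the real output of netstat -tulpn (run as root, so the PID/Program column is filled) to listening_ports and review the resulting list before applying the commands, because UDP 88 and 464 for Kerberos only show up with -u.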