Matthew F.

I'm new to Turnkey, setting up a homelab with Proxmox which seems to be quite trendy at the moment. In general I'm loving the Turnkey experience. While I understand that each application is default configured to be stand-alone I'd love to be able to integrate them a little more easily. For example being able to point my Redmine appliance at my existing GitLab appliance as a git backend or even more simply being able to point my Redmine appliance at my Domain Controller appliance for authentication during installation would be the icing on the Turnkey cake.
I'm sure I'll figure out the post install configuration to do it myself eventually :-)

The most interesting challenge so far has been the new Samba 4 Domain Controller setup. For me this is a PDC, full AD replacement on a registered domain that I own.
It has been a little bumpy to be fair, not that I would ever expect Samba to be simple. About 8 hours of reading and experimentation and I finally have the Windows 10 PC where I'm writing this attached to the domain although I don't actually have a domain account I can log onto yet.

The biggest hurdle was that Kerberos package installation is missing from the Domain Controller appliance. I only realised this when I got a netstat -ta dump from someone doing something similar under an Ubuntu Server 14.04 VM and saw that when I do that there's no kerberos or kpasswd showing up.

I found the WebMin Module for krb5 while I was trying to work out which Kerberos package to install for Heimdal without polluting my container with a bunch of MIT stuff I don't need. It works too, which makes it even more surprising to me that Kerberos was left out.

There are some interesting effects from running in an LXC under Proxmox. The most significant seems to be the way Proxmox imposes network configuration in a way not especially friendly to a PDC. I'm not going to try to list exact steps but the outline is: you need to bring the system up under DHCP. Get everything installed and configured even though it won't work, and without trying to switch to a static IP. Then shut down and change the Proxmox network and DNS settings to static IP and self-DNS. Restart and tweak from there. Attempts to change to static IP and point the DC at itself for DNS from inside the container seem to result in failed network and Samba services on startup, including fatal scenarios where the Samba service becomes masked and is unrecoverable.

Rambled enough now,

Matt F.
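The Proxmox-side reconfiguration Matt outlines, written out as an added example (this is not code from the post, from TurnKey or from Proxmox): the static address, gateway, nameserver and search domain are set from the Proxmox host with `pct set` after the container has been provisioned under DHCP, not from inside the container. The container ID, addresses, bridge and realm are placeholders I assumed, and the script only echoes the `pct` commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the post, TurnKey or Proxmox): switch a TurnKey
# Domain Controller LXC container to a static address and self-DNS from the
# Proxmox host, after the DC was provisioned under DHCP. Container ID,
# addresses, bridge and realm are assumed placeholders, not values from the thread.
set -eu

VMID=101                    # assumed container ID
DC_IP=192.168.10.5          # assumed static address for the DC
DC_CIDR=24
DC_GW=192.168.10.1          # assumed gateway
DC_DNS="$DC_IP"             # a DC must be its own nameserver
DC_REALM=ad.example.lan     # assumed AD DNS domain (used as search domain)
BRIDGE=vmbr0                # assumed Proxmox bridge

# The AD zone (SRV records for _kerberos, _ldap, ...) lives on the DC itself,
# so the container's nameserver must be the DC's own address. 0 when it is.
check_self_dns() {
    [ "$1" = "$2" ]
}

# Value for pct's --net0 option: static address and gateway on the bridge.
net0_arg() {
    printf 'name=eth0,bridge=%s,ip=%s/%s,gw=%s' "$BRIDGE" "$1" "$2" "$3"
}

# Echo commands by default; run them for real with APPLY=1 on the Proxmox
# host (needs root and the pct tool).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi
}

# Stop the container, rewrite its network/DNS config on the host, start it.
apply_static_net() {
    check_self_dns "$DC_IP" "$DC_DNS" || {
        echo "refusing: nameserver must be the DC itself ($DC_IP)" >&2
        return 1
    }
    net="$(net0_arg "$DC_IP" "$DC_CIDR" "$DC_GW")"
    run pct shutdown "$VMID"
    run pct set "$VMID" --net0 "$net" --nameserver "$DC_DNS" --searchdomain "$DC_REALM"
    run pct start "$VMID"
}

apply_static_net
```

Once the container is back up, `host -t SRV _kerberos._tcp.ad.example.lan 192.168.10.5` and `samba-tool domain info 192.168.10.5` run inside it confirm that the DC resolves and serves its own zone (hostnames and address are the assumed placeholders above).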


Jeremy Davis

Your ideas re integration of appliances/software would truly be awesome. A community member has a home lab where he uses LDAP to integrate logins across appliances. Even if we could document that, it would be quite cool. Unfortunately, I don't know much about LDAP and don't generally have a lot of spare time, so I'm not sure when we might get to that. Regardless, I agree it would be cool!

Re the Domain Controller, I'm really sorry to hear of your pain and required efforts to get it working. That certainly isn't how it should be! (As per the name) TurnKey ideally should require minimal effort to get started.

But before I dig into that a little further, first a minor technicality that I think is worth mentioning. Unless you are using an old NT style domain, there is no PDC (all DCs are equal in an AD domain - there is no Primary DC).

As I hinted above, your feedback regarding the difficulties you hit with initial setup of our Domain Controller appliance is a bit disappointing to hear. FWIW none of us here are Windows users (all the TurnKey developers use Linux, the Core team all use Debian as their "daily driver") so it probably hasn't had the same degree of battle-testing as many of the other appliances. E.g. this website is running on our Drupal7 appliance and I personally use our Gitea appliance (running as a local LXC container) for my own personal coding projects, plus I also run our Fileserver appliance.

Anyway, I've not extensively tested the "join an existing domain" firstboot option (was that what you used?). But I've relatively recently tested the "create a new domain" option, and it "just worked" for me and I could join a (clean install of) Win10 Pro (VM) to the freshly created AD domain?!

As of TurnKey v14.0, we've been using Samba4 to provide the AD DC functionality. Prior to that our "Domain Controller" was configured as an NT style PDC. I know that to get that to connect to an AD domain, the installation of additional Kerberos packages was required.

Samba4 itself includes a built-in Heimdal KDC (Kerberos Key Distribution Center). So you should not need to install any additional Kerberos packages. FWIW our configuration of Samba4 within the Domain Controller appliance is mostly taken from the Samba wiki. However, it's interesting that you found Ubuntu 14.04 docs that note a requirement of Kerberos packages to get it working. As noted above, I was aware that they were required for Samba3, but AFAIK Ubuntu 14.04 included Samba4 as well, so again should not require a separate Kerberos install?!

The Samba wiki page does note though that Samba4's Kerberos implementation is not compatible with MIT Kerberos. TBH, I don't know enough about Kerberos or Windows AD to know what (if any) implications that might have. Although, unless you are joining an existing AD domain, AFAIK our "create new AD domain" config should "just work" (as my testing suggests). We have had other users report issues though. It seems that there may be some Windows config that breaks things, although I'm not yet clear on exactly what that config might be and/or how to disable/adjust it. We've also had other users note that it "just works" for them too, so it's not just me...

I wonder if it's something to do with running it as a container? I've only ever tested the Domain Controller appliance within a full VM. FWIW back when I first started with TurnKey (v11.x) I found that Samba wasn't fully functional when used in conjunction with a 'veth' virtual NIC (Proxmox OpenVZ container), although since then the issues appear to have been resolved (possibly something to do with Proxmox now using LXC for containers?) as my Fileserver appliance seems to work fine now (although in fairness, I don't use SMB/CIFS much).

Regardless of all of the above, I'd be interested to know a bit more about your setup, infrastructure and what additional steps you needed to take to get it working. Assuming that it doesn't adversely affect the people that are already using the appliance, we may even consider including it so that it also works for those in your situation...

Looking forward to hearing your thoughts, etc.
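Jeremy's point is that the KDC is part of the samba process itself, so the thing to check before installing any Kerberos packages is whether the DC is actually listening on the Kerberos and kpasswd ports (which is what Matt's netstat comparison showed it was not) and whether Samba is even running in the AD DC role. The following is an added example, not code from the thread, from TurnKey or from the Samba project; the `ss` output and smb.conf it inspects are constructed samples, and on a real DC you would feed it `ss -ltn` and `/etc/samba/smb.conf` instead.

```shell
#!/bin/sh
# Added example (not from the thread, TurnKey or Samba): check that a Samba AD DC
# is offering the services a DC must offer, from `ss -ltn` output and smb.conf.
# The sample data below is constructed for the example.
set -eu

# TCP ports a Samba AD DC serves itself: DNS 53, Kerberos 88 and kpasswd 464
# (both from the built-in KDC), RPC 135, LDAP 389/636, SMB 445, GC 3268/3269.
DC_PORTS="53 88 135 389 445 464 636 3268 3269"

# stdin: `ss -ltn` output. stdout: listening TCP ports, one per line, unique.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# stdin: `ss -ltn` output. stdout: expected DC ports with no listener.
missing_dc_ports() {
    have="$(listening_ports)"
    for p in $DC_PORTS; do
        printf '%s\n' "$have" | grep -qx "$p" || echo "$p"
    done
}

# stdin: smb.conf. stdout: the "server role" value, lower-cased and trimmed.
# Only "active directory domain controller" starts the samba AD process and
# its KDC; a standalone or classic (NT4) role never listens on 88/464.
server_role() {
    awk -F= 'tolower($1) ~ /^[ \t]*server[ \t]+role[ \t]*$/ {
        v = tolower($2); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v }'
}

# Constructed sample: DNS, LDAP and SMB are up but nothing answers Kerberos.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     0.0.0.0:53          0.0.0.0:*
LISTEN 0      50     0.0.0.0:135         0.0.0.0:*
LISTEN 0      50     0.0.0.0:389         0.0.0.0:*
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
LISTEN 0      50     0.0.0.0:636         0.0.0.0:*
LISTEN 0      50     0.0.0.0:3268        0.0.0.0:*
LISTEN 0      50     0.0.0.0:3269        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      50     [::]:389            [::]:*'

# Constructed sample smb.conf; realm and names are placeholders.
SAMPLE_SMB_CONF='[global]
        netbios name = DC1
        realm = AD.EXAMPLE.LAN
        server role = active directory domain controller
        workgroup = AD'

# Summarise the samples. On a real DC: ss -ltn | missing_dc_ports, and
# server_role < /etc/samba/smb.conf.
dc_report() {
    role="$(printf '%s\n' "$SAMPLE_SMB_CONF" | server_role)"
    missing="$(printf '%s\n' "$SAMPLE_SS" | missing_dc_ports | tr '\n' ' ')"
    echo "server role: $role"
    echo "missing DC ports: ${missing:-none}"
}

dc_report
```

On the sample the report says the role is right but 88 and 464 are missing, which points at the samba AD DC service not having started (on Debian, `systemctl status samba-ad-dc` and the samba log) rather than at a missing package: installing an MIT krb5 KDC alongside would give a second, unrelated realm, not the AD one.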
