Juan's picture

Domain Controller v16.0 works with Windows 8 or Windows 10???

I'm doing tests and with XP it works, but when I try to make it work with Windows 10 and Windows 8 it does not work.

Jeremy Davis's picture

I'm currently working on the (not yet released) v16.1 Domain Controller. I just tried connecting to that on a Win 10 Pro machine I had handy. It worked fine?!

It does have all the latest Debian packages though. If you do an 'apt update && apt upgrade' then you'll be 99.99% the same.

I have tweaked our firstboot script a bit, but mostly that has been the "join" functionality (i.e. joining to an existing AD domain). Once I'm done with it, I'm happy to share if you want to try re-running the initial setup with the newer script? Regardless, I doubt that has anything to do with it.

Also my Win machine hasn't had updates since late last year, so perhaps a newer Windows update has changed something (and broken joining a Samba domain)? I removed my Win machine from the domain again and the updates are installing as we speak. So once they've installed, I'll try again and report back.

The only thing that initially tripped me up was that it couldn't find the domain from Windows. But then I remembered that I hadn't configured it to use the DC for DNS. After setting Windows DNS to be the IP of the Domain Controller, it worked fine.

So perhaps you could explain in a bit more detail exactly what "does not work" means? I.e. exact error messages you are getting, steps you've taken, etc.

Also if you aren't using a US-International keyboard, there may be issues with special characters (e.g. in passwords).

Juan's picture

Indeed, when configuring the DNS of the Windows 8 and 10 machines with the TurnKey domain, it worked correctly. Thanks a lot.

Jeremy Davis's picture

Awesome. I wish all issues were that simple to fix! :)

Good luck with it all!

Juan's picture

I keep testing the DC; user control works perfectly. What I can't make work is restarting the Samba services through Webmin; I have to restart the system every time I make a change.

I have started the tests with folder sharing and I can see the folders, but I cannot create or delete anything within them. Neither does access to and control of the home (Linux system user folders) work: the users see and access the folder, but they cannot write or delete anything from the domain access.

I have also not been able to change the keyboard language from confconsole.

I hope I have explained well.

 

smb.conf made from webmin:

# Global parameters
[global]
    dns forwarder = 8.8.8.8
    interfaces = 127.0.0.1 192.168.0.7
    netbios name = dc1
    realm = VERSALLES.LAN
    server role = active directory domain controller
    workgroup = VERSALLES
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/versalles.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[homes]
    valid users = %S
    path = /home
    writeable = yes

[comun]
    comment = comun
    writeable = yes
    path = /media/compart


Jeremy Davis's picture

As noted on the Domain Controller doc page (in the Administer your AD section), when using Samba as an AD Domain Controller, management is best done using Windows' own RSAT (Remote Server Administration Tool), installed on an AD member Windows machine. By my understanding, everything should "just work" in that scenario.

As also noted on that doc page, in the General best practice recommendations section (under the sub heading "File storage/fileserver") it is not recommended to use a DC as a file server (a separate Samba Fileserver AD member should be used instead). It should probably work, but Samba themselves recommend against it. Our separate Fileserver appliance might be useful in that situation? However, unfortunately, it doesn't yet have an easy way to be added as a Domain member (it uses the legacy Samba config by default). Alternatively, you could add an additional DC member and just reconfigure it as a Fileserver. FWIW the "Join existing AD domain" functionality on firstboot is broken in v16.0. It's been fixed in the new v16.1 release; that is not yet available from the Domain Controller appliance page, but it will be soon. In the meantime, you could download the v16.1 iso here.

Apologies that I didn't highlight that doc page in my previous post. I hope this post helps get you going in the right direction...

Please continue to share further feedback on pain points, as it's really useful for us! Also, whilst it is/was a known issue, it wasn't actually being tracked... So I have opened an issue with Webmin upstream, plus an issue on our own issue tracker, so it doesn't get forgotten and/or hopefully new users will find it easier.

Juan's picture

Hello! Jeremy.

I should read the documents about distros before writing, sorry for that. It's a shame that sharing is not implemented; I hope that this feature will be added soon. I will continue with my tests and tell my experiences in this forum. Thank you very much for the quick response.

We will speak soon.


Jeremy Davis's picture

Just to clarify, it's not that "sharing is not implemented". It's that the Samba developers recommend not using the same server for Domain Controller and Fileserver functionality. It may well be possible, but it's just not something that I've ever tried (because of the Samba dev's notes).

It turns out though, that the link in the docs to the Samba wiki on how to set up a Samba Domain Member was dead (they must have reorganised their docs?). I've found the right page (in the link above) and updated it in the docs too.

I hope that helps. Please post back with any more issues you hit, questions you have, and/or any suggestions you have on how we might make it better...

Juan's picture

Thank you, I am reviewing the Samba Wiki docs, I will report my progress or setbacks.

Jeremy Davis's picture

Following your bug report re Webmin, I passed the report upstream (to Webmin devs) that the Samba server start/stop/restart buttons didn't work, and it turns out that the commands that run when the buttons are clicked, can be changed.

So as noted by the lead Webmin developer, if you want to make the adjustment, you can do it from the Webmin Samba server page. Click the cog icon in the top left of the main window/area and change the commands that are run (i.e. remove all of the default) to:

service samba-ad-dc COMMAND

Where COMMAND is the relevant of start, stop or restart.

Alternatively, as I noted on the issue, from the commandline:

conf=/etc/webmin/samba/config
# Point Webmin's start/restart/stop commands at the samba-ad-dc service
for command in start restart stop; do
    sed -i "\|^${command}_cmd=| s|=.*|=service samba-ad-dc ${command}|" $conf
done

Juan's picture

Hello, I have not been able to make the Samba start buttons work through Webmin; in fact there are more tools that do not work, for example the visualization of Samba groups.

In the end I decided to use the terminal interface, through the browser, PuTTY or KiTTY (KiTTY is a fork of PuTTY with auto-reconnection in case of a crash), and I have made the sharing work. You can also create directories per domain user; I am preparing the explanation.

Another error that I have detected is that when I change the server IP from DHCP to static with confconsole, it only changes it in /etc/network/interfaces, so one has to modify it manually in /etc/samba/smb.conf and /etc/hosts.

hosts static


Jeremy Davis's picture

Thanks for your feedback.

Webmin not being able to restart the Samba Domain Controller service is a known issue. Hopefully that should be improved in the next release.

The point you raise re Confconsole is valid, although as noted on the doc page, if you use an alternate IP (to the one assigned via DHCP) then it's best to re-run the firstboot script (and that will take care of the changes that you needed to make manually).

Regardless, I have opened a feature request to make the changes you've suggested as that would certainly be preferable.

Juan's picture

It is true that it needs improvements in the management of confconsole, but based on the tests I have carried out, I can say that it is an excellent distribution. It works perfectly with all the versions of Windows with which I have tested it: XP, Vista, 7, 8, 8.1, 10 and even the trial version of Windows 11.


Many thanks for your work.

Juan's picture

To perform this action, we will use the command samba-tool.

We create independent management files and a folder that will contain the users' personal directories:

#:mkdir /home/users

#:echo > /etc/samba/diruserdc.conf

At the end of the smb.conf file, add the line:

include = /etc/samba/diruserdc.conf

 

First, and for ease, remove the password restrictions to facilitate the creation of users with:

samba-tool domain passwordsettings set --complexity=off &&
samba-tool domain passwordsettings set --history-length=0 &&
samba-tool domain passwordsettings set --min-pwd-length=4 &&
samba-tool domain passwordsettings set --min-pwd-age=0 &&
samba-tool domain passwordsettings set --max-pwd-age=0

 

The password will be the same as the user: sevilla

###Using home####
samba-tool user create sevilla sevilla --given-name="Sevilla" --surname="Spain Andalucia" &&
mkdir /home/users/sevilla && chmod 770 /home/users/sevilla &&
echo >> /etc/samba/diruserdc.conf "[sevilla]" &&
echo >> /etc/samba/diruserdc.conf "browseable = no" &&
echo >> /etc/samba/diruserdc.conf "read only = no" &&
echo >> /etc/samba/diruserdc.conf "path = /home/users/sevilla" &&
echo >> /etc/samba/diruserdc.conf "admin users = sevilla" &&
smbcontrol all reload-config

User sevilla as a domain user:

Personal folder of user sevilla:

Configuration of the personal folder of user sevilla in the file /etc/samba/diruserdc.conf:

User sevilla from Windows 8.1:

Configuration of the domain system in Windows 8.1:

Network drive in Windows 8.1 with user sevilla:

I have created a script with whiptail to facilitate the incorporation of more users.

I will publish it soon.
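
An added script (not Juan's whiptail script and not TurnKey code) that automates the per-user share steps above: it validates the user name before it is written into the config, appends the stanza only once, lets samba-tool prompt for the password instead of passing it on the command line, and uses `valid users` plus directory ownership rather than `admin users` (which makes Samba perform that user's file operations as root). It assumes a Samba AD DC whose smb.conf already includes /etc/samba/diruserdc.conf, and winbind in nsswitch so getent can resolve domain users.

```shell
#!/bin/sh
# Added example: not Juan's whiptail script and not TurnKey code.
# Assumptions: a Samba AD DC whose smb.conf has "include = /etc/samba/diruserdc.conf"
# as shown above, and winbind in nsswitch so getent can resolve domain users.

CONF=${CONF:-/etc/samba/diruserdc.conf}
HOME_ROOT=${HOME_ROOT:-/home/users}

# Accept only names that are safe inside an smb.conf section header and path:
# letters, digits, dot, underscore, hyphen; not empty, not starting with - or .
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*|.*) return 1 ;;
    esac
    return 0
}

# Print the share stanza for one user. 'valid users' replaces the 'admin users'
# of the stanza above: admin users makes Samba perform that user's file
# operations as root, so directory ownership grants write access instead.
share_stanza() {   # $1 = user, $2 = directory that holds the personal folders
    printf '\n[%s]\n' "$1"
    printf '    path = %s/%s\n' "$2" "$1"
    printf '    browseable = no\n'
    printf '    read only = no\n'
    printf '    valid users = %s\n' "$1"
}

# Append the stanza unless a [user] section is already in the include file.
# Returns 0 when appended, 2 when it already existed, 1 on a rejected name.
add_share() {   # $1 = user, $2 = include file, $3 = directory root
    valid_username "$1" || return 1
    if grep -q "^\[$1\]\$" "$2" 2>/dev/null; then
        return 2
    fi
    share_stanza "$1" "$3" >> "$2"
}

# Create the AD account (samba-tool prompts for the password, so it never lands
# in shell history or the process list), the folder, and reload Samba.
add_user() {   # $1 = user; has side effects, run only on the DC as root
    valid_username "$1" || { echo "rejected user name: $1" >&2; return 1; }
    samba-tool user show "$1" >/dev/null 2>&1 || \
        samba-tool user create "$1" --must-change-at-next-login || return 1
    mkdir -p "$HOME_ROOT/$1" && chmod 700 "$HOME_ROOT/$1" || return 1
    if getent passwd "$1" >/dev/null 2>&1; then
        chown "$1" "$HOME_ROOT/$1"
    else
        echo "warning: $1 not resolvable via NSS; set folder ownership by hand" >&2
    fi
    add_share "$1" "$CONF" "$HOME_ROOT"
    [ $? -ne 1 ] || return 1
    smbcontrol all reload-config
}

# Usage on the DC: sh add-domain-user.sh sevilla
if [ -n "${1:-}" ]; then
    add_user "$1"
fi
```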


Wojciech's picture

Like in Subject.

If the TDC is running in a full VM everything is OK. Joining WIN10 works, and two different DCs under the TurnKey Domain Controller work. RSAT in WIN10 shows that everything is perfect:

If your TDC ver 16.1-1 is running in an LXC container, the WIN10 machine can't find the Domain Controller.

What is interesting is that if you try to join TDC ver 15.01 in an LXC container, everything is OK.

What could be wrong in the container?

Any ideas?

Jeremy Davis's picture

If it's a privileged container, then that's the issue! Either run it as unprivileged, or enable nesting.

Wojciech's picture

It's interesting that in DC2 (Additional Domain Controller in VM) the config files are different than in DC5 (Additional Domain Controller in LXC): there is dc5.default.lan, and it should be dc5.net.lan.

There are more differences:

dc5 (Lxc):

dc2 :

DC5:

DC2:

DC2:


Jeremy Davis's picture

Samba used to not play nice within a container unless you did some funky network setup. I was under the impression that was no longer the case, but perhaps there has been some regression(s) in newer Samba versions which makes it incompatible with default LXC config? TBH, I would have expected it to "just work" as a container, but that may well not be the case... Perhaps you need to use a "proper" VM?

Looking at your screenshots though, are you allowing it to inherit DNS from the host? (That's what it looks like). If so, that's likely an issue (if not the issue). 127.0.0.1 or its own IP (assuming it's set as a static IP) should be the first DNS server, and you probably shouldn't list any other DNS servers (Samba's built-in DNS can be configured to forward queries to whatever DNS you want, although by default it's set to use Google; 8.8.8.8).

Re the 'dc5.default.net' entry; where did that come from? That's not something that it ships with. The firstboot scripts will configure that if you set 'default.net' as the realm, but if you re-run the first boot scripts that should be replaced?! Regardless, I recommend removing that one.

Also, the Samba components of Webmin are more suited to managing legacy (non-AD) style Samba set ups. I suspect that there is something you may have tweaked via Webmin that has had a negative impact?

Wojciech's picture

Anyway:

1. Using LXC on a host with Proxmox with the ZFS file system gives you amazing features with snapshots of data shared via TDC, so I'm very upset that ver 16.1-1 in LXC is not working like 15.0.1, because of the new feature of joining TDC to an existing domain as an additional domain controller; I have waited for that.

2. All the configs are fresh after installation, without any changes of mine.

So the 'dc5.default.net' exists in the config because of the old default settings of the domain after installation. Of course I changed the domain name during installation from default.net to net.lan, and that's all, but this line still exists. In the VM installation this problem is not present.

Comparing DC2 (VM) and DC5 (LXC) after fresh installation and joining to DC1 (first domain controller in VM) showed that something is going wrong during the installation process from the container.

I will test all of these variants on a host with an older version of Proxmox (6.4) and I will show the results.


Jeremy Davis's picture

The default domain should be 'domain.lan' though not 'default.net'? Thinking about this some more, I'm guessing you set it up with that originally and then changed it? If so, it should have been overwritten, not added. So that would suggest a bug in our config scripts.

Regardless, you'll need to get rid of that wrong line. Find where it is like this:

grep -r default.net /etc

Once you've found it (probably in /etc/hosts), try removing that line and retrying.

Also, check if the samba-ad-dc service is running:

systemctl status samba-ad-dc

If not, try restarting it:

systemctl restart samba-ad-dc

And check the status again. If it's still not starting, then please post the error message(s).

If it starts, follow the testing steps as noted in the Samba wiki. I suggest that you particularly take note of the DNS tests and Kerberos tests. There is also a specific troubleshooting page which might help?
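
An added check script (not from the thread or the Samba wiki) for the DNS tests Jeremy refers to: it runs the SRV and A queries from the wiki and separates "no servers could be reached" from NXDOMAIN, since the first means the resolver is not pointed at the DC while the second means the DC's DNS answered without the record. REALM and DC_HOST are assumed placeholders taken from the thread's net.lan example.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba wiki. Runs the Samba wiki DNS
# checks for an AD DC and classifies each answer, so a resolver timeout (wrong
# DNS server in /etc/resolv.conf) is told apart from NXDOMAIN (the DC's DNS
# answered but lacks the record). REALM and DC_HOST are assumed placeholders.

REALM=${REALM:-net.lan}   # realm used in the thread's tests
DC_HOST=${DC_HOST:-dc1}   # short hostname of the DC under test

# Classify one `host` output: ok | timeout | nxdomain | other
classify_host_output() {
    case "$1" in
        *"no servers could be reached"*)    echo timeout ;;
        *NXDOMAIN*)                         echo nxdomain ;;
        *"has SRV record"*|*"has address"*) echo ok ;;
        *)                                  echo other ;;
    esac
}

# What each classification means on a Samba AD DC.
explain() {
    case "$1" in
        ok)       echo "record present" ;;
        timeout)  echo "no DNS server reached: put the DC itself (127.0.0.1 or its own IP) first in /etc/resolv.conf" ;;
        nxdomain) echo "DNS server answered but lacks the record: check the realm in smb.conf and that samba-ad-dc is running" ;;
        *)        echo "unrecognised output" ;;
    esac
}

# Run one query, print the verdict, succeed only when the record exists.
check_record() {   # $1 = record type, $2 = fully qualified name
    out=$(host -t "$1" "$2" 2>&1)
    status=$(classify_host_output "$out")
    printf '%-4s %-28s %s: %s\n' "$1" "$2" "$status" "$(explain "$status")"
    [ "$status" = ok ]
}

# The three checks from the Samba wiki; returns the number of failures.
run_dc_dns_tests() {
    fails=0
    check_record SRV "_ldap._tcp.$REALM."     || fails=$((fails + 1))
    check_record SRV "_kerberos._udp.$REALM." || fails=$((fails + 1))
    check_record A   "$DC_HOST.$REALM."       || fails=$((fails + 1))
    return "$fails"
}

# Usage on the DC: REALM=net.lan DC_HOST=dc8 sh dc-dns-check.sh run
if [ "${1:-}" = run ] && command -v host >/dev/null 2>&1; then
    run_dc_dns_tests
fi
```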

Wojciech's picture

I've tested this under host Proxmox 7.0

We have two problems:

1. In an unprivileged container the installation of the TurnKey Linux AD controller failed. (Screenshots under the text)

2. In privileged container of 16.1-1 the problem is in DNS records of domain controller.

I've compared ver. 15.0.1 and 16.1-1

In 15.0.1 (privileged container) everything by DNS from the Wiki:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory...

tests of DNS passed well:

root@dc4 ~# host -t SRV _ldap._tcp.net.lan.
_ldap._tcp.net.lan has SRV record 0 100 389 dc4.net.lan.
root@dc4 ~#

in 16.1-1 the test of DNS doesn't pass:

root@DC8 ~# host -t SRV _ldap._tcp.net.lan.
;; connection timed out; no servers could be reached
root@DC8 ~# host -t SRV _kerberos._udp.net.lan.
;; connection timed out; no servers could be reached
root@DC8 ~# host -t A dc8.net.com.
;; connection timed out; no servers could be reached
root@DC8 ~#

In 16.1-1 (unprivileged container) the installation finished with errors, so I did not test it:


Jeremy Davis's picture

Thanks for sharing.

Ok so it appears that the problem is that within pre-launch container configuration, you are allowing the guest to use the host's DNS config (which is default AFAIK). So you'll need to start again and this time, manually set up the DNS yourself. Hopefully that should resolve the issue?!

Wojciech's picture

Maybe the Proxmox 7.0 host configuration gives some DNS settings to the LXC containers, because of some specific configuration of the hypervisor? But in both variants (15.0 and 16.) I set the DNS and the domain during creation of the container manually, and more: I set this on the host, and in 15.0.1 everything works fine. It is interesting that it is impossible to create TDC 16.1-1 in an unprivileged container under Proxmox 7, because of the error listed in the post before; it's confusing. I will try to repeat the tests under Proxmox 6.4, the last stable version. I will show the result. But anyway there is something in the configuration or scripts, such that in 15.0 everything looks well, and in 16.1-1 not.


Jeremy Davis's picture

I tested that the v16.1 Domain Controller LXC (unprivileged) container works fine on Proxmox v5.x. I haven't yet tested on v6.x, but I hope to soon (I only just updated my Proxmox host to v6.x recently).

Actually though, I just noticed that there have been some changes to the firstboot script since the v16.1 release. It's queued to be rebuilt, but that probably won't happen until next week - I hadn't prioritised it as I only recalled the minor changes that I made, but perhaps it's more significant than I thought?

If you want to test it, please download the latest inithook to your v16.1 container. Like this:

URL=https://raw.githubusercontent.com/turnkeylinux-apps/domain-controller/master/overlay
FILE=usr/lib/inithooks/bin/domain-controller.py
wget -O /$FILE $URL/$FILE

Perhaps that might fix it? Please let me know...

Wojciech's picture

root@DC0 /# FILE=usr/lib/inithooks/bin/domain-controller.py
root@DC0 /# URL=https://raw.githubusercontent.com/turnkeylinux-apps/domain-controller/master/overlay
root@DC0 /# wget -O /$FILE $URL/$FILE
--2021-08-19 18:05:47--  https://raw.githubusercontent.com/turnkeylinux-apps/domain-controller/master/overlay/usr/lib/inithooks/bin/domain-controller.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23971 (23K) [text/plain]
Saving to: '/usr/lib/inithooks/bin/domain-controller.py'

/usr/lib/inithooks/bin/domain-controller.p 100%[=======================================================================================>]  23.41K  --.-KB/s    in 0.02s   

2021-08-19 18:05:53 (1.27 MB/s) - '/usr/lib/inithooks/bin/domain-controller.py' saved [23971/23971]

root@DC0 /#

But still the DNS test of the Domain Controller failed:

root@DC0 /# smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk     
        sysvol          Disk     
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@DC0 /# smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk     
        sysvol          Disk     
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@DC0 /# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter NET\Administrator's password:
  .                                   D        0  Thu Aug 19 17:34:12 2021
  ..                                  D        0  Thu Aug 19 17:34:14 2021

                31457280 blocks of size 1024. 30887424 blocks available
root@DC0 /# host -t SRV _ldap._tcp.net.lan.
Host _ldap._tcp.net.lan. not found: 3(NXDOMAIN)
root@DC0 /# host -t SRV _kerberos._udp.net.lan.
Host _kerberos._udp.net.lan. not found: 3(NXDOMAIN)
root@DC0 /# host -t A DC0.net.lan.
Host DC0.net.lan. not found: 3(NXDOMAIN

I'll change the host to Proxmox 6.4 and make all the tests again. Maybe the reason is in the new modules of LXC in ver 7.0?


Wojciech's picture

1. Good information: the LXC privileged container works well:

DNS and Samba tests pass, and the VM with WIN10 joins to the TDC.

2. Bad news: in all combinations of "features" (NESTED, FUSE, etc.) the LXC unprivileged container failed with errors:

Tomorrow I will test joining a second TDC in LXC to the domain as an additional domain controller and working WIN10 with them, and I'll test the last fix from GitHub on the unprivileged version of LXC containers.

The conclusion is that under Proxmox 6.4 TDC 16.1-1 in LXC works fine in a privileged container only, and in Proxmox 7.0 it doesn't work at all.

Interesting is what the reason is.


Wojciech's picture

1. WIN10 joins to the domain correctly. In both variants (DC1 or DC2, or DC1 and DC2) it is working.

2. I could add new domain users when the first domain controller was down, and change passwords too.

3. After turning on the first Domain Controller and shutting down the second, everything works fine.

4. RSAT shows the two domain controllers and users correctly:

So the scenario with two TDCs in privileged LXC under Proxmox 6.4 works OK, and it is very good news, because of the ZFS system of the host with all the snapshots, replication and mirrored domain controllers in the LAN network. Delicious.

The question is why unprivileged LXC doesn't work from Proxmox ver. 6.4, and nothing works in Proxmox 7.0.

Maybe I've made some error, please correct me, but all the configurations of the hosts and containers were fresh without any changes.

I hope that the answer will help build the next version of TDC, and this is very important, because Proxmox is a very popular hypervisor, and during migration to ver. 7.0 and higher, people will run into this problem.


Jeremy Davis's picture

Thanks heaps for the testing and info.

I'm really glad to hear that you managed to get it working ok. That is great news.

When I get a chance, I will try to see why it's not working when run unprivileged on PVEv6.x. I'm not sure when I'll get a chance to check against PVEv7.x though. We will be working on our next major version; v17.0 pretty soon. Hopefully that may even "just work" on Proxmox v7.x.

Regardless, this info that you've published here is a great help!

Wojciech's picture

I've observed that the configuration with two TDCs is unstable sometimes.

First variant:

DC1 (in VM) and try to JOIN DC2 (LXC): "DC2.NET.LAN is already registered in network" and the join failed. And the same happens if I change to DC3, DC4, names never used in the network.

Second variant:

DC1 (in VM) and DC2 (VM): everything looks well, but sometimes the Kerberos test fails for DC2. Even if it is correct from time to time (RSAT shows both domain controllers), if you take DC1 down, you can't log in to the domain with DC2 working.

In the tests before everything was OK, but on the next try I have problems like that. I think that it is a problem with DNS zone transfer between them.

So my conclusion is that a single TDC as Domain Controller under Proxmox 6.4 works OK (in a privileged LXC or full VM), but the model with two domain controllers is unstable.
