Juan's picture

Domain Controller v16.0: does it work with Windows 8 or Windows 10?

I'm doing tests, and with XP it works, but when I try to make it work with Windows 10 and Windows 8 it does not work.

Jeremy Davis's picture

I'm currently working on the (not yet released) v16.1 Domain Controller. I just tried connecting to that on a Win 10 Pro machine I had handy. It worked fine?!

It does have all the latest Debian packages though. If you do an 'apt update && apt upgrade' then you'll be 99.99% the same.

I have tweaked our firstboot script a bit, but mostly that has been the "join" functionality (i.e. joining to an existing AD domain). Once I'm done with it, I'm happy to share if you want to try re-running the initial setup with the newer script? Regardless, I doubt that has anything to do with it.

Also my Win machine hasn't had updates since late last year, so perhaps a newer Windows update has changed something (and broken joining a Samba domain)? I removed my Win machine from the domain again and the updates are installing as we speak. So once they've installed, I'll try again and report back.

The only thing that initially tripped me up was that it couldn't find the domain from Windows. But then I remembered that I hadn't configured it to use the DC for DNS. After setting Windows DNS to be the IP of the Domain Controller, it worked fine.

So perhaps you could explain in a bit more detail exactly what "does not work" means? I.e. exact error messages you are getting, steps you've taken, etc.

Also if you aren't using a US-International keyboard, there may be issues with special characters (e.g. in passwords).

Juan's picture

Indeed, when configuring the DNS of the windows 8 and 10 machines with the turnkey Domain, it worked correctly. Thanks a lot

Jeremy Davis's picture

Awesome. I wish all issues were that simple to fix! :)

Good luck with it all!

Juan's picture

I keep testing the DC. User control works perfectly; what I can't make work is restarting the Samba services through Webmin. I have to restart the system every time I make a change.

I have started testing the folder sharing. I can see the folders, but I cannot create or delete anything within them. Access and control of the home (Linux system user folders) doesn't work either: the users see and access the folder, but they cannot write to or delete anything from it when accessing via the domain.

I have also not been able to change the keyboard language from confconsole.

I hope I have explained well.

smb.conf made from webmin:

# Global parameters
[global]
    dns forwarder = 8.8.8.8
    interfaces = 127.0.0.1 192.168.0.7
    netbios name = dc1
    realm = VERSALLES.LAN
    server role = active directory domain controller
    workgroup = VERSALLES
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/versalles.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[homes]
    valid users = %S
    path = /home
    writeable = yes

[comun]
    comment = comun
    writeable = yes
    path = /media/compart

Jeremy Davis's picture

As noted on the Domain Controller doc page (in the Administer your AD section), when using Samba as an AD Domain Controller, management is best done using Windows' own RSAT (Remote Server Administration Tools) - installed on an AD member Windows machine. By my understanding, everything should "just work" in that scenario.

As also noted on that doc page, in the General best practice recommendations section (under the sub heading "File storage/fileserver") it is not recommended to use a DC as a file server (a separate Samba Fileserver AD member should be used instead). It should probably work, but Samba themselves recommend against it. Our separate Fileserver appliance might be useful in that situation? However, unfortunately, it doesn't yet have an easy way to be added as a Domain member (it uses the legacy Samba config by default). Alternatively, you could add an additional DC member and just reconfigure it as a Fileserver. FWIW the "Join existing AD domain" functionality on firstboot is broken in v16.0. It's been fixed in the new v16.1 release, but that is not yet available from the Domain Controller appliance page, but it will be soon - in the meantime, you could download the v16.1 iso here.

Apologies that I didn't highlight that doc page in my previous post. I hope this post helps get you going in the right direction...

Please continue to share further feedback on pain points as it is really useful for us! Also, whilst it is/was a known issue, it wasn't actually being tracked... So I have opened an issue with Webmin upstream, plus an issue on our own issue tracker so it doesn't get forgotten and/or hopefully new users will find it easier.

Juan's picture

Hello Jeremy!

I should read the documents about the distros before writing, sorry for that. It's a shame that sharing is not implemented; I hope that this feature will be added soon. I will continue with my tests and tell my experiences in this forum. Thank you very much for the quick response.

We will speak soon.

Jeremy Davis's picture

Just to clarify, it's not that "sharing is not implemented". It's that the Samba developers recommend not using the same server for Domain Controller and Fileserver functionality. It may well be possible, but it's just not something that I've ever tried (because of the Samba devs' notes).

It turns out though, that the link in the docs to the Samba wiki on how to set up a Samba Domain Member was dead (they must have reorganised their docs?). I've found the right page (in the link above) and updated it in the docs too.

I hope that helps. Please post back with any more issues you hit, questions you have, and/or any suggestions you have on how we might make it better...

Juan's picture

Thank you, I am reviewing the Samba Wiki docs, I will report my progress or setbacks.

Jeremy Davis's picture

Following your bug report re Webmin, I passed the report upstream (to the Webmin devs) that the Samba server start/stop/restart buttons didn't work, and it turns out that the commands that run when the buttons are clicked can be changed.

So as noted by the lead Webmin developer, if you want to make the adjustment, you can do it from the Webmin Samba server page. Click the cog icon in the top left of the main window/area and change the commands that are run (i.e. remove all of the default) to:

service samba-ad-dc COMMAND

Where COMMAND is the relevant of start, stop or restart.

Alternatively, as I noted on the issue, from the commandline:

conf=/etc/webmin/samba/config
for command in start restart stop; do
    sed -i "\|^${command}_cmd=| s|=.*|=service samba-ad-dc ${command}|" "$conf"
done

Juan's picture

Hello, I have not been able to make the Samba start buttons work through Webmin; in fact there are more tools that do not work, for example the visualization of Samba groups.
In the end I decided to use the terminal interface, through the browser, PuTTY or KiTTY (KiTTY is a fork of PuTTY with auto-reconnection in case of a crash), and I have made the sharing work. You can also create directories per domain user; I am preparing the explanation.

Another error that I have detected is that when I change the server IP from DHCP to static with confconsole, it only changes it in /etc/network/interfaces, so one has to modify it manually in /etc/samba/smb.conf and /etc/hosts.

hosts static


Jeremy Davis's picture

Thanks for your feedback.

Webmin not being able to restart the Samba Domain Controller service is a known issue. Hopefully that should be improved in the next release.

The point you raise re Confconsole is valid, although as noted on the doc page, if you use an alternate IP (to the one assigned via DHCP) then it's best to re-run the firstboot script (and that will take care of the changes that you needed to make manually).

Regardless, I have opened a feature request to make the changes you've suggested as that would certainly be preferable.

Juan's picture

It is true that it needs improvements in the management of confconsole, but based on the tests I have carried out, I can say that it is an excellent distribution. It works perfectly with all the versions of Windows with which I have tested it: XP, Vista, 7, 8, 8.1, 10 and even the trial version of Windows 11.

Many thanks for your work.

Juan's picture

To perform this action, we will use the command samba-tool.

We create an independent configuration file and a folder that will contain the users' personal directories:

mkdir /home/users
echo > /etc/samba/diruserdc.conf

At the end of the smb.conf file, add the line:

include = /etc/samba/diruserdc.conf

Beforehand, and for ease, remove the password conditions to facilitate the creation of users with:

samba-tool domain passwordsettings set --complexity=off &&
samba-tool domain passwordsettings set --history-length=0 &&
samba-tool domain passwordsettings set --min-pwd-length=4 &&
samba-tool domain passwordsettings set --min-pwd-age=0 &&
samba-tool domain passwordsettings set --max-pwd-age=0

The password will be the same as the user name: sevilla

###Using home####
samba-tool user create sevilla sevilla --given-name="Sevilla" --surname="Spain Andalucia" &&
mkdir /home/users/sevilla && chmod 770 /home/users/sevilla &&
echo >> /etc/samba/diruserdc.conf "[sevilla]" &&
echo >> /etc/samba/diruserdc.conf "browseable = no" &&
echo >> /etc/samba/diruserdc.conf "read only = no" &&
echo >> /etc/samba/diruserdc.conf "path = /home/users/sevilla" &&
echo >> /etc/samba/diruserdc.conf "admin users = sevilla" &&
smbcontrol all reload-config

User sevilla as a domain user:

Personal folder of user sevilla:

Configuration of the personal folder of user sevilla in the file /etc/samba/diruserdc.conf:

User sevilla from Windows 8.1:

Domain system configuration in Windows 8.1:

Network drive in Windows 8.1 with user sevilla:

I have created a script with whiptail to facilitate the incorporation of more users.

I will publish it soon.


Juan's picture

I have written a script that uses dialog response boxes; it can be improved, but it is functional for managing users and shared resources. I leave the code and screenshots. Copy the script to a file and make it executable.

Script

#################################################

#!/bin/bash
#Juan  https://j20003.es
# Menu-driven helper for managing users and shares on a Samba AD DC.
# Per-user and shared-folder stanzas are kept in separate files, which
# smb.conf must pull in with "include = ..." lines.
USERCONF=/etc/samba/diruserdc.conf
SHARECONF=/etc/samba/shares.conf
USERBASE=/home/users
SHAREBASE=/home/shares

HEIGHT=15
WIDTH=50
CHOICE_HEIGHT=8
BACKTITLE="Conf Domain"
TITLE="Domain Config, choose option"
MENU="\nChoose one of the following options:"

# Return to the main menu by re-executing this script under whatever name
# it was installed as (instead of the hard-coded ./domainconfmenu.sh).
menu() { exec "$0"; }

# Exact-match existence checks (a plain grep would also match "sevilla2").
user_exists()  { samba-tool user list  | grep -qx -- "$1"; }
group_exists() { samba-tool group list | grep -qx -- "$1"; }

# Error box helper
error() { dialog --title "ERROR" --msgbox "$1" 0 0; }

# Remove the "#1NAME" ... "#2NAME" block written for NAME ($1) from FILE ($2).
# The markers are anchored to whole lines so "ana" cannot eat "anabel".
delete_stanza() { sed -i "/^#1$1\$/,/^#2$1\$/d" "$2"; }

OPTIONS=(1 "Change password options of Domain"
 2 "List Domain Users"
 3 "Add New Admin Domain"
 4 "Add Domain User"
 5 "Change password of domain user"
 6 "List user of Domain verbose"
 7 "Delete domain user"
 8 "Add new share in Domain"
 9 "Delete net Share in Domain"
 10 "List Computer Of Domain"
 11 "Show Net Shares"
 12 "Delete files"
 13 "Exit"
 14 "Shutdown")

CHOICE=$(dialog --clear \
                --backtitle "$BACKTITLE" \
                --title "$TITLE" \
                --menu "$MENU" \
                $HEIGHT $WIDTH $CHOICE_HEIGHT \
                "${OPTIONS[@]}" \
                2>&1 >/dev/tty)

clear
case $CHOICE in
    1)
    #####################Change password options of Domain#################################
    exec 3>&1
    # Store the form values, one per line, in $VALUES
    VALUES=$(dialog --ok-label "Submit" \
          --backtitle "" \
          --title "Default Settings Passwords" \
          --form "\nYou can change these password settings" \
          0 0 0 \
          "Define_complexity?"        1 1 "off" 1 26 6 0 \
          "Change_password_history"   2 1 "3"   2 26 6 0 \
          "min_password_character"    3 1 "4"   3 26 6 0 \
          "min_password_valid time"   4 1 "0"   4 26 6 0 \
          "password_expiration_time"  5 1 "0"   5 26 6 0 \
          2>&1 1>&3)
    exec 3>&-

    complexity=$(echo "$VALUES" | sed -n 1p)
    historylength=$(echo "$VALUES" | sed -n 2p)
    minpwdlength=$(echo "$VALUES" | sed -n 3p)
    minpwdage=$(echo "$VALUES" | sed -n 4p)
    maxpwdage=$(echo "$VALUES" | sed -n 5p)

    samba-tool domain passwordsettings set --complexity="$complexity"
    samba-tool domain passwordsettings set --history-length="$historylength"
    samba-tool domain passwordsettings set --min-pwd-length="$minpwdlength"
    samba-tool domain passwordsettings set --min-pwd-age="$minpwdage"
    samba-tool domain passwordsettings set --max-pwd-age="$maxpwdage"
    smbcontrol all reload-config

    passwordset=$(samba-tool domain passwordsettings show)
    dialog --title "Settings Passwords" --msgbox "$passwordset" 0 0
    menu
    ;;

    2)
    #######################List Domain Users########################
    users=$(samba-tool user list)
    dialog --title "Users list" --msgbox "$users" 0 0
    menu
    ;;

    3)
    ######################Add New Domain Admin################################
    answer=$(dialog --title "Add New Admin Domain" \
                    --separate-widget $'\n' \
                    --form "" \
                    0 0 0 \
                    "Name:"     1 1 ""            1 10 20 0 \
                    "Password:" 2 1 "versalles"   2 10 20 0 \
                    "Surname:"  3 1 "Domain user" 3 10 20 0 \
                    3>&1 1>&2 2>&3 3>&-)

    name=$(echo "$answer" | sed -n 1p)
    password=$(echo "$answer" | sed -n 2p)
    surname=$(echo "$answer" | sed -n 3p)

    if [ -z "$name" ]; then
        error "Name is empty\nWrite a valid name"
    elif user_exists "$name"; then
        error "The user exists\nWrite a new name"
    else
        samba-tool user create "$name" "$password" --given-name="$name" --surname="$surname" &&
        samba-tool group addmembers "administrators" "$name" &&
        samba-tool group addmembers "Domain Admins" "$name" &&
        samba-tool group addmembers "enterprise admins" "$name" &&
        samba-tool group addmembers "group policy creator owners" "$name"
        smbcontrol all reload-config
    fi
    menu
    ;;

    4)
    ########################Add Domain User##############################
    answer=$(dialog --title "Add Domain User" \
                    --separate-widget $'\n' \
                    --form "" \
                    0 0 0 \
                    "Name:"     1 1 ""            1 10 20 0 \
                    "Password:" 2 1 "versalles"   2 10 20 0 \
                    "Surname:"  3 1 "Domain user" 3 10 20 0 \
                    3>&1 1>&2 2>&3 3>&-)

    name=$(echo "$answer" | sed -n 1p)
    password=$(echo "$answer" | sed -n 2p)
    surname=$(echo "$answer" | sed -n 3p)

    if [ -z "$name" ]; then
        error "Name is empty\nWrite a valid name"
    elif user_exists "$name"; then
        error "The user exists\nWrite a new name"
    else
        mkdir -p "$USERBASE/$name"
        chmod 700 "$USERBASE/$name"
        samba-tool user create "$name" "$password" --given-name="$name" --surname="$surname"
        # Personal share, bracketed by marker lines so option 7 can remove it again
        {
            echo
            echo "#1$name"
            echo "[$name]"
            echo "browseable = no"
            echo "path = $USERBASE/$name"
            echo "read only = no"
            echo "admin users = $name"
            echo "#2$name"
        } >> "$USERCONF"
        # Home drive letter and UNC path for the Windows profile
        pdbedit -r -u "$name" -D Y: -h "\\\\versalles.local\\$name"
        smbcontrol all reload-config

        var1=$(pdbedit -L -v -u "$name")
        dialog --title "User of Domain added verbose" --msgbox "$var1" 0 0
    fi
    menu
    ;;

    5)
    #######################Change password of domain user###############################
    userpwchange=$(dialog --title "" --stdout \
                   --inputbox "Name of the domain user whose password to change" 0 0)

    if [ -z "$userpwchange" ]; then
        error "You have left the username field empty\nWrite a valid name"
    elif user_exists "$userpwchange"; then
        password=$(dialog --title "" --stdout \
                   --inputbox "Write the new password\nDefault versalles" 0 0 versalles)
        samba-tool user setpassword "$userpwchange" --newpassword="$password"
        dialog --title "Changed the password for $userpwchange" \
               --msgbox "For $userpwchange\nNew password is $password" 0 0
    else
        dialog --title "" --msgbox "User $userpwchange does not exist" 0 0
    fi
    menu
    ;;

    6)
    ######################List user of Domain verbose################################
    user=$(dialog --title "Listing User Domain Verbose" --stdout --inputbox "user name?" 0 0)

    if [ -z "$user" ] || ! user_exists "$user"; then
        error "The user does not exist\nOr the field is empty"
    else
        dialog --title "Listing User Domain Verbose" --msgbox "$(pdbedit -L -v -u "$user")" 0 0
    fi
    menu
    ;;

    7)
    ########################Delete domain user##############################
    deleteuserdc=$(dialog --title "" --stdout \
                   --inputbox "Write the name of the domain user to delete" 0 0)

    if [ -z "$deleteuserdc" ]; then
        error "Name is empty\nWrite a valid name"
    elif ! user_exists "$deleteuserdc"; then
        dialog --title "" --msgbox "User $deleteuserdc does not exist" 0 0
    elif dialog --title "Delete domain user" \
                --yesno "Do you want to remove the user $deleteuserdc?" 0 0; then
        smbpasswd -x "$deleteuserdc"
        rm -r "$USERBASE/$deleteuserdc"
        #########delete records in samba files###################
        delete_stanza "$deleteuserdc" "$USERCONF"
        # Drop the user from any "admin users = ..." list in the shares file
        # (whole-word matches only, so other names are left alone)
        sed -i -E "/^admin users/{s/, \b${deleteuserdc}\b//g;s/\b${deleteuserdc}\b, //g;s/\b${deleteuserdc}\b//g;}" "$SHARECONF"
        dialog --title "" --msgbox "User $deleteuserdc has been deleted" 0 0
    fi
    menu
    ;;

    8)
    #######################Add new share in Domain###############################
    share=$(dialog --title "" --stdout --inputbox "Name of the new share?" 0 0)

    if [ -z "$share" ]; then
        error "Name is empty\nWrite a valid name"
    elif [ -e "$SHAREBASE/$share" ]; then
        error "Net share exists\nGive it a different name"
    else
        admin=$(dialog --title "" --stdout \
                --inputbox "Admin groups or users?\n
Examples:\n
User: madrid\n
Several users: madrid, caceres\n
Several groups: @profesores, @comun\n
Several users and groups: @profesores, @comun, madrid, caceres" 0 0)

        # Every comma-separated entry must be an existing user, or an
        # existing group when prefixed with @
        ok=1
        for entry in $(echo "$admin" | tr ',' ' '); do
            case $entry in
                @*) group_exists "${entry#@}" || ok=0 ;;
                *)  user_exists "$entry" || ok=0 ;;
            esac
        done

        if [ -z "$admin" ] || [ "$ok" -eq 0 ]; then
            error "Field is empty,\nor a user/group does not exist\nWrite a valid name"
        else
            mkdir -p "$SHAREBASE/$share"
            chmod 770 "$SHAREBASE/$share"
            {
                echo
                echo "#1$share"
                echo "[$share]"
                echo "path = $SHAREBASE/$share"
                echo "read only = no"
                echo "admin users = $admin"
                echo "#2$share"
            } >> "$SHARECONF"
            smbcontrol all reload-config

            varshare=$(smbclient -L localhost -U%)
            dialog --title "List net disk Shares" --msgbox "$varshare" 0 0
        fi
    fi
    menu
    ;;

    9)
    #######################Delete net Share in Domain###############################
    sharedelete=$(dialog --title "Select net share to delete" --stdout \
                  --dselect "$SHAREBASE/" 14 70)
    var1=$(basename "${sharedelete:-.}")

    if [ "$var1" = . ] || [ "$var1" = .. ] || [ ! -d "$SHAREBASE/$var1" ]; then
        error "\nNo net share folder selected\nTry again"
    elif dialog --title "Are you sure you want to erase the net share?" \
                --yesno "\nTHIS WILL PERMANENTLY DELETE\n\nTHE NETWORK SHARED DIRECTORY CALLED $SHAREBASE/$var1" 0 0; then
        rm -r "$SHAREBASE/$var1"
        #########delete records in samba files###################
        delete_stanza "$var1" "$SHARECONF"
        dialog --msgbox "The net share $var1 was erased" 0 0
    fi
    menu
    ;;

    10)
    ######################List Computer Of Domain################################
    computer=$(samba-tool computer list)
    dialog --title "computer list" --msgbox "$computer" 0 0
    menu
    ;;

    11)
    #######################Show Net Shares###############################
    varshare=$(smbclient -L localhost -U%)
    dialog --title "List net disk Shares" --msgbox "$varshare" 0 0
    menu
    ;;

    12)
    ######################Browse and select files to delete################################
    filedelete=$(dialog --title "Choose a file" --stdout --fselect "$HOME/" 14 70)
    if [ -f "$filedelete" ]; then
        if dialog --title "Delete file" \
                  --yesno "Are you sure you want to delete the file called $filedelete?" 0 0; then
            rm "$filedelete"
            dialog --msgbox "The file $filedelete was deleted" 0 0
        fi
    fi
    menu
    ;;

    13)
    #########################Exit#############################
    if dialog --title "Exit of application" --yesno "Do you want to exit now?" 0 0; then
        clear
        exit 0
    fi
    menu
    ;;

    14)
    #######################Shutdown###############################
    if dialog --title "SHUTDOWN" --yesno "Shut down the system in ten seconds?" 0 0; then
        for i in $(seq 0 10 100); do
            sleep 1
            echo "$i" | dialog --gauge "turning off the machine" 10 70 0
        done
        halt -p
    fi
    menu
    ;;
esac


#################################################################
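Added example, not code from the thread or from TurnKey: shell helpers for the per-user stanza format used both in the manual samba-tool procedure earlier in the thread and in the script's add/delete-user options. The function names (valid_name, stanza_exists, add_stanza, del_stanza) and the conservative name pattern are my assumptions; the config path is a temporary file constructed here, and nothing calls samba-tool, so it runs anywhere.

```shell
#!/bin/sh
# Added example: safe helpers for the "#1NAME" ... "#2NAME" stanzas that the
# thread writes into /etc/samba/diruserdc.conf. Names are validated, matched
# exactly (not as substrings), and stanzas are removed by whole-line markers.
set -u

# Accept only a conservative user/share name: a letter followed by up to 19
# letters, digits, '.', '_' or '-'. Rejects the empty string (which broke the
# unquoted [ $name = $name2 ] tests) and anything sed or the shell would interpret.
valid_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9._-]{0,19}$'
}

# Exact-line match of NAME ($1) against a newline-separated LIST ($2), e.g. the
# output of "samba-tool user list"; plain grep would also match "sevilla2".
name_in_list() {
    [ -n "$1" ] && printf '%s\n' "$2" | grep -qx -- "$1"
}

# True if CONF ($2) already has a [NAME] section (-F: brackets are not a regex).
stanza_exists() {
    grep -qxF -- "[$1]" "$2" 2>/dev/null
}

# Print the stanza exactly as the thread's script writes it for NAME under BASEDIR.
render_stanza() {
    printf '%s\n' "#1$1" "[$1]" "browseable = no" "path = $2/$1" \
                  "read only = no" "admin users = $1" "#2$1"
}

# Append a stanza for NAME ($1) under BASEDIR ($2) to CONF ($3).
# Returns 1 for an invalid name, 2 for a duplicate, 0 on success.
add_stanza() {
    valid_name "$1" || { echo "invalid name: '$1'" >&2; return 1; }
    stanza_exists "$1" "$3" && { echo "[$1] already present" >&2; return 2; }
    { echo; render_stanza "$1" "$2"; } >> "$3"
}

# Delete the block for NAME ($1) from CONF ($2). Anchoring the markers to whole
# lines means deleting "ana" cannot eat the "#1anabel" ... "#2anabel" block.
del_stanza() {
    valid_name "$1" || return 1
    stanza_exists "$1" "$2" || return 2
    sed -i "/^#1$1\$/,/^#2$1\$/d" "$2"
}

# Number of stanzas in CONF ($1), by counting "#1" marker lines.
count_stanzas() { grep -c '^#1' "$1"; }

# Self-check on a temporary file constructed here; prints "ok" on success.
demo() {
    conf=$(mktemp) || return 1
    add_stanza sevilla /home/users "$conf" || return 1
    add_stanza ana     /home/users "$conf" || return 1
    add_stanza anabel  /home/users "$conf" || return 1
    add_stanza sevilla /home/users "$conf" && return 1   # duplicate must fail
    add_stanza ''      /home/users "$conf" && return 1   # empty name must fail
    add_stanza 'x;rm'  /home/users "$conf" && return 1   # shell metachars must fail
    del_stanza ana "$conf" || return 1
    stanza_exists anabel "$conf" || return 1             # neighbour survives
    stanza_exists ana "$conf" && return 1
    [ "$(count_stanzas "$conf")" -eq 2 ] || return 1
    rm -f "$conf"
    echo ok
}
```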

Jeremy Davis's picture

I'm not sure how, but I missed this post of yours Juan. This looks awesome!

I've taken the liberty of proposing that we include it with the next release of the domain-controller appliance.

I hope that you are ok with the name I've given it ('turnkey-dc-conf'). As per general convention, TurnKey-provided end-user helper script names generally start with 'turnkey-' (or 'tkl'). The rationale for that is that it makes it easier for users to know that it's a script we include, plus it's easy to find via CLI tab completion. Having said that, if you have a preference for something in particular, feel free to share.

I also set 'e' as a matter of good practice bash scripting. In case you are unaware, setting 'e' means that the script will crash if it encounters a non-zero exit code when running commands. Any acceptable failures need to be explicitly handled. I haven't actually tested whether it makes any difference for your script as I've only done a visual code review.

I also added a link back to your post that includes the script.

I haven't actually tested it at all yet though. If you have time to double check my copy of your code, that'd be really cool. You can do that like this:

# running as root
URL=https://raw.githubusercontent.com/JedMeister/domain-controller/inc-juan-script/overlay
BIN=usr/local/bin/turnkey-dc-conf
wget -O /$BIN $URL/$BIN
chmod +x /$BIN

And it should then run via the command 'turnkey-dc-conf'.

Also, if you have further improvements that you've already implemented and/or further ideas, perhaps consider setting up a GitHub account so we can collaborate directly there?

Juan's picture

Totally agree, I'll work on it

Jeremy Davis's picture

That's awesome. Thanks! :)

Juan's picture

I am already a member of github, username j20003, I am seeing how it works.

Jeremy Davis's picture

(wrote this ages ago, but just realised I hadn't posted it)

If you have any feedback, thoughts or improvements, please feel free to open a pull request.

I'm not sure how familiar you are with git/GitHub and/or whether you have some sort of established workflow for this sort of thing or not. If you are totally unfamiliar, have a look at this first time with git/GitHub guide. If you want any more guidance or feedback, please feel free to ask.

Juan's picture

The link does not work:

root@dc1 ~# URL=https://raw.githubusercontent.com/JedMeister/domain-controller/inc-juan-...
root@dc1 ~# BIN=usr/local/bin/turnkey-dc-conf
root@dc1 ~# wget -O /$BIN /$URL/$BIN
/https://raw.githubusercontent.com/JedMeister/domain-controller/inc-juan-... Scheme missing.
root@dc1 ~# chmod +x /$BIN
root@dc1 ~#

Jeremy Davis's picture

I've fixed the previous post, but you need to remove the slash in front of the $URL. I.e. like this:

wget -O /$BIN $URL/$BIN

FWIW, the scheme is the 'http' or 'https' at the start of a URL. Because there was a leading slash (that shouldn't have been there) wget thought it was missing the scheme.

Wojciech's picture

As in the subject.

If TDC is running in a full VM everything is OK. Joining WIN10 works, two different DCs under the TurnKey Domain Controller work. RSAT in WIN10 is showing that everything is perfect:

If your TDC ver 16.1-1 is running in an LXC container, the WIN10 machine can't find the domain controller.

What is interesting: if you try to join TDC ver 15.01 in an LXC container - everything is OK.

What could be wrong in the container?

Any ideas?


Jeremy Davis's picture

If it's a privileged container, then that's the issue! Either run it as unprivileged, or enable nesting.

Wojciech's picture

It's interesting that in DC2 (additional Domain Controller in a VM) the config files are different than in DC5 (additional Domain Controller in LXC): there is dc5.default.lan, and it should be dc5.net.lan.

There are more differences (screenshots of the dc5 (LXC) and dc2 configs):


Jeremy Davis's picture

Samba used to not play nice within a container unless you did some funky network setup. I was under the impression that was no longer the case, but perhaps there has been some regression(s) in newer Samba versions which makes it incompatible with default LXC config? TBH, I would have expected it to "just work" as a container, but that may well not be the case... Perhaps you need to use a "proper" VM?

Looking at your screenshots though, are you allowing it to inherit DNS from the host? (That's what it looks like). If so, that's likely an issue (if not the issue). 127.0.0.1 or its own IP (assuming it's set as a static IP) should be the first DNS server, and you probably shouldn't list any other DNS servers (Samba's built-in DNS can be configured to forward queries to whatever DNS you want, although by default it's set to use Google; 8.8.8.8).

Re the 'dc5.default.net' entry; where did that come from? That's not something that it ships with. The firstboot scripts will configure that if you set 'default.net' as the realm, but if you re-run the first boot scripts that should be replaced?! Regardless, I recommend removing that one.

Also, the Samba components of Webmin are more suited to managing legacy (non-AD) style Samba set ups. I suspect that there is something you may have tweaked via Webmin that has had a negative impact?

Wojciech's picture

Anyway:

1. Using LXC on a host with Proxmox and the ZFS file system gives you amazing features with snapshots of the data shared via TDC, so I'm very upset that ver 16.1-1 in LXC is not working like 15.0.1, because of the new feature of joining TDC to an existing domain as an additional domain controller - I have waited for that.

2. All the configs are fresh after installation, without any changes of mine.

So the 'dc5.default.net' exists in the config because of the old default domain settings after installation. Of course I changed the domain name during installation from default.net to net.lan, and that's all, but this line still exists. In a VM installation this problem is not present.

Comparing DC2 (VM) and DC5 (LXC) after a fresh installation and join to DC1 (the first domain controller, in a VM) shows that something is going wrong during the installation process in the container.

I will test all of these variants on a host with an older version of Proxmox (6.4) and I will show the results.


Jeremy Davis's picture

The default domain should be 'domain.lan' though not 'default.net'? Thinking about this some more, I'm guessing you set it up with that originally and then changed it? If so, it should have been overwritten, not added. So that would suggest a bug in our config scripts.

Regardless, you'll need to get rid of that wrong line. Find where it is like this:

grep -r default.net /etc

Once you've found it (probably in /etc/hosts), try removing that line and retrying.

Also, check if the samba-ad-dc service is running:

systemctl status samba-ad-dc

If not, try restarting it:

systemctl restart samba-ad-dc

And check the status again. If it's still not starting, then please post the error message(s).

If it starts, follow the testing steps as noted in the Samba wiki. I suggest that you particularly take note of the DNS tests and Kerberos tests. There is also a specific troubleshooting page which might help?

Wojciech's picture

I've tested this under host Proxmox 7.0

We have two problems:

1. In an unprivileged container the installation of the TurnKey Linux AD controller failed. (Screenshots under the text)

2. In a privileged container of 16.1-1 the problem is in the DNS records of the domain controller.

I've compared ver. 15.0.1 and 16.1-1

In 15.0.1 (privileged container) all the DNS tests from the wiki:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory...

passed well:

root@dc4 ~# host -t SRV _ldap._tcp.net.lan.
_ldap._tcp.net.lan has SRV record 0 100 389 dc4.net.lan.
root@dc4 ~#

in 16.1-1 the DNS tests don't pass:

root@DC8 ~# host -t SRV _ldap._tcp.net.lan.
;; connection timed out; no servers could be reached
root@DC8 ~# host -t SRV _kerberos._udp.net.lan.
;; connection timed out; no servers could be reached
root@DC8 ~# host -t A dc8.net.com.
;; connection timed out; no servers could be reached
root@DC8 ~#

In 16.1-1 (unprivileged container) the installation finished with errors, so I did not test it:

Jeremy Davis's picture

Thanks for sharing.

Ok so it appears that the problem is that within pre-launch container configuration, you are allowing the guest to use the host's DNS config (which is default AFAIK). So you'll need to start again and this time, manually set up the DNS yourself. Hopefully that should resolve the issue?!

Wojciech's picture

Maybe the Proxmox 7.0 host configuration gives some DNS settings to the LXC containers because of some specific configuration of the hypervisor? But in both variants (15.0 and 16.) I set the DNS and the domain during creation of the container manually, and more - I set this on the host, and in 15.0.1 everything works fine. It is interesting that it is impossible to create TDC 16.1-1 in an unprivileged container under Proxmox 7, because of the error listed in the post before - it's confusing. I will try to repeat the tests under Proxmox 6.4 - the last stable version. I will show the result. But anyway there is something in the configuration or scripts, because in 15.0 everything looks well, and in 16.1-1 not.


Jeremy Davis's picture

I tested the v16.1 Domain Controller LXC (unprivileged) container and it works fine on Proxmox v5.x. I haven't yet tested on v6.x, but I hope to soon (I only just updated my Proxmox host to v6.x recently).

Actually though, I just noticed that there have been some changes to the firstboot script since the v16.1 release. It's queued to be rebuilt, but that probably won't happen until next week - I hadn't prioritised it as I only recalled the minor changes that I made, but perhaps it's more significant than I thought?

If you want to test it, please download the latest inithook to your v16.1 container. Like this:

URL=https://raw.githubusercontent.com/turnkeylinux-apps/domain-controller/master/overlay
FILE=usr/lib/inithooks/bin/domain-controller.py
wget -O /$FILE $URL/$FILE

Perhaps that might fix it? Please let me know...

Wojciech's picture

root@DC0 /# FILE=usr/lib/inithooks/bin/domain-controller.py
root@DC0 /# URL=https://raw.githubusercontent.com/turnkeylinux-apps/domain-controller/master/overlay
root@DC0 /# wget -O /$FILE $URL/$FILE
--2021-08-19 18:05:47--  https://raw.githubusercontent.com/turnkeylinux-apps/domain-controller/master/overlay/usr/lib/inithooks/bin/domain-controller.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23971 (23K) [text/plain]
Saving to: '/usr/lib/inithooks/bin/domain-controller.py'

/usr/lib/inithooks/bin/domain-controller.p 100%[=======================================================================================>]  23.41K  --.-KB/s    in 0.02s   

2021-08-19 18:05:53 (1.27 MB/s) - '/usr/lib/inithooks/bin/domain-controller.py' saved [23971/23971]

root@DC0 /#

But still DNS test of Domain Controler failed:

root@DC0 /# smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk     
        sysvol          Disk     
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@DC0 /# smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk     
        sysvol          Disk     
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@DC0 /# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter NET\Administrator's password:
  .                                   D        0  Thu Aug 19 17:34:12 2021
  ..                                  D        0  Thu Aug 19 17:34:14 2021

                31457280 blocks of size 1024. 30887424 blocks available
root@DC0 /# host -t SRV _ldap._tcp.net.lan.
Host _ldap._tcp.net.lan. not found: 3(NXDOMAIN)
root@DC0 /# host -t SRV _kerberos._udp.net.lan.
Host _kerberos._udp.net.lan. not found: 3(NXDOMAIN)
root@DC0 /# host -t A DC0.net.lan.
Host DC0.net.lan. not found: 3(NXDOMAIN

I'll change the host to Proxmox 6.4 and make all the tests again. Maybe the reason is in the new LXC modules in ver 7.0?
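The three `host` results seen in this thread (an SRV record found, "no servers could be reached", and NXDOMAIN) point at different causes, so here is a small diagnostic that runs the Samba wiki's DNS checks and classifies each outcome. This is an added example, not code from the thread or from the TurnKey project; the realm `net.lan` and the host names are the poster's values, and the sample outputs are constructed.

```python
import re
import subprocess

def expected_records(realm, dc_host):
    """Records a Samba AD DC must serve for its realm (the wiki's DNS tests)."""
    return [("SRV", f"_ldap._tcp.{realm}."),
            ("SRV", f"_kerberos._udp.{realm}."),
            ("A", f"{dc_host}.{realm}.")]

def classify(host_output):
    """Map the output of one `host -t <type> <name>` call to a verdict."""
    out = host_output.strip()
    if re.search(r" has (SRV record|(IPv6 )?address) ", out):
        return "ok"
    if "no servers could be reached" in out:
        # No DNS server answered at all: the container's resolver (e.g. one
        # inherited from the hypervisor host) is not the DC and is unreachable.
        return "resolver-unreachable"
    if "NXDOMAIN" in out:
        # A resolver answered, but it is not the DC's internal DNS, or the AD
        # zone lacks that record: check /etc/resolv.conf points at the DC.
        return "record-missing"
    return "unknown"

def run_check(rtype, name):
    """Live check on this machine (needs the `host` binary)."""
    proc = subprocess.run(["host", "-t", rtype, name],
                          capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr)

def check_dc_dns(realm, dc_host, runner=run_check):
    """Return {record name: verdict} for every record the DC must serve."""
    return {name: runner(rtype, name)
            for rtype, name in expected_records(realm, dc_host)}

# Constructed sample outputs, one per outcome observed in this thread.
SAMPLES = {
    "_ldap._tcp.net.lan.": "_ldap._tcp.net.lan has SRV record 0 100 389 dc4.net.lan.",
    "_kerberos._udp.net.lan.": ";; connection timed out; no servers could be reached",
    "dc8.net.lan.": "Host dc8.net.lan. not found: 3(NXDOMAIN)",
}

def sample_runner(rtype, name):
    # Offline stand-in for run_check that replays the constructed samples.
    return classify(SAMPLES.get(name, ""))

if __name__ == "__main__":
    for name, verdict in check_dc_dns("net.lan", "dc8", sample_runner).items():
        print(f"{name:26} {verdict}")
```

Run it on the DC itself with `check_dc_dns("<realm>", "<dc-hostname>")` (the default live runner) to get one verdict per record.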


Wojciech's picture

1. Good information: the LXC privileged container works well:

The DNS and Samba tests pass, and a VM with WIN10 joins the TDC.


2. Bad news: in all combinations of "features" (NESTED, FUSE, etc.) the LXC unprivileged container failed with errors:

Tomorrow I'll test joining a second TDC in LXC to the domain as an additional domain controller, and WIN10 working with them, and I'll test the last fix from GitHub on the unprivileged version of LXC containers.

The conclusion is that under Proxmox 6.4 TDC 16.1-1 in LXC works fine in a privileged container only, and in Proxmox 7.0 it doesn't work at all.

What is interesting is what the reason is.


Wojciech's picture

1. WIN10 joins the domain correctly. In both variants (DC1 or DC2, or DC1 and DC2) it is working.

2. I could add new domain users when the first domain controller was down, and change passwords too.

3. After turning on the first Domain Controller and shutting down the second, everything works fine.

4. RSAT shows the two domain controllers and the users correctly:


So the scenario with two TDCs in privileged LXC under Proxmox 6.4 works ok, and it is very good news, because of the ZFS system of the host with all the snapshots, replication and mirrored domain controllers in the LAN network. Delicious.

The question is why unprivileged LXC doesn't work from Proxmox ver. 6.4, and nothing works in Proxmox 7.0.

Maybe I've made some error, please correct me, but all the configurations of the hosts and containers were fresh without any changes.

I hope that the answer will help build the next version of TDC, and this is very important, because Proxmox is a very popular hypervisor, and during migration to ver. 7.0 and higher, people will run into this problem.


Jeremy Davis's picture

Thanks heaps for the testing and info.

I'm really glad to hear that you managed to get it working ok. That is great news.

When I get a chance, I will try to see why it's not working when run unprivileged on PVE v6.x. I'm not sure when I'll get a chance to check against PVE v7.x though. We will be working on our next major version, v17.0, pretty soon. Hopefully that may even "just work" on Proxmox v7.x.

Regardless, this info that you've published here is a great help!

Wojciech's picture

I've observed that the configuration with two TDCs is sometimes unstable.

First variant:

DC1 (in a VM) and try to JOIN DC2 (LXC) - "DC2.NET.LAN is already registered in network" and the join failed. And the same happens if I change to DC3, DC4 - names never used in the network.

Second variant:

DC1 (in a VM) and DC2 (VM) - everything looks well, but sometimes the Kerberos test fails for DC2. Even if it is correct from time to time (RSAT shows both in domain controllers), if you take down DC1, you can't log in to the domain with DC2 running.

In the tests before, everything was ok, but on the next try I have problems like that. I think that it is a problem with DNS zone transfer between them.

So my conclusion is that a single TDC as domain controller under Proxmox 6.4 works ok (in privileged LXC or a full VM), but the model with two domain controllers is unstable.


MiKo's picture

Hello all,

searching for an alternative method to double an existing Windows DC, I found your project yesterday.

Downloaded the .ova, installed it in VBox ... and got stuck multiple times:

- the AD's standard "Administrator" user does not exist (at least not openly)

- this account's password contains characters that are not first-hand available on a non-German keyboard, and also does not fulfill your requirements

- the domain I want to join is "inoffice.-my-external-domain.tld" - but these '-' are not accepted

So I hoped that this is one of the topics mentioned by "joining an existing non-Samba domain might fail", and I tried using samba-tool - but no success there either. Even the test setup of a new domain with '-' failed, so I had to cancel the testing ... :(

My wishes and suggestions from the experience, to make this project more successful:

- please make the setup ask for keyboard layout and IP address, as many other appliances do, instead of setting EN-US and DHCP

- please make the naming restriction on "alphanumeric" realm names more prominent

- please change the typo in the splash screen from "sambatool" into "samba-tool" (certainly the least prio).

- no, that might be this: I had to write this twice, because after the first sending attempt there was a plausibility check in the form that did not like my "homepage" value ... and then the edit field was empty again ... :(

and as I am in the form generator: the preview after sending does not take into account the paragraphs that are clearly contained in the html source code ...

Greets
Michael

Jeremy Davis's picture

Hi and welcome to TurnKey. Thanks for providing your feedback and apologies on my slow response. I did actually start yesterday, but got sidetracked before I finished.

the AD's standard "Administrator" user does not exist (at least not openly)

So you use an AD Administrator account name other than "administrator"?! Hmm, that's a pretty good point. It should probably ask for the username (defaulting to "administrator").

I've opened a bug.

this account's password contains characters that are not first-hand available on a non-German keyboard, and also does not fulfill your requirements

Yes that's a known issue (for all of our appliances - not just this one). It's something that we really should do something about.

Currently the only way to work around that is to create a new domain on firstboot, then once you can login, set your keyboard and language. You can do that within Confconsole. It's within the Region Config section. Once you've done that, re-run the firstboot scripts like this:

turnkey-init

Or just the domain-controller specific part like this:

/usr/lib/inithooks/bin/domain-controller.py

the domain I want to join is "inoffice.-my-external-domain.tld" - but these '-' are not accepted

This is part bug and part a problem with your realm/AD domain.

Samba requires that the AD Kerberos realm/AD DNS domain must be a valid DNS name. Unfortunately, Windows allows you to create a realm/AD domain which is not a generally valid DNS name (by default Windows uses its own internal DNS server which allows non-valid DNS names). Whilst the '-' character is valid in a DNS name (which is a bug) AFAIK, it must start with an alphanumeric character. From my understanding, the domain that you have shared is incompatible with Samba.

Given your scenario, if you want to test/use Samba, you'll need to create a new AD domain from scratch.

please make the setup ask for keyboard layout and IP address, as many other appliances do, instead of setting EN-US and DHCP

Yes, asking for keyboard at firstboot would be a good thing, so I've added that as an issue too. Asking for IP is a bit more complicated as we support running on AWS and that must always use DHCP to get an initial (private) IP - but again, I agree it should be easy to do.

please make the naming restriction on "alphanumeric" realm names more prominent

As noted before, we should allow inclusion of the '-' character. Although I would argue that currently it makes it pretty clear that alphanumeric characters are required.

please change the typo in the splash screen from "sambatool" into "samba-tool" (certainly the least prio).

I have just fixed this so it will be included in the next release. I know that you said it was lowest priority, but it's also the only one that can be simply fixed.

no, that might be this: I had to write this twice, because after the first sending attempt there was a plausibility check in the form that did not like my "homepage" value ... and then the edit field was empty again ... :(

Hmm, yeah that sucks. Although it was probably the spam filter that caught that. The workaround is to create a website user account and post as a logged in user.

and as I am in the form generator: the preview after sending does not take the paragraphs into respect that are clearly contained in the html source code ...

Again that is because you were not logged in. There is only a subset of html tags supported for non-logged in users. The unsupported tags are still saved, but it requires manual intervention by me to ensure that your post is displayed as you intended it. That is a security measure.

Thanks again for providing your feedback. I hope to implement at least some of them in our upcoming new major release (v7.0).

MiKo's picture

Hi Jeremy,
just before switching off the PC for the night, I see your comment - good night postponed ;)


Thank you for the broad explanations.

And sorry for the typo - in my realm/domain name the first character of course is not a '-', that's a typo - unfortunately the worst case that might happen ... as this domain really exists in the "outside world" network, as you see in my mail address, it would not have been accepted by any official registrar otherwise.

Regarding the DHCP or fixed address, I see your point on AWS. I've had some experiences on other DC systems in earlier times that did not work well anymore after an address change, because the change did not crawl through all the config files ... so I'm rather reserved on that topic.

I guess I'll play a bit with it again, although my main goal was to get a 2nd DC for a Win2k16 AD - which is not really possible with this Samba release, as I learned meanwhile. There I'd have the existing testing environment readily available - thus I have to create some new VMs.

Till later
Michael

Jeremy Davis's picture

You're welcome.

And sorry for the typo - in my realm/domain name the first character of course is not a '-', that's a typo - unfortunately the worst case that might happen ... as this domain really exists in the "outside world" network

Ah ok. No problem. If it's a valid DNS name, then it should certainly work. I will definitely ensure that '-' is allowed in the realm/AD domain in the next release of our Domain Controller.

Regarding the DHCP or fixed address, I see your point on AWS. I've had some experiences on other DC systems in earlier times that did not work well anymore after an address change, because the change did not crawl through all the config files ... so I'm rather reserved on that topic.

Yes, I agree it's sub-optimal. But currently, before using in production you will need to set a static IP and reconfigure (use of DHCP for testing is fine).

For what it's worth, that is noted on the Domain Controller doc page (which I should have noted in my previous message).

I guess I'll play a bit with it again, although my main goal was to get a 2nd DC for a Win2k16-AD - which is not really possible with this Samba release, as I learned meanwhile.

Yeah, unfortunately Samba is not compatible with the Win2k16 AD schema out of the box. It seems that there may be a workaround, but I'm not even sure that will work with the version of Samba in our current appliance? You may need to wait for our upcoming v17.0 release - hopefully it will be published within the next month or 2. For what it's worth, I've added a compatibility section to the doc page.

MiKo's picture

Hi again, so there will be a new release that soon; that is great to hear - I think I can wait for this "late Christmas surprise" ;) Thank you, Michael
