I also run a test AD domain at home, but most of my servers are standalone and don't use an external server for authentication.

As an IT person, Active Directory has been a necessary evil, regardless of whether the majority of the server base is running Linux. All of the companies I have worked for have had an AD Domain, regardless of whether their products were Unix/Linux-based.

With that said, I have found that learning to run Active Directory on Linux has been a more in-depth learning experience than just firing up a Domain on a Windows server. AD is a collection of different protocols, and learning how they interact will benefit you no matter what your preferred OS is. When you set up a domain in Windows, you are never exposed to the underpinnings like you are in Linux.

With AD, you don't even need to use Samba/Winbind for client authentication; you can do LDAP instead.

Going back to the original problems:

1) 'samba-tool drs showrepl' gets a NT_STATUS_LOGON_FAILURE (meaning I can't
verify that replication's working, or not).
Certain things need to be in place before you can talk to the DC:

2) The samba_dnsupdate process gets an error in syslog "RuntimeError: kinit
for DC03$@ETHER.CI.NET failed (Preauthentication failed)" and prevents the
internal DNS server from coming up.

There should be samba logs in /var/log that can give more detailed information. If it's not detailed enough, you should be able to make it more verbose.

When getting Linux machines talking to Windows AD, I’ve had to have the following in place:
-Manually adding a DNS entry in the AD DNS
-Setting a hostname identical to the DNS entry
-Pointing /etc/resolv.conf to the PDC/BDC DNS and setting the default search domain to the AD one
-Having NTP sync to the PDC/BDC, this is more important than you think because too much time skew will cause the server to stop responding to requests
-Editing the /etc/krb5.conf file because you need that keytab first and the vanilla default won't work:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.COM = {
  kdc = 192.168.0.1
  kdc = 192.168.0.2
  admin_server = 192.168.0.1
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

[appdefaults]
pam = {
     debug = false
     ticketlifetime = 36000
     renewlifetime = 36000
     forwardable = true
     krb4_convert = false
}

As for your Windows 2008 servers, if the license expires, you should still be able to continue to use them and get security updates. God only knows I have a few of those in non-production. The only thing that should happen is that you will get nag alerts that it's not a genuine Windows system.

Hope this helps
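A pre-flight script for the checklist above (hostname matching the AD DNS entry, resolv.conf pointing at the DC with the AD search domain, clock skew within Kerberos tolerance, and a krb5.conf that names the realm and KDCs instead of the vanilla default). This is an added example, not code from the original post or from Samba; the sample files are constructed under a temp directory, the function names are mine, and the 300-second limit is MIT Kerberos' default clockskew, which is an assumption about the KDC's configuration.

```shell
#!/bin/sh
# Added example: offline checks for the prerequisites a Linux host needs before it can
# talk Kerberos to a Windows/Samba DC. Every input is passed explicitly so the checks
# run against constructed files rather than the live system.

# check_hostname_matches LOCAL_FQDN AD_DNS_NAME
# DNS names are case-insensitive, so compare them lower-cased.
check_hostname_matches() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$a" = "$b" ]
}

# check_resolv_conf FILE SEARCH_DOMAIN DC_ADDRESS
# Passes only if the AD domain is in the search/domain list and the DC is a nameserver.
check_resolv_conf() {
    awk -v d="$2" -v ns="$3" '
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == d) sd = 1 }
        $1 == "nameserver" && $2 == ns { n = 1 }
        END { exit (sd && n) ? 0 : 1 }' "$1"
}

# check_time_skew LOCAL_EPOCH DC_EPOCH MAX_SECONDS
# The KDC rejects requests whose timestamp is outside its allowed clock skew
# (MIT krb5 default: 300 s), which is how NTP drift turns into authentication failures.
check_time_skew() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -le "$3" ]
}

# check_krb5_conf FILE REALM
# Requires default_realm = REALM, dns_lookup_kdc disabled (the post pins KDCs by address),
# and at least one kdc line inside the [realms] block for REALM.
check_krb5_conf() {
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1" || return 1
    grep -Eq "^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*false" "$1" || return 1
    awk -v r="$2" '
        $1 == r && $2 == "=" && $3 == "{" { inblk = 1; next }
        inblk && $1 == "}"                 { inblk = 0 }
        inblk && $1 == "kdc" && $2 == "=" && $3 != "" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# --- constructed sample inputs (not real hosts) ---
TMP=$(mktemp -d)
cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DOMAIN.COM = {
  kdc = 192.168.0.1
  kdc = 192.168.0.2
  admin_server = 192.168.0.1
 }
EOF
# A vanilla distro default: wrong realm, DNS lookup on, no KDC addresses.
cat > "$TMP/krb5.conf.vanilla" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true
EOF
cat > "$TMP/resolv.conf" <<'EOF'
search domain.com
nameserver 192.168.0.1
nameserver 192.168.0.2
EOF

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report check_hostname_matches "dc03.domain.com" "DC03.domain.com"
report check_resolv_conf "$TMP/resolv.conf" domain.com 192.168.0.1
report check_time_skew "$(date +%s)" "$(( $(date +%s) + 120 ))" 300   # constructed 2-minute offset
report check_krb5_conf "$TMP/krb5.conf" DOMAIN.COM
report check_krb5_conf "$TMP/krb5.conf.vanilla" DOMAIN.COM            # expected FAIL
```

On a real host you would feed `hostname -f`, the live /etc/resolv.conf and /etc/krb5.conf, and the DC's time (for example from `ntpdate -q` output) into the same functions; a FAIL from any one of them is a cheaper diagnosis than a Preauthentication failed in syslog.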

On 08/12/2015 08:59 AM, Edward Ned Harvey (blu) wrote:
From: Rich Braun [mailto:ri...@pioneer.ci.net]

I guess I didn't make it clear: this is my home LAN. My domain controllers
exist solely to support a couple of Windows instances that run software that
has yet to become available on Linux, and/or devices that want to communicate
with SMB network shares.
Oh - Uh - That makes a lot of sense now. ;-)

The part that's still missing is: Why run a domain at all? Why not just let the 
couple of windows boxen run standalone, and use basic authentication to the SMB 
share?
_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
