KVM Archive on lore.kernel.org
From: Turritopsis Dohrnii Teo En Ming <ceo@teo-en-ming-corp.com>
To: "kvm@vger.kernel.org" <kvm@vger.kernel.org>
Cc: Turritopsis Dohrnii Teo En Ming <ceo@teo-en-ming-corp.com>
Subject: Teo En Ming's Manual for Setting Up Samba 4.11.6 and CentOS 8.1 (1911) Linux Server QEMU/KVM Virtual Machine as an Active Directory Domain Controller (AD DC)
Date: Sat, 15 Feb 2020 06:38:50 +0000
Message-ID: <SG2PR01MB21410FC1931594D546E1818087140@SG2PR01MB2141.apcprd01.prod.exchangelabs.com>

PUBLISHED 15 FEB 2020 SATURDAY, SINGAPORE, SINGAPORE, SINGAPORE

This manual/guide is meant for small and medium businesses (SMB) which do not want to spend a lot of money on Windows Server 2016/2019 licensing.

REFERENCE GUIDE
===============

Guide: Setting up Samba as an Active Directory Domain Controller

Link: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

EXTREMELY DETAILED INSTRUCTIONS OF TEO EN MING'S MANUAL
=======================================================

Starting CentOS 8.1 (1911) Linux Server QEMU/KVM Virtual Machine on Ubuntu 18.04.3 LTS Desktop Host
===================================================================================================

Virtual Machine Manager (virt-manager) depends on the libvirtd service, so make sure it is running first.

$ sudo systemctl start libvirtd.service

Start the Virtual Machine Manager. (sudo is only needed if your user is not in the libvirt group; a member of that group can manage the local libvirtd without root.)

$ sudo virt-manager

Select the CentOS 8.1 QEMU/KVM virtual machine and click "Power on the virtual machine".

REFERENCE GUIDE
===============

Guide: ENABLING HOST-GUEST NETWORKING WITH KVM, MACVLAN AND MACVTAP

Link: https://www.furorteutonicus.eu/2013/08/04/enabling-host-guest-networking-with-kvm-macvlan-and-macvtap/

Still on the Ubuntu 18.04.3 LTS Desktop host.

$ nano /home/teo-en-ming/macvlan.sh

#!/bin/bash

# Adapted by Teo En Ming on 14 Feb 2020 Friday (Valentine's Day in Singapore).
 
# let host and guests talk to each other over macvlan
# configures a macvlan interface on the hypervisor
# run this on the hypervisor as root (e.g. in /etc/rc.local)
# made for IPv4; needs modification for IPv6
# meant for a simple network setup with only one NIC (eth0 or enp5s0) on the host,
# and a static (manual) ip config
# Original Author: Evert Mouw, 2013 (European Union)

set -u

#HWLINK=eth0
HWLINK=enp5s0
MACVLN=macvlan0
TESTHOST=www.google.com

if [ "$(id -u)" -ne 0 ]; then
    echo "$0: must run as root (changes links and routes)" >&2
    exit 1
fi

# safe to re-run: do nothing if the macvlan interface already exists
if ip link show "$MACVLN" > /dev/null 2>&1; then
    echo "$0: $MACVLN already exists, nothing to do"
    exit 0
fi
 
# ------------
# wait for network availability
# ------------
 
# IPv4 pings only

while ! ping -4 -q -c 1 "$TESTHOST" > /dev/null
do
    echo "$0: Cannot ping $TESTHOST, waiting another 5 secs..."
    sleep 5
done
 
# ------------
# get network config
# ------------
 
# first IPv4 address of $HWLINK with its prefix length, e.g. 192.168.1.5/24
IP=$(ip -4 -o address show dev "$HWLINK" | awk '{print $4; exit}')
# directly connected subnet on $HWLINK (skip the default route and 169.254/16 link-local)
NETWORK=$(ip -4 -o route show dev "$HWLINK" | grep -v default | grep -v '^169\.254' | awk '{print $1; exit}')
GATEWAY=$(ip -4 -o route show default | awk '{print $3; exit}')

if [ -z "$IP" ] || [ -z "$NETWORK" ] || [ -z "$GATEWAY" ]; then
    echo "$0: could not read address, subnet or gateway from $HWLINK, aborting" >&2
    exit 1
fi
 
# ------------
# setting up $MACVLN interface
# ------------
 
ip link add link "$HWLINK" "$MACVLN" type macvlan mode bridge
ip address add "$IP" dev "$MACVLN"
ip link set dev "$MACVLN" up
 
# ------------
# routing table
# ------------
 
# empty routes
ip route flush dev "$HWLINK"
ip route flush dev "$MACVLN"
 
# add routes: the local subnet is now reached through the macvlan interface
ip route add "$NETWORK" dev "$MACVLN" metric 0
 
# add the default gateway
ip route add default via "$GATEWAY"

===END OF LINUX SHELL SCRIPT===

$ sudo chmod +x /home/teo-en-ming/macvlan.sh

$ sudo /home/teo-en-ming/macvlan.sh

192.168.1.122 is the IP address (DHCP auto configuration) of the CentOS 8.1 Linux Server.
ssh into the CentOS 8.1 Linux Server.

$ ssh teo-en-ming@192.168.1.122

PREPARING THE INSTALLATION ON CENTOS 8.1 LINUX SERVER
=====================================================

Setting hostname of CentOS 8.1 Linux Server.
============================================

# hostnamectl set-hostname dc1

To see the hostname:

# hostnamectl

Output:

   Static hostname: dc1
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 668fdf5de7214d56be0ef8b65f7166e9
           Boot ID: 5691a1a2dacd41c4ab5871d25885e138
    Virtualization: kvm
  Operating System: CentOS Linux 8 (Core)
       CPE OS Name: cpe:/o:centos:centos:8
            Kernel: Linux 4.18.0-147.el8.x86_64
      Architecture: x86-64

How to set static IP address 192.168.1.10 on CentOS 8.1 Linux Server
====================================================================

# cd /etc/sysconfig/network-scripts/

# nano ifcfg-ens3

TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens3"
UUID="8e179c97-1388-48ee-a8be-d173ee3ff40c"
DEVICE="ens3"
ONBOOT="yes"
IPADDR="192.168.1.10"
PREFIX="24"
GATEWAY="192.168.1.1"
DNS1="8.8.8.8"

NOTE: do not leave DNS1 pointing at an external resolver on a domain controller. NetworkManager regenerates /etc/resolv.conf from this file every time the connection comes up, so a hand-edited /etc/resolv.conf is lost and the DC ends up asking 8.8.8.8 about its own AD zone. Either set DNS1="192.168.1.10" and DOMAIN="teo-en-ming.corp" here (external names are still resolved through the forwarder configured at provisioning time), or drop the DNS1 line and stop NetworkManager from managing /etc/resolv.conf (dns=none in the [main] section of /etc/NetworkManager/NetworkManager.conf).

# reboot

ssh into CentOS 8.1 Linux Server with static IP address 192.168.1.10.

$ ssh teo-en-ming@192.168.1.10

Make sure no Samba processes are running before provisioning; apart from the egrep process itself, this should print nothing:

# ps ax | egrep "samba|smbd|nmbd|winbindd"

# nano /etc/hosts

Contents of file:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.10	dc1.teo-en-ming.corp dc1

Back up the original /etc/krb5.conf; provisioning generates a replacement for it.

# mv /etc/krb5.conf /etc/krb5.conf.bak

INSTALLING SAMBA 4.11.6 ON CENTOS 8.1 LINUX SERVER QEMU/KVM VIRTUAL MACHINE
===========================================================================

REFERENCE GUIDE
===============

Guide: Build Samba from Source

Link: https://wiki.samba.org/index.php/Build_Samba_from_Source

Installing package dependencies before building Samba on CentOS 8.1 Linux Server.

# yum -y install dnf-plugins-core

# yum config-manager --set-enabled PowerTools

# yum install docbook-style-xsl gcc gdb gnutls-devel gpgme-devel jansson-devel
# yum install keyutils-libs-devel krb5-workstation libacl-devel libaio-devel 
# yum install libarchive-devel libattr-devel libblkid-devel libtasn1 libtasn1-tools 
# yum install libxml2-devel libxslt openldap-devel pam-devel perl 
# yum install perl-ExtUtils-MakeMaker perl-Parse-Yapp popt-devel python3-cryptography 
# yum install python3-dns python3-gpg python36-devel readline-devel rpcgen systemd-devel 
# yum install tar zlib-devel

Compulsory Packages NOT installed at the moment:

lmdb-devel

Download the current stable release, 4.11.6, and verify it before building: Samba publishes a detached signature (samba-4.11.6.tar.asc, made with the Samba release signing key available from download.samba.org) over the uncompressed tarball, so gunzip the archive and check the signature against it rather than trusting the download alone.

# wget https://download.samba.org/pub/samba/stable/samba-4.11.6.tar.gz

# tar -zxf samba-4.11.6.tar.gz

# cd samba-4.11.6/

# ./configure

Output:

Samba AD DC and --enable-selftest requires lmdb 0.9.16 or later

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

# yum install lmdb-devel

Run ./configure again.

# ./configure

Output:

'configure' finished successfully (42.262s)

Make full use of all 4 cores on my AMD Ryzen 3 3200G processor.

# make -j 4

Output:

Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'build' finished successfully (9m24.396s)

# make install

Output:

Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'install' finished successfully (2m58.171s)

# nano /etc/profile

Append the following line:

export PATH=$PATH:/usr/local/samba/bin/:/usr/local/samba/sbin/

PROVISIONING A SAMBA ACTIVE DIRECTORY DOMAIN CONTROLLER
=======================================================

Provisioning Samba AD DC in Interactive Mode.

The original intention was to use the SAMBA_INTERNAL DNS backend.

Note the two warnings in the output below: the VM has more than one IPv4 and more than one IPv6 address, and provisioning picks one of each to register in DNS. To choose explicitly, pass --host-ip=192.168.1.10 (and --host-ip6=... for the IPv6 address you want registered) instead of relying on the automatic choice.

# samba-tool domain provision --use-rfc2307 --interactive

Output:

Realm [TEO-EN-MING.CORP]:  TEO-EN-MING.CORP
Domain [TEO-EN-MING]:  TEO-EN-MING
Server Role (dc, member, standalone) [dc]:  dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:  8.8.8.8
Administrator password: 
Retype password: 
INFO 2020-02-14 22:56:13,700 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-14 22:56:13,702 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-14 22:56:13,702 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-14 22:56:13,702 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-14 22:56:14,152 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2020-02-14 22:56:14,595 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-14 22:56:14,848 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-14 22:56:16,031 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-14 22:56:16,721 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-14 22:56:17,155 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-14 22:56:17,263 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-14 22:56:17,266 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-14 22:56:17,331 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2020-02-14 22:56:17,548 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-14 22:56:17,646 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-14 22:56:17,722 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-14 22:56:21,121 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-14 22:56:21,263 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-14 22:56:23,502 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-14 22:56:23,543 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-14 22:56:23,545 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-14 22:56:23,547 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-14 22:56:23,549 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-14 22:56:23,550 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-14 22:56:23,695 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-14 22:56:23,760 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-14 22:56:24,075 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=ms-DS-Replication-Notify-First-DSA-Delay,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=interSiteTransport-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-14 22:56:27,001 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-14 22:56:27,377 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-14 22:56:27,401 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-14 22:56:27,620 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.dc,DC=_msdcs.teo-en-ming.corp,CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-14 22:56:28,660 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-14 22:56:28,734 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-14 22:56:29,720 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-14 22:56:29,720 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-14 22:56:30,078 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-14 22:56:30,277 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-14 22:56:30,277 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role:           active directory domain controller
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname:              dc1
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain:        TEO-EN-MING
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain:            teo-en-ming.corp
INFO 2020-02-14 22:56:30,278 pid:2609 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID:            S-1-5-21-3028196010-72872391-2123559056

Configuring the DNS resolver. NetworkManager will keep overwriting /etc/resolv.conf; this problem is dealt with later.

# nano /etc/resolv.conf


Contents of file:

search teo-en-ming.corp
nameserver 192.168.1.10

REFERENCE GUIDE
===============

Guide: Managing the Samba AD DC Service Using Systemd

Link: https://wiki.samba.org/index.php/Managing_the_Samba_AD_DC_Service_Using_Systemd

Make sure the classic smbd, nmbd and winbind units cannot start alongside the AD DC process. On a pure source build these units do not exist and systemctl just reports that; the step matters when a distribution Samba package is also installed.

# systemctl mask smbd nmbd winbind

# systemctl disable smbd nmbd winbind

# nano /etc/systemd/system/samba-ad-dc.service

Contents of file:

[Unit]
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/samba -D
PIDFile=/usr/local/samba/var/run/samba.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target


# systemctl daemon-reload

# systemctl enable samba-ad-dc

# systemctl start samba-ad-dc

Output:

Job for samba-ad-dc.service failed because the control process exited with error code.
See "systemctl status samba-ad-dc.service" and "journalctl -xe" for details.

Exit status 203/EXEC means systemd could not execute /usr/local/samba/sbin/samba at all. The Samba AD DC service cannot start because SELinux is enforcing on CentOS 8.1 and the binary installed under /usr/local/samba carries a file label that systemd is not allowed to execute.
We will see later.

# systemctl status samba-ad-dc

Output:

● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2020-02-15 08:39:58 +08; 46s ago
  Process: 6967 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=203/EXEC)
 Main PID: 1595 (code=exited, status=203/EXEC)

Feb 15 08:39:58 dc1 systemd[1]: Starting Samba Active Directory Domain Controller...
Feb 15 08:39:58 dc1 systemd[1]: samba-ad-dc.service: Control process exited, code=exited status=203
Feb 15 08:39:58 dc1 systemd[1]: samba-ad-dc.service: Failed with result 'exit-code'.
Feb 15 08:39:58 dc1 systemd[1]: Failed to start Samba Active Directory Domain Controller.

# reboot

Start Samba AD DC manually.

# samba -D

Create a reverse zone in the Samba internal DNS backend. This creates an empty zone; the PTR record for dc1 itself still has to be added.

# samba-tool dns zonecreate 192.168.1.10 1.168.192.in-addr.arpa -U administrator

Output:

Password for [TEO-EN-MING\administrator]:
Zone 1.168.192.in-addr.arpa created successfully

Configuring Kerberos
====================

# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

Starting Samba AD DC Manually.

# samba -D

Verifying the File Server.
==========================

$ smbclient -L localhost -U%

Output:

	Sharename       Type      Comment
	---------       ----      -------
	sysvol          Disk      
	netlogon        Disk      
	IPC$            IPC       IPC Service (Samba 4.11.6)
SMB1 disabled -- no workgroup available

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'

Output:

Enter TEO-EN-MING\Administrator's password: 
  .                                   D        0  Fri Feb 14 22:56:17 2020
  ..                                  D        0  Fri Feb 14 22:56:24 2020

		17811456 blocks of size 1024. 12025652 blocks available

Verifying DNS (Failed)
======================

# killall dnsmasq

$ host -t SRV _ldap._tcp.teo-en-ming.corp.

Output: 

Host _ldap._tcp.teo-en-ming.corp. not found: 3(NXDOMAIN)


$ host -t SRV _kerberos._udp.teo-en-ming.corp.

Output: 

Host _kerberos._udp.teo-en-ming.corp. not found: 3(NXDOMAIN)

$ host -t A dc1.teo-en-ming.corp.

Output:

Host dc1.teo-en-ming.corp. not found: 3(NXDOMAIN)

I am unable to find the above DNS records because Network Manager keeps overwriting /etc/resolv.conf
As a result, I am always looking up the WRONG DNS server.

Verifying Kerberos
==================

$ kinit administrator

Output:

kinit: Cannot find KDC for realm "TEO-EN-MING.CORP" while getting initial credentials

The above problem is also due to NetworkManager repeatedly overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.
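
The NXDOMAIN answers and the "Cannot find KDC" error above both come from asking a resolver other than the DC, so they say nothing about whether the DC itself is healthy. The check script below sidesteps that: it derives the reverse zone created with zonecreate above from the DC's address and prefix, asks the DC directly (host takes the server to query as its last argument) for the SRV, A and PTR records a client needs, and confirms /etc/resolv.conf names the DC before trying kinit. This is an added example, not code from the Samba wiki or from this manual; it assumes the values used here (192.168.1.10/24, dc1, teo-en-ming.corp) and that host (bind-utils), kinit and klist are installed on the DC.

```shell
#!/bin/sh
# Post-provision checks for a Samba AD DC.  Added example, not code from the
# Samba wiki or the original manual.  Defaults are the values used in the
# manual (DC 192.168.1.10/24, realm teo-en-ming.corp, host dc1); override
# them in the environment.  Needs host (bind-utils), kinit and klist.
DC_IP=${DC_IP:-192.168.1.10}
DC_PREFIX=${DC_PREFIX:-24}
REALM=${REALM:-teo-en-ming.corp}
DC_HOST=${DC_HOST:-dc1}

# reverse_zone ADDRESS PREFIXLEN -> in-addr.arpa name covering ADDRESS/PREFIXLEN
# (PREFIXLEN a multiple of 8): 192.168.1.10 24 -> 1.168.192.in-addr.arpa, the
# zone created with 'samba-tool dns zonecreate' above; with 32 it is the
# host's own PTR name.
reverse_zone() {
    addr=$1
    octets=$(( $2 / 8 ))
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    zone=""
    while [ "$octets" -gt 0 ]; do
        zone="$1.$zone"
        shift
        octets=$(( octets - 1 ))
    done
    printf '%sin-addr.arpa\n' "$zone"
}

# resolv_points_at_dc RESOLV_CONF DC_IP -> succeeds if the first nameserver is
# the DC.  A DC must resolve its own AD zone; the NXDOMAIN answers above came
# from a resolv.conf that NetworkManager had pointed elsewhere.
resolv_points_at_dc() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# srv_names REALM -> the SRV records clients use to locate a DC and a KDC.
srv_names() {
    printf '%s\n' "_ldap._tcp.$1" "_kerberos._udp.$1" \
        "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.dc._msdcs.$1"
}

# query TYPE NAME -> ask the DC itself (server given as last argument to host),
# so a wrong /etc/resolv.conf cannot hide whether the DC answers.
query() {
    if host -t "$1" "$2." "$DC_IP" > /dev/null 2>&1; then
        echo "ok   $1 $2"
    else
        echo "FAIL $1 $2"
        rc=1
    fi
}

check_dc() {
    rc=0
    if resolv_points_at_dc /etc/resolv.conf "$DC_IP"; then
        echo "ok   /etc/resolv.conf -> $DC_IP"
    else
        echo "FAIL /etc/resolv.conf does not list $DC_IP first; kinit will not find the KDC"
        rc=1
    fi
    for name in $(srv_names "$REALM"); do query SRV "$name"; done
    query A "$DC_HOST.$REALM"
    query PTR "$(reverse_zone "$DC_IP" 32)"   # zonecreate makes the zone, not this record
    if kinit administrator && klist > /dev/null; then
        echo "ok   kinit administrator@$REALM"
        kdestroy
    else
        echo "FAIL kinit administrator"
        rc=1
    fi
    return $rc
}

case ${1:-} in
    run) check_dc ;;
esac
```

Save it as dc-check.sh and run `sh dc-check.sh run` as root on the DC after provisioning. If the resolv.conf check fails, fix it where NetworkManager reads its settings rather than in /etc/resolv.conf itself: `nmcli connection modify ens3 ipv4.dns 192.168.1.10 ipv4.dns-search teo-en-ming.corp` followed by `nmcli connection up ens3` (DNS1= and DOMAIN= in ifcfg-ens3 are the equivalent). If the PTR check fails, the record for a /24 is added with `samba-tool dns add 192.168.1.10 1.168.192.in-addr.arpa 10 PTR dc1.teo-en-ming.corp -U administrator`.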

TROUBLESHOOTING: DISABLE SELINUX ON CENTOS 8.1
==============================================

$ sestatus

Output:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

# nano /etc/sysconfig/selinux

Change from SELINUX=enforcing to SELINUX=disabled

# reboot

$ sestatus

SELinux status:                 disabled

After disabling SELINUX, now we can start Samba AD DC successfully.

# systemctl status samba-ad-dc

Output:

● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-15 08:50:22 +08; 1min 0s ago
  Process: 1084 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=0/SUCCESS)
 Main PID: 1131 (samba)
    Tasks: 44 (limit: 23972)
   Memory: 261.8M
   CGroup: /system.slice/samba-ad-dc.service
           ├─1131 /usr/local/samba/sbin/samba -D
           ├─1375 /usr/local/samba/sbin/samba -D
           ├─1376 /usr/local/samba/sbin/samba -D
           ├─1377 /usr/local/samba/sbin/samba -D
           ├─1379 /usr/local/samba/sbin/samba -D
           ├─1380 /usr/local/samba/sbin/samba -D
           ├─1387 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1389 /usr/local/samba/sbin/samba -D
           ├─1391 /usr/local/samba/sbin/samba -D
           ├─1392 /usr/local/samba/sbin/samba -D
           ├─1393 /usr/local/samba/sbin/samba -D
           ├─1396 /usr/local/samba/sbin/samba -D
           ├─1398 /usr/local/samba/sbin/samba -D
           ├─1399 /usr/local/samba/sbin/samba -D
           ├─1403 /usr/local/samba/sbin/samba -D
           ├─1404 /usr/local/samba/sbin/samba -D
           ├─1407 /usr/local/samba/sbin/samba -D
           ├─1408 /usr/local/samba/sbin/samba -D
           ├─1409 /usr/local/samba/sbin/samba -D
           ├─1411 /usr/local/samba/sbin/samba -D
           ├─1412 /usr/local/samba/sbin/samba -D
           ├─1413 /usr/local/samba/sbin/samba -D
           ├─1415 /usr/local/samba/sbin/samba -D
           ├─1416 /usr/local/samba/sbin/samba -D
           ├─1418 /usr/local/samba/sbin/samba -D
           ├─1419 /usr/local/samba/sbin/samba -D
           ├─1420 /usr/local/samba/sbin/samba -D
           ├─1422 /usr/local/samba/sbin/samba -D
           ├─1423 /usr/local/samba/sbin/samba -D
           ├─1424 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─1426 /usr/local/samba/sbin/samba -D
           ├─1427 /usr/local/samba/sbin/samba -D
           ├─1429 /usr/local/samba/sbin/samba -D
           ├─1464 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1465 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1469 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1490 /usr/local/samba/sbin/samba -D
           ├─1492 /usr/local/samba/sbin/samba -D
           ├─1493 /usr/local/samba/sbin/samba -D
           ├─1495 /usr/local/samba/sbin/samba -D
           ├─1496 /usr/local/samba/sbin/samba -D
           ├─1498 /usr/local/samba/sbin/samba -D
           ├─1499 /usr/local/samba/sbin/samba -D
           └─1501 /usr/local/samba/sbin/samba -D

Feb 15 08:50:25 dc1 samba[1131]: [2020/02/15 08:50:25.778777,  0] ../../source4/smbd/process_prefork.c:512(prefork_child_pipe_handler)
Feb 15 08:50:25 dc1 samba[1131]:   prefork_child_pipe_handler: Parent 1131, Child 1406 exited with status 0
Feb 15 08:50:27 dc1 smbd[1387]: [2020/02/15 08:50:27.634592,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
Feb 15 08:50:27 dc1 smbd[1387]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Feb 15 08:50:27 dc1 winbindd[1424]: [2020/02/15 08:50:27.761081,  0] ../../source3/winbindd/winbindd_cache.c:3166(initialize_winbindd_cache)
Feb 15 08:50:27 dc1 winbindd[1424]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Feb 15 08:50:27 dc1 winbindd[1424]: [2020/02/15 08:50:27.770049,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
Feb 15 08:50:27 dc1 winbindd[1424]:   daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
Feb 15 08:50:27 dc1 samba[1426]: [2020/02/15 08:50:27.870385,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:50:27 dc1 samba[1426]:   /usr/local/samba/sbin/samba_dnsupdate: WARNING: no network interfaces found
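
Setting SELINUX=disabled does make the unit start, but it removes a whole protection layer from the domain controller to cure what is a labelling problem: make install created the binaries under /usr/local/samba, the files inherited the usr_t type of that directory, and systemd (init_t) is not allowed to execute usr_t files, which surfaces as status=203/EXEC. The script below is an added example, not from the Samba wiki or from this manual: it extracts the denied file type from audit AVC lines (the sample line is constructed in the format ausearch prints, not captured from the author's VM), and relabels the Samba bin and sbin directories as bin_t so the service starts with SELinux still enforcing. It assumes the CentOS 8 targeted policy, the /usr/local/samba prefix used above, and that semanage (policycoreutils-python-utils) and ausearch (audit) are installed.

```shell
#!/bin/sh
# Keep SELinux enforcing on the DC: relabel the Samba binaries instead of
# setting SELINUX=disabled.  Added example, not from the Samba wiki or the
# manual.  Assumes CentOS 8 targeted policy and the /usr/local/samba prefix
# used above; semanage is in policycoreutils-python-utils, ausearch in audit.
SAMBA_PREFIX=${SAMBA_PREFIX:-/usr/local/samba}

# Constructed sample of the denial behind systemd's status=203/EXEC, in the
# format ausearch prints (not a line captured from the author's VM): systemd
# (init_t) may not execute a file labelled usr_t, the type that files created
# by 'make install' under /usr/local/samba inherit from their directory.
SAMPLE_AVC='type=AVC msg=audit(1581719998.101:327): avc:  denied  { execute } for  pid=6967 comm="(samba)" name="samba" dev="vda1" ino=1053321 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0'

# exec_denial_type AVC_LINE -> the SELinux type of the file that init_t was
# denied 'execute' on; prints nothing for any other denial.
exec_denial_type() {
    printf '%s\n' "$1" \
        | grep 'denied  *{[^}]*execute[^}]*}' \
        | grep 'scontext=[^ ]*:init_t:' \
        | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# recent_exec_denials -> distinct such types since boot (run as root).
# On the DC described above this should print usr_t.
recent_exec_denials() {
    ausearch -m AVC -ts boot 2>/dev/null | while IFS= read -r line; do
        exec_denial_type "$line"
    done | sort -u
}

# relabel_plan DEFAULT_TYPE PREFIX -> commands giving PREFIX/sbin and
# PREFIX/bin the bin_t label.  DEFAULT_TYPE is what the policy would assign
# to the path (from matchpathcon); a local file-context rule is only needed
# when that is not already bin_t.  restorecon then fixes the installed files.
relabel_plan() {
    if [ "$1" != bin_t ]; then
        printf '%s\n' "semanage fcontext -a -t bin_t '$2/sbin(/.*)?'" \
                      "semanage fcontext -a -t bin_t '$2/bin(/.*)?'"
    fi
    printf '%s\n' "restorecon -Rv $2/sbin $2/bin"
}

# relabel_samba_prefix -> print the plan, or run it when APPLY=1 is set.
relabel_samba_prefix() {
    dflt=$(matchpathcon -n "$SAMBA_PREFIX/sbin/samba" 2>/dev/null | awk -F: '{print $3}')
    relabel_plan "$dflt" "$SAMBA_PREFIX" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd"          # commands come from relabel_plan above, not from input
        else
            printf '%s\n' "$cmd"
        fi
    done
}

case ${1:-} in
    diagnose) recent_exec_denials ;;
    fix)      relabel_samba_prefix
              if [ "${APPLY:-0}" = 1 ]; then systemctl restart samba-ad-dc; fi ;;
esac
```

Run `sh selinux-samba.sh diagnose` as root with SELinux still enforcing to confirm the denial is really an execute denial on usr_t, then `sh selinux-samba.sh fix` to review the commands and `APPLY=1 sh selinux-samba.sh fix` to run them and restart the unit. With the binaries labelled bin_t, systemd launches samba in the unconfined_service_t domain that the targeted policy uses for daemons it has no module for, so the rest of the system keeps its confinement; leave SELINUX=enforcing in /etc/sysconfig/selinux.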

We need to stop dnsmasq so that Samba's internal DNS server can bind to port 53. Note that killall only lasts until the next reboot; if dnsmasq is started by a systemd unit (or by libvirt), disable that unit so the port stays free for Samba.

# killall dnsmasq

# systemctl restart samba-ad-dc

# systemctl status samba-ad-dc

● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-15 08:53:28 +08; 21s ago
  Process: 2512 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=0/SUCCESS)
 Main PID: 2514 (samba)
    Tasks: 58 (limit: 23972)
   Memory: 215.6M
   CGroup: /system.slice/samba-ad-dc.service
           ├─2514 /usr/local/samba/sbin/samba -D
           ├─2516 /usr/local/samba/sbin/samba -D
           ├─2517 /usr/local/samba/sbin/samba -D
           ├─2518 /usr/local/samba/sbin/samba -D
           ├─2519 /usr/local/samba/sbin/samba -D
           ├─2520 /usr/local/samba/sbin/samba -D
           ├─2521 /usr/local/samba/sbin/samba -D
           ├─2522 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2523 /usr/local/samba/sbin/samba -D
           ├─2524 /usr/local/samba/sbin/samba -D
           ├─2525 /usr/local/samba/sbin/samba -D
           ├─2526 /usr/local/samba/sbin/samba -D
           ├─2527 /usr/local/samba/sbin/samba -D
           ├─2528 /usr/local/samba/sbin/samba -D
           ├─2529 /usr/local/samba/sbin/samba -D
           ├─2530 /usr/local/samba/sbin/samba -D
           ├─2531 /usr/local/samba/sbin/samba -D
           ├─2532 /usr/local/samba/sbin/samba -D
           ├─2533 /usr/local/samba/sbin/samba -D
           ├─2534 /usr/local/samba/sbin/samba -D
           ├─2535 /usr/local/samba/sbin/samba -D
           ├─2536 /usr/local/samba/sbin/samba -D
           ├─2537 /usr/local/samba/sbin/samba -D
           ├─2538 /usr/local/samba/sbin/samba -D
           ├─2539 /usr/local/samba/sbin/samba -D
           ├─2540 /usr/local/samba/sbin/samba -D
           ├─2541 /usr/local/samba/sbin/samba -D
           ├─2542 /usr/local/samba/sbin/samba -D
           ├─2543 /usr/local/samba/sbin/samba -D
           ├─2544 /usr/local/samba/sbin/samba -D
           ├─2545 /usr/local/samba/sbin/samba -D
           ├─2546 /usr/local/samba/sbin/samba -D
           ├─2547 /usr/local/samba/sbin/samba -D
           ├─2548 /usr/local/samba/sbin/samba -D
           ├─2549 /usr/local/samba/sbin/samba -D
           ├─2550 /usr/local/samba/sbin/samba -D
           ├─2551 /usr/local/samba/sbin/samba -D
           ├─2552 /usr/local/samba/sbin/samba -D
           ├─2553 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─2554 /usr/local/samba/sbin/samba -D
           ├─2555 /usr/local/samba/sbin/samba -D
           ├─2556 /usr/local/samba/sbin/samba -D
           ├─2557 /usr/local/samba/sbin/samba -D
           ├─2558 /usr/local/samba/sbin/samba -D
           ├─2559 /usr/local/samba/sbin/samba -D
           ├─2560 /usr/local/samba/sbin/samba -D
           ├─2562 /usr/local/samba/sbin/samba -D
           ├─2569 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2570 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2571 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2572 /usr/local/samba/sbin/samba -D
           ├─2573 /usr/local/samba/sbin/samba -D
           ├─2574 /usr/local/samba/sbin/samba -D
           ├─2575 /usr/local/samba/sbin/samba -D
           ├─2576 /usr/local/samba/sbin/samba -D
           ├─2577 /usr/local/samba/sbin/samba -D
           ├─2578 /usr/local/samba/sbin/samba -D
           └─2579 /usr/local/samba/sbin/samba -D

Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742774,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]:   /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742787,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]:   /usr/local/samba/sbin/samba_dnsupdate:     raise e
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742800,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]:   /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.742813,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Feb 15 08:53:38 dc1 samba[2556]:   /usr/local/samba/sbin/samba_dnsupdate:     0, server, zone, name, add_rec_buf, None)
Feb 15 08:53:38 dc1 samba[2556]: [2020/02/15 08:53:38.767521,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Feb 15 08:53:38 dc1 samba[2556]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 39


Testing your Samba AD DC
========================

# killall dnsmasq

# systemctl restart samba-ad-dc

Verifying the File Server
=========================

$ smbclient -L localhost -U%

Output:


	Sharename       Type      Comment
	---------       ----      -------
	sysvol          Disk      
	netlogon        Disk      
	IPC$            IPC       IPC Service (Samba 4.11.6)
SMB1 disabled -- no workgroup available

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'

Output:

Enter TEO-EN-MING\Administrator's password: 
  .                                   D        0  Fri Feb 14 22:56:17 2020
  ..                                  D        0  Fri Feb 14 22:56:24 2020

		17811456 blocks of size 1024. 12018876 blocks available

Verifying DNS (Failed again)
============================

$ host -t SRV _ldap._tcp.teo-en-ming.corp.

Output:

Host _ldap._tcp.teo-en-ming.corp. not found: 3(NXDOMAIN)

Unable to find the above DNS record because NetworkManager is always overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.

# systemctl stop samba-ad-dc

TROUBLESHOOTING AGAIN
=====================

Re-provisioning the Samba AD DC, using the Samba internal DNS backend again. Note that provisioning on top of an existing installation does not clean up the previous one; the Samba wiki's advice is to remove the existing smb.conf and all Samba *.tdb and *.ldb database files first (smbd -b lists the directories that hold them).

# samba-tool domain provision --use-rfc2307 --interactive

Output:

Realm [TEO-EN-MING.CORP]:  
Domain [TEO-EN-MING]:  
Server Role (dc, member, standalone) [dc]:  
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:  
Administrator password: 
Retype password: 
INFO 2020-02-15 09:01:10,638 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 09:01:10,638 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 09:01:10,638 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 09:01:10,639 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 09:01:11,057 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 09:01:11,436 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 09:01:11,620 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 09:01:12,200 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 09:01:12,667 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 09:01:12,817 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 09:01:12,820 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 09:01:12,893 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2020-02-15 09:01:13,093 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:01:13,201 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 09:01:13,342 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 09:01:16,649 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 09:01:16,794 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 09:01:19,013 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 09:01:19,053 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 09:01:19,056 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 09:01:19,057 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 09:01:19,060 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 09:01:19,061 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 09:01:19,199 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 09:01:19,261 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 09:01:19,564 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=MSMQ-Sign-Certificates-Mig,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=lostAndFound-Display,CN=411,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=5e1574f6-55df-493e-a671-aaeffca6a100,CN=Operations,CN=DomainUpdates,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:01:21,879 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 09:01:22,122 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:01:22,144 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 09:01:22,393 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record DC=gc,DC=_msdcs.teo-en-ming.corp,CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:01:23,163 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 09:01:23,213 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 09:01:24,265 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 09:01:24,265 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 09:01:24,581 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 09:01:24,772 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 09:01:24,772 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role:           active directory domain controller
INFO 2020-02-15 09:01:24,772 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname:              dc1
INFO 2020-02-15 09:01:24,773 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain:        TEO-EN-MING
INFO 2020-02-15 09:01:24,773 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain:            teo-en-ming.corp
INFO 2020-02-15 09:01:24,773 pid:2672 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID:            S-1-5-21-3427788993-2190856266-1509719656

# systemctl start samba-ad-dc

Verifying DNS (Failed again)
============================

$ host -t SRV _ldap._tcp.teo-en-ming.corp.

Output:

Host _ldap._tcp.teo-en-ming.corp. not found: 3(NXDOMAIN)

Unable to find the above DNS record because NetworkManager is always overwriting /etc/resolv.conf.
As a result, I am always looking up the WRONG DNS server.

Installing BIND DNS Server and Using it as the DNS Backend for Samba
====================================================================

# yum install bind

# systemctl stop samba-ad-dc

We are going to use BIND9 as the Samba DNS backend this time.
I changed my mind. I decided not to use Samba's Internal DNS backend.

# samba-tool domain provision --use-rfc2307 --interactive

Output:

Realm [TEO-EN-MING.CORP]:  
Domain [TEO-EN-MING]:  
Server Role (dc, member, standalone) [dc]:  
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  BIND9_DLZ
Administrator password: 
Retype password: 
INFO 2020-02-15 09:13:53,976 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 09:13:53,976 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 09:13:53,976 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 09:13:53,977 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 09:13:54,381 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 09:13:54,704 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 09:13:54,888 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 09:13:55,478 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 09:13:55,819 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 09:13:55,886 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 09:13:55,888 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 09:13:55,945 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2020-02-15 09:13:56,187 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:13:56,362 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 09:13:56,518 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 09:13:59,846 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 09:13:59,991 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 09:14:02,238 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 09:14:02,279 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 09:14:02,280 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 09:14:02,282 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 09:14:02,283 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 09:14:02,284 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 09:14:02,425 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 09:14:02,489 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 09:14:02,777 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=MS-TS-Property02,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=localPolicy-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=PolicyType,CN=WMIPolicy,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:14:05,299 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 09:14:05,558 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:14:05,587 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 09:14:05,778 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.DomainDnsZones,DC=teo-en-ming.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:14:07,207 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1272: See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2020-02-15 09:14:07,207 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1274: and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2020-02-15 09:14:07,333 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 09:14:07,383 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 09:14:08,576 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 09:14:08,576 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 09:14:09,009 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 09:14:09,200 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role:           active directory domain controller
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname:              dc1
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain:        TEO-EN-MING
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain:            teo-en-ming.corp
INFO 2020-02-15 09:14:09,201 pid:3479 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID:            S-1-5-21-3153339276-3256266220-4030185391

# nano /etc/named.conf

Append the following line:

include "/usr/local/samba/bind-dns/named.conf";

# named -v

Output:

BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el8 (Extended Support Version) <id:7107deb>

# nano /usr/local/samba/bind-dns/named.conf

Contents of file:

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/bind-dns/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
     database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";

    # For BIND 9.12.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so";
};

Setting up BIND9 options and keytab for Kerberos
================================================

# nano /etc/named.conf

Add the following to the options {} section of your main BIND named.conf file. For example:

options {
     [...]
     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
     minimal-responses yes;
};

Verify that your /etc/krb5.conf Kerberos client configuration file is readable by your BIND user. For example:

# ls -l /etc/krb5.conf

Output:

-rw-r--r--. 1 root root 97 Feb 15 00:49 /etc/krb5.conf

# chown root:named /etc/krb5.conf

Verify that the nsupdate utility exists on your domain controller (DC):

# which nsupdate

/usr/bin/nsupdate
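A pre-flight check script for the BIND9_DLZ setup above, written here as an added example (it is not from the original post or from the Samba project). It bundles the checks this manual performs by hand: that /etc/resolv.conf lists the DC itself (192.168.1.10) first, since a resolv.conf rewritten by NetworkManager is what produced the NXDOMAIN answers above; that the _ldap._tcp SRV record resolves; that the named user can read dns.keytab and /etc/krb5.conf; and that /etc/named.conf includes Samba's generated DLZ file. The dns.keytab mode of 640 root:named is an assumption taken from the Samba wiki rather than from this page.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a Samba AD DC that uses the BIND9_DLZ back end.
# Added example, not code from the original post or from Samba. Paths
# follow this manual (/usr/local/samba prefix, /etc/named.conf); the DC
# address 192.168.1.10, the realm teo-en-ming.corp and the BIND user
# "named" are taken from the output shown above. Each check takes the
# file or value it inspects as an argument so it can be run on fixtures.
set -u

SAMBA_PRIVATE=/usr/local/samba/private
DC_IP=192.168.1.10
REALM=teo-en-ming.corp

# The first nameserver in resolv.conf must be the DC itself. When
# NetworkManager rewrites the file to point at an outside resolver, the
# SRV queries never reach the AD DNS zone and come back NXDOMAIN, which is
# exactly the failure recorded earlier in this manual.
check_resolv_conf() {
    resolv="$1" dc_ip="$2"
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv")
    [ "$first" = "$dc_ip" ]
}

# Reads host(1) output on stdin and succeeds only if at least one SRV
# answer is present ("... has SRV record 0 100 389 dc1...."); the
# "not found: 3(NXDOMAIN)" shape fails.
srv_records_present() {
    grep -q 'has SRV record'
}

# The file must exist and be readable, carry the expected group, and have
# the expected mode. dns.keytab holds the GSS-TSIG update key used by
# BIND, so it should not be world-readable (640 root:named is assumed
# here, following the Samba wiki; this page itself only chowns krb5.conf).
check_file_perms() {
    path="$1" group="$2" want_mode="$3"
    [ -r "$path" ] || return 1
    [ "$(stat -c '%G' "$path")" = "$group" ] || return 1
    [ "$(stat -c '%a' "$path")" = "$want_mode" ]
}

# /etc/named.conf must include the DLZ configuration Samba generated,
# otherwise named serves none of the AD zones.
named_conf_includes_dlz() {
    grep -Eq '^[[:space:]]*include[[:space:]]+"[^"]*/bind-dns/named\.conf"' "$1"
}

# Run all checks against the live system; returns non-zero if any failed.
run_all() {
    rc=0
    if check_resolv_conf /etc/resolv.conf "$DC_IP"; then
        echo "ok   /etc/resolv.conf lists $DC_IP first"
    else
        echo "FAIL /etc/resolv.conf does not list $DC_IP first"; rc=1
    fi
    if host -t SRV "_ldap._tcp.$REALM." 2>&1 | srv_records_present; then
        echo "ok   _ldap._tcp.$REALM SRV record resolves"
    else
        echo "FAIL _ldap._tcp.$REALM SRV record not found"; rc=1
    fi
    if check_file_perms "$SAMBA_PRIVATE/dns.keytab" named 640; then
        echo "ok   dns.keytab is group named, mode 640"
    else
        echo "FAIL dns.keytab must be group named and mode 640"; rc=1
    fi
    if check_file_perms /etc/krb5.conf named 644; then
        echo "ok   /etc/krb5.conf is group named, mode 644"
    else
        echo "FAIL /etc/krb5.conf is not group named, mode 644"; rc=1
    fi
    if named_conf_includes_dlz /etc/named.conf; then
        echo "ok   /etc/named.conf includes the Samba DLZ configuration"
    else
        echo "FAIL /etc/named.conf lacks the Samba bind-dns include"; rc=1
    fi
    if command -v nsupdate >/dev/null 2>&1; then
        echo "ok   nsupdate found at $(command -v nsupdate)"
    else
        echo "FAIL nsupdate not installed"; rc=1
    fi
    return "$rc"
}

# Only touch the live system when explicitly asked: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    run_all
fi
```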

Starting the BIND DNS Service
=============================

# named-checkconf

# systemctl enable named.service

# systemctl start named.service

# systemctl status named.service

Output:

● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-02-15 09:28:54 +08; 26s ago
  Process: 3670 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 3667 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disab>
 Main PID: 3673 (named)
    Tasks: 4 (limit: 23972)
   Memory: 73.1M
   CGroup: /system.slice/named.service
           └─3673 /usr/sbin/named -u named -c /etc/named.conf

Feb 15 09:28:54 dc1 named[3673]: zone 0.in-addr.arpa/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone localhost/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone localhost.localdomain/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Feb 15 09:28:54 dc1 named[3673]: all zones loaded
Feb 15 09:28:54 dc1 named[3673]: running
Feb 15 09:28:54 dc1 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Feb 15 09:29:04 dc1 named[3673]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
Feb 15 09:29:04 dc1 named[3673]: resolver priming query complete

I still cannot find the mandatory DNS records. Re-provisioning Samba AD DC again.

# cd /usr/local/samba/etc

# mv smb.conf smb.conf.bak

# samba-tool domain provision --use-rfc2307 --interactive

Realm [TEO-EN-MING.CORP]:  
Domain [TEO-EN-MING]:  
Server Role (dc, member, standalone) [dc]:  
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  BIND9_DLZ
Administrator password: 
Retype password: 
INFO 2020-02-15 09:34:24,411 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 09:34:24,411 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 09:34:24,411 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 09:34:24,412 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 09:34:24,817 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 09:34:25,101 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 09:34:25,269 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 09:34:25,783 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 09:34:26,233 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 09:34:26,316 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 09:34:26,317 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 09:34:26,367 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2020-02-15 09:34:26,551 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:34:26,684 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 09:34:26,791 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 09:34:30,087 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 09:34:30,230 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 09:34:32,425 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 09:34:32,465 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 09:34:32,467 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 09:34:32,467 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 09:34:32,469 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 09:34:32,470 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 09:34:32,608 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 09:34:32,667 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 09:34:32,967 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=userPKCS12,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=pKICertificateTemplate-Display,CN=406,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=4dfbb973-8a62-4310-a90c-776e00f83222,CN=Operations,CN=DomainUpdates,CN=System,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:34:35,720 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 09:34:35,963 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 09:34:35,982 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 09:34:36,248 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 09:34:37,633 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1272: See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2020-02-15 09:34:37,633 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1274: and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2020-02-15 09:34:37,763 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 09:34:37,804 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 09:34:38,781 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 09:34:38,781 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 09:34:39,223 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 09:34:39,438 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role:           active directory domain controller
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname:              dc1
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain:        TEO-EN-MING
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain:            teo-en-ming.corp
INFO 2020-02-15 09:34:39,439 pid:3873 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID:            S-1-5-21-2121330042-1058780221-1881093528

# cat /usr/local/samba/etc/smb.conf

# Global parameters
[global]
	netbios name = DC1
	realm = TEO-EN-MING.CORP
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = TEO-EN-MING
	idmap_ldb:use rfc2307 = yes

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/teo-en-ming.corp/scripts
	read only = No


# systemctl start samba-ad-dc

TROUBLESHOOTING SAMBA INSTALLATION BY RE-COMPILING SAMBA FROM SOURCE AGAIN
==========================================================================

I was afraid that SELinux might affect the previous build of Samba from source.

# cd /root

# rm -rf samba-4.11.6

# systemctl stop samba-ad-dc

# cd /usr/local

# rm -rf samba/

# cd /root

# tar xfvz samba-4.11.6.tar.gz

# cd samba-4.11.6/

# ./configure

# make -j 4

Output:

Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'build' finished successfully (9m21.630s)

# make install

Output:

Waf: Leaving directory `/root/samba-4.11.6/bin/default'
'install' finished successfully (2m47.846s)

Provisioning Samba AD DC from scratch after rebuilding Samba from source.

# samba-tool domain provision --use-rfc2307 --interactive

Realm [TEO-EN-MING.CORP]:  
Domain [TEO-EN-MING]:  
Server Role (dc, member, standalone) [dc]:  
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  BIND9_DLZ
Administrator password: 
Retype password: 
INFO 2020-02-15 10:00:20,082 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
WARNING 2020-02-15 10:00:20,083 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2134: More than one IPv4 address found. Using 192.168.1.10
INFO 2020-02-15 10:00:20,083 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2020-02-15 10:00:20,083 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: More than one IPv6 address found. Using 2401:7400:c802:de67::14c2
INFO 2020-02-15 10:00:20,505 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2020-02-15 10:00:20,871 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2020-02-15 10:00:21,131 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2020-02-15 10:00:22,314 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2020-02-15 10:00:22,838 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2020-02-15 10:00:23,230 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2020-02-15 10:00:23,322 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2020-02-15 10:00:23,324 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2020-02-15 10:00:23,398 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2020-02-15 10:00:23,573 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=teo-en-ming,DC=corp
INFO 2020-02-15 10:00:23,653 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2020-02-15 10:00:23,749 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2020-02-15 10:00:27,115 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2020-02-15 10:00:27,261 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2020-02-15 10:00:29,491 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2020-02-15 10:00:29,531 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2020-02-15 10:00:29,532 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2020-02-15 10:00:29,533 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2020-02-15 10:00:29,534 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2020-02-15 10:00:29,535 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2020-02-15 10:00:29,674 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2020-02-15 10:00:29,735 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
INFO 2020-02-15 10:00:30,058 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1609: Setting up self join
Repacking database from v1 to v2 format (first record CN=rpc-Ns-Bindings,CN=Schema,CN=Configuration,DC=teo-en-ming,DC=corp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=nTFRSSubscriber-Display,CN=40C,CN=DisplaySpecifiers,CN=Configuration,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record CN=Incoming Forest Trust Builders,CN=Builtin,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 10:00:33,052 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1138: Adding DNS accounts
INFO 2020-02-15 10:00:33,285 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1172: Creating CN=MicrosoftDNS,CN=System,DC=teo-en-ming,DC=corp
INFO 2020-02-15 10:00:33,305 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1185: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2020-02-15 10:00:33,511 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1190: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=@,DC=teo-en-ming.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=teo-en-ming,DC=corp)
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.teo-en-ming.corp,CN=MicrosoftDNS,DC=ForestDnsZones,DC=teo-en-ming,DC=corp)
INFO 2020-02-15 10:00:34,921 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1272: See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
INFO 2020-02-15 10:00:34,921 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1274: and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
INFO 2020-02-15 10:00:35,045 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2032: Setting up sam.ldb rootDSE marking as synchronized
INFO 2020-02-15 10:00:35,095 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Fixing provision GUIDs
INFO 2020-02-15 10:00:36,238 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2020-02-15 10:00:36,238 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2020-02-15 10:00:36,771 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2102: Setting up fake yp server settings
INFO 2020-02-15 10:00:37,012 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #491: Once the above files are installed, your Samba AD server will be ready to use
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Server Role:           active directory domain controller
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: Hostname:              dc1
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: NetBIOS Domain:        TEO-EN-MING
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DNS Domain:            teo-en-ming.corp
INFO 2020-02-15 10:00:37,013 pid:28453 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #499: DOMAIN SID:            S-1-5-21-4032533190-753116703-2394070240

# systemctl start samba-ad-dc

TROUBLESHOOTING THE BIND9_DLZ BACKEND
=====================================

# samba_upgradedns --dns-backend=BIND9_DLZ

Output:

Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/bind-dns/dns/TEO-EN-MING.CORP.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc1 account already exists
See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

TROUBLESHOOTING "MISSING" MANDATORY SAMBA DNS RECORDS
=====================================================

REFERENCE
=========

Finally! I found the problem and discovered the solution.

Guide: CentOS 7 NetworkManager Keeps Overwriting /etc/resolv.conf

Link: https://ma.ttias.be/centos-7-networkmanager-keeps-overwriting-etcresolv-conf/

To prevent NetworkManager from overwriting your resolv.conf changes, remove the DNS1, DNS2, … lines from /etc/sysconfig/network-scripts/ifcfg-*.

# cd /etc/sysconfig/network-scripts/

# nano ifcfg-ens3

Remove the DNS1 entry.

To make BIND listen on all interfaces
=====================================

# nano /etc/named.conf

Change the listen-on entry to the following:

listen-on port 53 { any; };

# systemctl restart named

# netstat -anp | grep -v unix | grep LISTEN

tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      28855/samba         
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      29436/named         
tcp        0      0 192.168.1.10:53         0.0.0.0:*               LISTEN      29436/named         
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      29436/named         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1090/sshd           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1087/cupsd          
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      28855/samba         
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      29436/named         
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      28847/samba         
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      28839/smbd          
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      28837/samba         
tcp        0      0 0.0.0.0:49153           0.0.0.0:*               LISTEN      28845/samba         
tcp        0      0 0.0.0.0:49154           0.0.0.0:*               LISTEN      28845/samba         
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      28847/samba         
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      28847/samba         
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      28847/samba         
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      28845/samba         
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      28839/smbd          
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      1597/systemd-resolv 
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd           
tcp6       0      0 :::464                  :::*                    LISTEN      28855/samba         
tcp6       0      0 ::1:53                  :::*                    LISTEN      29436/named         
tcp6       0      0 :::22                   :::*                    LISTEN      1090/sshd           
tcp6       0      0 ::1:631                 :::*                    LISTEN      1087/cupsd          
tcp6       0      0 :::88                   :::*                    LISTEN      28855/samba         
tcp6       0      0 ::1:953                 :::*                    LISTEN      29436/named         
tcp6       0      0 :::636                  :::*                    LISTEN      28847/samba         
tcp6       0      0 :::445                  :::*                    LISTEN      28839/smbd          
tcp6       0      0 :::49152                :::*                    LISTEN      28837/samba         
tcp6       0      0 :::49153                :::*                    LISTEN      28845/samba         
tcp6       0      0 :::49154                :::*                    LISTEN      28845/samba         
tcp6       0      0 :::3268                 :::*                    LISTEN      28847/samba         
tcp6       0      0 :::3269                 :::*                    LISTEN      28847/samba         
tcp6       0      0 :::389                  :::*                    LISTEN      28847/samba         
tcp6       0      0 :::135                  :::*                    LISTEN      28845/samba         
tcp6       0      0 :::5355                 :::*                    LISTEN      1597/systemd-resolv 
tcp6       0      0 :::139                  :::*                    LISTEN      28839/smbd          

Modify /etc/resolv.conf again. This is the crux of the problem.

# nano /etc/resolv.conf

search teo-en-ming.corp
nameserver 192.168.1.10
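The resolver fix above, as an added example (not from the original manual): a small POSIX shell script that strips the DNS1/DNS2 entries from an ifcfg file, writes a resolv.conf pointing at the DC, and checks that the DC is the first nameserver. It works on file paths passed as arguments so it can be tried on copies first; the interface name, domain and DC address in the comments are taken from this manual.

```shell
#!/bin/sh
# Added example (not part of the original manual): apply the resolver fix
# from the troubleshooting section to files passed as arguments, so it can
# be tried on copies before touching /etc. Paths and values are assumptions.
set -eu

# Remove every DNS<n>= line from an ifcfg file so NetworkManager stops
# rewriting resolv.conf with those servers. Other keys are left untouched.
strip_nm_dns_entries() {
    ifcfg="$1"
    tmp="$ifcfg.tmp"
    # grep -v exits 1 when no line is kept, which is not an error here
    grep -v '^DNS[0-9]*=' "$ifcfg" > "$tmp" || true
    mv "$tmp" "$ifcfg"
}

# Write a resolv.conf that sends lookups to the AD DC first.
write_dc_resolv_conf() {
    resolv="$1"; domain="$2"; dc_ip="$3"
    printf 'search %s\nnameserver %s\n' "$domain" "$dc_ip" > "$resolv"
}

# Return 0 when the first nameserver listed is the DC, 1 otherwise.
# A DC whose first resolver is not itself (or another DC) cannot resolve
# the _ldap/_kerberos SRV records, which is the failure the manual hit.
first_nameserver_is_dc() {
    resolv="$1"; dc_ip="$2"
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv")
    [ "$first" = "$dc_ip" ]
}

# Usage on the real files (as root), with this manual's values:
#   strip_nm_dns_entries /etc/sysconfig/network-scripts/ifcfg-ens3
#   write_dc_resolv_conf /etc/resolv.conf teo-en-ming.corp 192.168.1.10
#   first_nameserver_is_dc /etc/resolv.conf 192.168.1.10 && echo "resolver OK"
```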

Verifying DNS (Successful this time)
====================================

$ host -t SRV _ldap._tcp.teo-en-ming.corp.

Output:

_ldap._tcp.teo-en-ming.corp has SRV record 0 100 389 dc1.teo-en-ming.corp.

$ host -t SRV _kerberos._udp.teo-en-ming.corp.

Output:

_kerberos._udp.teo-en-ming.corp has SRV record 0 100 88 dc1.teo-en-ming.corp.

$ host -t A dc1.teo-en-ming.corp.

Output:

dc1.teo-en-ming.corp has address 192.168.122.1
dc1.teo-en-ming.corp has address 192.168.1.10

Verifying Kerberos (Successful this time)
=========================================

# kinit administrator

Output:

Password for administrator@TEO-EN-MING.CORP: 
Warning: Your password will expire in 41 days on Sat 28 Mar 2020 10:00:30 AM +08

# klist

Output:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEO-EN-MING.CORP

Valid starting       Expires              Service principal
02/15/2020 10:56:56  02/15/2020 20:56:56  krbtgt/TEO-EN-MING.CORP@TEO-EN-MING.CORP
	renew until 02/16/2020 10:56:53

OVERWHELMING SUCCESS!
=====================

Joining Domain from Windows 10 Pro QEMU/KVM virtual machine
===========================================================

Install Windows 10 Pro version 1909 as a QEMU/KVM virtual machine.

Ping Samba AD DC from Windows.

ping 192.168.1.10

SUCCESS!

Configure Preferred DNS Server as 192.168.1.10 for your virtual NIC.

Alternate DNS Server: 8.8.8.8 (Compulsory for internet access)

REFERENCE GUIDE
===============

Guide: DNS Administration

Link: https://wiki.samba.org/index.php/DNS_Administration

Listing zone records
====================

# samba-tool dns query 192.168.1.10 teo-en-ming.corp @ ALL -U administrator

Output:

Password for [TEO-EN-MING\administrator]:
  Name=, Records=6, Children=0
    SOA: serial=241, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.teo-en-ming.corp., email=hostmaster.teo-en-ming.corp. (flags=600000f0, serial=241, ttl=3600)
    NS: dc1.teo-en-ming.corp. (flags=600000f0, serial=1, ttl=900)
    A: 192.168.1.10 (flags=600000f0, serial=1, ttl=900)
    AAAA: 2401:7400:c802:de67:0000:0000:0000:14c2 (flags=600000f0, serial=1, ttl=900)
    A: 192.168.122.1 (flags=600000f0, serial=26, ttl=900)
    AAAA: 2401:7400:c802:de67:0d19:690d:f659:ad40 (flags=600000f0, serial=27, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=dc1, Records=4, Children=0
    A: 192.168.1.10 (flags=f0, serial=1, ttl=900)
    AAAA: 2401:7400:c802:de67:0000:0000:0000:14c2 (flags=f0, serial=1, ttl=900)
    A: 192.168.122.1 (flags=f0, serial=24, ttl=900)
    AAAA: 2401:7400:c802:de67:0d19:690d:f659:ad40 (flags=f0, serial=25, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2

Disable IPv6 on Windows 10 Pro QEMU/KVM virtual machine.

Deleting Unnecessary DNS Records (OPTIONAL TASK)
================================================

# samba-tool dns delete 192.168.1.10 teo-en-ming.corp teo-en-ming.corp A 192.168.122.1 -U administrator

# samba-tool dns delete 192.168.1.10 teo-en-ming.corp teo-en-ming.corp AAAA 2401:7400:c802:de67:0000:0000:0000:14c2 -U administrator

# samba-tool dns delete 192.168.1.10 teo-en-ming.corp teo-en-ming.corp AAAA 2401:7400:c802:de67:0d19:690d:f659:ad40 -U administrator

# samba-tool dns delete 192.168.1.10 teo-en-ming.corp dc1 A 192.168.122.1 -U administrator

# samba-tool dns delete 192.168.1.10 teo-en-ming.corp dc1 AAAA 2401:7400:c802:de67:0000:0000:0000:14c2 -U administrator

# samba-tool dns delete 192.168.1.10 teo-en-ming.corp dc1 AAAA 2401:7400:c802:de67:0d19:690d:f659:ad40 -U administrator

Disabling the Firewall on CentOS 8.1
====================================

# systemctl stop firewalld

# systemctl disable firewalld
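As an added alternative to stopping firewalld (example code, not from the original manual): keep the firewall running and open only the ports the AD DC listens on. The port list comes from the netstat listing above plus the Samba AD DC UDP ports and dynamic RPC range that a TCP-only listing does not show; the firewalld zone name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original manual: instead of stopping
# firewalld, open only the ports the AD DC actually uses. The list is the
# TCP ports from the netstat output above plus the UDP ports (53, 88, 137,
# 138, 389, 464) and the dynamic RPC range 49152-65535/tcp that Samba's
# AD DC documentation lists. The zone name is an assumption.
set -eu

ZONE="${ZONE:-public}"

# Print one "port/proto" per line for every service the DC exposes.
ad_dc_ports() {
    cat <<'EOF'
53/tcp
53/udp
88/tcp
88/udp
135/tcp
137/udp
138/udp
139/tcp
389/tcp
389/udp
445/tcp
464/tcp
464/udp
636/tcp
3268/tcp
3269/tcp
49152-65535/tcp
EOF
}

# Emit the firewall-cmd invocations without running them, so the rule set
# can be reviewed (or compared with the running zone) before it is applied.
firewalld_rules() {
    ad_dc_ports | while read -r p; do
        printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$ZONE" "$p"
    done
    printf 'firewall-cmd --reload\n'
}

# Apply the rules only where firewall-cmd exists (i.e. on the DC itself).
apply_firewalld_rules() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    firewalld_rules | sh -e
}
```

Management ports such as 22/tcp for SSH are deliberately not in the list; add them according to the host's own policy.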

Join Domain from Windows 10 Pro QEMU/KVM Virtual Machine
========================================================

Domain: teo-en-ming.corp

Welcome to the teo-en-ming.corp domain.

Download and install Microsoft Remote Server Administration Tools (RSAT) for Windows 10.

Restart Windows 10 Pro QEMU/KVM virtual machine.

Log in as the domain administrator.

User: TEO-EN-MING\administrator

Password: Unknown

Open Active Directory Users and Computers.

Final Success!
==============

AUTHOR: MR. TURRITOPSIS DOHRNII TEO EN MING, SINGAPORE

-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************



Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):


[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----