Samba 3 to 4 migration: a nightmare with DNS

flipflip
Messages: 56
Registration: May 31, 2022 - 09:05

April 22, 2024 - 5:05 PM

Hello everyone,

I am struggling with my migration tests of my Samba 3 domain controller in NT4 mode to Samba 4.19. I own a domain name that I use for my website and emails; it is currently managed by OVH, and I have no intention of regaining control of it.

External domain name: masociete.fr
Local NT4 domain name: marue205
Local DNS zone: marue205

On the future AD server, the Kerberos part is configured as follows:

Code:

[libdefaults]
        default_realm = marue205.masociete.fr
        dns_lookup_kdc = true
        dns_lookup_realm = false
In the global smb.conf file that I use with the samba-tool domain classicupgrade command... I have

Code:

        netbios name = svad01
        server string = Gestionnaire de domaine
        workgroup = marue205
When I launch the migration, I use the following command:

Code:

samba-tool domain classicupgrade --dbdir=/root/backup/samba/var --realm=MARUE205.MASOCIETE.FR /root/backup/samba/etc/smb.conf
Everything is fine and I'm not getting any errors. The new smb.conf looks like this:

Code:

[global]
        netbios name = SVAD01
        realm = MARUE205.MASOCIETE.FR
        server role = active directory domain controller
        workgroup = MARUE205
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/marue205.masociete.fr/scripts
        read only = No
I'm adding the profiles share:

Code:

[profiles]
        path = /media/ds_cifs_profiles
        read only = No
        csc policy = disable
        vfs objects = acl_xattr
        force create mode = 0600
        force directory mode = 0700
        store dos attributes = yes
The folder exists on the new server as well as the user profile folder for my tests with the rights userDeTest:domain users.

I rebooted everything and launched a VM that connected without issue to the old NT4 domain controller (I stopped the smbd and nmbd processes on the old server). The session opened, but I got a notification saying it was on a temporary profile. Even with the log level set to 3, the Samba log didn't show any messages... in fact, I didn't even get any notification that a user had logged in. It's as if the VM can't find the Active Directory server, even though both are the only devices on the network.

Once the temporary Windows session was open, I tried accessing my Active Directory directly in the file explorer address bar via \\svad01, and magically, I could see all the shares. I could access the profiles share and create a directory within it. This eliminated the permissions problem.

In the Windows event console of the VM (it's Windows 7, I know it's old, but I'm migrating to Samba 4 so I can upgrade to Windows 10), I get the following message:

Code:

Windows ne peut pas trouver de copie serveur de votre profil itinérant et tente de vous ouvrir une session avec votre profil local. Les modifications apportées au profil ne seront pas copiées sur le serveur lorsque vous fermerez votre session. Ce problème peut être causé par des problèmes réseau ou des droits de sécurité insuffisants. 

 DÉTAIL - Nom de réseau introuvable.
 
 Id : 1521
 Utilisateur : MARUE205\userDeTest
 Ordinateur : pc01.marue205.masociete.fr
I integrated the DNS part by following this documentation: https://samba.tranquil.it/doc/fr/samba_ ... ebian.html

On the network side, DHCP manages the configuration, and on the test machine it looks like this:

Code:

Configuration IP de Windows

   Nom de l'hôte . . . . . . . . . . : pc01
   Suffixe DNS principal . . . . . . : marue205.masociete.fr
   Type de noeud. . . . . . . . . .  : Hybride
   Routage IP activé . . . . . . . . : Non
   Proxy WINS activé . . . . . . . . : Non
   Liste de recherche du suffixe DNS.: marue205.masociete.fr

Carte Ethernet Connexion au réseau local 4 :

   Suffixe DNS propre à la connexion. . . : marue205.masociete.fr
   Description. . . . . . . . . . . . . . : Carte Intel(R) PRO/1000 MT pour stat
ion de travail
   Adresse physique . . . . . . . . . . . : 08-00-27-8A-4A-F7
   DHCP activé. . . . . . . . . . . . . . : Oui
   Configuration automatique activée. . . : Oui
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.XXX.125(préféré)
   Masque de sous-réseau. . . . . . . . . : 255.255.255.0
   Bail obtenu. . . . . . . . . . . . . . : lundi 22 avril 2024 16:29:56
   Bail expirant. . . . . . . . . . . . . : lundi 22 avril 2024 17:29:55
   Passerelle par défaut. . . . . . . . . : 192.168.XXX.254
   Serveur DHCP . . . . . . . . . . . . . : 192.168.XXX.41
   Serveurs DNS. . .  . . . . . . . . . . : 192.168.XXX.41
                                       192.168.XXX.38
   Serveur WINS principal . . . . . . . . : 192.168.XXX.41
   NetBIOS sur Tcpip. . . . . . . . . . . : Activé

Code:

C:\Users\TEMP>ipconfig /flushdns

Configuration IP de Windows

Cache de résolution DNS vidé.

C:\Users\TEMP>ipconfig /flushdns

Configuration IP de Windows

Cache de résolution DNS vidé.

C:\Users\TEMP>ipconfig /flushdns

Configuration IP de Windows

Cache de résolution DNS vidé.

C:\Users\TEMP>ping svad01

Envoi d'une requête 'ping' sur svad01.marue205.masociete.fr [192.168.XXX.41] avec
 32 octets de données :
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64

Statistiques Ping pour 192.168.XXX.41:
    Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
    Minimum = 0ms, Maximum = 0ms, Moyenne = 0ms
I'm completely lost, and the more tests I do, the less it works :( Do you have any ideas?

Thanks in advance.
Philippe.
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

April 23, 2024 - 09:12

Hello Philippe,

* Roaming profiles are a bad idea. They should be avoided as much as possible.
* The problem isn't necessarily a DNS issue, but rather a permissions issue regarding profile sharing (Windows is very strict about this; simply being able to write access isn't enough).
* It is strongly recommended not to use the DC as a file/profile server.
* There are two DNS entries in the network adapter, while there appears to be only one AD server... DNS servers on a machine must be able to resolve exactly the same zones/records, otherwise, problems are guaranteed.

Regards,

Denis
Denis Cardon - Tranquil IT
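Denis's last point, as an added example (not code from the thread, Samba or Tranquil IT): a small Python checker that asks each DNS server the client received from DHCP for the SRV and A records a domain member needs, and reports any record on which the servers disagree. It assumes dnspython for the live queries; the 192.0.2.x addresses and demo_lookup are constructed placeholders standing in for the thread's 192.168.XXX.41 and .38.

```python
"""Check that every DNS server a client gets from DHCP answers the AD records
identically. Added example, not from the thread. Live queries use dnspython
(assumed installed); demo_lookup is constructed sample data."""
from typing import Callable, Dict, List, Tuple

REALM = "marue205.masociete.fr"              # realm used in the thread
DC_HOST = f"svad01.{REALM}"

# Records a Windows member needs to locate a DC and obtain Kerberos tickets.
REQUIRED_RECORDS: List[Tuple[str, str]] = [
    (f"_ldap._tcp.dc._msdcs.{REALM}", "SRV"),
    (f"_kerberos._tcp.{REALM}", "SRV"),
    (f"_kerberos._udp.{REALM}", "SRV"),
    (DC_HOST, "A"),
]

Lookup = Callable[[str, str, str], List[str]]  # (server, name, rtype) -> answers

def live_lookup(server: str, name: str, rtype: str) -> List[str]:
    """Query one server directly; any failure becomes a comparable string."""
    import dns.resolver                        # dnspython, not in the stdlib
    res = dns.resolver.Resolver(configure=False)
    res.nameservers, res.lifetime = [server], 3.0
    try:
        return sorted(rr.to_text() for rr in res.resolve(name, rtype))
    except Exception as exc:                   # NXDOMAIN, NoAnswer, Timeout, ...
        return [f"ERROR: {type(exc).__name__}"]

def demo_lookup(server: str, name: str, rtype: str) -> List[str]:
    """Constructed sample: the DC serves the zone, the second server does not."""
    if server == "192.0.2.41":                 # placeholder address for the DC
        port = 88 if "_kerberos" in name else 389
        return [f"0 100 {port} {DC_HOST}." if rtype == "SRV" else "192.0.2.41"]
    return ["ERROR: NXDOMAIN"]                 # placeholder non-AD DNS server

def compare_servers(servers: List[str], lookup: Lookup = live_lookup,
                    records=REQUIRED_RECORDS) -> Dict[Tuple[str, str], Dict[str, List[str]]]:
    """Return the records on which the servers disagree, with each server's answer."""
    mismatches: Dict[Tuple[str, str], Dict[str, List[str]]] = {}
    for name, rtype in records:
        answers = {srv: lookup(srv, name, rtype) for srv in servers}
        if len({tuple(a) for a in answers.values()}) > 1:
            mismatches[(name, rtype)] = answers
    return mismatches

if __name__ == "__main__":
    # Offline demo; pass lookup=live_lookup and real server addresses in practice.
    for (name, rtype), answers in compare_servers(["192.0.2.41", "192.0.2.38"], demo_lookup).items():
        print(f"{rtype} {name}")
        for srv, ans in answers.items():
            print(f"  {srv}: {', '.join(ans)}")
```

An empty result means both servers agree on every record; anything listed is a zone the second server cannot serve and a reason for a client that happens to ask it first to fail DC location.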
flipflip
Messages: 56
Registration: May 31, 2022 - 09:05

April 23, 2024 - 09:31

Hello Denis,

Thank you for your reply.
* Roaming profiles are a bad thing. They should be avoided as much as possible
I know and it's something I'll get rid of when I switch to samba 4, but for now I'm doing perimeter isolation.
* The problem isn't necessarily a DNS issue, but a problem with permissions on profile sharing (Windows is very strict about this; simply being able to write is not enough)
Using the samba-tool dns zonelist command, I obtain the following zones:

Code:

2 zone(s) found

  pszZoneName                 : marue205.masociete.fr
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.marue205.masociete.fr

  pszZoneName                 : _msdcs.marue205.masociete.fr
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.marue205.masociete.fr
So this corresponds well to the DNS configuration provided by DHCP.
* It is strongly recommended not to use the DC as a file/profile server
We're a small organization with 30 users, and since roaming profiles are going to disappear, I'm putting everything back on the same server ;)
* There are two DNS entries in the network card, but there appears to be only one AD server... DNS servers on a machine must be able to resolve exactly the same zones/records, otherwise a problem is guaranteed.
Now you've lost me :(
flipflip
Messages: 56
Registration: May 31, 2022 - 09:05

April 23, 2024 - 10:06 AM

So, a small change on the DHCP side; I've reconfigured my range:

Code:

subnet 192.168.XXX.0 netmask 255.255.255.0 {
    server-name "svad01";
    option domain-name-servers 192.168.XXX.41, 192.168.XXX.38;
    option domain-name "marue205";
    option domain-search "marue205", "marue205.masociete.fr";
    option netbios-name-servers 192.68.XXX.41;
    option netbios-dd-server 192.68.XXX.41;
    option netbios-node-type 8;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.XXX.255;
    option routers 192.168.XXX.254;
    option ntp-servers 192.168.XXX.41;
    
    ...
This gives us the following on Windows:

Code:

C:\Users\Administrateur>ipconfig /all

Configuration IP de Windows

   Nom de l'hôte . . . . . . . . . . : PCINF03VA
   Suffixe DNS principal . . . . . . : marue205.masociete.fr
   Type de noeud. . . . . . . . . .  : Hybride
   Routage IP activé . . . . . . . . : Non
   Proxy WINS activé . . . . . . . . : Non
   Liste de recherche du suffixe DNS.: marue205.masociete.fr
                                       marue205

Carte Ethernet Connexion au réseau local 4 :

   Suffixe DNS propre à la connexion. . . : marue205
   Description. . . . . . . . . . . . . . : Carte Intel(R) PRO/1000 MT pour stat
ion de travail
   Adresse physique . . . . . . . . . . . : 08-00-27-8A-4A-F7
   DHCP activé. . . . . . . . . . . . . . : Oui
   Configuration automatique activée. . . : Oui
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.XXX.125(préféré)
   Masque de sous-réseau. . . . . . . . . : 255.255.255.0
   Bail obtenu. . . . . . . . . . . . . . : mardi 23 avril 2024 09:40:04
   Bail expirant. . . . . . . . . . . . . : mardi 23 avril 2024 10:48:48
   Passerelle par défaut. . . . . . . . . : 192.168.XXX.254
   Serveur DHCP . . . . . . . . . . . . . : 192.168.XXX.41
   Serveurs DNS. . .  . . . . . . . . . . : 192.168.XXX.41
                                       192.168.XXX.38
   Serveur WINS principal . . . . . . . . : 192.68.XXX.41
   NetBIOS sur Tcpip. . . . . . . . . . . : Activé
With this configuration, there's an improvement just for the ping:

Code:

C:\Users\Administrateur>ping svad01

Envoi d'une requête 'ping' sur svad01.marue205.masociete.fr [192.168.5.41] avec
 32 octets de données :
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64

Statistiques Ping pour 192.168.5.41:
    Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
    Minimum = 0ms, Maximum = 0ms, Moyenne = 0ms

Code:

C:\Users\Administrateur>ping svad01.marue205
La requête Ping n'a pas pu trouver l'hôte svad01.marue205. Vérifiez le nom et essayez à nouveau.

Code:

C:\Users\Administrateur>ping svad01.marue205.masociete.fr

Envoi d'une requête 'ping' sur svad01.marue205.masociete.fr [192.168.XXX.41] avec
 32 octets de données :
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64
Réponse de 192.168.XXX.41 : octets=32 temps<1ms TTL=64

Statistiques Ping pour 192.168.XXX.41:
    Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
    Minimum = 0ms, Maximum = 0ms, Moyenne = 0ms
Of the 3 ping tests, only 2 passed:
- ping svad01
- ping svad01.marue205.masociete.fr

While ping svad01.marue205 does not work, which is a shame because I will inevitably have cases of machines that will try, for a totally unknown and probably absurd reason, to make this kind of request.

But where it gets really surprising is with nslookup:

Code:

C:\Users\Administrateur>nslookup svad01
Serveur :   svad01.marue205.masociete.fr
Address:  192.168.XXX.41

Nom :    svad01.marue205.masociete.fr
Address:  192.168.XXX.41


C:\Users\Administrateur>nslookup svad01.marue205
Serveur :   svad01.marue205.masociete.fr
Address:  192.168.XXX.41

Nom :    svad01.marue205.masociete.fr
Address:  192.168.XXX.41


C:\Users\Administrateur>nslookup svad01.marue205.masociete.fr
Serveur :   svad01.marue205.masociete.fr
Address:  192.168.XXX.41

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Nom :    svad01.marue205.masociete.fr
Address:  192.168.XXX.41
The last one doesn't return any results because the test platform doesn't currently have internet access, but I can see the DNS request going to the forwarder in the logs. So I don't understand why pinging svad01.marue205 fails when nslookup returns a result.