diegogslomp / samba-ad-dc

🐳 Docker image of Samba domain controller compiled from source
https://hub.docker.com/r/diegogslomp/samba-ad-dc
GNU General Public License v3.0

Question about joining domain and passing the FSMO Roles? #11

Closed killmasta93 closed 1 year ago

killmasta93 commented 1 year ago

Hi, I was wondering if it's possible to join this container to a Windows domain or a Linux domain (Zentyal).

The idea is to transfer the FSMO roles and pass the AD to this container.

Thank you

diegogslomp commented 1 year ago

Hello!

I don't have a Windows domain to test it, but you can try joining the domain using the samba-domain-join script; you can check the docker-compose files for dc2, dc3 and dc4 as examples. After that you can use samba-tool to transfer the roles. Any trouble, please let me know.

killmasta93 commented 1 year ago

Thank you so much, I got it working to connect to the domain.

killmasta93 commented 1 year ago

Hi @diegogslomp, so I was able to connect the second DC to a Zentyal domain, but I think I might be a bit confused. Currently this is my docker-compose file after connecting it. I just realized 172.16.238.20 is the IP of the container, and I'm guessing it has to be the IP of the VM so the local computers can see the IP? The local IP of the VM is 192.168.7.206, meaning that I should put that IP instead of 172.16.238.20?

```yaml
version: "3.1"

services:
  dc2:
    image: samba:ubuntu
    restart: unless-stopped
    build:
      context: .
      dockerfile: dockerfiles/ubuntu
      args:
        SMB_VERSION: "${SMB_VERSION:-latest}"
    container_name: dc2
    hostname: DC2
    privileged: true
    environment:
      REALM: TEST.LOCAL
      DOMAIN: TEST
      ADMIN_PASS: Passw0rd
      DNS_FORWARDER: 8.8.8.8
      BIND_NETWORK_INTERFACES: false
    dns_search: test.local
    dns:
      - 192.168.3.195
      - 172.16.238.20
    extra_hosts:
      - "zentyal zentyal.test.local:192.168.3.195"
      - "DC2 DC2.test.local:172.16.238.20"
    command: bash -c "samba-domain-join zentyal && samba -F"
    volumes:
      - dc2-local-samba:/usr/local/samba
    networks:
      static-network:
        ipv4_address: 172.16.238.20

volumes:
  dc2-local-samba:

networks:
  static-network:
    ipam:
      config:
        - subnet: 172.16.238.0/24
```

diegogslomp commented 1 year ago

For that you need the container in host network mode, as in this docker-compose file, and remove the BIND_NETWORK_INTERFACES variable; you can remove the unused static network as well. You need to adapt your host files (/etc/resolv.conf and /etc/hosts) as described here.

Edit host /etc/resolv.conf:

```text
search test.local
nameserver 192.168.7.206
nameserver 192.168.3.195
```

Add to host /etc/hosts file:

```text
192.168.7.206 dc2.test.local dc2
192.168.3.195 zentyal.test.local zentyal
```

Set a static IP for your host beforehand too. Any trouble, please let me know.

killmasta93 commented 1 year ago

Hi @diegogslomp, thank you so much for the reply. So I added the container back to the domain, then I transferred the roles to the container.

As for host network mode, it seems that the container grabs all the IPs on the host, which I think might be causing the issue with DNS.

This is the docker-compose before I transferred:

```yaml
version: "3.1"

services:
  dc2:
    image: samba:ubuntu
    restart: unless-stopped
    network_mode: host
    build:
      context: .
      dockerfile: dockerfiles/ubuntu
      args:
        SMB_VERSION: "${SMB_VERSION:-latest}"
    container_name: dc2
    hostname: DC2
    privileged: true
    environment:
      REALM: TEST.LOCAL
      DOMAIN: TEST
      ADMIN_PASS: Passw0rd
      DNS_FORWARDER: 8.8.8.8
      BIND_NETWORK_INTERFACES: false
    dns_search: test.local
    dns:
      - 192.168.3.195
      - 172.16.238.20
    extra_hosts:
      - "zentyal zentyal.test.local:192.168.3.195"
      - "DC2 DC2.test.local:172.16.238.20"
    command: bash -c "samba-domain-join zentyal && samba -F"
    volumes:
      - dc2-local-samba:/usr/local/samba

volumes:
  dc2-local-samba:
```

```text
root@DC2:/usr/local/sbin# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
```

Then on Zentyal I demoted the server:

```text
root@zentyal:~# samba-tool domain demote -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using dc2.test.local as partner server for the demotion
Using binding ncacn_ip_tcp:dc2.test.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc2.test.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc2.test.local<0x20>
Password for [TEST\administrator]:
Deactivating inbound replication
Asking partner server dc2.test.local to synchronize from us
resolve_lmhosts: Attempting lmhosts lookup for name dc2.test.local<0x20>
Changing userControl and container
INFO 2023-04-08 17:52:06,986 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #56: Removing Sysvol reference: CN=ZENTYAL,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=local
INFO 2023-04-08 17:52:06,991 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #56: Removing Sysvol reference: CN=ZENTYAL,CN=test.local,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=local
INFO 2023-04-08 17:52:06,995 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #80: Removing Sysvol reference: CN=ZENTYAL,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=test,DC=local
INFO 2023-04-08 17:52:06,998 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #80: Removing Sysvol reference: CN=ZENTYAL,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=test,DC=local
INFO 2023-04-08 17:52:07,073 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #163: updating DomainDnsZones.test.local keeping 28 values, removing 1 values
INFO 2023-04-08 17:52:07,139 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #163: updating test.local keeping 31 values, removing 1 values
INFO 2023-04-08 17:52:07,176 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #163: updating ForestDnsZones.test.local keeping 28 values, removing 1 values
INFO 2023-04-08 17:52:07,213 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_gc._tcp.Default-First-Site-Name._sites,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,232 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_kerberos._tcp,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 2 values
INFO 2023-04-08 17:52:07,260 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,298 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=@,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 30 values, removing 1 values
INFO 2023-04-08 17:52:07,316 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_kerberos._udp,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 2 values
INFO 2023-04-08 17:52:07,335 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.DomainDnsZones,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,364 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_kpasswd._tcp,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 2 values
INFO 2023-04-08 17:52:07,382 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_kerberos._tcp.Default-First-Site-Name._sites,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,425 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_kpasswd._udp,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 2 values
INFO 2023-04-08 17:52:07,446 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.Default-First-Site-Name._sites,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,468 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_msdcs,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 0 values, removing 1 values
INFO 2023-04-08 17:52:07,490 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_kerberos-master._udp,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 0 values, removing 1 values
INFO 2023-04-08 17:52:07,514 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,531 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_kerberos-master._tcp,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 0 values, removing 1 values
INFO 2023-04-08 17:52:07,551 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_gc._tcp,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,567 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.ForestDnsZones,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,584 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,604 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=@,DC=3.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,627 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=@,DC=7.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,652 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.pdc,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,669 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_kerberos._tcp.dc,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,699 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.gc,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,714 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,731 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=f7539d51-1930-4630-a4c2-f4b78f5df067,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 0 values, removing 1 values
INFO 2023-04-08 17:52:07,748 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,776 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,791 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.dc,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
INFO 2023-04-08 17:52:07,810 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=@,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 2 values, removing 1 values
INFO 2023-04-08 17:52:07,826 pid:29815 /usr/lib/python3/dist-packages/samba/remove_dc.py #204: updating DC=_ldap._tcp.2f0b15c0-a03c-49f3-ac2b-c447230dabe8.domains,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local keeping 1 values, removing 1 values
Demote successful
```

Then on the container dc2 I edited the docker-compose file and ran docker-compose up -d:


```yaml
services:
  dc2:
    image: samba:ubuntu
    restart: unless-stopped
    network_mode: host
    build:
      context: .
      dockerfile: dockerfiles/ubuntu
      args:
        SMB_VERSION: "${SMB_VERSION:-latest}"
    container_name: dc2
    hostname: DC2
    privileged: true
    environment:
      REALM: TEST.LOCAL
      DOMAIN: TEST
      ADMIN_PASS: Passw0rd
      DNS_FORWARDER: 8.8.8.8
      BIND_NETWORK_INTERFACES: false
    dns_search: test.local
    dns:
      - 192.168.7.206
    extra_hosts:
      - "DC2 DC2.test.local:192.168.7.206"
    volumes:
      - dc2-local-samba:/usr/local/samba

volumes:
  dc2-local-samba:
```

Then I checked the logs on the container, but I see this error:


```text
root@DC2:/usr/local/samba/var# tail -f log.samba
[2023/04/08 22:58:01.932457,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     elif not check_dns_name(d):
[2023/04/08 22:58:01.932620,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 299, in check_dns_name
[2023/04/08 22:58:01.932805,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
[2023/04/08 22:58:01.932977,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Exception: Timeout while waiting to contact a working DNS server while looking for A dc2.test.local 172.17.0.1 as dc2.test.local.
[2023/04/08 22:58:02.016473,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 1
```

I also tried checking with the RSAT tools, but it seems something I missed? As it's giving an error connecting to the new domain controller, which is DC2.

Thank you again
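
Before demoting the old DC, a check that every FSMO role already sits on the DC that stays. This is an added example, not code from the samba-ad-dc project or from either participant: it parses the `samba-tool fsmo show` text shown in the comment above (the embedded sample is constructed to match that output) and refuses to give the go-ahead if any role is missing or still owned by another DC. The DC name `DC2` is only the default argument.

```python
"""Pre-demotion check: are all FSMO roles on the DC that stays?

Added example (not part of samba-ad-dc). Parses the text format that
`samba-tool fsmo show` prints, as seen in the comment above, and exits
non-zero if any role is missing or owned by another DC.  Live use:

    samba-tool fsmo show | python3 fsmo_check.py DC2
"""
import re
import sys

# Constructed sample matching the output posted above: all seven roles on DC2.
SAMPLE_FSMO_SHOW = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
"""

# The seven roles samba-tool reports: the five classic FSMO roles plus the
# two DNS application-partition masters.
EXPECTED_ROLES = (
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
)

# "<Role> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,..." -> capture role and DC.
ROLE_LINE = re.compile(r"^(?P<role>\w+) owner: CN=NTDS Settings,CN=(?P<dc>[^,]+),")

def parse_fsmo_show(text):
    """Map each role name to the owning DC's name, upper-cased."""
    owners = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            owners[m.group("role")] = m.group("dc").upper()
    return owners

def roles_not_on(owners, keep_dc):
    """Roles that are absent from the output or owned by a DC other than keep_dc."""
    keep = keep_dc.upper()
    return {role: owners.get(role, "<missing>")
            for role in EXPECTED_ROLES
            if owners.get(role) != keep}

def safe_to_demote_others(text, keep_dc):
    """True only when every expected role is held by keep_dc."""
    return not roles_not_on(parse_fsmo_show(text), keep_dc)

if __name__ == "__main__":
    keep = sys.argv[1] if len(sys.argv) > 1 else "DC2"
    text = SAMPLE_FSMO_SHOW if sys.stdin.isatty() else sys.stdin.read()
    problems = roles_not_on(parse_fsmo_show(text), keep)
    for role, owner in sorted(problems.items()):
        print(f"NOT on {keep}: {role} (owner: {owner})")
    if problems:
        sys.exit(1)
    print(f"OK: all {len(EXPECTED_ROLES)} FSMO roles are on {keep}")
```

If the check fails, run `samba-tool fsmo transfer --role=all` on the DC you are keeping and re-run it; demote the other DC only once it passes, since a demoted DC that still holds a role leaves that role orphaned.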

diegogslomp commented 1 year ago

When in host network mode you must bind the container interface; if you remove the "BIND_NETWORK_INTERFACES: false" line from the file and join again, it should work. Or you can try editing the smb.conf file; check how the samba-domain-join script does the binding.
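
Why the DNS update in the log above tried to register 172.17.0.1: in host network mode the container sees every host interface, including Docker's default docker0 bridge, and with no `interfaces` restriction in smb.conf Samba advertises every non-loopback address it finds. The script below is an added example, not the project's samba-domain-join script (whose exact smb.conf edits are not reproduced here): it parses the [global] section of an smb.conf and applies that rule, simplified from `man smb.conf`, to a constructed interface table, showing the unbound configuration beside a bound one. The bound sample's `interfaces`/`bind interfaces only` lines are an assumption of what a correct binding looks like.

```python
"""Which addresses will a host-network Samba DC advertise?  Added example,
not part of samba-ad-dc and not the samba-domain-join script itself.

Model (simplified from `man smb.conf`): with no `interfaces` line Samba uses
every non-loopback address the kernel reports; with `interfaces` set it uses
only the listed interface names/addresses, and `bind interfaces only = yes`
additionally keeps its listeners off the others.  Edge case shown: the
docker0 bridge, visible to the container in host network mode and, left
unbound, registered in DNS (the 172.17.0.1 in the log above).
"""
import ipaddress

# Constructed interface table for a Docker host whose LAN address is
# 192.168.7.206; 172.17.0.1 is Docker's default docker0 bridge address.
HOST_INTERFACES = {
    "lo": "127.0.0.1",
    "eth0": "192.168.7.206",
    "docker0": "172.17.0.1",
}

# Unbound [global]: no interfaces line (presumably what BIND_NETWORK_INTERFACES=false leaves).
SMB_CONF_UNBOUND = """\
[global]
    netbios name = DC2
    realm = TEST.LOCAL
    workgroup = TEST
    server role = active directory domain controller
"""

# Bound [global]: loopback and the LAN address only (assumed binding; check
# the join script for the lines it actually writes).
SMB_CONF_BOUND = """\
[global]
    netbios name = DC2
    realm = TEST.LOCAL
    workgroup = TEST
    server role = active directory domain controller
    interfaces = lo 192.168.7.206
    bind interfaces only = yes
"""

def parse_global(smb_conf):
    """Return the [global] parameters as a dict (keys lower-cased, comments skipped)."""
    section, params = None, {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def advertised_addresses(smb_conf, host_ifaces):
    """Non-loopback addresses Samba would bind and register in DNS under this model."""
    wanted = parse_global(smb_conf).get("interfaces", "").split()
    if not wanted:
        candidates = list(host_ifaces.values())
    else:
        candidates = []
        for item in wanted:
            if item in host_ifaces:                 # interface name, e.g. "eth0"
                candidates.append(host_ifaces[item])
            else:                                   # address or address/mask
                addr = str(ipaddress.ip_interface(item).ip)
                if addr in host_ifaces.values():
                    candidates.append(addr)
    return sorted(a for a in candidates if not ipaddress.ip_address(a).is_loopback)

def is_bound(smb_conf):
    """True when listeners are restricted to the `interfaces` list."""
    value = parse_global(smb_conf).get("bind interfaces only", "no").lower()
    return value in ("yes", "true", "1")

def stray_addresses(smb_conf, host_ifaces, lan_addr):
    """Addresses that would be registered for the DC but that LAN clients cannot reach."""
    return [a for a in advertised_addresses(smb_conf, host_ifaces) if a != lan_addr]

if __name__ == "__main__":
    for name, conf in (("unbound", SMB_CONF_UNBOUND), ("bound", SMB_CONF_BOUND)):
        print(f"{name}: advertises {advertised_addresses(conf, HOST_INTERFACES)}, "
              f"stray={stray_addresses(conf, HOST_INTERFACES, '192.168.7.206')}, "
              f"bind interfaces only={is_bound(conf)}")
```

Point it at the real file (`/usr/local/samba/etc/smb.conf` in this image) and at the output of `ip -4 addr` to confirm that only the LAN address is left before joining; anything else the script lists is an address clients will be handed in DNS and cannot reach.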

killmasta93 commented 1 year ago

Thank you so much, that did the trick. I also demoted the Zentyal server and it seems to work. I'm going to keep testing a few other things and I'll post back; wanted to thank you so much again.

killmasta93 commented 1 year ago

Hi @diegogslomp, quick question: after transferring the FSMO roles to the Docker container and demoting Zentyal, I tried a gpupdate and got this error:

[screenshot of the gpupdate error]

My question is: should I have run this step first?

https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

Thank you

diegogslomp commented 1 year ago

Hello!

Did you update /etc/resolv.conf and /etc/hosts, removing the demoted server? Check what your host resolves for test.local.

killmasta93 commented 1 year ago

Hi @diegogslomp, thank you again for the reply. So I redid all the steps and found out something: the issue is not when I demote the server, the issue is when I transfer the FSMO roles to DC2. It seems that it can't find the gpt.ini; it seems that when I transfer the roles, or when dc2 joins the domain, the SysVol files do not get transferred.

[screenshots of the missing gpt.ini error]

diegogslomp commented 1 year ago

Hello

As you can see here, Samba doesn't provide SysVol replication; one workaround is to create a cron job with the rsync command:

```text
*/5 * * * *          rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@{IP-of-your-PDC-Emulator}/SysVol/ /path/to/your/sysvol/folder/
```

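
Once the rsync job above has run, a way to confirm that the replica's SysVol really carries every GPO, since a Policies/{GUID} folder without a GPT.INI is exactly what produces the gpupdate failure reported earlier in this thread. This is an added example, not the project's code or the Samba wiki's; it compares the GPT.INI Version counters of two SysVol trees given on the command line, and the built-in sample trees are constructed in a temporary directory using the two well-known default GPO GUIDs.

```python
"""Compare two SysVol trees after an rsync pass.  Added example, not part of
samba-ad-dc or the Samba wiki workaround.

Every GPO lives in <sysvol>/<realm>/Policies/{GUID}/ with a GPT.INI whose
"Version=" counter clients compare against the GPO object in AD.  A GPO folder
whose GPT.INI is missing on the replica (the symptom reported above), or whose
Version is behind the PDC emulator's copy, means clients served by this DC
fail or apply stale policy.  Usage:

    python3 sysvol_check.py /src/sysvol /replica/sysvol test.local
"""
import os
import re
import sys
import tempfile

GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VERSION_LINE = re.compile(r"^\s*Version\s*=\s*(\d+)\s*$", re.IGNORECASE)

def gpt_version(path):
    """Version integer from a GPT.INI, or None if the file is absent or has no Version line."""
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            for line in f:
                m = VERSION_LINE.match(line)
                if m:
                    return int(m.group(1))
    except OSError:
        return None
    return None

def gpo_versions(sysvol_root, realm):
    """{GUID: version-or-None} for every GPO folder under the realm's Policies."""
    policies = os.path.join(sysvol_root, realm, "Policies")
    if not os.path.isdir(policies):
        return {}
    return {name.upper(): gpt_version(os.path.join(policies, name, "GPT.INI"))
            for name in os.listdir(policies) if GUID_DIR.match(name)}

def compare_sysvol(source_root, replica_root, realm):
    """{GUID: reason} for each GPO the replica cannot serve correctly."""
    src = gpo_versions(source_root, realm)
    rep = gpo_versions(replica_root, realm)
    problems = {}
    for guid, src_ver in src.items():
        if guid not in rep:
            problems[guid] = "GPO folder missing on replica"
        elif rep[guid] is None:
            problems[guid] = "GPT.INI missing or unreadable on replica"
        elif src_ver is not None and rep[guid] < src_ver:
            problems[guid] = f"replica Version {rep[guid]} behind source {src_ver}"
    return problems

def build_sample_trees():
    """Constructed sample: two default GPOs on the source, replica missing one GPT.INI.
    Returns (source_root, replica_root, realm)."""
    base = tempfile.mkdtemp(prefix="sysvol-check-")
    realm = "test.local"
    gpos = {
        "{31B2F340-016D-11D2-945F-00C04FB984F9}": 65539,  # Default Domain Policy
        "{6AC1786C-016F-11D2-945F-00C04FB984F9}": 2,      # Default Domain Controllers Policy
    }
    for side in ("source", "replica"):
        for guid, ver in gpos.items():
            folder = os.path.join(base, side, realm, "Policies", guid)
            os.makedirs(folder)
            if side == "replica" and guid.startswith("{6AC1786C"):
                continue  # simulate the gpt.ini that never got replicated
            with open(os.path.join(folder, "GPT.INI"), "w", newline="\r\n") as f:
                f.write(f"[General]\nVersion={ver}\n")  # CRLF on disk, as Windows writes it
    return os.path.join(base, "source"), os.path.join(base, "replica"), realm

if __name__ == "__main__":
    src, rep, realm = sys.argv[1:4] if len(sys.argv) == 4 else build_sample_trees()
    problems = compare_sysvol(src, rep, realm)
    for guid, why in sorted(problems.items()):
        print(f"{guid}: {why}")
    print("OK: replica SysVol matches" if not problems else f"{len(problems)} problem(s)")
    sys.exit(1 if problems else 0)
```

Run it from the replica against an rsync'd copy of the source tree, or over SSH-mounted paths; a non-zero exit after the cron job has had a cycle to run means the sync, not the FSMO transfer, is what clients are tripping over.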
killmasta93 commented 1 year ago

Hi @diegogslomp, thank you again so much. I ran this, which fixed the issue, and the demote worked perfectly:

```shell
rsync --dry-run -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@192.168.7.206:/var/lib/docker/volumes/samba-ad-dc_dc2-local-samba/_data/var/locks/sysvol/
```