How to configure Samba 4 as Secondary Domain Controller

by

I have written one more article with the steps to configure FreeIPA server and client which can also act as an alternate to Microsoft Active Directory. And since FreeIPA is a GUI based, it can be a better alternative then Samba4.

I started reading Samba4 Join a DC article with a belief that it shows the steps required to configure a backup domain controller for our PDC in Samba 4. (Please correct me if I am wrong).

But when I studied in depth I came to the conclusion that it was guiding us to create a secondary domain controller and not a backup dc.

Still I tried to configure the same using the steps as provided on that article and as to my belief I ended up configuring a secondary dc rather than a backup dc.

NOTE: This article guides you to configure secondary domain controller rather than a primary domain controller.

But still I would like to show the steps which I followed and the fix to errors which I faced while configuring the same.
Primary DC: 192.168.1.6
Hostname: test.example.com

Secondary DC: 192.168.1.5
Hostname: test1.example.com
So let me assume that you already have a working primary dc. It can be Samba 4 or Windows Server 2008 AD.

Before you start always make sure to check the pre-requisites

On the primary domain controller (test.example.com)
Verify the entry of kerberos config file is as shown below on your PDC
[root@test ~]# cat /etc/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
Update your resolv.conf with the address of your DNS server which should be your PDC as for me

[root@test ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
On the secondary domain controller (test1.example.com)
Update your resolv.conf with the DNS server as used in your PDC (Primary Domain Controller)
[root@test1 ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
To prepare a SDC(Secondary Domain Controller) you will have to configure Samba 4.1 in your current server as well. These are the steps you need to do. You can follow the below article for configuring Samba 4.1
Samba 4.1 as Active Directory

  1. Download Samba 4.1
  2. Configure
  3. make && make install
  4. Remove /usr/local/samba/etc/smb.conf file
IMPORTANT NOTE:
Do not run the provision step for Samba 4.1

Run the below command as root

[root@test1 samba-4.1.4]# samba-tool domain join example.com DC -Uadministrator --realm=example.com
Finding a writeable DC for domain 'example.com'
Found DC test.example.com
Password for [EXAMPLEadministrator]: [Give your PDC password]
NO DNS zone information found in source domain, not replicating DNS
workgroup is EXAMPLE
realm is example.com
checking sAMAccountName
Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Setting account password for TEST1$
Enabling account
Calling bare provision
No IPv6 address will be assigned
ldb: module schema_load initialization failed : No such object
ldb: module rootdse initialization failed : No such object
ldb: module samba_dsdb initialization failed : No such object
ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
samdb_connect failed
VFS connect failed!
Join failed - cleaning up
checking sAMAccountName
Deleted CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1172, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1076, in do_join
ctx.join_provision()
File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 727, in join_provision
use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 2052, in provision
raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")

In the first attempt I got the above error

Error:
Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option."
There are two solutions for this

Solution 1:
Your filesystem does not supports acl so you will have to remount your fs with acl, user_xattr parameter

Make sure these two rpms are installed in your server
[root@test ~]# rpm -qa|grep libattr
libattr-2.4.44-7.el6.i686
libattr-devel-2.4.44-7.el6.i686

[root@test ~]# rpm -qa|grep libacl
libacl-2.2.49-6.el6.i686
libacl-devel-2.2.49-6.el6.i686

Secondly remount your filesystem (For me my root partition is /dev/mapper/VolGroup-root. Make necessary changes as per your partition)

# mount -o remount,acl,user_xattr /dev/mapper/VolGroup-root
For making permanent changes update your fstab file
# cat /etc/fstab
/dev/mapper/VolGroup-root     /      ext4    defaults,acl,user_xattr     1 1

NOTE: Since this is something which you are making change in the kernel so the kernel has to boot to take the changes affect. Reboot your system and try again

Solution 2:
Use an extra parameter --use-ntvfs to skip the above work in case it is a production server as you will not be allowed to reboot a prod server.

[root@test1 ~]# samba-tool domain join example.com DC -Uadministrator --realm=example.com --use-ntvfs
Finding a writeable DC for domain 'example.com'
Found DC test.example.com
Password for [EXAMPLEadministrator]: [Give your PDC password]
NO DNS zone information found in source domain, not replicating DNS
workgroup is EXAMPLE
realm is example.com
checking sAMAccountName
Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Setting account password for TEST1$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[804/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1206/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1608/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1653/1653] linked_values[20/0]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[98/98] linked_values[23/0]
Partition[DC=example,DC=com] objects[394/296] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain EXAMPLE (SID S-1-5-21-2036099725-333104617-2937475635) as a DC
As you see above we have successfully joined our PDC as a SDC.

Now next step is to make sure your hostname for SDC is resolvable on the DNS

On DNS server (192.168.1.6)
[root@test ~]# nslookup test1.example.con
Server:         192.168.1.6
Address:        192.168.1.6#53

** server can't find test1.example.con: NXDOMAIN

As you see currently our hostname for SDC is not resolvable so lets make an entry for the same on your samba4 dns server
[root@test ~]# vi /usr/local/samba/private/dns/example.com.zone
(Make an entry in last line)
test1           IN A    192.168.1.5
Save and exit

Restart the named services
[root@test ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

Now retry to resolve the hostname

[root@test1 ~]# nslookup test1.example.com
Server:         192.168.1.6
Address:        192.168.1.6#53

Name:   test1.example.com
Address: 192.168.1.5

So we are good to move to the next step now

Verify if the objectGUID is resolvable to the new hostname, Run the below command

[root@test1 ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903

record 2
dn: CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33

Here my objectUID for test1.example.com is record2 which is 607bc2dc-0754-49e3-aa37-9be403d0cc33
Now this objectUID should resolve using the below command

[root@test ~]# host -t CNAME 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com.
Host 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. not found: 3(NXDOMAIN)

But since there is no DNS entry for the same it is not getting resolved.

You can update your DNS record using the below command

# samba-tool dns add IP-of-your-DNS _msdcs.samdom.example.com 607bc2dc-0754-49e3-aa37-9be403d0cc33 CNAME test1.example.com -Uadministrator

But for me unfortunately the above command was throwing error so I had to manually update the DNS CNAME record.

So In case you are also facing the same issue follow the below steps to manually update your zone file in DNS

[root@test ~]# vi /usr/local/samba/private/dns/example.com.zone
Make a new entry at the last line of the file
607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. IN CNAME test1

[root@test ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

Now again retry to run the below command
[root@test ~]# host -t CNAME 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com.
607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com is an alias for test1.example.com.
Well that fixed one of our problem so moving to the next step
Finally update the IP of your SDC in your resolv.conf of the same server which for our case is 192.168.1.5

[root@test1 ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
nameserver 192.168.1.5

Starting Samba

You have to follow the same step to start samba as used in PDC

# samba
[root@test1 ~]# ps -ef | grep samba
root      2957     1  0 11:06 ?        00:00:00 samba
root      2958  2957  0 11:06 ?        00:00:00 samba
root      2959  2957  0 11:06 ?        00:00:03 samba
root      2960  2957  0 11:06 ?        00:00:00 samba
root      2961  2957  0 11:06 ?        00:00:00 samba
root      2962  2957  0 11:06 ?        00:00:01 samba
root      2963  2957  0 11:06 ?        00:00:00 samba
root      2964  2957  0 11:06 ?        00:00:00 samba
root      2965  2958  0 11:06 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      2966  2957  0 11:06 ?        00:00:00 samba
root      2967  2957  0 11:06 ?        00:00:00 samba
root      2968  2957  0 11:06 ?        00:00:00 samba
root      2969  2957  0 11:06 ?        00:00:00 samba
root      2970  2957  0 11:06 ?        00:00:00 samba
root      2973  2965  0 11:06 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      3524  2703  0 11:18 pts/0    00:00:00 grep samba
# kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM: [Give password for Administrator]
Warning: Your password will expire in 41 days on Mon Mar 31 13:44:36 2014

Now it is time to see if the replication is working for both the domain controllers. So that if you make any change on one of the dc the same should reflect on the other dc.
To verify the same run the below command
[root@test1 ~]# samba-tool drs showrepl
Failed to connect host 192.168.1.5 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.1.5 (test1.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to test1.example.com failed - drsException: DRS connection to test1.example.com failed: (-1073741258, 'The connection was refused')
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
Now first time when I ran this command I got the above error so I did a little bit of dug up to look out for possible reason

[root@test1 ~]# cat /var/log/messages | grep 135

Feb 17 15:15:58 test samba[1207]: Failed to connect host 192.168.1.6 on port 135 - NT_STATUS_CONNECTION_REFUSED
Feb 17 15:15:58 test samba[1207]: Failed to connect host 192.168.1.6 (74b975bc-c25c-4ce7-9773-fe3f6eb1b903._msdcs.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
Then just to be sure
[root@test1 ~]# telnet localhost 135
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

Then I checked my selinux which was in enforcing mode.
[root@test1 ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Change it to disabled state and reboot the system
Now retry the same

[root@test1 ~]# telnet localhost 135
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
So now port 135 is in listening state
Also check the below link to configure iptable rules for your Samba 4.1
Again I ran the below command
[root@test1 ~]# samba-tool drs showrepl
Default-First-Site-NameTEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0

==== INBOUND NEIGHBORS ====

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')

Next time I was getting the above error
Error:
NT_STATUS_RPC_PROTOCOL_ERROR

 Solution:
It looked like my samba services were not started properly when I checked the running processes. So I restarted my samba services and everything worked fine then
[root@test1 ~]# samba-tool drs showrepl
Default-First-Site-NameTEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0
==== INBOUND NEIGHBORS ====
DC=example,DC=com
Default-First-Site-NameTEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:58 2014 IST
CN=Configuration,DC=example,DC=com
Default-First-Site-NameTEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:57 2014 IST
CN=Schema,CN=Configuration,DC=example,DC=com
Default-First-Site-NameTEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:53 2014 IST
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 77f4ad2e-ddca-4584-8d8c-7efbd1f7d93c
Enabled        : TRUE
Server DNS name : test.example.com
Server DN name  : CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
TransportType: RPC
options: 0x00000001
So, all looks good to verify our configuration.

On Windows client machine

Open the Active Directory User management console
You should be connected to the domain example.com
Click on Action and select "Change Domain Controller" as shown below
Here you should be able to see your available domain controllers and their status as shown below for my case both my dc are online.

You can switch to either dc using these steps
Now I tried to add a user on SDC(test1.example.com) using CLI
[root@test1 ~]# samba-tool user add test
New Password:
Retype Password:
User 'test' created successfully

[root@test1 ~]# samba-tool user list
Administrator
dns-test
krbtgt
Guest
test


 On PDC (test.example.com)
[root@test ~]# samba-tool user list
Administrator
dns-test
krbtgt
Guest
test
So the same user appeared on my PDC as well so our replication is working good. The same you can test from either domain controller.

But again as I had told in the beginning of this article this is NOT a backup domain controller, it is a secondary domain controller. I am waiting for Samba 4 developers to come up with a backup domain controller option as well.
Please let me know your success and failures.