Big edit done on 30 Sep 2018
Windows 10 since the Fall Creators Update (1709)
Windows 10, since the Fall Creators Update (1709), is no longer shipping with SMB 1.0 support enabled. This means that if you enable "Windows 10 Domain Logons", Windows 10 machines can no longer access Windows Networking (Samba) Domains or use Flexshares in Simple filesharing mode. If you try to join a ClearOS Domain you may get the the popup in the picture at the bottom.
The cause is that SMB1.0 support is now disabled by default in Windows 10. The link takes you to this Microsoft document. To enable SMB1.0 support see this Microsoft document or just go Control Panel > Programs and Features > "Turn Windows Features on and off" then scroll down to SMB 1.0/CIFS File Sharing Support and enable it. You will need to reboot afterwards. There is also a PowerShell method in the document. However, for ClearOS 7.x users this may not be necessary. Please read on.
Windows 10 since the Spring Creators Update (1803)
Currently, if you are not a member of a ClearOS domain before upgrading to or installing the 1803 version of Windows 10, then once you are running the 1803 version you will not be able to join a ClearOS domain. You will receive a message to the effect that no AD DC (Active Directory Domain Controller) could be found. The solution now is to install the Windows 10 1809 KB4458469 update. This completely fixes the issue in both ClearOS 6.x and 7.x. You can check if you have this build standard by going Windows Key > Gear Wheel > System > About. Your Windows OS Build version should be 17134.319 or greater.
Note: Please do not think that, just because you have Windows Update set to automatically install updates, you are up to date. It all depends on your Windows Update settings. In your Windows Update Advanced settings, if you are on the "Semi-Annual Channel" then you are probably not up to date. Most Win 10 Pro users are probably on this channel. Even though when you check Windows Update you are told you are up to date, this means you have all security patches installed. It does not mean you have all feature releases installed. Furthermore, you can further delay Feature Updates by up to a year with the other dropdowns on that page. Please check the OS Build Version as described above.
Windows 10 Domain Logons / Force SMB1 Protocol
In ClearOS 6.x this has never had any effect as Samba is limited to using the SMB1 protocol unless you have made manual changes to smb.conf. However you will need to enable SMB1 in Win10 from version 1709 onwards. See above for instructions.
In ClearOS 7.x, samba upgraded to version 4.7.1-9.v7 in September. With this version you do not need to enable Windows 10 Domain Logons to join a domain and it is recommended that you don't. You also no longer need to enable SMB1 support in Win10 to join a domain. This means you can avoid using the SMB1 protocol which is considered to be insecure these days. If you do not have this update, it is strongly recommended you install it, as it makes life easier by not having to enable SMB1 in Win10 and obsoletes the need to use SMB1 on your LAN.
[edit 05 Nov-2018]
During W/C 29th Oct, the "Windows 10 Domain Logons" entry in the webconfig was renamed to "Force SMB1 Protocol". As there is no obvious reason to enable it, if it is not enabled, it will disappear from the Webconfig. Similarly if it is currently enabled and you subsequently disable it, it will disappear.
If you want to go for the secure option and disable SMB1 entirely you'd need to manually tweak /etc/samba/smb.conf adding the following to the [Global] section:
[/edit]
Windows Networking in Simple File Sharing / NAS mode
In ClearOS 6.x you will need to enable SMB1 in Win10 from version 1709 onwards. See above for instructions.
In ClearOS 7.x, if you do not use Domains and just use Windows Networking in Simple File Sharing / NAS mode, do not enable Windows 10 Domain Logons or you will have to enable SMB1 support in Win10. It does not matter which version of samba you are running; it as always worked OK without this parameter being set.
Browsing the Network Neighbourhood
Browsing the network neighbourhood in Windows Explorer has now also been disabled in Win10 1803. To re-enable it, please follow this link among others.
ClearOS as an Active Directory Domain Controller
I have got a fair way through a manual implementation in this post in the thread. There is little point going further with it although I recently tweaked it and may do so again in the future if I find bits on info relevant to the post.
Windows 10 since the Fall Creators Update (1709)
Windows 10, since the Fall Creators Update (1709), is no longer shipping with SMB 1.0 support enabled. This means that if you enable "Windows 10 Domain Logons", Windows 10 machines can no longer access Windows Networking (Samba) Domains or use Flexshares in Simple filesharing mode. If you try to join a ClearOS Domain you may get the the popup in the picture at the bottom.
The cause is that SMB1.0 support is now disabled by default in Windows 10. The link takes you to this Microsoft document. To enable SMB1.0 support see this Microsoft document or just go Control Panel > Programs and Features > "Turn Windows Features on and off" then scroll down to SMB 1.0/CIFS File Sharing Support and enable it. You will need to reboot afterwards. There is also a PowerShell method in the document. However, for ClearOS 7.x users this may not be necessary. Please read on.
Windows 10 since the Spring Creators Update (1803)
Currently, if you are not a member of a ClearOS domain before upgrading to or installing the 1803 version of Windows 10, then once you are running the 1803 version you will not be able to join a ClearOS domain. You will receive a message to the effect that no AD DC (Active Directory Domain Controller) could be found. The solution now is to install the Windows 10 1809 KB4458469 update. This completely fixes the issue in both ClearOS 6.x and 7.x. You can check if you have this build standard by going Windows Key > Gear Wheel > System > About. Your Windows OS Build version should be 17134.319 or greater.
Note: Please do not think that, just because you have Windows Update set to automatically install updates, you are up to date. It all depends on your Windows Update settings. In your Windows Update Advanced settings, if you are on the "Semi-Annual Channel" then you are probably not up to date. Most Win 10 Pro users are probably on this channel. Even though when you check Windows Update you are told you are up to date, this means you have all security patches installed. It does not mean you have all feature releases installed. Furthermore, you can further delay Feature Updates by up to a year with the other dropdowns on that page. Please check the OS Build Version as described above.
Windows 10 Domain Logons / Force SMB1 Protocol
In ClearOS 6.x this has never had any effect as Samba is limited to using the SMB1 protocol unless you have made manual changes to smb.conf. However you will need to enable SMB1 in Win10 from version 1709 onwards. See above for instructions.
In ClearOS 7.x, samba upgraded to version 4.7.1-9.v7 in September. With this version you do not need to enable Windows 10 Domain Logons to join a domain and it is recommended that you don't. You also no longer need to enable SMB1 support in Win10 to join a domain. This means you can avoid using the SMB1 protocol which is considered to be insecure these days. If you do not have this update, it is strongly recommended you install it, as it makes life easier by not having to enable SMB1 in Win10 and obsoletes the need to use SMB1 on your LAN.
[edit 05 Nov-2018]
During W/C 29th Oct, the "Windows 10 Domain Logons" entry in the webconfig was renamed to "Force SMB1 Protocol". As there is no obvious reason to enable it, if it is not enabled, it will disappear from the Webconfig. Similarly if it is currently enabled and you subsequently disable it, it will disappear.
If you want to go for the secure option and disable SMB1 entirely you'd need to manually tweak /etc/samba/smb.conf adding the following to the [Global] section:
min protocol = smb2[/edit]
Windows Networking in Simple File Sharing / NAS mode
In ClearOS 6.x you will need to enable SMB1 in Win10 from version 1709 onwards. See above for instructions.
In ClearOS 7.x, if you do not use Domains and just use Windows Networking in Simple File Sharing / NAS mode, do not enable Windows 10 Domain Logons or you will have to enable SMB1 support in Win10. It does not matter which version of samba you are running; it as always worked OK without this parameter being set.
Browsing the Network Neighbourhood
Browsing the network neighbourhood in Windows Explorer has now also been disabled in Win10 1803. To re-enable it, please follow this link among others.
ClearOS as an Active Directory Domain Controller
I have got a fair way through a manual implementation in this post in the thread. There is little point going further with it although I recently tweaked it and may do so again in the future if I find bits on info relevant to the post.
Attachments:
Share this post:
Responses (34)
-
Accepted Answer
Nick Howitt wrote:
Are you just trying to join a normal Samba domain or are you going for the docker/samba solution further down the post? I suspect the former.
At a very strong guess, you have not done the two registry updates. Click on the Windows Networking documentation to find out more. There is also a KB article. You probably can't do the KB4458469 update as your Version and OS Build Version are substantially later than the minimum required and already have the necessary updates.
Can I also check you have Win10 Pro and not Home as Home can't join a domain of any type.
Dear Nick,
You're absolutely right.
I was so worried working on the server side solution that I've missed the obvious!!!
The registry keys.
After add the registry keys, as usual (oh dummy)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
I was able to join the PC to the domain.
Thanks once again.
BR -
Accepted Answer
Are you just trying to join a normal Samba domain or are you going for the docker/samba solution further down the post? I suspect the former.
At a very strong guess, you have not done the two registry updates. Click on the Windows Networking documentation to find out more. There is also a KB article. You probably can't do the KB4458469 update as your Version and OS Build Version are substantially later than the minimum required and already have the necessary updates.
Can I also check you have Win10 Pro and not Home as Home can't join a domain of any type. -
Accepted Answer
Hello.
I've followed your excellent post and I couldn't get it working. I don't know what I can be missing. Can you please help?
So, about my ClearOS:
- Version is ClearOS 7 (with bronze subscription)
- Samba version: rpm --query samba returns : samba-4.7.1-9.v7.x86_64
- Force SMB1 Protocol was initially set to yes, but I've disabled it and now it disappeared (as expected)
- I've then deleted /var/lib/samba/wins.dat and restarted nmb and smb
- My ClearOS Samba server is also WINS server.
About my Windows 10:
- The installed versionwas inittialy 1809 (17763.55)
- I've updated today to 1809 (17763.134)
- SMB 1.0/CIFS file Sharing Support is disabled
- I can ping and nslookup domain correctly
When I try to join domain, the credentials box comes up, but when I input winadmin credentials, the error messages comes up saying that the domain doesn't exist or cant' be contacted.
I've also tried to install KB4458469 update, but with no avail, as it says the update is not suitable for my computer.
I can browse the server shares and authenticate with users account's.
Am I doing something wrong?
Thank's in advance. -
Accepted Answer
-
Accepted Answer
As a tidy up, you may want to stop Windows Networking (or just nmb), delete /var/lib/samba/wins.dat, then restart it.
Have you configured Windows Networking as the WINS server in your new machine by enabling WINS Support or are you pointing WINS Server to another machine? It should only be one or the other (or neither, if you insist). -
Accepted Answer
Thanks Nick,
Every computers are connected using cables. And yes, I can confirm nscd is running
I first had both server connected into the same network to transfer data and I had error message about master browser and so. yesterday, I removed the old server and these errors are gone but I found this in the nmbd log. I dont know if it is normal that the domain name has a <1d> added to its name..
For the errors , I've no idea if they are important or not..
Thanks
Samba server PAN is now a domain master browser for workgroup NDHS on subnet UNICAST_SUBNET
*****
[2018/11/01 01:28:55.028095, 0] ../source3/nmbd/nmbd_become_dmb.c:294(become_domain_master_browser_bcast)
become_domain_master_browser_bcast:
Attempting to become domain master browser on workgroup NDHS on subnet 192.168.20.1
[2018/11/01 01:28:55.028146, 0] ../source3/nmbd/nmbd_become_dmb.c:307(become_domain_master_browser_bcast)
become_domain_master_browser_bcast: querying subnet 192.168.20.1 for domain master browser on workgroup NDHS
[2018/11/01 01:28:57.034193, 0] ../source3/nmbd/nmbd_namequery.c:109(query_name_response)
query_name_response: Multiple (2) responses received for a query on subnet 192.168.20.1 for name NDHS<1d>.
This response was from IP 192.168.20.117, reporting an IP address of 192.168.20.117.
[2018/11/01 01:28:59.038173, 0] ../source3/nmbd/nmbd_logonnames.c:123(become_logon_server_success)
become_logon_server_success: Samba is now a logon server for workgroup NDHS on subnet 192.168.20.1
[2018/11/01 01:29:03.044543, 0] ../source3/nmbd/nmbd_become_dmb.c:112(become_domain_master_stage2)
*****
Samba server PAN is now a domain master browser for workgroup NDHS on subnet 192.168.20.1
*****
[2018/11/01 01:29:18.066578, 0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
*****
Samba name server PAN is now a local master browser for workgroup NDHS on subnet 192.168.20.1
*****
[2018/11/01 05:35:48.017395, 0] ../source3/libsmb/nmblib.c:873(send_udp)
Packet send failed to 192.168.20.117(138) ERRNO=Opération non permise
[2018/11/01 06:50:49.822350, 0] ../source3/libsmb/nmblib.c:873(send_udp)
Packet send failed to 192.168.20.117(138) ERRNO=Opération non permise
[2018/11/01 07:40:55.599647, 1] ../librpc/ndr/ndr.c:612(ndr_pull_error)
ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:107)
[2018/11/01 07:40:55.599714, 1] ../source3/nmbd/nmbd_processlogon.c:352(process_logon_packet)
process_logon_packet: Failed to pull logon packet
[2018/11/01 09:50:54.670858, 0] ../source3/libsmb/nmblib.c:873(send_udp)
Packet send failed to 192.168.20.117(138) ERRNO=Opération non permise
-
Accepted Answer
Occasionally I see a delay and it has always been like that, but it is not every time and it may just be with WiFi connections . As it is rare, I've never tried to nail it down and it is not reproducible so will be very difficult to troubleshoot. In my case I am not domain joined. A bit of a long shot, but when you upgraded your server, have you removed your old one from the network or changed its LAN IP so it does not clash? Can you also confirm that nscd is running? -
Accepted Answer
Hello all,
I just migrated a system from clearos 6 to 7. I took the backup file from clearos 6 for the upgrade and remove some applications that were not used anymore. The system has a flexshare system with basic windows networking (no AD). clients computer belong to the COS windows domain (main reason why I decided to migrate using the backup file).
Now everything works good except the connection to the flexshare. Everytime a computer wants to access a share, computer waits about 2-3 seconds and that gives the acces. Once this is made, navigation to the the flexshare is very fast. On the ClearOS system, windows 10 domain logon is not checked.
I really dont know where I can have a look trying to solve that ... so if someone has an idea ..
Thanks to all -
Accepted Answer
-
Accepted Answer
-
Accepted Answer
It looks like we are back in business with the old ClearOS Domains and better than before.
In Windows 10 there is an update coming through, KB4458469, which fixes the Domain Join issue. If you can't wait, you can install it directly from the Microsoft Update Catalog. Once installed your Windows OS Build version should be 17134.319 (Windows Key > Gear Wheel > System > About)
At the same time there has been an update to Samba in ClearOS7. I received mine on 11 Sep and it updated to v4.7.1-9.v7. With this update there is no need to enable SMB1 in Windows 10 1803 or later and there is no need to Enable "Windows 10 Domain Logons" in Windows Networking (Samba).
In ClearOS6, Samba defaults to SMB1 so I'd still expect you to need to enable SMB1 in Windows 10 1803. You can try enabling SMB2.0 in samba by setting:
in /etc/samba/smb.conf and seeing if you can join a domain without enabling SMB1 in Windows 10 1803. I ran with this set up for years in Simple Fileserver mode but I never used domains.max protocol = SMB2
I'd love it if people can independently confirm what I've found in ClearOS7 and also test ClearOS6 with domains if they able to, then post back to this thread with the results.
Note, when testing, please remember to do the registry change. I overlooked it on a new PC and it failed ......
[edit]
If you postponed the 1803 update, possibly the fastest way of installing it is to upgrade from Microsoft's Upgrade Link. You can upgrade directly from there or download the ISO if you want to upgrade more than one machine. If you download the ISO onto your Win 10 machine, double clicking on it will open the ISO. From there, double-clicking on setup.exe will launch the update.
[/edit] -
Accepted Answer
I don't think editing the hosts file will help as it won't resolve SRV records. Also, because of your zone record, dnsmasq probably ignores the hosts file and tries to hand off to the container. You need to get the domain resolving correctly. Double check the firewall rules, especially the last one in 11-docker-samba (it is probably better to use the longer complex form of the rule), the "server" record in your dnsmasq file, and that the bindings are working ("netstat -npl | grep :53)" where you should see dnsmasq binding to most interfaces and docker to the one virtual IP you set up. -
Accepted Answer
Nick Howitt wrote:
/etc/resolv-peerdns.conf should have been correct all along and refers to your upstream resolver.
The search domain was incorrect, as it pulled it must have from the DHCP server when I originally installed.
Nick Howitt wrote:
Have you checked you can resolve correctly the DC's FQDN both from inside and outside the container? Unfortunately for me, my set up has suddenly started resolving the DC's FQDN into 2 IP's, the container's internal and external IP. This has only been happening today, I think, or possibly yesterday after I did the domain join.
The DC FQDN was only resolving from inside the container. I manually added it to /etc/hosts outside of the container to match the /etc/hosts that was inside the container. Both resolve to the container's external IP.
Same error trying to connect though. I've been looking through as many log files as I can, but can't find any entry that is even remotely similar to the error message. Am I correct in assuming it's being generated by the Active Directory Connector app? -
Accepted Answer
/etc/resolv-peerdns.conf should have been correct all along and refers to your upstream resolver.
I have been concerned about DNS recursion because sometimes my load averages go have been going haywire. In order to break any possible circle, I've made the following changes from the docker run command:
1 - remove the line:
Manually you can comment out the "dns forwarder" lines in /var/clearos/samba/config/smb.conf. This will stop the Samba resolver resolving anything except domain FQDN's-e "DNSFORWARDER=172.22.22.1" \
2 - remove the first "--dns 172.22.22.2 \" line. This will stop the container resolving back into itself. It may be OK but I don't see it is needed. The other line is needed to set the external resolver for the container, I think, otherwise it falls back to the default external resolver (OpenDNS?)
Have you checked you can resolve correctly the DC's FQDN both from inside and outside the container? Unfortunately for me, my set up has suddenly started resolving the DC's FQDN into 2 IP's, the container's internal and external IP. This has only been happening today, I think, or possibly yesterday after I did the domain join.
Unfortunately I need to cut back the time I've been putting back into this, especially as my next step is possibly a full re-installation. -
Accepted Answer
Nick Howitt wrote:
@Cameron,
I think I have found the issue. Please make sure the Default Domain in Webconfig > Network > Settings > IP Settings is the same as the domain you are joining. Then /etc/resolv.conf and /etc/resolv-peerdns.conf get set as I'd expect.
I checked the webconfig IP settings page, but the domain was already set correctly, so /etc/resolv.conf is correct.
I manually edited /etc/resolv-peerdns.conf and restarted dnsmasq, but still getting the same error when trying to connect using the Active Directory Connector. -
Accepted Answer
@Cameron,
I think I have found the issue. Please make sure the Default Domain in Webconfig > Network > Settings > IP Settings is the same as the domain you are joining. Then /etc/resolv.conf and /etc/resolv-peerdns.conf get set as I'd expect.
Please can you post back with your findings and I'll update the HowTo.
[edit]
BTW, during yesterday I noticed a couple of typo's in the 11-docker-samba file. Lines should begin with "$IPTABLES" and not "iptables" when run from a firewall file. "iptables" should only be used from the command line. Depending on when you did your set up, you may or may not have picked up the corrected version.
[/edit] -
Accepted Answer
I am in discussion with the dev's now as I hit the same or a similar issue. Please can you check your /etc/resolv.conf. In an LDAP system it should show something like (from my production box):
After installing the AD connector on my test box, mine read:# Please do not edit this file.
# See http://www.clearcenter.com/support/documentation/clearos_guides/dns_and_resolver
domain howitts.co.uk
nameserver 127.0.0.1
For some reason dhclient-script has taken over it.; generated by /usr/sbin/dhclient-script
search howitts.co.uk test.lan
nameserver 172.17.2.1
Please let me know if you're in the same boat. You can fix it by changing the nameserver to 127.0.0.1 and restarting dnsmasq, but it reverts on every boot. -
Accepted Answer
I set up a new install using your ClearOS with Docker/Samba guide and it went well.
Docker is up and running, however I'm having trouble connecting the Active Directory Connector to it.
I'm getting the following:
Failed to join domain: failed to lookup DC info for domain 'DOMAIN' over rpc: {Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.
The system has plenty of RAM and HDD space available. Any suggestions? -
Accepted Answer
********************************************************************************************************************
* Note these instructions have now been transferred to the Knowledge base where they will be maintained. *
********************************************************************************************************************
HowTo set up ClearOS with Docker/Samba as an Active Directory Domain Controller
Note If you want to try this out you will need a Business version of ClearOS or you will have to purchase the Active Directory Connector.
If you follow this guide you should end up with a fully functioning Active Directory Domain Controller running in ClearOS. On a new installation of ClearOS you should be able to use the Active Directory Connector instead of OpenLDAP for you directory server. Dave Loper is working on a migration path for existing installations.
- Decide on a LAN IP for your Docker/Samba installation. This should be a fixed IP on your LAN, so outside if DHCP scope. My ClearOS LAN interface is 172.17.2.1/24 and I am going to use 172.17.2.2 for my Docker/Samba installation. Wherever you see 172.17.2.2 in this guide substitute it for your chosen LAN IP and 172.17.2.1 for your ClearOS LAN interface IP.
- In Webconfig > Network > Settings > IP Settings > Add Virtual button set up your Docker LAN IP as a virtual IP, attached your LAN interface with the same Netmask as your LAN. Note the name of the name if the interface it creates.
- Add a file /etc/sysconfig/network-scripts/ifcfg-docker0 and in it put:
- Note, if you're doing a fresh install with Community, do not install Windows Networking before you activate the AD Conector.
Change the ClearOS Samba port bindings to bind so it does not bind to the virtual interface. Edit /etc/samba/smb.conf and set: - Now we have to adjust a ClearOS routine which kills Winbind each time you visit the Users of Groups screen a while after you join the domain. The edits need to be made to /usr/clearos/apps/samba_common/libraries/Winbind.php. In the "// Classes" section, add a line:
and near the end of the file, change:clearos_load_library('base/Shell');
to$this->set_running_state(TRUE);$shell = new Shell();
$shell->Execute('/usr/bin/systemctl', 'start winbind', TRUE); - Add a guest user or Samba won't start
- Change the port bindings in dnsmasq not to bind on the virtual interface and, jumping ahead of ourselves set up a split DNS. Create a file /etc/dnsmasq.d/docker-samba (you can call it what you want as long as it is in this folder) and add the lines:
- Install app-docker, set it to start on boot and start it, then restart the firewall and dnsmasq:
- Now install the docker container from https://github.com/Fmstrat/samba-domain:
- Prep your data folders:
- Start your Docker/Samba container which will be called "samba":
- After a few seconds check the container is running with a:
- You now need to add some rules to the firewall. Create a file /etc/clearos/firewall.d/11-docker-samba (the name is unimportant but must begin with a number greater than 10) and in it put:
- Check that you can get the domain controller's IP address from ClearOS:
- Add an entry to the /etc/hosts file for the DC or you will fail to join the domain:
DEVICE=docker0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="none"
In the "interfaces" section, list all your normal LAN interfaces and possibly the tun interfaces and docker0 interface. If you do an "ifconfig" you'll see a full list from which to make your choice. Do not add the virtual interface. For the "socket address", just set it to one of your LAN interface IP's. this is a bit of a kludge.bind interfaces only = yes
interfaces = lo enp2s0f1
nmbd bind explicit broadcast = yes
socket address = 172.22.22.1
[edit]
Note that the Gateway Management/DNSThingy manager, dnsthingymgr, must not be running before you start the docker samba container as that also binds to udp:137 and will stop the docker samba container from starting. To disable it, disable Gateway Manager/DNSThingy. If they are already disabled, enable them and disable them again. Gateway Manager/DNSThingy can be started after docker/samba starts. Alternatively, for a permanent fix you can:
echo "disable-neighbour-discovery" > /etc/dnsthingy/dnsthingymgr.conf
or change the netbios ports in dnsthingymgr to something silly. In /etc/dnsthingy/dnsthingymgr.conf:
netbios-listen-port=54321
netbios-reply-port=54322
[/edit]
The forum formatting is playing tricks here. Both lines are needed, including the one in red (the forum has split the lines into two sections and made the second line red - there is nothing I can do about it
)
Then start smb, nmb and winbind.useradd -r guest
If smb won't start you may need to add a /var/samba/drivers folder manually:
mkdir /var/samba/drivers -p
enp2s0f1:0 is my virtual interface and howitts.local is my domain. Instead of "except-interfaces=" you can do "interfaces=" and list all your interfaces, including docker0. Restart dnsmasq with a:bind-dynamic
except-interface=enp2s0f1:0
server=/howitts.local/172.22.22.2systemctl restart dnsmasq.service
Note that if you already had docker installed and running, you'll need to restart it after creating your virtual interfaceyum install app-docker --enablerepo=clearos-updates
systemctl enable docker.service
systemctl start docker.service
systemctl restart firewall.service
systemctl restart dnsmasq.service
Also note that it is best to at least use app-docker v2.6.1 which is currently only available from clearos-updates so you may want to add the "--enablerepo-clearos-updates" to your yum command. The package has better firewall treatment.
Also note that Docker tries to choose a free /16 network for its docker0 interface. It may be worth at this point doing an "ifconfig" and checking it has chosen a subnet which does not clash with any of yours. It does not seem to spot VLAN subnets in use and can have other issues (mine, obscurely, is a VM running with natted interfaces on my desktop which has a local IP in the 172.17.2.0/24 subnet). If this is the case, see the "Configure the default bridge network" section of this doc and add a line between the braces:
in /etc/docker/daemon.json and restart the docker service and dnsmasq. Note that the IP address you use should be the IP address you want to give the docker0 interface, so 172.16.0.1/16 would give the docker interface an address of 172.16.0.1, and assign a /16 subnet to the interface. If you use 172.16.0.0/16, docker will not start as 172.16.0.0 is not a valid NIC IP. A /24 subnet should be big enough for just a domain controller docker container."bip": "your_manual_subnet"
docker pull nowsci/samba-domain
mkdir -p /var/clearos/samba/data
mkdir -p /var/clearos/samba/config
Notes:docker run -t -i -d \
-e "DOMAIN=HOWITTS.LOCAL" \
-e "DOMAINPASS=SomeC0mplexPassword" \
-e "DNSFORWARDER=172.22.22.1" \
-e "HOSTIP=172.22.22.2" \
-e "NOCOMPLEXITY=true" \
-p 172.22.22.2:53:53 \
-p 172.22.22.2:53:53/udp \
-p 172.22.22.2:88:88 \
-p 172.22.22.2:88:88/udp \
-p 172.22.22.2:135:135 \
-p 172.22.22.2:137-138:137-138/udp \
-p 172.22.22.2:139:139 \
-p 172.22.22.2:389:389 \
-p 172.22.22.2:389:389/udp \
-p 172.22.22.2:445:445 \
-p 172.22.22.2:464:464 \
-p 172.22.22.2:464:464/udp \
-p 172.22.22.2:636:636 \
-p 172.22.22.2:1024-1044:1024-1044 \
-p 172.22.22.2:3268-3269:3268-3269 \
-v /etc/localtime:/etc/localtime:ro \
-v /var/clearos/samba/data:/var/lib/samba \
-v /var/clearos/samba/config:/etc/samba/external \
--dns-search howitts.local \
--dns 172.22.22.2 \
--dns 172.22.22.1 \
--add-host localdc.howitts.local:172.22.22.2 \
-h localdc \
--name samba \
--privileged \
--restart unless-stopped \
nowsci/samba-domain
DOMAIN is the name of your domain. Best practice says to use a subdomain of your proper external domain which does not resolve externally. As an example, my proper domain is howitts.co.uk so a best practice AD domain could be ad.howitts.co.uk and not howitts.local as in my example. This domain name should also be the one you put into your /etc/dnsmasq.d/samba-domain.
Change all occurrences of howitts.local to your domain name.
I have set password complexity off but the start script only changes the settings after the administrator password is set so you must use a complex administrator password. You can leave complexity on by removing the "COMPLEXITY" line. You can also change the administrator password to something else (non-complex) later on. I am not sure what the restrictions are for complexity but I had to have at least one upper case character, one lower case character and a number. 16 mixed lower case and number characters did not work.
localdc is the name given to the domain controller (not very imaginative. I've just used their example for now)
Compared to the example, I've added "--restart unless-stopped \" to enable the container to start automatically when docker starts.
[edit]
It may be worth leaving out:
from the start up command. This will remove the ability of samba to resolve IP's externally, but is should not have to as the normal ClearOS dnsmasq DNS server looks after everything except domain lookups which must be handled by Docker/Samba. The container itself can still resolve externally because of the "--dns" lines.-e "DNSFORWARDER=172.22.22.1" \
I have noticed high loads at times and it may be because of DNS lookups going round and round between ClearOS/dnamasq and Docker/Samba.
[/edit]
If you have just a number of capitalised headers wrapped over a couple of lines, it is not running. You should see some output where you can match a lot of it to the start up command. If it fails, for me it was due to lack of password complexity and you'll see the error in /var/log/messages. If that is the case, the best thing to do is to do a:docker ps
Then remove everything in /var/clearos/samba/data and /var/clearos/samba/config and try again with a different password.docker rm samba
Then restart the firewall with a:if [ "$FW_PROTO" == "ipv4" ]; then true
DOCKER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "samba" 2>/dev/null)
if [ -z "$DOCKER_IP" ]; then
return
fi
$IPTABLES -I DOCKER ! -i docker0 -o docker0 -d $DOCKER_IP -j ACCEPT
$IPTABLES -A POSTROUTING -t nat -s $DOCKER_IP -d $DOCKER_IP -j MASQUERADE
$IPTABLES -A DOCKER -t nat ! -i docker0 -d 172.22.22.2 -j DNAT --to-destination $DOCKER_IP
fi
service firewall restart
This must resolve to the IP correctly (172.22.22.2 in my case) before you proceed to the next step as it checks if the DC is resolving names correctly.host localdc.howitts.local
Then, just to make sure the addition is used:172.22.22.2 localdc.howitts.local localdc
service dnsmasq restart
service nscd restart
At this point you should have a fully functioning AD Domain controller which will start every time ClearOS starts. You should be able to use the ClearOS Active Directory Connector to connect to it from a new ClearOS installation (instead of using the OpenLDAP Directory Server).
When joining ClearOS to the AD domain, I kept getting errors such as Accounts System is Offline, even though the join appeared to have worked. There is a troubleshooter here.
You can administer the domain using Microsoft's publicly available RSAT tool or the the Samba utility "samba-tool".
To use samba-tool you have to get to a command line within docker. To do this, you can issue the command:
Type "exit" to quit.docker exec -it samba /bin/bash
I suggest you use the docker command line to set up all the default groups you may need from Active Directory User Guide by doing:
samba-tool group add ftp_plugin
samba-tool group add imap_plugin
samba-tool group add openfire_plugin
samba-tool group add openvpn_plugin
samba-tool group add pptpd_plugin
samba-tool group add print_server_plugin
samba-tool group add smtp_plugin
samba-tool group add user_certificates_plugin
samba-tool group add web_proxy_plugin
Note The groups will show in RSAT but only show in the Webconfig when the relevant app is installed.
You can check password policies with:
and change them with commands like:samba-tool domain passwordsettings show
You were forced into setting a complex administrator password when initialising the docker container. You can change it here with:samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-length=4
and so on. RSAT may be the better tool to add users and add them to groups but that is down to you.samba-tool user setpassword administrator
Note that if you mess up you can blow everything away by doing a:
Then remove everything in /var/clearos/samba/data and /var/clearos/samba/config and starting again from step 9 (or step 8 if changing store locations).docker stop samba
docker rm samba
You can change some startup settings (I added "--restart unless-stopped \" much later), but only those related to the docker container and not to samba, just by doing:
then changing my "docker run" command but you can only change some things like that. Anything which as been written to the samba databases will not change (password complexity, the administrator password and so on)docker stop samba
docker rm samba
[edit]
If you run this on a production system it is **very strongly** recommended to regularly back up the contents of the two folders:
[/edit]/var/clearos/samba/data
/var/clearos/samba/config - Decide on a LAN IP for your Docker/Samba installation. This should be a fixed IP on your LAN, so outside if DHCP scope. My ClearOS LAN interface is 172.17.2.1/24 and I am going to use 172.17.2.2 for my Docker/Samba installation. Wherever you see 172.17.2.2 in this guide substitute it for your chosen LAN IP and 172.17.2.1 for your ClearOS LAN interface IP.
-
Accepted Answer
tomas wrote:
Hi
Anyone tried to share a printer on domain members running W10 1803 (1507 domain joined then upgraded to 1803)?.The client is visible, but can't be accessed most of the time...
I have managed to sort it out -> the client used static IP config (with WINS), I switched to DHCP and the client can be accessed now.
Update: it works if you are logged in on other clients with the same username e.g. "tom" on W10 1803 client sharing a printer and "tom" on another client accessing that client via "Network", it doesn't work if you login using different credentials e.g. "adam"..Ehh...
Update 2: So far I have manged to access that shared printer (and some test files shared by that client) only on 1 client (logged using the same user name), on any other clients I try I get "Windows cannot access \\client-name" message even when I login using that the same username; firewalls are disabled on both sides; I'm feeling silly now - how does one share a USB printer nowadays? It just doesn't seem to work - and it used to be just few clicks?
Update 3: Netlogon service was down on the sharing client -> starting and setting it to Automatic solved the issue. -
Accepted Answer
Hi
Anyone tried to share a printer on domain members running W10 1803 (1507 domain joined then upgraded to 1803)? I have one Zebra label printer connected to a client via USB and then shared to others.
I tried many things but couldn't get it to work reliably...3rd party firewall uninstalled, Windows firewall disabled and I get 95 times out of 100 "Could connect to \\client-name" message when accessed under Network. SMB1 added via Add/Remove Windows features....I have "Function Discovery Provider Host" and "Function Discovery Resource Publication" services enabled and set to Automatic (Delayed Start), but that for some reason doesn't solve the issue completely...The client is visible, but can't be accessed most of the time... -
Accepted Answer
Minor Update
To anyone following this, we are probably going to change docker containers to Fmstrat/samba-domain as it seems more geared to running as an AD Domain Controller. The other image mentioned earlier looks more suitable just for a NAS/File Server.
We've had a few issues to tackle and there is more info in https://docs.google.com/document/d/1-qH3pIcVKxO2Qf43jzfJV5LIPaqLkM7qGoWpmRxZBL8. The current ClearOS implementations of Samba and dnsmasq need to be changed to bind on specific interfaces or interface IP's. Details are in the doc and in issue trackers 20991 and 21001. For anyone using the Directory Server with Publish Policy = All Networks there is a further issue, but longer term may not be a required change as the AD Domain Controller will become the master LDAP server.
I've used the instructions in the container link to get the image starting up, but I've used different file locations. My start up command is:
As you can see, I have not given it a proper domain yet and it is unlikely I will want to use any DNS forwarder (both parameters set to 172.17.2.1) and instead, on a fresh installation, will set up an explicit subdomain for the AD DC and in the ClearOS set dnsmasq to forward queries for the domain only to Docker. Dnsmasq can handle the rest of the queries.docker run -t -i -d \
-e "DOMAIN=SAMDOM.LOCAL" \
-e "DOMAINPASS=SomeComplexPassword" \
-e "DNSFORWARDER=172.22.22.1" \
-e "HOSTIP=172.22.22.2" \
-p 172.22.22.2:53:53 \
-p 172.22.22.2:53:53/udp \
-p 172.22.22.2:88:88 \
-p 172.22.22.2:88:88/udp \
-p 172.22.22.2:135:135 \
-p 172.22.22.2:137-138:137-138/udp \
-p 172.22.22.2:139:139 \
-p 172.22.22.2:445:445 \
-p 172.22.22.2:464:464 \
-p 172.22.22.2:464:464/udp \
-p 172.22.22.2:636:636 \
-p 172.22.22.2:1024-1044:1024-1044 \
-p 172.22.22.2:3268-3269:3268-3269 \
-v /var/lib/docker/containers/samba/data:/var/lib/samba \
-v /var/lib/docker/containers/samba/config/samba:/etc/samba/external \
--dns-search samdom.local \
--dns 172.22.22.2 \
--dns 172.22.22.1 \
--add-host localdc.samdom.local:172.22.22.2 \
-h localdc \
--name samba \
--privileged \
nowsci/samba-domain
Dave is looking at how to implement this as a migration out of the current LDAP directory controller. -
Accepted Answer
@tomas,
It is currently quite easy to get hold of Win10 iso's, for example from here and I don't believe there is anything wrong in that. They can only be used if you have a licence. I'd suggest you get yourself a copy of 1703 and 1709, but remember in 1709 you will have to enable SMB1. There will be a bit less updating to do compared to the 15xx build.
Master/Slave is not going to work either because both are using NT4 domains. The solution is to use Samba as an AD Domain Controller. For the moment This has to be either on a standalone machine (because it will break various ClearOS functions) or on a docker image or VM in ClearOS. Once you have Samba AD running, you can change you ClearOS installation from using LDAP to using the AD Connector and join ClearOS to your AD Instance.
There are issues with these solutions:
- A migration path is needed to get the users and domain info out of ClearOS into Samba AD then switch off LDAP and switch on the AD Connector
- If Samba AD is hosted in docker or a VM in ClearOS, a number of bindings need to change in ClearOS. As an example, by default UDP port 53 (DNS) currently binds to all interfaces in ClearOS. Samba AD also needs to act as a DNS server for the domain. This means that dnsmasq (the ClearOS DNS forwarder) needs to be changed to just bind to the ClearOS LAN IP's and not to the docker/VM IP. The same goes for the Samba ports (UDP 137/8 and TCP 139/445). There may be other services affected by this as well (thinking LDAP when the policy is published globally)
- Other changes may be needed to the DNS set up to enable a split DNS.
We have been making some progress particularly with getting Samba to run in Docker with its own LAN IP. Dave. is working on the migration into Samba AD (Samba publish a guide and have some tools to help) on a separate machine and has ideas on how to get it into the Docker image -
Accepted Answer
Hi
Just started tracking this...We tried to join W10 1803 to our domain and got an error...Still have 15xx build .iso so will go with that for now, but future is uncertain....One day this possibly won't work anymore meaning after upgrading domain logons won't be possible...
How would any possible solutions work for paid 7.x customers using master server and slave server (PDC and BDC)? -
Accepted Answer
UPDATE:
Nick and I have found a method for doing the IP addressing on the docker image that might work. While I was working on other things inside the samba migration path, Nick was working on how to get the addressing compatible between ClearOS and the docker image. He hit a brick wall after exhausting some methods and even exhausting and proving that some of the items I thought might work were untenable. In the end, this left a limited set of options and I tried the stupid and simple one, which failed initially but then found that it would work with a restart of the docker daemon itself.
So with that daemon defeated, we are ready to put it together. The big thing that is left is the Samba Directory to Samba Directory artifacts migration. I've got a busy day today but will hit try and put some end to end testing together tonight and see if we can't come up with a comprehensive howto by the end of the weekend. -
Accepted Answer
That would require a highly customized docker. I'll look into whether or not this is possible to do the inline restore with existing docker images but I kind of doubt it. Typically those docker images are preloaded with "The NEW Install" paradigm. Essentially the following things have to happen on the 'staging' VM/image:
1) Validate that it has the samba and samba-dc packages in addition to the typical samba packages
2) Setup OpenLDAP (which you would want removed from your eventual docker image
3) Configure, import, and validate that it is running in a similar manner in order to be accessible by your current smb.ldap.conf
4) Run the samba-tool classic upgrade against the running slapd and flattened smb.conf.old config
When I did this I still ran into errors but my directory seems intact. But the fact that OpenLDAP is required for the migration is a big 'showstopper' for an elegant transition since you wouldn't want it at ALL running in your ideal endpoint. That being said, there is no need to torture everyone by making them jump through this hoop solo. The ideal thing to do here is to:
a) provide the VM via FTP to everyone to use with simple instructions.
b) provide individuals access to a hosted and snapshot version so that they can use the image like a time share.
c) provide individuals with a method in support where they simply send their configuration backups and we provide them with the outcomes.
d) provide individuals with the exact steps in the 'open source' model so they can do it all themselves if they so desire.
But the correct answer here is likely...
e) all of the above. Let them decide.
SIDE NOTES: I'm having trouble with the group import currently. I failed to import any group memberships even though it imported all the group names. The failure was with the 'flexshare' group name and I believe it fails because it is the same name as the flexshare users which is strictly prohibited. When I refine the steps, I'll contend with this and see if I get different results. Secondly, my workstation (previously joined to the old domain) can log in using cached credentials but cannot complete the login with another user ('no logon servers'). It can also use the RSAT tools to see the domain but since group membership import was broken, is not able to manipulate things.
For those of you following along at home, our evolving steps (distilling old, failed methods and current paradigms) are located here:
https://docs.google.com/document/d/1-qH3pIcVKxO2Qf43jzfJV5LIPaqLkM7qGoWpmRxZBL8
Lastly, the reason for Fedora and not ClearOS is because I cannot traverse Kerberos mismatch properly due to upstream inadequacies in support for DC mode for Samba Directory. The samba-tool, for example, doesn't exist properly which prompted me to go the Fedora route. -
Accepted Answer
Hi Dave,
As an alternative to the VM route, would it be possible to do an in-place migration of Samba to Samba Directory, back up the migrated Samba set up and restore it into docker then do a config restore of the original Samba? Higher risk in case your last restore fails.
Or, rather than use a Fedora VM, use a ClearOS VM or spare machine created by a config restore which will probably be much easier to set up initially. -
Accepted Answer
Hey,
I wanted to give you all an update of where we are with creating a workaround for the Samba/Windows 10 issue. One of the difficult barriers is the total lack of upstream mechanisms. There are various reasons for this but the short answer is that there isn't good support upstream for Samba Directory (which solves the issue totally). Redhat has their reasons for this but it may be until RHEL 8 that there is domain controller support upstream. For example, you can follow this guide:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)#LDAP
But you will get stuck with the fact that there isn't a samba-tool program in upstream which will require you to build Samba from source and then you will have a host of incompatibility problems. So that represents several development tracks that we have worked on and attempted. In the end, it isn't elegant.
My next attempts will focus on getting an existing directory to a docker container. The idea is this, since Samba Directory cannot be made to work well because of upstream, we will containerize the Samba Directory and then use the very stable AD Connector method. This means that that there are two development tracks...
1) The NEW install.
This install looks like this. Install ClearOS, fire up a docker image of a Samba Directory. Install the AD Connector module and connect it to the docker image. The dev that has to happen here is:
- Docker Samba Directory running on its OWN IP address
- If we can get this docker to work, it is preferred: (https://github.com/dperson/samba)
2) The migration
This is tricky. We want to end up in the same state as the 'NEW install' paradigm. To get there we have a full list of problems
- Exploring the migration of the domain off of ClearOS and then onto a Fedora VM with working Samba Directory
- From there either 1) create a way to backup the Samba Directory domain for use by the docker, or 2) join the docker image domain to the migrated domain then decommission the Fedora VM.
- Validate the domain
- Uninstall the DC from ClearOS and move to AD Connector.
If anyone wants to assist here. I will be focusing on the Samba elements so if you know docker and can point me to making the dperson image work on an alias LAN IP address in ClearOS, that would be very useful to me. -
Accepted Answer
Mansoor wrote:
I'm trying to access clearOS shares from Windows 10 but without success! The SMBv1 is enabled in Windows 10. The clearOS server is 7.5 beta and running Samba in "Simple Server" mode with "Windows 10 Domain Logons" disabled.
The server appears in the Windows file manager and in "nbtstat -A 192.168.0.1" output. When I double click on the server's icon, Windows asks for username and password. All usernames and passwords I enter are rejected! I tried to login with "winadmin" and with normal users, but always the same result.
EDIT: Just after posting this reply I was abel to login from Windows by entering "WORKGROUP\username" instead of just username
I've always found Win10 to be very picky. I use the same account name on the PC as in the server, but the PC has no password whereas the server has a strong one. Map Network Drive, connecting with different credentials was not reliable. I think a batch file with "net use" was better, but in the end I used the Credentials Manager to store the server credentials and this is 100% reliable. I also found that the drives would map on boot but stay in a disconnected state until you clicked on them. This was fine in a GUI environment but I used a batch file to do backups and if it tried to access the network drive it would not force a reconnect and the batch file failed. Trawling the internet I found a program which will automatically connect the drives using stored credentials which I run on boot.
At the end of the day the recommendation is to use the same credentials in the PC as in ClearOS, but I've never got round to testing it as the family works without logins to the PC's. -
Accepted Answer
I'm trying to access clearOS shares from Windows 10 but without success! The SMBv1 is enabled in Windows 10. The clearOS server is 7.5 beta and running Samba in "Simple Server" mode with "Windows 10 Domain Logons" disabled.
The server appears in the Windows file manager and in "nbtstat -A 192.168.0.1" output. When I double click on the server's icon, Windows asks for username and password. All usernames and passwords I enter are rejected! I tried to login with "winadmin" and with normal users, but always the same result.
EDIT: Just after posting this reply I was abel to login from Windows by entering "WORKGROUP\username" instead of just username -
Accepted Answer
One of my team got the following response from Support at Clearcenter today...
"We just had a Innovation conference in Toronto with the ClearOS development team there and the new direction that was decided is with a docker-based method for Samba directory. There are a couple of reasons for that; one of them being security isolation and the other is being able to partition the directory in a way that is more scalable. We will have further guidance by Monday, June 11."
Light at the end of the tunnel hopefully...... Dev's, how can we assist with this?....
Cheers..... Andy -
Accepted Answer
No word for the moment from the devs.
From what I've read, it would be more than just installing Samba 4. If Samba is running as AD Domain Controller it takes over LDAP completely and also insists on using its own DNS or BIND. This could mess with any programs using LDAP extensions. The DNS bit would mean changes to the Webconfig and I don't know how it would play with products like Gateway Management which are DNS based services. There is a Samba Directory (beta) app out there, but it is very much a beta and does not support a lot of apps. I think it also became a little unstable towards the end of last year as well. -
Accepted Answer
Hi Nick,
Thanks for the "heads-up" .... it saved me a lot of time this week when I ran into issues joining some new Windows 10 clients to one of my customers domains. Luckily, we were able to roll these back (remotely) to an earlier build (they'd been diligently updated prior to joining the domain), but this is going to be a major headache when PC's ship with an 1803 build pre-installed, and the only option will be to send someone to site to flatten and rebuild with a 1709 ISO.
Any word from the Dev's on moving forward with Samba 4 AD...... ?
Cheers.... Andy
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »