Discussion:
[PacketFence-users] generated chroot config for samba / krb5
lists
2017-05-08 11:20:21 UTC
Hi,

I would like to ask for some feedback on the generated samba configs in
the chroot in packetfence.

The generated smb.conf includes a "password server = dc.ad.company.com".
On the samba mailinglist, it's always recommended to use the auto
discovery (using DNS) to locate the DCs. This will make use of ALL DCs,
plus there's no need to edit the config file when you make changes to your
DCs.

The packetfence generated krb5.conf also does not seem to use
autodiscover, but the same specific DC again. Samba folks recommend
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
(note also the UPPERCASE realm)

(see https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member)

But perhaps packetfence has valid reasons to not use those recommended
settings..?

Our concern is: we have three DCs, and packetfence only uses one. We
would like to have failover for samba and krb, and use all DCs. How can
we enable that behaviour in a packetfence-friendly way?

MJ
lists
2017-05-10 06:55:46 UTC
Hi,

No reactions. Could anyone then please tell me how to make such
adjustments in our own installation, in a permanent way?

As in: we can edit .conf files in the chroot, but how can we make sure
they STAY the way we like them?

MJ
Thierry Laurion
2017-05-10 13:54:42 UTC
Hi MJ,

1- In PacketFence Admin, under domains configuration, clone your current
domain configuration.

2- Change the IP address of the Active Directory server to its DNS name.
Rejoin the domain from each PacketFence server.

3- Make sure that the DNS server in the configuration can resolve that
domain name. (If you need multiple DNS servers, this got introduced
recently: https://github.com/inverse-inc/packetfence/pull/2223/files)


The resulting configuration change:

/etc/krb5.conf:
[...]
[libdefaults]
default_realm = domainname.local

[...]


/chroots/domainname/etc/samba/domainname.conf

[...]

password server = domainname.local


Uppercase/Lowercase realm is not problematic.


Regards,
--
Thierry Laurion
***@inverse.ca :: +1.514.447.4918 *120 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu) and PacketFence (https://packetfence.org)
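An added config audit (not PacketFence code; the krb5.conf samples and host names are constructed) that parses a krb5.conf, reports why a layout pinned to one KDC cannot fail over as MJ describes, and lists the SRV names the DNS server in step 3 must be able to resolve once discovery is used:

```python
import re

# Constructed samples (hypothetical names): the pinned layout the thread starts from, then the DNS-discovery one.
PINNED_KRB5 = """[libdefaults]
default_realm = ad.company.com
dns_lookup_kdc = false
[realms]
ad.company.com = {
  kdc = dc.ad.company.com
}"""
DISCOVERED_KRB5 = """[libdefaults]
default_realm = AD.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = true"""

def parse_krb5(text):
    """Minimal krb5.conf parser -> {section: {key: [values]}}, with one level of { } nesting."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line.endswith("{"):  # start of a "REALM = {" block inside [realms]
            block = section.setdefault(line[:-1].rstrip(" =").strip(), {})
        elif line == "}":
            block = None
        else:  # "key = value"; keys may repeat (several kdc lines are allowed)
            key, _, value = line.partition("=")
            (block if block is not None else section).setdefault(key.strip(), []).append(value.strip())
    return conf

def audit_krb5(text):
    """Findings that explain why this krb5.conf cannot fail over between DCs."""
    conf = parse_krb5(text)
    ld = conf.get("libdefaults", {})
    realm = ld.get("default_realm", [""])[0]
    dns_kdc = ld.get("dns_lookup_kdc", ["false"])[0].lower() in ("true", "yes", "1")
    pinned = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    findings = []
    if not dns_kdc:
        findings.append("dns_lookup_kdc is not true: KDCs are not discovered from DNS SRV records")
        if len(pinned) == 1:
            findings.append(f"single pinned KDC {pinned[0]}: no failover if that DC is down")
    return findings

def srv_records(realm):
    """SRV names a DNS-discovery client queries; DNS is case-insensitive, so lowercase the realm."""
    return [p + realm.lower() for p in ("_kerberos._tcp.", "_kerberos._udp.", "_ldap._tcp.dc._msdcs.")]
```

Run `dig SRV` against each name from `srv_records()` from the PacketFence host to confirm all three DCs are published before switching the domain configuration over.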
mj
2017-05-11 09:40:54 UTC
Hi Thierry,

Thanks!

MJ