Collected config --- 2019-06-27-14:59
-----------
Hostname: DC3
DNS Domain: lthddom.lthd.com
FQDN: DC3.lthddom.lthd.com
ipaddress: 172.16.0.101
-----------
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
NAME=Fedora
VERSION="30 (Container Image)"
ID=fedora
VERSION_ID=30
VERSION_CODENAME=""
PLATFORM_ID="platform:f30"
PRETTY_NAME="Fedora 30 (Container Image)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:30"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f30/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=30
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=30
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Container Image"
VARIANT_ID=container
-----------
This computer is running an unknown distribution x86_64
-----------
running command : ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
44: eth0@if3: mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:10:00:65 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.0.101/16 brd 172.16.255.255 scope global eth0
-----------
Checking file: /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.16.0.71 DC1.lthddom.lthd.com DC1
172.16.0.72 DC2.lthddom.lthd.com DC2
172.16.0.101 DC3.lthddom.lthd.com DC3
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
search lthddom.lthd.com domain.lthd.com dev.lthddom.lthd.com dev.domain.lthd.com lthd.com
nameserver 172.16.0.101
nameserver 172.16.0.71
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = LTHDDOM.LTHD.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus                 Use NIS+ (NIS version 3)
# nis                     Use NIS (NIS version 2), also called YP
# dns                     Use DNS (Domain Name Service)
# files                   Use the local files
# db                      Use the local database (.db) files
# compat                  Use NIS on compat mode
# hesiod                  Use Hesiod for user lookups
# [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files winbind systemd
shadow:     files
group:      files winbind systemd

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
    workgroup = LTHDDOM
    realm = LTHDDOM.LTHD.COM
    netbios name = DC3
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = Yes
    tls enabled = Yes
    tls keyfile = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile = tls/ca.pem
    dsdb:schema update allowed = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    wins support = Yes
    preferred master = Yes
    invalid users = +"smb denyed users"
    vfs objects = acl_xattr dfs_samba4
    map acl inherit = Yes
    store dos attributes = Yes
    hide dot files = No
    host msdfs = Yes
    csc policy = disable
    ntlm auth = mschapv2-and-ntlmv2-only

[netlogon]
    path = /var/lib/samba/sysvol/lthddom.lthd.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[shares]
    path = /var/lib/samba/shares
    read only = No
    msdfs root = Yes
    browsable = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { any; };
    forwarders { 172.16.0.51; 172.16.0.50; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";

    auth-nxdomain no; # conform to RFC1035
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
    notify yes;
    also-notify { 172.16.0.50; 172.16.0.51; 172.16.0.15; };
    allow-transfer { 172.16.0.50; 172.16.0.51; 172.16.0.15; };
    masterfile-format text;
    notify-source 172.16.0.101;
    transfer-source 172.16.0.101;
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";
include "/etc/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
-----------
Samba DNS zone list:
  4 zone(s) found

  pszZoneName   : lthddom.lthd.com
  Flags         : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType      : DNS_ZONE_TYPE_PRIMARY
  Version       : 50
  dwDpFlags     : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn     : DomainDnsZones.lthddom.lthd.com

  pszZoneName   : dev.lthddom.lthd.com
  Flags         : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType      : DNS_ZONE_TYPE_PRIMARY
  Version       : 50
  dwDpFlags     : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn     : DomainDnsZones.lthddom.lthd.com

  pszZoneName   : vpn.lthddom.lthd.com
  Flags         : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType      : DNS_ZONE_TYPE_PRIMARY
  Version       : 50
  dwDpFlags     : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn     : DomainDnsZones.lthddom.lthd.com

  pszZoneName   : _msdcs.lthddom.lthd.com
  Flags         : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType      : DNS_ZONE_TYPE_PRIMARY
  Version       : 50
  dwDpFlags     : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn     : ForestDnsZones.lthddom.lthd.com

Samba DNS zone list Automated check :
zone : lthddom.lthd.com ok, no Bind flat-files found
-----------
zone : dev.lthddom.lthd.com ok, no Bind flat-files found
-----------
zone : vpn.lthddom.lthd.com ok, no Bind flat-files found
-----------
zone : _msdcs.lthddom.lthd.com ok, no Bind flat-files found
-----------
Installed packages:
acl.x86_64                           2.2.53-3.fc30          @anaconda
attr.x86_64                          2.4.48-5.fc30          @fedora
bind.x86_64                          32:9.11.6-5.P1.fc30    @updates
bind-dnssec-utils.x86_64             32:9.11.6-5.P1.fc30    @updates
bind-export-libs.x86_64              32:9.11.6-5.P1.fc30    @updates
bind-libs.x86_64                     32:9.11.6-5.P1.fc30    @updates
bind-libs-lite.x86_64                32:9.11.6-5.P1.fc30    @updates
bind-license.noarch                  32:9.11.6-5.P1.fc30    @updates
bind-utils.x86_64                    32:9.11.6-5.P1.fc30    @updates
bindfs.x86_64                        1.14.0-1.fc30          @updates
krb5-libs.x86_64                     1.17-14.fc30           @koji-override-0
krb5-server.x86_64                   1.17-14.fc30           @updates
krb5-workstation.x86_64              1.17-14.fc30           @updates
libacl.x86_64                        2.2.53-3.fc30          @anaconda
libattr.x86_64                       2.4.48-5.fc30          @anaconda
libsmbclient.x86_64                  2:4.10.4-1.fc30        @updates
python3-bind.noarch                  32:9.11.6-5.P1.fc30    @updates
python3-samba.x86_64                 2:4.10.4-1.fc30        @updates
python3-samba-dc.x86_64              2:4.10.4-1.fc30        @updates
samba.x86_64                         2:4.10.4-1.fc30        @updates
samba-client.x86_64                  2:4.10.4-1.fc30        @updates
samba-client-libs.x86_64             2:4.10.4-1.fc30        @updates
samba-common.noarch                  2:4.10.4-1.fc30        @updates
samba-common-libs.x86_64             2:4.10.4-1.fc30        @updates
samba-common-tools.x86_64            2:4.10.4-1.fc30        @updates
samba-dc.x86_64                      2:4.10.4-1.fc30        @updates
samba-dc-bind-dlz.x86_64             2:4.10.4-1.fc30        @updates
samba-dc-libs.x86_64                 2:4.10.4-1.fc30        @updates
samba-libs.x86_64                    2:4.10.4-1.fc30        @updates
samba-winbind.x86_64                 2:4.10.4-1.fc30        @updates
samba-winbind-clients.x86_64         2:4.10.4-1.fc30        @updates
samba-winbind-krb5-locator.x86_64    2:4.10.4-1.fc30        @updates
samba-winbind-modules.x86_64         2:4.10.4-1.fc30        @updates
-----------