Adding a Domain Controller in Samba: Difference between revisions

From RVM Wiki
Latest revision as of 09:51, 18 April 2024

Installing packages and joining the new DC to the domain

  • Install the packages:
apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
  • Configure Kerberos:
vi /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
  • Point DNS at an existing DC:
sudoedit /etc/resolv.conf
nameserver 192.168.1.111
  • Set the hostname:
sudoedit /etc/hosts
192.168.1.112  mydc02.example.com mydc02
  • Check the local hostname:
hostname -f
mydc02.example.com
  • Reboot:
sudo reboot
  • Test authentication:
kinit administrator@EXAMPLE.COM
klist
  • Stop all Samba services:
systemctl stop smbd.service
systemctl stop nmbd.service
systemctl stop winbind.service
systemctl stop samba-ad-dc.service
  • Check that none of them is still running:
ps ax | egrep "samba|smbd|nmbd|winbindd"
  • Rename the configuration file (at the path reported by smbd -b):
mv $(smbd -b | grep "CONFIGFILE" | tr -s ' ' | cut -f 3 --delimiter=' ') $(smbd -b | grep "CONFIGFILE" | tr -s ' ' | cut -f 3 --delimiter=' ').old
  • Check:
ls /etc/samba
  • Delete the old databases (the "|| continue" guards against running find in the wrong directory if a cd fails):
for DIR in $(smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | tr -s ' ' | cut -f 3 --delimiter=' '); do echo CLEANING $DIR; cd $DIR || continue; find . -name \*.tdb -exec /bin/rm -f '{}' \;; find . -name \*.ldb -exec /bin/rm -f '{}' \;; done
  • Enable the daemon:
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
  • Join the domain:
samba-tool domain join example.com DC -k yes
  • Use this host itself as DNS:
sudoedit /etc/resolv.conf
nameserver 192.168.1.112
  • Set up ID mapping:
vi /etc/samba/smb.conf
[global]
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
  • Install the Kerberos configuration generated by the join:
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
cat /etc/krb5.conf
  • Restart and enable the daemons:
systemctl disable smbd nmbd winbind
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
  • Force a DNS update:
samba_dnsupdate --use-samba-tool --verbose
  • Check that the new DC is listed in:
host example.com

Time sync configuration

  • Install chrony:
apt install chrony ntpdate --purge
  • Do a manual sync:
ntpdate -bu pool.ntp.org
  • Configure chrony by adding these lines:
vi /etc/chrony/chrony.conf
allow 192.168.0.0/24
ntpsigndsocket /var/lib/samba/ntp_signd
  • Set the permissions:
chown root:_chrony /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/
  • Enable and restart:
systemctl enable chrony
systemctl restart chrony
  • Check:
journalctl -u chrony.service -f

Sites

If there are DCs in other subnets (remote offices), use the Windows tool "Active Directory Sites and Services" to:

  • Define the Sites
  • Move the DCs into their respective Sites
  • Define the Subnets and associate them with their respective Sites
  • Then run on every DC:
samba_dnsupdate --use-samba-tool --verbose

Verification

  • Verify replication:
samba-tool drs showrepl
  • This warning is ok:
 Warning: No NC replicated for Connection!
  • Verify Kerberos authentication:
kinit administrator
klist
  • Set the domain for the tests:
export DOMAIN=example.com
  • Verify the DNS records of the DCs:
host $DOMAIN | sort
example.com has address 192.168.1.111
example.com has address 192.168.1.120
  • Verify the DNS records of the KDCs:
host -t SRV _kerberos._udp.$DOMAIN | sort
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc01.ad.metrica.it.
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc02.ad.metrica.it.
  • Verify the DNS records of the LDAP servers:
host -t SRV _ldap._tcp.$DOMAIN | sort
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc01.ad.metrica.it.
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc02.ad.metrica.it.
  • If DNS records are missing (see https://lists.samba.org/archive/samba-technical/2015-October/109959.html), try:
samba_dnsupdate --use-samba-tool --verbose
  • Verify user sync (create on one DC, check and delete on the other, check again on the first):
# metdc02
samba-tool user create test_user
# metdc01
samba-tool user list | grep test_user
samba-tool user delete test_user
# metdc02
samba-tool user list | grep test_user

DNS Config

  • Add mydc02 as secondary nameserver in the DHCP config

Setup SYSVOL sync

  • All GPO edits must be made only on the DC that owns the FSMO roles, and the sync script must run on that DC: rsync with --delete-after pushes in one direction only, and anything missing on the source is deleted on the destination as well.
  • Generate an SSH key on the first DC (the FSMO role owner) and copy it to the second DC:
ssh-keygen -t rsa
ssh-copy-id -i /root/.ssh/id_rsa.pub root@metdc02.ad.metrica.it
ssh root@metdc02.ad.metrica.it cat .ssh/authorized_keys
  • Install ldb-tools:
apt install ldb-tools
  • Create the sync script:
cat > /usr/local/sbin/samba-sysvol-sync <<'EOFile'
#!/bin/bash
# Push SYSVOL (GPOs) and idmap.ldb from the FSMO role owner to every other DC.
echo "Start sysvol sync"
# Check that this DC owns all 7 FSMO roles. Each owner is reported as an
# NTDS Settings DN containing the short host name, so match on `hostname -s`
# (the FQDN would never match and the script would always abort).
NUMBER=$(samba-tool fsmo show | grep -ic "CN=$(hostname -s),")
if [ "$NUMBER" -ne 7 ]
then
	echo "This is not the FSMO owner DC. Aborting sysvol replication" 1>&2
	exit 127
fi

# Get the Samba domain (the realm from smb.conf, lowercased)
DOMAIN=$(grep -i '^[[:space:]]*realm' /etc/samba/smb.conf | tr -d ' ' | cut -f 2 --delimiter='=' | tr '[:upper:]' '[:lower:]')
echo "DOMAIN is $DOMAIN"

# Get the list of the other DCs: computer objects with the SERVER_TRUST_ACCOUNT
# bit (8192) set in userAccountControl. Only "dn:" lines are parsed, which also
# drops the referral entries (CN=Configuration) returned by the query.
# https://serverfault.com/questions/432572/what-is-correct-objectclass-for-domain-controller-objects
DCS=$(ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' dn | grep '^dn: CN=' | cut -f 2 --delimiter='=' | cut -f 1 --delimiter=',' | tr '[:upper:]' '[:lower:]' | grep -vx "$(hostname -s | tr '[:upper:]' '[:lower:]')")

echo "DCs are:"
echo $DCS

echo "Resetting local sysvol ACL"
/usr/bin/samba-tool ntacl sysvolreset

# Back up idmap.ldb (creates idmap.ldb.bak) so the other DCs get identical ID mappings
echo "Backup idmap.ldb"
tdbbackup -s .bak /var/lib/samba/private/idmap.ldb

for DC in $DCS
do
	echo "Copy idmap.ldb.bak to ${DC}.${DOMAIN}"
	scp -q /var/lib/samba/private/idmap.ldb.bak ${DC}.${DOMAIN}:/var/lib/samba/private/idmap.ldb
	echo "Run net cache flush on ${DC}.${DOMAIN}"
	ssh ${DC}.${DOMAIN} /usr/bin/net cache flush
	echo "Syncing sysvol to ${DC}.${DOMAIN}"
	rsync -a --quiet --delete-after /var/lib/samba/sysvol/ ${DC}.${DOMAIN}:/var/lib/samba/sysvol/
	echo "Resetting sysvol acl on ${DC}.${DOMAIN}"
	ssh ${DC}.${DOMAIN} /usr/bin/samba-tool ntacl sysvolreset
done
echo "End of sysvol sync"
EOFile
chmod 755 /usr/local/sbin/samba-sysvol-sync
  • Run the script:
/usr/local/sbin/samba-sysvol-sync
  • On the second DC, verify that the Group Policies are present:
ls /var/lib/samba/sysvol/ad.metrica.it/Policies/
  • Enable the scheduled sync (every 5 minutes; stderr is redirected so the abort message also reaches the journal):
cat > /etc/cron.d/samba-sysvol-sync <<EOFile
*/5 * * * * root /usr/local/sbin/samba-sysvol-sync 2>&1 | systemd-cat -t samba-sysvol-sync
EOFile
  • To see what it logs:
journalctl -t samba-sysvol-sync -f
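The two decisions the sync script makes before touching anything (am I the FSMO owner, and which DCs do I push to) depend on parsing command output correctly. The following is an added example, not part of the wiki page: both parsing steps as functions that read the command output from stdin, run against constructed samples of samba-tool fsmo show and ldbsearch output (host names and site name are assumptions), so the short-name versus FQDN and referral-entry pitfalls can be checked offline.

```shell
#!/bin/sh
# Added example, not from the RVM Wiki page: the FSMO-owner check and the
# list of other DCs from the samba-sysvol-sync script above, as functions that
# read command output from stdin so they run offline on constructed samples.

# Count the FSMO roles owned by a DC in `samba-tool fsmo show` output. Each
# owner is an NTDS Settings DN containing "CN=<SHORT>,", so the short name
# is matched (case-insensitively); matching the FQDN would always give 0.
fsmo_roles_owned() {
    short=${1%%.*}
    grep -ic "CN=${short}," || true  # grep -c prints 0 but exits 1 on no match
}

# Succeed only if the DC holds all 7 FSMO roles (the script's "-ne 7" check).
is_fsmo_owner() {
    [ "$(fsmo_roles_owned "$1")" -eq 7 ]
}

# Print the lowercase short names of every DC except this one from the
# ldbsearch output. Only "dn:" lines are parsed, so referral entries
# ("ref: ldap://...") are ignored, and -x keeps "dc1" from hiding "dc10".
other_dcs() {
    self=$(printf '%s' "${1%%.*}" | tr '[:upper:]' '[:lower:]')
    sed -n 's/^dn: CN=\([^,]*\),.*/\1/p' \
        | tr '[:upper:]' '[:lower:]' | grep -vx "$self" | sort
}

# Constructed sample: `samba-tool fsmo show` where MYDC01 owns all 7 roles.
FSMO_SAMPLE=$(for r in Schema Infrastructure RidAllocation PdcEmulation \
                       DomainNaming DomainDnsZones ForestDnsZones; do
    printf '%sMasterRole owner: CN=NTDS Settings,CN=MYDC01,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com\n' "$r"
done)

# Constructed sample: ldbsearch output for DC computer objects plus a referral.
LDB_SAMPLE='dn: CN=MYDC01,OU=Domain Controllers,DC=example,DC=com

dn: CN=MYDC02,OU=Domain Controllers,DC=example,DC=com

# Referral
ref: ldap://example.com/CN=Configuration,DC=example,DC=com'

main() {
    host=mydc01.example.com
    if printf '%s\n' "$FSMO_SAMPLE" | is_fsmo_owner "$host"; then
        dcs=$(printf '%s\n' "$LDB_SAMPLE" | other_dcs "$host" | tr '\n' ' ')
        echo "$host owns all FSMO roles; DCs to sync: $dcs"
    else
        echo "$host is not the FSMO owner; skipping sysvol sync" >&2
    fi
}
main
```

Feeding the functions the real command output (samba-tool fsmo show | is_fsmo_owner "$(hostname)") gives the same checks the script performs, independent of whether hostname returns the short name or the FQDN.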

References