Adding a Domain Controller in Samba

From RVM Wiki
 
Latest revision as of 09:51, 18 April 2024

Installing packages and joining the new DC to the domain

  • Install packages:
apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
  • Configure Kerberos (the realm is the AD domain in upper case):
vi /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm=false
  • Use an existing DC as DNS server (the new host cannot resolve the domain's SRV records through an external resolver):
sudoedit /etc/resolv.conf
nameserver 192.168.1.111
  • Set the hostname (the FQDN must be the first name on the line, because hostname -f returns it):
sudoedit /etc/hosts
192.168.1.112  mydc02.example.com mydc02
  • Verify the local hostname:
hostname -f
mydc02.example.com
  • Reboot:
sudo reboot
  • Test authentication against the existing DC:
kinit administrator@EXAMPLE.COM
klist
  • Stop all Samba services:
systemctl stop smbd.service 
systemctl stop nmbd.service 
systemctl stop winbind.service 
systemctl stop samba-ad-dc.service 
  • Verify that nothing is left running:
ps ax | grep -E "samba|smbd|nmbd|winbindd"
  • Rename the existing configuration file:
CONF=$(smbd -b | awk '/CONFIGFILE/ {print $2}')
mv "$CONF" "$CONF.old"
  • Verify:
ls /etc/samba
  • Delete the old databases (this wipes every local Samba database, so only do it on a host that is not yet a member or DC of any domain):
for DIR in $(smbd -b | grep -E "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | awk '{print $2}'); do
    echo "CLEANING $DIR"
    find "$DIR" -name '*.tdb' -delete
    find "$DIR" -name '*.ldb' -delete
done
  • Enable the daemon:
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
  • Join the domain as a DC (-k yes uses the Kerberos ticket obtained above):
samba-tool domain join example.com DC -k yes
  • Make the DC its own DNS server:
sudoedit /etc/resolv.conf
nameserver 192.168.1.112
  • Set up ID mapping (add to the [global] section; point dns forwarder at a resolver you trust, 8.8.8.8 is only an example; winbind enum users/groups = yes is handy while testing but slow on large directories):
vi /etc/samba/smb.conf
[global]
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
  • Install the Kerberos configuration generated by the join:
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
cat /etc/krb5.conf
  • Restart and enable daemons (on an AD DC the samba process starts smbd and winbindd itself, so the stand-alone units must stay disabled):
systemctl disable smbd nmbd winbind
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
  • Force a DNS update:
samba_dnsupdate --use-samba-tool --verbose
  • Verify that the new DC is listed among the domain's addresses:
host example.com
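The steps above are easy to get subtly wrong: a short name listed before the FQDN in /etc/hosts, a lower-case realm in krb5.conf, or a resolv.conf that still points at an external resolver all produce a join that fails or registers the wrong names. The following pre-join check script is an added example, not part of the wiki page or of Samba; each check is a function that returns 0 on success, so the same checks run on the live files (via preflight) or on constructed ones. The values are the page's example values (mydc02.example.com, 192.168.1.112, EXAMPLE.COM, existing DC 192.168.1.111); the check names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-join checks for the host that is about to
# become an additional Samba AD DC. Run as root:  preflight FQDN IP REALM EXISTING_DC_IP
# Example values assumed from the page: mydc02.example.com 192.168.1.112 EXAMPLE.COM 192.168.1.111

# hosts_fqdn_first HOSTS_FILE IP FQDN
# "hostname -f" returns the FIRST name listed for the host's IP. With "IP short fqdn" it returns
# the short name and the join registers wrong DNS names and SPNs, so the FQDN must come first.
hosts_fqdn_first() {
    awk -v ip="$2" -v fqdn="$3" '
        $1 == ip { found = 1; if ($2 == fqdn) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }' "$1"
}

# krb5_realm_ok KRB5_CONF REALM : default_realm must be REALM, written in upper case
krb5_realm_ok() {
    realm=$(awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
    [ -n "$realm" ] && [ "$realm" = "$2" ] &&
        [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# resolv_points_to RESOLV_CONF IP : the first nameserver must be an existing DC, not the new host
# (it has no zone yet) and not an external resolver (it cannot answer the _ldap/_kerberos SRV queries)
resolv_points_to() {
    [ "$(awk '$1 == "nameserver" { print $2; exit }' "$1")" = "$2" ]
}

# srv_resolvable DNS_DOMAIN : the domain's LDAP SRV record must resolve from this host (live DNS)
srv_resolvable() {
    host -t SRV "_ldap._tcp.$1" | grep -q 'has SRV record'
}

# no_samba_running : every old Samba daemon must be stopped before the databases are wiped
no_samba_running() {
    ! ps -eo comm= | grep -Exq 'samba|smbd|nmbd|winbindd'
}

# run LABEL CMD... : print ok/FAIL for one check and remember the failure in rc
run() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi
}

# preflight FQDN IP REALM EXISTING_DC_IP : run every check against the live system
preflight() {
    rc=0
    run "/etc/hosts lists $1 first for $2"      hosts_fqdn_first /etc/hosts "$2" "$1"
    run "hostname -f is $1"                      test "$(hostname -f)" = "$1"
    run "/etc/krb5.conf default_realm is $3"     krb5_realm_ok /etc/krb5.conf "$3"
    run "/etc/resolv.conf uses existing DC $4"   resolv_points_to /etc/resolv.conf "$4"
    run "_ldap._tcp SRV record resolves"         srv_resolvable "$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')"
    run "no samba/smbd/nmbd/winbindd running"    no_samba_running
    return $rc
}

# e.g.  preflight mydc02.example.com 192.168.1.112 EXAMPLE.COM 192.168.1.111
if [ $# -eq 4 ]; then preflight "$@"; fi
```

Run it with the four values before "Delete the old databases"; a FAIL line names the file to fix, and the wipe-and-join should not proceed until every check prints ok.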

Time Sync Configuration

  • Install chrony (removing ntp and its configuration):
apt install chrony ntpdate --purge
  • Do a one-off manual sync:
ntpdate -bu pool.ntp.org
  • Configure chrony by adding these lines (allow must cover the subnets of the domain members, here 192.168.1.0/24; ntpsigndsocket lets chrony hand the MS-SNTP signed replies that Windows clients request from a DC):
vi /etc/chrony/chrony.conf
allow 192.168.1.0/24
ntpsigndsocket /var/lib/samba/ntp_signd
  • Set permissions so that the chrony user can reach the signing socket:
chown root:_chrony /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/
  • Enable and restart:
systemctl enable chrony
systemctl restart chrony
  • Verify:
journalctl -u chrony.service -f

Sites

If there are DCs in other subnets (remote sites), use the Windows "Active Directory Sites and Services" tool to:

  • Define the sites
  • Move the DCs into their sites
  • Define the subnets and associate them with their sites
  • Then run on every DC:
samba_dnsupdate --use-samba-tool --verbose

Checks

  • Verify replication:
samba-tool drs showrepl
  • This warning is ok:
 Warning: No NC replicated for Connection!
  • Verify Kerberos authentication:
kinit administrator
klist
  • Set the domain for the tests:
export DOMAIN=example.com
  • Verify DNS records of the DCs (every DC must appear; in the example output the existing DC is mydc01 at 192.168.1.111 and the new one is mydc02 at 192.168.1.112):
host $DOMAIN | sort
example.com has address 192.168.1.111
example.com has address 192.168.1.112
  • Verify DNS records of the KDCs:
host -t SRV _kerberos._udp.$DOMAIN | sort
_kerberos._udp.example.com has SRV record 0 100 88 mydc01.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 mydc02.example.com.
  • Verify DNS records of the LDAP servers:
host -t SRV _ldap._tcp.$DOMAIN | sort
_ldap._tcp.example.com has SRV record 0 100 389 mydc01.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 mydc02.example.com.
  • If records are missing, force a DNS update on the DC that is missing and check again:
samba_dnsupdate --use-samba-tool --verbose
  • Verify user sync (a user created on one DC must show up on the other, and its deletion must replicate back):
# on mydc02
samba-tool user create test_user
# on mydc01
samba-tool user list | grep test_user
samba-tool user delete test_user
# on mydc02
samba-tool user list | grep test_user
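The DNS checks above are done by eye, one record type at a time. As an added example (not from the wiki page, not part of Samba) the same checks as one script that covers every DC and every SRV type a DC registers, and exits non-zero when a record is missing, which is exactly the case samba_dnsupdate fixes. Parsing of the host output is kept in separate functions so it can be exercised on captured output; the two sample outputs are constructed, and mydc01.example.com / mydc02.example.com are the page's example DCs.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the DNS records of all DCs after a join.
# Live use:  ./dc-dns-check example.com mydc01.example.com mydc02.example.com
# Without arguments it runs an offline demonstration on constructed "host" output.

# srv_targets : read "host -t SRV ..." output, print the target hosts without the trailing dot, sorted
srv_targets() {
    awk '/has SRV record/ { t = $NF; sub(/\.$/, "", t); print t }' | sort -u
}

# a_addresses : read "host <name>" output, print its IPv4 addresses, sorted
a_addresses() {
    awk '/has address/ { print $NF }' | sort -u
}

# missing_names EXPECTED... : stdin = names found (one per line); print the expected names that
# are absent and return 1 if there is any
missing_names() {
    found=$(cat)
    miss_rc=0
    for n in "$@"; do
        if ! printf '%s\n' "$found" | grep -Fqx "$n"; then
            echo "$n"
            miss_rc=1
        fi
    done
    return $miss_rc
}

# check_dc_dns DOMAIN DC_FQDN... : live check that every DC has an A record behind the domain
# name and is a target of the Kerberos and LDAP SRV records used by clients and the DC locator
check_dc_dns() {
    domain=$1; shift
    rc=0
    for dc in "$@"; do
        ip=$(host "$dc" | a_addresses | head -n 1)
        if [ -z "$ip" ] || ! host "$domain" | a_addresses | grep -Fqx "$ip"; then
            echo "MISSING: $domain has no A record for $dc (${ip:-unresolvable})"
            rc=1
        fi
    done
    for svc in _kerberos._udp _kerberos._tcp _ldap._tcp _ldap._tcp.dc._msdcs; do
        if ! miss=$(host -t SRV "$svc.$domain" | srv_targets | missing_names "$@"); then
            echo "MISSING: SRV $svc.$domain has no entry for: $(printf '%s ' $miss)"
            rc=1
        fi
    done
    if [ $rc -ne 0 ]; then
        echo "run 'samba_dnsupdate --use-samba-tool --verbose' on the DC whose records are missing, then re-check" >&2
    fi
    return $rc
}

# Constructed "host -t SRV _ldap._tcp.example.com" output: right after the join, before the new
# DC has registered itself (PARTIAL), and after samba_dnsupdate has run (FULL)
SAMPLE_SRV_PARTIAL='_ldap._tcp.example.com has SRV record 0 100 389 mydc01.example.com.'
SAMPLE_SRV_FULL='_ldap._tcp.example.com has SRV record 0 100 389 mydc01.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 mydc02.example.com.'

if [ $# -ge 2 ]; then
    check_dc_dns "$@"
else
    echo "offline demo on constructed output:"
    if ! printf '%s\n' "$SAMPLE_SRV_PARTIAL" | srv_targets | missing_names mydc01.example.com mydc02.example.com; then
        echo "  ^ missing right after the join: samba_dnsupdate on that DC adds it"
    fi
    if printf '%s\n' "$SAMPLE_SRV_FULL" | srv_targets | missing_names mydc01.example.com mydc02.example.com; then
        echo "  after the update every DC is present"
    fi
fi
```

Run it from any domain member against the DC you are verifying (set /etc/resolv.conf to that DC first), and again after samba_dnsupdate; the exit status makes it usable from a monitoring check as well.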

DNS Config

  • Add mydc02 as a secondary nameserver in the DHCP configuration

Setup SYSVOL Sync

  • All GPO edits must be made only on the DC that owns the FSMO roles, and the sync script must run on that DC: replication is one-way (rsync with --delete-after), so anything edited on another DC is overwritten at the next run.
  • See also: https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_tis_sysvolsync.html#samba-tis-sysvolsync (Synchronizing SYSVOLs between multiple domain controllers)
  • Generate an SSH key on the FSMO-owner DC and copy it to every other DC (an Ed25519 key here; the page originally used RSA, either works). This grants the FSMO owner root access to all DCs, so protect the private key accordingly:
ssh-keygen -t ed25519
ssh-copy-id -i /root/.ssh/id_ed25519.pub root@mydc02.example.com
ssh root@mydc02.example.com cat .ssh/authorized_keys
  • Install ldb-tools:
apt install ldb-tools
  • Create the sync script:
cat > /usr/local/sbin/samba-sysvol-sync <<'EOFile'
#!/bin/bash
# One-way SYSVOL (and idmap.ldb) replication from the FSMO-owner DC to every other DC.
# Safe to install on every DC: it exits at once on a DC that does not own all the FSMO roles.
echo "Start sysvol sync"

# This host must own all 7 FSMO roles. samba-tool prints one line per role of the form
# "<Role> owner: CN=NTDS Settings,CN=<dc>,CN=Servers,...", so match "CN=<hostname>," exactly
# (a plain substring grep would also count DCs whose name contains this host's name).
NUMBER=$(samba-tool fsmo show | grep -ic "CN=$(hostname),")
if [ "$NUMBER" -ne 7 ]
then
	echo "This is not the FSMO owner DC. Aborting sysvol replication" 1>&2
	exit 127
fi

# DNS domain, taken from the realm in smb.conf
DOMAIN=$(grep -i '^[[:space:]]*realm[[:space:]]*=' /etc/samba/smb.conf | tr -d ' \t' | cut -d '=' -f 2 | tr '[:upper:]' '[:lower:]')
echo "DOMAIN is $DOMAIN"

# Short names of all other DCs: computer objects with SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl
DCS=$(ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' dn \
      | grep '^dn: CN=' | cut -d '=' -f 2 | cut -d ',' -f 1 | tr '[:upper:]' '[:lower:]' \
      | grep -vx "$(hostname | tr '[:upper:]' '[:lower:]')")
# https://serverfault.com/questions/432572/what-is-correct-objectclass-for-domain-controller-objects

echo "DCs are:"
echo $DCS

echo "Resetting local sysvol ACL"
/usr/bin/samba-tool ntacl sysvolreset

# Back up idmap.ldb: every other DC receives a copy, so the same SIDs map to the same UIDs/GIDs everywhere
echo "Backup idmap.ldb"
tdbbackup -s .bak /var/lib/samba/private/idmap.ldb

for DC in $DCS
do
	echo "Copy idmap.ldb.bak to ${DC}.${DOMAIN}"
	scp -q /var/lib/samba/private/idmap.ldb.bak "${DC}.${DOMAIN}:/var/lib/samba/private/idmap.ldb"
	echo "Run net cache flush on ${DC}.${DOMAIN}"
	ssh "${DC}.${DOMAIN}" /usr/bin/net cache flush
	echo "Syncing sysvol to ${DC}.${DOMAIN}"
	# --delete-after turns the remote into a mirror: anything edited on that DC is lost
	rsync -a --quiet --delete-after /var/lib/samba/sysvol/ "${DC}.${DOMAIN}:/var/lib/samba/sysvol/"
	echo "Resetting sysvol acl on ${DC}.${DOMAIN}"
	# rsync -a does not carry the NT ACL xattrs, so rebuild them from AD on the remote DC
	ssh "${DC}.${DOMAIN}" /usr/bin/samba-tool ntacl sysvolreset
done
echo "End of sysvol sync"
EOFile
chmod 755 /usr/local/sbin/samba-sysvol-sync
  • Run the script:
/usr/local/sbin/samba-sysvol-sync
  • On the second DC, verify that the GPOs are present:
ls /var/lib/samba/sysvol/example.com/Policies/
  • Enable the scheduled sync (stderr is redirected as well, so failures reach the journal):
cat > /etc/cron.d/samba-sysvol-sync <<EOFile
*/5 * * * * root /usr/local/sbin/samba-sysvol-sync 2>&1 | systemd-cat -t samba-sysvol-sync
EOFile
  • To follow what it logs:
journalctl -t samba-sysvol-sync -f
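The ls above only shows that the policy folders exist. What Windows clients actually compare is the Version= in each GPO's GPT.INI against the versionNumber of the matching groupPolicyContainer in AD; a DC whose sysvol lags behind AD replication (a sync that failed, or a GPO edited on the wrong DC) serves stale policy with no error on the DC itself. The check below is an added example, not the wiki's script and not part of Samba: it reads the GPO versions from the local sam.ldb with ldbsearch, reads GPT.INI from sysvol, and reports every GPO missing on either side or differing in version. It assumes the sysvol path /var/lib/samba/sysvol/example.com/Policies; the sample ldbsearch output and the GPT.INI files in the demo are constructed (the first two GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy GUIDs, the third is made up).

```shell
#!/bin/sh
# Added example (not from the wiki page): check that each GPO's GPT.INI version in sysvol
# matches the versionNumber stored in AD on this DC.
# Live use (as root on the DC):  ./gpo-check --live [/var/lib/samba/sysvol/<domain>/Policies]
# Without arguments it runs on constructed data.

# gpt_version FILE : print Version= from a GPT.INI. Windows writes CRLF line endings and the key
# case may vary, so strip \r and compare case-insensitively. Prints -1 if the key is absent.
gpt_version() {
    tr -d '\r' < "$1" | awk -F= '
        tolower($1) == "version" { v = $2; found = 1 }
        END { print (found ? v : -1) }'
}

# sysvol_gpo_versions POLICIES_DIR : "<guid> <version>" for every {GUID} folder, sorted
sysvol_gpo_versions() {
    for d in "$1"/\{*\}; do
        [ -d "$d" ] || continue
        ini=$(find "$d" -maxdepth 1 -iname gpt.ini | head -n 1)
        if [ -n "$ini" ]; then printf '%s %s\n' "$(basename "$d")" "$(gpt_version "$ini")"
        else printf '%s -1\n' "$(basename "$d")"; fi     # folder replicated without its GPT.INI
    done | sort
}

# parse_ldb_gpo_versions : ldbsearch records (cn / versionNumber attributes) -> "<guid> <version>"
parse_ldb_gpo_versions() {
    awk '
        /^cn: /            { cn = $2 }
        /^versionNumber: / { ver = $2 }
        /^$/ && cn != ""   { print cn, ver + 0; cn = ""; ver = "" }
        END { if (cn != "") print cn, ver + 0 }' | sort
}

# gpo_mismatches POLICIES_DIR : stdin = AD "<guid> <version>" pairs; print one line per GPO that is
# missing on either side or differs in version; exit 0 only when everything matches
gpo_mismatches() {
    ad=$(cat)
    sv=$(sysvol_gpo_versions "$1")
    printf '%s\n' "$ad" "$sv" | awk -v n_ad="$(printf '%s\n' "$ad" | grep -c .)" '
        NR <= n_ad { adv[$1] = $2; next }
        NF         { svv[$1] = $2 }
        END {
            bad = 0
            for (g in adv) {
                if (!(g in svv))           { print g " in AD (v" adv[g] ") but missing from sysvol"; bad = 1 }
                else if (adv[g] != svv[g]) { print g " version mismatch: AD=" adv[g] " sysvol=" svv[g]; bad = 1 }
            }
            for (g in svv) if (!(g in adv)) { print g " in sysvol but not in AD (stale folder)"; bad = 1 }
            exit bad
        }'
}

# gpo_consistency_check [POLICIES_DIR] : live comparison of the local sam.ldb with the local sysvol
gpo_consistency_check() {
    ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=groupPolicyContainer)' cn versionNumber |
        parse_ldb_gpo_versions | gpo_mismatches "${1:-/var/lib/samba/sysvol/example.com/Policies}"
}

# mk_gpt POLICIES_DIR GUID VERSION : write a GPT.INI the way Windows does (CRLF, [General] section)
mk_gpt() {
    mkdir -p "$1/$2"
    printf '[General]\r\nVersion=%s\r\ndisplayName=New Group Policy Object\r\n' "$3" > "$1/$2/GPT.INI"
}

# Constructed ldbsearch output: two default GPOs plus one (made-up GUID) that AD has at version 4
SAMPLE_LDB='# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
versionNumber: 65539

# record 2
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
versionNumber: 65537

# record 3
dn: CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=com
cn: {11111111-2222-3333-4444-555555555555}
versionNumber: 4

# returned 3 records'

if [ "${1:-}" = "--live" ]; then
    gpo_consistency_check "${2:-}"
else
    DEMO=$(mktemp -d)
    mk_gpt "$DEMO" '{31B2F340-016D-11D2-945F-00C04FB984F9}' 65539
    mk_gpt "$DEMO" '{6AC1786C-016F-11D2-945F-00C04FB984F9}' 65537
    mk_gpt "$DEMO" '{11111111-2222-3333-4444-555555555555}' 3    # sysvol behind: AD is at 4
    if ! printf '%s\n' "$SAMPLE_LDB" | parse_ldb_gpo_versions | gpo_mismatches "$DEMO"; then
        echo "sysvol is not consistent with AD: re-run samba-sysvol-sync and check again"
    fi
    rm -rf "$DEMO"
fi
```

Run it with --live on every DC after the first sync and whenever a GPO change does not seem to apply; a mismatch on a non-owner DC means the sync has not caught up (or the GPO was edited there), a mismatch on the FSMO owner means the edit in AD and the sysvol write did not both complete.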

References