Aggiungere un Domain Controller in Samba: Difference between revisions
Jump to navigation
Jump to search
Created page with "<pre> apt install ntp apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind vi /etc/krb5.conf [libdefaults] default_realm = METRICA.PRIV dns_loo..." |
mNo edit summary |
||
| Line 1: | Line 1: | ||
<pre> | <pre> | ||
apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind | apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind | ||
| Line 34: | Line 32: | ||
systemctl unmask samba-ad-dc | systemctl unmask samba-ad-dc | ||
systemctl enable samba-ad-dc | systemctl enable samba-ad-dc | ||
samba-tool domain join metrica.priv DC -k yes | samba-tool domain join metrica.priv DC -k yes | ||
</pre> | </pre> | ||
Setup ID mapping: | |||
vi /etc/samba/smb.conf | |||
<pre> | |||
[global] | |||
dns forwarder = 192.168.1.254 | |||
idmap_ldb:use rfc2307 = yes | |||
template shell = /bin/bash | |||
winbind use default domain = true | |||
winbind offline logon = false | |||
winbind nss info = rfc2307 | |||
winbind enum users = yes | |||
winbind enum groups = yes | |||
</pre> | |||
systemctl restart samba-ad-dc | |||
* Setup Time sync | |||
apt install ntp | |||
vi /etc/ntp.conf | |||
pool metdc01.ad.metrica.it | |||
restrict source notrap nomodify noquery mssntp | |||
ntpsigndsocket /var/lib/samba/ntp_signd/ | |||
systemctl restart ntp | |||
ntpq -p | |||
**This method ensures GPO objects consistency across domain controllers, but has one huge drawback. It works only in one direction because rsync will transfer all changes from the source DC to the destination DC when synchronizing GPO directories. | |||
Objects which no longer exist on the source will be deleted from the destination as well. In order to limit and avoid any conflicts, all GPO edits should be made only on the first DC.** | |||
* To start the process of SysVol replication, first generate a SSH key on the first Samba AD DC and transfer the key to the second DC by issuing the below commands. | |||
ssh-keygen -t RSA | |||
ssh-copy-id root@metdc02.ad.metrica.it | |||
ssh root@metdc02.ad.metrica.it cat .ssh/authorized_keys | |||
rsync -XAavz --chmod=775 --delete-after --progress --stats \ | |||
/var/lib/samba/sysvol/ \ | |||
root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ \ | |||
--dry-run | |||
* If the simulation process works as expected, run the rsync command again without the --dry-run option in order to actually replicate GPO objects across your domain controllers. | |||
rsync -XAavz --chmod=775 --delete-after --progress --stats \ | |||
/var/lib/samba/sysvol/ \ | |||
root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ | |||
On second DC, verofy that GP policies are present: | |||
ls /var/lib/samba/sysvol/ad.metrica.it/Policies/ | |||
* | * Enable scheduled sync: | ||
<pre> | |||
cat > /etc/cron.d/samba-sysvol-replication <<EOFile | |||
*/5 * * * * root rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ > /var/log/samba/samba-sysvol-replication.log 2>&1 | |||
EOFile | |||
</pre> | |||
=Riferimenti= | =Riferimenti= | ||
| Line 52: | Line 111: | ||
*[https://howtoforge.com/tutorial/samba-4-additional-domain-controller-for-failover-replication-on-centos-7/ Samba 4 Additional Domain Controller for failover Replication on CentOS 7] | *[https://howtoforge.com/tutorial/samba-4-additional-domain-controller-for-failover-replication-on-centos-7/ Samba 4 Additional Domain Controller for failover Replication on CentOS 7] | ||
*[https://michlstechblog.info/blog/samba-join-an-additional-domain-controller-to-samba-active-directory/ Samba: Join an additional Domain Controller to Samba Active Directory] | *[https://michlstechblog.info/blog/samba-join-an-additional-domain-controller-to-samba-active-directory/ Samba: Join an additional Domain Controller to Samba Active Directory] | ||
*[https://www.tecmint.com/samba4-ad-dc-sysvol-replication/ Setup SysVol Replication Across Two Samba4 AD DC with Rsync - Part 6] | |||
*[https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround Rsync based SysVol replication workaround - SambaWiki] | |||
Revision as of 11:56, 28 October 2022
apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
vi /etc/krb5.conf
[libdefaults]
default_realm = METRICA.PRIV
dns_lookup_kdc = true
dns_lookup_realm=false
reboot
kinit administrator@METRICA.PRIV
klist
sudo systemctl stop smbd.service
sudo systemctl stop winbind.service
sudo systemctl stop nmbd.service
systemctl stop samba-ad-dc
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.original
ps ax | egrep "samba|smbd|nmbd|winbindd"
sudo smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
cd /var/run/samba && find . -type f \( -iname \*.tdb -o -iname \*.ldb \) -print -exec /bin/rm -f {} \;
cd /var/lib/samba && find . -type f \( -iname \*.tdb -o -iname \*.ldb \) -print -exec /bin/rm -f {} \;
cd /var/cache/samba && find . -type f \( -iname \*.tdb -o -iname \*.ldb \) -print -exec /bin/rm -f {} \;
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
samba-tool domain join metrica.priv DC -k yes
Setup ID mapping:
vi /etc/samba/smb.conf
[global] dns forwarder = 192.168.1.254 idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use default domain = true winbind offline logon = false winbind nss info = rfc2307 winbind enum users = yes winbind enum groups = yes
systemctl restart samba-ad-dc
- Setup Time sync
apt install ntp
vi /etc/ntp.conf
pool metdc01.ad.metrica.it restrict source notrap nomodify noquery mssntp ntpsigndsocket /var/lib/samba/ntp_signd/
systemctl restart ntp ntpq -p
- This method ensures GPO objects consistency across domain controllers, but has one huge drawback. It works only in one direction because rsync will transfer all changes from the source DC to the destination DC when synchronizing GPO directories.
Objects which no longer exist on the source will be deleted from the destination as well. In order to limit and avoid any conflicts, all GPO edits should be made only on the first DC.**
- To start the process of SysVol replication, first generate a SSH key on the first Samba AD DC and transfer the key to the second DC by issuing the below commands.
ssh-keygen -t RSA ssh-copy-id root@metdc02.ad.metrica.it ssh root@metdc02.ad.metrica.it cat .ssh/authorized_keys
rsync -XAavz --chmod=775 --delete-after --progress --stats \ /var/lib/samba/sysvol/ \ root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ \ --dry-run
- If the simulation process works as expected, run the rsync command again without the --dry-run option in order to actually replicate GPO objects across your domain controllers.
rsync -XAavz --chmod=775 --delete-after --progress --stats \ /var/lib/samba/sysvol/ \ root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/
On second DC, verofy that GP policies are present:
ls /var/lib/samba/sysvol/ad.metrica.it/Policies/
- Enable scheduled sync:
cat > /etc/cron.d/samba-sysvol-replication <<EOFile */5 * * * * root rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ > /var/log/samba/samba-sysvol-replication.log 2>&1 EOFile
Riferimenti
- Join an Additional Ubuntu DC to Samba4 AD DC for FailOver Replication - Part 5
- Joining a Samba DC to an Existing Active Directory - SambaWiki
- Installing and configuring a secondary Samba-AD on Debian — Samba-AD 4.16 documentation
- Samba 4 Additional Domain Controller for failover Replication on CentOS 7
- Samba: Join an additional Domain Controller to Samba Active Directory
- Setup SysVol Replication Across Two Samba4 AD DC with Rsync - Part 6