Adding a Domain Controller in Samba: Difference between revisions

From RVM Wiki
mNo edit summary
Line 152: Line 152:
=Setup Time sync=
=Setup Time sync=


  apt install ntp
  sudo apt install ntp


  vi /etc/ntp.conf
  sudoedit /etc/ntp.conf


  pool metdc01.ad.metrica.it
  pool metdc01.ad.metrica.it
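Review bot: the `pool metdc01.ad.metrica.it` line is unchanged on both sides, so the new DC keeps a single time source; if metdc01 is unreachable the second DC drifts, and Kerberos tolerates only a small clock skew between clients and DCs. Consider a second `pool` entry or a sentence stating the dependency on metdc01. The `apt install` to `sudo apt install` and `vi` to `sudoedit` changes are fine.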
Line 160: Line 160:
  ntpsigndsocket /var/lib/samba/ntp_signd/
  ntpsigndsocket /var/lib/samba/ntp_signd/


  systemctl restart ntp
  sudo systemctl restart ntp
  ntpq -p
  ntpq -p


**This method ensures GPO objects consistency across domain controllers, but has one huge drawback. It works only in one direction because rsync will transfer all changes from the source DC to the destination DC when synchronizing GPO directories.
=Setup SYSVOL Sync=


Objects which no longer exist on the source will be deleted from the destination as well. In order to limit and avoid any conflicts, all GPO edits should be made only on the first DC.**
 
*This method ensures GPO objects consistency across domain controllers, but has one huge drawback. It works only in one direction because rsync will transfer all changes from the source DC to the destination DC when synchronizing GPO directories.
 
* Objects which no longer exist on the source will be deleted from the destination as well. In order to limit and avoid any conflicts, all GPO edits should be made only on the first DC.


* To start the process of SysVol replication, first generate a SSH key on the first Samba AD DC and transfer the key to the second DC by issuing the below commands.
* To start the process of SysVol replication, first generate a SSH key on the first Samba AD DC and transfer the key to the second DC by issuing the below commands.
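Review bot: the old side wrapped the two sentences in `**...**`, which MediaWiki does not render as bold (bold is `'''...'''`), and the `=Setup SYSVOL Sync=` heading sat between the two halves of that paragraph; the new side moving the heading above the text and turning each sentence into its own `*` bullet is the right fix. The `ntpsigndsocket /var/lib/samba/ntp_signd/` context line is untouched.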
Line 184: Line 187:
     root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/
     root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/


On second DC, verofy that GP policies are present:
* On second DC, verofy that GP policies are present:


  ls /var/lib/samba/sysvol/ad.metrica.it/Policies/
  ls /var/lib/samba/sysvol/ad.metrica.it/Policies/
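Review bot: `verofy` in `* On second DC, verofy that GP policies are present:` is a typo carried over unchanged from the old side; change it to `verify` while this line is being edited.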
Line 192: Line 195:
<pre>
<pre>
cat > /etc/cron.d/samba-sysvol-replication <<EOFile
cat > /etc/cron.d/samba-sysvol-replication <<EOFile
*/5 * * * * root rsync -XAavz --chmod=775 --delete-after  --progress --stats  /var/lib/samba/sysvol/ root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ > /var/log/samba/samba-sysvol-replication.log 2>&1
*/5 * * * * root rsync -XAavz --chmod=775 --delete-after  --progress --stats  /var/lib/samba/sysvol/ root@gapsrv03.ad.gapartners.eu:/var/lib/samba/sysvol/ > /var/log/samba/samba-sysvol-replication.log 2>&1
EOFile
EOFile
</pre>
</pre>
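Review bot: the cron destination changes from `root@metdc02.ad.metrica.it` to `root@gapsrv03.ad.gapartners.eu`, a host in a different domain, while the manual rsync in the previous hunk still targets `metdc02.ad.metrica.it`; because the job runs with `--delete-after`, pointing it at the wrong host removes everything under that host's sysvol which the source does not have, so the destination should match the DC being joined on this page. Also `> /var/log/samba/samba-sysvol-replication.log` overwrites the log every five minutes; `>>` keeps the history needed to troubleshoot a failed run.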

Revision as of 14:52, 1 December 2022

Package installation and domain join of the DC to be added

  • Install packages
apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
  • Configure Kerberos:
vi /etc/krb5.conf
[libdefaults]
  default_realm = METRICA.PRIV
  dns_lookup_kdc = true
  dns_lookup_realm = false
  • Point DNS at another DC:
sudoedit /etc/resolv.conf
nameserver 192.168.1.111
  • Set the hostname:
sudoedit /etc/hosts
10.0.0.103  gapsrv03.ad.gapartners.eu   gapsrv03
  • Check the local hostname:
hostname -f
gapsrv03.ad.gapartners.eu


  • Reboot:
sudo reboot
  • Test authentication
kinit administrator@METRICA.PRIV
klist
  • Stop all Samba services:
systemctl stop smbd.service
systemctl stop nmbd.service
systemctl stop winbind.service
systemctl stop samba-ad-dc.service
  • Verify:
 ps ax | egrep "samba|smbd|nmbd|winbindd"
  • Rename the configuration file:
mv $(smbd -b | grep "CONFIGFILE" | tr -s ' '| cut -f 3 --delimiter=' ') $(smbd -b | grep "CONFIGFILE" | tr -s ' '| cut -f 3 --delimiter=' ').old
  • Verify
ls /etc/samba
  • Delete the old databases:
for DIR in $(smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | tr -s ' '| cut -f 3 --delimiter=' '); do echo CLEANING $DIR; cd $DIR; find . -name \*.tdb -exec /bin/rm -f '{}' \;; find . -name \*.ldb -exec /bin/rm -f '{}' \;; done
  • Enable the daemon:
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
  • Join the domain:
samba-tool domain join metrica.priv  DC -k yes
  • Point DNS at the DC itself:
sudoedit /etc/resolv.conf
nameserver 192.168.1.112


  • Set up ID mapping:
vi /etc/samba/smb.conf
[global]
   dns forwarder = 192.168.1.254
   idmap_ldb:use rfc2307 = yes
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes
systemctl restart samba-ad-dc
  • Verify replication:
samba-tool drs showrepl
  • This warning is ok:
 Warning: No NC replicated for Connection!
  • Adapt Kerberos config:
mv /etc/krb5.conf /etc/krb5.conf.initial
ln -s /var/lib/samba/private/krb5.conf /etc/
cat /etc/krb5.conf


  • Verify Kerberos authentication
kinit administrator
klist
  • Verify DNS records:
host ad.metrica.it
ad.metrica.it has address 192.168.1.111
ad.metrica.it has address 192.168.1.120
host -t SRV _kerberos._udp.ad.metrica.it  # UDP Kerberos SRV record
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc01.ad.metrica.it.
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc02.ad.metrica.it.
host -t SRV _ldap._tcp.ad.metrica.it  # TCP LDAP SRV record
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc01.ad.metrica.it.
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc02.ad.metrica.it.
  • Verify user sync:
# metdc02
samba-tool user create test_user


# metdc01
samba-tool user list | grep test_user
samba-tool user delete test_user
# metdc02
samba-tool user list | grep test_user

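As an added example (not part of the wiki page), a small POSIX shell script that automates the SRV record check above: it parses `host -t SRV` output and reports any expected DC that is missing or advertised on the wrong port, so a DC whose DNS registration failed is caught before clients are pointed at it. The realm and DC names come from the page; the function names, the `EXPECTED_DCS` list and the constructed sample output are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: verify that every expected DC is
# advertised in the Kerberos and LDAP SRV records of the domain.
# REALM_DNS and the DC names come from the page; the functions, EXPECTED_DCS
# and the sample output below are constructed for this example.

REALM_DNS="ad.metrica.it"
EXPECTED_DCS="metdc01.ad.metrica.it metdc02.ad.metrica.it"

# srv_missing_dcs RECORD PORT: read `host -t SRV RECORD` output on stdin and
# print the expected DCs that are absent or listed on a port other than PORT.
# A correct line looks like:
#   _ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc01.ad.metrica.it.
srv_missing_dcs() {
    record="$1"; port="$2"; input=$(cat); missing=""
    for dc in $EXPECTED_DCS; do
        if ! printf '%s\n' "$input" |
             grep -q "^$record has SRV record [0-9]* [0-9]* $port $dc\.\$"; then
            missing="$missing $dc"
        fi
    done
    printf '%s' "${missing# }"
}

# Constructed sample: Kerberos record complete, LDAP record lacking metdc02,
# which is what a join whose DNS registration failed looks like.
SAMPLE_KRB='_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc01.ad.metrica.it.
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc02.ad.metrica.it.'
SAMPLE_LDAP='_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc01.ad.metrica.it.'

# check_sample: run the parser over the constructed sample (offline self-test).
check_sample() {
    printf 'kerberos missing: [%s]\n' "$(printf '%s\n' "$SAMPLE_KRB" | srv_missing_dcs "_kerberos._udp.$REALM_DNS" 88)"
    printf 'ldap missing:     [%s]\n' "$(printf '%s\n' "$SAMPLE_LDAP" | srv_missing_dcs "_ldap._tcp.$REALM_DNS" 389)"
}

# live_check: query real DNS with host(1), as the page does; exits non-zero
# when any DC is missing. Run on a DC as: sh check_srv.sh live
live_check() {
    rc=0
    for spec in "_kerberos._udp:88" "_ldap._tcp:389"; do
        rec="${spec%:*}.$REALM_DNS"; port="${spec#*:}"
        missing=$(host -t SRV "$rec" | srv_missing_dcs "$rec" "$port")
        if [ -n "$missing" ]; then echo "MISSING in $rec: $missing"; rc=1; fi
    done
    return "$rc"
}

if [ "${1:-}" = "live" ]; then live_check; else check_sample; fi
```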
Configure Systemd services

systemctl disable smbd nmbd winbind
systemctl enable samba-ad-dc

DNS Config

  • Add metdc02 as secondary nameserver in the DHCP config

Setup Time sync

sudo apt install ntp
sudoedit /etc/ntp.conf
pool metdc01.ad.metrica.it
restrict source notrap nomodify noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/
sudo systemctl restart ntp
ntpq -p

Setup SYSVOL Sync

  • This method ensures GPO objects consistency across domain controllers, but has one huge drawback. It works only in one direction because rsync will transfer all changes from the source DC to the destination DC when synchronizing GPO directories.
  • Objects which no longer exist on the source will be deleted from the destination as well. In order to limit and avoid any conflicts, all GPO edits should be made only on the first DC.
  • To start the process of SysVol replication, first generate an SSH key on the first Samba AD DC and transfer the key to the second DC with the commands below.
ssh-keygen -t rsa
ssh-copy-id root@metdc02.ad.metrica.it
ssh root@metdc02.ad.metrica.it cat .ssh/authorized_keys
rsync -XAavz --chmod=775 --delete-after  --progress --stats  \
   /var/lib/samba/sysvol/ \
   root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ \
  --dry-run
  • If the simulation process works as expected, run the rsync command again without the --dry-run option in order to actually replicate GPO objects across your domain controllers.
rsync -XAavz --chmod=775 --delete-after  --progress --stats  \
   /var/lib/samba/sysvol/ \
   root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/
  • On the second DC, verify that the GP policies are present:
ls /var/lib/samba/sysvol/ad.metrica.it/Policies/
  • Enable scheduled sync:
cat > /etc/cron.d/samba-sysvol-replication <<EOFile
*/5 * * * * root rsync -XAavz --chmod=775 --delete-after  --progress --stats  /var/lib/samba/sysvol/ root@gapsrv03.ad.gapartners.eu:/var/lib/samba/sysvol/ > /var/log/samba/samba-sysvol-replication.log 2>&1
EOFile
  • Check on dc01 and dc02:
 samba-tool ntacl sysvolcheck
  • Fix the DB ACL on GPO and VFS ACL errors
 samba-tool ntacl sysvolreset
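Because the cron job above runs rsync with `--delete-after`, a source whose sysvol is unexpectedly empty (failed mount, wrong host in the destination, typo in the path) would erase every GPO on the second DC within five minutes. As an added example that is not part of the wiki page or of Samba, here is a guarded wrapper for that job: it dry-runs the same rsync first, counts the deletions rsync announces, and refuses the real transfer above a threshold. The paths, flags and hosts are the page's; `MAX_DELETIONS`, the function names and the sample rsync output are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page or from Samba: a guarded version of the
# page's cron rsync. --delete-after mirrors deletions, so an emptied source
# would wipe the destination's GPOs. The guard dry-runs first, counts pending
# deletions and refuses the real transfer above MAX_DELETIONS. SRC, DEST and
# LOG come from the page; MAX_DELETIONS, the functions and the sample below
# are constructed for this example.

SRC="/var/lib/samba/sysvol/"
DEST="root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/"
LOG="/var/log/samba/samba-sysvol-replication.log"
MAX_DELETIONS="${MAX_DELETIONS:-20}"   # assumed threshold; tune per domain

# count_deletions: read rsync --itemize-changes output on stdin and print the
# number of entries rsync announces as "*deleting   <path>".
count_deletions() {
    grep -c '^\*deleting ' || true   # grep exits 1 on zero matches but still prints 0
}

# guarded_sysvol_sync: the page's rsync flags, run twice: a --dry-run whose
# deletions are counted, then the real copy. The log is appended to, not
# overwritten, so earlier runs stay available for troubleshooting.
guarded_sysvol_sync() {
    n=$(rsync -XAavz --chmod=775 --delete-after --itemize-changes --dry-run \
            "$SRC" "$DEST" | count_deletions)
    if [ "$n" -gt "$MAX_DELETIONS" ]; then
        echo "$(date '+%F %T') REFUSED: dry-run would delete $n paths on $DEST" >> "$LOG"
        return 2
    fi
    rsync -XAavz --chmod=775 --delete-after --stats "$SRC" "$DEST" >> "$LOG" 2>&1
}

# Constructed sample of `rsync -i --dry-run` output: two changed GPT.INI files
# and three deletions (the GPO directory names are placeholders).
SAMPLE_ITEMIZE='>f.st...... ad.metrica.it/Policies/{GPO-A}/GPT.INI
>f+++++++++ ad.metrica.it/Policies/{GPO-B}/GPT.INI
*deleting   ad.metrica.it/Policies/{GPO-C}/Machine/Registry.pol
*deleting   ad.metrica.it/Policies/{GPO-C}/Machine/
*deleting   ad.metrica.it/Policies/{GPO-C}/'

# deletions_in_sample: offline self-test of the parser on the sample above.
deletions_in_sample() {
    printf '%s\n' "$SAMPLE_ITEMIZE" | count_deletions
}

# From cron: */5 * * * * root sh /usr/local/sbin/sysvol-sync.sh run
if [ "${1:-}" = "run" ]; then guarded_sysvol_sync; else
    echo "sample dry-run would delete $(deletions_in_sample) paths"; fi
```

When the guard trips, the REFUSED line in the log is the signal to inspect the source sysvol before rerunning; `samba-tool ntacl sysvolcheck` on both DCs still applies after a successful run.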

References