Installing Samba 4 AD on Debian

From RVM Wiki
Warning: this article is still incomplete.

TODO

  • Check whether there are problems importing DNS names (is it better to let them replicate?)

Installing the prerequisites

sudo apt-get install ntp ntpdate
sudoedit /etc/hosts
127.0.0.1  localhost
10.0.0.254 server01 server01.dominio.local
  • Remove:
127.0.1.1  server01 server01.dominio.local
  • Likewise:
sudoedit /etc/hostname
server01.dominio.local
  • Install bind first, otherwise there will be errors and the file permissions will have to be changed
sudo apt-get install bind9 bind9-host
  • Set the basic bind configuration:
sudoedit /etc/bind/named.conf.options
   //dnssec-validation auto;
systemctl restart bind9.service ; sleep 5; systemctl status bind9.service -l
  • If other local zones must be resolved through an internal nameserver, set them up like this:
vi /var/lib/bind/myzone.priv
zone "myzone.priv" {
	type forward;
	forwarders { 192.168.0.100; };
};
vi /etc/bind/named.conf.local
//
include "/var/lib/bind/myzone.priv";


  • Now check the network configuration of the server, which must have a static IP address:
sudoedit /etc/network/interfaces
auto eth0
iface eth0 inet static
       address 10.0.0.254
       netmask 255.255.255.0
       gateway 10.0.0.1
       dns-nameserver 10.0.0.254
       dns-search dominio.local
  • Finally, check the file:
sudoedit /etc/resolv.conf
search dominio.local
nameserver 10.0.0.254
  • Finally, install some packages that will be needed later:
sudo apt-get install apt-transport-https mc zip bzip2 arj
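The following shell script is an added example and not part of the original guide: it checks the three files edited above against the values the guide uses (server01.dominio.local, 10.0.0.254, dominio.local). It verifies that the FQDN sits on the static-address line of /etc/hosts and on no 127.0.1.1 line, that /etc/hostname holds the FQDN, and that /etc/resolv.conf lists the server itself as first nameserver with the domain in its search list. The function names and the directory argument are the example's own; point the directory at /etc to check the live files.

```sh
#!/bin/sh
# Added pre-flight check for the prerequisite files above (example script, not from
# the original guide). Each function takes the file to inspect as an argument, so the
# checks can be run against the live /etc files or against constructed copies.

# hosts_ok FILE FQDN IP: FQDN must be listed on the line of the static IP and must
# not appear on a 127.0.1.1 line (that alias would make the host name resolve to
# loopback, which would then be registered in the AD DNS zone)
hosts_ok() {
    awk -v fqdn="$2" -v ip="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == fqdn) {
              if ($1 == "127.0.1.1") bad = 1
              if ($1 == ip) good = 1
          } }
        END { if (good && !bad) exit 0; exit 1 }' "$1"
}

# hostname_ok FILE FQDN: the first line of /etc/hostname (trailing blanks ignored) is the FQDN
hostname_ok() {
    name=$(sed -n '1s/[[:space:]]*$//p' "$1")
    [ "$name" = "$2" ]
}

# resolv_ok FILE IP DOMAIN: the first nameserver is the DC itself and DOMAIN is in the search list
resolv_ok() {
    awk -v ip="$2" -v dom="$3" '
        $1 == "nameserver" && !seen { seen = 1; if ($2 == ip) ns = 1 }
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == dom) found = 1 }
        END { if (ns && found) exit 0; exit 1 }' "$1"
}

# preflight DIR FQDN IP DOMAIN: run all three checks on DIR/hosts, DIR/hostname and
# DIR/resolv.conf; prints one PASS/FAIL line per check and fails if any check failed
preflight() {
    dir=$1; fqdn=$2; ip=$3; dom=$4; rc=0
    if hosts_ok "$dir/hosts" "$fqdn" "$ip"; then echo "PASS hosts"
    else echo "FAIL hosts: $fqdn must be on the $ip line and not on a 127.0.1.1 line"; rc=1; fi
    if hostname_ok "$dir/hostname" "$fqdn"; then echo "PASS hostname"
    else echo "FAIL hostname: expected $fqdn"; rc=1; fi
    if resolv_ok "$dir/resolv.conf" "$ip" "$dom"; then echo "PASS resolv.conf"
    else echo "FAIL resolv.conf: first nameserver must be $ip and search must include $dom"; rc=1; fi
    return $rc
}

# Usage: sh preflight.sh /etc server01.dominio.local 10.0.0.254 dominio.local
[ $# -eq 0 ] || preflight "$@"
```

Run it after editing the files and before installing samba; a FAIL on the hosts check is the 127.0.1.1 line the guide tells you to delete.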

Installation

Fresh installation

  • This installation creates a new domain
  • Install the samba packages
sudo apt-get install samba smbclient samba-common-bin samba-testsuite cifs-utils winbind krb5-user

Set the Default Kerberos version 5 realm IN UPPER CASE when the package configuration dialog asks for it, e.g.:

EXAMPLE.PRIV
  • Move the original configuration file aside:
sudo  mv /etc/samba/smb.conf /etc/samba/smb.conf.original


  • Check that all the daemons are stopped:
sudo systemctl stop smbd.service 
sudo systemctl stop winbind.service 
sudo systemctl stop nmbd.service 
ps ax | egrep "samba|smbd|nmbd|winbindd"
  • Delete any samba database files (*.tdb, *.ldb):
sudo smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
  LOCKDIR: /var/run/samba
  STATEDIR: /var/lib/samba
  CACHEDIR: /var/cache/samba
  PRIVATE_DIR: /var/lib/samba/private
cd /var/run/samba && find . -type f \( -iname \*.tdb -o -iname \*.ldb \) -print -exec /bin/rm -f {} \;
cd  /var/lib/samba && find . -type f \( -iname \*.tdb -o -iname \*.ldb \) -print -exec /bin/rm -f {} \;
cd /var/cache/samba && find . -type f \( -iname \*.tdb -o -iname \*.ldb \) -print -exec /bin/rm -f {} \;
  • Remove the Kerberos client configuration:
rm /etc/krb5.conf
  • Run the non-interactive provisioning: the password must satisfy the complexity criteria (8 characters with upper case, lower case, digit and symbol):
samba-tool domain provision \
 --use-rfc2307 \
 --realm EXAMPLE.PRIV \
 --domain EXAMPLE \
 --server-role dc \
 --dns-backend BIND9_DLZ \
 --adminpass Mysample-1


  • Restart samba:
systemctl stop samba-ad-dc.service ; systemctl start samba-ad-dc.service
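As an added example (not from the original guide), the script below validates the provisioning inputs before samba-tool is run: the realm must be upper case and contain a dot (the same requirement applies to default_realm in the krb5.conf of the join procedure further down, where a lower-case realm produces "kinit: KDC reply did not match expectations"), the NetBIOS domain must be the upper-case first label of the realm and at most 15 characters, and the admin password must satisfy the complexity policy stated above. The function names are the example's own; EXAMPLE.PRIV, EXAMPLE and Mysample-1 are the guide's values.

```sh
#!/bin/sh
# Added example (not from the original guide): validate the inputs of
# "samba-tool domain provision" before running it.

# is_upper STRING: STRING contains no lower-case letters
is_upper() { [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]; }

# realm_ok REALM: the Kerberos realm must contain a dot and be entirely upper case
realm_ok() {
    case $1 in
        *.*) is_upper "$1" ;;
        *)   return 1 ;;
    esac
}

# netbios_ok DOMAIN REALM: 1-15 characters, upper case, equal to the first label of REALM
netbios_ok() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 15 ] && is_upper "$1" && [ "$1" = "${2%%.*}" ]
}

# adminpass_ok PASSWORD: at least 8 characters with an upper-case letter, a lower-case
# letter, a digit and a symbol (the complexity policy Samba applies by default)
adminpass_ok() {
    p=$1
    [ "${#p}" -ge 8 ] || return 1
    for class in '[A-Z]' '[a-z]' '[0-9]' '[^A-Za-z0-9]'; do
        printf '%s\n' "$p" | LC_ALL=C grep -q "$class" || return 1
    done
}

# provision_inputs_ok REALM DOMAIN PASSWORD: run all checks, print every reason for failure
provision_inputs_ok() {
    rc=0
    realm_ok "$1" || { echo "realm '$1' must be upper case with a dot, e.g. EXAMPLE.PRIV"; rc=1; }
    netbios_ok "$2" "$1" || { echo "domain '$2' must be the upper-case first label of the realm (max 15 chars)"; rc=1; }
    adminpass_ok "$3" || { echo "admin password does not meet the policy (8+ chars, upper, lower, digit, symbol)"; rc=1; }
    return $rc
}

# Usage: sh provision-check.sh EXAMPLE.PRIV EXAMPLE 'Mysample-1' && samba-tool domain provision ...
[ $# -eq 0 ] || provision_inputs_ok "$@"
```

A password passed on the command line is recorded in the shell history, exactly as it is with --adminpass, so clear the history entry afterwards or run the check from a script.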


Joining an existing Windows 2003 AD domain

  • This installation adds the samba DC to an existing Win2k3 domain, in order to replace the existing DC.
  • Check the forest functional level on the Windows DC and, if necessary, raise it at least to 2003

Do this for both the forest and the domain.

  • Open Active Directory Domains and Trusts: click Start, click Administrative Tools, click Active Directory Domains and Trusts
  • In the console tree, right-click the domain and then click Raise Forest Functional Level
  • In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level
  • Install the samba packages
sudo apt-get install samba smbclient samba-common-bin samba-testsuite cifs-utils winbind
  • Move the original configuration file aside:
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.original
  • Check that the name of the current Domain Controller resolves
host -t A domaincontroller.example.priv
  • Install kerberos
sudo apt-get install krb5-user
  • WARNING: write the DNS domain in upper case, otherwise you get the error:
kinit: KDC reply did not match expectations while getting initial credentials
  • Change the parameters:
sudoedit /etc/krb5.conf

[libdefaults]

   dns_lookup_realm = true
   dns_lookup_kdc = true
   default_realm = SAMDOM.EXAMPLE.COM


  • Verify the correct Kerberos setup by obtaining a ticket:
sudo -i
kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:
klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
09.11.2014 17:34:09  10.11.2014 03:34:09   krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 10.11.2014 17:34:07
  • Join the domain; the domain Administrator password is requested (ignore the fact that it says WORKGROUP\Administrator):
samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ
  • If everything is correct, this is the transcript:
Finding a writeable DC for domain 'mannesmann.priv'
Found DC mansrv01.mannesmann.priv
Password for [WORKGROUP\administrator]:
workgroup is MANNESMANN
realm is mannesmann.priv
checking sAMAccountName
Adding CN=MANSRV03,OU=Domain Controllers,DC=mannesmann,DC=priv
Adding CN=MANSRV03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mannesmann,DC=priv
Adding CN=NTDS Settings,CN=MANSRV03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mannesmann,DC=priv
Adding SPNs to CN=MANSRV03,OU=Domain Controllers,DC=mannesmann,DC=priv
Setting account password for MANSRV03$
Enabling account
Adding DNS account CN=dns-MANSRV03,CN=Users,DC=mannesmann,DC=priv with dns/ SPN
Setting account password for dns-MANSRV03
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=mannesmann,DC=priv
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mannesmann,DC=priv] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=mannesmann,DC=priv] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=mannesmann,DC=priv] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=mannesmann,DC=priv] objects[1376] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mannesmann,DC=priv] objects[402] linked_values[0]
Partition[CN=Configuration,DC=mannesmann,DC=priv] objects[804] linked_values[0]
Partition[CN=Configuration,DC=mannesmann,DC=priv] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=mannesmann,DC=priv] objects[1549] linked_values[10]
Replicating critical objects from the base DN of the domain
Partition[DC=mannesmann,DC=priv] objects[93] linked_values[0]
Partition[DC=mannesmann,DC=priv] objects[495] linked_values[0]
Partition[DC=mannesmann,DC=priv] objects[897] linked_values[0]
Partition[DC=mannesmann,DC=priv] objects[1044] linked_values[0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=mannesmann,DC=priv
Partition[DC=DomainDnsZones,DC=mannesmann,DC=priv] objects[21] linked_values[0]
Replicating DC=ForestDnsZones,DC=mannesmann,DC=priv
Partition[DC=ForestDnsZones,DC=mannesmann,DC=priv] objects[5] linked_values[0]
Partition[DC=ForestDnsZones,DC=mannesmann,DC=priv] objects[10] linked_values[0]
Committing SAM database
descriptor_sd_propagation_recursive: DC=DomainDnsZones,DC=mannesmann,DC=priv not found under DC=mannesmann,DC=priv
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=mannesmann,DC=priv not found under DC=mannesmann,DC=priv
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain MANNESMANN (SID S-1-5-21-2840287441-1676082587-3800659398) as a DC


Before you start the joining, make yourself familiar with the parameters and options of "samba-tool domain join":

samba-tool domain join --help

Especially the following two options are required if your future Domain Controllers have multiple NICs. Because "samba-tool" would auto-choose one of the IPv4/IPv6 addresses if multiple were found, it might be necessary to bind Samba to the desired interfaces using

--option="interfaces=lo eth0" --option="bind interfaces only=yes"

Join the existing domain (parameter explanation below):

samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'samdom.example.com'
Found DC dc1.samdom.example.com
Password for [WORKGROUP\administrator]: passw0rd
workgroup is SAMDOM
realm is samdom.example.com
checking sAMAccountName
Adding CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Setting account password for DC2$
Enabling account
Adding DNS account CN=dns-DC2,CN=Users,DC=samdom,DC=example,DC=com with dns/ SPN
Setting account password for dns-DC2
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=samdom,DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=samdom,DC=example,DC=com] objects[1618/1618] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=example,DC=com] objects[98/98] linked_values[23/0]
Partition[DC=samdom,DC=example,DC=com] objects[395/297] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=DomainDnsZones,DC=samdom,DC=example,DC=com] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[19/19] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=samdom,DC=example,DC=com] objects[38/19] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMDOM (SID S-1-5-21-469703510-2364959079-1506205053) as a DC
  • If it fails with
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

it MEANS that the CLOCKS of the two machines differ too much (see Bug#688004: samba-tool: need display warning, if time is not correct, msg#27461 on OSDir.com)
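An added example, not from the original guide, for catching that clock problem before the join: it reads the offsets reported by ntpdate -q against the existing DC and fails when any offset exceeds what Kerberos tolerates (the default clockskew is 300 seconds). The ntpdate output written by write_sample_ntpdate is a constructed sample in the format ntpdate -q prints; the function names and the max-offset argument are the example's own.

```sh
#!/bin/sh
# Added example (not from the original guide): check the clock offset between this
# machine and the existing DC from "ntpdate -q <dc>" output before running the join.

# max_offset FILE: largest absolute "offset" value on the "server ..." lines, in seconds
max_offset() {
    LC_ALL=C awk '
        $1 == "server" {
            for (i = 1; i < NF; i++) if ($i == "offset") {
                o = $(i + 1); sub(/,$/, "", o); o += 0
                if (o < 0) o = -o
                if (o > m) m = o
            }
        }
        END { printf "%.6f\n", m + 0 }' "$1"
}

# skew_ok FILE [MAX]: succeed only when every reported offset is within MAX seconds
# (default 300, the Kerberos clockskew default)
skew_ok() {
    max=${2:-300}
    LC_ALL=C awk -v max="$max" '
        $1 == "server" {
            for (i = 1; i < NF; i++) if ($i == "offset") {
                o = $(i + 1); sub(/,$/, "", o); o += 0
                if (o < 0) o = -o
                if (o > max + 0) bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }' "$1"
}

# write_sample_ntpdate FILE: constructed ntpdate -q output, one DC in sync and one 412 s off
write_sample_ntpdate() {
    cat > "$1" <<'EOF'
server 10.0.0.254, stratum 2, offset -0.003412, delay 0.02568
server 10.0.0.253, stratum 2, offset 412.571233, delay 0.02612
 9 Nov 17:34:09 ntpdate[1234]: step time server 10.0.0.253 offset 412.571233 sec
EOF
}

# Usage against the real DC:  ntpdate -q dc1.samdom.example.com > offsets.txt && skew_ok offsets.txt
if [ $# -eq 0 ]; then
    f=$(mktemp); write_sample_ntpdate "$f"
    echo "largest offset in sample: $(max_offset "$f") s"
    skew_ok "$f" && echo "skew acceptable" || echo "skew too large, fix NTP before joining"
    rm -f "$f"
else
    skew_ok "$1" "${2:-300}"
fi
```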


Installing BIND as DNS

apt-get install bind9 dnsutils

  • Check that it resolves external names and that it listens on localhost and on eth0:
host google.com 127.0.0.1
host google.com 192.168.1.10
  • Include the configuration generated during provisioning:
sudoedit /etc/bind/named.conf.local
include "/var/lib/samba/private/named.conf";
  • If necessary, change the bind version used in:
sudoedit /var/lib/samba/private/named.conf
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
  • Restart bind and check in the logs that there are no errors
/etc/init.d/bind9 restart
  • Restart samba
/etc/init.d/samba restart
  • Then add the following lines to /etc/bind/named.conf.options, just below the forwarders definition:
sudoedit /etc/bind/named.conf.options
   // Enable Samba authentication
   tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
  • Change:
   auth-nxdomain yes;
  • Then set the correct permissions on the Samba authentication key:
chown -R root:bind /var/lib/samba/private/
chmod -R 774 /var/lib/samba/private/
chmod -R 700 /var/lib/samba/private/smbd.tmp/msg
chmod 600 /var/lib/samba/private/tls/key.pem
  • DO NOT DO THIS, IT IS NOT NEEDED
  • To let the Samba/Kerberos pair perform automatic updates of our DNS, the following directives would be added to the defaults file:

sudoedit /etc/default/bind9

KEYTAB_FILE="/var/lib/samba/private/dns.keytab"
KRB5_KTNAME="/var/lib/samba/private/dns.keytab"
export KEYTAB_FILE
export KRB5_KTNAME
  • Finally, restart Bind:
sudo /etc/init.d/bind9 restart
  • Wait for the zone file transfer.
  • Connect to the new DNS with the mmc snap-in from the Windows server
  • If it does not replicate, check that the DNS zones on the source server are:
  • AD Integrated
  • Update=Secure Only
  • Replication: to all DNS servers in the forest (not the DCs)


  • DO NOT DO THIS, otherwise the DNS records will not be updatable because of security problems, and they will cause logon problems on the clients. To fix them, delete the records and recreate them by running ipconfig /registerdns on the clients.
  • To verify that dynamic updates work we can use the command:

 samba_dnsupdate --verbose --all-names

 samba_dnsupdate --verbose
 ...
 No DNS updates needed

  • If it gives the following error, dnsutils has not been installed (see https://lists.samba.org/archive/samba/2012-February/166460.html, "[Samba] V4 - New Install - Missing Zone File"):
 Failed nsupdate: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.metrica.priv metsrv04.metrica.priv 389 : [Errno 2] No such file or directory

Check DNS entries

When you join a new Domain Controller to the domain, Samba currently doesn't create two important DNS records (Bug #10928). This documentation shows how to check whether the records exist and, if not, how to add them manually.

For a successful setup and for failover purposes, it is required that all important DNS records are added to the DNS zones. Check whether the important DNS records exist and, if not (see Bug #10928), add them manually. Don't skip this step!

Resolve the A record of the newly joined Domain Controller

host -t A DC2.samdom.example.com.

If it does not resolve:

samba-tool dns add DC1 samdom.example.com DC2 A 10.99.0.2 -Uadministrator
  • Find out the objectGUID of the new joined Domain Controller:
apt-get install ldb-tools
/etc/init.d/samba stop
/etc/init.d/samba start
ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep SERVERNAME -A1
dn: CN=NTDS Settings,CN=METSRV04,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=metrica,DC=priv
objectGUID: e34ccfe0-72a2-4033-8e82-c2ff60853f34
  • Query the CNAME of the objectGUID in the _msdcs.samdom.example.com zone. It must be an alias to the hostname of the new joined DC:
host -t CNAME e34ccfe0-72a2-4033-8e82-c2ff60853f34._msdcs.metrica.priv metsrv02
If the record could not be resolved, you have to add the record manually to the AD DNS zone:
samba-tool dns add METSRV02 _msdcs.metrica.priv e34ccfe0-72a2-4033-8e82-c2ff60853f34._msdcs.metrica.priv CNAME METSRV04.metrica.priv -Uadministrator
  • Re-check afterwards again!
host -t CNAME e34ccfe0-72a2-4033-8e82-c2ff60853f34._msdcs.metrica.priv metsrv02
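The three checks above, as an added example that is not part of the original guide: the script extracts the objectGUID of the new DC from the ldbsearch output, derives the CNAME name it must have in the _msdcs zone, checks the output of host -t CNAME, and prints the samba-tool dns add command used above when the record is missing. Inputs are files containing command output, so it can be fed the live output or the constructed samples written by write_samples. METSRV04, METSRV02, metrica.priv and the METSRV04 GUID are the guide's; the METSRV02 GUID in the sample is constructed, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original guide): verify the _msdcs CNAME of a newly
# joined DC from saved "ldbsearch" and "host -t CNAME" output.

# dc_objectguid FILE SERVERNAME: objectGUID of the NTDS Settings object of SERVERNAME
# in the output of: ldbsearch -H sam.ldb '(invocationId=*)' --cross-ncs objectguid
dc_objectguid() {
    awk -v srv="CN=$2," '
        index($0, "dn: CN=NTDS Settings,") == 1 && index($0, srv) > 0 { want = 1; next }
        NF == 0 { want = 0 }
        want && $1 == "objectGUID:" { print $2; exit }' "$1"
}

# msdcs_cname GUID REALM: the CNAME record name a DC must have in the _msdcs zone
msdcs_cname() { printf '%s._msdcs.%s\n' "$1" "$2"; }

# cname_points_to FILE TARGET: "host -t CNAME" output in FILE shows an alias to TARGET
# (DNS names compared case-insensitively, trailing dot ignored)
cname_points_to() {
    got=$(awk '/ is an alias for / { print $NF }' "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]')
    [ -n "$got" ] && [ "$got" = "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# fix_cname_cmd DNSSERVER REALM GUID DCFQDN: the samba-tool command that adds the missing record
fix_cname_cmd() {
    printf 'samba-tool dns add %s _msdcs.%s %s CNAME %s -Uadministrator\n' \
        "$1" "$2" "$(msdcs_cname "$3" "$2")" "$4"
}

# check_new_dc LDBFILE HOSTFILE SERVERNAME REALM DNSSERVER: tie the steps together
check_new_dc() {
    guid=$(dc_objectguid "$1" "$3")
    [ -n "$guid" ] || { echo "no NTDS Settings object found for $3"; return 1; }
    name=$(msdcs_cname "$guid" "$4")
    target=$(printf '%s.%s' "$3" "$4")
    if cname_points_to "$2" "$target"; then
        echo "OK: $name -> $target"
    else
        echo "MISSING: $name should alias $target; add it with:"
        fix_cname_cmd "$5" "$4" "$guid" "$target"
        return 1
    fi
}

# write_samples DIR: constructed ldbsearch and host output (METSRV02 GUID is made up)
write_samples() {
    cat > "$1/ldb.txt" <<'EOF'
# record 1
dn: CN=NTDS Settings,CN=METSRV04,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=metrica,DC=priv
objectGUID: e34ccfe0-72a2-4033-8e82-c2ff60853f34

# record 2
dn: CN=NTDS Settings,CN=METSRV02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=metrica,DC=priv
objectGUID: 0f0f0f0f-1111-2222-3333-444444444444

EOF
    cat > "$1/host-ok.txt" <<'EOF'
Using domain server:
Name: metsrv02
Address: 10.0.0.2#53
Aliases:

e34ccfe0-72a2-4033-8e82-c2ff60853f34._msdcs.metrica.priv is an alias for METSRV04.metrica.priv.
EOF
    cat > "$1/host-missing.txt" <<'EOF'
Host e34ccfe0-72a2-4033-8e82-c2ff60853f34._msdcs.metrica.priv not found: 3(NXDOMAIN)
EOF
}

# Usage with live output: check_new_dc ldb.txt host.txt METSRV04 metrica.priv METSRV02
if [ $# -eq 0 ]; then
    d=$(mktemp -d); write_samples "$d"
    check_new_dc "$d/ldb.txt" "$d/host-ok.txt" METSRV04 metrica.priv METSRV02
    check_new_dc "$d/ldb.txt" "$d/host-missing.txt" METSRV04 metrica.priv METSRV02
    rm -rf "$d"
fi
```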


Login check

  • From the DC, try to log in:
smbclient -U Administrator%Mysample-1 -W EXAMPLE //SERVERNAME/netlogon

Enabling ACLs

To use the advanced features of Samba4 the filesystem must support the xattr extensions. These extensions allow the advanced features and options of our filesystem to be managed.

ext4 filesystem

The directive is set in the fstab file as an option of the partition we want to manage with samba, or for the whole filesystem, depending on our configuration:

sudoedit /etc/fstab
# / was on /dev/sda1 during installation 
UUID=a416ec5c-baff-48fb-9ab7-e6ddfd06f520 / ext4 user_xattr,errors=remount-ro 0 1 

ZFS filesystem

  • Create the dataset as:
 zfs create -o mountpoint=/media/samba/testshare -o compression=on -o acltype=posixacl -o xattr=sa DATA/testshare
  • Set in the global configuration and for each share:
sudoedit /etc/samba/smb.conf
 [global]
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

[testshare]
    inherit permissions = yes
    inherit acls = yes


ACL check

To verify the actual support of our system and of our filesystem we can use the attr package and the following commands:

sudo apt-get install attr 
sudo touch test.txt 
sudo setfattr -n user.test -v test test.txt 
sudo setfattr -n security.test -v test2 test.txt 

To check that the filesystem answers correctly:

sudo getfattr -d test.txt
# file: test.txt
user.test="test"
sudo getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"

Administration tools

  • Download them from these links:


  • Install the downloaded file
  • Add the desired tools from
Programs and Features / Windows Components / Remote Server Administration Tools

Creating network shares

sudo mkdir /dati/condivisione
sudo chmod 770 /dati/condivisione

To create network shares it is enough to add to the file

sudoedit /etc/samba/smb.conf
[condivisione]
     comment = Condivisione cani e porci
     path = /dati/condivisione
     read only = No
     directory mask = 0770
     create mask = 0770

Permissions can then be managed from the share properties in Windows, through the "Computer Management" snap-in:

   Computer Management - Connect to another computer - <enter the server name> - System Tools - Shares




GID mappings of built-in groups

There are current issues with GID mappings of built-in groups. The GIDs of groups owning files and directories in the sysvol folder may differ between Domain Controllers. Currently Samba doesn't provide a replication of these GIDs.

Use the following workaround, if you encounter any problems:

  • Shut down Samba on the newly joined Domain Controller.
  • Create a hot backup of idmap.ldb on the first Domain Controller:
tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
  • Move the backup file "/usr/local/samba/private/idmap.ldb.bak" to "/usr/local/samba/private" on the newly joined Domain Controller and remove the .bak suffix; this replaces the original file.
  • Start Samba on the newly joined Domain Controller again.
  • Reset the ACLs on the local sysvol folder of the newly joined Domain Controller:
samba-tool ntacl sysvolreset


Start Samba

To start the Samba Active Directory Domain Controller in "standard" mode, which is suitable for production use, run

samba

Samba doesn't yet have init scripts included. You can find examples on the Samba Init-Script page.



Directory replication

A few minutes after you have started Samba, connections with the other DCs will be established automatically.

samba-tool drs showrepl

Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9
DSA invocationId: 8e30d69f-c20f-4744-9833-5b050e611375

INBOUND NEIGHBORS

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com

       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sun Nov  9 19:56:07 2014 CET

DC=DomainDnsZones,DC=samdom,DC=example,DC=com

       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sun Nov  9 19:56:06 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sun Nov  9 19:56:06 2014 CET

CN=Configuration,DC=samdom,DC=example,DC=com

       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sun Nov  9 19:56:07 2014 CET

DC=ForestDnsZones,DC=samdom,DC=example,DC=com

       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sun Nov  9 19:56:07 2014 CET

DC=samdom,DC=example,DC=com

        Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sun Nov  9 19:56:13 2014 CET was successful
               0 consecutive failure(s).
               Last success @ Sun Nov  9 19:56:13 2014 CET

OUTBOUND NEIGHBORS

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com

       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samdom,DC=example,DC=com

       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

CN=Configuration,DC=samdom,DC=example,DC=com

       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com

       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com

       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

KCC CONNECTION OBJECTS

Connection --

       Connection name: 5745d481-1d26-48f4-ab65-273263e28a45
       Enabled        : TRUE
       Server DNS name : DC1.samdom.example.com
       Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
               TransportType: RPC
               options: 0x00000001

Warning: No NC replicated for Connection!

Depending on your replication settings, if defined, it may take a few minutes until all connections are established, so please be patient. In the unlikely case that the outbound connections aren't established automatically, even after several minutes, you can force the replication (generally not necessary!). See samba-tool drs replicate.

Note about the "Warning: No NC replicated for Connection!" line: it can be safely ignored. See FAQ: Message: Warning: No NC replicated for Connection!



Start BIND

Please check (samba-tool drs showrepl), that the DC=ForestDnsZones,DC=samdom,DC=example,DC=com and DC=DomainDnsZones,DC=samdom,DC=example,DC=com partitions are already replicated!

If so, it's time to start BIND now, if you have a BIND9_DLZ backend.
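An added example (not from the original guide) that checks the two conditions the replication and Start BIND steps above ask you to verify from samba-tool drs showrepl output: no neighbour with a non-zero consecutive failure count, and the DomainDnsZones and ForestDnsZones partitions replicated inbound (a "Last success @ NTTIME(0)" means never). The sample written by write_sample_showrepl is constructed from the guide's output, with the ==== section markers the tool prints and one failing partition added; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original guide): parse "samba-tool drs showrepl" output.

# showrepl_failures FILE: one line "direction partition neighbour count" per neighbour
# whose consecutive failure count is not zero
showrepl_failures() {
    awk '
        /INBOUND NEIGHBORS/     { dir = "inbound";  next }
        /OUTBOUND NEIGHBORS/    { dir = "outbound"; next }
        /KCC CONNECTION OBJECTS/ { dir = "";        next }
        dir == "" { next }
        /^[A-Za-z]+=/ { part = $0; next }                  # unindented line: partition DN
        / via /       { nb = $1; next }                    # "Site\DC1 via RPC"
        / consecutive failure/ && ($1 + 0) > 0 { print dir, part, nb, $1 }' "$1"
}

# showrepl_ok FILE: no neighbour is in a failed state
showrepl_ok() { [ -z "$(showrepl_failures "$1")" ]; }

# partition_replicated FILE DN: DN appears under INBOUND NEIGHBORS with a real last-success time
partition_replicated() {
    awk -v want="$2" '
        /INBOUND NEIGHBORS/ { inb = 1; next }
        /OUTBOUND NEIGHBORS/ || /KCC CONNECTION OBJECTS/ { inb = 0; next }
        !inb { next }
        /^[A-Za-z]+=/ { part = $0; next }
        part == want && /Last success @/ && !/NTTIME\(0\)/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }' "$1"
}

# dns_partitions_ready FILE DOMAIN_DN: both DnsZones partitions replicated, so BIND can be started
dns_partitions_ready() {
    partition_replicated "$1" "DC=DomainDnsZones,$2" && partition_replicated "$1" "DC=ForestDnsZones,$2"
}

# write_sample_showrepl FILE: constructed showrepl output; DomainDnsZones is failing
write_sample_showrepl() {
    cat > "$1" <<'EOF'
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9
DSA invocationId: 8e30d69f-c20f-4744-9833-5b050e611375

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Sun Nov  9 19:56:07 2014 CET was successful
        0 consecutive failure(s).
        Last success @ Sun Nov  9 19:56:07 2014 CET

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Sun Nov  9 19:56:06 2014 CET failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        2 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 5745d481-1d26-48f4-ab65-273263e28a45
    Enabled        : TRUE
    Server DNS name : DC1.samdom.example.com
Warning: No NC replicated for Connection!
EOF
}

# Usage with live output:  samba-tool drs showrepl > repl.txt; showrepl_failures repl.txt
if [ $# -eq 0 ]; then
    f=$(mktemp); write_sample_showrepl "$f"
    showrepl_failures "$f"
    dns_partitions_ready "$f" "DC=samdom,DC=example,DC=com" && echo "DNS partitions replicated, BIND can start" \
        || echo "DNS partitions not yet replicated, wait before starting BIND"
    rm -f "$f"
fi
```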


Follow-Up on /etc/resolv.conf

Now that the DNS on your new Domain Controller is working, it is recommended to add it to /etc/resolv.conf.

It is best practice to have more than one nameserver entry in the Domain Controller's /etc/resolv.conf. In case of a DNS failure where the DC cannot resolve the AD zones, several other services that rely on DNS, e.g. directory replication, would fail.

So you should always rely on at least two DNS servers that are both able to resolve the AD DNS zones.

/etc/resolv.conf on DC2
nameserver 10.99.0.1
nameserver 127.0.0.1
search samdom.example.com

/etc/resolv.conf on DC1
nameserver 10.99.0.2
nameserver 127.0.0.1
search samdom.example.com

If you have more than two Domain Controllers, then you should think in a circle. The following example supposes an additional Domain Controller DC3 to have the IP 10.99.0.3:

/etc/resolv.conf on DC1
nameserver 10.99.0.2
nameserver 10.99.0.3
search samdom.example.com

/etc/resolv.conf on DC2
nameserver 10.99.0.3
nameserver 10.99.0.1
search samdom.example.com

/etc/resolv.conf on DC3
nameserver 10.99.0.1
nameserver 10.99.0.2
search samdom.example.com

This will prevent the DCs from suffering DNS islanding.

SysVol replication

Currently replication of the SysVol share isn't implemented. If you make any changes on that share, you have to keep them in sync on all your Domain Controllers. An example, how to achieve this automatically, is provided in the SysVol Replication documentation.


Testing directory replication

To check that replication is working correctly between your two domain controllers, try adding or modifying e.g. a user on one DC using either the Samba command line tools or the Windows GUI admin tools. Then check that the changes show up within a few seconds on the other Domain Controller.


ldapcmp

You may wish to use samba-tool ldapcmp to verify that the same data is being served from all Domain Controllers.


Troubleshooting

If you encounter any problems when using the documentation, see the Samba AD DC Troubleshooting page.




Testing and connecting to the domain

Our server is now ready to use. To test its functionality it is possible to proceed in stages, so as to separate configuration problems from network or Windows client problems. To this end the first access can be made from the server itself with the command:

smbclient -L localhost -U Administrator

It should ask for the password set earlier for the Administrator user and then list the samba shares configured on the server.

The procedure for joining clients to the domain varies with the operating system used on the client machines:

   Windows 95/98/ME
   No longer supported
   Windows NT
   No longer supported
   Windows 2000
   Control Panel -> System -> Network Identification (or, on the Desktop, right-click the My Computer icon, select Properties, click the Network Identification tab and then the Properties button).
   Windows XP
   As on Windows NT/2000: right-click My Computer, select Properties, Computer Name and the Change button, or click Network ID and run the wizard providing the Administrator credentials.
   Windows Vista
   Not yet tested.
   Windows 7
   As on Windows XP: right-click My Computer, select Properties, Computer Name and the Change button, or click Network ID and run the wizard providing the Administrator credentials.

Further configuration

At this point we can:

   Add antivirus scanning to our Samba shares: ClamAV: scansione antivirus delle condivisioni Samba
   Create a network recycle bin to avoid deleting important files by mistake: Samba: creare un cestino di rete per le condivisioni

Configuring a Groupware

If having obtained an Active Directory domain with open source tools is not enough and we want more, at this point we can set up a complete Groupware environment to replace Microsoft Exchange. Just follow this guide: Installare un ambiente Groupware integrato in Samba4



Guide written by: Ferdybassi



Role transfer


Provisioning output when the bind group does not exist yet (the permission problem mentioned in the prerequisites, where bind must be installed first):

Unable to find group id for BIND,
               set permissions to sam.ldb* files manually
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              centos01
NetBIOS Domain:        TESTING
DNS Domain:            testing.priv
DOMAIN SID:            S-1-5-21-2224154923-2659347834-3076944234

DNS management from the command line

  • Add a DNS record newname.example.priv with IP 1.2.3.4 in the zone example.priv on the server dnsserver.example.priv:
samba-tool dns add dnsserver.example.priv example.priv newname.example.priv A 1.2.3.4 -U administrator
  • Remove a DNS name (A record myserver with IP 1.2.3.4) from the same zone; the arguments are server, zone, record name, type and data:
samba-tool dns delete dnsserver.example.priv example.priv myserver.example.priv A 1.2.3.4 -U administrator --password secretPAssword

References