Adding an additional Domain Controller to a Samba AD domain
Installation and Join
apt install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
vi /etc/krb5.conf
[libdefaults]
    default_realm = METRICA.PRIV
    dns_lookup_kdc = true
    dns_lookup_realm = false
reboot
kinit administrator@METRICA.PRIV
klist
sudo systemctl stop smbd.service
sudo systemctl stop winbind.service
sudo systemctl stop nmbd.service
systemctl stop samba-ad-dc
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.original
ps ax | egrep "samba|smbd|nmbd|winbindd"
sudo smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
cd /var/run/samba && find . -type f \( -iname \*.tdb -o -iname \*.ldb \) -print -exec /bin/rm -f {} \;
cd /var/lib/samba && find . -type f \( -iname \*.tdb -o -iname \*.ldb \) -print -exec /bin/rm -f {} \;
cd /var/cache/samba && find . -type f \( -iname \*.tdb -o -iname \*.ldb \) -print -exec /bin/rm -f {} \;
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
samba-tool domain join metrica.priv DC -k yes
Setup ID mapping:
vi /etc/samba/smb.conf
The join writes a minimal smb.conf (realm, workgroup, server role); add these parameters to its existing [global] section rather than replacing the file:
[global]
    dns forwarder = 192.168.1.254
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
systemctl restart samba-ad-dc
- Verify replication:
samba-tool drs showrepl
- This warning is ok:
Warning: No NC replicated for Connection!
- Adapt Kerberos config (use the krb5.conf Samba generated at provisioning/join time):
mv /etc/krb5.conf /etc/krb5.conf.initial
ln -s /var/lib/samba/private/krb5.conf /etc/
cat /etc/krb5.conf
- Verify Kerberos authentication:
kinit administrator
klist
- Verify DNS records:
host ad.metrica.it
ad.metrica.it has address 192.168.1.111
ad.metrica.it has address 192.168.1.120
host -t SRV _kerberos._udp.ad.metrica.it # UDP Kerberos SRV record
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc01.ad.metrica.it.
_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc02.ad.metrica.it.
host -t SRV _ldap._tcp.ad.metrica.it # TCP LDAP SRV record
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc01.ad.metrica.it.
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc02.ad.metrica.it.
- Verify directory replication in both directions by creating a user on one DC, deleting it on the other, and checking that each change shows up on the peer:
# on metdc02
samba-tool user create test_user
# on metdc01 (the user must be visible here before deleting it)
samba-tool user list | grep test_user
samba-tool user delete test_user
# on metdc02 (must now return nothing)
samba-tool user list | grep test_user
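The DNS and replication checks above, wrapped into a script, as an added example that is not from these notes or from the Samba project. It assumes the names used in the notes (realm ad.metrica.it, DCs metdc01 and metdc02, overridable through SAMBA_REALM and EXPECTED_DCS); the `host` and `samba-tool drs showrepl` outputs embedded in it are constructed samples, not captured from a real domain. Run without arguments it exercises the parsers on those samples; run with `live` on a DC it queries DNS and samba-tool for real and exits non-zero when a DC is missing from an SRV record or a replication neighbour reports failures.

```bash
#!/bin/bash
# Post-join checks for a second Samba AD DC (added example, not the notes' own commands).
# Assumed names follow the notes: realm ad.metrica.it, DCs metdc01 and metdc02.
set -euo pipefail

REALM="${SAMBA_REALM:-ad.metrica.it}"
EXPECTED_DCS="${EXPECTED_DCS:-metdc01 metdc02}"   # every DC that must be advertised

# Print the short host names of the SRV targets in `host -t SRV ...` output read on stdin.
srv_targets() {
    awk '/has SRV record/ { t = $NF; sub(/\.$/, "", t); split(t, p, "."); print p[1] }' | sort -u
}

# Succeed only if every expected DC is advertised in the SRV output read on stdin.
# A DC missing here is joined, but clients will never find it for Kerberos or LDAP.
check_srv() {
    local found dc rc=0
    found="$(srv_targets)"
    for dc in $EXPECTED_DCS; do
        if ! grep -qx "$dc" <<<"$found"; then
            echo "MISSING: $dc is not an SRV target" >&2
            rc=1
        fi
    done
    return $rc
}

# Scan `samba-tool drs showrepl` output read on stdin for a failed last attempt or a
# non-zero failure counter on any neighbour. "No NC replicated for Connection!" is the
# benign KCC warning mentioned in the notes and is deliberately not treated as an error.
check_showrepl() {
    local bad
    bad="$(awk '
        /Last attempt @/ && / failed/        { print "FAIL: " $0 }
        /consecutive failure\(s\)/ && $1 > 0 { print "FAIL: " $0 }
    ')"
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample output (not captured from a live domain).
SAMPLE_SRV_OK='_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc01.ad.metrica.it.
_ldap._tcp.ad.metrica.it has SRV record 0 100 389 metdc02.ad.metrica.it.'
SAMPLE_SRV_MISSING='_kerberos._udp.ad.metrica.it has SRV record 0 100 88 metdc01.ad.metrica.it.'
SAMPLE_SHOWREPL_OK=$(cat <<'EOF'
==== INBOUND NEIGHBORS ====

DC=ad,DC=metrica,DC=it
    Default-First-Site-Name\METDC01 via RPC
        Last attempt @ Mon Jan  8 10:00:00 2024 UTC was successful
        0 consecutive failure(s).
        Last success @ Mon Jan  8 10:00:00 2024 UTC

==== KCC CONNECTION OBJECTS ====
Warning: No NC replicated for Connection!
EOF
)
SAMPLE_SHOWREPL_FAIL=$(cat <<'EOF'
==== INBOUND NEIGHBORS ====

DC=ad,DC=metrica,DC=it
    Default-First-Site-Name\METDC01 via RPC
        Last attempt @ Mon Jan  8 10:05:00 2024 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Mon Jan  8 09:00:00 2024 UTC
EOF
)

demo() {
    printf '%s\n' "$SAMPLE_SRV_OK"        | check_srv      && echo "srv ok: both DCs advertised"
    printf '%s\n' "$SAMPLE_SRV_MISSING"   | check_srv      || echo "srv check flagged the missing DC"
    printf '%s\n' "$SAMPLE_SHOWREPL_OK"   | check_showrepl && echo "showrepl ok"
    printf '%s\n' "$SAMPLE_SHOWREPL_FAIL" | check_showrepl || echo "showrepl check flagged the failure"
}

live() {
    local rec rc=0
    for rec in _kerberos._udp _kerberos._tcp _ldap._tcp; do
        host -t SRV "$rec.$REALM" | check_srv || rc=1
    done
    samba-tool drs showrepl | check_showrepl || rc=1
    return $rc
}

case "${1:-demo}" in
    live) live ;;
    *)    demo ;;
esac
```

Run `live` on both DCs after the join: each one must see the other as an inbound neighbour with zero failures, and both must appear in every SRV record the clients use.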
Configure Systemd services
systemctl disable smbd nmbd winbind
systemctl enable samba-ad-dc
DNS Config
- Add metdc02 as secondary Nameserver in DHCP config
Setup Time sync
apt install ntp
vi /etc/ntp.conf
pool metdc01.ad.metrica.it
restrict source notrap nomodify noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/
The mssntp option makes ntpd ask Samba to sign replies for domain members, so the user ntpd runs as must be able to read the ntp_signd socket directory (make it group-readable by the ntp group), otherwise signed time requests from Windows clients fail.
systemctl restart ntp
ntpq -p
- This method keeps GPO objects consistent across the domain controllers, but it has one major drawback: it works in one direction only. rsync transfers every change from the source DC to the destination DC, and with --delete-after any object that no longer exists on the source is deleted from the destination as well. To avoid conflicts, make all GPO edits on the first DC only.
- To start SysVol replication, first generate an SSH key on the first Samba AD DC and copy it to the second DC with the commands below. The key lands in root's authorized_keys on metdc02, so sshd there must allow key-based root login; restrict the key with authorized_keys options (from=, command=) rather than leaving an unrestricted root key on the replica.
ssh-keygen -t rsa
ssh-copy-id root@metdc02.ad.metrica.it
ssh root@metdc02.ad.metrica.it cat .ssh/authorized_keys
Then simulate the transfer first:
rsync -XAavz --chmod=775 --delete-after --progress --stats \
    /var/lib/samba/sysvol/ \
    root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ \
    --dry-run
- If the simulation process works as expected, run the rsync command again without the --dry-run option in order to actually replicate GPO objects across your domain controllers.
rsync -XAavz --chmod=775 --delete-after --progress --stats \
    /var/lib/samba/sysvol/ \
    root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/
On the second DC, verify that the Group Policy objects are present:
ls /var/lib/samba/sysvol/ad.metrica.it/Policies/
- Enable scheduled sync (on the first DC only):
cat > /etc/cron.d/samba-sysvol-replication <<EOFile
*/5 * * * * root rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@metdc02.ad.metrica.it:/var/lib/samba/sysvol/ > /var/log/samba/samba-sysvol-replication.log 2>&1
EOFile
- Check on dc01 and dc02 that the NT ACLs stored on sysvol match the GPO objects in the directory:
samba-tool ntacl sysvolcheck
- If sysvolcheck reports ACL errors (in the database or in the VFS xattrs), reset the sysvol ACLs:
samba-tool ntacl sysvolreset
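A guarded version of the cron job above, as an added example that is not the notes' own cron line and not part of Samba. It keeps the notes' assumptions (metdc01 is the only DC where GPOs are edited, metdc02 is the replica, sysvol at /var/lib/samba/sysvol, root over SSH) and adds the guards a cron-driven, one-way push with --delete-after needs: a refusal to run anywhere but the primary, a lock so a slow run cannot overlap the next five-minute tick, and a sysvolcheck on the replica after each push. The install path /usr/local/sbin/sysvol-sync is hypothetical.

```bash
#!/bin/bash
# Cron-safe one-way SysVol push from the primary DC (added example; not from the notes or
# from Samba). Assumed: metdc01 edits GPOs, metdc02 only receives them; root key-based SSH.
# Install as /usr/local/sbin/sysvol-sync (hypothetical) and run "sysvol-sync sync" from cron.
set -euo pipefail

PRIMARY_DC="${SYSVOL_PRIMARY:-metdc01}"
PEER="${SYSVOL_PEER:-root@metdc02.ad.metrica.it}"
SYSVOL="/var/lib/samba/sysvol/"
LOCK="/run/lock/sysvol-sync.lock"
LOG="/var/log/samba/samba-sysvol-replication.log"

# The push must only ever run on the primary: the same command run on the replica would
# push its stale copy back with --delete-after and silently discard edits made on metdc01.
is_primary_dc() {
    [ "$1" = "$PRIMARY_DC" ]
}

# rsync options: -A -X keep POSIX ACLs and xattrs, where Samba stores the NT ACLs it
# enforces on sysvol; --delete-after mirrors removals; --progress is dropped because it
# only fills a cron log with carriage-return noise. "dry-run" adds -n so nothing is written.
rsync_args() {
    local args="-XAavz --chmod=775 --delete-after --stats"
    [ "${1:-}" = "dry-run" ] && args="$args --dry-run"
    echo "$args"
}

sysvol_sync() {
    local mode="${1:-sync}" me
    me="$(hostname -s)"
    is_primary_dc "$me" || { echo "refusing to push from $me: not $PRIMARY_DC" >&2; return 2; }
    # Non-blocking lock: if the previous run is still going, skip this tick instead of
    # running two rsyncs with --delete-after against the same tree.
    exec 9>"$LOCK"
    flock -n 9 || { echo "previous sync still running, skipping" >&2; return 0; }
    # shellcheck disable=SC2046  # word-splitting of the option string is intended
    rsync $(rsync_args "$mode") "$SYSVOL" "$PEER:$SYSVOL"
    # Let the replica re-validate the NT ACLs it just received (the notes fix problems with
    # samba-tool ntacl sysvolreset on the destination).
    [ "$mode" = "dry-run" ] || ssh "$PEER" samba-tool ntacl sysvolcheck
}

case "${1:-}" in
    sync|dry-run) sysvol_sync "$1" >>"$LOG" 2>&1 ;;
    "")           ;;   # run without arguments: only define the functions
    *)            echo "usage: $0 sync|dry-run" >&2; exit 2 ;;
esac
```

The cron entry then becomes `*/5 * * * * root /usr/local/sbin/sysvol-sync sync`, and `sysvol-sync dry-run` replaces the manual --dry-run step. On metdc02, pair the root key with an authorized_keys `from="<metdc01 address>"` restriction and a `command=` wrapper (rsync ships an rrsync helper for exactly this) so a compromise of the key cannot be turned into an arbitrary root shell on the replica.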
References
- Join an Additional Ubuntu DC to Samba4 AD DC for FailOver Replication - Part 5
- Joining a Samba DC to an Existing Active Directory - SambaWiki
- Installing and configuring a secondary Samba-AD on Debian — Samba-AD 4.16 documentation
- Samba 4 Additional Domain Controller for failover Replication on CentOS 7
- Samba: Join an additional Domain Controller to Samba Active Directory
- Setup SysVol Replication Across Two Samba4 AD DC with Rsync - Part 6