Clark's Home page

Assorted technical notes from a Linux sysadmin, plus a bit of his life

Samba 4: adding a new DC to an existing Active Directory domain

Having more than one DC (domain controller) in an Active Directory domain is generally a good idea; even in the old NT4 domains a BDC (backup domain controller) was the norm. As one learns over the years, redundancy is never excessive or unjustified, and now that virtualization has brought the cost of a machine close to zero there are almost no excuses left for not doing it.
The base I worked on is Devuan Jessie; by choice, and to have something more recent than the packaged version, I also decided to compile Samba from source.
Make sure that /etc/krb5.conf looks like this:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = MYADDOMAIN.LOCAL
Let's verify that Kerberos works with:

# kinit administrator
Password for administrator@MYADDOMAIN.LOCAL:Passw0rd

# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYADDOMAIN.LOCAL

Valid starting Expires Service principal
13/09/2017 11:48:09 13/09/2017 21:48:09 krbtgt/MYADDOMAIN.LOCAL@MYADDOMAIN.LOCAL
renew until 14/09/2017 11:48:04

And there we are: now it is a matter of joining the domain MYADDOMAIN.LOCAL as a Domain Controller that also acts as a DNS server, using Samba's internal DNS.

[root@sentinella private]# samba-tool domain join myaddomain.local DC -U"MYADDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain ‘myaddomain.local’
Found DC vedetta.myaddomain.local
Password for [MYADDOMAIN\administrator]:
workgroup is MAYADDOMAIN
realm is MAYADDOMAIN.local
Deleted CN=RID Set,CN=SENTINELLA,OU=Domain Controllers,DC=MAYADDOMAIN,DC=local
Deleted CN=SENTINELLA,OU=Domain Controllers,DC=MAYADDOMAIN,DC=local
Deleted CN=NTDS Settings,CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MAYADDOMAIN,DC=local
Deleted CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MAYADDOMAIN,DC=local
Adding CN=SENTINELLA,OU=Domain Controllers,DC=MAYADDOMAIN,DC=local
Adding CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MAYADDOMAIN,DC=local
Adding CN=NTDS Settings,CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MAYADDOMAIN,DC=local
Adding SPNs to CN=SENTINELLA,OU=Domain Controllers,DC=MAYADDOMAIN,DC=local
Setting account password for SENTINELLA$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Provision OK for domain DN DC=MAYADDOMAIN,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=MAYADDOMAIN,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=MAYADDOMAIN,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=MAYADDOMAIN,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=MAYADDOMAIN,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=MAYADDOMAIN,DC=local] objects[402/1620] linked_values[0/1]
Partition[CN=Configuration,DC=MAYADDOMAIN,DC=local] objects[804/1620] linked_values[0/1]
Partition[CN=Configuration,DC=MAYADDOMAIN,DC=local] objects[1206/1620] linked_values[0/1]
Partition[CN=Configuration,DC=MAYADDOMAIN,DC=local] objects[1608/1620] linked_values[0/1]
Partition[CN=Configuration,DC=MAYADDOMAIN,DC=local] objects[1620/1620] linked_values[34/34]
Replicating critical objects from the base DN of the domain
Partition[DC=MAYADDOMAIN,DC=local] objects[97/97] linked_values[23/23]
Partition[DC=MAYADDOMAIN,DC=local] objects[364/267] linked_values[23/23]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=MAYADDOMAIN,DC=local
Partition[DC=DomainDnsZones,DC=MAYADDOMAIN,DC=local] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=MAYADDOMAIN,DC=local
Partition[DC=ForestDnsZones,DC=MAYADDOMAIN,DC=local] objects[19/19] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=MAYADDOMAIN,DC=local] objects[3] linked_values[0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain MAYADDOMAIN (SID S-1-5-21-2391961727-3932715082-4100264994) as a DC
[root@sentinella etc]#

Now the necessary DNS records have to be created manually:

# host -t A sentinella.myaddomain.local
Host sentinella.myaddomain.local not found: 3(NXDOMAIN)

samba-tool dns add vedetta mydomain.local sentinella A 192.168.2.202 -Uadministrator
Password for [MYDOMAIN\administrator]:
Record added successfully

Let's retrieve the DCs' objectGUID:
ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid

# record 1
dn: CN=NTDS Settings,CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myaddomain,DC=local
objectGUID: 71f6a17c-51b7-42ce-80f1-5fb321ee46c5

# record 2
dn: CN=NTDS Settings,CN=VEDETTA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myaddomain,DC=local
objectGUID: dce95f67-39b2-4618-ad07-3848e950d672

# returned 2 records
# 2 entries
# 0 referrals

Checking for and creating the objectGUID record:
# host -t CNAME 71f6a17c-51b7-42ce-80f1-5fb321ee46c5._msdcs.myaddomain.local
Host 71f6a17c-51b7-42ce-80f1-5fb321ee46c5._msdcs.myaddomain.local not found: 3(NXDOMAIN)
# samba-tool dns add vedetta _msdcs.myaddomain.local 71f6a17c-51b7-42ce-80f1-5fb321ee46c5 CNAME sentinella.myaddomain.local -Uadministrator
Password for [myaddomain\administrator]:
Record added successfully
host -t CNAME 71f6a17c-51b7-42ce-80f1-5fb321ee46c5._msdcs.myaddomain.local
71f6a17c-51b7-42ce-80f1-5fb321ee46c5._msdcs.myaddomain.local is an alias for sentinella.myaddomain.local.
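Both DNS steps above (the host A record and the objectGUID CNAME under _msdcs) can be made idempotent so they are safe to re-run after a join. The script below is an added example and not part of the original post. It assumes samba-tool, ldbsearch and host on PATH, the sam.ldb path /usr/local/samba/private/sam.ldb used above, and takes the page's own values (DNS server vedetta, zone myaddomain.local, new DC sentinella, address 192.168.2.202) as parameters; the function names parse_dc_guid, ensure_a_record and ensure_guid_cname are mine. The GUID parser is exercised offline against an embedded copy of the ldbsearch output shown above; the live commands run only when RUN_LIVE is set.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent creation of the two
# DNS records a freshly joined Samba DC needs: the host A record and the
# <objectGUID>._msdcs.<domain> CNAME that replication partners use to find it.
# Assumes samba-tool, ldbsearch and host on PATH and sam.ldb under
# /usr/local/samba/private (the source-build path used on the page).

SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"

# Read `ldbsearch ... '(invocationId=*)' --cross-ncs objectguid` output on stdin
# and print the objectGUID of the NTDS Settings object of the DC named in $1.
# Matching is case-insensitive because ldb may print the DN in either case.
parse_dc_guid() {
    awk -v cn="$1" '
        BEGIN { want = tolower("dn: CN=NTDS Settings,CN=" cn ",") }
        index(tolower($0), want) == 1          { hit = 1; next }
        hit && tolower($1) == "objectguid:"    { print $2; exit }
        /^$/                                   { hit = 0 }
    '
}

# Add the A record $3.$2 on DNS server $1 unless it already resolves.
ensure_a_record() {
    dc="$1"; zone="$2"; label="$3"; ip="$4"
    if host -t A "$label.$zone" >/dev/null 2>&1; then
        echo "A record $label.$zone already present"
    else
        samba-tool dns add "$dc" "$zone" "$label" A "$ip" -Uadministrator
    fi
}

# Look up the new DC's objectGUID in sam.ldb and add the _msdcs CNAME if absent.
# We require "is an alias for" in the answer rather than any non-empty reply,
# so a stray A record at the GUID name is not mistaken for the CNAME.
ensure_guid_cname() {
    dc="$1"; zone="$2"; label="$3"
    guid=$(ldbsearch -H "$SAM_LDB" '(invocationId=*)' --cross-ncs objectguid | parse_dc_guid "$label")
    if [ -z "$guid" ]; then
        echo "no NTDS Settings object found for $label in $SAM_LDB" >&2
        return 1
    fi
    fqdn="$guid._msdcs.$zone"
    if host -t CNAME "$fqdn" 2>/dev/null | grep -q 'is an alias for'; then
        echo "CNAME $fqdn already present"
    else
        samba-tool dns add "$dc" "_msdcs.$zone" "$guid" CNAME "$label.$zone" -Uadministrator
    fi
}

# Constructed sample in the page's ldbsearch format, used to exercise the parser offline.
SAMPLE_LDBSEARCH='# record 1
dn: CN=NTDS Settings,CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myaddomain,DC=local
objectGUID: 71f6a17c-51b7-42ce-80f1-5fb321ee46c5

# record 2
dn: CN=NTDS Settings,CN=VEDETTA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myaddomain,DC=local
objectGUID: dce95f67-39b2-4618-ad07-3848e950d672

# returned 2 records'

# Offline demonstration of the parser; the live calls run only when RUN_LIVE is set.
printf '%s\n' "$SAMPLE_LDBSEARCH" | parse_dc_guid sentinella
if [ -n "${RUN_LIVE:-}" ]; then
    ensure_a_record vedetta myaddomain.local sentinella 192.168.2.202
    ensure_guid_cname vedetta myaddomain.local sentinella
fi
```

Run it as `RUN_LIVE=1 sh ensure_dc_dns.sh` on the new DC; without RUN_LIVE it only parses the embedded sample. Replication partners locate this DC through the GUID CNAME, so its absence tends to surface later as replication trouble rather than as an obvious error on the new DC, which is why the check is worth keeping around and re-running.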
Let's check the directory replication status on the AD DC:

#samba-tool drs showrepl
Default-First-Site-Name\SENTINELLA
DSA Options: 0x00000001
DSA object GUID: 71f6a17c-51b7-42ce-80f1-5fb321ee46c5
DSA invocationId: f26ce2e5-e4e7-4399-998f-cb730e9797c2

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ Wed Sep 13 14:22:20 2017 CEST was successful
0 consecutive failure(s).
Last success @ Wed Sep 13 14:22:20 2017 CEST

DC=DomainDnsZones,DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ Wed Sep 13 14:22:20 2017 CEST was successful
0 consecutive failure(s).
Last success @ Wed Sep 13 14:22:20 2017 CEST

CN=Configuration,DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ Wed Sep 13 14:22:20 2017 CEST was successful
0 consecutive failure(s).
Last success @ Wed Sep 13 14:22:20 2017 CEST

DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ Wed Sep 13 14:22:20 2017 CEST was successful
0 consecutive failure(s).
Last success @ Wed Sep 13 14:22:20 2017 CEST

DC=ForestDnsZones,DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ Wed Sep 13 14:22:20 2017 CEST was successful
0 consecutive failure(s).
Last success @ Wed Sep 13 14:22:20 2017 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=ForestDnsZones,DC=myaddomain,DC=local
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: dce95f67-39b2-4618-ad07-3848e950d672
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: f1097eff-75bb-40c3-a625-63d5a666fd9a
Enabled : TRUE
Server DNS name : vedetta.myaddomain.local
Server DN name : CN=NTDS Settings,CN=VEDETTA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myaddomain,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
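The showrepl output above is easy to eyeball once, but the same check is worth running regularly: a link that keeps failing leaves the two DCs with diverging copies of the directory (accounts, group membership, passwords). The script below is an added example, not the post's own code. It assumes samba-tool on PATH and the output layout shown above (section headers between "====", partition DNs at column 0, then a "N consecutive failure(s)." line per neighbour); the function names repl_failures, repl_never_synced and check_live_replication are mine. It parses an embedded constructed sample in which one inbound link has been given three consecutive failures (the page's own output shows none) and returns a non-zero exit status suited to cron or a monitoring agent.

```shell
#!/bin/sh
# Added example (not from the original post): turn `samba-tool drs showrepl`
# output into a pass/fail replication health check. Assumes samba-tool on PATH
# and the output format shown on the page.

# Print "SECTION PARTITION N" for every neighbour reporting N > 0 consecutive failures.
repl_failures() {
    awk '
        /^==== /                { section = $2; next }
        /^[ \t]*(CN|DC)=/       { sub(/^[ \t]+/, ""); partition = $0; next }
        /consecutive failure/   { n = $1 + 0; if (n > 0) print section, partition, n }
    '
}

# Print "SECTION PARTITION" for every neighbour whose last success is NTTIME(0),
# i.e. no successful replication has ever been recorded on that link.
repl_never_synced() {
    awk '
        /^==== /                       { section = $2; next }
        /^[ \t]*(CN|DC)=/              { sub(/^[ \t]+/, ""); partition = $0; next }
        /Last success @ NTTIME\(0\)/   { print section, partition }
    '
}

# Verdict for the live DC: 0 = healthy, 1 = failures seen (listed on stderr),
# 2 = an inbound link has never replicated successfully.
check_live_replication() {
    out=$(samba-tool drs showrepl) || return 1
    if [ -n "$(printf '%s\n' "$out" | repl_failures)" ]; then
        printf '%s\n' "$out" | repl_failures >&2
        return 1
    fi
    if printf '%s\n' "$out" | repl_never_synced | grep -q '^INBOUND '; then
        return 2
    fi
    return 0
}

# Constructed sample (trimmed from the page's output; the failing inbound link
# and its "failed" attempt line are invented for the demonstration).
SAMPLE_SHOWREPL='Default-First-Site-Name\SENTINELLA
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=myaddomain,DC=local
    Default-First-Site-Name\VEDETTA via RPC
        Last attempt @ Wed Sep 13 14:22:20 2017 CEST was successful
        0 consecutive failure(s).
        Last success @ Wed Sep 13 14:22:20 2017 CEST

DC=myaddomain,DC=local
    Default-First-Site-Name\VEDETTA via RPC
        Last attempt @ Wed Sep 13 14:40:00 2017 CEST failed
        3 consecutive failure(s).
        Last success @ Wed Sep 13 14:22:20 2017 CEST

==== OUTBOUND NEIGHBORS ====

DC=myaddomain,DC=local
    Default-First-Site-Name\VEDETTA via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
'

# Offline demonstration on the sample; the live check runs only when CHECK_LIVE is set.
printf '%s\n' "$SAMPLE_SHOWREPL" | repl_failures
if [ -n "${CHECK_LIVE:-}" ]; then
    check_live_replication
fi
```

NTTIME(0) in the outbound section of a freshly joined DC, as in the output above, only means the partner has not yet pulled from it; the check therefore treats only an inbound link with no recorded success as a problem, and any non-zero failure count on either side as a failure.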

Let's test the local DNS server:

# host -t A myaddomain.local localhost
Using domain server:
Name: localhost
Address: ::1#53
Aliases:

myaddomain.local has address 192.168.2.201
myaddomain.local has address 192.168.2.202

Reference: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Categorised as: Linux | Networking | Samba | Work