Clark's Home page

Tecnicismi vari di un Sysadmin Linux ma anche qualcosa della sua vita

Sentinella —

Avere un più di un DC (domain controller) in un dominio gestito da Active Directory è in generale una buona idea, per altro anche nei vecchi domini NT4 un  BDC (backup domain controller) era la norma, quindi visto che come si impara negli anni la ridondanza non è mai ne troppa ne immotivata.
Anche in questo caso ho optato per un partizionamento di questo tipo:

2 gb swap

16 gb /

2 gb /samba

La base sulla quale ho lavorato è una Devuan ascii, per scelta e per avere qualcosa di fresco rispetto alla pacchettizzazione ho scelto inoltre di compilare samba da sorgenti.
Assicuriamoci che il file /etc/krb5.conf sia come questo
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = MYFIRM.LAN
Verifichiamo che kerberos funzioni con:

# kinit administrator
Password for administrator@MYFIRM.LAN:Passw0rd

# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYFIRM.LAN

Valid starting Expires Service principal
13/09/2017 11:48:09 13/09/2017 21:48:09 krbtgt/MYFIRM.LAN@MYFIRM.LAN
renew until 14/09/2017 11:48:04

E ci siamo, adesso si tratta di fare il join al dominio MYFIRM.LAN come Domain Controler che funzioni anche come server DNS impiegando il DNS interno di Samba.

[root@sentinella ]# samba-tool domain join MYFIRM.LAN DC -U”MYFIRM\administrator” –dns-backend=SAMBA_INTERNAL –option=’idmap_ldb:use rfc2307 = yes’

Finding a writeable DC for domain ‘MYFIRM.LAN’
Found DC vedetta.myfirm.lan
Password for [MYFIRM\administrator]:
workgroup is MYFIRM
realm is myfirm.lan
Deleted CN=RID Set,CN=SENTINELLA,OU=Domain Controllers,DC=myfirm,DC=lan
Deleted CN=SENTINELLA,OU=Domain Controllers,DC=myfirm,DC=lan
Deleted CN=NTDS Settings,CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan
Deleted CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan
Adding CN=SENTINELLA,OU=Domain Controllers,DC=myfirm,DC=lan
Adding CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan
Adding CN=NTDS Settings,CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan
Adding SPNs to CN=SENTINELLA,OU=Domain Controllers,DC=myfirm,DC=lan
Setting account password for SENTINELLA$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=myfirm,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=myfirm,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=myfirm,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=myfirm,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=myfirm,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[402/1622] linked_values[0/1]
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[804/1622] linked_values[0/1]
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[1206/1622] linked_values[0/1]
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[1608/1622] linked_values[0/1]
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[1622/1622] linked_values[34/34]
Failed to commit objects: DOS code 0x000021bf
Missing target object – retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[2024/1622] linked_values[1/1]
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[2426/1622] linked_values[0/1]
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[2828/1622] linked_values[0/1]
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[3230/1622] linked_values[0/1]
Partition[CN=Configuration,DC=myfirm,DC=lan] objects[3244/1622] linked_values[33/34]
Replicating critical objects from the base DN of the domain
Partition[DC=myfirm,DC=lan] objects[97/97] linked_values[23/23]
Partition[DC=myfirm,DC=lan] objects[369/272] linked_values[23/23]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=myfirm,DC=lan
Partition[DC=DomainDnsZones,DC=myfirm,DC=lan] objects[42/42] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=myfirm,DC=lan
Partition[DC=ForestDnsZones,DC=myfirm,DC=lan] objects[20/20] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=myfirm,DC=lan] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for SENTINELLA.myfirm.lan
Adding DNS A record SENTINELLA.myfirm.lan for IPv4 IP: 192.168.200.202
Adding DNS CNAME record e927bd2b-1358-416d-a903-4946e33f425a._msdcs.myfirm.lan for SENTINELLA.myfirm.lan
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=myfirm,DC=lan
Partition[DC=DomainDnsZones,DC=myfirm,DC=lan] objects[3/3] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=myfirm,DC=lan
Partition[DC=ForestDnsZones,DC=myfirm,DC=lan] objects[2/2] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain MYFIRM (SID S-1-5-21-1842202679-333570776-2307202636) as a DC
E il DC di supporto è a posto, si tratta adesso di allinearlo al AD-DC, si passa quindi sul AD e si crea una copia del file idmap.ldb che contiene gli ID di utenti e gruppi in formato ‘xidNumber’ con questo comando:

# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb

Quindi lo si sposta sul DC nello stesso path e lo si rinomina togliendo il .bak sostituendo di fatto il file esistente sul DC, questa operazione è necessaria perché se gli id non sono identici e per come funziona idmap.ldb non lo sono non si può garantire il funzionamento.
A questo punto mi sono trovato in difficoltà con l’interpretazione del wiki che dice sostanzialmente di eseguire prima il comando

# samba-tool ntacl sysvolreset 
e poi di tenere sincoronizzato sul DC con uno script ad esempio come questo che ho adottato in realta' per non avere una fila di errori che non finiva mai

ho dovuto fare esattamente l’opposto a quel punto tuto ha funzionato a dovere.

samba-tool drs showrepl
Default-First-Site-Name\SENTINELLA
DSA Options: 0x00000001
DSA object GUID: cbdfcb64-b9e4-472a-a40d-c98dfe5d0ec7
DSA invocationId: 24c73a94-23e4-4d05-bd50-0e3e0181c0a8

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ Thu Mar 21 15:57:31 2019 CET was successful
0 consecutive failure(s).
Last success @ Thu Mar 21 15:57:31 2019 CET

DC=DomainDnsZones,DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ Thu Mar 21 15:57:31 2019 CET was successful
0 consecutive failure(s).
Last success @ Thu Mar 21 15:57:31 2019 CET

DC=ForestDnsZones,DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ Thu Mar 21 15:57:31 2019 CET was successful
0 consecutive failure(s).
Last success @ Thu Mar 21 15:57:31 2019 CET

CN=Configuration,DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ Thu Mar 21 15:57:31 2019 CET was successful
0 consecutive failure(s).
Last success @ Thu Mar 21 15:57:31 2019 CET

DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ Thu Mar 21 15:57:31 2019 CET was successful
0 consecutive failure(s).
Last success @ Thu Mar 21 15:57:31 2019 CET

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=ForestDnsZones,DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=myfirm,DC=lan
Default-First-Site-Name\VEDETTA via RPC
DSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection —
Connection name: 75efe6bc-244f-44c1-af60-77ce503fefe0
Enabled : TRUE
Server DNS name : vedetta.myfirm.lan
Server DN name : CN=NTDS Settings,CN=VEDETTA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!

Il warning è di nessuna importanza e lo si trova nelle FAQ

Testiamo il server DNS locale

# host -t A myfirm.lan localhost
Using domain server:
Name: localhost
Address: ::1#53
Aliases:

myfirm.lan has address 192.168.2.205
myfirm.lan has address 192.168.2.202
Come per l’AD-DC anche qui essendo compilato a mano il samba necessita dello init-script che è lo stesso della macchina principale.

Reference: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

 


Categorised as: Linux | Networking | Samba | Work

Comments are disabled on this post


Comments are closed.