{"id":1590,"date":"2019-03-21T16:09:33","date_gmt":"2019-03-21T15:09:33","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=1590"},"modified":"2019-03-21T16:12:22","modified_gmt":"2019-03-21T15:12:22","slug":"samba-4-aggiungere-un-dc-nuovo-a-un-dominio-active-directory-esistente-2","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=1590","title":{"rendered":"Sentinella"},"content":{"rendered":"<p>Having more than one <a href=\"https:\/\/it.wikipedia.org\/wiki\/Domain_controller\">DC<\/a> (domain controller) in a domain managed by <a href=\"https:\/\/it.wikipedia.org\/wiki\/Active_Directory\">Active Directory<\/a> is generally a good idea; after all, even in the old NT4 domains a BDC (backup domain controller) was the norm, and as one learns over the years, redundancy is never excessive or unjustified.<br \/>\nIn this case too I opted for a partitioning scheme of this kind:<\/p>\n<p>2 GB swap<\/p>\n<p>16 GB \/<\/p>\n<p>2 GB \/samba<\/p>\n<p>The base I worked on is a Devuan ascii; by choice, and to have something fresher than the packaged version, I also chose to compile <a href=\"http:\/\/clark.tipistrani.it\/?p=1396\">samba from source<\/a>.<br \/>\nMake sure the file \/etc\/krb5.conf looks like this:<br \/>\n[libdefaults]<br \/>\ndns_lookup_realm = false<br \/>\ndns_lookup_kdc = true<br \/>\ndefault_realm = MYFIRM.LAN<br \/>\nCheck that Kerberos works with:<\/p>\n<p># kinit administrator<br \/>\nPassword for administrator@MYFIRM.LAN:Passw0rd<\/p>\n<p># klist<\/p>\n<p>Ticket cache: FILE:\/tmp\/krb5cc_0<br \/>\nDefault principal: administrator@MYFIRM.LAN<\/p>\n<p>Valid starting Expires Service principal<br \/>\n13\/09\/2017 11:48:09 13\/09\/2017 21:48:09 krbtgt\/MYFIRM.LAN@MYFIRM.LAN<br \/>\nrenew until 14\/09\/2017 11:48:04<\/p>\n<p>And there we are; now it is a matter of joining the MYFIRM.LAN domain as a Domain Controller that also acts as a DNS server 
using Samba's internal DNS.<\/p>\n<p>[root@sentinella ]# samba-tool domain join MYFIRM.LAN DC -U\"MYFIRM\\administrator\" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'<\/p>\n<p>Finding a writeable DC for domain 'MYFIRM.LAN'<br \/>\nFound DC vedetta.myfirm.lan<br \/>\nPassword for [MYFIRM\\administrator]:<br \/>\nworkgroup is MYFIRM<br \/>\nrealm is myfirm.lan<br \/>\nDeleted CN=RID Set,CN=SENTINELLA,OU=Domain Controllers,DC=myfirm,DC=lan<br \/>\nDeleted CN=SENTINELLA,OU=Domain Controllers,DC=myfirm,DC=lan<br \/>\nDeleted CN=NTDS Settings,CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan<br \/>\nDeleted CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan<br \/>\nAdding CN=SENTINELLA,OU=Domain Controllers,DC=myfirm,DC=lan<br \/>\nAdding CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan<br \/>\nAdding CN=NTDS Settings,CN=SENTINELLA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan<br \/>\nAdding SPNs to CN=SENTINELLA,OU=Domain Controllers,DC=myfirm,DC=lan<br \/>\nSetting account password for SENTINELLA$<br \/>\nEnabling account<br \/>\nCalling bare provision<br \/>\nLooking up IPv4 addresses<br \/>\nLooking up IPv6 addresses<br \/>\nNo IPv6 address will be assigned<br \/>\nSetting up share.ldb<br \/>\nSetting up secrets.ldb<br \/>\nSetting up the registry<br \/>\nSetting up the privileges database<br \/>\nSetting up idmap db<br \/>\nSetting up SAM db<br \/>\nSetting up sam.ldb partitions and settings<br \/>\nSetting up sam.ldb rootDSE<br \/>\nPre-loading the Samba 4 and AD schema<br \/>\nUnable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs<\/p>\n<p>A Kerberos configuration suitable for Samba AD has been generated at \/usr\/local\/samba\/private\/krb5.conf<br \/>\nMerge the contents of this file 
with your system krb5.conf or replace it with this one. Do not create a symlink!<br \/>\nProvision OK for domain DN DC=myfirm,DC=lan<br \/>\nStarting replication<br \/>\nSchema-DN[CN=Schema,CN=Configuration,DC=myfirm,DC=lan] objects[402\/1550] linked_values[0\/0]<br \/>\nSchema-DN[CN=Schema,CN=Configuration,DC=myfirm,DC=lan] objects[804\/1550] linked_values[0\/0]<br \/>\nSchema-DN[CN=Schema,CN=Configuration,DC=myfirm,DC=lan] objects[1206\/1550] linked_values[0\/0]<br \/>\nSchema-DN[CN=Schema,CN=Configuration,DC=myfirm,DC=lan] objects[1550\/1550] linked_values[0\/0]<br \/>\nAnalyze and apply schema objects<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[402\/1622] linked_values[0\/1]<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[804\/1622] linked_values[0\/1]<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[1206\/1622] linked_values[0\/1]<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[1608\/1622] linked_values[0\/1]<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[1622\/1622] linked_values[34\/34]<br \/>\nFailed to commit objects: DOS code 0x000021bf<br \/>\nMissing target object &#8211; retrying with DRS_GET_TGT<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[2024\/1622] linked_values[1\/1]<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[2426\/1622] linked_values[0\/1]<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[2828\/1622] linked_values[0\/1]<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[3230\/1622] linked_values[0\/1]<br \/>\nPartition[CN=Configuration,DC=myfirm,DC=lan] objects[3244\/1622] linked_values[33\/34]<br \/>\nReplicating critical objects from the base DN of the domain<br \/>\nPartition[DC=myfirm,DC=lan] objects[97\/97] linked_values[23\/23]<br \/>\nPartition[DC=myfirm,DC=lan] objects[369\/272] linked_values[23\/23]<br \/>\nDone with always replicated NC (base, config, schema)<br \/>\nReplicating 
DC=DomainDnsZones,DC=myfirm,DC=lan<br \/>\nPartition[DC=DomainDnsZones,DC=myfirm,DC=lan] objects[42\/42] linked_values[0\/0]<br \/>\nReplicating DC=ForestDnsZones,DC=myfirm,DC=lan<br \/>\nPartition[DC=ForestDnsZones,DC=myfirm,DC=lan] objects[20\/20] linked_values[0\/0]<br \/>\nExop on[CN=RID Manager$,CN=System,DC=myfirm,DC=lan] objects[3] linked_values[0]<br \/>\nCommitting SAM database<br \/>\nAdding 1 remote DNS records for SENTINELLA.myfirm.lan<br \/>\nAdding DNS A record SENTINELLA.myfirm.lan for IPv4 IP: 192.168.200.202<br \/>\nAdding DNS CNAME record e927bd2b-1358-416d-a903-4946e33f425a._msdcs.myfirm.lan for SENTINELLA.myfirm.lan<br \/>\nAll other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup<br \/>\nReplicating new DNS records in DC=DomainDnsZones,DC=myfirm,DC=lan<br \/>\nPartition[DC=DomainDnsZones,DC=myfirm,DC=lan] objects[3\/3] linked_values[0\/0]<br \/>\nReplicating new DNS records in DC=ForestDnsZones,DC=myfirm,DC=lan<br \/>\nPartition[DC=ForestDnsZones,DC=myfirm,DC=lan] objects[2\/2] linked_values[0\/0]<br \/>\nSending DsReplicaUpdateRefs for all the replicated partitions<br \/>\nSetting isSynchronized and dsServiceName<br \/>\nSetting up secrets database<br \/>\nJoined domain MYFIRM (SID S-1-5-21-1842202679-333570776-2307202636) as a DC<\/p>\n<p>And the secondary DC is in place; now it is a matter of aligning it with the AD-DC, so we go to the AD-DC and create a copy of the idmap.ldb file, which contains the user and group IDs in 'xidNumber' format, with this command:<\/p>\n<pre># tdbbackup -s .bak \/usr\/local\/samba\/private\/idmap.ldb<\/pre>\n<p>Then move it to the DC in the same path and rename it, dropping the .bak, thereby replacing the existing file on the DC; this step is necessary because if the IDs are not identical (and given how idmap.ldb works, they are not) correct operation cannot be guaranteed.<br \/>\nAt this point I found myself in difficulty with 
interpreting the wiki, which essentially says to first run the command<\/p>\n<pre># samba-tool ntacl sysvolreset<\/pre>\n<p>and then to keep it synchronized on the DC with a script, for example like <a href=\"http:\/\/clark.tipistrani.it\/?p=1592\">this one<\/a>, which I adopted. In reality, to avoid a never-ending stream of errors, I had to do exactly the opposite, and at that point everything worked as it should.<\/p>\n<p># samba-tool drs showrepl<br \/>\nDefault-First-Site-Name\\SENTINELLA<br \/>\nDSA Options: 0x00000001<br \/>\nDSA object GUID: cbdfcb64-b9e4-472a-a40d-c98dfe5d0ec7<br \/>\nDSA invocationId: 24c73a94-23e4-4d05-bd50-0e3e0181c0a8<\/p>\n<p>==== INBOUND NEIGHBORS ====<\/p>\n<p>CN=Schema,CN=Configuration,DC=myfirm,DC=lan<br \/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ Thu Mar 21 15:57:31 2019 CET was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ Thu Mar 21 15:57:31 2019 CET<\/p>\n<p>DC=DomainDnsZones,DC=myfirm,DC=lan<br \/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ Thu Mar 21 15:57:31 2019 CET was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ Thu Mar 21 15:57:31 2019 CET<\/p>\n<p>DC=ForestDnsZones,DC=myfirm,DC=lan<br \/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ Thu Mar 21 15:57:31 2019 CET was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ Thu Mar 21 15:57:31 2019 CET<\/p>\n<p>CN=Configuration,DC=myfirm,DC=lan<br \/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ Thu Mar 21 15:57:31 2019 CET was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ Thu Mar 21 15:57:31 2019 CET<\/p>\n<p>DC=myfirm,DC=lan<br 
\/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ Thu Mar 21 15:57:31 2019 CET was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ Thu Mar 21 15:57:31 2019 CET<\/p>\n<p>==== OUTBOUND NEIGHBORS ====<\/p>\n<p>CN=Schema,CN=Configuration,DC=myfirm,DC=lan<br \/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ NTTIME(0) was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ NTTIME(0)<\/p>\n<p>DC=DomainDnsZones,DC=myfirm,DC=lan<br \/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ NTTIME(0) was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ NTTIME(0)<\/p>\n<p>DC=ForestDnsZones,DC=myfirm,DC=lan<br \/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ NTTIME(0) was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ NTTIME(0)<\/p>\n<p>CN=Configuration,DC=myfirm,DC=lan<br \/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ NTTIME(0) was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ NTTIME(0)<\/p>\n<p>DC=myfirm,DC=lan<br \/>\nDefault-First-Site-Name\\VEDETTA via RPC<br \/>\nDSA object GUID: 59217f72-7739-4de9-bd5e-01c3098fd4f8<br \/>\nLast attempt @ NTTIME(0) was successful<br \/>\n0 consecutive failure(s).<br \/>\nLast success @ NTTIME(0)<\/p>\n<p>==== KCC CONNECTION OBJECTS ====<\/p>\n<p>Connection &#8212;<br \/>\nConnection name: 75efe6bc-244f-44c1-af60-77ce503fefe0<br \/>\nEnabled : TRUE<br \/>\nServer DNS name : vedetta.myfirm.lan<br \/>\nServer DN name : CN=NTDS Settings,CN=VEDETTA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myfirm,DC=lan<br \/>\nTransportType: 
RPC<br \/>\noptions: 0x00000001<br \/>\nWarning: No NC replicated for Connection!<\/p>\n<p>The warning is of no importance and is covered in the FAQ.<\/p>\n<p>Let's test the local DNS server:<\/p>\n<p># host -t A myfirm.lan localhost<br \/>\nUsing domain server:<br \/>\nName: localhost<br \/>\nAddress: ::1#53<br \/>\nAliases:<\/p>\n<p>myfirm.lan has address 192.168.2.205<br \/>\nmyfirm.lan has address 192.168.2.202<\/p>\n<p>As with the AD-DC, here too, since samba was compiled by hand, it needs the init script, which is the same one as on the main machine.<\/p>\n<p>Reference: https:\/\/wiki.samba.org\/index.php\/Joining_a_Samba_DC_to_an_Existing_Active_Directory<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having more than one DC (domain controller) in a domain managed by Active Directory is generally a good idea; after all, even in the old NT4 domains a BDC (backup domain controller) was the norm, and as one learns over the years, redundancy is never excessive or unjustified. 
In this [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,14,11,6],"tags":[115,114,15,84],"class_list":["post-1590","post","type-post","status-publish","format-standard","hentry","category-linux","category-networking","category-samba","category-work","tag-ad","tag-dc","tag-dns","tag-samba4"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1590"}],"version-history":[{"count":6,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1590\/revisions"}],"predecessor-version":[{"id":1599,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1590\/revisions\/1599"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1590"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}