Domain controller
samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMDOM.EXAMPLE.COM]: SAMDOM.EXAMPLE.COM
Domain [SAMDOM]: SAMDOM
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:SAMBA_INTERNAL
Administrator password: pa$$w0rd
Retype password: pa$$w0rd
Checking the initial Samba installation
smbclient -L localhost -U%
To verify that authentication works, try connecting to the netlogon share with the Administrator account created during provisioning:
smbclient //localhost/netlogon -UAdministrator -c 'ls'
Check DNS:
host -t SRV _ldap._tcp.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
host -t SRV _kerberos._udp.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
host -t A dc1.samdom.example.com.
dc1.samdom.example.com has address 192.168.1.1
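The DNS checks above, generalised into a script that verifies every SRV record an AD DC registers, not only the two shown (added example, not from the original page; the domain and host names follow the page, and the sample lookups are constructed, so it runs offline):

```shell
#!/bin/sh
# Added example (not from the original page): check that the SRV records an AD DC
# must publish resolve to the expected DC and port, by parsing `host -t SRV` output.
# Names (samdom.example.com, dc1) follow the page; the lookups below are constructed.

# srv_ok OUTPUT NAME PORT TARGET: 0 if OUTPUT has "NAME has SRV record <prio> <weight> PORT TARGET."
srv_ok() {
    printf '%s\n' "$1" | awk -v name="$2" -v port="$3" -v target="$4" '
        $1 == name && $3 == "SRV" && $4 == "record" && $7 == port {
            sub(/\.$/, "", $8); if ($8 == target) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_dc_srv DOMAIN DC_FQDN LOOKUP: LOOKUP is a command printing host(1)-style output
# for the name it is given. Returns 0 only when every record is present and correct.
# This list goes beyond the page's two checks: all six are registered by an AD DC.
check_dc_srv() {
    domain=$1 dc=$2 lookup=$3 fail=0
    for entry in _ldap._tcp:389 _ldap._tcp.dc._msdcs:389 _kerberos._tcp:88 \
                 _kerberos._udp:88 _kpasswd._tcp:464 _kpasswd._udp:464; do
        name="${entry%%:*}.$domain"; port="${entry##*:}"
        if srv_ok "$("$lookup" "$name")" "$name" "$port" "$dc"; then
            echo "ok   $name -> $dc:$port"
        else
            echo "FAIL $name (expected $dc:$port)"; fail=1
        fi
    done
    return "$fail"
}

# For a live DC replace sample_good with: live_lookup() { host -t SRV "$1."; }
sample_good() {                      # constructed output of a healthy DC
    case $1 in _ldap.*) port=389 ;; _kerberos.*) port=88 ;; *) port=464 ;; esac
    echo "$1 has SRV record 0 100 $port dc1.samdom.example.com."
}
sample_missing() {                   # constructed: _kpasswd._udp never registered
    case $1 in _kpasswd._udp.*) echo "$1 has no SRV record" ;; *) sample_good "$1" ;; esac
}

echo "== healthy DC =="
check_dc_srv samdom.example.com dc1.samdom.example.com sample_good
echo "== DC missing a record =="
check_dc_srv samdom.example.com dc1.samdom.example.com sample_missing \
    || echo "-> password changes via kpasswd over UDP would fail on this DC"
```

A missing or wrong record here is the usual reason a join or kinit fails later, so run this before touching Kerberos.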
Check Kerberos:
kinit administrator@SAMDOM.EXAMPLE.COM
Password for administrator@SAMDOM.EXAMPLE.COM:
Warning: Your password will expire in 41 days on Sat Aug 16 21:41:28 2014
Creating DNS records
samba-tool dns zonecreate net.lan 0.168.192.in-addr.arpa
samba-tool dns add net.lan 0.168.192.in-addr.arpa 251 PTR dc0.net.lan
Second domain controller
/etc/krb5.conf:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = LOCAL.MY
[realms]
LOCAL.MY = {
kdc = dc.local.my
admin_server = dc.local.my
default_domain = local.my
}
[domain_realm]
.local.my = LOCAL.MY
local.my = LOCAL.MY
A minimal working smb.conf for an AD DC environment:
[global]
debug level = 1
syslog = 1
workgroup = LOCAL
realm = LOCAL.MY
netbios name = DC02
; https://smb-conf.ru/server-role.html
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
; 'nonsecure' accepts unsigned dynamic updates from any host (the default is 'secure only')
allow dns updates = nonsecure
dns forwarder = DNS_Server
idmap_ldb:user rfc2307 = Yes
[netlogon]
path = /usr/local/samba/sysvol/local.my/scripts
read only = No
[sysvol]
path = /usr/local/samba/sysvol
read only = No
Leave the domain:
net ads leave -U user
Join the domain (with an existing Kerberos ticket, or with a password):
kinit
klist
samba-tool domain join local.my DC --krb5-ccache=/tmp/krb5cc_0 --dns-backend=NONE
# or
samba-tool domain join local.my DC --dns-backend=NONE -U user
samba-tool dbcheck --cross-ncs --fix --yes 'fix_replmetadata_unsorted_attid'
samba-tool dbcheck --cross-ncs --fix --yes 'fix_replica_locations'
- error WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: see https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting
Verification:
wbinfo -u
wbinfo -g
net groupmap list
# directory replication service (DRS) status
samba-tool drs showrepl