Samba : Samba AD DC : Add a Samba DC to an existing AD    2018/06/27
Add a Samba DC to an existing Windows Active Directory forest.
In this example, the Active Directory environment is configured as follows.
[1] Obtain a Kerberos ticket for a domain administrator user and complete the other preparatory steps below.
root@smb:~# apt -y install krb5-user
root@smb:~# vi /etc/krb5.conf
# change to the following (replace the realm with your own)
[libdefaults]
    default_realm = SRV.WORLD
    dns_lookup_realm = false
    dns_lookup_kdc = true
root@smb:~# systemctl stop systemd-resolved
root@smb:~# systemctl disable systemd-resolved
Removed /etc/systemd/system/samba-ad-dc.service.
# remove the resolv.conf symlink and create a regular file in its place
root@smb:~# ll /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Apr 27 10:30 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
root@smb:~# rm /etc/resolv.conf
root@smb:~# vi /etc/resolv.conf
# point DNS resolution at the AD DC (replace the domain name with your own)
domain srv.world
nameserver 10.0.0.100
root@smb:~# kinit administrator
Password for administrator@SRV.WORLD:
root@smb:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SRV.WORLD

Valid starting       Expires              Service principal
06/27/2018 20:52:11  06/28/2018 06:52:11  krbtgt/SRV.WORLD@SRV.WORLD
	renew until 06/28/2018 20:52:07
[2] Add the Samba DC to the existing AD.
# rename or delete the default configuration file
root@smb:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.org
root@smb:~# samba-tool domain join srv.world DC -U "FD3S01\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'srv.world'
Found DC FD3S.srv.world
Password for [FD3S01\administrator]:
workgroup is FD3S01
realm is srv.world
Adding CN=DLP,OU=Domain Controllers,DC=srv,DC=world
Adding CN=DLP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=world
Adding CN=NTDS Settings,CN=DLP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=world
Adding SPNs to CN=DLP,OU=Domain Controllers,DC=srv,DC=world
Setting account password for DLP$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=srv,DC=world
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[402/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[804/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[1206/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[1608/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=srv,DC=world] objects[1743/1438] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=srv,DC=world] objects[402/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=world] objects[804/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=world] objects[1206/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=world] objects[1608/2159] linked_values[0/39]
Partition[CN=Configuration,DC=srv,DC=world] objects[1776/2159] linked_values[39/39]
Replicating critical objects from the base DN of the domain
Partition[DC=srv,DC=world] objects[110/110] linked_values[25/28]
Partition[DC=srv,DC=world] objects[381/4798] linked_values[28/28]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=srv,DC=world
Partition[DC=DomainDnsZones,DC=srv,DC=world] objects[36/36] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=srv,DC=world
Partition[DC=ForestDnsZones,DC=srv,DC=world] objects[19/19] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=srv,DC=world] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for DLP.srv.world
Adding DNS A record DLP.srv.world for IPv4 IP: 10.0.0.30
Adding DNS CNAME record e856365c-3f62-4774-b8a8-0c8b06d566c7._msdcs.srv.world for DLP.srv.world
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=srv,DC=world
Partition[DC=DomainDnsZones,DC=srv,DC=world] objects[1/36] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=srv,DC=world
Partition[DC=ForestDnsZones,DC=srv,DC=world] objects[1/19] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain FD3S01 (SID S-1-5-21-1764851099-3332435390-390327390) as a DC
root@smb:~# systemctl stop smbd nmbd winbind
root@smb:~# systemctl disable smbd nmbd winbind
root@smb:~# systemctl unmask samba-ad-dc
Removed /etc/systemd/system/samba-ad-dc.service.
# confirm that an arbitrary AD user can authenticate against the local host
root@smb:~# smbclient //127.0.0.1/netlogon -U Serverworld -c 'ls'
Enter FD3S01\Serverworld's password:
  .                                   D        0  Wed Jun 27 20:54:35 2018
  ..                                  D        0  Wed Jun 27 20:54:35 2018

		29832064 blocks of size 1024. 26234432 blocks available
# check the directory replication status
root@smb:~# samba-tool drs showrepl
Default-First-Site-Name\DLP
DSA Options: 0x00000001
DSA object GUID: e856365c-3f62-4774-b8a8-0c8b06d566c7
DSA invocationId: 6c2f7dda-a93e-4158-9b8b-3a494863c3d9
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=srv,DC=world
Default-First-Site-Name\SMB via RPC
DSA object GUID: ab920914-1b88-4df9-9146-f2d13d04830e
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
.....
.....
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 465f7e2b-02ab-4d47-8265-9e5a7388ddd2
Enabled : TRUE
Server DNS name : smb.srv.world
Server DN name : CN=NTDS Settings,CN=SMB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=srv,DC=world
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
# According to the official documentation, "No NC replicated for Connection!" is harmless and need not be of much concern
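As an added post-join health check that is not part of the original page, the script below parses samba-tool drs showrepl output and lists every inbound neighbor reporting a non-zero consecutive failure count, so a replication problem surfaces without reading the whole report. The sample output is constructed in the format shown above; the failing neighbor and its result line are invented.

```sh
#!/bin/sh
# Added example (not from the original page): parse `samba-tool drs showrepl`
# output and list inbound neighbors with consecutive replication failures.

# Constructed sample in the showrepl format shown above. The first neighbor
# is healthy; the second (DC=srv,DC=world) is made to report three failures.
SAMPLE_SHOWREPL='Default-First-Site-Name\DLP
DSA Options: 0x00000001
DSA object GUID: e856365c-3f62-4774-b8a8-0c8b06d566c7

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=srv,DC=world
	Default-First-Site-Name\SMB via RPC
		DSA object GUID: ab920914-1b88-4df9-9146-f2d13d04830e
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

DC=srv,DC=world
	Default-First-Site-Name\SMB via RPC
		DSA object GUID: ab920914-1b88-4df9-9146-f2d13d04830e
		Last attempt @ NTTIME(0) failed, result 1 (CONSTRUCTED_ERROR)
		3 consecutive failure(s).
		Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ===='

# Read showrepl output on stdin; print "partition<TAB>neighbor<TAB>count"
# for every inbound neighbor whose failure count is non-zero.
showrepl_failures() {
    awk '
        /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }
        /^==== /                       { inbound = 0 }
        !inbound                       { next }
        /^(DC|CN)=/                    { partition = $0; next }
        / via /                        { neighbor = $0; sub(/^[ \t]+/, "", neighbor); next }
        /consecutive failure\(s\)/     { if ($1 + 0 > 0) printf "%s\t%s\t%d\n", partition, neighbor, $1 }
    '
}

# Number of failing inbound neighbors in the showrepl text passed as $1.
count_failing_neighbors() {
    printf '%s\n' "$1" | showrepl_failures | awk 'END { print NR }'
}

# Real use: samba-tool drs showrepl | showrepl_failures
printf '%s\n' "$SAMPLE_SHOWREPL" | showrepl_failures
```

On a healthy DC the function prints nothing, which makes it easy to wire into a cron job or monitoring check that alerts on any output.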