====== Samba AD DCの冗長化 ====== ===== プライベートリポジトリの設定 ===== [[linux:samba:private_repository_setting|プライベートリポジトリの設定]]を参照。 ===== パッケージインストール =====


$ sudo yum install samba samba-dc samba-client bind-utils \
tdb-tools psmisc krb5-workstation --enablerepo=mgc

wbinfoを使えるように以下もインストールしておくとよい。


$ sudo yum install samba-winbind-clients --enablerepo=mgc

===== Kerberosクライアントのデフォルト設定 ===== ==== 設定ファイルのバックアップ ====


$ sudo cp /etc/krb5.conf /etc/krb5.conf.org

==== 設定ファイルの編集 ====


$ sudo vi /etc/krb5.conf


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FIREBALL.LOCAL <-
 dns_lookup_realm = false       <- 追記
 dns_lookup_kdc = true          <-
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 FIREBALL.LOCAL = {             <-
  kdc = blue-dc.fireball.local  <- 追記
  kdc = blue-dc1.fireball.local <-
 }                              <-

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 .fireball.local = FIREBALL.LOCAL <- 追記
 fireball.local = FIREBALL.LOCAL  <-

===== Kerberosの動作確認 =====


$ kinit administrator
Password for administrator@FIREBALL.LOCAL: <- パスワードを入力
Warning: Your password will expire in 41 days on 2013年11月20日 01時23分51秒

===== DCとしてドメインへ参加 ===== ==== 設定ファイルのバックアップ ====


$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.org

または


$ sudo rm /etc/samba/smb.conf

※smb.confを移動 or 削除しないとsamba-toolでエラーが発生する。 ==== DCのドメイン参加 ====


$ sudo samba-tool domain join fireball.local DC -Uadministrator --realm=fireball.local


Finding a writeable DC for domain 'fireball.local'
Found DC blue-dc.fireball.local
Password for [WORKGROUP\administrator]: <-パスワードを入力
workgroup is FIREBALL
realm is fireball.local
checking sAMAccountName
Adding CN=BLUE-DC2,OU=Domain Controllers,DC=fireball,DC=local
Adding CN=BLUE-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fireball,DC=local
Adding CN=NTDS Settings,CN=BLUE-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fireball,DC=local
Adding SPNs to CN=BLUE-DC2,OU=Domain Controllers,DC=fireball,DC=local
Setting account password for BLUE-DC2$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=fireball,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=fireball,DC=local] objects[402/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[804/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[1206/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[1608/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[1615/1615] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=fireball,DC=local] objects[97/97] linked_values[28/0]
Partition[DC=fireball,DC=local] objects[365/268] linked_values[28/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=fireball,DC=local
Partition[DC=DomainDnsZones,DC=fireball,DC=local] objects[57/57] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=fireball,DC=local
Partition[DC=ForestDnsZones,DC=fireball,DC=local] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=fireball,DC=local] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain FIREBALL (SID S-1-5-21-4124656217-1713613446-3469194152) as a DC

==== 生成された設定ファイルの修正 ====


$ cat /etc/samba/smb.conf


# Global parameters
[global]
        workgroup = FIREBALL
        realm = fireball.local
        netbios name = BLUE-DC2
        server role = active directory domain controller
        dns forwarder = 192.168.1.10 <- 最初に構築したDCのIPアドレスを追記
        idmap_ldb:use rfc2307 = yes  <- 追記
        printing = bsd               <- 追記

[netlogon]
        path = /var/lib/samba/sysvol/fireball.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

===== サービス定義ファイルの作成 =====


$ sudo vi /lib/systemd/system/samba.service


[Unit]
Description=Samba Active Directory Domain Controller Daemon
After=syslog.target network.target named.service

[Service]
Type=forking
PIDFile=/run/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/sbin/samba $SAMBAOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/killall samba

[Install]
WantedBy=multi-user.target

===== サービス自動起動設定 =====


$ sudo systemctl enable samba.service

===== サービス起動 =====


$ sudo systemctl start samba.service

===== DC間のレプリケーション動作確認 =====


$ sudo samba-tool drs showrepl


Default-First-Site-Name\BLUE-DC2
DSA Options: 0x00000001
DSA object GUID: 7072208a-a934-4288-8df9-7f6140af0ee0
DSA invocationId: 0cc44a03-f4b5-45e5-9355-d73c65ef8206

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

CN=Schema,CN=Configuration,DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

CN=Configuration,DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

DC=ForestDnsZones,DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 4bd1dee9-545a-4ba1-ba73-0926e3fb22e7
        Enabled        : TRUE
        Server DNS name : blue-dc.fireball.local
        Server DN name  : CN=NTDS Settings,CN=BLUE-DC,CN=Servers,
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fireball,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

===== 参考文献 ===== [[http://www.unix-power.net/linux/samba4_secondary.html|CentOS6 Samba4でドメインコントローラを冗長化]]\\ [[https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC|Samba4/HOWTO/Join a domain as a DC - SambaWiki]]\\