Samba AD DC redundancy (adding a second domain controller)

Join a second Samba host (BLUE-DC2 below) to the existing domain fireball.local as an additional DC, so that the directory is replicated to two controllers. Prerequisites on the new host: it must resolve the existing DC (blue-dc.fireball.local) and the realm's SRV records through DNS, and its clock must be within Kerberos skew tolerance (5 minutes by default) of the existing DC; otherwise the kinit and the join below fail.

$ sudo yum install samba samba-dc samba-client tdb-tools psmisc krb5-workstation --enablerepo=mgc
$ sudo cp /etc/krb5.conf /etc/krb5.conf.org
$ sudo vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = FIREBALL.LOCAL <-
 dns_lookup_realm = false       <- added
 dns_lookup_kdc = true          <-
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 FIREBALL.LOCAL = {            <-
  kdc = blue-dc.fireball.local <- added
 }                             <-
 
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 .fireball.local = FIREBALL.LOCAL <- added
 fireball.local = FIREBALL.LOCAL  <-
$ kinit administrator
Password for administrator@FIREBALL.LOCAL: <- enter the password
Warning: Your password will expire in 41 days on 2013-11-20 01:23:51

A successful kinit confirms that the new host can resolve the realm and reach the KDC on blue-dc; if it fails, fix DNS or clock skew before attempting the join. The expiry warning refers to the Administrator account's password, not to anything on this host; change it before it lapses, since the same credential is used for the join below.
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.org

or

$ sudo rm /etc/samba/smb.conf

Note: if smb.conf is neither moved nor deleted, samba-tool aborts with an error, because the join writes a fresh smb.conf for the DC role.

$ sudo samba-tool domain join fireball.local DC -Uadministrator --realm=fireball.local
Finding a writeable DC for domain 'fireball.local'
Found DC blue-dc.fireball.local
Password for [WORKGROUP\administrator]: <- enter the password
workgroup is FIREBALL
realm is fireball.local
checking sAMAccountName
Adding CN=BLUE-DC2,OU=Domain Controllers,DC=fireball,DC=local
Adding CN=BLUE-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fireball,DC=local
Adding CN=NTDS Settings,CN=BLUE-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fireball,DC=local
Adding SPNs to CN=BLUE-DC2,OU=Domain Controllers,DC=fireball,DC=local
Setting account password for BLUE-DC2$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=fireball,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=fireball,DC=local] objects[402/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[804/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[1206/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[1608/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[1615/1615] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=fireball,DC=local] objects[97/97] linked_values[28/0]
Partition[DC=fireball,DC=local] objects[365/268] linked_values[28/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=fireball,DC=local
Partition[DC=DomainDnsZones,DC=fireball,DC=local] objects[57/57] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=fireball,DC=local
Partition[DC=ForestDnsZones,DC=fireball,DC=local] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=fireball,DC=local] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain FIREBALL (SID S-1-5-21-4124656217-1713613446-3469194152) as a DC

From this point BLUE-DC2 holds a full replica of the domain database, including every account's password hashes and the Kerberos keys, under /var/lib/samba/private; keep that directory root-only and protect the host with the same care as the first DC.
$ cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = FIREBALL
        realm = fireball.local
        netbios name = BLUE-DC2
        server role = active directory domain controller

[netlogon]
        path = /var/lib/samba/sysvol/fireball.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
$ sudo vi /lib/systemd/system/samba.service
[Unit]
Description=Samba Active Directory Domain Controller Daemon
After=syslog.target network.target named.service
 
[Service]
Type=forking
PIDFile=/run/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/sbin/samba $SAMBAOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
# killall terminates every process named samba on the host, not only this unit's;
# without ExecStop, systemd sends SIGTERM to the unit's own cgroup, which is sufficient
ExecStop=/usr/bin/killall samba
 
[Install]
WantedBy=multi-user.target
$ sudo systemctl enable samba.service
$ sudo systemctl start samba.service

Note: Samba replicates the directory partitions (as the join output above shows) but not the SysVol share. Group Policy objects and logon scripts under /var/lib/samba/sysvol must be kept in sync separately (for example with a periodic rsync from the DC holding the PDC emulator role); otherwise clients served by BLUE-DC2 see stale or missing policies.
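Once samba is running on BLUE-DC2, confirm that replication works in both directions with `samba-tool drs showrepl` on each DC (`samba-tool drs kcc` forces a topology refresh and `samba_dnsupdate --verbose` re-registers the new DC's DNS records if they are missing). The shell function below is an added example, not part of the original page: it parses showrepl output and fails when any inbound or outbound neighbour reports a failed last attempt or a non-zero consecutive-failure counter. The two samples embedded in it are constructed to mimic showrepl output for the BLUE-DC/BLUE-DC2 pair (GUIDs, timestamps and the error code are made up), so the real output format is the assumption the parser relies on.

```shell
#!/bin/sh
# Added example, not from the original page: a health check over the output of
# "samba-tool drs showrepl", which lists every replication partner (neighbour)
# of this DC per naming context. Usage on the new DC:
#
#   samba-tool drs showrepl | check_showrepl || echo "replication broken"
#
# check_showrepl prints one line per neighbour whose last attempt failed or whose
# consecutive-failure counter is non-zero, and returns 1 if there was any such
# neighbour, 0 otherwise. The KCC connection object section is ignored.
check_showrepl() {
    awk '
        # report a neighbour once, keyed on partition + neighbour
        function flag(why,    key) {
            key = partition "|" neighbour
            if (!(key in seen)) {
                seen[key] = 1
                bad++
                printf "%s %s: %s\n", partition, neighbour, why
            }
        }
        /^==== /                              { section = $0; next }   # INBOUND / OUTBOUND / KCC header
        section !~ /NEIGHBORS/                { next }                  # skip DSA header and KCC objects
        /^[^ \t]/ && /^(DC|CN)=/              { partition = $0; next }  # naming context at column 0
        / via /                               { sub(/^[ \t]+/, ""); neighbour = $0; next }
        /Last attempt @/ && /failed/          { sub(/^[ \t]+/, ""); flag($0) }
        /consecutive failure/ && ($1 + 0) > 0 { flag($1 " consecutive failure(s)") }
        END { exit (bad > 0) }
    '
}

# Constructed sample mimicking a healthy showrepl on BLUE-DC2 (GUIDs made up).
HEALTHY_SAMPLE='Default-First-Site-Name\BLUE-DC2
DSA Options: 0x00000001
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationId: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ====

DC=fireball,DC=local
    Default-First-Site-Name\BLUE-DC via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ Sat Oct 12 10:00:00 2013 JST was successful
        0 consecutive failure(s).
        Last success @ Sat Oct 12 10:00:00 2013 JST

==== OUTBOUND NEIGHBORS ====

DC=fireball,DC=local
    Default-First-Site-Name\BLUE-DC via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ Sat Oct 12 10:00:00 2013 JST was successful
        0 consecutive failure(s).
        Last success @ Sat Oct 12 10:00:00 2013 JST

==== KCC CONNECTION OBJECTS ====
'

# Constructed sample where the Configuration partition can no longer be pulled
# from BLUE-DC (access denied by the partner) while the domain partition is fine.
FAILING_SAMPLE='Default-First-Site-Name\BLUE-DC2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=fireball,DC=local
    Default-First-Site-Name\BLUE-DC via RPC
        Last attempt @ Sat Oct 12 10:00:00 2013 JST was successful
        0 consecutive failure(s).
        Last success @ Sat Oct 12 10:00:00 2013 JST

CN=Configuration,DC=fireball,DC=local
    Default-First-Site-Name\BLUE-DC via RPC
        Last attempt @ Sat Oct 12 10:05:00 2013 JST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Sat Oct 12 09:00:00 2013 JST

==== KCC CONNECTION OBJECTS ====
'

# Stand-alone demo against the constructed samples: sh check_showrepl.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$HEALTHY_SAMPLE" | check_showrepl && echo "healthy sample: OK"
    printf '%s' "$FAILING_SAMPLE" | check_showrepl || echo "failing sample: replication broken"
fi
```

Run it from cron or a monitoring agent on every DC, not only on the new one: a partner that can push to BLUE-DC2 but no longer pull from it shows up only in the other DC's outbound list. A neighbour stuck in failure is often a clock or DNS problem again, or a DC whose machine account password got out of step, and the result code printed alongside the neighbour is the first thing to look up.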
Last updated: 2019/05/18 02:23