
Samba AD DC redundancy (joining a second DC)

$ sudo yum install samba samba-dc samba-client bind-utils \
tdb-tools psmisc krb5-workstation --enablerepo=mgc

It is also a good idea to install the following so that wbinfo can be used.

$ sudo yum install samba-winbind-clients --enablerepo=mgc
$ sudo cp /etc/krb5.conf /etc/krb5.conf.org
$ sudo vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = FIREBALL.LOCAL <-
 dns_lookup_realm = false       <- added
 dns_lookup_kdc = true          <-
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 FIREBALL.LOCAL = {             <-
  kdc = blue-dc.fireball.local  <- added
  kdc = blue-dc1.fireball.local <-
 }                              <-
 
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 .fireball.local = FIREBALL.LOCAL <- added
 fireball.local = FIREBALL.LOCAL  <-

$ kinit administrator
Password for administrator@FIREBALL.LOCAL: <- enter the password
Warning: Your password will expire in 41 days on 2013年11月20日 01時23分51秒
$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.org

or

$ sudo rm /etc/samba/smb.conf

Note: if smb.conf is not moved or deleted, samba-tool will report an error.

$ sudo samba-tool domain join fireball.local DC -Uadministrator --realm=fireball.local
Finding a writeable DC for domain 'fireball.local'
Found DC blue-dc.fireball.local
Password for [WORKGROUP\administrator]: <- enter the password
workgroup is FIREBALL
realm is fireball.local
checking sAMAccountName
Adding CN=BLUE-DC2,OU=Domain Controllers,DC=fireball,DC=local
Adding CN=BLUE-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fireball,DC=local
Adding CN=NTDS Settings,CN=BLUE-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fireball,DC=local
Adding SPNs to CN=BLUE-DC2,OU=Domain Controllers,DC=fireball,DC=local
Setting account password for BLUE-DC2$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=fireball,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=fireball,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=fireball,DC=local] objects[402/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[804/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[1206/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[1608/1615] linked_values[0/0]
Partition[CN=Configuration,DC=fireball,DC=local] objects[1615/1615] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=fireball,DC=local] objects[97/97] linked_values[28/0]
Partition[DC=fireball,DC=local] objects[365/268] linked_values[28/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=fireball,DC=local
Partition[DC=DomainDnsZones,DC=fireball,DC=local] objects[57/57] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=fireball,DC=local
Partition[DC=ForestDnsZones,DC=fireball,DC=local] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=fireball,DC=local] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain FIREBALL (SID S-1-5-21-4124656217-1713613446-3469194152) as a DC

$ cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = FIREBALL
        realm = fireball.local
        netbios name = BLUE-DC2
        server role = active directory domain controller
        dns forwarder = 192.168.1.10 <- added: IP address of the DC that was built first
        idmap_ldb:use rfc2307 = yes  <- added
        printing = bsd               <- added
 
[netlogon]
        path = /var/lib/samba/sysvol/fireball.local/scripts
        read only = No
 
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

$ sudo vi /lib/systemd/system/samba.service
[Unit]
Description=Samba Active Directory Domain Controller Daemon
After=syslog.target network.target named.service
 
[Service]
Type=forking
PIDFile=/run/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/sbin/samba $SAMBAOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/killall samba
 
[Install]
WantedBy=multi-user.target

$ sudo systemctl enable samba.service
$ sudo systemctl start samba.service
$ sudo samba-tool drs showrepl
Default-First-Site-Name\BLUE-DC2
DSA Options: 0x00000001
DSA object GUID: 7072208a-a934-4288-8df9-7f6140af0ee0
DSA invocationId: 0cc44a03-f4b5-45e5-9355-d73c65ef8206

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

CN=Schema,CN=Configuration,DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

CN=Configuration,DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

DC=ForestDnsZones,DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 4bd1dee9-545a-4ba1-ba73-0926e3fb22e7
        Enabled        : TRUE
        Server DNS name : blue-dc.fireball.local
        Server DN name  : CN=NTDS Settings,CN=BLUE-DC,CN=Servers,
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fireball,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
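The showrepl output above is what you read by eye once; on a DC pair you want the same check run regularly. The following is an added example, not part of the original page: it parses `samba-tool drs showrepl` output on stdin and flags every neighbour whose last attempt failed. The sample output is constructed (the failing DomainDnsZones record and its error code are invented for the demo); it assumes only POSIX sh, awk and grep.

```shell
# Added example (not from the original page): summarise `samba-tool drs showrepl`
# output and report neighbours whose last replication attempt failed.
# SAMPLE_SHOWREPL is constructed; the second record is invented to show a failure.
SAMPLE_SHOWREPL='Default-First-Site-Name\BLUE-DC2

==== INBOUND NEIGHBORS ====

DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 06:49:58 2013 JST was successful
                0 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

DC=DomainDnsZones,DC=fireball,DC=local
        Default-First-Site-Name\BLUE-DC via RPC
                DSA object GUID: ea201fc1-7580-4e6f-b041-8ee42f472a9a
                Last attempt @ Thu Oct 17 07:12:03 2013 JST failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
                3 consecutive failure(s).
                Last success @ Thu Oct 17 06:49:58 2013 JST

==== OUTBOUND NEIGHBORS ===='

# repl_summary: read showrepl output on stdin and print one tab-separated line
# per neighbour record: STATUS PARTITION SOURCE_DSA CONSECUTIVE_FAILURES
repl_summary() {
  awk '
    /^(DC|CN)=/           { part = $0 }                                  # naming context DN
    / via /               { src = $1 }                                   # Site\DC of the partner
    /Last attempt @/      { st = ($0 ~ /was successful/) ? "OK" : "FAIL" }
    /consecutive failure/ { fails = $1 }
    /Last success @/      { printf "%s\t%s\t%s\t%s\n", st, part, src, fails }
  '
}

# repl_check: print the summary and return 1 if any neighbour is failing,
# so it can be wired into cron or a monitoring probe on each DC.
repl_check() {
  summary=$(repl_summary)
  printf '%s\n' "$summary"
  ! printf '%s\n' "$summary" | grep -q '^FAIL'
}

# Stand-alone run against the constructed sample; on a real DC pipe in
# `sudo samba-tool drs showrepl` instead.
if ! printf '%s\n' "$SAMPLE_SHOWREPL" | repl_check; then
  echo "replication problems found on this DC" >&2
fi
```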
  • Last updated: 2019/05/18 02:23
  • by non-logged-in user